Benefits of a Security Certification & Equifax Security Breach




Pwned: The Information Security Podcast show

Summary: Show Notes: https://justinfimlaid.com/benefits-of-a-security-certification-&-equifax-security-breach/h

Sponsor: https://www.nuharborsecurity.com

Contact Me: https://justinfimlaid.com/contact-me/

Twitter: @justinfimlaid

LinkedIn: https://www.linkedin.com/in/jfimlaid/

A lot of company or agency executives are looking for a security certification, or some other kind of assurance, so they can sleep well at night. The truth of the matter is that no security firm would assert that its clients are bulletproof against a cyber security breach. The threat landscape shifts intraday, and anything a security firm attests to today might be outdated by the time the team walks out of the building. In our industry today, there is no certification that offers this level of warranty. HITRUST, PCI-DSS, ISO27001 and SOC reports all ensure that a process is in place, not necessarily the rigor of the security controls themselves or the value of those controls in the long run. The Knox Security Certification is the lone technical security certification, but it also has bounds to its warranty, and it very much requires that the company continue to maintain the hygiene of its security posture, because nothing in security is set-it-and-forget-it.

Any potentially viable security certification is in jeopardy because of this, coupled with the fact that so many people misunderstand the concept. Case in point: the Equifax security breach. If you don't know Equifax, congratulations on making it out from under your rock and listening to this first. Equifax is a large credit reporting bureau that holds credit and personal information for millions of people. The breach impacted over 140 million people, which, to put that in perspective, is also HALF the citizens in the US.

Here's the thing: Equifax has an ISO27001 certification. The certification was delivered by Ernst and Young and their EY CertifyPoint division. Some folks, including those at Equifax, seemed to think this certification shielded them from breach. If you have ever listened to any of my podcasts or read anything I've written related to ISO27001, you know that ISO27001 simply certifies that you've followed a framework and methodology to choose security controls, not whether those controls are the right and complete security controls for your environment. To add one more: scope is a big component of ISO27001, and just because someone has an ISO 27001 certification doesn't mean it covers the environment they say it does. For example, some companies have an ISO27001 certification on their broom closet and say it's for the whole company.

The issue with this Equifax situation is that E&Y, according to MarketWatch, issued an attest opinion that all security controls were complete and in place, which later could not be supported. Aside from this not being possible, because it fails to acknowledge that there is no crystal ball that predicts any and all zero-day attacks, it's also a conflict of interest and a violation of any accreditation rules.

To me this indicates a huge lack of understanding OR purposeful negligence.

Further, there is commentary from former SEC chiefs. I'm withholding names since I don't know if the quotes are taken out of context, BUT one head-scratching quote, and I'm paraphrasing: "there's a question concerning how much reliance should be placed on the ISO certification when assessing internal controls over financial reporting."

Uhh…you think? I can help out there…none. There should be no reliance.