Think about this for a minute…
What happens if you analyze your own work and something you confirmed was working is actually not?
You analyzed a network. You said everything is working.
Then there was a major credit card breach. BOOM!
Next, the PCI Security Standards Council (SSC) shows up with a microscope to see what happened, and they find that you did in fact miss something.
Now the fun’s just beginning.
Do you have liability?
The answer is Yes. The case law has been around for almost 10 years.
Maybe you didn’t realize it. After all, you’ve been doing vulnerability scans and pen testing, and they’re simple enough.
You buy a tool and run it in a network. You then review the findings and point out what needs to be fixed.
Why would you ever need a third party to do that?
Perhaps a better question is: are you aware of the level of liability you’re taking on when you do a scan?
Are you aware that simply by commenting on the effectiveness of your or your client’s security program, you are taking on hidden liabilities?
This is such a big issue that the PCI Security Standards Council (SSC) requires that anyone performing assessments and attesting to findings carry a special insurance policy. This insurance policy is meant to address fallout from misreported results, or damages related to a network environment that was attested as secure and was then breached.
I’m not going to sugar-coat this for you: The process of analyzing a network and attesting to the security of that network creates liability.
The Target credit card breach is a telling example of the fallout. Here is a link to a Wired article that underscores that liability falls squarely on the auditors: https://www.wired.com/2014/03/trustwave-target-audit/
Trustwave, the auditor attesting to Target’s security controls at the time of the breach, was named in the lawsuit after attesting to the security that Target had in place only months before hackers turned that attestation into a joke.
I’m sure Trustwave didn’t expect to make headlines. How about you?
If you are attesting to your client’s or your own security without a third-party attestation of that security, you are unintentionally opening yourself up to being the next headline. You’re also piling liability onto your plate.
What can you do?
Third-party assessment.
This protects you not only from a liability standpoint, but it also gives you a different perspective on the network controls you’ve created. The biggest issue with security is that everyone has blind spots, and having someone proofread your work reduces the number of those blind spots.
Think about that for a minute!