Compliance Cautions: Investigating Security Issues Associated with U.S. Digital-Security Standards

Rock Stevens (University of Maryland), Josiah Dykstra (Independent Security Researcher), Wendy Knox Everette (Leviathan Security Group), James Chapman (Independent Security Researcher), Garrett Bladow (Dragos), Alexander Farmer (Independent Security Researcher), Kevin Halliday (University of Maryland), Michelle L. Mazurek (University of Maryland)

Digital security compliance programs and policies serve as powerful tools for protecting organizations' intellectual property, sensitive resources, customers, and employees through mandated security controls. Organizations place a significant emphasis on compliance and often conflate high compliance audit scores with strong security; however, no compliance standard has been systemically evaluated for security concerns that may exist even within fully-compliant organizations. In this study, we describe our approach for auditing three exemplar compliance standards that affect nearly every person within the United States: standards for federal tax information, credit card transactions, and the electric grid. We partner with organizations that use these standards to validate our findings within enterprise environments and provide first-hand narratives describing impact.

We find that when compliance standards are used literally as checklists --- a common occurrence, as confirmed by compliance experts --- their technical controls and processes are not always sufficient. Security concerns can exist even with perfect compliance. We identified 148 issues of varying severity across three standards; our expert partners assessed 49 of these issues and validated that 36 were present in their own environments and 10 could plausibly occur elsewhere. We also discovered that no clearly-defined process exists for reporting security concerns associated with compliance standards; we report on our varying levels of success in responsibly disclosing our findings and influencing revisions to the affected standards. Overall, our results suggest that auditing compliance standards can provide valuable benefits to the security posture of compliant organizations.

Paper

Video

View More Papers

A Practical Approach for Taking Down Avalanche Botnets Under...

Victor Le Pochat (imec-DistriNet, KU Leuven), Tim Van hamme (imec-DistriNet, KU Leuven), Sourena Maroofi (Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG), Tom Van Goethem (imec-DistriNet, KU Leuven), Davy Preuveneers (imec-DistriNet, KU Leuven), Andrzej Duda (Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG), Wouter Joosen (imec-DistriNet, KU Leuven), Maciej Korczyński (Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG)

CDN Judo: Breaking the CDN DoS Protection with Itself

Run Guo (Tsinghua University), Weizhong Li (Tsinghua University), Baojun Liu (Tsinghua University), Shuang Hao (University of Texas at Dallas), Jia Zhang (Tsinghua University), Haixin Duan (Tsinghua University), Kaiwen Sheng (Tsinghua University), Jianjun Chen (ICSI), Ying Liu (Tsinghua University)

Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting

Soroush Karami (University of Illinois at Chicago), Panagiotis Ilia (University of Illinois at Chicago), Konstantinos Solomos (University of Illinois at Chicago), Jason Polakis (University of Illinois at Chicago)

Decentralized Control: A Case Study of Russia

Reethika Ramesh (University of Michigan), Ram Sundara Raman (University of Michgan), Matthew Bernhard (University of Michigan), Victor Ongkowijaya (University of Michigan), Leonid Evdokimov (Independent), Anne Edmundson (Independent), Steven Sprecher (University of Michigan), Muhammad Ikram (Macquarie University), Roya Ensafi (University of Michigan)