Determine the scope? How?

Not a month after the Heartland breach, we now have reports of another malware-driven payment system breach of as-yet unknown proportions. Despite the proliferation of anti-threat devices and well-intentioned compliance programs such as PCI, we continue to see an increase in the number and cost of reported data breaches. The ITRC reported 656 breaches in 2008, an increase of 47% over 2007’s total of 446. As of today, Feb. 25, 2009, reports 57 data breaches, and DataLossDB reports 92 breaches, just 56 days into 2009. And Ponemon’s recent study shows that the average cost per compromised record is now $202, with the greatest cost coming from lost business.

These statistics should come as a surprise to no one, given the increasing organization, motivation, and sophistication of criminals. What should come as a surprise is the common public response to reports of such events: “How were they breached? They just passed a PCI audit!” – this is as sane and erudite as asking “How did she get spyware? She has a firewall!” or “How did he get cancer? He takes vitamins!”

But instead of an understanding that “compliance does not equal security”, we should instead expect an inevitable backlash against PCI and other such efforts, questioning their potency, bemoaning their expense, and demanding their reform. The same sort of pathological reasoning that has some people lament “ever since Obama’s been in office the economy has gotten much worse”. Despite the popular perception that all problems are easy to solve as long as they are someone else’s, complex systemic problems cannot be solved overnight, unless wholesale system replacement is an option. Of course, it generally isn’t, either for reasons of cost, or experiential immunity to Pollyannaism.

Some will argue that trying to regulate security is ineffectual at best and injuriously protectionist at worst. Yes, over-regulation and over-protection can be harmful, but employing such a one-size-fits-all perspective is simplistic and parochial. In reality, some things need protection. Saying that, I must also say that any good Darwinist should be opposed to the phenomenon of nanny statism. The intentional creation of dependency (whether well-intentioned, demagogic, or despotic) debilitates, whereas reasonable adversity, independence, and self-accountability fortifies. But even compassionless, godless Darwinists know that some things need protection. Putting our more-moral-than-thou, feel-good pretense aside for a moment: protecting some thing makes sense when it is temporarily infirm or in its infancy, but on the course to recovery or maturity. Examples of this would be protecting an emerging government or economy, or protecting an infant child. However, protecting the terminally weak does not make sense because there is no benefit (accepting that virtue is not a benefit, but rather is its own reward), only cost. Examples of this would be protecting irrecoverably diseased banks or businesses, or kind-heartedly administering chicken soup to someone with Marburg fever. Clearly, the effect of such misguided behavior is not only unproductive, but is actually destructive, as it prolongs suffering and imperils the healthy.

The point is not mercilessness, but rather that we are in the infancy of the information age, and to achieve information security at this vulnerable stage requires well-designed protection. Imperfect as the situation seems, the collection of regulatory and compliance programs designed to protect us as we move toward maturity were not divinely engineered, so they, themselves, must also evolve. And for all its incompatibility with our livelocked postmodern attention spans, we need to have patience as they go through their necessary iterations.

So what is the current state of regulation to defend against data breaches? The National Conference of State Legislators provides a set of breach notification laws that have been enacted by 44 U.S. States, DC, Puerto Rico, and the Virgin Islands (caveat emptor et creditor if doing business with companies in AL, KY, MS, MO, NM, or SD). Looking a little more closely at some of the states’ laws (a sample selected below for their incorporation popularity and proximity), it seems that government editions of Microsoft Word might include a “Data Breach Law” template:


12B-102. Disclosure of breach of security of computerized personal information by an individual or a commercial entity.
… Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.


NRS 603A.220  Disclosure of breach of security of system data; methods of disclosure.
… The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection 3, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data.


(2) A person required to provide notification under Subsection (1) shall provide the notification in the most expedient time possible without unreasonable delay:
(a) considering legitimate investigative needs of law enforcement, as provided in Subsection (4)(a);
(b) after determining the scope of the breach of system security; and
(c) after restoring the reasonable integrity of the system.


… The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

But how? How does the victim of a data breach determine the scope of the breach? By going back through logs — logs that likely contain information no more specific or telling than the IP addresses that accessed the affected web-server? IP addresses that were most likely, based on the malicious intent of the activity, obscured by Tor or proxies? Audit trails whose recording facilities rely on proper methods and paths of user access, but whose invocation is never triggered when the method of access is premeditated circumvention or vulnerability exploitation? Logs that were generated by the IPS, SIEM, or DLP platforms that have demonstrated blindness to the threat, having failed to detect or prevent it in the first place? This is reality. It will not be possible to rely on your firewall’s olfactory sense to help you determine how many records were affected in a breach that occurred last month when it detected nothing out of the ordinary.
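As an added example that is not part of the original post: the script below does the log-driven scoping the paragraph describes, over a web-server access log. The application, its /account/<id> URL layout, the client addresses and every log line are constructed assumptions for illustration, not data from any real incident. It recovers which record IDs each client successfully fetched, flags clients whose IDs form a near-contiguous run (enumeration rather than browsing), and returns an upper bound on the records exposed through that channel.

```python
"""
Estimate breach scope from a Combined Log Format web-server access log.

Added example, not code from the original post. Assumes a hypothetical
application that serves customer records at /account/<id>; the log
lines, IP addresses and record IDs below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample access log (Combined Log Format). Not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Feb/2009:10:12:01 -0500] "GET /account/1041 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2009:10:12:09 -0500] "GET /account/1041/statement HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Feb/2009:02:41:00 -0500] "GET /account/1000 HTTP/1.1" 200 799 "-" "python-urllib/2.5"
203.0.113.9 - - [03/Feb/2009:02:41:00 -0500] "GET /account/1001 HTTP/1.1" 200 802 "-" "python-urllib/2.5"
203.0.113.9 - - [03/Feb/2009:02:41:01 -0500] "GET /account/1002 HTTP/1.1" 404 211 "-" "python-urllib/2.5"
203.0.113.9 - - [03/Feb/2009:02:41:01 -0500] "GET /account/1003 HTTP/1.1" 200 805 "-" "python-urllib/2.5"
203.0.113.9 - - [03/Feb/2009:02:41:02 -0500] "GET /account/1004 HTTP/1.1" 200 790 "-" "python-urllib/2.5"
192.0.2.55 - - [03/Feb/2009:11:03:44 -0500] "GET /account/2200 HTTP/1.1" 200 811 "-" "Mozilla/5.0"
"""

# One Combined Log Format line: client, identity, user, [timestamp],
# "METHOD PATH PROTOCOL", status, bytes, "referer", "user-agent".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Hypothetical record URL layout: /account/<id> and anything beneath it.
RECORD_RE = re.compile(r'^/account/(?P<id>\d+)(?:/|$)')


def parse_log(text):
    """Yield one dict per line that matches the Combined Log Format; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def records_by_client(text):
    """Map client IP -> set of record IDs it fetched with a 2xx response (failed probes excluded)."""
    touched = defaultdict(set)
    for entry in parse_log(text):
        r = RECORD_RE.match(entry["path"])
        if r and entry["status"].startswith("2"):
            touched[entry["ip"]].add(int(r.group("id")))
    return touched


def enumerating_clients(touched, min_records=3, max_gap=2):
    """Clients whose fetched IDs form a near-contiguous run: sequential enumeration, not browsing.

    max_gap tolerates IDs that were skipped because they did not exist (404) or
    were fetched outside the log window; min_records avoids flagging a user
    who legitimately opened two adjacent accounts.
    """
    flagged = []
    for ip, ids in touched.items():
        ordered = sorted(ids)
        if len(ordered) < min_records:
            continue
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if max(gaps) <= max_gap:
            flagged.append(ip)
    return sorted(flagged)


def scope_estimate(text):
    """Upper bound on affected records via this channel: every record fetched by a flagged client."""
    touched = records_by_client(text)
    suspects = enumerating_clients(touched)
    affected = set()
    for ip in suspects:
        affected |= touched[ip]
    return {"suspect_clients": suspects, "affected_records": sorted(affected)}


if __name__ == "__main__":
    result = scope_estimate(SAMPLE_LOG)
    print("enumerating clients:", result["suspect_clients"])
    print("records to treat as exposed:", result["affected_records"])
```

Read the output with the paragraph's caveats in mind. The estimate covers only what passed through the logged path: an attacker who dumped the same table with a single injected query, or who read it off the host after exploiting the application, appears here as one request touching one record, or does not appear at all. And the flagged address identifies a channel, not an actor; if it is a Tor exit or an open proxy, the log has told you where the traffic emerged, nothing more.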

Despite the well-intentioned constant reminders that traditional security tools will inevitably fail, I am not suggesting a decrease in risk mitigation efforts. Instead, the reminders should reinforce that we can’t expect technology to save us both from our adversaries and from our own doltishness; we need more effort to get the “people” and “process” components of mitigation caught up and working with the technology, not against it. Further, we should remember that risk can be managed in other ways, too, including avoidance (“I’m afraid of having my credit card stolen, so I won’t use credit cards”), acceptance (“I will drive in the HOV lane because the fine is only $35, and it saves me six hours of commute time”) and transference (“I will pay an insurance premium so that when a bad thing happens, my insurer will cover my expense”). Typically, as an industry we eschew (often justifiably) avoidance and acceptance, spend far too much time and money on technology-as-savior mitigation, and lack awareness of transference – frequently even erroneously classifying a mitigator like a firewall as “insurance”. But as we mature, there are real forms of transference that we need to more seriously consider.

Some insurance companies, such as InsureTrust, are providing “cyber risk management” products. While the concept might seem strange for those with an appliance-centric view on security, insurance is one of most effective and common ways of managing risk in our adult lives. If it’s not obvious why I say “adult lives”, consider that the question “how will you deal with costly medical expenses?” is generally answered differently by a 10 year old (“I just won’t get sick”) than by a 40 year old (“I will select my employer based on the health insurance package they offer”).

The Professional Liability Underwriting Society quotes Stephen Haase, CEO of InsureTrust, who cautions that when responding to a data breach: “‘One of the biggest struggles for companies is to determine the scope of the breach. So often the leadership of a company will rush to try to get out the notification on a breach,’ … However, Haase explained that making an announcement before the magnitude of the breach is clear can be a mistake. ‘You should not rush to notify. Going out too early without more of the concrete factors in place can do more harm than good.’”

This message is reiterated by the Executive Director of the Identity Theft Resource Center (“Preventing the Unpreventable: Best Practices to Minimize Exposure to Information Losses”) who says “the companies that are sued are not those that quickly disclose a breach but, rather, those that do so poorly.”

Observing trends in information security and antecedent paradigms, it’s reasonable to extrapolate that information security insurance is due to soon become more popular, first voluntarily, and later mandatorily. Initially, we should see increased adoption among a small set of business savvy IT practitioners and analysts. This will be followed by the evolution of mandates by financially interested consortia (think PCIv3), and finally at various government levels. At that point, much as we get discounts on our home and auto insurance for having smoke-alarms, fire-extinguishers, anti-lock brakes, and clean driving records, we can expect similar discounts (or conversely, increases) for every statistically material step we take to reduce (or magnify) our insurance company’s exposure.

Not to put too fine a point on it, but economics dictates that if “one of the biggest struggles for companies is to determine the scope of the breach” then most-favored insuree status should be granted not only to those with the most effective preventative measures, but also to those with the most effective forensic measures.



Pingback from Worth A Glance » On the Cybersecurity Act of 2009
Time: 2009-05-31, 01:17

[…] cybersecurity to be a factor in all bond ratings.” I’ve talked about the potential role of insurance in infosec before, so it’s good to see (1), but the foreseeable difficulty of assessing and […]

Pingback from Worth A Glance » National Breach Notification Laws
Time: 2009-11-08, 20:01

[…] a follow-up to a post from February 2009, I’m mostly happy to comment on the recent progress that’s been made […]
