An article from Peter Benson, Security-Assessment.com on Disclosure Laws.
————————————
So when do you disclose a breach? From what we have seen in Australia and New Zealand, generally only when you are forced into it. The notion of disclosure is starting to raise its profile around Australasia, as a result of breaches occurring and a general lack of public disclosure following them.
The unfortunate aspect of this is that within our region there is nothing to force companies to disclose, and as a result a number of companies are not taking their information security seriously.
Companies are either burying their heads in the sand or using obscurity as the weapon whereby they resist letting the public and their customers know that bad things have happened. Often, as a result of this lack of accountability and good corporate citizenship, information security is still being seen as an “IT issue”, or alternatively as something to be avoided. In a number of cases that we are aware of, organizations haven’t even been aware that they have been breached until “weird things happen” or it otherwise gets into the public arena.
Let’s be real about this: while there are emerging standards such as the Payment Card Industry standards and banking regulations that make compliance mandatory in some organizations, the reality is that it is simply good and responsible practice to at least let your customers know that you have had a breach and that their information may have been affected. What is better: covering up a breach and having the media find out about it first (then playing catch-up with media controls), or demonstrating an ethical responsibility to customers whose information has been put at risk? The old-school notion of “not telling anyone” just doesn’t cut it any more, and is likely to result in a higher impact over time if issues are disclosed by third parties.
So let’s look at bringing back a level of responsibility and accountability to the customer. If we don’t, it is likely that disclosure laws will be enforced sooner rather than later, forcing the issue and potentially having a much higher impact than if we take a proactive stance on this now.
Let’s make no mistake: accountability is already there, and while there are some courses of action available to enforce accountability around the protection of information, the reality is that these will largely be superseded in the not-too-distant future by disclosure laws. Protection of customers’ interests and privacy is something that a lot of us have not yet addressed seriously, and we still pay lip service to it as an “IT issue”. It is not; it is the ethical and responsible protection of our customers (and implicitly our shareholders), behaving in ways that are socially and ethically responsible. To say that this doesn’t exist, or is not a risk, is simply untrue, and we will see changes coming in the near future. Watch this space!
————————————
Peter was recently quoted in Computerworld on this topic. He will be presenting on this topic in New Zealand and possibly Australia. Watch this space also.
Peter raises a good point about organisations not even knowing whether they have been breached. We see this all the time, as I have noted in a few entries: Botnets, Zero Days, Tell me I’m not owned. How will this play out when disclosure laws come in? The three-monkey approach? I hope not!

Posted at http://bsdosx.blogspot.com/2007/04/pull-up-those-breeaches.html
I love this kind of topic, merely to highlight the macro and micro issues. One must look outside one’s own discipline to find answers, as becoming too specialised, more often than not, does not allow one to ‘see the forest for the trees’.
I would like to try and answer the issue if I may with some history, a dash of the present and a dab of the future.
History:
This is what’s starting to happen in our society and industry in terms of complexity and economics: http://dieoff.org/page134.htm. Even though this paper is focussed on natural ecosystems and civilizations, the internet and its composing networks are a wonderfully rich representative ecosystem existing within our civilization.
As complexity increases, there is increased energy needed in any system. This either produces new paradigms which address diminishing marginal returns, or the system collapses under the weight of trying to address the complexity. Thus what is required is either non-reductionist thought to address the complexity, e.g. “Defense in Depth” (which happens to be extremely costly), or a reduction in the complexity and type of energy required in trying to solve the problems, resulting in a new paradigm or paradigms. To introduce the next paragraph I thought I’d quote Marcus Ranum (http://www.ranum.com/): “Your job, as a security practitioner, is to question – if not outright challenge – the conventional wisdom and the status quo. After all, if the conventional wisdom was working, the rate of systems being compromised would be going down, wouldn’t it?”
Present: Quality and Cost Benefit Analysis
Sometimes when you have been travelling along a certain path, there are a few signposts as to why you are potentially lost.
http://www.ranum.com/security/computer_security/editorials/master-tzu/
http://www.ranum.com/security/computer_security/editorials/dumb/
Future:
Personally I believe the tools and processes are out there, but the enumeration of the problem is somewhat incorrect and is being hampered by the ‘old guard’ of IT, who actually don’t really get it! They are suffering extreme forms of ‘Future Shock’ (http://en.wikipedia.org/wiki/Future_Shock): “too much change in too short a period of time”. This is in fact a wider social issue that is very hard to address, as people are afraid to challenge the status quo or can’t effect change within their existing roles. This must happen more quickly rather than allowing a generational ‘breed out’ of the less savvy CIOs, CTOs, CSOs and below, as things are speeding up and not slowing down. This will only occur with economic motivations. Economics is based on theories of scarcity and the perceived value of goods and services. We are having huge issues in evaluating data over its lifecycle and putting a price on the ensuing issues and costs of a breach, disclosure or unintended manipulation of data.
As Grace Murray Hopper, USN (Ret.) points out:
‘Some day, on the corporate balance sheet,
there will be an entry which reads, “Information”;
for in most cases, the information is more valuable
than the hardware which processes it.’
Dan Geer re-introduces this in his wonderful paper “The Shrinking Perimeter: Making the Case for Data-Level Risk Management” (http://www.verdasys.com/pdf/ShrinkPerim.pdf), which opens with the previous quote and argues for object-level protection and data valuation.
Another interesting topic is that of time and physics at play in our new world. Time-based security and convergence argue for new paradigms (Convergence, Dan Geer, http://geer.tinho.net/ieee.geer.0606.pdf) and highlight new effects of this highly connected, information-based economy.
To understand the infrastructure and ecosystems out there, one must constantly sample and baseline traffic in the face of constant change. Some change is valid, some invalid. One cannot manage what one cannot measure, and change management is at the heart of it all. Metrics need to be standardised, and individual nodes or systems need to become simpler, i.e. more easily defined and controlled.
MTTR (Mean Time To Repair, http://en.wikipedia.org/wiki/Mean_time_to_repair), for example, requires that one actually knows in the first place that something is broken and/or performing incorrectly (be it malicious or benign!).
Even though technology changes, the challenge of information management stays the same.
Sampling and surveillance, tied to regulation and compliance? Whose pocket gets hurt and what can they then do about it? Does a public shaming exact the financial penalties warranted or is public memory short lived when entities change and reform as different companies?
I do believe it’s the start of building a baseline awareness. But honestly, without a form of Total Information Awareness, massive indexing and far-reaching information asset management, how do you know:
a) what you’ve lost
b) when you’ve lost it
c) how you’ve lost it
d) how not to lose it again
Where does the burden of liability fall and how big is the carrot or stick?
Hopefully we don’t start to litigate: http://www.ranum.com/security/computer_security/editorials/lawyers/index.html
I am beginning to be more optimistic with good folks like SA (http://www.security-assessment.com/) on the case!
D.
We recently got breached. It was by a hostile competitor who is quite literally prepared to break the law to get to market before us. Drazen and his company analysed and helped to find the breaches, and when and what was taken (!). The matter is now in the hands of the police. For us, we are actually using this to our own advantage: it will take ‘them’ out of operational competitiveness while we fix our position in a greenfield market that can only hold one group. The fact that we were breached has also led us to review our system – and we have scrapped one aspect of our system in order to improve our security.
We found out about the breach by accident. We would never have known had the competitor not told us – as a brag!