Sunday, November 30, 2008

Changing the Face of IR

Major corporations handle our sensitive data...referred to as PII, PHI, PCI. Sometimes, they don't do such a great job of securing and protecting that data. The Dept of Veterans Affairs. TJX. World Bank. IMF. The list goes on. Data breaches happen...there's no question about that. If they didn't, guys and gals like me would be out of jobs.

Historically, the stimulus for change with respect to infosec (particularly with respect to IR) has been external to organizations. An attack or major breach stimulates some change, but it's not long-lived...once the panic wears off, executive management fails to see ROI from the resources that were suddenly (re: knee-jerk reaction) invested. According to Richard Bejtlich and others, there is no ROI from security...not directly, anyway.

Legislation and regulation...with consequences...have a more lasting effect. Visa's PCI defines "compliance", which, while not being what most of us would consider "security", is at least a step in the right direction. There are other regulatory/oversight bodies that provide their own guidelines...NCUA, HIPAA, etc. Section 748.2 of the NCUA Regulations provides guidance on "response programs". The PCI DSS (paragraph 12.9) provides compliance standards for an incident response plan.

Every organization with employees has a payroll process. Why? Well, without it, employees wouldn't get paid, and we all know that the CEO has to get paid, right? And oh, yeah...if you don't pay your employees, they don't come to work...you know where this one is heading. Many organizations have disaster recovery and business continuity plans, backup systems, etc. But why do some organizations not have computer security incident response plans, even when some regulatory body tells them that they need to have one?

Regulatory body definitions of "sensitive data" aside, what about corporations that lose intellectual property (IP)? Did you read this 12 Nov article in USAToday (additional commentary on the story at TaoSecurity)? Many organizations subsist primarily on their IP...remember Ira Winkler's Corporate Espionage?

The Verizon Business Security group put together some interesting statistics in their 2008 Data Breach Investigations Report; for example:

83% of attacks were not "highly difficult" (re: low-hanging fruit)
85% of attacks were opportunistic (re: "hey, look...someone left their keys in their car...")
87% of attacks could have been avoided with reasonable security controls
66% of breaches involved data the victim did not know was on the system

Perhaps one of the most interesting and revealing statistics was that reportedly 75% of breaches were not discovered by the victim. What this means is that data from within those organizations' network infrastructures was compromised and exposed, and the breached organization had no idea until someone told them.

So, if it's not enough that some regulatory oversight body requires you to have an incident response plan, how about the inevitability of an incident occurring? What's it gonna take for organizations to plan for an incident occurring, rather than reacting (poorly) after one has occurred? Oddly enough, any change in this regard will have nothing whatsoever to do with the victim "doing the right thing", and has everything to do with legislation and regulatory oversight.


hogfly said...

I think there's still a large portion of companies that think "it won't happen to us" and that the people in charge are so out of touch with reality that they have no idea what is really going on. They told someone in a meeting that they "better have an incident response plan" whatever that is, and promptly moved on to the next bullet point in the agenda. People just don't care about buckling their seat belt until they've already been in an accident.

H. Carvey said...
I'm afraid that you're right. However, it's time to make a serious move toward incident prevention and readiness, rather than waiting for an incident to happen. As always, it will take outside stimulus to accomplish this...

Brett Shavers said...

Commonly heard...

"We'll cross that bridge IF we come to it."

"Prevention or preparedness is not revenue generation."

The "won't happen to us" statement fits true with nearly every company, until it happens.

Doesn't mean it's right, but these words are spoken quite a bit.

H. Carvey said...

I think that part of the problem is that there simply aren't metrics to demonstrate what happens when you don't prepare for an incident. It's funny, too, that organizations have processes to pay employees, perform order fulfillment and service delivery, etc.

Crosser said...

"66% of breaches involved data the victim did not know was on the system" That's a scary figure as well. I think of all the corporate laptops that get stolen across the world. How can they identify a breach of PII if they don't know what was on the systems to begin with....