Tuesday, April 05, 2011

More on Breaches...

Sorry...no pun intended.  No...wait.  I totally meant it.

I was reading through some news items recently, and came across an article on Yahoo! News that refers to the recent Epsilon breach (also covered on KrebsOnSecurity.com), in which, it appears, a number of email addresses were exposed.  However, some things about the article I read caught my attention...

From the article:
Epsilon said that while hackers had stolen customer email addresses, a rigorous assessment determined that no other personal information was compromised. By itself, without passwords and other sensitive data, email addresses are of little use to criminals. But they can be used to craft dangerous online attacks.

Okay, is it just me, or are the last two sentences contradictory?  I mean, without other information, email addresses are useless to criminals...except when they are used to "craft dangerous online attacks."  What are "dangerous online attacks"?  Well, Uri Rivner of RSA (the Security Division of EMC) recently posted "Anatomy of an Attack" on the RSA blog, and states in that post that the breach of their systems started with a phishing attack...specifically crafted emails were sent to a small number of targeted individuals, knowing that at least some of them would be likely to open the attachment.  That is exactly the kind of attack a list of email addresses enables; the attacker doesn't need your password, he needs you to open the file.

Now, dear reader, please do not assume that these two incidents are tied together in any way, as that's not what I'm saying, nor am I suggesting it.  But what I am saying is that there is a considerable disconnect between what some think online criminals want or need, and what they actually end up going after.  For example, what does the claim in the quoted paragraph that "no other personal information was compromised" sound like to you?  To me, it sounds like a justification to NOT have to notify, based on state notification laws (the first of which was California's SB 1386).  Think about it.  By specifically stating that all of this other personally identifiable information (PII) was not exposed along with the email addresses, there's now justification that the breach laws don't come into play, and by extension/implication, neither do any compliance regulations.

Okay, but someone still accessed your systems and took this information.  And by "took", I'm referring to the fact that while you still "have" the information, so do they.  So this isn't like real-world theft, where someone steals your car and you no longer have possession...this is an instance where the confidentiality of the information on which your business runs has been compromised, even though nothing is missing.

In addition, the article goes on to indicate that more than just the email addresses themselves were exposed...the businesses (banks, hotels, etc.) with which the owners of those email addresses do business were also exposed.  An address paired with the name of the bank that sends mail to it is everything a phisher needs to make a forged message look legitimate.

Do you know what this reminds me of?  The designer drug trade.  Apparently, designer drugs are outlawed based on chemical structure, so once one drug is outlawed, a chemist comes up with a new, potentially more powerful drug with a different chemical structure, which is therefore legal until it's discovered by law enforcement and analyzed well enough to be uniquely identified.  The reason this breach reminds me of this sort of thing is that an organization was breached, and the critical information on which that organization's business relies was compromised...but not enough information to require notification under state breach laws, based on the specific definition of PII.  However, the information that was compromised...this email address belongs to someone who banks with Citibank, etc....can still be employed to devastating effect (refer back to the RSA breach).

So, Epsilon is notifying its customers...and folks like @briankrebs on Twitter are tracking notifications, and even receiving responses from individuals who have received five or more notifications, one per affected company...so that's a good thing.  We see in the media all the time that those who get out in front of an incident and are very open about it fare much better in the long run than those who cover it up in legalese or just flat out deny that it happened.  But I wonder how things would have worked out had the organization taken a proactive approach and done a better job of preparing for an incident.  For example, I wonder what effect having Carbon Black installed on systems would have had on the overall incident detection, and ultimately, response.

Folks, the fact is that the instant you think that you don't have anything anyone would want or could use, you've lost...it's a total Sun Tzu thing.  Even if you cannot possibly imagine how someone would use or profit from the data that you process or store, someone else likely already has.  At the very minimum, you've got CPU cycles, RAM, storage space and an Internet connection that can be used as a staging area or jumping-off point for attacks against someone else.

So, what do you do about this?  One way to address the situation of the inevitable security incident or breach...after all, the last couple of months should have clearly demonstrated to all that NO ONE is immune...is to be ready for it to happen.  So why not seek out a trusted adviser, someone who has dealt with breaches and incidents across a wide range of clients, and cultivate a relationship?  Incident preparation is more about a change to your corporate culture than it is about purchasing devices and software; a great deal of preparation can be done without purchasing a single device.  However, the lack of visibility that most organizations have will likely need to be addressed by some sort of purchase, but we're not talking about dropping a truck-load of gear off at your doorstep.  There's a great deal that can be done before you buy anything...and if the first call you make is to a vendor, you're likely to be sold whatever solution that vendor happens to provide, whether or not it addresses your actual gaps.
