
Why are people so shocked re: privacy breaches?

This is getting more and more laughable by the minute.  From Dark Reading:

JUNE 22, 2006 | Another day, another security breach: In the last 48 hours, Visa, Wachovia, Equifax, and the U.S. Department of Agriculture have joined a growing list of major companies and government agencies to disclose they’ve been hit by sensitive — and embarrassing — security breaches.

The organizations now are scrambling to assist customers and employees whose personal information was either stolen or compromised in recent weeks. They join AIG, ING, and the Department of Veterans Affairs, all of which have disclosed major losses of sensitive data in the last few weeks.

Each of the incidents came to light well after the fact.

Disclaimer: I am *not* suggesting that anyone should make light of or otherwise shrug off these sorts of events.  I am disgusted and concerned just like anyone else with the alarming rate of breach and data loss notifications in the last month, but you’re not really surprised, are you?  There, I’ve said it.

If anyone has any real expectation of privacy or security (two different things) when your data is in the hands of *any* third party, you are guaranteed to be sorely disappointed one day.  I fully expect that, no matter what I do, some amount of my personal information will be obtained, misappropriated and potentially misused in my lifetime.  I fully expect that any company I work for will ultimately have this problem, also.  I do what I can to take some amount of personal responsibility for this admission (and its consequences) but to me, it’s a done deal.  Get over it.

The Shimster (my bud, Alan Shimel) also wrote about some of this here and here.

Am I giving up and rolling over dead?  No.  At the same time, I am facing the realities of the overly-connected world in which we live and more so the position in which I choose to live it.  It isn’t with my head in the sand or in some other dark cavity, but rather scanning the horizon for the next opportunity to do something about the problem.

Anyone who has been on the inside of protecting the critical assets of an Enterprise knows that it isn’t "if" you’re going to have a problem with data or assets showing up somewhere they shouldn’t (or that you did not anticipate) but rather "when" … and hope to (insert deity here) it isn’t on your watch.

Sad but true.  We’ve seen corporations with every capability at their disposal show up on the front page because they didn’t/couldn’t/wouldn’t put in place the necessary controls to prevent these sorts of things from occurring…and here’s the dirty little secret: there is nothing they can do to completely prevent these sorts of things from occurring.

Today we focus on "network security" or "information security" instead of "information defensibility" or "information survivability" and this is a tragic mistake because we’re focusing on threats and vulnerabilities instead of RISK and this is a losing proposition because of these little annoyances called human beings and those other little annoyances they (we) use called computers.

Change control doesn’t work.  Data classification doesn’t work (* see below).  Policies don’t work.  In the "real world" of IM, encrypted back channels, USB drives, telecommuting, web-based storage, VPNs, mobile phones, etc., all it takes is one monkey to do the wrong thing even in the right context and it all comes tumbling down.

I was recently told that security is absolute.  Relatively speaking, of course, and that back in the day, we had secure networks.  That said nothing, of course, about the monkeys using them.

Now, I agree that we could go back to the centralized computing model with MAC/RBAC, dumb networks, draconian security measures and no iPods, but we all know that the global economy depends upon people being able to break/bend the rules in order to "innovate" and move business along the continuum and causing me not to put that confidential customer data on my laptop so I can work on it at home over the weekend would impact the business…

The reality is that no amount of compliance initiatives, technology, policies or procedures is going to prevent this sort of thing from happening completely, so the best we can do is try as hard as we can as security professionals to put a stake in the ground, start managing risk knowing we’re going to have our asses handed to us on a platter one day, and do our best to minimize the impact it will have.  But PLEASE don’t act surprised when it happens.

Outraged, annoyed, concerned, angered and vengeful, yes.  Surprised?  Not so much.

Until common sense comes packaged in an appliance, prepare for the worst!

/Chris

P.S. Unofficially, only 3 out of the 50 security professionals I contacted who *do* have some form of confidential information on their laptops (device configs, sample code, internal communications, etc.) actually utilize any form of whole disk encryption.  None use two factor authentication to provide the keys in conjunction with a strong password.  See here for the skinny as to why this is relevant.

*Data Classification doesn’t work because there’s no way to enforce its classification uniformly in the first place.  For example, how many people have seen documents stamped "Confidential" or "Top Secret" somewhere other than where these sorts of data should reside?  Does MS Word or Outlook force you to "classify" your documents/emails before you store/print/send them?  Does the network have an innate capability to prevent the "routing" of data across segments/hosts?  What happens when you cut/paste data from one form to another?

I am very well aware of many types of solutions that provide some of these capabilities, but it needs to be said that they fail (short of being deployed at arterial junctions such as the perimeter) because:

  1. They usually expect to be able to see all data.  Unlikely, because anyone that has a large network with computers connected to it knows this is impossible (OK, improbable).
  2. They want to be pointed at the data and classify it so it can be recognized.  Unlikely, because if you knew where all the data was, you’d probably be able to control/limit its distribution.
  3. They expect that data will be in some form that triggers an event based upon the discovery of its existence or movement.  Unlikely, because of encryption (which is supposed to save us all, remember ;) and the fact that people are devious little shits.
  4. What happens when I take a picture of it on my screen with my cameraphone, send it out-of-band and it shows up on a blog?

Rather, we should exercise some prudent risk management strategies, hope to whomever that those boring security awareness trainings inflict some amount of guilt and hope for the best.

But seriously, authenticating access *to* any data (no matter where it exists) and then being able to provide some form of access control, monitoring and non-repudiation is a much more worthwhile endeavor, IMHO.

Otherwise, this exercise is like herding cats.  It’s a general waste of time because it doesn’t make you any more "secure."
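As an added illustration (not code from the post), the contrast the footnote and the paragraph above draw, in working form: a perimeter-style content inspector that only recognises a visible classification stamp, beside an access-layer broker where the label is bound to the object and every request is authorised and written to a hash-chained audit log. All sample documents, users and roles are constructed for the example.

```python
import hashlib
import re
from typing import Optional

MARKER = re.compile(r"\b(CONFIDENTIAL|TOP SECRET)\b", re.IGNORECASE)

# Constructed sample documents. The label is what the owner assigned; the
# body is what a content inspector at the perimeter actually gets to see.
SAMPLES = {
    "memo": ("confidential", "CONFIDENTIAL: Q3 customer list attached."),
    "pasted": ("confidential", "Acme Corp, acct 4111-xxxx, renewal 2006-09"),  # stamp lost in cut/paste
    "encrypted": ("confidential", "U2FsdGVkX1+3k9QzY2lwaGVydGV4dA=="),  # opaque ciphertext
    "lunch": ("public", "Lunch is at noon."),
}

def content_inspector(body: str) -> bool:
    """Perimeter-style classification: flag only if a stamp is visible in the bytes."""
    return bool(MARKER.search(body))

def inspector_misses() -> list:
    """Confidential objects the content inspector lets through unflagged."""
    return [name for name, (label, body) in SAMPLES.items()
            if label == "confidential" and not content_inspector(body)]

# Access-layer enforcement: the label is bound to the object, not inferred
# from its bytes, so the decision does not depend on what the content looks
# like. Every request is authorised and appended to a hash-chained log.
ROLES = {"alice": {"confidential", "public"}, "bob": {"public"}}
AUDIT: list = []

def _digest(prev: str, user: str, doc: str, label: str, allowed: bool) -> str:
    return hashlib.sha256(f"{prev}|{user}|{doc}|{label}|{allowed}".encode()).hexdigest()

def request(user: str, doc: str) -> Optional[str]:
    """Return the body only if the user's role covers the object's label; log either way."""
    label, body = SAMPLES[doc]
    allowed = label in ROLES.get(user, set())
    prev = AUDIT[-1]["hash"] if AUDIT else "0" * 64
    AUDIT.append({"user": user, "doc": doc, "label": label, "allowed": allowed,
                  "prev": prev, "hash": _digest(prev, user, doc, label, allowed)})
    return body if allowed else None

def verify_chain() -> bool:
    """Tamper evidence: any edited or dropped entry breaks the chain.
    (Non-repudiation proper would additionally need per-user signatures.)"""
    prev = "0" * 64
    for e in AUDIT:
        if e["prev"] != prev or e["hash"] != _digest(prev, e["user"], e["doc"], e["label"], e["allowed"]):
            return False
        prev = e["hash"]
    return True
```

The inspector flags only the stamped memo and misses the pasted fragment and the ciphertext, while the broker enforces the same label on all of them and leaves a record of who asked for what.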

I’m getting more cynical by the (breach) minute…BTW, Michael Farnum just wrote about this very topic…

  1. June 28th, 2006 at 04:59 | #1

    The Daily Incite – June 28, 2006

    June 28, 2006 Good Morning: Hola. Como esta? Muy bien. OK, enough of my junior high Spanish skills. Quick intro today because I’ve got nothing to say, as evidenced by my use of Spanish. I’ve also got to run off for a full day of meetings. Bas

  2. Christopher Hoff
    June 28th, 2006 at 06:37 | #2

    This is a pet peeve of mine, so here I am tossing in my two cents and most likely confusing the hell out of some people. ;-)
    Rant on
    While I agree that there is nothing the IT folks can do to totally stop the flow of data out of an organization I don’t really see this as an IT problem per se. Common sense isn’t the only thing missing from the people who have been the conduit for data breaches, there is also a lack of accountability for the person stupid enough to put the data at risk. Case in point, the guy from the VA was put on administrative leave with pay as a reward for his laptop being stolen. No criminal charges, no personal responsibility. The VA is getting sued, (which will take even more tax money from the people they serve) and I’m sure there will be a few IT folks getting slapped around, but the person directly responsible gets to watch Judge Judy and go to the beach. Yes, vacation for potentially screwing millions of people, where do I sign up?
    Making things worse, the courts have weighed in and have ruled that it’s not their fault that their security sucks and your personal information was stolen, because they have a written security policy. See links http://www.securityfocus.com/columnists/387 and http://www.eweek.com/article2/0,1895,1935518,00.a….
    In no way am I suggesting that government regulation is the answer, but there needs to be a consequence for the action of the individual. At least fire the perpetrator, or make him wear a sign.
    Rant off
    Anti Chris

  3. Christofer Hoff
    June 28th, 2006 at 07:27 | #3

    Just in case you are wondering, the post above is not from "Me." It is from the "other me." Confused?
    It turns out that Chris (above) and I share the same name (with a different spelling in the first,) and both work in security. We live almost right next to each other…and finally met over a beer a few weeks ago.
    So, he is only the "Anti" Chris because like that episode from Star Trek, every Kirk has got to have an evil twin ;)
    I also happen to agree that we need to hold companies and their management liable for not appropriately managing risk — and more specifically dealing with it when the breach hits the fan.

  4. Scott Millhollin
    August 6th, 2010 at 11:45 | #4

    There should be no one who is surprised anymore. People should just be prepared for the inevitability. Until corporate leaders empower, financially and politically, their organizations to address information and data security, there will be more and more of these occurrences. There is currently too much focus on security technology and not enough thought leadership and risk planning.
