OK, you've spent the last week patching and stripping Lovsan/MSBlaster files from your corporate systems -- what's the next step? At first glance, it may be a stretch to equate a Blaster infection to the compromise of a California resident's information, but an investigation is recommended to determine if provisions in California Senate Bill 1386 apply.
CA 1386 mandates that organizations disclose incidents to victims in which there's reasonable belief that an unauthorized person accessed specific California resident information in unencrypted form. That information includes an individual's name combined with a Social Security number, driver's license/California Identification Card number or account number. Failure to disclose these incidents opens an organization to serious legal ramifications, as the law establishes a statute on which a strong civil action case can be built.
Blaster exploits Windows NT/2000/XP/2003 systems through an RPC vulnerability and installs a remote command shell, which could be used to Telnet and gain remote control of the machine.
Infected organizations need to evaluate if there's a reasonable belief that California resident information was accessed. Though that possibility may seem remote, the breach requires a review of the audit trails of any infected system that contains information covered by the California law, including servers and desktops.
The investigation should determine whether the audit trails (system application logs, transaction records, firewalls, intrusion detection and forensic analysis) are collecting detailed event information. If not, the question may go unanswered and require the organization to comply with the law. As attacks don't always generate detailed audit log information, the use of forensic analysis tools may be needed. If audit trails indicate that an unauthorized individual accessed a machine that stores the protected information in unencrypted form, then disclosure is necessary.
Organizations need to:
- Consider the effects of Blaster infection and other similar security incidents in light of the California legislation.
- Understand which systems store protected data and what other systems have access to those systems and the data they contain.
- Capture sufficient audit log information to determine if the law applies.
- Invest in forensics tools to investigate systems that have been or are thought to have been compromised.
- Develop incident response and incident disclosure policies and procedures to respond to events like this.
The impact of the California legislation is yet to be tested in court. Questions have been raised regarding this legislation's broader definition of personal information, which courts may expand upon to enforce the law. Furthermore, U.S. Sen. Dianne Feinstein (D-Calif.) is moving forward with similar legislation at the federal level. The future may hold even more stringent requirements as regulators and legislators critically examine ways to protect privacy and prevent identity theft.
The combined impact of worms, hacker attacks and legislation is a dark storm cloud on the horizon. Organizations need to protect themselves by being proactive in defining their security and response plans today, instead of being reactive in court tomorrow.About the author
Michael Rasmussen (mailto:firstname.lastname@example.org), CISSP, is an information security analyst at Forrester Research.
Forrester research is provided as general background and is not intended as legal or financial advice. Forrester Research, Inc. cannot and does not provide legal or financial advice. Readers are advised to consult their attorney or qualified financial advisor for legal and/or financial advice related to this information.
For more information on this topic, visit these resources:
- Guest Commentary: Compliance with California's new mandatory disclosure law
- Guest Commentary: Finding a safe harbor in the California breach disclosure law
- News & Analysis: California screaming: Companies must disclose security breaches
This was first published in August 2003