This article can also be found in the Premium Editorial Download "Information Security magazine: Compliance and risk modeling."
Data shows that publicized hacks, cyberattacks and data breaches continue to increase, and the majority of attacks are from outsiders. According to Verizon's 2013 Data Breach Investigations Report, released in April, 92% of breaches in 2012 were attributed to outsiders, and 19% involved state-affiliated actors.
Regardless of the motives and the types of hackers or attackers, it behooves chief information security officers (CISOs) and security staff to take actions to better defend their data from these miscreants. Data theft has consequences for organizations: bad press, impact on reputation, devalued share prices and the costs of investigating the breach. Companies may also have to take legal action and make notifications to affected individuals if a breach involves personal data theft.
From the consumer arena to “hacktivists,” data breaches and disclosure requirements have evolved over several decades. In 1992 the Privacy Rights Clearinghouse (PRC) was formed as a nonprofit in California by Beth Givens, a student at the University of San Diego, to raise consumer awareness of how technology affects consumer privacy. Although the initial focus of the Clearinghouse was to provide consumer information and consumer advocacy, its role in the general area of data breach analysis expanded in 2005 with the establishment of the Chronology of Data Breaches. This database has become a “go-to” website for gathering data and identifying trends in data breaches in the United States. Since 2002, the Chronology of Data Breaches has recorded detailed information on more than 607 million records from 3,665 data breaches that were made public.
In 1996, one of the first laws established to address the security and privacy of data was the Health Insurance Portability and Accountability Act (HIPAA). However, this law was limited to health data and, until recent years, lacked the “teeth” to enforce penalties when data was lost, stolen or otherwise breached. Since the first attention to protecting data in 1992, an industry has grown up around data breaches: analyzing the events, poking and prodding the statistics to determine root causes and, ultimately, finding ways to stop data from being stolen or released to unauthorized entities.
The U.S. Department of Justice identifies a data breach as “the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, access for an unauthorized purpose, or other unauthorized access, to data, whether physical or electronic.”
Evolution of consequences
Data breaches—at least those that were publicly announced—began to increase in the 1980s. In 1984 the global credit information corporation known as TRW (now called Experian) was hacked and 90 million records were stolen. In 1986, 16 million records were stolen from Revenue Canada, according to the Office of Inadequate Security website.
In the 1990s and early 2000s public awareness of data breaches increased. The news media covered more “cyberthefts.” The nature of the crime was not as dramatic as physical “smash and grab” attacks, but the ramifications were potentially more damaging in the long run.
Lawmakers also began to pay attention. In July 2003, the state of California enacted Senate Bill 1386, which was considered the first law in the U.S. intended to protect the privacy of an individual’s personal information, especially when it is stolen from a vendor’s database. The flurry of attention information security professionals across the country paid to this new law and its consequences revealed a concern that data loss needed to be stopped and that consequences for negligence were necessary.
As of August 2012, 46 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands had enacted legislation requiring notification of security breaches involving personal information, according to the National Conference of State Legislatures. The only states still without such laws are Alabama, Kentucky, New Mexico and South Dakota.
Data on breaches
In the nine years since California approved its law and the 20 years since Beth Givens first had the idea of starting the Privacy Rights Clearinghouse, a new industry of data breach investigators, moderators, reviewers and analysts has surfaced. Some of the organizations providing in-depth analysis of data breaches and trends include:
- Verizon’s Data Breach Investigations Report (DBIR) – The 2013 DBIR released in April is Verizon Communications Inc.’s sixth report. Verizon’s Research Investigations Solutions Knowledge (RISK) team has been doing data breach analysis and dissection of actual cases, based on its computer forensics work, since 2004. The DBIR series now spans nine years, more than 2,500 breaches and greater than 1 billion compromised records. According to Verizon’s 2012 DBIR, the hacktivists’ entry onto the data breach stage changed the perspective on the motives behind data theft; however, the 2013 DBIR data set indicated that 75% of attacks were financially motivated crimes.
- DataLossDB, maintained by the Open Security Foundation (OSF) – The OSF project leaders scour news feeds, blogs and other websites looking for data breaches, new and old, which they then add to their database, email to the members of their mailing list and distribute via social media outlets.
- Ponemon Institute – The Ponemon Institute has researched data loss incidents and their estimated costs to organizations since 2005. Data breaches can cost a company as much as $194 per compromised record, according to the institute’s annual cost calculations. Put another way, a breach of 1 million records could cost an estimated $194 million to manage. A Data Breach Risk Calculator, which was developed by Symantec Corp. and based on Ponemon’s work, is available on the Web.
- Identity Theft Resource Center (ITRC) – Since 2005, the ITRC has tracked security breaches, looking for patterns, new trends and information that can help protect data and assist companies in their activities.
In the early 2000s Kirk Bailey, CISO of the University of Washington and the former CISO for the City of Seattle, began to tout the idea of an “assumption of breach.” In other words, CISOs must assume that their systems and databases will be breached, and they must use this philosophy to prepare the enterprise for that eventuality.
A Ponemon study issued in June 2011 echoed Bailey’s philosophy: “The threat from cyberattacks today is nearing statistical certainty and businesses of every type and size are vulnerable to attacks.”
With this new mindset come new approaches to protecting data. The traditional “perimeter” approach to security is still required. For instance, the classic technical, administrative and process-based security controls such as firewalls, passwords and employee awareness training are all necessary and remain the first line of defense. However, it is important to look at the next level of data protection.
Protection of key data
It’s tough for security professionals and their bosses to accept this reality: You cannot protect all data. With a proliferation of portable media, smartphones, USB drives and laptops, there are too many opportunities for loss or theft of these devices, and the data within them. It is important to take steps to enable encryption of mobile devices, train end-users to protect their devices and to immediately inform security management if the devices are stolen, lost or there is a suspected data compromise. Many mobile management platforms can remotely wipe stolen or lost devices.
CISOs should educate the executive team and board of directors on this philosophy and encourage their support for the security actions necessary to protect the company’s key data. First, identify the key data owned by the corporation whose loss, theft or compromise would be detrimental to the company’s future. Second, identify where the data is located, including backups and “mirror copies,” and determine its current level of protection. Third, identify who has access to the critical data, and review the access rights and capabilities to add data to, or remove it from, that database or folder.
Armed with this information, you can identify an approach for improved protection of the key data by “islanding” or “enclaving” it. With islanding, critical data is secured against both physical and cyber access. This “island” environment locks down the critical data within its own dedicated perimeter of firewalls and access control lists, with access controls separate from the enterprise Active Directory or LDAP schema.
Individuals with access to this critical data must be trained to recognize suspicious phishing attacks and to look for signs of physical or cyber-tampering. This training also will include instructions to the critical data staff to immediately report these cyber- and physical attacks—such as pretexting—to key staff ready to react 24x7 to such attempts at stealing the data.
Recognize that access to the critical data must be highly restricted. Take a hard look at the individuals with access rights to the critical data today and cull those who do not have a need to know. Also, be wary of any administrative access to the critical data perimeter, and prohibit remote access to the perimeter devices and to the critical data itself, so that you have added one more layer of defense.
Lastly, and definitely not least, strictly monitor the dataflow into and out of the new critical data perimeter—including any changes in real time.
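The access-review step of the islanding approach above (cull accounts without a need to know, scrutinize administrative rights, prohibit remote access, keep identities out of the enterprise directory) can be made repeatable. This is an added example, not code from the article or from Verizon; the ACL entry format, realm names, account names and roster are constructed for illustration.

```python
# Enclave access review: added example, not from the article. The ACL entry
# format, realm names, accounts and need-to-know roster are constructed samples.
from dataclasses import dataclass

ENCLAVE_REALM = "enclave"  # the island's own directory, separate from enterprise AD


@dataclass(frozen=True)
class AclEntry:
    principal: str     # "realm\\account"
    rights: frozenset  # subset of {"read", "write", "admin"}
    remote: bool       # entry usable over a remote-access path (VPN, RDP, etc.)


def review_access(entries, need_to_know, enclave_realm=ENCLAVE_REALM):
    """Compare live ACL entries with the approved roster and return findings:
    cull (no approved need to know), foreign_realm (identity outside the
    enclave directory), admin (administrative rights to scrutinize) and
    remote (entries usable remotely, which the enclave should prohibit)."""
    approved = {a.lower() for a in need_to_know}
    findings = {"cull": [], "foreign_realm": [], "admin": [], "remote": []}
    for e in entries:
        realm, _, account = e.principal.partition("\\")
        if account.lower() not in approved:
            findings["cull"].append(e.principal)
        if realm.lower() != enclave_realm:
            findings["foreign_realm"].append(e.principal)
        if "admin" in e.rights:
            findings["admin"].append(e.principal)
        if e.remote:
            findings["remote"].append(e.principal)
    return findings


def enclave_is_clean(findings):
    """True only when nothing must be removed: no cull, foreign-realm or remote entries."""
    return not (findings["cull"] or findings["foreign_realm"] or findings["remote"])


# Constructed sample: current ACL on the islanded store versus the approved roster.
SAMPLE_ACL = [
    AclEntry("enclave\\jsmith", frozenset({"read"}), remote=False),
    AclEntry("enclave\\mlee", frozenset({"read", "write"}), remote=False),
    AclEntry("enclave\\svc_backup", frozenset({"read", "admin"}), remote=False),
    AclEntry("corp\\tchan", frozenset({"read"}), remote=True),  # enterprise AD account, via VPN
    AclEntry("enclave\\rjones", frozenset({"read", "write"}), remote=False),  # left the team
]
SAMPLE_ROSTER = ["jsmith", "mlee", "svc_backup", "tchan"]
```

Running `review_access(SAMPLE_ACL, SAMPLE_ROSTER)` flags rjones for culling, tchan as both a foreign-realm identity and a remote path, and svc_backup as an admin holder to scrutinize.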
Data breaches continue to become increasingly sophisticated, on both sides of the equation. Attackers are getting smarter, developing new advanced persistent threats and advanced volatile threats. They are learning new ways to take malicious advantage of installed software such as Java and Adobe. In turn, defenders must be more adept and agile, keeping data protection focused on the new attack methodologies. The security world is quickly evolving. We have come very far, and it will be interesting to see where we are going.
About the author:
Ernest N. Hayden, CISSP, CEH, is managing principal of Critical Infrastructure Protection and Cyber Security on Verizon’s RISK Team. He works with clients, assessing cybersecurity strategy and implementing recommendations on security policy and deployment plans for energy, utility, critical infrastructure, industrial control systems and smart grid security globally. Hayden is an experienced information security professional and technology executive, providing global thought leadership for more than 13 years in the areas of information security, cybercrime/cyberwarfare, business continuity/disaster recovery planning, leadership, management and research. Send comments on this column to firstname.lastname@example.org.
This was first published in May 2013