Damage Control

ChoicePoint's Rich Baich faced the perfect storm: a huge security breach, intense media attention and a shareholder revolt. What he needed was an incident response plan to get him out of the hot seat.


Legislation: Disclosure Loopholes
ChoicePoint may have discovered the breach that exposed the personal data of 145,000 people, but the break-in likely would never have been publicly disclosed had it not been for California's landmark Security Breach Information Act, SB 1386.

The Georgia-based company was bound by law to come clean to more than 35,000 affected Californians, and soon revealed that 110,000 more Americans nationwide were also at risk of identity theft.

What few know is that the law gives compromised companies wide latitude as to when they must inform consumers. The gap between discovery and disclosure could ultimately work against numerous state and federal bills swiftly being modeled after the California statute.

"I don't think that Congress or big business really has a clue yet as to how to deal with consumer data privacy," says Stephen Cobb, author of Privacy for Business. "I'm not sure notification is where the focus should be. Per-instance or per-incident fines may be more appropriate."

ChoicePoint sat on the disclosure for five months, going public in February after a Nigerian man's conviction in the scam became public record in Los Angeles. The company says it stayed mum at investigators' request, which is allowed under SB 1386. The law stresses that "disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement."

That disclosure loophole could leave individuals exposed to identity theft during criminal investigations, and privacy advocates aren't convinced legislators will provide the level of protection consumers need. Some experts say that the courts may have to determine what constitutes proper notification.

"The day of reckoning is coming when the case is made in court that someone suffered great harm, in terms of actual costs and stress, during the time the theft remained a secret," Cobb says.

--Anne Saita

Despite its best efforts and spin control, ChoicePoint has joined the American lexicon as the next symbol of shoddy data protection. The Georgia-based data collector didn't suffer a traditional network hack. No firewall was bypassed. No AV subverted. No IDS tricked. Rather, a fraudulent scheme duped the processes that guarded the sensitive information of 145,000 people. It's an instance where a company's most precious asset was compromised because security and business managers failed to properly assess the risk of a business process. It's also an example of how a company's public disclosure of a security breach can quickly spin out of control once the mainstream media begins ripping into the story.

"I'm in awe of how this has gone to the dinner table," says ChoicePoint CISO Rich Baich. "It's not possible to assess the damage to our reputation." Baich bristles at headlines proclaiming the fraud perpetrated against ChoicePoint as the work of "hackers." With identity theft a sexy topic, the news media will latch on to a story like ChoicePoint's, which kept producing fresh details following an arrest and prosecution in the case in February, as well as the compulsory disclosure of the breach under California's Security Breach Information Act (SB 1386). Managing the message sent to shareholders and customers via the press has been paramount.

"The mislabeling of this event as a hack is killing ChoicePoint," says Baich. "It's such a negative impression that suggests we failed to provide adequate protection. Fraud happens every day. Hacks don't."

Regardless of the incident's true classification, or what the media calls it, ChoicePoint has quickly become a case study in the importance of an incident response plan that takes into account working with law enforcement, publicly disclosing breach information and dealing with overwhelming press coverage.

A Rich Target
More than 50 acquisitions since 1997 made ChoicePoint one of the richest repositories of American personal data. Social Security numbers, addresses, medical records, criminal rap sheets--you name it, chances are ChoicePoint had it stored in its databases. Firms like ChoicePoint, Lexis-Nexis and others sell this data to clients doing background checks on job and loan applicants and conducting criminal investigations.

CISOs like ChoicePoint's Baich understand how hackers, organized crime groups and scam artists covet that data. They also understand that no security control or business process is perfect, and that there may be days like the one last October when ChoicePoint's fraud detection systems found an anomaly in its public records group. Someone had figured out a way to beat the company's credential verification process and was setting up phony accounts to pilfer thousands of records.

This is the moment when the bottom drops out of a CISO's stomach--and it's worse for those who don't have a thorough and tested incident response plan in place.

"CISOs have to have a plan and make sure all aspects work," says Patrick Gray, director of X-Force operations for Internet Security Systems (ISS). "[During a crisis] isn't the time to create one. When an incident breaks, it's already too late."

Opinion: Security Isn't Just Technical
By: Michael Assante and Gerald Freese

It's ironic that ChoicePoint went out of its way to emphasize that it wasn't the victim of a "hack," as though the lack of a digital intrusion lessens the damage caused by identity thieves who circumvented its procedures.

ChoicePoint's failure to safeguard thousands of individuals' records was systemic. Once the fraudulent accounts were open, the identity thieves needn't have bothered trying to break through the layers of security devices and applications guarding ChoicePoint's data treasure trove.

The ChoicePoint incident underscores many companies' and security professionals' misplaced faith and inflated reliance on technology. We as security professionals do a reasonably good job of assessing threats and erecting technology-based barriers--firewalls, antivirus, IPS/IDS, access control, application checks, etc. What we stumble with is assessing business operations and exposure to risk, and guarding them against potentially devastating threats.

Defense-in-depth requires intimate knowledge of business drivers and continuous risk assessments. These have to be flexible enough to recognize the digital and human threats to the enterprise--threats with constantly changing exploitation methods and purposes. In today's business environment, even the most effective layered technical security architecture simply isn't enough.

Security professionals need to adopt a more holistic, operational approach to risk assessment. Instead of focusing exclusively on technology, we need to "operationalize" risk methodologies that incorporate process identification, analysis and hardening to help prevent compromises of integrity--regardless of the attack vector--to sustain core business processes and protect critical data.

ChoicePoint's apparent lack of understanding of the interdependencies between the business model, technology architecture and security infrastructure prevented it from conducting effective risk assessments and developing a meaningful mitigation strategy. And they're not alone. The disciplines of operational risk management and comprehensive security risk analysis are just beginning to mature.

The information security profession is in the midst of an accelerated evolution from its origins as a technology-centric backroom black art to an operational business necessity. Consequently, the security practitioner is evolving in parallel, increasingly aligning technical information protection initiatives with business needs and objectives.

These changes shift the focus of enterprise information security away from primarily reactive technical solutions to value-based technology implementations tied to business risks and requirements.


MICHAEL ASSANTE is CSO at American Electric Power. GERALD FREESE, CISSP, is managing director of information security at American Electric Power. Send your thoughts on this opinion column to feedback@infosecuritymag.com.

Follow the Plan
An incident response plan dictates who should handle incidents, and how to isolate and investigate breaches, restore systems to operation and harden the infrastructure against similar attacks. What's often missed or underestimated is how to control the flow of information outside the organization once a breach becomes public.

"If you look at the major disasters involving customer information, the biggest thing that slips through has been the miscalculation of the future impact," says Rebecca Whitener, an EDS fellow and its director of security and privacy. "Not fully understanding the kind of uproar that can occur when individuals are at risk, or when they feel their privacy or other valued rights have been threatened, really turns the tables."

Enterprises shouldn't downplay or misrepresent the severity of a breach, but instead be as straightforward as investigators will allow. In ChoicePoint's case, though the breach was discovered six months ago, investigators wouldn't allow public disclosure until after an arrest and conviction were made. ChoicePoint had a plan for dealing with the actual incident and followed it to the letter.

Its first move was to call the Los Angeles County sheriff's office and notify them of the breach. A sting eventually netted a 41-year-old Nigerian citizen, Olatunji Oluwatosin, living in Hollywood, who pleaded no contest to felony identity theft charges and was sentenced to 16 months in jail. Investigators say he's part of a ring that set up fraudulent accounts posing as check-cashing institutions and debt collectors to gain access to ChoicePoint's 19 billion records. The identities of approximately 750 individuals have been compromised.

ChoicePoint may have helped catch one of the bad guys involved, but its real challenge going forward is repairing its battered reputation.

SB 1386 forced ChoicePoint to publicly disclose the breach. The regulation, which several states and the federal government are considering emulating, requires companies doing business in California to disclose security breaches in which individuals' personal information may have been compromised (see "Disclosure Loopholes"). By following the law and admitting someone had compromised its data, ChoicePoint became the poster child for bad data gatekeepers.

"People are starving for this type of story because it's never disclosed," says Kevin Mandia of computer forensics firm Red Cliff Consulting. "Firms that have mature information security programs are ready for the media circus, no question. If you have a mature program, and if any threat becomes a reality, the plan kicks in. There's no question the CSO, general counsel--all are absolutely prepared for this."

Enterprises generally must be compelled by regulations or other outside pressure to publicly disclose a security breach. None want to become the next ChoicePoint. None want to see the value of their company's stock plummet almost $8 a share in three weeks as ChoicePoint's did.

Most would rather concentrate on how to properly respond to an incident, rather than explain away news stories that confuse network hacks with fraud and scams.

"You should probably rely on individuals who have the information available and can translate what's going on in an organization to the media," says EDS's Whitener. "One of the biggest issues companies face is inaccuracy. If communication is channeled through the appropriate person in an organization, inaccuracies are lessened."

Dry Runs Make Perfect
Delayed communication also delays remediation of a problem. So does an incident response plan that isn't put through its paces at least quarterly by teams that are assembled in advance and kept current.

Security managers can also take this opportunity to evaluate the data their company must protect. While a CSO must assess the data risks associated with information systems, vulnerabilities are often traced to people and processes.

Relying solely on technology to mitigate risk is foolhardy (see "Security Isn't Just Technical").

All of this is part of a comprehensive risk assessment, a crucial precursor to an incident response plan.

"If you're saying you have no time to run a drill like this," says ISS's Gray, "ask yourself if you're too busy to go out of business."

This was first published in March 2005