Friday, August 6, 2010

DBR600RR - The Verizoning

I admit I genuinely enjoyed the latest Data Breach Report, courtesy of the stalwart boffins at Verizon Business. My personal benchmark of genuineness is derived from my ability to almost immediately put it to use in my job. Nonetheless, I'd like to see the data hashed up one more way.

The following quotes are from page 14:

"Though we do not assert that the full impact of a breach is limited to the number of records compromised, it is a measurable indicator of it."

“There is not a linear relationship between frequency and impact; harm done by external agents far outweighs that done by insiders and partners. This is true for Verizon and for the USSS and true for this year and in years past  … We could provide commentary to Figure 9, but what could it possibly add? If a chart in this report speaks with more clarity and finality we aren’t sure what it is.”
I’ll tell you what you can add, 'cause I’m that way. And the suggestion comes from the assumption that records = impact. I'm groovy with the assumption that the number of records compromised is a measurable indicator for the top three categories of records listed in Fig. 31 on page 41 (regulated data that requires breach disclosure). However, it seems that an incident involving the theft of proprietary source code, non-public financial statements, trade secrets, or whatever else comes under the umbrella of "data breach" is counted as a single record, just as one credit card transaction record counts as one record.

I'd like to see the PCI DSS and PII/PHI database breaches broken out from the other (information property, trade secret, national security) breaches. Looking at the data where they are detailed (p. 41), there are not a whole lot of them. Based on the statement on page 18, viz.:
”It is worth noting that while executives and upper management were not responsible for many breaches, IP and other sensitive corporate information was usually the intended target when they were.”  
NPI/PII/PHI mandatory-disclosure-type breaches may be characterized by a different set of threats, impacts, and frequencies, and require a differing set of corresponding controls than the breaches associated with occupational fraud. Yeah, I said "fraud," not "insider." And I'd like to keep on saying "fraud" until I'm comfortable that the internal controls over non-regulated data are targeted at management override rather than external organized crime. Is organized crime recruiting from the sysadmins and call centers? Or is the insider a fraud (corruption/breach of fiduciary duty) issue? A little help and we'll all be safer.

(I personally believe in Solove's assertion that management should have a fiduciary duty to the privacy of data, but from what I've seen, we ain't there yet, and it is still all about compliance.)

On a side note, the other category of data - authentication credentials - interests me.  Do bad guys just stop at root?  Or do they start at root?  Do the executives/upper management types rely on their organizational credentials, or do they use their authority to con an underling to hand them over?  I've got the anecdotes, but I'd like the data.

Some other comments:
Figure 27 (p38) – People?  A person is a compromised asset and contains records?  I’m not sure I follow the taxonomy (or is it  taxidermy?) here.
P 40 and 41 – Thanks!  These charts help quite a bit in understanding the data.
Fig. 35 (p46) is not only hard on my eyes, but on my brain. Why is the scale broken into non-proportional time units? Does the data naturally break down this way? A continuous timeline would give me more confidence in how stuff happens. It tapers off dramatically since each “timespan” is considerably bigger than the previous one. My brain could handle a logarithmic scale, but 60 / 12 / 7 / 4 / 12 / (sideways eight) is kinda hard. I’m a simple country auditor, dadgummit. The accompanying text
“In over 60% of breaches investigated in 2009, it took days or longer for the attacker to successfully compromise data.”  
is not fully illustrated in the graph (to my humble eyes). Also, it could be more informative. (e. to the extreme g., my kitchen remodel is taking "days or longer" and yet, three months later, the fridge is in the living room. But my bourbon is appropriately iced! (This is a footnote, really, rather than a parenthetical, so there you go.))
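To make the scale complaint concrete, here is a small Python script, added for this post and not taken from the report or from Verizon, that bins time-to-compromise durations two ways: the way the post reads Fig. 35 (minutes / hours / days / weeks / months / years, each bucket a different multiple of the one before it) and on an evenly spaced log10 axis, and then computes the "days or longer" share that the quoted sentence refers to. The bucket boundaries (a 30-day month, a 365-day year) and the sample durations are my own assumptions, not DBIR data.

```python
"""Rebin time-to-compromise durations two ways: the report-style unit
buckets (minutes, hours, days, ...) and an evenly spaced log10 scale.
Added example for this post; the sample durations are constructed, not DBIR data."""
import math
from collections import Counter

# Assumed unit lengths: a 30-day month and a 365-day year.
SECONDS_PER = {
    "minute": 60, "hour": 3600, "day": 86400,
    "week": 7 * 86400, "month": 30 * 86400, "year": 365 * 86400,
}

# Upper bound (exclusive, in seconds) of each unit-style bucket, in the order
# the post reads them off Fig. 35. Each bucket is a different multiple of the
# one before it, which is what makes the axis non-proportional.
UNIT_BUCKETS = [
    ("seconds", SECONDS_PER["minute"]),
    ("minutes", SECONDS_PER["hour"]),
    ("hours", SECONDS_PER["day"]),
    ("days", SECONDS_PER["week"]),
    ("weeks", SECONDS_PER["month"]),
    ("months", SECONDS_PER["year"]),
    ("years", math.inf),
]


def unit_bucket(seconds):
    """Name of the unit-style bucket a duration (in seconds) falls in."""
    for name, upper in UNIT_BUCKETS:
        if seconds < upper:
            return name
    return "years"


def unit_bucket_widths():
    """Width in seconds of each finite unit bucket: 60, 3540, 82800, ..."""
    widths, lower = [], 0
    for name, upper in UNIT_BUCKETS:
        if math.isinf(upper):
            break
        widths.append((name, upper - lower))
        lower = upper
    return widths


def log_bucket(seconds):
    """Power-of-ten decade containing the duration: equal width on a log axis."""
    exp = math.floor(math.log10(max(seconds, 1)))
    return f"1e{exp}-1e{exp + 1} s"


def histogram(durations, bucket_fn):
    """Count durations per bucket under the given binning function."""
    return Counter(bucket_fn(d) for d in durations)


def share_at_least(durations, unit):
    """Fraction of durations at or above one unit, e.g. 'days or longer'."""
    threshold = SECONDS_PER[unit]
    return sum(1 for d in durations if d >= threshold) / len(durations)


# Constructed time-to-compromise sample (seconds); not the report's data.
SAMPLE_DURATIONS = [
    5, 40,                                   # seconds
    180, 2700,                               # minutes
    7200, 36000, 72000,                      # hours
    129600, 259200, 345600, 518400,          # days
    864000, 1728000,                         # weeks
    3888000, 8640000, 17280000,              # months
    34560000, 63072000,                      # years
]

if __name__ == "__main__":
    n = len(SAMPLE_DURATIONS)
    by_unit = histogram(SAMPLE_DURATIONS, unit_bucket)
    print("Unit-style buckets (non-proportional widths):")
    for name, _ in UNIT_BUCKETS:
        c = by_unit[name]
        print(f"  {name:>8} {'#' * c:<6} {100 * c / n:5.1f}%")
    print("Bucket widths in seconds:", unit_bucket_widths())
    print("Log10 buckets (equal widths on a log axis):")
    for key, c in sorted(histogram(SAMPLE_DURATIONS, log_bucket).items()):
        print(f"  {key:>10} {'#' * c:<6} {100 * c / n:5.1f}%")
    print(f"days or longer: {100 * share_at_least(SAMPLE_DURATIONS, 'day'):.1f}%")
```

Run as a script it prints both histograms side by side; the unit-style one bunches the long tail into three fat buckets while the log10 one spreads the same eighteen durations over eight equal-width decades, which is the difference the post is asking the chart to show. The widths printed by `unit_bucket_widths()` are the 60 / 24 / 7 / ~4 / 12 jumps the post complains about, expressed in seconds.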

Good thing the follow-up on page 50 struck me like a diamond, a diamond bullet right through my forehead:
“Internal audit methods—both financial and technical—are the bright spot in all of this.”
Yeah! Give the auditor some!  

(Image of Roger Lee Hayden's Moto2 Moriwaki Amerigasm courtesy of Motorcycle News, American Honda and USA! USA! USA! because a) it is not wholly unlike a CBR600RR and CBR sounds like DBR, b) all information security can be seen as a metaphor for motorcycle roadracing (technology, engineering, empiricism, piloted by moody irrational egomaniacs who are only in it for the birds & booze) and c) it looks totally awesome! Porkchop better clean the clock of some euro trash come Indy, what with big ol' #34 plastered on the fairing.)