Thursday, January 1, 2009

SANS 2009 Security Predictions

The SANS Technology Institute has released version 1.7 of their 2009 Security Predictions.

Assorted experts from various fields collaborated to produce this collection about the future of security for computers, networks, and information.

It's a wide-ranging piece that frankly lost some focus as more data was collected. It's hard for me to find actionable intelligence for my day job in this compilation, but it's valuable as a digest of what's expected to transpire over the next twelve months.


One thread that I happen to agree with is a future-looking view that a significant data breach will occur at a firm shown to be PCI/DSS compliant.

As we learned in 2008, several breaches were reported via the Open Security Foundation Data Loss db that involved organizations with varying levels of PCI/DSS programs implemented.


Government regulation tends to be a trailing indicator of effective security and control. What typically happens is that a flurry of incidents becomes public, and the industries involved are slow to react, either by redesigning their programs or by re-evaluating the effectiveness of their controls. Politicians then clamor for regulations and directives to force widespread compliance with a set of requirements so cookie-cutter that they can't possibly be effective in companies of varying sizes, degrees of complexity, or breadth of information and infrastructure.


The number of reported data breaches hasn't been reduced, even after the introduction of significant regulation such as HIPAA, SOX, PCI, and others. Many regulations have been targeted to specific data sources or business types, which has led to irregular approaches to data privacy and protection tailored to meeting regulatory requirements rather than improving security posture.
Data Loss statistics indicate the following breakdown of incidents by industry type:
  • 36% business
  • 28% education
  • 24% government
  • 12% medical
HIPAA standards for the health care industry have been in effect for years, and some would like to point to the 12% as evidence that the focus has worked. However, are we certain that all breaches are being reported, or has the increased attention simply made hospital administrators and other professionals more careful about what they release publicly?

Massive breaches at companies like TJMaxx (45.7 million credit card numbers and transactions), the US Dept. of Veterans Affairs (26.5 million veterans' personal information stolen) and Hannaford (4.2 million credit and debit card numbers exposed) get all the attention, but there are substantially more people affected by the thousands of other breaches that, if made public at all, drop from the media's radar within hours.


Hannaford's breach occurred in 2008, and one of their first statements of defense was that they were PCI compliant. They soon dropped that approach when it failed to buy them any measure of sympathy from an outraged public, indignant security professionals, or embarrassed government officials who designed PCI in an incestuous partnership with the credit card industry.

In October 2008, Brian Krebs reported in his Security Fix blog that The Identity Theft Resource Center found that 2008's data breach tally had already exceeded 2007's 446 incidents, with at least 680 breaches predicted by the end of the year. 30 million customer records had been exposed through October.

There are differing explanations for these results, depending on which group of experts you're dealing with. Some believe the issue is simply that there are more breaches. Others opine that organizations are getting better at detecting breaches - not preventing them, which should be the goal, but detecting them. The third explanation is that more organizations are complying with state data breach notification laws.

Regardless of the explanation, it's clear that we're not seeing a statistically significant improvement in the privacy and protection of information. There's too much data being retained, too little documentation on where the information is located, how it's protected, and who has access to it, and too little attention paid to destroying data when it's no longer needed for legitimate purposes.


