2009 Verizon Breach Report

April 27, 2009

I read through the 2009 Verizon Breach Report on 4/17 on a plane from Columbus, OH to Washington DC. Below are my thoughts regarding some of the report’s content I found to be noteworthy.

Page 10 – Insider Threat. I really appreciate how they differentiated between insiders acting alone versus insiders being used as unknowing attack vectors. All too often we hear “insider threat” and assume these individuals are all malicious. For information security risk professionals – do not be afraid to ask your leadership or general counsel teams if this occurs within your organization – especially given the current economic climate. While I am not one to predict, it will be interesting to see the numbers next year for this threat community.

Page 11 – Measuring Central Tendency. Yes, yes, yes (almost a Herbal Essences moment) – statistics being used properly. As part of a risk quantification effort I am leading, I have also observed numerous instances where skewed data made the median a much more valuable variable to react to than the mean. While on the surface it sounds boring and border-line splitting hairs – the differences between these two can have a tremendous impact on decisions related to them.
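As an added illustration (my own script, not code from the report or the Verizon team), here is a short Python check of the mean-versus-median point: the breach sizes and discovery times are constructed, right-skewed sample values, not figures from the report, and inflating the single largest observation moves the mean but leaves the median untouched.

```python
"""Mean vs. median on skewed breach data (added illustration, not from the report)."""
from statistics import mean, median

# Constructed sample: records compromised per breach. Most breaches are small;
# one very large breach skews the distribution to the right (assumed values,
# not figures from the Verizon report).
RECORDS_PER_BREACH = [120, 340, 85, 2_100, 560, 15, 900, 45_000_000, 1_300, 220]

# Constructed sample: days from compromise to discovery (assumed values).
DAYS_TO_DISCOVERY = [3, 14, 45, 7, 180, 21, 400, 9, 60, 12]


def central_tendency(values):
    """Return mean, median and the mean/median ratio as a skew indicator.

    A ratio far from 1.0 means outliers are dragging the mean away from the
    typical case, so decisions should key off the median instead.
    """
    m = mean(values)
    md = median(values)
    return {"mean": m, "median": md, "ratio": m / md}


def median_is_robust(values, factor=10):
    """Multiply the largest observation by `factor` and report which statistic moved.

    Shows why the median is the safer statistic to react to when a single
    outlier can dominate the data set.
    """
    inflated = sorted(values)
    inflated[-1] *= factor
    before, after = central_tendency(values), central_tendency(inflated)
    return {
        "mean_changed": after["mean"] != before["mean"],
        "median_changed": after["median"] != before["median"],
    }


if __name__ == "__main__":
    for label, data in (("records", RECORDS_PER_BREACH), ("days", DAYS_TO_DISCOVERY)):
        ct = central_tendency(data)
        print(f"{label}: mean={ct['mean']:.1f} median={ct['median']:.1f} ratio={ct['ratio']:.2f}")
        print(f"{label}: {median_is_robust(data)}")
```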

Page 12 – External Breach Sources. Let’s talk about preventive controls – IP blocking. I know, easier said than done – but it is still a tool available to us. Not 100% bulletproof – but it is another defense measure that we should not discount.

Page 29 – Target of Choice vs. Target of Opportunity. This concept of determining if you are a “target of choice” versus a “target of opportunity” can factor into “threat event frequency” – how often a threat agent attempts to attack your asset and attempts to overcome its control resistance. In addition, these considerations may also help you determine the threat capability of the attacker. For example, an attacker targeting a “target of choice” may have higher skills, more time, and different motives than an attacker that happens to stumble upon a “target of opportunity”. What type of target you are will probably vary depending on the application, company, and industry. Regardless, this is a great and effective mental exercise to perform.

Page 35 – Time Span of Breach Events. Awesome stuff in this section. From a risk perspective – this type of information can be used to analyze potential impact should a breach occur. However, the report does not correlate time span of compromise to breach size – so one should not assume that the longer a breach goes undetected the bigger the impact. Regardless, there are still reputation implications that should not be discounted. If it takes a large organization weeks or months to discover something – how does that make consumers feel about that organization? In a risk assessment, time span between “compromise to discovery” could be a valuable contributing factor to document; it will obviously vary from scenario to scenario.

Page 38 – Breach Discovery Methods. I labeled this section in my notes “the forgotten detective control”. This section has really challenged my mindset on how I think of third parties as a detective security control. Let’s face it – we don’t want third parties to be a security control – at least not the control we respond to first. We often think of security controls as those things we have direct control over. In some cases, third parties may be a more cost-effective control than those security controls in our own environment. I would submit that how an organization responds to third-party detection alerts is very important in the consumer’s mind. I am sure there are philosophical debates on this concept. I need to force myself to consider this type of security control moving forward.

** NOTE ** A great blog I keep an eye on, regarding how companies react to “situations”, is called the BulletProofBlog – by Levick Strategic Communications. Even though this blog is not security related – there are quite a few posts on reputation and the public’s perception when companies are faced with a public relations crisis. Check out their post regarding the recent Domino’s Pizza ordeal.

Overall – I thought the Verizon Business RISK Team did an outstanding job on this report. This was information sharing in the purest sense with no underlying security vendor / security product FUD.


PCI Treatment

April 2, 2009


Once again, I am pushing the limits of decency.

Some of my co-workers have been expressing their sarcasm about my deep involvement with an internal PCI program. Why? Because some of them have had to take on non-PCI-related projects that typically would have fallen in my court.

One of them has been making statements about PCI and how it hurts.

Another got creative and sent me a potential PCI antidote / treatment.

My teammates are awesome!