[Dataloss] confirming victims of data breaches?

DAIL, WILLARD A ADAIL at sunocoinc.com
Tue Jul 22 17:33:31 UTC 2008


The rule-of-thumb is that if you cannot positively rule something out of
scope for a breach, due care requires you to include it in the scope. 

I would argue that a company handling risky data should include the
possibility of a breach in its Business Continuity Plan.  A Breach
Response Plan (A Disaster Recovery plan that is customized to deal with
the possibility of a breach as opposed to a physical disaster) should be
developed for the data environment, and the concept of Maximum Tolerable
Downtime should be converted to Maximum Tolerable Breach Volume.  This
should be reviewed at least annually, and the assumptions should be
validated (for instance, the average cost of a breach, per record).

The company should then endeavor to ensure its logging and security
controls prevent any breach from exceeding the MTBV. This sounds pretty
difficult, but the use of file integrity monitoring, IDS and IPS
systems, good logging, and encryption will go far toward ensuring you
are not the "lowest hanging fruit".





-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Mike Simon
Sent: Tuesday, July 22, 2008 11:17 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] confirming victims of data breaches?


Interesting discussion, and great insight from each of you. One of the
problems I wrestle with is that one cannot always be clear about what
records were actually compromised. In a situation where (for example) a
hacker gains access to a transaction stream, the hacker doesn't get the
whole database, but just what flowed by while they had access. In that
case, it should be theoretically possible to notify only those persons
who's data was exposed during that window.

I'm usually all for broad notification and information sharing, but the
expenses of notification and remediation on a per-record basis could
mean the difference between a minor incident for the company and
bankruptcy. WRT this thread, as long as you have a handle on who's data
was exposed, you could certainly still respond to queries from
customers, but as was mentioned earlier, you would need extraordinary
means of authenticating the caller/inquirer so as to not further
compromise customers.

At some price point per record, it becomes cost effective to do the
analysis and notify only the affected rather than pay for notification,
credit monitoring and such for your whole database.

Mike Simon
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor
your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.


More information about the Dataloss mailing list