[Dataloss] rant: Abandon Ship! Data Loss Ahoy!

Adam Shostack adam at homeport.org
Wed Mar 19 19:26:39 UTC 2008


My understanding is that companies already report, under a plethora of
rules, including 1386 and co, SOX, and others.  My understanding is
also that liability is incurred at the point of breach of duty.

I think that the additional risk is small--it's becoming clear to me
that current practices are not correlated with breach prevention, and
we need more data about what works and what doesn't.  Of course, I'm
not the one disclosing, so that's easy for me to say.

If there's additional risk, then it becomes a public policy discussion
of the possible value of data versus the costs and shapes of liability
protection for those who disclose.


Adam

On Wed, Mar 19, 2008 at 11:22:14AM -0700, Klein, Jonathan wrote:
| You're not going to get companies to report for one reason: LIABILITY
| 
| If corporations report incidents in detail, they could subject
| themselves to additional lawsuits or larger plaintiff awards based on
| the disclosures. Lawyers could try to use the information to prove gross
| negligence on the part of the corporation. You'd be lucky to get any
| kind of information about the details of a breach through legal
| disclosure, much less through voluntary reporting.
| 
| Corporations don't want to be good "netizens." They are in the business
| of making money and providing full details about a breach is not in
| their best interests and provides them little to no benefit. 
| 
| Jonathan Klein
| Regional Security Director - North Region
| Calence, LLC
| www.calence.com
| 
| 
| -----Original Message-----
| From: dataloss-bounces at attrition.org
| [mailto:dataloss-bounces at attrition.org] On Behalf Of Adam Shostack
| Sent: Wednesday, March 19, 2008 1:47 PM
| To: Mark Simon
| Cc: dataloss at attrition.org
| Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
| 
| I agree with you, but I'll go further.  
| 
| First and foremost, it's generally not that embarrassing.  With 900+
| incidents in the DLDOS, and 14000 Federal incidents according to the
| latest GAO report, it is now clear we have a problem which is beyond
| one organization.
| 
| Organizations should talk about what went wrong in some level of
| detail.  New reporting forms, subject to FOIA requests, are already
| asking for this.  Anonymization prevents in-depth follow-on research,
| 
| What we need to do is (1) overcome the perception of embarrassment and
| (2) figure out if there's any real risk in publishing more in-depth
| information.  My expectation is there is not.
| 
| (Andrew and I talk about this in some depth in The New School of
| Information Security.)
| 
| Adam
| 
| On Wed, Mar 19, 2008 at 10:45:56AM -0500, Mark Simon wrote:
| | The false sense of comfort with various security products is due to the
| | lack of transparency concerning breach occurrences.  It is the rare case
| | where an exploited vulnerability is identified and described in detail
| | for the public.
| | 
| | As embarrassing as it may be, we need to share more details about breach
| | incidents.  Organizations should be encouraged to redact and anonymously
| | publish post-incident reports so the public, including other information
| | security professionals, can learn about security tools that have failed
| | to help TJX and many others prevent or earlier uncover intruder
| | activities.
| | 
| | It would also help if trusted organizations, such as US-CERT, would
| | provide anonymity and publication facilities allowing organizations to
| | report details concerning breach occurrences.   Congress passed the
| | Communications Decency Act (CDA) in 1996. The Act contains language
| | under the heading - Protection for Good Samaritan blocking and screening
| | of offensive material - which provides, "No provider or user of an
| | interactive computer service shall be treated as the publisher or
| | speaker of any information provided by another information content
| | provider."  CDA 230 further provides that "[n]o cause of action may be
| | brought and no liability may be imposed under any State or local law
| | that is inconsistent with this section." 
| | 
| | So, find a publisher and get publishing.
| | 
| | Mark.
| | 
| | --
| | Mark S. Simon, Director of Regulatory Compliance Consulting 
| | Eclipsecurity, LLC
| | Mobile: (224) 612-3101
| | Office: (847) 850-5088
| | Toll Free: (877) 369-5331
| | 
| | www.eclipsecurityLLC.com
| | 
| | 
| | Lock-in success.  Because information travels...
| | 
| | 
| | The information contained in this message may be CONFIDENTIAL and is for
| | the intended addressee only. Any unauthorized use, dissemination of the
| | information or copying of this message is prohibited. If you are not the
| | intended addressee, please notify the sender immediately and delete this
| | message.
| | 
| |  
| | 
| | 
| | -----Original Message-----
| | From: dataloss-bounces at attrition.org
| | [mailto:dataloss-bounces at attrition.org] On Behalf Of Jamie C. Pole
| | Sent: Tuesday, March 18, 2008 8:57 PM
| | To: dataloss at attrition.org
| | Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
| | 
| | 
| | Yup.  And does anyone doubt that a company using Qualys would be in the
| | same boat?
| | 
| | All of these vendors that sell non-functioning crapware are seriously
| | damaging the efficacy of online commerce moving forward.  They sell a
| | false sense of security.  Nothing more.  PCI compliance in a box?
| | Yeah, right...
| | 
| | Then again, Visa is also very much to blame.  Until Visa gets serious
| | about PCI compliance and starts certifying expert security
| | practitioners, rather than clueless companies with big checkbooks, this
| | is just going to keep happening over and over again.  Visa should be
| | paying expert security practitioners to do PCI compliance assessments,
| | rather than having the big consulting companies pay THEM for the
| | privilege of saying they are certified to conduct PCI assessments.
| | 
| | All of these automated vulnerability assessment processes achieve the
| | same result - they identify only the lowest of the low-hanging fruit.
| | Automated tools might identify the exposures that script kiddies are
| | looking for, but they most certainly can't identify the exposures that
| | motivated and competent hackers are looking for.  Show me an automated
| | tool that can identify vulnerabilities that are contingent on the
| | successful exploit of other vulnerabilities, and I just might change my
| | mind.  I'm not going to hold my breath, because companies are too
| | wrapped up in buying automated scans for $19.99 per host.  As we can
| | see, they always get exactly what they pay for.  What exactly do they
| | think they are buying??
| | 
| | What's even worse is that there are "security consultants" running
| | around telling the world that they base their entire vulnerability
| | assessment offering on some of these useless tools.
| | 
| | Oh, well...
| | 
| | Jamie
| | 
| | 
| | 
| | On Mar 18, 2008, at 8:53 PM, lyger wrote:
| | 
| | >
| | > http://attrition.org/security/rant/z/rapid7.html
| | >
| | > Tue Mar 18 16:10:57 EST 2008
| | > d2d
| | >
| | > You are a security vendor. You sell the mightiest security doohickey
| | > the world has ever seen. It does it all, including "...ensuring your
| | > network is safe from hackers..." and amazingly it "...scans for Web
| | > site and database vulnerabilities that hackers can use to capture
| | > credit card information without you being aware". Since your doohickey
| | > does what no others have ever successfully managed to do, you can tout
| | > your client list proudly, and pimp your customer implementations
| | > liberally.
| | >
| | > UNTIL...
| | >
| | > One of your customers joins the etiolated top 10 with a massive hacker
| | > perpetrated data loss incident.
| | >
| | > OUCH.
| | >
| | > [...]
| | > _______________________________________________
| | > Dataloss Mailing List (dataloss at attrition.org) 
| | > http://attrition.org/dataloss
| | >
| | > Tenable Network Security offers data leakage and compliance monitoring
| | > solutions for large and small networks. Scan your network and monitor
| | > your traffic to find the data needing protection before it leaks out!
| | > http://www.tenablesecurity.com/products/compliance.shtml
| | >
| | 
| 
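The point raised in Jamie Pole's quoted message, that some exposures are contingent on the successful exploit of another vulnerability and so sit outside what a single unauthenticated scan can report, can be made concrete with a small attack-path search. The code below is an added example written for this page; it is not code from the thread, from attrition.org, or from any vendor named in it. The host names, trust edges and vulnerability identifiers (dmz-web, app-db, WEB-SQLI, DB-DEFAULT-CREDS) are constructed sample data, and the privilege model (network, user, admin) is a simplification assumed for the example.

```python
"""Attack-path enumeration over a constructed network model.

Added example, not from the Dataloss thread. Hosts, vulnerabilities and
trust edges below are constructed sample data, not a real network.
"""
from collections import deque

# Constructed model. For each host: which hosts can reach it on the network
# ("reachable_from") and which vulnerabilities it carries. A vulnerability's
# "needs" is the privilege the attacker must already hold on a host that can
# reach this one; "gives" is the privilege gained on this host.
HOSTS = {
    "internet": {"reachable_from": set(), "vulns": []},
    "dmz-web": {
        "reachable_from": {"internet"},
        "vulns": [
            # Exploitable by an unauthenticated outsider: what a scan finds.
            {"id": "WEB-SQLI", "needs": "network", "gives": "user"},
        ],
    },
    "app-db": {
        "reachable_from": {"dmz-web"},
        "vulns": [
            # Only usable after a foothold on a host that can reach the
            # database segment: the contingent exposure.
            {"id": "DB-DEFAULT-CREDS", "needs": "user", "gives": "admin"},
        ],
    },
}

PRIV_RANK = {"network": 0, "user": 1, "admin": 2}


def find_attack_paths(hosts, start=("internet", "user")):
    """Breadth-first search over footholds.

    A foothold is (host, privilege). A vulnerability on host H is usable
    when the attacker already holds a foothold on some host S that can
    reach H, with privilege at least the vuln's "needs". Returns the
    shortest exploit chain (list of vuln ids) leading to each foothold.
    """
    chains = {start: []}
    queue = deque([start])
    while queue:
        src_host, src_priv = queue.popleft()
        for host, info in hosts.items():
            if src_host not in info["reachable_from"]:
                continue
            for vuln in info["vulns"]:
                if PRIV_RANK[src_priv] < PRIV_RANK[vuln["needs"]]:
                    continue
                target = (host, vuln["gives"])
                if target in chains:
                    continue  # already reached by a chain at least as short
                chains[target] = chains[(src_host, src_priv)] + [vuln["id"]]
                queue.append(target)
    return chains


def scanner_view(hosts, vantage="internet"):
    """What an unauthenticated scan launched from `vantage` reports:
    vulnerabilities on hosts it reaches directly whose only precondition
    is network access. Nothing behind a first compromise is visible."""
    found = []
    for host, info in hosts.items():
        if vantage in info["reachable_from"]:
            found.extend(v["id"] for v in info["vulns"]
                         if v["needs"] == "network")
    return found


def contingent_exposures(hosts, vantage="internet"):
    """Vulnerabilities that appear in some attack path from `vantage` but
    are absent from the single-vantage scan: reachable only by chaining."""
    scanned = set(scanner_view(hosts, vantage))
    chains = find_attack_paths(hosts, (vantage, "user"))
    chained = {vid for chain in chains.values() for vid in chain}
    return sorted(chained - scanned)


if __name__ == "__main__":
    print("scan from internet sees:", scanner_view(HOSTS))
    for foothold, chain in find_attack_paths(HOSTS).items():
        print(foothold, "via", chain)
    print("contingent exposures:", contingent_exposures(HOSTS))
```

On the constructed model, the scan from the internet vantage reports only WEB-SQLI, while the path search reaches admin on app-db through the two-step chain WEB-SQLI then DB-DEFAULT-CREDS; the difference is the exposure a one-hop, single-vantage scan structurally cannot see, whichever product produced it. The same search runs unchanged on a larger model, since it is plain reachability over footholds; what it needs, and what a scanner does not collect, is the trust edges and credential relationships between hosts.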


