With data breach disclosure laws now in place in almost every state and the introduction of the first nationwide law specific to health care information, the news is filled with reports of data breaches.
With few exceptions, these reports focus on the simple fact that there was a security gap and then ultimately question the corporate competency of the affected organization, spurring rumors of what the company did wrong. This approach is overwhelmingly negative and indicative of a trend called “breach-shaming.” By and large, this trend impedes forward progress in preventing such incidents in the future and leaves consumers worrying — often unnecessarily — without educating them on proactive steps they can take to protect their data, or even how at risk they actually are.
Instead of shaming (and counter-shaming), we need more effective, positive-plus-negative and analytical public conversations about breaches. Only in this way can we create an opportunity to evolve security practices. Specifically, we need to be discussing the following questions:
What was the sophistication level of the attack?
The sophistication level of an attack is a key indicator of how the breach will impact ever-evolving security best practices. This information will move the conversation away from a blanket description of negligence to a more proactive discussion of how the threat landscape is evolving. It also allows for more accurate measurement of how well the security industry is doing as a whole.
For example, breaches that occur due to a SQL injection attack indicate negligence based on the absence of what should now be basic security defenses. Breaches such as eBay's recent incident required direct targeting and a high degree of effort and provide helpful indicators of how security practices need to evolve.
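The SQL injection point above is worth making concrete. The following is an added illustration, not code from the article or from any of the companies it names: it builds a constructed, in-memory SQLite table with a hypothetical user and shows a login query assembled by string concatenation next to the same query using bound parameters, which is the basic defense the text says should be in place.

```python
import sqlite3


def build_db():
    """Constructed sample table for the demo; no real account data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return conn


def login_vulnerable(conn, username, password_hash):
    """Concatenation: user input is parsed as part of the SQL statement."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password_hash):
    """Placeholders: the driver binds input as data, never as SQL grammar."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


def compare(username, password_hash):
    """Run both versions against the same input and report the two outcomes."""
    conn = build_db()
    return (login_vulnerable(conn, username, password_hash),
            login_parameterized(conn, username, password_hash))


if __name__ == "__main__":
    # Legitimate credentials succeed either way
    print(compare("alice", "hash-of-alice-pw"))
    # A crafted username that comments out the password check: only the
    # concatenated version lets it through, the parameterized one rejects it
    print(compare("alice' --", "wrong"))
```

The second `compare` call is the whole argument: the same crafted input that bypasses the password check in the concatenated query is treated as a literal username by the parameterized one and finds no row. Code review or a static scanner that flags string-built SQL is a cheap, well-established control, which is why the article classes this breach type as negligence rather than sophistication.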
What is the actual risk to the individuals whose data was breached?
Delivering post-breach messages to consumers is scary. Their data was hacked; they feel violated. Providing proactive guidance and a risk analysis in terms that consumers can understand will drive greater consumer confidence and a stronger consumer security awareness when using online services, resulting in a more secure Internet overall.
For example, let's weigh the impact on Neiman Marcus customers during the company's recent breach against the also recent Snapchat breach. The former exposed credit card information and the latter exposed usernames and phone numbers. The risk to Neiman Marcus customers was much higher than that of Snapchat users – posing potential credit card fraud and identity theft – and thus required different actions on the part of the company and end users. The Snapchat breach posed far less immediate potential risk.
Ultimately educating consumers about their unique risk will lower the possibility of fraud and drive a more security-conscious, enlightened world wide web.
What protections were in place that reduced the impact of the attack?
We're hindering progress by not asking this question because it ignores the measures that are working to minimize breaches. Let's go back once again to the eBay breach. While PCI DSS has gotten a lot of flak for not “guaranteeing” security, the requirement to segment the payment network worked here.
No credit card data was breached. Perimeter and database security also appeared to be intact and forced the attackers into the high-effort route of credential theft, probably through spear phishing. Discussing what went right also helps develop, and raises awareness of, newer and less utilized best practices.
What protections were in place that didn't make a difference?
Discussing what didn't work during an attack also helps evolve defense-in-depth measures as attack techniques evolve. Going back to eBay again, we know that the database was encrypted. While encryption of sensitive customer information is extremely important, this breach emphasizes the importance of defense in depth. Encryption is only as good as the controls over the decryption command, and in this case it was circumvented.
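The sentence about controls over the decryption command is the part practitioners tend to skip. The following is an added example, not eBay's code or anything the article describes in detail: it wraps the decrypt call in a service that checks the caller's role, rate-limits decryptions per principal and writes an audit record for every attempt. The cipher underneath is a deliberately simple hash-based keystream standing in for a real authenticated cipher, so that the example runs with the standard library alone; the roles, principal names and limits are all constructed for the demo.

```python
import hashlib
import os
from collections import defaultdict

# Constructed demo key; a real deployment would hold this in an HSM or KMS
SECRET_KEY = os.urandom(32)
NONCE_LEN = 16


def _keystream(key, nonce, length):
    """Toy keystream (SHA-256 counter mode). Stand-in only, NOT a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def raw_decrypt(key, blob):
    """The bare decryption primitive. Nothing here asks who is calling."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class DecryptionService:
    """Controls around the decrypt call: who may invoke it, how often, and an audit trail.

    decrypt() returns (status, plaintext). Status is "OK", "DENIED_ROLE" or
    "DENIED_RATE"; plaintext is None unless the status is "OK".
    """

    def __init__(self, key, allowed_roles, max_per_minute):
        self._key = key
        self.allowed_roles = set(allowed_roles)
        self.max_per_minute = max_per_minute
        self.audit_log = []            # (timestamp, principal, status)
        self._calls = defaultdict(list)

    def decrypt(self, principal, role, blob, now):
        # 1. Authorization: only designated roles may decrypt at all
        if role not in self.allowed_roles:
            self.audit_log.append((now, principal, "DENIED_ROLE"))
            return "DENIED_ROLE", None
        # 2. Rate limit: a stolen but valid credential cannot bulk-dump records
        window = [t for t in self._calls[principal] if now - t < 60]
        if len(window) >= self.max_per_minute:
            self.audit_log.append((now, principal, "DENIED_RATE"))
            return "DENIED_RATE", None
        window.append(now)
        self._calls[principal] = window
        # 3. Audit: every successful decryption is recorded for monitoring
        self.audit_log.append((now, principal, "OK"))
        return "OK", raw_decrypt(self._key, blob)


if __name__ == "__main__":
    blob = encrypt(SECRET_KEY, b"constructed customer record")
    svc = DecryptionService(SECRET_KEY, {"payments-service"}, max_per_minute=2)
    print(svc.decrypt("svc-1", "payments-service", blob, now=0.0))
    print(svc.decrypt("svc-1", "payments-service", blob, now=1.0))
    print(svc.decrypt("svc-1", "payments-service", blob, now=2.0))   # rate limited
    print(svc.decrypt("admin-7", "helpdesk", blob, now=3.0))          # wrong role
    print(svc.audit_log)
```

The point is in the third and fourth calls: the data is still encrypted at rest, but a caller holding a valid credential is stopped from decrypting in bulk, and a caller outside the allowed roles is stopped entirely, with both attempts landing in the audit log where a monitoring program can pick them up. Encryption that is reachable through an unconstrained `raw_decrypt` offers none of that once the credential is gone.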
What additional controls could have stopped or further minimized the breach?
There are often strong security reasons for why specific details of breaches aren't shared, but there needs to be more discussion of the controls that could have prevented the breach. How did the monitoring program need to be tuned to more rapidly identify the breach? In the new case of administrator credential theft through malware, is two-factor authentication needed to stop it? Can we give employees stronger guidelines to reduce the risk of social engineering through controls over LinkedIn and other social networking sites? And finally, how can we make post-breach remediation easier (for example, forced password changes)?

At the end of the day, if you're not progressing you're regressing. The way we currently discuss data breaches is hindering the industry's ability to improve security and prevent future attacks. The development of a model, or at the very least an ideology, in which data breaches are discussed in a consistent manner — including the details that would come from asking (and answering) the questions presented here — will move the data breach discussion from hype to proactive forward progress.