Yes, I will mention this post in tomorrow’s seminar on data breach! “Who’s Gonna Get It?”

This is one of my favorite and my most popular posts ever — and you better believe I will find a way to mention it to this group of CEOs to help them understand why it is important to take seriously the data security threat!

Data Breach – Who’s Gonna Get It? | business cyber risk | law blog.

 

“Defense wins championships” when preparing for the inevitable data breach

“The best strategy to manage the inevitable data breach of your enterprise is to be prepared.” -Adam Greenberg, SC Magazine

Exactly–you must prepare on 2 fronts: Defense & Response

In a recent article in SC Magazine, Adam Greenberg marches along faithfully with many of us in trying to get you, the business leader, to appreciate the severe risk that data breaches pose to your business. He starts by repeating the old data breach proverb, “It is not a matter of if, but when,” which readers of this site have heard many times before.

It is now a given that every enterprise either already has been, or will be, the victim of a data breach. It’s just life in the digital age, get used to it.

More importantly, prepare for it. A data breach can be either (1) a catastrophic event that threatens the very existence of your enterprise, or (2) just another adversity that your enterprise faces, manages, and learns from along its journey to success.

The choice is yours and is determined by whether you stick your head in the sand and ignore the risk or prepare for it. The first step you must take is to decide that you will not ignore this threat and that you will prepare for it. This is the most difficult step for many business leaders but, once we get past it, we start making progress.

Preparing for a data breach requires preparing a defensive strategy and a responsive strategy.

Preparing to Defend

-Defense Wins Championships-“Offense sells tickets; Defense wins championships” -Coach Paul “Bear” Bryant Jr.

When we talk about preparing for a data breach, some people jump the gun and start thinking about how they will respond. This loses sight of the primary objective–your duty–PROTECTING THE DATA which, necessarily, requires defending your system.

The top priority for your enterprise is to take steps to assess and strengthen its cyber security posture. Then, the deficiencies that are identified must be corrected (there are always deficiencies). And don’t forget to document the steps that are taken (here is why).

Preparing to Respond

After you have prepared your defensive strategy, the next step is to prepare for responding to the inevitable data breach. Every enterprise needs a data breach response strategy that is documented in a written breach response plan (here is why).

The breach response plan needs to be comprehensive, readily accessible in an emergency, and everyone needs to be trained on their roles in the plan. You can read more about breach response plans here.

Fortunately, this process is not as intimidating as it may sound. The most difficult part is that you must decide that you will make sure your enterprise is prepared for this risk. After you make that decision, a qualified adviser who has helped other enterprises prepare for these situations can guide you through the process.

Learn more about the author’s unique CyberGard–Cyber Risk Protection Program.

 

Source of original article: Plan ahead: Prepare for the inevitable data breach – SC Magazine.

 

Podcast: DtR NewsCast of Hot Cyber Security Topics

I had the pleasure of joining the DtR Gang for another podcast on Down the Security Rabbit Hole and, as usual with this bunch, it was more fun than anything — but I learned a lot as well. Let me just tell you, these guys are the best around at what they do and they’re really great people on top of that!

This episode had the usual suspects of Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst), though James was riding passenger in a car and could only participate through IM. Also joining as a guest along with me was was  Philip Beyer (@pjbeyer).

Go check out the podcast and let us know what you think — use hashtag #DtR on Twitter!

Thank you Raf, James, Michael and Phil — this was a lot of fun!

FBI Director Talks Cyber Espionage: Chinese Like “Drunk Burglar”

FBI

“[T]here are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese” -FBI Director

The pervasive threat that cyber espionage poses to American business is not a new topic on this blog — we have been talking about it for a few years. But you do not have to take my word for it; there is a “higher authority” on the subject. No, not that high! But the Director of the FBI is pretty high.

Here is the transcript of what FBI Director James Comey had to say about the Chinese cyber espionage efforts. If you follow the link at the bottom, you can watch the video of his interview:

“What countries are attacking the United States as we sit here in cyberspace?”

“Well, I don’t want to give you a complete list. But the top of the list is the Chinese. As we have demonstrated with the charges we brought earlier this year against five members of the People’s Liberation Army. They are extremely aggressive and widespread in their efforts to break into American systems to steal information that would benefit their industry,” said FBI director Comey.

“What are they trying to get?”

“Information that’s useful to them so they don’t have to invent. They can copy or steal to learn about how a company might approach negotiations with a Chinese company, all manner of things,” said Comey.

“How many hits from China do we take in a day?”

“Many, many, many. I mean, there are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese,” said Comey.

“The Chinese are that good?”

“Actually,” the FBI director replied, “not that good. I liken them a bit to a drunk burglar. They’re kicking in the front door, knocking over the vase, while they’re walking out with your television set. They’re just prolific. Their strategy seems to be: We’ll just be everywhere all the time. And there’s no way they can stop us.”

via FBI Director: Chinese Like ‘Drunk Burglar’ | The Weekly Standard.

 

Podcast: CFAA, Shellshock and Cyber Security Research — What the Heck Do We Want?

Today I had a blast doing a podcast on the CFAA, Shellshock, and cyber security research with Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst) — in fact, we had so much fun that I suspect Raf had quite a time trying to edit it!

The starting point for our discussion was a recent article written by security researcher and blogger Robert Graham (@ErrataRob) titled Do shellshock scans violate CFAA?

As I mentioned on the show, when I first saw Robert’s article, I viewed it with skepticism. However, after actually reading it (yeah, I know — makes sense, right?), I found the article to be very well written, sound on the principles and issues of the CFAA — in my view, Robert did a great job of framing some key issues in the debate that definitely needs to happen.

From the article, our discussion expanded to a general discussion of the Computer Fraud and Abuse Act, its confusion as to application to “security research,” and whether it is even possible for Congress to “fix” the CFAA.

I do not think Congress is able to “fix” the CFAA right now for many reasons. However, I believe we pointed out some additional issues that must be taken into consideration during the public debate in determining what we as a society really value and want on these issues. Until “we the people” can figure that out, I see no way for Congress to “fix” this law which means the Common Law method is what we are left with.

Anyway, this post is just skimming the surface — Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.

Thank you Raf, James and Michael — this was a lot of fun!

Uncle Sam doesn’t have a clue on data privacy, cyber crime laws, and neither do we!

©2011 Braydon Fuller

©2011 Braydon Fuller

The point of the article that is the source of the quote below is exactly right: there is no consistency, cohesiveness, or harmony with the cyber crime and data privacy laws. I believe there are several reasons but these are the two that are most prominent:

  • The cyber crime and data privacy laws are a patchwork collection of laws that have been enacted based upon reactionary fears over a vast amount of time, each in response to a particular “concern of the day” without taking into account the other laws or the possible evolution of the issues and technology they seek to redress. Imagine trying to paint a painting after blindfolding yourself and then only using “dot by dot” with the tip of the brush to make the painting — no strokes (seriously, try it).
  • We, as a society, do not yet know what we really value.
    • On one hand, we want to protect our own information when it is in the custody of others yet, on the other hand, also disclose much of our own information through public channels yet keep others from using that information for purposes we do not like.
    • On one hand, we want to protect other people’s information yet, on the other hand, we want to freely exercise our perceived rights to free access to information (even when it may legally belong to others).
    • On one hand, we want to have a secure information system that allows for vibrant eCommerce that is protected by laws prohibiting people from “hacking” that information, yet on the other hand, we want to protect the rights of the good “hackers” who do security testing and are necessary to ensure that information system is secure.
    • On one hand, we want to punish those who have our information, try to protect it, yet have others hack them and steal it while, on the other hand, support those who are hacking to steal such information, while, on yet another hand (or foot), freely give our information to others and then punish them for using it in ways we do not like.
    • … and the list could go on … (for more, see Hunter Moore or Aaron Swartz: Do we hate the CFAA? Do we love the CFAA? Do we even have a clue?)

Anyway, here is the article that got me thinking about this at 4:00 in the morning:

Uncle Sam has gotten his wires crossed on internet data privacy. A hacker went to prison for exposing private customer information that AT&T failed to protect from online access. Now U.S. prosecutors are defending their right to do essentially the same thing in the Silk Road drug-website case. Anti-hacking laws are tough to take seriously when even enforcers can’t decide what’s allowed.

via Uncle Sam gets wires crossed on data privacy.

Data Breach Judgment: Will Home Depot Be the One to “Get It”?

Will Home Depot be the one to "get it"?Will Home Depot be the one that’s “gonna get it”?

Based upon the information we are learning, it could be.

Way back in 2011 I wrote Data Breach — Who’s Gonna Get it? and it scared people. For good reason. In that piece I wrote of how one day, in the future, a company would come along that had clear and unequivocal knowledge of the risk posed by data breach and, despite that knowledge, ignored it.

Then, because it knew of the risks, but chose to ignore those risks, there would be no forgiveness when its time for judgment came and it would have to pay the price for ignoring this risk.

I expected that judgment to come from a jury. Data breach lawsuits based on privacy rights are are having a difficult time in the courts because the plaintiffs are unable to show they suffered any actual harm. However, enterprising lawyers are finding a way around these impediments by looking to companies’ contractual documents and websites to find things such as Privacy Policies, Terms of Service, and other literature making representations about security and using those documents to serve as the premise for deceptive trade practices claims. A case against Home Depot just may be able to get to a jury on these types of claims.

Or, the judgment could — and likely will — also come from elsewhere such as the FTC or attorneys general of many states.

If true, there will be a price to pay

Regardless of where it comes from, the ultimate price that Home Depot pays for this data breach could be of record proportions and make the costs Target paid for its breach pale in comparison. Why?

Because, according to the statements below, Home Depot knew the risks, was fully aware of scope of the risks, knew the consequences of those risks, could have taken steps to mitigate those risks, but instead, it consciously ignored them. If these statements prove to be accurate, sit back and get ready to watch because this one could get interesting:

The risks were clear to computer experts inside Home Depot: The home improvement chain, they warned for years, might be easy prey for hackers.

But despite alarms as far back as 2008, Home Depot was slow to raise its defenses, according to former employees. On Thursday, the company confirmed what many had feared: The biggest data breach in retailing history had compromised 56 million of its customers’ credit cards. The data has popped up on black markets and, by one estimate, could be used to make $3 billion in illegal purchases.

via Ex-Employees Say Home Depot Left Data Vulnerable – NYTimes.com.