Data

Individual Privacy vs. Business Drivers

By Adrian Lane

'I ended a recent post with "I start to wonder if the corporations and public entities of the world have already effectively wiped out personal privacy." It was just a thowaway idea that had popped into my head, but the more I thought about it over the next couple of days, the more it bothered me. It is probably because that idea was germinating while reading a series of news events during the past couple of weeks made me grasp the sheer momentum of privacy erosion that is going on. It is happening now, with little incentive for the parties involved to change their behavior, and there is seemingly little we can do about it.

A Business Perspective

Rich posted a blog entry on "YouTube, Viacom, And Why You Should Fear Google More Than The Government" on this topic as well. Technically I disagree with Rich in one regard, that being to have a degree of fear for all parties involved as Viacom, Google and the US government are in essence deriving value at the expense of individual privacy. I think this really ties in as companies like Google have strong financial incentives to store as much data on people- both at the aggregate and the personal level- as they can.

And it's not just Google, but most Internet companies. Think about Amazon's business model and their use of statistics and behavior profiling to alter the shopping experience (and pricing) for each visitor to their web site. My takeaway from Rich's post was "The government has a plethora of mechanisms to track our activity", and it is starting to look as if the biggest is the records created and maintained by corporations. Corporate entities are now the third party data harvester, and government entities act as the aggregator. While we like to think that we don't live in a world that does such things, there are reasons to believe that this form of data management had a deciding factor in the 2000 presidential election with Database Technologies/Choicepoint. We already know that domestic spying is a reality.

Over the weekend I was catching up on some reading, going over some articles about how the government has provided immunity to telecom companies for providing data to the government. If that is not an incentive to continue data collection without regard for confidentiality, a "get out of jail free" card if you will, I don't know what is.

I also got a chance to watch the Supe ova video on Privacy and Security in the Network Age. Bruce Schneier's comments in the first 10 minutes are pretty powerful. He has been evolving this line of thought over many years and he has really honed the content into a very compelling story. His example about facial recognition software, storage essentially being free, and with ubiquitous cameras is fairly startling when you realize everything you do in a public place could be recorded. Can you imagine having your entire four years at high school filmed, like it or not, and stored forever? Or if someone harvested your worst 5 minutes of driving on film over the last decade? Bruce is exactly right that this conversation is not about our security, but the entire effort is about control and policy enforcement. And it is not the government that is operating the cameras; it is businesses and institutions that make money with the collected data. With business that harvest data now seemingly immune to prosecution for privacy rights violations, there are no "checks and balances" to keep them from pursing this- rather they are financially motivated to do so. From cameras on the freeway to Google, there are always people willing to pay for surveillance data. They are not financially incentivized to care about privacy per se; unless it becomes a major PR nightmare and affects their core business, it is not going to happen.

My intention with the post was not to get all political, but rather to point out that businesses which collect data need some incentive to keep that consumer information confidential. I don't think there is a legitimate business motivator right now. CA1386 and associated legislation is not a deterrent. Businesses make their money by collecting information, analyzing it, and then presenting new information based upon what they have previously collected. Many companies' entire business models are predicated upon successfully doing this. The collection of sensitive and personally identifiable information is part of daily operation. Leakage is part of the business risk. But other than a competitive advantage, do they have any motivation to keep the data safe or to protect privacy? We have seen billions of records stolen, leaked or willfully provided, and yet there is little change in corporate activity in regards to privacy.

So I guess what scares me the most about all this is that I see little incentive for firms to protect individual privacy, and that lack of privacy is supported- and taken advantage of- backed by government. Our government is not only going to approve of the collection of personal data, it is going to benefit from it. This is why I see the problem accelerating. The US government has basically found a way to outsource the costs and risks of surveillance. They are not going to complain about mis-use of your sensitive data as they are saving billions of dollars by using data collected by corporations.

There are a couple of other angles to this I want to cover, but I will get to those in another post.

–Adrian Lane

Stolen Data Cheaper

By Adrian Lane

'It's rare I laugh out loud when reading the paper, but I did on this story. It is a great angle on a moribund topic, saying that there is such a glut of stolen finance and credit data for sale that it is driving prices down.

LONDON (Reuters) - Prices charged by cybercriminals selling hacked bank and credit card details have fallen sharply as the volume of data on offer has soared, forcing them to look elsewhere to boost profit margins, a new report says.

The thieves are true capitalists, and now they are experiencing one of the downsides of their success. What do you know, "supply and demand" works. And what exactly are they going to do to boost profit margins? Sell extended warranties? Maybe it is just the latent marketeer in me coming to the fore, but could you just imagine if hackers made television commericals to sell their wares? Cal Hackington? Crazy Eddie's Datamart?

It's time to short your investments in Cybercriminals, Inc.

–Adrian Lane

Comments on Security Breach Statistics

By Adrian Lane

I still have not quite reached complete apathy regarding breach statistics, but I am really close. The Identity Theft Resource Center statistics made their way into the Washington Post last week, and were reposted on the front page of The Arizona Republic business section this morning. In a nutshell they are saying the number of breaches was up 69% for the first half of 2008 over the first half of 2007.

I am certain no one is surprised. As a security blogging community we have been talking about how the custodians of the information fail to address security, how security products are not all that effective, how the 'bad guys' are creative, opportunistic, and committed to finding new exploits, and my personal favorite, how the people who set up the (financial, banking, heath care, government, insert your favorite here) systems have a serious financial stake in things being quick and easy rather than secure. Ultimately, I would have been surprised if the number had gone down.

I used to do a presentation called "Dr. Strangelog or; How I stopped worrying and loved the breach". No, I was not advocating building subterranean caverns to wait this out; rather a mental adjustment in how to approach security. For the corporate IT audience, the premise is that you are never going to be 100% secure, so plan to do the best you can, and be prepared to react when a breach happens. And I try to point out some of the idiocy in certain policies that invite unnecessary risk ... like storing credit card numbers when it is unnecessary, not encrypting backup tapes, and allowing all your customer records to ever be on a laptop outside the company. While we have gone well beyond these basics, I still think that contrarian thinking is in order to find new solutions, or to redefine the problem itself as it seems impossible to stop the breaches at this point.

As an individual, as opposed to as a security practitioner, Is there anything meaningful in these numbers? Is there any value what so ever? Is it going to be easier to quantify the records that have not been breached? Are we getting close to having every personal record compromised at least once? The numbers are so large that they start to lose their meaning. Breaches are so common that they have spawned several secondary markets in areas such as tools and techniques for fraudulently gaining additional personal information, partial personal information useful for the same purpose, and of course various anti-fraud tools and services. I start to wonder if the corporations and public entities of the world have already effectively wiped out personal privacy.

–Adrian Lane

Best Practices For DLP Content Discovery: Part 3

By Rich

In Part 3 of our series we finished our review of the technical architecture and selection; now we're going to delve into best practices for deployment. We will focus on setting expectations, prioritization, and defining your internal processes. The main obstacle to successful deployments isn't a technology weakness, but rather the failure of the enterprise to understand what to protect, decide how to protect it, and recognize what's reasonable in a real-world environment.

Setting Expectations

The single most important factor for any successful DLP deployment -- content discovery or otherwise -- is properly setting expectations at the start of the project. DLP tools are powerful, but far from a magic bullet or black box that makes all data completely secure. When setting expectations you need to pull key stakeholders together in a single room and define what's achievable with your solution. All discussion at this point assumes you've already selected a tool. Some of these practices deliberately overlap steps during the selection process since at this point you'll have a much clearer understanding of the capabilities of your chosen tool.

In this phase, you discuss and define the following:

1. What kinds of content you can protect, based on the content analysis capabilities of your tool.
2. Expected accuracy rates for those different kinds of content; for example, you'll have a much higher false positive rate with statistical/conceptual techniques than partial document or database matching.
3. Protection options: Can you encrypt? Move files? Change access controls?
4. Performance, based on scanning techniques.
5. How much of the infrastructure you'd like to cover (which servers, endpoints, and other storage repositories).
6. Scanning frequency (days? hours? near continuous?).
7. Reporting and workflow capabilities.

It's extremely important to start defining a phased implementation. It's completely unrealistic to expect to monitor every nook and cranny of your infrastructure with your initial rollout. Nearly every organization finds they are more successful with a controlled, staged rollout that slowly expands breadth of infrastructure coverage and types of content to protect.

Prioritization

If you haven't already prioritized your information during the selection process, you need to pull all major stakeholders together (business units, legal, compliance, security, IT, HR, etc.) and determine which kinds of information are more important, and which to protect first. I recommend you first rank major information types (e.g., customer PII, employee PII, engineering plans, corporate financials), then re-order them based on priority for monitoring/protecting within your DLP content discovery tool.

In an ideal world your prioritization should directly align with the order of protection, but while some data might be more important to the organization (engineering plans) other data may need to be protected first due to exposure or regulatory requirements (PII). You'll also need to tweak the order based on the capabilities of your tool.

After your prioritize information types to protect, run through and determine approximate timelines for deploying content policies for each type. Be realistic, and understand that you'll need to both tune new policies and leave time for the organizational to become comfortable with any required business changes.

We'll look further at how to roll out policies and what to expect in terms of deployment times later in this series.

Define Process

DLP tools are, by their very nature, intrusive. Not in terms of breaking things, but intrusive in terms of the depth and breadth of what they find. Organizations are strongly advised to define their business processes for dealing with DLP policy creation and violations before turning on the tools. Here's a sample of a process for defining new policies:

1. Business unit requests policy from DLP team to protect content type.
2. DLP team meets with business unit to determine goals and protection requirements.
3. DLP team engages with legal/compliance to determine any legal or contractual requirements or limitations.
4. DLP team defines draft policy.
5. Draft policy tested in monitoring (alert only) mode without full workflow and tuned to acceptable accuracy.
6. DLP team defines workflow for selected policy.
7. DLP team reviews final policy and workflow with business unit to confirm needs have been met.
8. Appropriate business units notified of new policy and any required changes in business processes.
9. Policy deployed in production environment in monitoring mode, but will full workflow enabled.
10. Protection certified as stable.
11. Protection/enforcement actions enabled.

And here's one for policy violations:

1. Violation detected; appears in incident handling queue.
2. Incident handler confirms incident and severity.
3. If action required, incident handler escalates and opens investigation.
4. Business unit contact for triggered policy notified.
5. Incident evaluated.
6. Protective actions taken.
7. If file moved/protected, notify user and drop placeholder file with contact information.
8. Notify employee manager and HR if corrective actions required.
9. Perform required employee education.
10. Close incident.

These are, of course, just rough samples in text form, but they should give you a good idea of where to start.

–Rich