DETROIT – There was a popular TV commercial back in the 1990s that featured two security guards on patrol in a scary cement tunnel. Cue the sound of running footsteps and the dramatic chase music as our guys desperately pursue an unknown intruder through the tunnel. Then they stop, a look of satisfaction spreads across their faces and the one guy reports into his walkie-talkie “Sector Six secure!” And they turn and saunter back up the tunnel in the direction that they came from, while the intruder’s ominous footsteps disappear dramatically into Sector SEVEN.

I am not even sure what they were advertising in that commercial but I remember it because it made an excellent point. Nobody was actually secure. All our two heroes did was create a problem for somebody else. And IMHO that little vignette sums up the current state of affairs in the information security business.

The failure to approach security as a collective organizational problem is the reason why mind-boggling incidents like the JPMorgan data breach that affected 76 million households and 7 million firms are really nothing more than TODAY’S news. The fact is that, according to the non-profit Privacy Rights Clearinghouse, we have lost about one BILLION records over the past decade.

Keep in mind that those figures only include breaches that were REPORTED. Since most companies don’t like to publicize their security failures, that number could be infinitely higher.

The running average of 100 million annual record losses has been subject to some variation, and the source of breaches has changed in interesting ways, which I will discuss in the next post. But the number of records lost in reported incidents rose from 52 million in 2005 to 259 million in 2013 (and, again, keep in mind that these are only the ones that were REPORTED).

So it would be hard to conclude that we are getting BETTER at protecting information.

In 2005 the 52 million record losses were almost completely due to hacks. By 2013 the approximately 259 million losses were largely due to what might be called human factors: bent insiders, lost or stolen devices and payment card fraud. In fact there were three fewer hacking incidents in 2013 than physical thefts. And when you add in the human factors category, electronic exploits accounted for less than 30% of the total loss in 2013.

So, what we appear to have done is gotten better at protecting information from one avenue of attack, hacking, while physical and human exploits have been allowed to run riot.

It is probably safe to assume that people who are intent on stealing your information will go about that task in ways that will best ensure their success. So if one avenue is blocked they will try another, like social engineering, or simple physical theft.

A decade ago we weren’t as electronically sophisticated as we are now. And of course it is always much more convenient to hack in from the comfort of your own home in Donetsk, or Bucharest, or Shanghai. Consequently, hacking was the method of choice.

But under the heading of “we continue to fight the last war”, the folks on the dark side have learned to adapt to the more effective measures we have deployed for electronic data protection. So, while we continue to successfully guard one door, the bad guys are coming and going by another. That is what the current loss statistics imply.

There is an obvious solution to the sad parade of bombshell announcements, which is that we bring information security into the main tent, not continue to treat it as a side-show. In that respect, the defense of all logical avenues of access has to be coordinated and managed at the very top of the organization by a single corporate entity. And that entity has to be empowered to deploy a complete and correct set of strategic countermeasures that address all meaningful risks in the threat spectrum; for the entire company.

For instance, I can assure you that you would get a blank stare if you asked today’s CISO what he has done to ensure against the loss of discarded or stolen non-electronic records, such as paper documents; discarded or stolen laptops, PDAs, smartphones, portable memory devices, CDs, hard drives, or data tapes; or discarded or stolen stationary electronic devices such as a computer or server not designed for mobility. That is because the CISO isn’t responsible for corporate physical security. And yet those categories comprise a consistent 31% of the total record losses and reported incidents over the past decade. Or in simple applied terms, last year 80 million records walked out the door under somebody’s arm.

This happens because the responsibility for securing information in all of its various forms is shared between a Director of Physical Security, who is usually an ex-cop, and a Chief Information Security Officer, who is never anything but a nerd. That unfortunate division of labor illustrates why the physical exploit categories annually comprise about a third of the records lost.

It is likely that the Director of Physical Security will not be seriously threatened by a pile of old computers in a storeroom, which is a tribute to how innocuous outmoded desktop computers appear to most people. But of course, since you are reading an information security themed post we all know what that would REALLY represent in terms of risk if even one of them is unwiped.

Fortunately, the task of securing a room full of discarded CPUs is not in the CISO’s job description. Storerooms are normally the other guy’s responsibility. So the good news is that for the time being “our sector is secure”, right?

Daniel P Shoemaker, PhD, Senior Research Scientist at UDM’s Center for Cyber Security and Intelligence Studies, the Director of University of Detroit’s NSA-CAE program and Visiting Professor at London Southbank University.