All of us in the Information Security field have watched different security regulations become law and we have debated what effect they would have on our industry.  Some of us even went so far as to hope that a piece of legislation would create an environment for business to take information security seriously.


Many talks have been given at security conferences on how to sell security to company executives.  This effort is usually exacerbated by budgetary issues at the company we work for, whether directly or as a consultant.  The major problem has always been that when security measures are in place, security incidents typically don't occur.  This leads to questions about why the company is spending so much money if nothing is happening.


This can lead to a company managing its risk by not doing anything.  A company can hold unrealistic expectations, such as believing it won't be attacked because it is too small or its industry doesn't create high risks.  I've had fellow security professionals tell me that an executive stated, "The chance of being hacked is about the same as being hit by lightning."  Another told me that their company is managing its risk by budgeting for the fines.


Both of these approaches to security can increase a company's potential for a breach.  This brings us back to the main question of this blog.  Have the security standards (PCI-DSS) or legislation such as GLBA, HIPAA, Sarbanes-Oxley, CA-SB 1386 and other privacy laws caused companies to implement the security measures we in the industry have pushed for all along?


My contention is that it depends upon how a company manages its risk of a "data spill".  The risk formula, Risk = Value of asset x (vulnerability x chance of exploitation), holds a lot of validity, but the resulting amount of Risk can vary widely.  We will take a look at what variations in the value of assets, the vulnerability, and the chance of exploitation can do to a company's view of risk.


One of the key variables in the calculation of risk is Assets.  An asset can be as simple as the data that a company stores for its business, or the systems that the company uses to accomplish the tasks needed to maintain profitability.  This was a fairly simple thing to determine a few years back, as the data a company was most concerned about was labeled company confidential or possibly secret.


There were two events that changed how companies viewed the risk to the data they have gathered over the last decade.  The first is the growth in the number of intrusion attempts against company private networks from outside sources.  The statistics in the past usually stated that 70% of all security events were caused by internal users.  It was generally thought that most intrusion attempts were inadvertent events caused by an employee.  Data has shown that this has changed, with more than half of all security events now originating from outside the company's private network.


In a Secret Service report, the interesting statistic isn't where the attack events came from but the amount of data that was compromised by the attack.  The data showed that more than 90% of the data stolen, spilled, or compromised was accomplished by outside attackers.  The report did state that because of the different types of investigations, Verizon had a slightly different statistic than the Secret Service.


The end result is that the attacks are now clearly targeted at taking data out of a company.  The above-mentioned report states that while the percentage of hackers that were external was just over 50%, the number of records taken by external attackers was more than 84%.  This is attributed to organized crime moving from physical theft to digital theft.  The risk of being caught or eventually prosecuted is much lower for the criminal in a digital theft.  They understand risk management also.


One of my favorite analogies is the theft of a server versus the theft of the data on the server.  If the server is stolen, it is noticeable, since it is no longer physically present.  The theft of the data is not so easy to spot, since the data isn't physically taken but copied.  The evidence of data theft is in the log files of the application, the server and the other systems that were touched in order to make the theft possible.  Hence, one of the major reasons most security standards require log monitoring is to alert the IT staff that someone has copied a significant block of important data.

The conclusion we come to for this part of our discussion is that, while new exploits are occurring less often, the amount of data being compromised is still high, and that data is leaving the company for organized criminals.