[BreachExchange] The new DHS breach illustrates what's wrong with today's cybersecurity practices

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jan 8 20:22:03 EST 2018


This month, the Department of Homeland Security notified affected employees
about a 2014 breach of 247,167 employee records. There are many interesting
details in the department's disclosure, including the fact that there was a
six-month privacy investigation between the discovery of the breach and the
notification, and the fact that the records were uncovered during a
criminal investigation. DHS even revealed that the records were found in
the possession of a former DHS Office of Inspector General employee.

But the part that jumped out the most was how explicit DHS was about
characterizing this as a “privacy incident.” In its public statement, the
department made no mention of the incident as an insider threat issue,
despite the records being found in the possession of a former employee.

Rather than question DHS's designation of this as a "privacy incident," we
should focus on what that designation means. Labeling this a privacy
incident suggests that a distinct cyber incident would require an outsider
gaining access through the network. It could also indicate that the
categorization was made only after DHS's forensics had demonstrated that
the data was not exposed to malicious activity.

If malicious access is a requirement, any reporting timeline that agencies
or companies are required to follow will need to be much longer than
previously thought. This extra time would give the forensics team room to
do their jobs accurately and fairly, without rushing to conclusions in
order to fulfill a reporting timeline.

Further, privacy incidents can have different reporting requirements than
cyber incidents, a disparity that likely needs to be addressed, since user
data is ultimately compromised in both instances. This differentiation is
made harder in examples such as data being available in an open Amazon S3
storage bucket without any malicious access. Should this be categorized as a
privacy incident or a cyber incident?

The lines between privacy incident, security incident, insider incident,
and fraud are blurry at best. We hope regulation, policy, and — most
importantly — stakeholder expectations evolve, ensuring all parties receive
the same notification, reporting and remediation standards for any data
lost, compromised, or impacted. These basic standards should apply
regardless of how the incident may be categorized. Viewing technology,
incidents or practices in terms of existing buckets such as fraud, privacy
or security is no longer sufficient. Instead, the focus should be on trust
and safety.

Regardless of how this event or any other is categorized, the organization
has already lost some of the trust of its employees, customers, and other
stakeholders. In DHS's case, the incident was reported without mentioning
privacy in the headline, instead using the term "data breach." In this
situation the verbiage is appropriate: it does not matter to most people
how the incident is designated, only that their personal data was
compromised.

For DHS and other federal agencies, these designations — and the different
requirements tied to them — can directly impact the actions of people
responding to the incident. For government to successfully implement
incident response programs, whether responding to a PII breach or a nation
state actor hack, the legislative branch and the executive branch must
provide an atmosphere that encourages CIOs/CISOs to look under those rocks
and report the events.

Such reporting should be done with the acknowledgement that it often takes
a long time to fully understand any incident. If Congress and agency
leadership are demanding real-time updates, they need to understand the
information they first receive will be not only incomplete, it will also
frequently be inaccurate.

Great progress has been made with regard to focusing more on outcomes
versus compliance, but there is still much work to do. Organizations should
focus less on how a breach occurred (hacking, insider, fraud, etc.) and
focus more on building up and preserving customer trust in their products
and services.