BreachExchange mailing list archives

Previous By Date Next
Previous By Thread Next

Re: rant: Abandon Ship! Data Loss Ahoy!

From: Adam Shostack <adam () homeport org>
Date: Thu, 20 Mar 2008 17:21:25 -0400
On Thu, Mar 20, 2008 at 04:44:15PM -0400, James Ritchie, CISA, QSA wrote:
| Being compliant does not mean being secure and being secure does not 
| mean being compliant.  What most people forget with all the compliance 
| is that constant vigilance must be maintained.  Does that mean daily, 
| weekly, monthly, quarterly, or annually that you have to verify that the 
| controls are working appropriately? What I think will be the outcome is 
| if appropriate due diligence and due care can be shown as fact, the 
| liability will be reduced or eliminated.  They will compare the actions 
| taken and of similar size companies to see if what they had done was 
| appropriate. To make any company 100% secure, the cost of security would 
| be so prohibited, the company would be bankrupt.  There has to be a 
| balance and reasonable effort shown.

How do you "compare the actions of similar size companies?"  That's a
secret.  What's a reasonable effort?  That's a secret too.  What
happens?  That's no longer a secret, thanks to mandatory breach
disclosure.

ADam

| Adam Shostack wrote:
| > On Thu, Mar 20, 2008 at 10:13:08AM -0500, Allan Friedman wrote:
| > | >  On the public policy issue, I agree. If you want companies to disclose
| > | >  the exact circumstances around a breach (exact technical details), there
| > | >  will have to be a shield that prevents plaintiffs attorney's from using
| > | >  the information in lawsuits.
| > | 
| > | You highlight an interesting trade-off. It may be the case that more
| > | disclosure would reduce incentives to prevent future breaches,
| > | depending on how we understand the problem.
| > | 
| > | A standard policy tool for enforcing maximum diligence is the threat
| > | of lawsuits, massive ones that can wreck a corporation. If we follow
| > | this liability argument (as advanced by Schneier and other scholars of
| > | the economics of information security) then making concessions to
| > | corporate defendants can impede the end goal of less data retention
| > | and greater data protection.
| > | 
| > | If we don't think we're ever going to get there, then more data about
| > | breaches for the purposes of research is clearly the greater good.
| > | This is a very interesting dynamic. I'll have to think about how to
| > | model it...
| >
| > For this policy to be effective, costs must be aligned with a failure
| > to take effective measures.  Today, we lack the data to asses how
| > effective various 'best practices' or standards are.  Gene Kim and
| > company have done work showing that a few part of COBIT are key, and
| > others are not correlated with they outcomes they studied.  (There's a
| > CERIAS talk video you can find.)  There's claims that Hannaford was
| > PCI complaint. Shouldn't that have made them secure?
| >
| > So lawsuits today are random.  With better data, we may be able to
| > better attribute blame.  Perhaps this shapes a temporary liability
| > shield, with a goal of revisiting it later, or allowing case law to
| > shape it for a while?
| >
| > Adam
| >
| > _______________________________________________
| > Dataloss Mailing List (dataloss () attrition org)
| > http://attrition.org/dataloss
| >
| > Tenable Network Security offers data leakage and compliance monitoring
| > solutions for large and small networks. Scan your network and monitor your
| > traffic to find the data needing protection before it leaks out!
| > http://www.tenablesecurity.com/products/compliance.shtml
| >
| >   
| 
| -- 
| James Ritchie
| CISA, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+
| 
| Linkedin http://www.linkedin.com/pub/1/b89/433 
| 
| Attachments with this email, not explicitly referenced, should not be opened. Always scan your email and their 
associated attachments for viruses prior to opening.
| 
| This message and any accompanying documents are confidential and may contain information covered under the Privacy 
Act, 5 USC 552(a), the Health Insurance Portability and Accountability Act (PL 104-191), or the Electronic 
Communications Privacy Act, 18 U.S.C. 2510-2521 and its various implementing regulations and must be protected in 
accordance with those provisions. Unauthorized disclosure or failure to maintain the confidentiality of the information 
may result in civil or criminal sanctions.  
| 
| This e-mail is strictly confidential and intended solely for the addressee. Should you not be the intended addressee 
you have no right to any information contained in this e-mail. If you received this message by mistake you are kindly 
requested to inform us of this and to destroy the message.
| 
| _______________________________________________
| Dataloss Mailing List (dataloss () attrition org)
| http://attrition.org/dataloss
| 
| Tenable Network Security offers data leakage and compliance monitoring
| solutions for large and small networks. Scan your network and monitor your
| traffic to find the data needing protection before it leaks out!
| http://www.tenablesecurity.com/products/compliance.shtml

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml
Previous By Date Next
Previous By Thread Next

Current thread: