BreachExchange mailing list archives

What InfoSec can learn from the insurance industry


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 31 Jul 2014 18:50:18 -0600

http://www.itnews.com.au/BlogEntry/390408,what-infosec-can-learn-from-the-insurance-industry.aspx

Step into the branch of any bank and you can see they are clearly designed
to resist robbery at several levels and - up to a certain point - keep the
institution's teller staff safe.

That design comes from empirical experience, as in bank robberies. Years of
being at the wrong end of a sawn-off shotgun or pistols have taught banks
what to do when the bad people roll up and demand the cash, and also how to
deny them the opportunity whenever possible.

Banks - and their customers or clients - are robbed in different ways these
days. Putting a gun in a teller's face, with the inevitable ensuing police
chases, is very risky compared to remotely conducted internet heists, which
are often more profitable too.

The problem is, experience-led security isn’t the easiest to achieve in the
internet era.

An acquaintance in the IT security business firmly believes that in order
to assess the real risk of a potential security breach, a bank or financial
institution security officer should know the enemy, its organisation and
infrastructure.

They should be close to them, hear them, maybe even mingle with them to
gather sufficient information to understand what spurs the digital
miscreants to attack systems.

How many do, though, instead of relying on second-hand intelligence from
government response teams, media, consultants and vendor alerts for their
decisions?

It’s unlikely that many security officers at the banks hang out in Russian
cybercrime forums. If they did, they might learn how their sector is being
targeted, as well as the changing methods and the economics of the
criminals.

Learning, for instance, who is offering specialist skills to steal data,
who can verify it, and who can on-sell it for a slice of the action
could help halt an outsourced internet crime spree.

Likewise, knowing which gangs provide full service would also be incredibly
valuable information when it comes to risk assessments.

There’s no easy way to go on such intelligence gathering missions in the
digital underworld.

High tech criminals with ties to old-school gangsters and even the Italian
mafia aren’t the sort of people you approach lightly, especially when
you're approaching them from within a corporate network.

Even so, such information is necessary and needs to be gleaned and kept on
record to assist in mapping out risks and impacts of breaches.

One industry does just that already: the insurance business. It has
actuarial tables based on actual data, so that it gets a good idea of
how likely it is that bush fires, floods and quakes will strike a certain
area in the future.

The same goes for malicious and non-malicious risks such as thefts,
burglaries and more. With the data at hand, collected over decades, insurers
can make informed decisions and build businesses.

Now, you’re not going to have much luck relying solely on probability-based
risk assessment methodologies, as the insurance industry does, in the IT
security business. The threat actors are too opportunistic for that.

But having access to data would help identify the context in which
attackers work and be valuable in its own right to assess the impact of
breaches.

This is where mandatory data breach reporting could be extremely useful, to
build up an information source along the lines of actuarial tables.

Too often, reporting of data breaches is dismissed because of consumer
fatigue - there have been absolutely masses of them, and they show no signs
of stopping. Besides, the data can only be stolen once.

What if we can look at several breach situations and compare them for risk
assessment? How much more tempting will a certain data set be for
opportunistic intruders, in a given situation?

That kind of raw data - rather than the vendor-sponsored and spun surveys
that nobody trusts - would make life a great deal easier for my infosec
acquaintance and colleagues.

It also makes (yet another) strong case for mandatory data breach reporting.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
