More critical infrastructure data breaches...not terribly surprising

Josh Beckett

An interesting read about a data breach involving critical infrastructure, a subject near and dear to my heart since I worked in the field for a few years.

It has always struck me as curious that many of the people who handle such tidbits of information are cavalier with the data and habitually underestimate its value to a potential adversary, along with the breadth of the potential field of adversaries and their capabilities.  The typical response that always gave me the willies was, "No one could ever get to that information, and if they did, they wouldn't know what to do with it anyway."  Really?  The only smart people in the world who know about this matter are in this room?

Beware of what you ask for

Far too many people ask for knowledge or documentation without realizing that, once they have such information, they are bound by regulations to protect it.  More often than not, they are unfamiliar with, or outright unaware that, such regulations exist, along with the associated requirements to protect the data with specific measures and to report any loss within a required time frame.

It reminded me of going to a client site to perform a security assessment and being asked to present ID at the security desk.  I presented my passport, since it is a very convincing form of ID.  The guard immediately went to make a copy of it.  I asked him what he was doing, and he explained that their process requires them to keep a copy of it in their files.  I asked him why.  He said, "It is our process."  I asked, "Are you aware that under this state's law you are required to notify me, in writing, within a week, if there is any unauthorized exposure of my personal information in your custody?"  Standard blank and confused look when people 'just following policy' are questioned.  "Since you seem to have no idea what I'm talking about, I'm afraid I'm going to have to take that copy of my ID and refuse to let you keep it in your possession."  Needless to say, I was required to wait while 'the boss' was called.  I waited quietly, knowing that it was exactly 'the boss' who had hired me to perform the assessment.  It took about 10 minutes, but eventually they admitted that they didn't need to keep a copy of my passport, by special authorization, of course.  It certainly made for an interesting bullet item in the final report.

Who Watches the Watchers?

Ideally, in our society, there are supposed to be regulators who enforce industry rules.  The problem is that there are far too few regulators, operating in an environment of overwhelming data using methods that were better suited to the days of paper files and filing cabinets.  Maybe they didn't even work well back then, for all I know.  It is certainly obvious that it is much more difficult to audit all the nooks and crannies of a computer network where data can be stored, much less to be aware that some of that data is subject to the myriad rules that exist today, a body of rules that is growing daily.

The real problem is that people are often so overworked that following the rules, or making them up when no one else has written them down, is all they have time to do.  Practiced procedures are a great safeguard, don't get me wrong; however, the end result of collecting data is a piece of information that can be a greater risk to keep as proof that you did the job than it would have been to simply verify that it was correct at the time you checked.

"I'm just doing my job" simply isn't a sufficient justification for anyone to possess sensitive information.  Need I remind you of what everyone's parents asked them in their youth?  "If all of your friends were jumping off a bridge...?"  Consider that having a copy of what you ask for can be more of a burden than simply knowing the answer.

When data reaches a critical mass

Obviously, there are times when we begin with a question and the best of intentions.  Then, in finding the information, we realize that the answer we have collected might be interesting to someone else too.  That needs to be an "A-HA" moment for us all.  Don't ever let it go unnoticed or get half-jokingly laughed away.  Think like the adversary.  Who else might be interested in knowing this, for good or for ill?  When you ask this question, never underestimate or trivialize the possibilities that may come back as an answer.  Might it be prudent to protect this information?  Is there a governing body with rules that could help me know what I should be doing with this info?  Is keeping it, and having to adhere to those rules, going to be cumbersome and risky in its own right?  Do I have time to do the right thing with regard to protecting that information?

It is important for all of us to realize that if one of us is interested in the answer to a particular question or data set, there could be someone else out there who would love to know the same thing for other purposes.  Stop and ask the question, "What might someone with ill intentions do with this data?"  If the thought "oh, that could be bad" crosses your mind, for even a fleeting second, then you need to seriously start planning your protective measures, or hire someone to do a thorough job of it for you.
