4/23/23, 2:42 PM Chapter 14 Learning from Information Security Incidents | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/025-9781466551282-014.xhtml 1/24
14
Learning from Information Security Incidents
The public seldom forgive twice.
Johann Kaspar Lavater, 1741–1801
The common method of building an information security program is to (1) review the laws and regulations that apply to the particular organization and determine which ones are pertinent, (2) develop a gap analysis or assessment to determine which controls are missing, (3) create an information security policy representing the required laws and regulations, and (4) develop and implement controls to satisfy the policy that has been developed.
This process may appear somewhat simplified and make it sound like a simple, quick exercise, when in fact it can occur iteratively over several years to move an organization to a place where it feels comfortable with its security controls. And just as the organization is beginning to feel comfortable, new technologies are introduced, mergers and acquisitions take place, and new breaches are reported in the news.
This chapter focuses on security incidents that have occurred over the past several years. Why are these important? After all, these are other companies’ incidents occurring on different infrastructures with different applications and “our security is so much tighter ... especially than our competition’s!” The reality is that we can learn a great deal from what other people have experienced without having to experience it for ourselves. We do not have to drink alcohol to excess, smoke, or use illegal drugs to know that these can be harmful to us. We do not have to run a red light to know that it could be fatal. As children, we are taught not to “jump in a river because someone else told us to.” We are human beings with the ability to assimilate information and learn from the mistakes of others. The daily newspaper provides an excellent vehicle to learn from others’ mistakes. While it is useful to read as many technical magazines and books on information security as possible, one does not need to go further than reading USA Today to get a very good idea of the security issues that are occurring. There is rarely a single day that goes by without a USA Today article highlighting an information security concern. Organizations obviously do not want to be the ones that are associated with the security issues; however, organizations should view these newspapers and magazines as opportunities to learn what issues are of interest to the general public and to avoid them ever occurring in the first place. Daily scanning of the newspaper for incidents provides a very proactive way to develop the appropriate controls to minimize the occurrence of the events within the organization and to keep the organization out of the newspapers.
Verizon also provides an annual report on data breaches that is very interesting and provides much intelligence as to where the breaches appear to be coming from and the types of exploits that are occurring. Since it started in 2004, Verizon has analyzed over 1700 breaches and over 900 million compromised records. According to its latest report, 92% of the breaches were external, 50% utilized some form of hacking, 49% used malware, and 83% of the victims were targets of opportunity (Verizon Business, 2011). It is fascinating to note that 92% of the attacks were not highly difficult, 86% were not even discovered by the organizations themselves but rather by third parties, and 96% of the breaches were avoidable by simple or intermediate controls. This data suggests that organizations that can understand what incidents are occurring and have the appropriate information security governance structures in place to implement and monitor the appropriate controls have the ability to significantly reduce the likelihood that these incidents will occur. Implementation of security controls does not necessarily involve large expenditures for technical solutions, but rather the understanding of the controls necessary and ensuring their consistent application. Examining the incidents of other companies can provide insight as to where the people, process, or technology breakdowns may be occurring within the organization. Just because an incident is not yet known does not mean that it has not yet occurred; recall that in 86% of the cases the breaches were discovered by third parties. A small organization that does not have the scale of business connections a large organization may have could be having data stolen without its knowledge, and without knowing that it was the target, until someone else in a business relationship reports an issue.
Information security governance depends upon effectively communicating the policies, procedures, and controls throughout the company and ensuring that they are being followed. One method of gaining the attention of others needed to support the policies is to provide them with an understanding that the threats are not theoretical, but rather are real and occur more often than they may be aware. Security governance failures at other organizations, as represented by their security incidents, and especially those that share the same vertical industry, size, revenue, and geographic characteristics, can provide the incentive necessary to examine how the organization is ensuring that the same situation will not occur there.
Recent Security Incidents
The security incidents that follow can be used as examples within the organization to explain the need for different security controls. These incidents are only a handful of the incidents that are reported each year, each chosen either for its widespread coverage or to provide a good cross-section of security issues as a reference.
Texas State Comptroller
Issue: Texas State Comptroller’s Office exposes 3.5 million personal records
Company: State of Texas
Date: January 2010; discovered March 31, 2011
Impact: $1.8 million
Lessons learned: The comptroller’s office left information including Social Security numbers, driver’s license numbers, birth dates, and mailing addresses on their servers unprotected for over a year before it was noticed. Information that was transferred from three other state agencies was stored on the computers unencrypted, which was in violation of the procedures. The comptroller’s office subsequently hired consulting firms ($290,000), established a call center for inquiries ($393,000), and spent $1.2 million to notify those whose information had been exposed (Rashid, 2011). As expected, the security officer and security staff were terminated following the incident.
This was clearly a case where the organization knew the proper actions; however, because the prescribed procedures were not followed, the organization was placed at risk. The fact that the exposure was not discovered until a year later also suggests that there was a lack of ongoing internal review of the security procedures and of subsequent security testing to confirm that the procedures were being followed. Several years earlier, a Texas attorney general sent a memo to ensure that sensitive databases were protected, in reaction to other breaches that were occurring. This illustrates that reacting to a security incident by issuing a memo may provide the appearance that action is being taken and may satisfy management that they are performing due diligence in being aware of potential threats, but without adequate implementation of information security governance in the form of policies, procedures, and internal review processes, the issuance of a memo by itself is not very effective. The support is admirable, and may even be politically motivated, rather than amounting to increased protection of the organization’s resources.
Sony PlayStation Network
Issue: Sony PlayStation Network and Qriocity servers breached
Company: Sony
Date: April 17–19, 2011
Impact: E-mail addresses, birth dates, login, and password details revealed
Lessons learned: Hackers were able to gain access to a Sony server, exposing the names, e-mail addresses, birth dates, login/password information, and credit card information of Sony’s online gamers. Since information was retrieved about the gamers and their purchasing histories, this opened the possibility of targeted phishing attacks based upon their prior purchasing histories and tastes in music and online video games. Subsequent spear phishing attacks could cause some gamers to give up bank account and Social Security information in the future. Many websites use the e-mail address as the identifier to log into their websites, and end users may use the same password across these sites for simplicity, so exposure of the e-mail address and login information can provide the hackers with the means to access other accounts for fraudulent purposes.
Sony has had to provide several public apologies since taking the site offline. The real damage to the company is the failure of trust in the network as well as the time it takes to investigate the breach while the network is offline. Even though the credit card information may be encrypted as Sony indicated, the cost of lawsuits and public relations most certainly will have long-term effects. One question that should be answered is why Sony stored the credit card information, even encrypted, in the first place. Since other processing companies typically handled processing, there really was no need to store this information. Also, was this the result of a targeted phishing attack against someone with administrative access to the information? If so, what extra controls were in place, in terms of policies, training, separation of IDs, frequency of administrative password changes, logging and monitoring detection, and so forth, to mitigate the risk of a targeted attack?
Although the long-term financial impact of the breach is unclear, what is not unclear is that in the minds of 77 million members of the Sony PlayStation Network, Sony failed to protect their information. As Sony offered free credit protection as well as reimbursement of up to $1 million per person for identity restoration costs, legal fees, and lost wages within 12 months of the incident, the final costs of the breach could be substantial (Kitten, 2011).
One could make the assumption that Sony was lax in its application of appropriate security controls. However, it would be difficult to assume that an organization the size of Sony did not allocate extensive resources toward protecting the network. The incident should demonstrate how fragile our networks are. The security staff may close the doors 99.9% of the time, but the one time that someone lets down their guard, that door becomes opened and a public relations nightmare ensues. This incident also suggests that multiple doors need to be in place, whereby there is a system of checks and balances, and roadblocks that make it difficult to penetrate the system undetected. Sony attempted to bring up the system initially in early May 2011, but it was unable to because the hackers had penetrated the systems deeper than Sony originally thought. Clearly, 100% of the end users will not perform what is asked for in the policies 100% of the time, so there must be other controls within the environment, such as antivirus filtering, spyware detection, vulnerability scanning, logging and monitoring, baseline configurations, administrative access controls, data classification, restricted file access, help desk procedures, and so forth, to mitigate the risk of an elevation of privileges when users are targeted and give up their keys. For example, the end user’s car keys may open the car door, but the steering wheel manual locking device prevents the car from going further. The cliché “defense in depth” is very real, and security departments need to review multiple strategies to answer, “What if they were able to get through this door, then what?”
Student Loan Social Security Numbers Stolen
Issue: 3.3 million Social Security numbers stolen from student loan program
Company: Education Credit Management
Date: March 2010
Impact: Social Security numbers revealed
Lessons learned: The information was not stolen from external Internet access but rather from information residing on a thumb drive. The company has not revealed whether the information was encrypted, but one can make some assumptions here that the information was not encrypted, since the federal loan guarantor is offering 12 months of credit protection to the 3.3 million individuals, representing 5% of the federal student loans (Fox News, 2010). Organizations would not incur that expense if there was no real security breach. As noted in the previous chapter, similar breaches of a portable device occurred in November 2010 when Health Net, Inc., lost an unencrypted hard drive containing Social Security numbers and bank account numbers on 1.5 million people.
The first step in protecting portable media is to ensure that policies are in place as to what can and cannot be copied to flash drives, USB thumb drives, CDs, DVDs, and by whom. Policies in themselves may provide protection once a violation is detected; however, without adequate technical controls, enforcing the policies may be very difficult at best. Care also must be taken to ensure that information is appropriately classified and segregated for access control to reduce the likelihood that the wrong individuals will have access to the information. Monitoring also needs to be in place to see what information is being copied. When people inside the organization know that monitoring activities are taking place, this can serve as a strong deterrent toward copying information to external media. The copying may not even be malicious, but it may increase the risk that the information would be exposed through accidental loss of the drive.
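The monitoring the passage calls for can be expressed as a detection rule that joins a removable-media audit trail with the organization’s data classification. The following is an added example, not code from the book: the audit-line format, the share names, the user names, the device serial numbers and the policy tables are all constructed for the demonstration and do not correspond to any particular product. The rule flags any copy of a restricted file to a device that is not approved for that user, and escalates when one user moves several restricted files in a session.

```python
"""Added example (not from the book): a detection rule over constructed
removable-media audit lines. Log format, shares, users, device IDs and the
policy tables are all invented for the demonstration."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample audit lines: timestamp|user|action|source path|destination
SAMPLE_LOG = r"""
2010-03-02T09:12:04|jdoe|COPY|\\fileserver\loans\borrowers_2009.csv|USB:SN-4411
2010-03-02T09:12:30|jdoe|COPY|\\fileserver\loans\ssn_extract.xlsx|USB:SN-4411
2010-03-02T09:13:01|jdoe|COPY|\\fileserver\loans\guarantor_list.csv|USB:SN-4411
2010-03-02T10:40:15|asmith|COPY|\\fileserver\public\newsletter.pdf|USB:SN-9001
2010-03-02T11:02:44|bkim|COPY|\\fileserver\hr\salaries.xlsx|USB:SN-0001
2010-03-02T11:05:10|bkim|COPY|\\fileserver\hr\salaries.xlsx|C:\Users\bkim\Desktop
"""

# Constructed policy: classification is decided by the share a file lives on,
# and only specific (assumed encrypted) devices are approved per user.
SHARE_CLASSIFICATION = {"loans": "restricted", "hr": "restricted", "public": "public"}
REMOVABLE_ALLOWLIST = {"bkim": {"USB:SN-0001"}}
BURST_THRESHOLD = 3  # restricted files per user in one run that warrants escalation


@dataclass
class Alert:
    user: str
    path: str
    device: str
    reason: str


def classify(path: str) -> str:
    """Map a UNC path to its classification using the share name."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    share = parts[1].lower() if len(parts) > 1 else ""  # parts[0] is the server
    return SHARE_CLASSIFICATION.get(share, "unclassified")


def parse_line(line: str):
    """Split one audit line into its five fields."""
    ts, user, action, src, dst = line.split("|", 4)
    return ts, user, action, src, dst


def evaluate(log_text: str):
    """Return the alerts raised by the removable-media policy over the log."""
    alerts, restricted_per_user = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, action, src, dst = parse_line(line)
        if action != "COPY" or not dst.startswith("USB:"):
            continue  # only copies onto removable media are in scope here
        level = classify(src)
        if level == "public":
            continue
        if dst in REMOVABLE_ALLOWLIST.get(user, set()):
            continue  # approved device for this user; no alert
        restricted_per_user[user] += 1
        alerts.append(Alert(user, src, dst, f"{level} file copied to unapproved removable device"))
    for user, n in restricted_per_user.items():
        if n >= BURST_THRESHOLD:
            alerts.append(Alert(user, "*", "*", f"{n} restricted files copied to removable media in one session"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(f"{alert.user:8} {alert.device:12} {alert.path}  ->  {alert.reason}")
```

Run against the constructed log, the rule stays silent on the public newsletter and on bkim’s approved device, raises one alert per restricted file jdoe copied, and adds the burst alert because three restricted files left in one session. The allowlist is what makes the policy enforceable rather than merely written down: an approved device is a decision recorded in advance, so anything outside it is a deviation worth a look.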
Social Security Numbers Printed on Outside of Envelopes
Issue: Social Security numbers printed on outside of envelopes
Company: CitiGroup
Date: January 2010
Impact: 600,000 CitiGroup customers
Lessons learned: The annual tax documents that were mailed contained the Social Security number on the outside envelope. CitiGroup’s communications indicated, “The digits were not identified as a Social Security number, and they were printed at the lower edge of the mailing envelope with other numbers and letters that together resembled a mail routing number.” It also stated, “We believe there is little or no risk to our customers. The error has been corrected for all future mailings.”
These public relations announcements sound almost like a denial that there was a real issue, attempting to downplay the fact that Social Security numbers were printed on the envelopes. Was this the result of a genuine mistake? Did CitiGroup use the Social Security number as part of a series of numbers to control the printing reconciliation process? Was this the idea of one programmer (Fox Business, 2010)? Did this error slip through the peer reviews, and was the design implementation reviewed by information security before rolling this out the door? Or was this the result of a quick subcontract relationship with a small external vendor that was unaware of the security implications? Or was it the result of all of the above?
Printing of Social Security numbers on envelopes is not a new phenomenon. Several state agencies have been guilty of doing the same, and in some cases multiple times. For example, the State of Wisconsin repeated the mistake three times in one year, once blaming an external contractor and another time blaming the error on a malfunction of the folding machines permitting the Social Security number to be shown in the envelope window. Obviously the external contractor did not change its procedure to prevent the issue from happening a second time.
People make mistakes, and that is a given. However, care must be taken when it comes to critical information, such as identifiers like Social Security numbers, credit card information, driver’s license numbers, birth dates, maiden names, and security codes. Most organizations do not have a good handle on where this information resides and where it flows. Security dollars need to be allocated to the highest risk assets to be effective, so why not target these high-value information assets when constructing the security program? In this case, the printing of the Social Security numbers should be traced from the birth (receipt) of the Social Security number, through its life (storage, printing), to its death (no longer needed), and the appropriate protection and quality assurance strategies should be incorporated to ensure that the information is protected throughout the life cycle.
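One concrete quality assurance strategy for the printing stage of that life cycle is a gate that inspects the rendered envelope text before a batch is released to the printer. The block below is an added example, not CitiGroup’s process or code from the book. It assumes the print system can render each envelope to text and knows which customer record it belongs to; the envelopes, the customer records and the placeholder SSN 123-45-6789 are constructed. It applies two checks: the customer’s own SSN digits must not appear in any formatting (including buried inside a longer routing-style string, which is how they leaked here), and nothing else on the envelope may be SSN-shaped.

```python
"""Added example (not from the book): a pre-print quality gate that rejects
envelopes carrying SSN digits. Envelopes and records are constructed."""
import re


def looks_like_ssn(digits: str) -> bool:
    """Structural rules only: area 000, 666 and 900-999, group 00 and serial 0000
    are never issued, so a 9-digit string with any of those cannot be an SSN."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


# 123-45-6789, 123 45 6789 or 123456789; digits inside a longer token match too
SSN_PATTERN = re.compile(r"\d{3}[- ]?\d{2}[- ]?\d{4}")


def find_ssn_candidates(text: str):
    """Return (offset, matched text) for every SSN-shaped value in the text."""
    hits = []
    for m in SSN_PATTERN.finditer(text):
        if looks_like_ssn(re.sub(r"[- ]", "", m.group())):
            hits.append((m.start(), m.group()))
    return hits


def envelope_problems(envelope_text: str, customer_ssn: str):
    """List the reasons an envelope must not be printed (empty list = clean)."""
    problems = []
    # Digits-only comparison catches the SSN regardless of separators or line breaks
    if re.sub(r"\D", "", customer_ssn) in re.sub(r"\D", "", envelope_text):
        problems.append("customer SSN digits appear on the envelope")
    for pos, token in find_ssn_candidates(envelope_text):
        problems.append(f"SSN-shaped value {token!r} at offset {pos}")
    return problems


def gate_print_batch(batch):
    """Split rendered envelopes into approved and rejected record IDs."""
    approved, rejected = [], []
    for rec in batch:
        target = rejected if envelope_problems(rec["envelope"], rec["ssn"]) else approved
        target.append(rec["id"])
    return approved, rejected


# Constructed envelopes: the second one carries the SSN inside a routing-style string
CLEAN_ENVELOPE = (
    "ACME Financial\nPO Box 100\nSpringfield, IL 62701\n\n"
    "Jane Q. Public\n12 Main St\nSpringfield, IL 62704\n\nMR 07-2201-B7"
)
LEAKY_ENVELOPE = CLEAN_ENVELOPE.replace("MR 07-2201-B7", "MR 12345678900-B7")
SAMPLE_BATCH = [
    {"id": "A-001", "ssn": "123-45-6789", "envelope": CLEAN_ENVELOPE},
    {"id": "A-002", "ssn": "123-45-6789", "envelope": LEAKY_ENVELOPE},
]

if __name__ == "__main__":
    ok, bad = gate_print_batch(SAMPLE_BATCH)
    print("approved:", ok, "rejected:", bad)
    for rec in SAMPLE_BATCH:
        for problem in envelope_problems(rec["envelope"], rec["ssn"]):
            print(rec["id"], "-", problem)
```

The first check is the decisive one: it does not depend on recognising the number as an SSN, only on knowing which customer the envelope is for, so it would have caught the “mail routing number” framing described above. The structural filter exists to keep the second, pattern-based check from rejecting every nine-digit reference number on a mailing.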
Valid E-Mail Addresses Exposed
Issue: Issuer of 40 billion e-mails per year is breached
Company: Epsilon
Date: March 2011
Impact: Active e-mail accounts of users of at least 50 major companies disclosed
Lessons learned: Most people have never heard of the company named Epsilon and have not had a prior relationship with them—until this breach was revealed. Epsilon provides e-mail services for many major brands, including Brookstone, Best Buy, Chase, Citi, Capital One, Walgreens, Marriott, and Kroger. Epsilon sends approximately 40 billion e-mails per year for over 2500 clients. The breach at Epsilon provided the active e-mail accounts of customers of these firms, which could be used in future phishing attacks. Not only do the hackers have the valid e-mail account addresses, but now they also have the names of companies where individuals shop, which can lead to clever phishing attacks (Schwartz, 2011).
The companies issued e-mails offering apologies, while also emphatically stating in bold print, “but did not include any customer account or financial information.” They also issued further reminders about not revealing personal information in e-mail requests. As in the case of the Sony PlayStation, this breach represents a public relations issue. However, in the Epsilon case the organizations involved simply passed the blame for the breach by stating “we have been informed by Epsilon, a vendor we use to send e-mails ...” Fortunately, there was enough foresight to not share customer account and financial information with the e-mail service provider to limit the risk. There is still the risk when engaging a subcontractor that their actions will cause issues for the business. While the full extent of the damage of this may never be known, as it is not clear who accessed the information and what motives they had (was it the work of script kiddies or motivated hackers for subsequent financial gain), these situations illustrate the care that must be taken when subcontracting work to another company. Are they being audited frequently? Are these audits rigorous? What is their process when a security incident occurs? What is the liability of the contracted firm versus the liability of the one contracting? Who determines if credit monitoring must be offered in case of a breach and who pays for it? These items should be discussed and clearly documented well in advance of the breach.
E-mail addresses, when compared to transaction-type information such as credit card information, Social Security numbers, or a health care subscriber ID, may be considered less of a risk to the organization if disclosed. This breach illustrates that this thinking may be in error, as knowledge of the e-mail address, combined with the company name, provides the opportunity for hackers to exploit existing account holders through phishing attacks or targeted marketing (i.e., phony ads requesting personal account information entry) to obtain account information.
This breach could eclipse the largest breach, which occurred at Heartland Payment Systems, where 130 million credit and debit card accounts were impacted, causing Heartland to examine stronger security controls, such as end-to-end encryption, tokenization, and chip technology. Albert Gonzalez was convicted for the Heartland break-in, which according to federal prosecutors resulted in losses exceeding $200 million, and earned the harshest sentence given to date for this type of crime, 20 years.
Office Copier Hard Disk Contained Confidential Information
Issue: 409,000 records breached after being left on office copier
Company: Affinity Health Plan
Date: March 2010
Impact: Medical information, Social Security numbers, date of birth released
Lessons learned: Information was left on a company copier that was returned to the leasing company (Rey, 2010). Who knew the copier had a hard drive? Many of the copiers today have the capability to scan and e-mail information, and may have remnants left on the copier. Who has access to this information? How was it configured? Can information from the copier be sent to people outside of the organization, unencrypted? What processes are in place for media sanitization and disposal? What are the procedures to prevent access to the information by the firm servicing the equipment?
The incident illustrates that when new technology is introduced to an organization, the policies need to ensure that information security is involved. This situation could have been avoided if some simple questions about storage and encryption had been answered with respect to the copiers. The incident also highlights that information security governance must take a holistic approach to information security and consider information in all forms—written, oral, and electronic—when considering the security controls that may be required.
Advanced Persistent Threat Targets Security Token
Issue: RSA issues letter explaining advanced persistent threat on SecurID tokens
Company: RSA Security
Date: March 2011
Impact: Uneasiness of RSA token security
Lessons learned: Advanced persistent threats (APTs), whereby targets are chosen and a series of ongoing attacks is mounted against a specific, targeted organization to achieve a particular objective, are on the increase. As opposed to the typical phishing attack, whereby millions of potential targets are presented with a phishing e-mail and the hope is that a small percentage will bite, the advanced persistent attacks attempt to penetrate a particular target over a period of time to gain access to valuable information. In this case, RSA Security’s security token was the target. The token generates a random number every 30 to 60 seconds based upon the token ID, time, and a seed value. The algorithm was reverse engineered about 10 years ago, so with the token ID or the seed value, it would be possible to generate the pass code. A PIN also has to be supplied by the end user and the login ID would need to be known, each of which could be obtained through social engineering, thus reducing the strength of this method of authentication. RSA had not yet disclosed what information was accessed through the APT (Kirk, 2011).
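To make the dependency described above concrete, the block below is an added example, not RSA’s algorithm and not code from the book: it uses the public HOTP/TOTP construction (RFC 4226 and RFC 6238, HMAC-SHA1 over a time-derived counter) as a stand-in for a seed-and-clock token, and pairs it with a server-side verifier that also requires a PIN. The user record, salt and PIN are constructed; the seed is the one published in the RFC 6238 test vectors, so the codes can be checked against a known-good source. Everything the code factor produces follows from the seed alone, which is why a compromised seed store has to be treated as a compromise of every token it covers, and why the PIN (a separate secret, stored only as a salted hash) is what remains after such a loss.

```python
"""Added example (not from the book): RFC 4226/6238 one-time codes as a stand-in
for a seed-and-clock token, with a PIN-plus-code verifier. User record, salt
and PIN are constructed; the seed is the RFC 6238 test-vector seed."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """PIN stored only as a salted PBKDF2 hash, never alongside the seed in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


RFC_TEST_SEED = b"12345678901234567890"  # seed from the RFC 6238 test vectors
_SALT = b"constructed-salt-01"           # constructed per-user salt
USERS = {                                 # constructed user record
    "jdoe": {"seed": RFC_TEST_SEED, "pin_salt": _SALT, "pin_hash": hash_pin("4821", _SALT)},
}


def verify_login(user: str, pin: str, token_code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept only if the PIN matches and the code matches the current step
    or one adjacent step (clock drift tolerance). Both factors are always
    evaluated so a rejection does not reveal which one was wrong."""
    rec = USERS.get(user)
    if rec is None:
        return False
    pin_ok = hmac.compare_digest(rec["pin_hash"], hash_pin(pin, rec["pin_salt"]))
    counter = unix_time // STEP_SECONDS
    candidates = range(max(0, counter - drift_steps), counter + drift_steps + 1)
    code_ok = any(hmac.compare_digest(hotp(rec["seed"], c), token_code) for c in candidates)
    return pin_ok and code_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test-vector time; real code would use int(time.time())
    print("token shows:", totp(RFC_TEST_SEED, now))
    print("pin + code :", verify_login("jdoe", "4821", totp(RFC_TEST_SEED, now), now))
    print("wrong pin  :", verify_login("jdoe", "0000", totp(RFC_TEST_SEED, now), now))
```

Two design points carry over to any token deployment regardless of vendor: the seed database is the crown jewel and deserves its own protection, logging and separation from the PIN store, and the drift window should be as small as clock quality allows, since every extra step widens the set of codes the verifier will accept.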
Eventually, hackers working to defeat a security control, given enough time and resources, may defeat the control. While the impact of the RSA Security breach is still unknown, it may require that millions of tokens be invalidated and reissued if that proves to be the case. The lesson here is not so much about the viability of the RSA product, but rather that an organization needs to fully understand what software, hardware, and security controls are in place to protect the organization and whether there are issues with any of those products. This is not to suggest that an organization discontinue the use of an industry product upon the initial news, especially if there is not a better alternative. However, when these events do occur, it demonstrates that products that were once secure may require some additional controls or require an upgrade or replacement as a result of a breach. This is part of the cost of doing business.
The organization needs to be aware of technology changes and when they become insufficient to protect the information assets. Wired Equivalent Privacy (WEP) was a standard approved in 1999 to protect wireless networks. However, the standard was replaced by the Wi-Fi Protected Access (WPA) standard and WPA2 standards in 2003 and 2004, respectively, after it was determined that the WEP standard was too easily broken into and was no longer sufficient. WEP was one of the vulnerabilities that caused the T.J. Maxx company to be breached. The Payment Card Industry’s Data Security Standard (PCI DSS) subsequently required all companies handling credit card data after June 2010 to implement WPA security or better.
Who Will Be Next?
Financial services firms have long understood the need for information security to protect the financial information and provide contingencies for the losses by replacing the funds in the customer accounts and making them whole again. This becomes more difficult in the case of medical information. Once the disclosure has happened and the individual’s personal information is disclosed, it is impossible to “put the information back in the bottle.” The damage is already done after the disclosure and it is then up to civil penalties to make it right. However, unlike the banking scenario, the confidentiality breach cannot be undone and appear as if it never happened to the consumer.
The disclosures in the preceding examples may or may not result in actual financial damages to the consumer or the company, depending upon to whom the information was provided. In the copier example, the company was able to retrieve some of the hard drives from the leasing company. Had anyone seen the data at the leasing company? If they had, were they the type of individual that would have acted or sold the information? If the disclosure was accidental, odds are that the information would not have fallen into malicious hands unless the attack was initiated in that manner. An organization may misplace a tape, CD, DVD, or USB drive, but unless the whereabouts are clearly known, there is the possibility that it was accidentally discarded in a place that no one would have accessed it (e.g., shredded, thrown out in the garbage). This does not suggest that the follow-on precautions do not need to be observed in investigating the incident, reviewing policies and procedures to reduce the likelihood of the event happening again in the future, and increasing the security controls, but rather that it is possible that no one was harmed by the incident. In today’s world where we fear having our identities stolen, organizations need to be on the conservative side of providing the proper assurance after a breach, or the company risks losing the customer base. On the other hand, when an organization thinks that the compromise is the result of a targeted attack (versus an accidental mishandling of information), since the attack is the result of malicious intent, the organization needs to assume that any information disclosed will be used in subsequent activities by the hacker for financial gain.
Unfortunately, individuals who have been victims of identity theft may need to spend years to undo the damage done to their credit histories and encounter problems in purchasing new houses, cars, or even applying for credit at the local big-box store. Assuming that each of the individuals affected will tell at least 10 of their friends of the breach, if they know the source of the breach, such as identity theft occurring shortly after the Heartland Payment Systems breach or the Epsilon breach, they may create a loss in revenue for the organizations issuing their credit cards even though those organizations did not directly cause the breach. As noted earlier, the work of the subcontractors is often attributed to the company that hired them. It is doubtful that many people could name the subcontractors that printed viewable Social Security numbers in the State of Wisconsin example, but surely the State of Wisconsin was viewed as not appropriately managing the process.
So, what organization will be next? Hopefully, lessons can be learned without having to experience them firsthand. It becomes very costly once a breach occurs, not only for the cost of the actual breach in terms of breach notification, credit monitoring, public relations, restoring the infrastructure, and upgrading security controls, but also in legal fees to fend off lawsuits, fines, and increased use of external audits, vulnerability assessments, and penetration testing. After an incident these services are also usually needed very rapidly, and as a result, the costs for the services may be much higher than if the processes were built into and prices negotiated as part of an ongoing information security program.
Every Control Could Result in an Incident
One way to view security controls is to ask, “What could happen if we didn’t implement the control?” This question can be answered by scanning the USA Today articles referred to at the beginning of this chapter. A useful exercise would be to construct what the headline would be: “UPSTARTXYZ Company Fails to Protect Millions,” “ABCHealth Reveals 500,000 AIDS Patients,” or “Local Newspaper Buys 123Company Intellectual Property Hard Drive on e-Bay.” The information security governance program must focus on the risk to the assets and ensure that the appropriate controls are in place. Periodically examining the lessons learned from other companies, and subsequently testing the information security policies against them, results in asking the right questions to examine where there may be new vulnerabilities.
From a cost perspective, reviewing the incidents of other companies is a very cost-effective way to enhance security governance. What is learned is not only what the incident was; the press releases also typically indicate what actions the company is planning in order to provide comfort to the public that the company can again be entrusted with its customers’ sensitive information. Information gleaned from these incidents should be regarded as “free research.” Someone else has already done their homework after the incident to reduce the risk of the occurrence happening again, and much can be learned from the incident and its subsequent resolution.
Suggested Reading
1. National Institute of Standards and Technology (NIST). August 2009. Special Publication 800-53 Rev 3: Recommended security controls for federal information systems and organizations. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
2. IT Governance Institute. 2007. Mapping of NIST SP 800-53 Rev 1 with COBIT 4.1. http://www.itgi.org
3. National Institute of Standards and Technology (NIST). October 2008. An introductory resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
4. Verizon Business. 2011 data breach investigations report. http://verzonbusiness.com
5. Kitten, T. 2011. Sony breach ignites phishing fears. GovInfo Security (April 28). http://www.govinfosecurity.com/articles.php?art_id=3586
6. Jackson, W. 2011. DHS secretary: “Cyberspace is civilian space.” Government Computer News (April 27). http://gcn.com/articles/2011/04/27/napoli-tano-dhs-role-cybersecurity.aspx
7. Rashid, F. Y. 2011. Personal data for 3.5 million Texans exposed on state comptroller server. eWeek.com (April 12). http://www.eweek.com/c/a/Security/Personal-Data-for-35-Million-Texans-Exposed-on-State-Comptroller-Server-196592/
8. Student loan company: Data on 3.3M people stolen. 2010. Foxnews.com (March 26). http://www.foxnews.com/us/2010/03/26/student-loan-company-data-m-people-stolen/
9. Citi apologizes for envelope gaffe. 2010. Foxbusiness.com (February 24). http://www.foxbusiness.com/story/markets/industries/finance/citi-apologizes-social-security-gaffe/
10. Schwartz, M. J. 2011. Epsilon fell to spear-phishing attack. Information Week (April 11). http://www.informationweek.com/news/security/attacks/229401372
11. Rey, M. 2010. Photocopier fallout: Company notifies 409,000 of data breach. Cbsnews.com (April 26). http://www.cbsnews.com/8301-31727_162-20003449-10391695.html
12. Kirk, J. 2011. After RSA breach, are SecurID tokens in jeopardy? PC World (March 18). http://www.pcworld.com/businesscenter/article/222559/after_rsa_breach_are_securid_tokens_in_jeopar