A data breach, as described in the recently published Verizon 2015 Data Breach Investigations Report (DBIR), is an incident that resulted in confirmed disclosure (not just exposure) of information assets to an unauthorized party.
Some of the interesting highlights from the report are:
Public Sector had the highest confirmed data breaches last year (303) followed by Financial Services (277).
In 60% of cases, attackers are able to compromise an organization within minutes, but the time it takes for an organization to discover a compromise is much, much longer.
Mobile devices are not a preferred vector in data breaches: out of tens of millions of mobile devices, the number infected with truly malicious exploits was negligible (0.03%).
Forecasted average loss for a breach of 1000 records is between $52K and $87K. For a breach affecting 10 million records the average loss is forecast to be between $2.1M and $5.2M.
Web application attacks accounted for 9.4% of incidents with confirmed data breaches.
A number that you can shortly expect to hear from many in the identity biz is that 51% of web application attacks that resulted in data breaches can be attributed to the use of stolen credentials.
But if you blindly run with that number without digging into incident patterns and victim industry, you would be making some faulty assumptions about where you should focus your defensive investments and energy.
Web application attacks (the home of that 51% credential compromise number) are clustered in the Information Technology (35%) and Financial Services (31%) sectors.
When it comes to the public sector, web application attacks account for only 6% of data breaches with the primary attack vector (51%) being crimeware!
So, if you are in the public sector digital service delivery business, these numbers should be cause for concern and discussion on security investments and identity federation strategies.
I found this report rather disturbing to read, because it is causing me to question some of the fundamental assumptions I have been operating under:
- Are the security investments allocated properly to defend against the right threats? Crimeware vs. web application attacks / credential compromise?
- Does the value provided by identity federation, combined with compensating controls that can be implemented by public sector digital services, overcome the potential risk of federating identity with entities in sectors that are more likely to have compromised credentials?
Yes... a trade-off discussion - something that is remarkably hard to do because it forces us to look at the world as it is, and not how we would like it to be.
Things should do what they're told
++ The utopia where "all devices would have to be sold with encrypted filesystems by default, so that users whose phones are lost or stolen can be sure that their data is intact, that their bank accounts won’t be raided, that the correspondence with their lawyers and doctors and lovers won’t be read, that their search history and photos won’t be exposed" is something to strive for.
It does, however, require an educated, engaged, discerning customer who is active in how they manage their digital life.
++ The Internet of Things is indefensible. Solution? More NIST guidance.
I've heard Ron Ross speak on FISMA Guidance before and he brilliantly advocates a flexible, intelligent approach to risk management.
The challenge will continue to be that the folks who actually implement the guidance trend towards the check-box mentality where risk is a bad word, and inflexibility and paper generation are the norm.
++ Surprised and shocked at the divergence between the US and many other countries on the value that is placed on health history data.
cyberforge: random and relevant
++ Last Week Tonight with John Oliver on the Patriot Act, Government Surveillance and a Snowden Interview. You may or may not agree with him, but he puts the points in terms that normal humans can grasp.
++ Kiwis Managing their Online Identity Information provides the results of the research commissioned by the NZ Department of Internal Affairs (DIA) to get a deeper understanding of the online identity information behaviours of New Zealanders.
++ OpenID 2.0 to OpenID Connect Migration 1.0, which defines how an OpenID Authentication 2.0 Relying Party can migrate a user from an OpenID 2.0 identifier to an OpenID Connect identifier, has been approved as a Final Specification by the OIDF.
++ Request for Information (RFI) from GSA on Connect.gov (formerly known as FCCX) Business Models.