No Fooling: It’s Time to Start Disclosing Breaches

April 1, 2011

Perhaps I’m turning into a curmudgeon, but I just couldn’t think up any wild-and-crazy April Fools article to strain the credulity of you, our dear readers.  But much like Peter Finch in the 1976 classic film Network, I’m not happy with the state of things — and particularly, with the state of breach disclosure.

It seems that almost every time there is a new data breach, the news goes from bad to worse: digital registrar Comodo now tells us that an attack that used compromised digital certs signed by Comodo is “broader than previously thought”, and another recently attacked organization, NASDAQ, now states that the attack against its infrastructure, too, is “more extensive than NASDAQ previously disclosed.”

Now, it’s certainly possible that additional information regarding the depth of these breaches was discovered after the initial disclosure; but of course, it’s the initial disclosure that gets all the press, isn’t it?  Coming in a few weeks later and saying, “remember that breach?  Yeah, turns out it wasn’t just a meaningless blip after all…” may make it easier on the breached organization, but it doesn’t do a lot for consumer confidence.

And of course, as we learned last week, RSA — the world’s leading vendor of two-factor authentication — experienced a breach that (quoting RSA Chairman Art Coviello) “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack”.  Details are still woefully minimal as to what this exactly means, but many of us in the security world have a sinking feeling that the pattern established at Comodo and NASDAQ — and long before them with TJX, Heartland Payment Systems, and others — may be ready to rear its ugly head yet again.  We can only hope that it doesn’t.

Of course, in a perfect world, organizations would do a better job of protecting and monitoring their systems to reduce the risk (both likelihood and consequence) of breaches.  Situational Awareness is, of course, a great way to make that happen; while we all know that there’s no such thing as “100% secure”, there are certainly varying degrees of security.  By making security risk-appropriate, organizations could spend less time worrying about disclosure, and not wind up looking like an April fool (or a fool in any other month, for that matter…).
