Breach data answers security questions


Security Summit 2009, 27 May 2009

The information crisis is a crisis of credibility. Companies do not have the data to back up what they want to say. They are not observing and not asking the right questions. Moreover, they are not transparent enough when it comes to security breaches.

This is according to Adam Shostack, senior security programme manager, SDL, at Microsoft, in his keynote at the ITWeb Security Summit, in Midrand, this week.

“If we want people to implement complex solutions, we need to understand they will question what we want to build, especially in today's economy. We need to have better answers.”

He sees the rise of breach data laws as helping to solve the information crisis. New laws require that customers be notified of certain breaches involving loss of control of personally identifiable information. The goals were to reduce the impact of identity theft and impersonation fraud, and to give the industry the opportunity to study what goes wrong.

He said it is reported that we are making more and more progress, but questions whether this is the growth we want to see. “What should we measure? Are we measuring the right things? Are we gathering the right statistics?” It does not have to be too hard, he added; people solve complex technological problems all the time, sometimes without computers.

Open your eyes

It's all about altering behaviour. Observation, noted Shostack, is key. “We need to look at the world and ask what is happening here. What can I observe? What can I measure? Sometimes you need instruments in order to figure out what is happening, although human motivations are powerful.”

He cited the invention of strobe photography as an example. “It was the result of a bet between two men, who disagreed on whether all four of a horse's hooves left the ground at one time when it galloped.”

We do not observe enough when it comes to information security, he pointed out. “Sometimes we need to arrange for observations. By doing this we can take action and influence the outcomes. We can form an interesting hypothesis that needs to be surprising, broad, predictive and testable. We need to find a method of testing it and try to prove it wrong. It's all about observation and experimentation.”

This contrasts radically with what is happening with information security at the moment. “In this case, we tend to form an interesting hypothesis, advocate for it really loudly, assert that it's a really big problem and then give it a cutesy name, to attract attention to it.”

This does not advance the security profession at all, he noted. “Nor does it improve our ability to alter the outcomes. Does it help us to achieve value? Where do we get data to test hypotheses?”

There are several possible data sources, but none on its own is enough. “Surveys, for example; how do you measure the data? The definitions of an attack vary from one respondent to another.

Get talking

“We need to address the key underlying questions such as what causes security issues, how can we reduce them and how effective is this spending versus alternatives, including insurance that will cover costs incurred during security breaches.

“Although data breaches are embarrassing, what they can tell us is the sky does not fall on our heads. Many of the concerns companies have regarding disclosure of data breaches do not materialise, such as customers fleeing, companies going out of business, massive lawsuits.”

It is far better to talk about problems, as real-world examples deliver credibility. “Companies need to have the perspective to understand what we can learn from these things, from real-world examples - it gives you credibility. Look at breach data, see what it tells you and use this information to examine your own security issues.

“We've seen a spate of laptop losses recently. By understanding the frequency, the impact to the company and customers, it will help us understand why we should spend money on laptop encryption. Having the information helps you back up the 'why' when pitching to executives for budget to purchase this encryption. Look at what caused the problems; this will help you find solutions.”