Another data breach. This one is at Butler University and is still under investigation. The breach was discovered when authorities in California found a flash drive, carrying the exposed data, on an unrelated identity theft suspect.
In other words, the University had no idea that their data had been accessed until law enforcement on the other side of the country happened upon it.
The recent credit card breaches at Spec’s, Neiman Marcus, Target, and P.F. Chang’s all had long gaps between incident and detection as well. The pattern here is that the victim of the breach doesn’t discover it themselves, and it’s a pattern that’s also been identified in the Verizon Data Breach Investigations Report.
It’s like finding out your jewelry store was robbed because the police caught someone fencing the merchandise. That doesn’t happen so often in physical crime because jewelry is stolen, not copied, and people tend to notice missing items of value. It’s different with information security, where your data can simultaneously be “stolen” and stay in the proverbial display case.
In the information security industry we tend to think about this gap between incident and detection, the ‘threat detection gap,’ as making the incident worse because more data can be accessed and copied the longer the gap. There are simply more victims the longer the breach goes on. This is generally accurate, and is one of the reasons to push for better, faster breach detection. It’s not the only reason, and might not be the most important in the long run.
Outside of the increase in the number of victims or even the potential for broader data to be accessed, consider what happens during the threat detection gap. It’s a period of time in which the criminal works to monetize their crime, i.e. sell or otherwise utilize the data they have.
Just like it’s harder to fence jewelry when the authorities are on the lookout for it, it’s harder to sell data, especially credit card numbers, once it has been identified as copied and the cards have possibly been deactivated. Shortening the threat detection gap not only decreases the severity of the breach, but also decreases the profit margin of the crime itself.
Making crime pay less is a very effective way to reduce that particular crime, as recently evidenced by the iPhone ‘kill switch’ statistics. In that case, making the iPhones effectively useless once stolen also makes them effectively worthless.
By closing off the threat detection gap, we can decrease the value to the criminal of the effort to commit the crime, making it a less worthwhile undertaking in the first place. As information security professionals, we should not only consider how we can improve security in our own organizations, but how we can improve security in the industry as a whole.