David Spark here reporting for Tripwire at the 2010 RSA Conference in San Francisco.
Businesses’ fear of negative publicity actually benefits cybercriminals. A company that gets negative press fears retaliatory lawsuits and climbs into a shell, refusing to work with law enforcement or other organizations. This makes us all vulnerable. Today’s panel of regulators, lawyers, law enforcement, and victim companies walked through the chain reaction after a breach to better understand what happens and whether we can prevent it from continuing.
On the panel were:
- David Burg, Principal, PricewaterhouseCoopers
- Troy Leach, Technical Director, PCI Security Standards Council
- Kimberly Kiefer Peretti, Senior Counsel, U.S. Department of Justice
- John Woods, Partner, Privacy and Information Management Practice Litigation and Intellectual Property Practice, Hunton and Williams
- Moderator: Kim Getgen, Principal, Trust Catalyst
Here are some highlights from the discussion, “A 360-Degree View into Data Breaches: Are We Our Own Worst Enemy?”:
- “More money is stolen electronically or in data breaches than through bank robberies,” Shawn Henry, Assistant Director, FBI’s Cyber Division.
- Peretti, who was involved with the indictment, referred to the Gonzalez case. In that case, Alberto Gonzalez gathered credit card information that was resold multiple times. Gonzalez used malware that wasn’t detected by any of the antivirus systems. As a result, they were able to stay on systems for years. He had unlimited time to do network reconnaissance and look around networks for credit card information.
- Some companies, when presented with evidence that they’ve been compromised, put their heads in the sand and say “go away.” Others get involved and spend a lot of money doing forensics.
- PricewaterhouseCoopers said that giving information to law enforcement has not affected their company in any way. Your information is going to come out in litigation. By giving information to law enforcement, you are able to limit exposure. For example, you can show that only account data was compromised, and not the more personal information that is responsible for identity theft.
- A standard doesn’t prevent a breach. The people and processes implemented on that standard can prevent a breach.
- If you don’t have the mechanisms to find where that data is to begin with, your costs go up dramatically.
- While one merchant had a vulnerable system, they bragged about a breach because they had the controls in place to catch it. They immediately took the breached system offline and contacted law enforcement.
- The number of cases law enforcement investigates is a small fraction of the hacking rings operating out there.
- How do you get reluctant victims to get involved with law enforcement? It’s a hard question to answer, but law enforcement respects victims’ needs. Peretti says that of the cases she’s worked on and others she’s seen, she hasn’t seen one where law enforcement disrupted the business and took systems offline against the organization’s wishes.
- When law enforcement does have a positive story with a client, we make sure we get that information out into the press. It’s a working relationship.
- Sometimes you only find out if you’ve been compromised through a working relationship with law enforcement.
- If there are material weaknesses in your financial auditing infrastructure, then that’s another issue you’ll have to deal with during a breach. You have a new issue: how do you know your financial data is accurate?
- Among the attributes of a sophisticated attack: there’s a clear motive, because there’s an economic incentive to perform an intelligent hack.
- Active sharing with the DOJ and FBI allowed PricewaterhouseCoopers to understand attacks much faster.
- In the Estonian hacking ring case, the hackers used compound SQL statements to probe databases and understand the content in different applications. This was just a learning process to understand the infrastructure. Over this time, they pushed additional tools into the environment so they could pass content, chunked up, to another web server. After effectively pulling the data out of the ATM network, the attacker was able to clean up the digital crime scene.
Check out more of Tripwire’s coverage from the 2010 RSA Conference in San Francisco.