Column - Security Watch
The Hole Truth

  July 22, 2002
  By Greg Shipley


I came across a frightening story the other day concerning a recent incident of data theft. Experian, one of the largest U.S. consumer credit agencies, had 13,000 records lifted from its databases as the result of an ID stolen from Ford Motors, The New York Times reported. Attackers used the ID to dump Social Security numbers, bank account information and a slew of other personal data -- all the building blocks needed to launch some serious identity theft operations.

To casual observers, the case may represent just another ho-hum information security breach. However, security practitioners would be wise to dig a bit deeper.

Unfortunately, finding out specifics about these types of high-profile failures is difficult. Companies rarely admit to breaches in the first place, much less reveal the surrounding details. That information would help. For example, what kind of authentication mechanisms did Experian employ for validating those Ford IDs? Are we talking about simple user names and passwords here, or something a bit stronger? Were there any types of expert systems monitoring inbound data queries? Could the systems trigger an alert based on anomalous query behavior? While this is speculation, strong authentication mechanisms, such as the use of hardware tokens, may have protected these systems from attack. Further, one would suspect that some type of behavioral-based intrusion-detection mechanism could have detected a spike when an additional 13,000 records were queried.

While we all know that successful information security efforts require the marriage of technology and process, sometimes simple controls -- such as the use of strong authentication and behavior profiling -- can make a big difference.
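The behavior-profiling control described above, as an added example that is not part of the original column: a small script that builds a per-ID baseline of daily record pulls from query logs and raises an alert when one ID suddenly dumps far more records than its own history supports. The log format (`date,client_id,records_returned`), the client IDs and the sample volumes are all constructed for illustration; a real system would read the same kind of data from its query audit trail.

```python
"""Per-ID behaviour profiling over a credit-query audit log.

Added example, not code from the column or from any credit agency.
The log format and every value below are constructed for illustration:
    YYYY-MM-DD,client_id,records_returned
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one dealer ID pulls a handful of reports a day for a
# week and then, in a single day, pulls a volume that no prior day explains.
# A second lender ID with steady volume shows that normal variation is ignored.
SAMPLE_LOG = """\
# date,client_id,records_returned   (constructed data)
2002-05-01,FORD-DEALER-0042,12
2002-05-02,FORD-DEALER-0042,9
2002-05-03,FORD-DEALER-0042,11
2002-05-04,FORD-DEALER-0042,10
2002-05-05,FORD-DEALER-0042,8
2002-05-06,FORD-DEALER-0042,10
2002-05-07,FORD-DEALER-0042,13000
2002-05-01,OTHER-LENDER-7,40
2002-05-02,OTHER-LENDER-7,38
2002-05-03,OTHER-LENDER-7,45
2002-05-04,OTHER-LENDER-7,41
2002-05-05,OTHER-LENDER-7,39
2002-05-06,OTHER-LENDER-7,44
2002-05-07,OTHER-LENDER-7,42
"""


def parse_log(text):
    """Return {client_id: {date: records_returned}} from CSV-style log text.

    Blank lines and '#' comments are skipped; several rows for the same
    client and day are summed, since what matters is the daily total.
    """
    daily = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, client, count = (field.strip() for field in line.split(","))
        daily[client][day] += int(count)
    return daily


def flag_anomalies(daily, min_history=3, sigma=3.0, ratio=5.0):
    """Flag days where a client's volume exceeds its own rolling baseline.

    For each client, days are processed in order. Once at least
    `min_history` earlier days exist, the day's count is compared with
    threshold = max(mean + sigma * stdev, ratio * mean) over those earlier
    days. Taking the larger of the two keeps a near-constant history (tiny
    stdev) from turning everyday noise into alerts, while still catching a
    pull that dwarfs the usual daily total.

    Returns a list of (client_id, date, records_returned, threshold).
    """
    alerts = []
    for client, days in daily.items():
        history = []
        for day in sorted(days):
            n = days[day]
            if len(history) >= min_history:
                mu = mean(history)
                sd = pstdev(history)
                threshold = max(mu + sigma * sd, ratio * mu)
                if n > threshold:
                    alerts.append((client, day, n, round(threshold, 1)))
            history.append(n)
    return alerts


if __name__ == "__main__":
    for client, day, n, threshold in flag_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ALERT {day} {client}: {n} records pulled, "
              f"baseline threshold was {threshold}")
```

The baseline is computed only from days before the one being judged, so the spike itself never inflates the threshold it is tested against. In practice the same per-ID comparison would run on an hourly window as well, so that a dump spread across a single night is caught before the daily total closes.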

I also found it strange that an Experian official was quoted in the Times article as saying, "It just shows that today, even big companies can be victimized." While large companies are indeed juicy targets, in this particular case the real victims are those 13,000 people whose confidential information was stolen. While Experian may be able to cancel the stolen Ford IDs, those consumers will never be able to put their genies back into the bottle.

In the real world, you can't just reset your Social Security number and change all your bank accounts through a Web browser. This complexity brings up an additional point: Data varies not only in value and confidentiality but in usefulness over time. For example, if I'm going to steal someone's identity, chances are that the victim's Social Security number is going to be the same 10 years from now as it is today. Organizations need to take the life span of their data into consideration when examining the controls they'll want to use to protect it.

Which leads me to my final observation: As an information security consultant, I am constantly challenged when my suggestions revolve around implementing stronger security mechanisms. Our industry talks about "standard" and "best" practices, but when push comes to shove, many managers simply want to know what the other guys are doing. This might be an acceptable practice if most organizations weren't in a completely vulnerable position. But if the standard practice is to exist in a "pants down" state, which companies are going to be the first to admit that they're naked?

While cases such as this Experian/Ford Motors fiasco may be black eyes for the parties involved, the real story is how these organizations, and the industry as a whole, are going to react. If we choose to grow from these mistakes, dig into the details and learn where we could have been stronger, perhaps we will be able to move to a less vulnerable state. But with a flat-out refusal to admit that we are indeed without protection, we're going to continue to face a lot of nakedness in an increasingly cold climate. Here's hoping for more details, without more destructive actions.

--Greg Shipley, gshipley@nwc.com
