What Do We Mean by “Reasonable Controls?”

Russ Cooper
June 19th, 2008

One of the more commonly referenced findings from our “2008 Data Breach Investigations Report” is that 87% of breaches could have been avoided if “reasonable security controls” had been in place at the time of the incident. As this statistic filters through the press and blogs, some are suggesting our use of the term “reasonable” has legal implications, or refers to controls that are “extravagantly hard” to implement. Such interpretation is simply not justified, and we’d like to set the record straight.

What do we mean by “reasonable controls?” We certainly didn’t intend to tread on legal ground with the phrase. “Reasonable” is merely a word we chose to capture the investigator’s professional assessment of whether controls typically included in the information security tool belt would have mitigated the breach had they been implemented on a particular system at a particular time in particular circumstances. Perhaps we should have chosen a different expression, one without unintended implications. In any event, “reasonable” is a somewhat subjective term — what is reasonable for one organization may not be reasonable for another. This is especially true in the context of security controls. Our forensic investigators considered a number of factors about the organization itself and the nature of the breach when making this determination.

Those of you satisfied with that answer are welcome to quit reading at this point. Thanks for dropping by. For the rest of you, we’d like to leave you with a few examples of controls we deemed reasonable from our caseload. Think of this as a last-ditch effort to convince you that the bar was not set too high. We’re big believers in pragmatism and work hard not to make extravagant security recommendations.

• In a number of cases, we found security policies were set for the affected system but not actually implemented. If it’s important enough to warrant a defined policy, then we think it reasonable to make sure the policy is followed.
• Many devices and systems were compromised due to the use of default usernames and passwords. We’re not asking for 5 character types and 15 characters but we do think it’s reasonable to change the default settings.
• Patches for 90% of the known vulnerabilities exploited across all cases were available for at least 6 months prior to the breach. Is it unreasonable to expect that those patches be deployed to all relevant systems at least semi-annually? We don’t think so.
• Another prominent finding in the report was the 66% of cases involving data the organization did not know was on the system. As we stated in the report, keeping track of sensitive data is a difficult challenge, but that doesn’t necessarily mean it requires a difficult solution. In fact, we often prefer lighter-weight, quicker, cheaper mechanisms of data discovery to exhaustive processes that take months. For various reasons, we did not always classify cases involving unknown data as preventable through reasonable controls, but many did receive this designation. One of the first questions we ask during an investigation is “if this type of data was compromised from your organization, which systems must be involved?” All too often we are shown ~6 systems yet, after running a discovery tool for 15 minutes we identify 25 potential systems. We believe it’s reasonable that organizations know a little more about their networks than we can learn in 15 minutes.
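The last bullet describes exactly the kind of lightweight data discovery the report favours: a quick scan that finds where card data actually lives and compares that with what the organization believes. The following Python script is an added illustration and is not Verizon's tool or code from the report; it scans a constructed in-memory set of "systems" (a real run would walk mounted filesystems or database exports) for Luhn-valid card-like numbers and reports which hosts hold them. The host names, paths and card numbers are invented sample data.

```python
import re

# Constructed sample "systems": host -> file path -> file contents.
# Everything below is made up for this example; the card numbers are the
# public test numbers commonly used by payment processors.
SAMPLE_SYSTEMS = {
    "db01": {
        "/var/lib/app/customers.csv":
            "id,name,pan\n1,Ann,4111111111111111\n2,Bob,5500000000000004\n",
    },
    "web02": {
        # Card numbers leaking into web logs is a classic "data we did not know was there" case.
        "/var/log/app/access.log":
            "GET /checkout?pan=4012888888881881 HTTP/1.1 200\n",
    },
    "fileshare": {
        # A 16-digit number that fails the Luhn check: should NOT be reported.
        "/share/reports/q1.txt":
            "Quarterly numbers: 1234567890123456 is an order id, not a card.\n",
        "/share/notes.txt": "Meeting at 10:00.\n",
    },
}

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cheap filter that removes most non-card digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return the Luhn-valid card-like digit strings found in a blob of text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits so the scan report is not itself a PAN store."""
    return "*" * (len(pan) - 4) + pan[-4:]


def discover(systems: dict) -> dict:
    """Map host -> path -> masked PANs for every file holding card-like data."""
    findings = {}
    for host, files in systems.items():
        for path, text in files.items():
            hits = scan_text(text)
            if hits:
                findings.setdefault(host, {})[path] = [mask(h) for h in hits]
    return findings


def undeclared_hosts(findings: dict, declared: list) -> list:
    """Hosts that hold card data but were missing from the organization's own list."""
    return sorted(set(findings) - set(declared))


if __name__ == "__main__":
    found = discover(SAMPLE_SYSTEMS)
    for host, files in found.items():
        for path, pans in files.items():
            print(f"{host}:{path} -> {', '.join(pans)}")
    # The organization believed only db01 held card data.
    print("undeclared:", undeclared_hosts(found, ["db01"]))
```

The Luhn check is what keeps the scan quick and useful: a bare digit regex flags order numbers and timestamps, while the checksum discards most of them at no cost. Masking the matches in the output matters as well, since a discovery report that lists full card numbers simply creates one more system holding data nobody knew was there.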

Time doesn’t permit us to elaborate on everything our investigators thought unreasonable, such as business partners that were given ludicrously excessive access for their required activities, the complete lack of log monitoring in many organizations, or the silly number of network connections nobody bothered to deprovision and soon forgot. We just won’t go there. What say you – are we being unreasonable?


Comments

  1. Learned Friends at Verizon Business Security: Reasonable security implies a cost/benefit analysis. Conventional opinion irrationally assumes the benefit of preventing unauthorized access to data is always high. Conventional thinking ignores alternatives, such as: 1. Maybe compensating external controls make it unlikely a particular breach will amount to anything important (even though the breach would sound bad if reported in the media). 2. Maybe the credit card system as a whole needs to change so criminals who steal little units of data can’t use them.

    The cost of locking down data includes much more than merely correcting particular mistakes (e.g., retaining default usernames) that become obvious after an investigator conducts a postmortem on an incident. The true costs include all the vigilance, equipment upgrades, employee training, auditing, policing of business partners, deprovisioning of network connections and on, and on and on that must be performed prospectively, constantly, repetitively, to prevent a breach from happening in any of the myriad ways it can happen. –Ben
    http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html

    Posted by: benjaminwright on June 22nd, 2008 at 2:17 pm
  2. Ben, we think that your use of the word “conventional” could be seen to be just as subjective as our use of “reasonable controls.” It may very well carry a different meaning for you, the reader, and us. We don’t necessarily think conventional opinion is irrational. Error was a factor in 62% of our caseload. We think the majority had defined a policy, based on conventional thinking, but they simply hadn’t implemented it, or implemented it contrary to their own policy.

    As you say, Ben, “The cost of locking down data includes much more than merely correcting particular mistakes.” We don’t disagree. However, our data shows that eliminating error significantly reduces risk. We believe in many cases one single defensive action can significantly reduce risk, and there are certainly instances where a handful of simple, inexpensive controls can reduce almost all significant risks. There is a point at which implementing more does not achieve equivalent, or even significant, risk reduction. One cannot argue that doing what you have defined in your own policy is a “bad thing,” only, possibly, that your policy need not be as elaborate as you may have it.

    I’m sure we agree there are operational costs for any network, and I think we agree those costs include “vigilance, equipment upgrades, employee training, auditing, etc.” They may also possibly include “policing of business partners,” and definitely de-provisioning of network connections, etc. I’d hope you’d also agree characterizing them as purely security costs is too narrow in the extreme, versus reasonable network operational costs. Whoops, there goes that word “reasonable” again!

    We’re also not suggesting that myriad attack paths be “locked down.” Our risk-based approach considers paths of least resistance and greatest availability (i.e., areas of greatest risk). Our study data shows opportunistic attacks of low skill level can be extremely successful. Such attacks remain successful because the cost of attack is relatively low for the criminal. We believe in implementing controls to the point an organization is no longer a target of opportunity (they become a target of choice). This doesn’t mean the organization has plugged every hole, but it does mean they have made the cost of attack for the criminal higher than for other potential targets.

    As you suggest, it is conceivable that the cost of attack could be increased by factors other than the implementation of internal controls. There may well be value, for instance, in making data less desirable or valuable to the criminal. Unfortunately, most organizations simply do not have the capacity to accomplish this, much less influence external changes on a scale comparable to the suggested revamp of the credit card system. It’s hard to argue against such ideas. In the meantime, however, there remains a need for organizations to implement effective and efficient measures of securing the environment over which they have control.

    Posted by: Russ Cooper on June 25th, 2008 at 8:26 pm
