Do we have a wake-up call in the OIG HHS Report on HIPAA Security Rule Compliance & Enforcement?
If you didn’t notice already, the Office of Inspector General (OIG) in the Department of Health and Human Services (HHS) published a report on the oversight by the Center for Medicare and Medicaid Services (CMS) in the enforcement of the HIPAA Security Rule. The report is available to the public here. As we know, CMS was responsible for enforcement of the HIPAA Security Rule until the HHS Secretary transferred that responsibility over to the Office of Civil Rights (OCR) back in 2009.
To quote from the report, the OIG conducted audits at seven covered entities (hospitals) in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas in addition to an audit of CMS oversight and enforcement actions. These audits focused primarily on the hospitals’ implementation of the following:
- The wireless electronic communications network or security measures the security management staff implemented in its computerized information systems (technical safeguards);
- The physical access to electronic information systems and the facilities in which they are housed (physical safeguards); and,
- The policies and procedures developed and implemented for the security measures to protect the confidentiality, integrity, and availability of ePHI (administrative safeguards).
These audits were spread over three years (2008, 2009 and 2010) with the last couple of audits happening in March 2010. The report doesn’t mention the criteria by which these hospitals were selected for audit except that these hospitals were not selected because they had a breach of Protected Health Information(PHI) .
It wouldn’t necessarily be wise to extrapolate the findings in the report to the larger healthcare space in general without knowing how these hospitals were selected for audit. All one can say is that the findings would paint a worrisome picture if these hospitals were selected truly in a random manner. For example, if one were to look at ”High Impact” causing technical vulnerabilities, all 7 audited hospitals seem to have had vulnerabilities related to Access and Integrity Controls, 5 out of 7 had vulnerabilities related to Wireless and Audit Controls and 4 out 7 had vulnerabilities related to Authentication and Transmission Security Controls.
What might be particularly concerning is that the highest number of vulnerabilities were in the Access and Integrity Controls categories. These are typically the vulnerabilities that are exploited most by hackers as evidenced (for instance) by the highlight in this quote from the 2011 Verizon Data Breach Investigation Report – “The top three threat action categories were Hacking, Malware, and Social. The most common types of hacking actions used were the use of stolen login credentials, exploiting backdoors, and man-in-the-middle attacks”.
Wake-up call or not, healthcare entities should perhaps take a cue from these findings and look to implement robust security and privacy controls. A diligent effort should help protect organizations from the well publicized consequences of a potential data breach.
Categories: Access Governance, Data Breaches, HIPAA/HITECH Compliance, Regulatory Compliance Tags: Breach, Compliance, HIPAA, HITECH, Risk, Security
Next time you do a Risk Assessment or Analysis, make sure you have Risk Intelligence on board
I was prompted to write this quick post this morning when I read this article.
I think it is a good example of what some (actually many, in my experience) risk management programs may be lacking, which is a good quality of Risk Intelligence. In this particular case, I think the original article failed to emphasize that vulnerabilities by themselves may not mean much unless there is a good likelihood of them being exploited, resulting in real risk. We discussed some details regarding the quality of risk assessments in a previous post.
A good understanding of information risks and their prioritization needs to be the first and arguably the most important step in any information risk management program. Yet, we often see risk assessment initiatives not being done right or at the right quality. We think it is critical that a risk analysis or assessment is headed by someone or performed by a team that has or does the following:
- A very good understanding of your environment from people, process and technology perspectives
- A very good and up-to-date intelligence on the current threats out there (both internal and external) and is able to objectively define those threats
- Is able to clearly list and define the vulnerabilities in your environment. It will often require process or technology specialists to do a good job of defining the vulnerabilities
- Is able to make an unbiased and objective determination of the the likelihood that the vulnerabilities (from Step 3) can be exploited by one or more threats (from Step 2)
- A very good understanding of the impact to the business if each vulnerability were to be exploited by one or more threats. Impact is largely a function of the organization’s characteristics including various business and technical factors, so it is important that you involve your relevant business and technology Subject Matter Experts.
- Based on the likelihood (Step 4) and impacts (Step 5), estimate risks and then rank them by magnitude.
We just can’t stress the importance of steps 1-5 enough. We think it takes “Risk Intelligence” to do these steps well. Without good Risk Intelligence on your team, you may well be wasting precious time, money and resources on your risk assessments. More importantly, you may not be protecting your business to the extent that you should, with the same budget and resources.
======================================
Important Disclaimer
The guidance and content we provide in our blogs including this one is based on our experience and understanding of best practices. Readers must always exercise due diligence and obtain professional advice before applying the guidance within their environments.
Categories: Information Risk, Privacy, Regulatory Compliance, Risk Assessment, Security Tags: Assessment, Breach, Compliance, HIPAA, Risk, Security
Let’s talk some “real” insider threat numbers – How can Access Governance and SIEM be useful as effective safeguards?
If you have been following some of our posts, you probably realize that we don’t advocate security for the sake of security. Nor do we like to do compliance for the sake of compliance though you may not have much choice there if the compliance requirements are mandated by external regulations such as industry regulations (e.g. PCI DSS, NERC CIP etc.) or government regulations (e.g. HIPAA, GLBA, SOX etc.). On the other hand, we think that every investment in security projects or operations (beyond what is required for routine business support) must be justifiable in terms of the risk(s) that we are trying to mitigate or eliminate. And the allocation of IT resources and budgets must be prioritized by risk level which in turn requires every IT organization to conduct periodic risk assessments and rank the risks by severity. This probably sounds all too obvious but we still see a lot of security purchasing decisions being made that are not based on formal risk assessments or discernable risk-aligned priorities. BTW, I talk about the quality of risk assessments in another post.
In this post, I would like to go over some “real” numbers on insider threats, as we know from a few recent survey reports. More importantly, I’ll cover how Access Governance and Security Information and Event Management (SIEM) can be effective safeguards in mitigating risks from insider threats. If you are not up to speed on what Access Governance (sometimes also referred to as Access Assurance) includes, I would point you here (may need registration). For SIEM, I would point you here.
It probably needs an explanation as to why I chose Access Governance and SIEM for this discussion. Insider threats, by definition, are caused by people (employers, contractors, partners etc.) whose identity is known to the organization and have been provided some level of access to one or more of the organization’s information systems. Access Governance can be both an effective detective control (through access reviews) and preventative control (through role based access provisioning and access remediation) for user access. SIEM can be an effective control for detecting anomalous, suspicious or unauthorized user activities. When properly integrated, Access Governance and SIEM solutions can help achieve substantial reduction of risks from insider threats.
Below is a discussion of findings related to insider threats from recent reports. Also provided are notes on how effective implementations of Access Governance and SIEM processes or technologies can be useful safeguards against these threats. I use findings from three recent reports for the analysis – 2010 Verizon Data Breach Investigations Report (DBIR), 2010 CyberSecurity Watch Survey (CSWS)and Securosis 2010 Data Security Survey (SDSS).
Size and significance of Insider Threats
|
Report
|
Finding
|
|
DBIR |
48% of all breaches were attributed to internal agents |
|
CSWS
|
“The most costly or damaging attacks are more often caused by insiders (employees or contractors with authorized access)” “It is alarming that although most of the top 15 security policies and procedures from the survey are aimed at preventing insider attacks, 51% of respondents who experienced a cyber security event were still victims of an insider attack. This number is holding constant with the previous two surveys (2007 and 2006) Insider incidents are more costly than external breaches, according to 67% of respondents |
|
SDSS
|
Among respondents who knew of data breaches in their own organizations, 62 percent said malicious intentions were behind them. Insider breaches comprised 33 percent of incidents, hackers comprised 29 percent, and the remaining breaches were accidental. |
As one can infer from these findings, insider threats are the cause of at least as many security breaches as external threats. It also appears that the cost of breaches caused by internal threats could be higher than those caused by external threats.
Intentional Vs Accidental
|
Report
|
Finding
|
|
DBIR
|
90% of these internal agents’ caused breaches were the result of deliberate and malicious activity. |
|
CSWS
|
Insiders most commonly expose private or sensitive information unintentionally, gain unauthorized access to/use of information systems or networks and steal intellectual property |
|
SDSS
|
Among respondents who knew of data breaches in their own organizations, 62 percent said malicious intentions were behind them. Insider breaches comprised 33 percent of incidents, hackers comprised 29 percent, and the remaining breaches were accidental. |
It appears from the findings that insiders could be causing breaches intentionally more often than accidentally. Access Governance can help reduce malicious insider risk by enforcing “least privilege” user access and "segregation of duties" through role based access provisioning, access reviews and remediation of improper access. On the other hand, a properly implemented SIEM solution can be an effective deterrent (as a detective control) to malicious insider threats by logging user activities, correlation of user activities and alerting on suspicious activities by the user. By suitable integration of SIEM and Access Governance solutions, it is possible to analyze user activities (obtained from SIEM) against a user’s role in the organization and hence what the user is authorized to do (obtained from Access Governance).
Cause and prevention
|
Report
|
Finding
|
|
DBIR
|
51% of these internal agents’ caused breaches involves regular users or employees, 12% involved accounting or finance staff and 12% involved network or systems administrators “In general, employees are granted more privileges than they need to perform their job duties and the activities of those that do require higher privileges are usually not monitored in any real way.” “Across all types of internal agents and crimes, we found that 24% was perpetrated by employees who recently underwent some kind of job change. Half of those had been fired, some had resigned, some were newly hired, and a few changed roles within the organization.” “With respect to breaches caused by recently terminated employees, we observed the same scenarios we have in the past: 1) the employee’s accounts were not disabled in a timely manner, and 2) the employee was allowed to “finish the day” as usual after being notified of termination. This obviously speaks to the need for termination plans that are timely and encompass all areas of access (decommissioning accounts, disabling privileges, escorting terminated employees, forensic analysis of systems, etc.)” |
|
CSWS
|
“The most costly or damaging attacks are more often caused by insiders (employees or contractors with authorized access)” “It is alarming that although most of the top 15 security policies and procedures from the survey are aimed at preventing insider attacks, 51% of respondents who experienced a cyber security event were still victims of an insider attack. This number is holding constant with the previous two surveys (2007 and 2006) |
The DBIR findings clearly illustrate the need for organizations to enforce least privilege access through business need-to-know (managing user access based on a user’s role), periodic review of user access (access reviews and certification) and prompt remediation of improper user access. Access Governance solutions can help achieve these objectives effectively as well as efficiently.
The CSWS finding seems to suggest a problem with the enforcement of organization’s policies related to user access. As mentioned above, a properly implemented Access Governance program and solution can help with effective enforcement of user access policies.
To conclude, it is obvious that risk management of insider threats needs to be a key focus area of any Information Security or Risk Management program. An effective Access Governance and SIEM program can help with significant mitigation of the insider risk.
————————————————————————
RisknCompliance Consulting Services Note
We at RisknCompliance have extensive advisory and implementation experience in the Access Governance and SIEM areas.
Please contact us here if you would like to discuss your needs. We will be glad to talk to you about how we could be of assistance.
Categories: Access Governance, Data Breaches, Information Risk Tags: Access Governance, Breach, Privacy, Risk, Security, SIEM
You don’t know what you don’t know – Do we have a "detection" problem with the healthcare data breach numbers?
Like some of you perhaps, I have been reading a few recent articles on Healthcare data breaches, especially the one from Dark Reading and a detailed analysis of the 2010-to-date breaches from HITRUST Alliance.
What stood out for me from these articles is something that is not necessarily highlighted in the articles and that is the very low number of breaches involving technology/people/process controls as opposed to physical losses.
These articles focused on the 119 or so breaches that have been reported to Department of Health and Human Services (HHS) or made public to date in 2010. From the HITRUST Alliance analysis, it is clear that an overwhelming majority of the breaches resulted from physical loss/theft of paper or electronic media, laptops etc. Only two breaches resulted from hacking incidents.
I then went back to do a little bit of my own analysis of the 2010 data breach incidents covered in the Identity Theft Resource Center report available here. I came up with the following numbers for breaches other than those that involved physical loss, theft, burglary, improper disposal etc. :
- Malware infection -1
- Unauthorized access to file share – 1
- Database misconfiguration or vulnerability – 2
- Website vulnerability – 1
- Improper access or misuse by internal personnel – 6
As you can see, these account for less than 10% of the healthcare breaches known or reported so far this year. Contrast this with the findings in 2010 Verizon Data Breach Investigation Report which attributes 38% of breaches to malware, 40% to hacking and 48% to misuse. It is pertinent to note that the Verizon report focused on 141 confirmed breaches from 2009 covering a variety of industries, but I think it is still good for a high level comparison to determine if we may be missing something in the healthcare breach data.
The comparison seems to suggest that the healthcare industry probably has much stronger safeguards against malware, hacking, improper logical access etc. I know from my own experience working with healthcare entities that this is not necessarily the case. For further corroboration, I reviewed two Ponemon Institute survey reports – Electronic Health Information at Risk: A Study of IT Practitioners and Are You Ready for HITECH? – A benchmark study of healthcare covered entities & business associates, both from Q4 2009. Following sample numbers from these reports further validate that the state of Information Security and Privacy among HIPAA Covered Entities (CEs) and Business Associates (BAs) is far from perfect:
Electronic Health Information at Risk: A Study of IT Practitioners
|
#
|
Question
|
% of respondents saying “Yes”
|
|
1 |
My organization’s senior management does not view privacy and data security as a top priority |
70% |
|
2 |
My organization does not have ample resources to ensure privacy and data security requirements are met – 61% of respondents. |
61% |
|
3 |
My organization does not have adequate policies and procedures to protect health information |
54% |
|
4 |
My organization does not take appropriate steps to comply with the requirements of HIPAA and other related healthcare regulations |
53% |
Are You Ready for HITECH? – A benchmark study of healthcare covered entities & business associates
|
#
|
HIPAA compliance requirements that are not formally implemented
|
% of respondents saying “Yes”
|
|
1 |
Risk-based assessment of PHI handling practices |
49% |
|
2 |
Access governance a and an access management policy |
47% |
|
3 |
Staff training |
47% |
|
4 |
Detailed risk analysis |
45% |
All this leads me to think of the possibility that some HIPAA CEs and BAs may not be detecting potential breaches. If you study the healthcare breaches that have been reported so far, almost all of them have been through physical losses of computers or media (which is easy to know and detect) or through reporting by third parties (victims, law enforcement, someone finding improperly disposed PHI paper records in trash bins etc.). I don’t know of any healthcare data breach this year that was detected through proactive monitoring of information systems.
As I covered in a related post on breach reports and what they tell us, I would recommend that CEs and BAs focus on certain key controls and related activities (see table below) in order to improve their breach prevention and detection capabilities:
|
# |
Key Controls |
Recommended Activities |
|
1 |
Secure Configuration and Lockdown |
Review configuration of information systems (network devices, servers, applications, databases etc.) periodically and ensure that they are locked down from a security configuration standpoint |
|
2 |
Web Application Security |
· Scan web applications periodically for OWASP Top 10 vulnerabilities and fix any discovered vulnerabilities · For new applications under development, perform code reviews and/or vulnerability scans to fix any security vulnerabilities before the applications are put to production use (Studies show that it is far more cost effective to fix the vulnerabilities before applications are put to production use than after) · Use Web Application Firewalls as appropriate |
|
3 |
Strong Access Credentials |
· Configure PHI systems and applications to have a strong password policy (complexity of the password, periodic change of password etc.) · Implement multi-factor authentication on PHI systems and applications wherever possible
|
|
4 |
Access Assurance or Governance |
· Conduct Access Certifications periodically, preferably at least every quarter for PHI systems and applications. · Review access privileges within PHI systems and applications to ensure all access conforms to the “Least Privilege” principle. In other words, no user, application or service must have any more privileges than what is required for the job function or role · If any excess privileges are found, they must be remediated promptly · Revoke access to PHI systems and applications promptly in the event that a person leaves the organization or no longer requires access due to a change in the person’s job role within the organization |
|
5 |
Logging, Monitoring and Reporting |
· Identify “risky” events within PHI systems · Configure the systems to generate logs for the identified events · Tamper-proof the logs · Implement appropriate technologies and/or processes for monitoring of the events (Refer to our related posts here and here for examples) · High risk events must be identified and monitored through near-real-time alerts · Responsibilities for daily review of log reports and alerts must be assigned to specific personnel |
|
6 |
Encryption (Data at rest, media), Physical security of media |
· Maintain an inventory of locations and systems wherever PHI exists · Implement suitable encryption of PHI on laptops and removable media · Implement appropriate physical security safeguards to prevent theft of devices or systems containing PHI |
|
7 |
Security Incident Response |
· Implement and operationalize an effective Security Incident Response program including clear assignment of responsibilities, response steps/workflows etc. · Test Incident Response process periodically as required |
|
8 |
Security Awareness and Training |
· Implement a formal security awareness and training program so the workforce is aware of their responsibilities, security/privacy best practices and actions to take in the event of suspected incidents · Require personnel to go through the security awareness and/or training periodically as appropriate |
If you are familiar with the HIPAA Security Rule, you will notice that not all of the above controls are “Required” (as opposed to “Addressable”) under HIPAA Security Rule or in the proposed amendments to the rule under the HITECH Act. One may argue however, that the above controls must be identified as required based on “risk analysis” , which of course is a required implementation specification in the HIPAA Security Rule. In any event, CEs and BAs need to look beyond the HIPAA compliance risk and focus on the risk to their business or brand reputation if a breach were to occur.
Hope this is useful! As always, we welcome your thoughts and comments.
RisknCompliance Services Note
We at RisknCompliance maintain a up-to-date database of the current security threats and vulnerabilities at a detailed level. We are able to leverage this knowledge in providing our clients with high quality risk analysis.
Please contact us here if you would like to discuss your HIPAA security or privacy needs. We will be glad to talk to you about how we could be of assistance.
Categories: Data Breaches, HIPAA/HITECH Compliance, Information Risk, Privacy, Regulatory Compliance, Security Tags: Breach, HIPAA, HITECH, Logging, Privacy, Risk, Security
May we suggest some priority adjustments to your PCI DSS Compliance program?
It isn’t any news that achieving PCI DSS Compliance continues to be onerous for many merchants out there. PCI DSS is after all an all-or-nothing regulation meaning that not passing even one of over 200 requirements could prevent you from getting there. And then, if you do become compliant, there is really no assurance that you will have 100% security. This is something we have known all along to be true for any regulation and now we have one more statistic from the 2010 Verizon Data Breach Investigation Report to prove it … 21% of organizations facing payment card data breaches were compliant with PCI DSS at the time of the breach.
So, may be it is time to rethink our approach to PCI DSS compliance, in terms of how do we get there by way of addressing controls that carry higher breach risks before the others. That will at least help improve your organization’s security posture against potential breaches even if you are nowhere close to meeting all PCI DSS requirements. I think recent breach surveys or reports are a great source to identify such controls with an objective of prioritizing the remediation initiatives in the right order. Such prioritization should help in achieving a better security posture sooner, as we’ll see below.
I am not the first one to suggest a prioritized approach to achieving PCI DSS compliance. In fact, PCI SSC already has guidance on this, though the guidance itself is somewhat dated having been issued back in February 2009. Since then, the threat environment has probably evolved somewhat and exploitation of certain vulnerabilities isn’t quite of the same order relative to others. Therefore, I suggest leveraging the data breach findings to make necessary prioritization adjustments.
Here are some findings from three recent reports on which I am basing my recommendations:
|
#
|
Report
|
Findings
|
Relevant Controls (Our Analysis)
|
|
1 |
Verizon Data Breach Investigations Report 2010 |
· 61% of the breaches were discovered by a third party · 86% of victims had evidence of the breach in their log files |
· Technology – Monitoring, correlation, reporting and alerting off the log events · Process – Regular reviews of logs, log reports or alerts · People – Clear definition and assignment of responsibilities around log reviews and incident response |
|
2 |
Verizon Data Breach Investigations Report 2010 |
· 94% of breached records had malware as one of the causes and 96% of breached records involved hacking · 51% of malware was installed or injected remotely by the attacker (by obtaining privileged access to the system or other means such as SQL Injection) · 85% of records breached by malware involved the attacker gaining backdoor access to the system · 81% of records breached by malware involved data being sent to an external entity or site · 86% of records breached by hacking involved use of stolen login credentials · 86% of records breached by hacking involved use of stolen login credentials · 89% of records breached by hacking involved SQL Injection · 92% of records breached by hacking used web applications as the attack pathway |
· Technology – Proper configuration and lockdown of systems, strong access credentials, access controls or assurance, assessment of web applications and remediation for OWASP Top 10 vulnerabilities, deployment of Web Application Firewalls, Logging/Monitoring/Reporting/Alerting of important events on critical systems · Process – Configuration reviews, OWASP Top 10 vulnerability management, access assurance in the form of ongoing role/privilege management processes and periodic access certifications, regular reviews of logs, log reports or alerts, effective security incident response · People – Clear definition and assignment of responsibilities around configuration reviews, access certifications, log reviews and incident response
|
|
3 |
Verizon Data Breach Investigations Report 2010 |
· More than 50% of breaches remain undiscovered for months or more · 61% of the breaches were discovered by 3rd parties, and not the victim organization itself
|
· Technology – Monitoring, correlation, reporting and alerting off the log events · Process – regular reviews of logs, log reports or alerts · People – Clear definition and assignment of responsibilities around log reviews and incident response, User awareness and training |
|
4 |
Verizon Data Breach Investigations Report 2010 |
· Few breaches were caused due to exploitation of vulnerabilities for which a patch was available. · Likelihood of exploitation of an unpatched vulnerability is far less as compared to a vulnerability caused by a configuration issue. |
Lockdown (secure configuration) of systems may receive higher priority over application of vendor patches unless there is a specific reason not to do so |
|
5 |
Leaking Vault – Five years of data breaches – July 2010 |
· Drives/Media and hacking were the top two breach vectors · Documents and Fraud (Social Engineering) have been increasing in prominence as threat breach vectors recently · Of the breaches that involved hacking, SQL Injection, stolen credentials and malware accounted for most breaches |
· Technology – Disk/Tape encryption, appropriate system lockdown to prevent use of media such as USB drives , Encryption of unstructured data (documents), Refer to controls in #2 against hacking · Process – Physical Security, Encryption and Key Management · People – Awareness and Training |
|
6 |
Ponemon Institute – Annual Cost of Cybercrime study – July 2010 |
· The most costly cyber crimes are those caused by web attacks, malicious code and malicious insiders, which account for more than 90 percent of all cyber crime costs per organization on an annual basis. · The average number of days to resolve a cyber attack was 14 days with an average cost to the organization of $17,696 per day. The survey revealed that malicious insider attacks can take up to 42 days or more to resolve. |
Refer to #2 above |
Here then is a summary of the key controls in the above table, relevant PCI DSS requirements and priorities from the PCI SSC Guidance.
|
Key Control (Our Analysis) |
Relevant PCI DSS Requirement Numbers (See Notes below) |
|
Secure Configuration and Lockdown |
1.1.5 (2), 1.2 (2), 2.1 (2), 2.2.3 (3), 2.2.4 (3), 2.3 (2) |
|
Web Application Security |
6.5 (3) |
|
Strong Access Credentials including periodic changes in credentials (e.g. password) |
8 (4) |
|
Access Assurance (Least Privilege access based on users’ business or job roles, timely revocation of access privileges) |
7 (4), 12.2(6), 12.5.4(6), 12.5.5(6) |
|
Logging, Monitoring and Reporting |
10.1(4), 10.2(4), 10.3(4), 10.4(4), 10.5(4), 10.5(6), 10.7(4), 12.2(6), 12.5.2(6), |
|
Encryption (Data at rest, media), Physical security of media |
3.3(5), 3.4(5), 3.5(5), 9.5(5), 9.6(5), 9.7(5), 9.8(5), 9.9(5) |
|
Security Incident Response |
12.5.3(6), 12.9(6) |
|
Security Awareness and Training |
12.3(6), 12.3.10(6), 12.4(6), 12.6(6) |
Note: Numbers in brackets are the priority numbers from the PCI SSC guidance. Numbers in the guidance range from 1 through 6. A lower number indicates a higher priority.
As we can see from the table, there are several requirements which if addressed sooner, will actually improve an organization’s security posture against potential breaches, based on what we know from the recent breach studies. I would recommend increasing the priority of the requirements in red to at least 3 if not 2. I do realize that organizations may not be able to afford to address too many requirements at a higher priority. If that is the case, you may want to review the current priority 2 and 3 requirements against the key controls in the table above and then decide to push some of them lower down the priority order as applicable.
Hope this is useful! As always, we welcome your thoughts and comments.
RisknCompliance Services Note
We at RisknCompliance track about a dozen of such reports every year and maintain a up-to-date database of the current security threats and vulnerabilities at a detailed level. We are able to leverage this knowledge in providing our clients with a much-wanted third-party assessment of their risk management or audit methodologies and programs. After all, security risk assessments and audits form the very foundation of risk management or audit programs, so we believe it is critical that every organization fine-tunes its methodologies and knowledgebase.
Please contact us here if you would like to discuss your needs. We will be glad to talk to you with the details and how we could be of assistance to you.
Categories: Information Risk, PCI DSS Compliance, Regulatory Compliance, Security Tags: Breach, Compliance, PCI DSS, Risk, Security
Verizon 2010 Data Breach Investigations Report – Key takeaways for Security Assessors and Auditors
The Verizon 2010 Data Breach Investigations Report (DBIR) released last week has some interesting findings, just as it did last year. What makes it special this year is that Verizon partnered with the United States Secret Service in developing this report. I don’t intend to discuss all the statistics in this blog (will do so in another upcoming blog) but as you will see explained in the report, the Secret Service’s involvement has thrown new light into some of the findings.
My intention here is to highlight the significance of such a report to security and audit practitioners with the objective of improving the quality of their risk assessments or audits and more importantly, help make the right recommendations to management. From my experience as a security practitioner and an occasional auditor, I can tell that we may not always be using all the available information to help improve the quality of our risk assessments or audits. And, I think reports such as the Verizon DBIR can provide some valuable help from that standpoint.
Let me explain what I mean… Deliverables for any risk assessment or audit typically include a list of findings and for each finding, we provide an explanation of the risk, the risk severity (High, Medium, Low) and suitable recommendations for risk mitigation or remediation. The management would then proceed to remediate various gaps in priority based on our risk rankings. Considering that risk is a product of likelihood and impact (I like the OWASP risk rating methodology, so will use it here), it is important that we get the impact and likelihood right. Impact is largely a function of the organization’s characteristics including various technical and business factors seen in the methodology. On the other hand, likelihood is a function of threats and vulnerabilities. I think the DBIR can be a useful reference in estimating the likelihood.
For example, the DBIR says that external agents were responsible for about 78% of the breaches whereas about 48% were caused by insiders. These numbers can be used to arrive at a better objective estimate of the likelihood that these threat agents may cause any harm. Similarly, the DBIR also says that 48% of the breaches involved privilege misuse, 40% resulted from hacking and 38% utilized malware. These numbers can be used for objective estimation of the likelihood that associated vulnerabilities could be exploited. The OWASP methodology has an illustration for such objective risk estimation.
These are but a couple of examples. The DBIR has a wealth of information that can be useful to auditors and security practitioners alike, both in improving the quality of their work as well as in being able to defend their risk rankings. We all realize that risk rankings almost always have a level of subjectivity in them but I think reports like the DBIR can be leveraged to make them as objective as possible. A very good example is the risk level one might normally assign to a case of unpatched vulnerability versus a configuration issue. It may not be readily obvious that one might need to be assigned a higher risk level over another until you read the DBIR. The DBIR tells us that the likelihood of exploitation of an unpatched vulnerability is far less as compared to a vulnerability caused by a configuration issue. If we didn’t leverage the DBIR (and assuming both issues had equal impacts), we might assign equal risk levels to both the findings or worse, we might assign the unpatched vulnerability a higher risk level.
Over the next couple of weeks, I plan to be blogging with a detailed commentary on some of the findings in the report including a special post on how the report can be leveraged to enhance the effectiveness of PCI DSS programs.
Hope this is useful! As always, we welcome your thoughts and comments.
RisknCompliance Services Note
We at RisknCompliance track about a dozen of such reports every year and maintain a up-to-date database of the current security threats and vulnerabilities at a detailed level. We are able to leverage this knowledge in providing our clients with a much-wanted third-party assessment of their risk management or audit methodologies and programs. After all, security risk assessments and audits form the very foundation of risk management or audit programs, so we believe it is critical that every organization fine-tunes its methodologies and knowledgebase.
Please contact us here if you would like to discuss your needs. We will be glad to talk to you with the details and how we might be of assistance to you.
Categories: Information Risk, PCI DSS Compliance, Risk Assessment, Security Tags: Assessment, Audit, Breach, Risk, Security