Calling all forensics experts!

These questions have been on my mind for a while, and a recent data breach makes me want to get some answers from the experts.

On plenty of breaches I read the following lines:

“We have no reason to believe that this information was accessed by unauthorized individuals…”

“It cannot be determined with certainty that any data was pulled from a computer by infectious software…”

“there is no indication that any of the information has been misused…”

These lines seem to come straight from the first pages of “Breach Notification for Dummies”, because I have hardly read an announcement without one of this type of statement. My questions are: how do they know that it has not been misused, and if they know that it has not been misused, why can it not be determined whether the data was pulled from the computer? I had thought that this was the whole point of a forensic investigation: finding out what the bad guy did once they were on the machine. Is it money, time, notification deadlines (i.e., the drive cannot be analyzed quickly enough before notification is required), historical data (obviously not every breached computer with PII leads to ID fraud), or a combination of everything?

Am I missing something here? I would love to hear what everyone thinks.

UPDATE 04/16/2009: Dave Hull tweeted a link to the Security Breach Notification Symposium, which should give some great insight into the topics discussed in this post. The audio/slides for the talks have recently been posted. Thanks everyone for the great comments!

  • Believe it or not, I have been involved with an incident where things like this were said and it wasn't BS. During the course of normal file system maintenance a directory was discovered within the web root on a web server. Within that directory was a data file containing thousands of records of sensitive information.

    The file was there for all the world to see, but there were no links to it and the name of the directory was not obvious and the file name was not obvious. Directory indexing was turned off, so even if someone chanced across the directory name, they would also have to find the file by chance or brute force.

    We looked through a year's worth of access logs from the web server and never saw any hits against the file. A thorough forensic investigation of the server showed no evidence of compromise.

    However, the general counsel for this particular organization decided that they must go forward with notification, despite the fact that there was "no reason to believe that this information was accessed by unauthorized individuals..."

    So yes, it can happen and companies can say those things with sincerity. I've seen it once. YMMV.
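As an added example of the kind of access-log check described in the comment above (this is not code from the post or from the commenter, and the log lines and the path `/q3x9/export.csv` are constructed for illustration): the script below parses Apache/nginx combined-format lines and compares a normalized request path against the sensitive file and its containing directory. Normalization strips the query string, percent-decodes twice (so `%252E` is caught as well as `%2E`), collapses dot segments and lower-cases the path, so that an encoded or oddly-cased request for the file is not missed. It also counts 404s per client, because a directory or file-name guessing run leaves that trail even when it never finds the file. The usual caveat applies: a log search can only speak for the period the retained logs cover, and it is no substitute for checking that the server itself was not compromised.

```python
"""Search web server access logs for any request that touched a sensitive file.

Added example with constructed log lines; not code from the original post.
Handles Apache/nginx "combined" format and normalizes the request path
(query string stripped, percent-decoding applied twice, dot segments
collapsed, lower-cased) so encoded or oddly-cased requests are not missed.
"""
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample: one ordinary visitor, one client that fetched the file
# through a double-encoded name, and one scanner guessing directory names.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2009:10:15:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2009:10:15:09 -0500] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2009:11:02:44 -0500] "GET /q3x9/ HTTP/1.1" 403 291 "-" "curl/7.19"
198.51.100.7 - - [12/Mar/2009:11:02:50 -0500] "GET /Q3X9/export%252Ecsv?dl=1 HTTP/1.1" 200 884211 "-" "curl/7.19"
192.0.2.9 - - [12/Mar/2009:13:20:01 -0500] "GET /backup/ HTTP/1.1" 404 210 "-" "Nikto/2.03"
192.0.2.9 - - [12/Mar/2009:13:20:01 -0500] "GET /admin/ HTTP/1.1" 404 210 "-" "Nikto/2.03"
192.0.2.9 - - [12/Mar/2009:13:20:02 -0500] "GET /data/ HTTP/1.1" 404 210 "-" "Nikto/2.03"
192.0.2.9 - - [12/Mar/2009:13:20:02 -0500] "GET /export/ HTTP/1.1" 404 210 "-" "Nikto/2.03"
"""


def normalize_path(target):
    """Canonical form of a request target, for comparison only."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))     # twice: catches %252E -> %2E -> .
    path = posixpath.normpath(path)   # /a/./b/../c -> /a/c, trailing slash dropped
    return path.lower()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = normalize_path(rec["target"])
    return rec


def find_hits(lines, sensitive_path):
    """Every request for the file itself or for its containing directory.

    Directory requests are included because they are how someone probes for
    an index listing, and a 200 on the directory would mean indexing was on
    at that time."""
    target = normalize_path(sensitive_path)
    parent = posixpath.dirname(target)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in (target, parent):
            hits.append(rec)
    return hits


def enumeration_suspects(lines, threshold):
    """Clients with at least `threshold` 404 responses: a name-guessing run
    leaves this trail even if it never found the file."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for h in find_hits(lines, "/q3x9/export.csv"):
        print(f"{h['ts']} {h['ip']} {h['status']} {h['target']}")
    print("enumeration suspects:", enumeration_suspects(lines, threshold=3))
```

On the constructed sample this reports two requests from 198.51.100.7 (a 403 on the directory, then a 200 on the double-encoded file name) and flags 192.0.2.9 as a directory-guessing client. A plain `grep export.csv` over the same lines would have found neither.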
  • @davehull Thanks for the reply. It adds a different realm of thinking to the statements. I see how the words are cleverly crafted with words like unauthorized individuals. It might be hard to tell whether authorized or unauthorized individuals accessed it.

    Companies did SSN conversions years ago, but still many of them have PII squirreled away in old databases and spreadsheets. However, I am sure a lot of them have never been touched in years and were only kept by that person who is the pack rat and afraid to delete anything. Would it be easier, in situations like this, to tell forensically whether they were accessed or not?

    Thanks again for the comments!
  • It is true that the comments you posted are seen/heard during (or after) breach investigations...as someone who does these types of exams, I can attest to that. However, these comments are taken in isolation and pulled out of the myriad other comments and circumstances that also surround the suspected breach. Try things like, "...outside third party notification..." (rather than internally discovered), "...three months after the fact..." (rather than the breach being discovered *while* it was going on...), etc.

    Also, keep in mind that there are a lot of folks out there who manage these systems every day, who are aware of the PCI (or "name your regulatory body") requirements, but are still completely unprepared for a breach, and they do all the wrong things.

    As is many times the case, a "breach notification" begins with a CPP investigation as a result of discovered or reported fraud; when someone is notified that they are the CPP, they are not notified as to how heavily weighted they are, or whether they are the *only* CPP...and they may very well not be.

    There is a great deal in the background to these things that few see...
  • @H. Carvey: Thanks for the response. I would love to hear more about this background that few see. Perhaps a series of blog posts would be in order?

    The root of my question that I kinda mention in the reply to Dave is that "the industry" always throws around this magic number (usually $200) for each compromised record. When you are talking thousands of records, to me it would be worth it to use every means possible to see if this data was accessed and (hopefully) prove it was not. I guess it is up to the company, as Dave points out, but are things ever done this way? How would you be able to successfully prove that the data was not accessed in a court of law?

    Great stuff guys! Thanks again!
    Ed
  • Ed

    In the case I was referring to, there was active maintenance and usage of the file by authorized personnel. They were ignorant of the fact that the file was in the web root. They were accessing the data through an interactive shell, had sufficiently strong passwords and other appropriate access controls. There was no evidence that the data had been accessed by unauthorized persons, despite the fact that anyone in the world could have accessed the file if they'd known where to look.

    Thus when breach notification was made, they really meant what was said. There was no evidence of unauthorized access. They weren't trying to be clever with words. I also know there was disagreement about going forward with breach notification. In the end the lawyers won the argument.
  • "The root of my question that I kinda mention in the reply to Dave is that "the industry" always throws around this magic number (usually $200) for each compromised record."

    Well, I've heard varying numbers. One time, someone told me they roughed an estimate at $10, while the "going rate" was quoted at "$80 - $120".

    "When you are talking thousands of records, to me it would be worth it to use every means possible to see if this data was accessed and (hopefully) prove it was not. "

    True...but that's not always possible. Yes, it DOES behoove an organization to be able to prove definitively that data was or was not accessed, but you have to understand that the vast majority of the time, organizations are NOT prepared at all for a breach.

    "I guess it is up to the company as Dave points out but are things ever done this way? How would you be able to successfully prove that the data was not accessed in a court of law?"

    A court of law doesn't usually come into play. When you're dealing with PCI data, you're not dealing with courts, per se. State notification laws are somewhat different, and what may end up happening is that folks may simply decide that it's better to notify than to go to court...there may be too much available to the public that way (i.e., response and analysis reports that say things like "no 'sa' password on the database" may become part of the public record...)

    There is just a LOT more to what goes on behind the scenes than the technical analysis part of things.
  • Initial thoughts to start the discussion...

    Note that such statements avoid saying that they are 100% sure that the data was not accessed/misused/etc. Once the data was open to improper access, it is hard to prove the negative.

    The reason forensic investigation cannot always answer with certainty is that data breach incidents vary. An insider copying sensitive PII data onto a USB storage device is one thing; a stolen unencrypted laptop or a lost thumbdrive are different matters. Not all of the data storage devices might be available. Not all of the info disclosure may leave data trails. (One method I've used to collect information in research and tests is photographing screens with a camera. Other than the access to the file in question, there would be no forensic indication that I took photos that could be OCRed. Especially if the camera was not available for examination.)
  • Jonathan,

    You're correct. Opening a file is one thing...on Windows systems, this can be tracked to a user account, and has been used to avoid notification requirements by clearly demonstrating that a file was NOT opened. However, knowing what file you're interested in and copying it off to another medium is not something that is tracked. You can tell that a USB device was connected/disconnected at a specific time, but you won't be able to definitively tell what was copied to that device without the device itself.
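As an added example of the Windows file-open tracking the comment above refers to (this is not the commenter's code): on Windows, an open of an audited file is recorded in the Security log as Event ID 4663, "An attempt was made to access an object", which carries the account, the process and the access rights used. The script below attributes those events for one file to user accounts. The records are constructed for illustration; real ones can be exported from the Security log as XML. Two caveats a practitioner would want stated: 4663 events only exist if an object-access audit policy and a SACL on the file were in place before the access happened, so the "file was NOT opened" argument depends on that having been configured in advance; and the event records that a handle was used with a given right by a given process, not where the bytes went afterwards, which is the gap the comment describes for USB copies.

```python
"""Attribute opens of one file to user accounts from Windows Security log
Event ID 4663 records ("An attempt was made to access an object").

Added example, not code from the original comment. Events are constructed;
in practice they are exported from the Security log as XML. 4663 events exist
only if object-access auditing and a SACL on the file were configured before
the access happened.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# File access-right bits as they appear in the AccessMask field.
ACCESS_BITS = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x20: "Execute",
    0x80: "ReadAttributes", 0x100: "WriteAttributes",
    0x10000: "Delete", 0x40000: "WriteDAC", 0x80000: "WriteOwner",
}

# Constructed records: a 4656 handle request (not an access, so ignored), a
# read and a later write of the payroll file by jdoe, and a read of another file.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4656</EventID>
  <TimeCreated SystemTime="2009-04-01T14:03:10.000Z"/></System>
 <EventData><Data Name="SubjectUserName">bkirk</Data><Data Name="SubjectDomainName">CORP</Data>
  <Data Name="ObjectName">C:\Shares\HR\payroll_2008.xls</Data><Data Name="AccessMask">0x1</Data>
  <Data Name="ProcessName">C:\Windows\explorer.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4663</EventID>
  <TimeCreated SystemTime="2009-04-01T14:03:11.000Z"/></System>
 <EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
  <Data Name="ObjectName">C:\Shares\HR\payroll_2008.xls</Data><Data Name="AccessMask">0x1</Data>
  <Data Name="ProcessName">C:\Windows\explorer.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4663</EventID>
  <TimeCreated SystemTime="2009-04-01T14:09:27.000Z"/></System>
 <EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
  <Data Name="ObjectName">C:\Shares\HR\payroll_2008.xls</Data><Data Name="AccessMask">0x2</Data>
  <Data Name="ProcessName">C:\Program Files\Microsoft Office\Office12\EXCEL.EXE</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4663</EventID>
  <TimeCreated SystemTime="2009-04-01T15:41:03.000Z"/></System>
 <EventData><Data Name="SubjectUserName">asmith</Data><Data Name="SubjectDomainName">CORP</Data>
  <Data Name="ObjectName">C:\Shares\HR\holidays.doc</Data><Data Name="AccessMask">0x1</Data>
  <Data Name="ProcessName">C:\Windows\explorer.exe</Data></EventData>
</Event>
</Events>
"""


def decode_mask(mask):
    """Names of the access rights set in a numeric AccessMask."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


def iter_4663(xml_text):
    """Yield one dict per 4663 event; other event IDs (e.g. 4656) are skipped."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        yield {
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "user": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
            "object": data.get("ObjectName", ""),
            "rights": decode_mask(int(data.get("AccessMask", "0x0"), 16)),
            "process": data.get("ProcessName", ""),
        }


def file_access_by_user(xml_text, object_name):
    """Map account -> [(time, process, rights)] for accesses to object_name.
    Paths are compared case-insensitively, as NTFS names are."""
    target = object_name.lower()
    by_user = defaultdict(list)
    for rec in iter_4663(xml_text):
        if rec["object"].lower() == target:
            by_user[rec["user"]].append((rec["time"], rec["process"], rec["rights"]))
    return dict(by_user)


def users_who_read(xml_text, object_name):
    """Accounts for which at least one access carried the ReadData right."""
    return sorted(
        user for user, accesses in file_access_by_user(xml_text, object_name).items()
        if any("ReadData" in rights for _, _, rights in accesses)
    )


if __name__ == "__main__":
    target = r"C:\Shares\HR\payroll_2008.xls"
    for user, accesses in file_access_by_user(SAMPLE_EVENTS, target).items():
        for when, proc, rights in accesses:
            print(f"{when} {user} {proc} {','.join(rights)}")
    print("read by:", users_who_read(SAMPLE_EVENTS, target))
```

On the constructed records the only account that read the payroll file is CORP\jdoe (once from explorer.exe, then a write from EXCEL.EXE); the 4656 handle request from bkirk is deliberately not counted, because a handle request is not evidence that data was read through it. What the output cannot say is whether jdoe's read ended up on a USB device, which is exactly the limitation described above.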
  • Interesting...I followed the link to the Breach Notification Symposium and started looking through the speakers and their presentations. Most notably absent in the symposium appear to be organizational/corporate officers who have to deal with this issue, either as a possibility or a reality (either compliance or an actual breach), as well as anyone who investigates breaches.

    Looking through some of the PPTs I see references to state notification laws, as well as "peeping" and Lady Godiva...but to what end?