Monday, January 4, 2016

Maybe the Triad Needs a New Member?

Hey everyone - I hope you had a safe and happy new year.  A lot happened in 2015: breaches, greater visibility into some APTs, and more breaches.  The events of 2015 will likely cause ripple effects into 2016, and perhaps beyond.  The cat and mouse game of defender versus adversary will likely continue.  I think what will be an interesting factor is mainstream awareness.  This post is not about information security awareness amongst the masses, but seeing as it is a new year, I wanted to touch on this a bit because there is a lot of talk about what 2016 might bring.

With breaches affecting so many people nowadays between health insurers, retailers, and anyone else that deals in information that someone else would want, it seems that more people realize how much of their information is out there for the taking.  I see it going one of two ways: breaches will become so common that they are no longer news (which may already be happening), or people will push for change when it comes to keeping their information secure.  That could mean that people take it into their own hands by taking proactive steps to keep their data safe (which is not trivial, and some might say impossible to do one hundred percent).

It will be interesting to see what happens.

I want to switch gears now to talk about something along this vein, but it is a topic that might be somewhat controversial.

News came out recently of yet another breach, this time involving Hyatt.  Here is an article in the New York Post about it.  The reason I call out the New York Post article specifically among the articles I read about this breach is one quote in particular:
The Chicago-based hotel giant did not comment further on why it delayed notifying customers, but the spokesperson said a probe into the matter was launched in November.
The company also hired third-party experts in cybersecurity.
No customers had complained to the company, she said. It’s not yet clear how many Hyatt customer accounts were affected.
Of the articles I read about this breach, this was the only one that mentioned that no customers had complained to the company about their information being compromised.  I think that is a bit telling about this organization's attitude towards information security: they are reactive.  I think that describes many other organizations, so that is not a knock against Hyatt in particular.  It should not be their customers' responsibility to inform them of potential breaches, however.  In theory, their defenses should have sent up red flags.

A common theme in the articles I read on this, however, is that Hyatt waited roughly a month before coming out and admitting there was a breach.  Here is the announcement from their site.  I understand that they need time to figure out what happened and who might have been affected, but vague statements like "We have taken steps to strengthen the security of our systems, and customers can feel confident using payment cards at Hyatt hotels worldwide." do not inspire confidence.  Obviously, they cannot disclose the specific changes they made to their systems because that would give away information that another attacker could use.  However, it is interesting to me that they chose to single out the security of their systems.  The security of an organization is more than the sum of the security of the software and hardware in the organization.

There are also policy and organizational culture components to the security of an organization that must be continuously reviewed and revised when necessary.  Maybe the steps alluded to above include these changes, but that is not how it comes across.  I think it is an easy trap to fall into, however.  Some people believe that there is a device or software configuration that will be their silver bullet in terms of security.  Unfortunately, that is never the case.  Any defensive measure must be paired with a policy and culture that is cognizant of and serious about information security.  It is not just confidentiality, integrity, and availability of information (the classic C-I-A triad of information security).

The concept that I believe underpins the triad is trust.  The reason an organization implements measures to ensure the confidentiality, integrity, and availability of their information is trust.  Organizations that are responsible for information (their own, the information of others, or both) protect that information so that the security of that information can be trusted.

Trust is the underlying concept in protecting information:
  • Confidentiality is the concept that an organization will not let data that it is the custodian for be seen by anyone without a need to know.  The subject or owner of the data must be able to trust the responsible organization that his or her data will be safe from unauthorized access.
  • Integrity is the concept that data can be trusted, i.e. that someone has not tampered with it.
  • Availability is the concept that data is there when you need it.  This means that the mechanisms to access data must be trusted (reliable and robust).
So whenever a measure is put in place to ensure one of the three traditional concepts, there must be a discussion about how it addresses the trustworthiness of the process or policy that makes up the measure in question.  There is also another component of trust that is not directly tied to the concepts in the triad, but is derived from them.

Perception is a big deal.  Trust plays into perception.  People may not want to do business with an organization they do not trust, especially if they have a choice.  If you are a retailer, for example, and you are known to not take information security seriously, it could impact your business.  Take the Target breach for example.  While things have started to get better for the retailer, things were not good for a while:
Target reported a 46 percent drop in net profit in the crucial holiday quarter and reported $61 million in costs related to the breach, much of which was covered by insurance. It did not provide an estimate on future expenses related to the cyber attack, though it said they "may have a material adverse effect" on results of operations through the end of the current year [2014] and beyond.
To maintain trust in terms of perception, it is important to make sure that the information security policy and culture of an organization project an attitude that security is not an afterthought.  This could be through internal processes, like encouraging behavior that is beneficial to security and a policy that does not punish but encourages users to report potential issues.  It can also be through being open to responsible disclosure of vulnerabilities from third parties, having outside, trusted parties evaluate your security posture, and quickly responding to potential security events.  Of course some of this is easier said than done, but Rome was not built in a day, and neither is a comprehensive and robust security posture.  It takes time, and it is tough work, but that is no reason to shirk responsibility.

The Hyatt statement read to me like they do not have to worry so much about protecting customers' payment information because credit card issuers will pick up the tab in the event that the information is used fraudulently.  In my opinion, that is not the right way to do business, and does not inspire trust.

So maybe we need to think about a CIAT rhombus or the CATI quartet.  What do you think?  Do you believe the CIA triad is fine as is or that it needs to be reworked?

Thanks for reading!
