Why are there more breaches?

Adam has posted a note on Emergent Chaos called 2008 Breaches: More or More Reporting?

I’ll take the bait.

First, I find it interesting that the number he quotes from the ITRC is so far ahead of other accounts. I did a breakdown of all breach data from 2000 to August, and the numbers at datalossdb.org were quite a bit lower than the ITRC estimates. I will go back and include the September numbers and then cross-reference against the ITRC data to see where the gaps might be.

Back to the question at hand, all the evidence I have seen points to the fact that more organizations are gaining the capability/awareness to report breaches.

A couple of years ago many people operated under the idea that the absence of evidence meant they had evidence of absence (to paraphrase Carl Sagan). I have worked with people in important positions in large global organizations, as well as in small businesses, who literally believe that it is better to keep a positive attitude about things until there is absolutely no way to avoid the facts. This rather lazy attitude towards security and investigations means that the discovery of quite a number of breaches relied on a sufficient mass of angry consumers complaining to regulators before companies could be bothered to look around. The case against Senator Stevens of Alaska, as well as the evidence of Governor Palin’s management style, are prime examples of how pervasive and widely accepted this attitude is.

Prior to the California breach law, executives commonly used ignorance of breach evidence, or even of the harm caused by breaches, as an excuse for inaction and as a way to avoid accountability. Destroying evidence and gagging negative data was considered a natural reaction when trying to keep things “on track”. This should no longer be as much of a problem wherever executives are responsible for reporting breaches and maintaining awareness of the safety and security of data.

Therefore, I would argue that the breach numbers are increasing because of two things:

  1. The ability of organizations to detect breaches has improved. Due to regulation, an increasing number of companies are starting to actually monitor well enough to detect unauthorized activity and breaches. This includes appointing people who are responsible for determining whether official notification is required — thinking about risk on behalf of those affected.
  2. The underground economy is expanding, meaning more skilled workers are actively trying to breach companies. I believe the actual number of breaches is increasing because the value of assets has been widely demonstrated, while the security of companies holding the assets remains questionable. This is a simple economic model where threats are expected to increase until countermeasures can either reduce the value of the assets (make them harder to use) or control them better (make them harder to steal).

It may also be worth noting here that I found 99% of all reported breaches are in the US, Canada, and UK (90% are in the US). I’m working on a deeper analysis of why and how, so I’ll post more later. Much of the data also will be presented in my webinar next Thursday on PCI DSS 1.2.

Italy and the Mafia

by Alan Coren

Italy is boot-shaped, for reasons lost in the mists of geology. The South is essentially agricultural, and administered by local land authorities, called the Mafia; the North is industrial, and run by tightly interlocked corporations, called the Mafia. The largest Italian city is New York, and is linked to the mainland by a highly specialized and efficient communications system, called the Mafia.

Here he is on Democracy:

Democracy consists of choosing your dictators, after they’ve told you what you think it is you want to hear.

A nice explanation of the economy in the Netherlands:

Apart from cheese and tulips, the main product of the country is advocaat, a drink made from lawyers.

He even tried to explain Swiss exports:

Since Switzerland has nothing else to identify it and since both its national products, snow and chocolate, melt, the cuckoo clock was invented solely in order to give tourists something to remember it by.

Palin Termed a Threat to National Security

Carl Bernstein argues in The Palin Pick — The Devolution of McCain that America’s security will be in danger if left to the GOP’s VP candidate:

Three weeks after the 2008 Republican convention, on the cusp (maybe) of the first presidential debate, it is time to confront an awkward but profound question: whether in picking Sarah Palin as his running mate, John McCain has committed — by his own professed standards of duty and honor — a singularly unpatriotic act.

“I would rather lose a political campaign than lose a war,” he has said throughout this campaign. Yet, in choosing Palin, he has demonstrated — whatever his words — it may be permissible to imperil the country, conceivably even to “lose” it, in order to win the presidency. That would seem the deeper meaning of his choice of Palin.

Indeed, no presidential nominee of either party in the last century has seemed so willing to endanger the country’s security as McCain in his reckless choice of a running mate.

I certainly agree. From a security perspective Palin clearly is unfit for office. Moreover, for all her redeeming qualities, she serves primarily as a token to the extreme right and to the “poison” of fundamentalists:

Above all, the John McCain I covered in 1999-2000 was — he said — convinced that two factors were undermining the interests of the United States: its cultural wars, causing political gridlock in Washington and civic discontent across the land; and the unbending agenda of the right-wing of the Republican party that, in his view, had been captured by the Christian conservative movement and bore disproportionate responsibility for the poisonous state of American politics. Exhibit One: the scorched-earth campaign that George W. Bush was then waging against McCain’s insurgent run for the Republican presidential nomination.

Yet McCain is, in fact, running the kind of campaign against Barack Obama that George Bush ran against him in 2000, which he regarded rightly as dishonest, dishonorable and diversionary in terms of the truth about him and about the nation’s problems.

Will he sacrifice the long-term security and stability of the country just to win an election? Does he think his dubious deal with the fundamentalists will give him any freedom or independence once he is in the hot seat? That was not how things turned out in Iran.