Why Don't We Defend Better?
eBook - ePub

Why Don't We Defend Better?

Data Breaches, Risk Management, and Public Policy

  1. 108 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About This Book

The wave of data breaches raises two pressing questions: Why don't we defend our networks better? And, what practical incentives can we create to improve our defenses? Why Don't We Defend Better?: Data Breaches, Risk Management, and Public Policy answers those questions. It distinguishes three technical sources of data breaches corresponding to three types of vulnerabilities: software, human, and network. It discusses two risk management goals: business and consumer. The authors propose mandatory anonymous reporting of information as an essential step toward better defense, as well as a general reporting requirement. They also provide a systematic overview of data breach defense, combining technological and public policy considerations.

Features

  • Explains why data breach defense is currently often ineffective
  • Shows how to respond to the increasing frequency of data breaches
  • Combines the issues of technology, business and risk management, and legal liability
  • Discusses the different issues faced by large versus small and medium-sized businesses (SMBs)
  • Provides a practical framework in which public policy issues about data breaches can be effectively addressed


Why Don't We Defend Better? by Robert Sloan and Richard Warner is available in PDF and/or ePUB format, catalogued under Computer Science & Computer Science General.

Information

Publisher: CRC Press
Year: 2019
ISBN: 9781351127288
Chapter 1
Introduction
Very conservatively estimated, there are more than three data breaches a day[1] with a high aggregate cost. One recent study puts the average cost per business of a breach at $3.86 million.[2] Such estimates are controversial,[3] but it is clear that breaches impose significant losses on society. Security experts have long explained how to better defend against hackers. Why don’t we defend better? Why instead does society tolerate a significant loss that it has the means to avoid? There is more than one reason, but we focus on what we will argue is the most important one: the lack of sufficient information about the cost of breaches and about the probability of their occurrence. That lack of information can cause organizations to spend the wrong amount on defending themselves against breaches, typically underspending.
Our focus may surprise some. Why concentrate on defense? Isn’t a good offense an important part of the solution? Why not propose better ways for law enforcement to identify and shut down hackers? It would of course be foolish to deny law enforcement an important role, but it is far from a complete solution. There will always be some people who will engage in illegal behavior as long as they see a positive risk-reward calculation, and a significant number of people will see a positive reward since it can be hard to locate and prosecute hackers, especially in foreign jurisdictions.
Law enforcement is in the business of locating and shutting down hackers, not in preventing them from being able to hack in the first place. Law enforcement will always make decisions about where to spend their limited resources based partially on the likelihood that they can attribute a breach to a particular criminal or group of criminals, and then locate and successfully prosecute those criminals. Each attribution, location, and prosecution can be quite difficult. So defenses are critical. Defenses benefit the defender by reducing losses, and they benefit law enforcement by reducing the amount of successful hacking it needs to investigate.
We begin by explaining what we mean by a data breach.
What Is a Data Breach?
We characterize data breaches by using the traditional division of information security into confidentiality, integrity, and availability—sometimes referred to as CIA, or as the CIA triad. Confidentiality consists of keeping information away from those not authorized to possess it. We expect confidentiality for telephone conversations, financial transactions, and medical records. Integrity consists of preventing information from being altered by those not authorized to alter it. We need integrity for financial instruments, and both integrity and confidentiality for texts and emails. Availability consists of making computer systems available to authorized users. It’s easy to maintain the confidentiality and integrity of information if you don’t need availability. Simply put the information on one computer and permanently turn off that computer, or put it in a bank vault and leave it there.
From the point of view of the organizations breached and the consumers affected, data breaches are primarily a matter of confidentiality. In many breaches, hackers obtain credit card data that should have remained confidential. Examples include the Wyndham Hotel, Target, and Equifax breaches (which we discuss below), as well as the Home Depot, Macy’s, and Sears breaches of 2018, and many others. In addition, in many breaches, including the Wyndham Hotel, Target, and Equifax, as well as the Anthem and U.S. Office of Personnel Management breaches, other personal information, such as Social Security numbers, emails, and phone numbers that should have stayed confidential, was breached.
From the point of view of the information security defenders, there are also massive integrity violations at play. Software that should not have been allowed to run on a computer ran, violating the integrity of those computer systems. We return to the integrity prong of the CIA triad when we discuss the Internet of Things (IoT) in Chapter 5. Compromised integrity on the IoT can have serious consequences—car accidents, malfunctioning medical devices, failing power grids, and so on.
A narrow use of the label “data breach” restricts it to breaches of confidentiality along with the compromised integrity they involve. When data breaches in this sense involve unauthorized access to sensitive information, they constitute invasions of privacy. A broader use applies the label to events that corrupt, destroy, or block access to information. Data breaches then include denial of service attacks, ransomware attacks, and destructive hacking that corrupts or destroys data. These are not instances of unauthorized possession or viewing of data, but they do interfere with data in ways that can be highly disruptive. The table summarizes the typology.
                  Data Taken/Viewed   Site Access Denied   Data Hidden   Data Corrupted/Destroyed
Confidentiality   Data breach         -                    -             -
Integrity         Data breach [a]     Denial of service    Ransomware    Destructive hacking
Availability      -                   Denial of service    Ransomware    Destructive hacking
We focus primarily on data breaches in the narrow “data taken/viewed” sense until we turn to the IoT in Chapter 5, where we consider the “data hidden” ransomware cases and the breaches of integrity involved in destructive hacking.
Four Examples
Before we go any further, let’s take a look at four among the thousands of significant data breaches in the past 15 years or so. For many data breaches, only a limited amount of information is publicly available. For our first two breaches, however, a fair amount is known, which is one reason we are discussing them. The late 2013 Target breach received a great deal of coverage by the news media and was also the subject of a detailed report by the U.S. Senate Committee on Commerce, Science, and Transportation. The Wyndham Hotels breach, or rather, the series of three breaches of Wyndham hotels between 2008 and late 2009, was the subject of legal action by the U.S. Federal Trade Commission (FTC), creating a public record. We will also discuss two more recent breaches where less is publicly known: Equifax, the biggest breach of 2017, and Marriott, the biggest breach of 2018.
Target
On December 19, 2013, Americans learned that Target stores had suffered a massive breach and that tens of millions of credit card numbers had been stolen. This was headline news, and it eventually became clear that about 40 million Target customers had credit card information stolen, and another 70 million had other personal information, such as addresses and phone numbers, stolen.[4] In the fullness of time, Target’s CIO and CEO would both lose their jobs,[5] banks would reissue about 21 million credit cards to vast numbers of Americans (including one of the authors of this monograph) at a cost of about $200 million,[6] and Target’s expenses would total $291 million.[7]
How could such a thing happen? What went wrong? The short answer is, many things went wrong. A fairly common pattern in disasters in both real life and fiction is that several different things go wrong, and the sum total of those occurrences causes the disaster. This is the...

Table of contents

  1. Cover
  2. Half Title
  3. Title Page
  4. Copyright Page
  5. Contents
  6. Authors
  7. Chapter 1: Introduction
  8. Chapter 2: Software Vulnerabilities
  9. Chapter 3: (Mis)Management: Failing to Defend against Technical Attacks
  10. Chapter 4: A Mandatory Reporting Proposal
  11. Chapter 5: Outsourcing Security
  12. Chapter 6: The Internet of Things
  13. Chapter 7: Human Vulnerabilities
  14. Chapter 8: Seeing the Forest: An Overview of Policy Proposals