
Exploring the science and magic of Identity and Access Management
Monday, September 16, 2024

New Feature – “InfoSec Site”

DBSec Site, Information Security
Author: Mark Dixon
Thursday, August 19, 2010
9:39 am

I have added a new feature, “InfoSec Site”, to the Discovering Identity blog.

I frequently come across sites on the web that are relevant to the Information Security community. I may not have time to blog about each in detail, but want to provide a way to announce that I have found the documents and provide a way to easily find them again.

A new category, “InfoSec Site”, has been added to the blog, so these documents can be easily selected via the “Select Category” drop-down list box. They can also be found by searching for key words.

My previous post is an example of an InfoSec Site post. It references a useful Data Breach reference site. I hope you find it useful.

 

DBSec Site: DatalossDB.org

DBSec Site, Information Security
Author: Mark Dixon
Thursday, August 19, 2010
9:21 am

DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide.

The Open Security Foundation, as well as our volunteers, feel that there is a distinct need for tools that provide unbiased, high quality data regarding data loss. There are no other open, downloadable, machine parse-able resources out there that facilitate research into this subject matter. By providing this sort of resource, we feel we can help accomplish the following:

  • Improve awareness of data security and identity theft threats to consumers.
  • Provide accurate statistics to CSOs and CTOs to assist them in decision making.
  • Provide governments with reliable statistics to assist with their consumer protection decisions and initiatives.
  • Assist legislators and citizens in measuring the effectiveness of breach notification laws.
  • Gain a better understanding of the effects of, and effectiveness of "compliance".

The following column shows the latest Data Loss incidents:

[Image: column of the latest Data Loss incidents from DatalossDB.org]

 

Data Breach Threats: Laptops or Servers?

Information Security
Author: Mark Dixon
Thursday, August 19, 2010
8:51 am

I learned an astounding statistic yesterday in a webcast presentation by Andrew Jaquith, Senior Analyst, Forrester Research. Using source data from DatalossDB.org, Andrew reported that in 2009, 138 million data records were breached. By any measure, that’s a lot of data, resulting in large financial losses to corporations and lots of consternation to individuals whose identities may be included in those data breaches.

Did the majority of these losses result from stolen or lost laptops or thumb drives or backup tapes that fell off the truck?

Surprisingly, NO! Of the 138 million breached records, a full 133 million breached records occurred at the server level.

Reinforcing this concept, the Verizon 2010 Data Breach Investigations Report stated that compromises of database servers comprised 25% of breaches, but 98% of total records.

So, while we may hear about more cases of data breaches occurring from edge devices, the real challenge is protecting the core database from threats.

This reminds me of the Henry David Thoreau quote: “There are a thousand hacking at the branches of evil to one who is striking at the root.”

 

Are InfoSec Vendors Crying Wolf?

Information Security
Author: Mark Dixon
Wednesday, August 18, 2010
10:10 pm

Robert Mullins posted an interesting article this week highlighting the tension between people who warn of impending danger from information security threats …

“Mark Bregman, chief technology officer of security company Symantec … spoke at the first-ever NASA IT Summit and said the space agency is ideally suited to promote global cooperation among nations on cybersecurity. … ‘There’s an urgent need for diplomacy to kick start international cooperation on cybersecurity,’ Bregman said.”

and people who think InfoSec vendors are just fear mongers seeking to sell products …

“comments that followed Montalbano’s story suggested Bregman was hyping the threat for the sake of Symantec sales. ‘See, Symantec created the panic so as to sell its products,’ wrote one. ‘If Symantec is not the one starting all the cybersecurity mess, the whole world would be much more peaceful,’ wrote another.”

As an employee of a vendor of InfoSec software, as a student of the technology of security, and as a private citizen concerned about the potential for international terrorism, I tend to side with those who point out our immense vulnerability. I hope that our technology can help combat the real-world threats that exist.

I hope the world is not lulled into passive inactivity by those who are skeptical of such threats.

 

Slide Show: 10 Worst Moments in Network Security

Information Security
Author: Mark Dixon
Wednesday, August 18, 2010
9:49 pm

Thanks to Network World for inserting a link in the middle of Dave Kearns’s article, leading to an intriguing slide show, “10 Worst Moments in Network Security.”

Ranging from

“Digital Equipment Corp. marketing guy Gary Thuerk gets technical assistance to send what’s regarded as the first ‘spam’ message to thousands on the government-funded Arpanet”

to

“Societe Generale, the large French financial services firm, discloses that one of its low-level options traders, Jerome Kerviel, has committed stock fraud worth an astonishing $7 billion, the largest in history traced to rogue trading.”

this slide show provides a somewhat nostalgic, but provocative view of bad stuff happening out there in cyberspace.

 

Data Breach Threats Beg For Better Access Control

Identity, Information Security
Author: Mark Dixon
Wednesday, August 18, 2010
9:39 pm

Dave Kearns of Network World posted a thought-provoking article today, “Data breach demonstrates need for access control policies.”

Highlighting a case where a tax collector in British Columbia, Canada, used government computers to look up “private tax files of hundreds of high-income individuals, apparently in the hopes of hitting them up for a business she ran on the side,” Dave observed:

There are so many things wrong here.

  1. Why weren’t controls in place to prevent, or at least raise a flag, when an agent accessed files randomly? Were they at least audited?
  2. Why did it take four years for someone to realize that there were shady dealings going on?
  3. How did CRA determine the "risk of injury"?
  4. Why aren’t the affected parties notified whenever there’s a breach?

In light of increasing government regulations covering data breaches, and hard evidence that the number of data breaches continues to grow, companies would be well advised to

“review your governance, oversight and access control policies now — before your organization features prominently (and ashamedly) in a newspaper headline!”
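Dave’s first question (why nothing flagged an agent pulling files at random, and whether the accesses were even audited) maps directly onto a small detective control. The script below is an added example, not code from the original post, from Network World or from the CRA: the audit-log format, the agent-to-case assignments and the thresholds are all assumptions constructed for the illustration. It reviews each agent-day in a record-access log and flags days with too many record views that carry no assigned case, or with an unusually high number of distinct records.

```python
"""Audit-log review for taxpayer record access (hypothetical example).

Added example; not from the original post or from the CRA case it discusses.
Log layout, case assignments and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one line per record view.
# Fields: day, agent, taxpayer_record, case_id (empty when no case is attached).
SAMPLE_LOG = """\
2010-08-02,agent17,TP-1001,C-551
2010-08-02,agent17,TP-1002,C-552
2010-08-02,agent17,TP-1003,C-553
2010-08-02,agent42,TP-2001,C-601
2010-08-02,agent42,TP-2002,
2010-08-02,agent42,TP-2003,
2010-08-02,agent42,TP-2004,
2010-08-02,agent42,TP-2005,
2010-08-02,agent42,TP-2006,
2010-08-03,agent17,TP-1001,C-551
2010-08-03,agent42,TP-2007,
2010-08-03,agent42,TP-2008,
"""

# Assumed assignment table: which cases each agent is allowed to work.
# A view with no case, or a case not in this set, has no business justification.
ASSIGNED_CASES = {
    "agent17": {"C-551", "C-552", "C-553"},
    "agent42": {"C-601"},
}


@dataclass
class AgentDayStats:
    total: int = 0
    records: set = field(default_factory=set)
    unjustified: int = 0  # views with no case, or a case not assigned to the agent


def parse_log(text):
    """Yield (day, agent, record, case_or_None); skip blank or malformed lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(",")
        if len(parts) != 4:
            continue  # malformed line; a production pipeline would count these too
        day, agent, record, case = parts
        yield day, agent, record, case or None


def summarize(text, assigned):
    """Aggregate views per (agent, day), counting unjustified ones."""
    stats = defaultdict(AgentDayStats)
    for day, agent, record, case in parse_log(text):
        s = stats[(agent, day)]
        s.total += 1
        s.records.add(record)
        if case is None or case not in assigned.get(agent, set()):
            s.unjustified += 1
    return stats


def flag_anomalies(text, assigned, max_unjustified=2, max_distinct=20):
    """Return a sorted list of (agent, day, reason) for agent-days needing review."""
    findings = []
    for (agent, day), s in summarize(text, assigned).items():
        if s.unjustified > max_unjustified:
            findings.append((agent, day, f"{s.unjustified} views without an assigned case"))
        elif len(s.records) > max_distinct:
            findings.append((agent, day, f"{len(s.records)} distinct records in one day"))
    return sorted(findings)


if __name__ == "__main__":
    for agent, day, reason in flag_anomalies(SAMPLE_LOG, ASSIGNED_CASES):
        print(f"REVIEW {agent} on {day}: {reason}")
```

Run daily against the access log, this turns the four-year discovery gap Dave points out into a same-day review ticket; the case-assignment check is the stronger signal, since it ties every record view to a business reason rather than relying on volume alone.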

 

Source Doc: 2010 Data Breach Investigations Report

Information Security, Source Doc
Author: Mark Dixon
Tuesday, August 17, 2010
10:09 pm

The 2010 Data Breach Investigations Report covers a study conducted by the Verizon Business RISK team in cooperation with the United States Secret Service.

In some ways, data breaches have a lot in common with fingerprints. Each is unique and we learn a great deal by analyzing the various patterns, lines, and contours that comprise each one. The main value of fingerprints, however, lies in their ability to identify a particular individual in particular circumstances. In this sense, studying them in bulk offers little additional benefit. On the other hand, the analysis of breaches in aggregate can be of great benefit; the more we study, the more prepared we are to stop them.

Not surprisingly, the United States Secret Service (USSS) is also interested in studying and stopping data breaches. This was a driving force in their decision to join us in this 2010 Data Breach Investigations Report. They’ve increased the scope of what we’re able to study dramatically by including a few hundred of their own cases to the mix. Also included are two appendices from the USSS. One delves into online criminal communities and the other focuses on prosecuting cybercrime. We’re grateful for their contributions and believe organizations and individuals around the world will benefit from their efforts.

With the addition of Verizon’s 2009 caseload and data contributed from the USSS, the DBIR series now spans six years, 900+ breaches, and over 900 million compromised records. We’ve learned a great deal from this journey and we’re glad to have the opportunity to share these findings with you. As always, our goal is that the data and analysis presented in this report proves helpful to the planning and security efforts of our readers.

 

Source Doc: XACML 3.0 Enhancements

Identity, Information Security, Source Doc
Author: Mark Dixon
Saturday, August 14, 2010
7:54 am

Presentation by Gerry Gebel of Axiomatics at a Kantara workshop. It includes a good overview of XACML and covers the v3.0 enhancements.


 

Source Doc: OpenID Security Issues

Information Security, Source Doc
Author: Mark Dixon
Saturday, August 14, 2010
7:16 am

Presentation by Ashish Jain, Andrew Nash and Jeff Hodges of PayPal Information Risk Management at OpenID Summit, 2 November 2009.


 

Cloutage.org – Cloud Incidents, News, Resources

Information Security
Author: Mark Dixon
Wednesday, August 11, 2010
4:16 am

Thanks to my colleague Simon Thorpe for pointing out Cloutage.org, a website which provides up-to-date information about outages and security incidents in public cloud computing:

“Cloutage exists to empower organizations by providing cloud security knowledge and resources so that they may properly assess information security risks. The project aims to document known and reported incidents with cloud services while also providing a one-stop shop for cloud security news and resources.”

 

The Cloutage home page shows a list of “Latest Cloud Incidents”; here are the most recent three:

[Image: the three most recent entries in the Cloutage “Latest Cloud Incidents” list]

I was particularly interested in the Evernote data loss, because I am a heavy Evernote user. I don’t think I lost anything, but it makes me rather nervous, and thankful for the local repository of everything stored in the Evernote cloud.

I suppose the message this brings most strongly home to me is this: Cloud Computing is not invulnerable. Our trust in cloud computing must be based on solid evidence of sufficient information security. We must demand (and, as security professionals, help enable) auditable security technology and processes in cloud computing.

 
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.
Powered by WordPress.