Transcript of the slide deck "Dan Geer's Mandated Breach Reporting: Can The Security Industry Help With His Vision Of The Cyber-Future?"

Dan Geer’s Mandated Breach Reporting
Vision of the Cyber-Future: Can the Security Industry Help?
By Jen Andre, Co-Founder, Threat Stack

THE WORLD HAS CHANGED
It’s in the Earth. It’s in the packet loss.
Dan Geer lit up the security community during his opening
keynote at Black Hat 2014 with his controversial vision of
security and privacy in the internet of the near future.
In one proposal…
He outlines a policy where organizations are mandated to report security breaches
(within a certain scope).
An analogy: the CDC
Currently, medical providers are required to report observed cases of certain notifiable communicable diseases to public health authorities (state and local health departments, which in turn report to the Centers for Disease Control and Prevention, the CDC), in order to mitigate the public health risk of a widespread pandemic.
Dan posits:
“Should we have similar mandates for reporting security breach events?”
To anyone who has been the victim of identity theft or privacy violations due to
mismanaged security practices, the answer to the previous question
is a resounding “OF COURSE!”
The argument for mandated security breach reporting is not new,
though it remains controversial…
If we look at the state of breach reporting today…
• There is already legislation in the United States that mandates this for certain classes of data.
• PCI DSS (a contractual standard imposed by the card brands, not a law) requires entities that handle cardholder data to report card breaches to their acquiring banks and the card brands.
• This comes with serious consequences: fines, mandatory forensic investigations, and potentially loss of the ability to process card payments at all.
• Many states (California leading the charge with its 2002 breach notification law, SB 1386) also require notification directly to the individuals whose data was stolen.
• HIPAA mandates similar disclosures for protected health information (the HIPAA Breach Notification Rule).
• (And no, the US isn’t the only country where this kind of legislation is being enacted.)
Can we presume a similar trend for other classes of data going forward?
Proponents argue:
Mandated breach reporting is a compelling impetus for organizations to be better stewards of data that is increasingly replicated across cloud services worldwide.
There are several philosophical, organizational, and technical challenges that make this difficult to
execute on at best, and infeasible at worst — except in the most regulated of industries.
If we presume such legislation is inevitable, what kinds of challenges do
businesses and other organizations face for compliance?
What kind of technological solutions can we expect to evolve as an industry to
make this easier?
How does this affect the explosion of SaaS businesses (enabled by the growth of IaaS) in today’s “cloud”-enabled world?
Let’s start with some of the technical challenges.
1. How do I know if I’m breached?
Most of the time, organizations have no idea they’ve been compromised. According to the Verizon DBIR, roughly 70-80% of breaches are discovered and reported by unrelated third parties rather than by the victim.
This is an interesting challenge when it comes to penning legislation…
It makes little sense to have mandates on breach reporting without a specified time window.
(Otherwise, anyone could take advantage of a loophole and postpone notifications for years.)
Yet, many SaaS businesses operating today do not have the expertise in-house
to even know if they are breached, never mind have the capability of response within a certain time window.
Which brings us to the other problem…
2. How do I know the scope of the data compromised?
Technically, it’s quite difficult to reconstruct the path of an attack.
As Dan pointed out in his keynote, the security industry is becoming increasingly specialized, and not everyone
can afford to have a security forensics expert on-hand or pay for breach notification services.
Security industry innovation in audit logging for systems, APIs and applications can put this kind of data within reach of non-specialized systems operators, but in the meantime:

Is a single entry in an application log enough evidence to assume the best case, or must you assume the worst possible scenario?
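Sections 1 and 2 above ask how an operator knows they have been breached and how far the damage extends. The script below is an added example written for this page, not code from the deck or from Threat Stack: it runs two cheap detection heuristics over a constructed JSON-lines audit log, then pivots from the flagged sessions to every record touched by the same source IPs, and finally computes dwell time and a reporting deadline. The log format, field names, per-user IP baselines, thresholds and the 72-hour reporting window are all assumptions made for the example.

```python
"""Added example for this page (not from the deck or from Threat Stack):
triage a suspected breach from audit logs.  The log format, field names,
per-user IP baselines, thresholds and the 72-hour reporting window are
assumptions made for the example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in JSON-lines form.  Not real data.
AUDIT_LOG = """\
{"ts":"2014-08-04T09:00:00Z","event":"auth.login","user":"alice","session":"s1","src_ip":"10.1.1.5"}
{"ts":"2014-08-04T09:05:00Z","event":"record.read","user":"alice","session":"s1","src_ip":"10.1.1.5","record_id":"r-100"}
{"ts":"2014-08-04T23:10:00Z","event":"auth.login","user":"alice","session":"s2","src_ip":"203.0.113.7"}
{"ts":"2014-08-04T23:11:00Z","event":"record.read","user":"alice","session":"s2","src_ip":"203.0.113.7","record_id":"r-100"}
{"ts":"2014-08-04T23:11:05Z","event":"record.read","user":"alice","session":"s2","src_ip":"203.0.113.7","record_id":"r-101"}
{"ts":"2014-08-04T23:11:10Z","event":"record.read","user":"alice","session":"s2","src_ip":"203.0.113.7","record_id":"r-102"}
{"ts":"2014-08-05T01:30:00Z","event":"auth.login","user":"bob","session":"s3","src_ip":"203.0.113.7"}
{"ts":"2014-08-05T01:31:00Z","event":"record.export","user":"bob","session":"s3","src_ip":"203.0.113.7","record_id":"r-200"}
{"ts":"2014-08-05T08:00:00Z","event":"auth.login","user":"carol","session":"s4","src_ip":"10.1.1.9"}
{"ts":"2014-08-05T08:01:00Z","event":"record.read","user":"carol","session":"s4","src_ip":"10.1.1.9","record_id":"r-300"}
{"ts":"2014-08-05T08:01:20Z","event":"record.read","user":"carol","session":"s4","src_ip":"10.1.1.9","record_id":"r-301"}
{"ts":"2014-08-05T08:01:40Z","event":"record.read","user":"carol","session":"s4","src_ip":"10.1.1.9","record_id":"r-302"}
"""

# Assumed per-user baseline of source IPs seen before the incident window.
KNOWN_IPS = {"alice": {"10.1.1.5"}, "bob": {"10.1.1.6"}, "carol": {"10.1.1.9"}}
BULK_THRESHOLD = 3                   # record events within one minute = bulk access (assumed)
REPORT_WINDOW = timedelta(hours=72)  # assumed notification deadline, counted from discovery


def parse_log(text):
    """Parse JSON lines into dicts, converting 'ts' to a datetime."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return events


def detect(events):
    """Flag sessions with two cheap heuristics: a login from a source IP outside
    the user's baseline, and a burst of record access inside one session.
    Returns {session: reason}; the first reason that fires wins."""
    flagged = {}
    per_session = defaultdict(list)
    for e in events:
        if e["event"] == "auth.login" and e["src_ip"] not in KNOWN_IPS.get(e["user"], set()):
            flagged[e["session"]] = "login from unknown source IP"
        if e["event"].startswith("record."):
            per_session[e["session"]].append(e["ts"])
    for sess, times in per_session.items():
        times.sort()
        for i in range(len(times) - BULK_THRESHOLD + 1):
            if times[i + BULK_THRESHOLD - 1] - times[i] <= timedelta(minutes=1):
                flagged.setdefault(sess, "bulk record access")
                break
    return flagged


def scope(events, seed_sessions):
    """Pivot from the flagged sessions to every session sharing their source
    IPs, then collect the records those sessions touched and the earliest
    event, which bounds how long the attacker was inside."""
    ips = {e["src_ip"] for e in events if e["session"] in seed_sessions}
    sessions = {e["session"] for e in events if e["src_ip"] in ips}
    records, first_seen = set(), None
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["session"] in sessions:
            first_seen = first_seen or e["ts"]
            if "record_id" in e:
                records.add(e["record_id"])
    return {"sessions": sessions, "src_ips": ips, "records": records, "first_seen": first_seen}


def report(text, discovered_at):
    """Build the facts a notification needs: what was flagged, which records
    are in scope, the dwell time in hours, and the reporting deadline."""
    events = parse_log(text)
    flagged = detect(events)
    s = scope(events, set(flagged))
    dwell = (discovered_at - s["first_seen"]).total_seconds() / 3600 if s["first_seen"] else None
    return {
        "flagged": flagged,
        "sessions": sorted(s["sessions"]),
        "src_ips": sorted(s["src_ips"]),
        "records": sorted(s["records"]),
        "dwell_hours": dwell,
        "report_by": (discovered_at + REPORT_WINDOW).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def demo():
    """Run the report over the constructed log with an assumed discovery time."""
    return report(AUDIT_LOG, datetime(2014, 8, 6, 12, 0, 0))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things in the output speak directly to the slide's question. Record r-100 lands in scope even though alice read it legitimately earlier, because the attacker's session read it again; without an audit trail that ties each read to a session and source IP there would be no way to say which copy was exposed, and the honest answer becomes "assume the worst". Conversely, carol's session is pulled into scope only because three reads happened within a minute, which may be perfectly normal for her role; whether that is a false positive is a judgment the log alone cannot make. In practice the IP baseline would come from months of history and the pivot would follow shared tokens, API keys and hosts, not only source IPs.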
3. Who is responsible?
Even if you limit the scope of a breach to certain classes of data, data lives online in complex systems.
There are many attack vectors, and the set of entities responsible for breach reporting remains fuzzy.
Think of the proliferation of shared Facebook authentication:
If you use your Facebook credentials to log into a medical records site, is Facebook now mandated to report breaches within a certain time frame to the users of its auth services so that the medical records site can respond accordingly?
Never mind if you legislate widespread PII breach reporting: the personal information embedded in private social networking sites could allow an attacker to do real damage
(e.g. impersonate you well enough to get access to your Amazon account).
If I’m an internet service provider and a router on my network is compromised in a way that lets an attacker hijack traffic and compromise a medical records site, am I responsible for reporting?
As a common carrier, should I even care about the content that I serve?
Taking it down a level
The philosophical argument
The internet’s power lies in its roots as an open communications platform.
If a kid creates a web app that calculates my personality type based on a quiz that asks for my birthday, full name, and my blood type, do we enforce breach reporting?
Certainly a government can regulate that person’s ability to establish a business and make money within its jurisdiction, but that raises new concerns…
Will we start to see micro-internets whose boundaries are dictated by the government entities that control the underlying infrastructure, and who decide who has access to what?
It’s not hard to see that mandated breach reporting would impose real
cost to innovation.
Will internet startups choose to launch their businesses in the darker, freer parts of the internet whose infrastructure is controlled by the more friendly governments?
(a la what’s happening with online gambling)
Then there is the compartmentalization of internet security policy given the power of state actors, and the tension between what we value as our freedom on the internet and the role of cyber security.
Geer alludes to this…
Already, the Chinese internet is a very different place from the one you and I know…
In such a world…
How can technology help?
Can the security industry provide software that mitigates the costs of breach reporting requirements with better-automated ways of
detecting breaches?
Will such technology be usable and affordable by masses of
startups that are out there today building real businesses and driving
technology forward?
What do you think?
Are Dan’s ideas about mandated breach reporting farfetched, or do they represent a world we could soon live in?
Tweet your thoughts: @threatstack

To learn more about Threat Stack, visit threatstack.com