Yesterday, Sue Marquette Poremba, writing on IT Business Edge about the alleged breach of over a billion personal records by a Russian gang, brought up the long-running question of the treatment of security breach disclosures.
The reported billion records are eye-catching, but Triumfant CEO John Prisco told Poremba that the number isn’t the point:
“So many cyber breaches today are not actually reported, often times because companies are losing information and they are not even aware of it. Today, we have learned of a huge issue where it seems like a billion passwords were stolen overnight, but in reality the iceberg has been mostly submerged for years – crime rings have been stealing information for years, they’ve just been doing it undetected …”
Not exactly reassuring talk. But even the question of whether these breaches should be disclosed and reported at all is still up for discussion. And many of the pros and cons of that discussion are illustrated in the story of this breach report.
Alexander Holden, founder of Hold Security LLC, who reported on his discovery of the billion-record breach at the Black Hat security conference, is having his decisions questioned. He’s even finding himself under the microscope regarding his personal background, educational and otherwise.
Detractors say that he shouldn’t have offered his paid breach notification service (available for $120) at the same time that he shared the breach report. Some say that his description of his background and credentials doesn’t look right, and puts his information and motives in the sketchy category.
Supporters, who include well-known security researcher Brian Krebs, say that Holden did the right thing, has a right to be paid for his work, and has a history of solid cybersecurity research, according to the Milwaukee Wisconsin Journal Sentinel.
Holden responds to the criticism of the timing of his paid breach product by pointing out that he has informed victimized companies of large breaches in the past (with no expectation of payment) – and they did nothing about it.
So, while the constant call is for someone to do something about cyber threats and breaches, the definition of the best method of accomplishing that is far from being determined. And the desired results of various approaches remain elusive. InfoWorld’s take on this particular situation, for example, is that since many experts say Holden has not provided enough details of the attack to convince them that it is quite as deep and serious as it might appear on the surface, we should not consider it very serious. The problem really is that the mainstream press has run with the sensational aspects of the report and inflamed fears that may not be warranted, according to the site.
But that’s the sort of response that hackers, whether they are major or minor, love to see. It also puts security researchers back in the same tough spot. To disclose or not, and to whom? If nobody is going to be compelled to do much in response, no matter which path the researchers take, will they be relegated to saying “I told you so” too much of the time?
I asked Luis Corrons, technical director of PandaLabs, the malware research lab at Panda Security, for his thoughts around breach disclosures. He is following this case closely, and maintains an optimistic view of the value of communicating breach information widely:
“Transparency is always good and nothing can change that, however, it is important to do it in a responsible way. Involving law enforcement at some point (when you have good enough evidence) is really important. Talking to victims too, although this will depend on the approach that law enforcement wants to take.
There are two different types of victims here, the companies that were breached and the individuals whose information was stolen. The companies should be warned as soon as possible in order to investigate what, why, how it has happened and informing their customers/users accordingly.”
Corrons expects that law enforcement agencies will soon become involved in investigating the details of this breach, which may shed light or further muddy our view in the next few days.
Kachina Shaw is managing editor for IT Business Edge and has been writing and editing about IT and the business for 15 years. She writes about IT careers, management, technology trends and managing risk. Follow Kachina on Twitter @Kachina and on Google+