Over the years I have been expressing the implications of out-of-wallet authentication information and “personally unique” data of individuals. My journey led me to write the book, IT Compliance and Controls, where I sought to humbly draft operational activities for businesses to defend their intellectual property (and customer data, of course). I launched multiple businesses with partners, created technology, filed patents, and even helped elevate the risk related to publicly available data used by data analysis companies (unfortunately I am still not able to disclose details here).
Despite this journey, the data that identifies individuals is still not protected, operationally or across the industry. To be clear, the information I refer to here (a limited list) is that which is a fact about a person. The value of such a fact is tied to how often it changes: the less frequently it changes, the more valuable it is. So as an example:
- Last name = Changes only rarely (not very valuable, one could argue)
- First pet = Never changes (very valuable for OOW authentication questions)
- Last 4 digits of Social Security number = Never changes (very valuable)
- Last 4 digits of favorite credit card = Changes maybe every 3 years (somewhat valuable)
Other data is also valuable but requires a bit of Google hacking and Facebook / LinkedIn skimming. Simply put, code is run to build a full database of personally relevant data about a target person, and that database is used to construct targeted phishing emails and password-generation attack databases. Needless to say, public information and the information used when setting up accounts are VERY vital to information security moving forward.
The most recent breach that hit a good company is Zappos. I, as a customer, received the regular breach email stating what data was lost. They set up the site to orchestrate the password reset process and made it extremely simple. (There are challenges here, to be discussed shortly.) The communication did state that details such as full name, email, and billing and shipping address were among the data lost. All vital and still sensitive, but not yet protected, as mentioned above.
The process of password reset and refreshing of customer data is a challenge post-breach. What to protect and what not to protect? That is the prime question when setting up the post-breach authentication and refresh process. I would posit that the email link is not sufficient to protect the consumer, as that information could easily be leveraged in a secondary attack against the user. I would also state that I manually went to the Zappos website to see if it was a real notification or a trick. It was real, but the simplicity of their process still drew its validity into question; I actually began checking registries to determine if DNS poisoning / redirection was occurring.
The takeaway of this post: first, consider the value of the data on hand and the implications of security safeguards, both as regulated entities and as proper custodians of such information. Second, how would you recover from a breach, and what data would you rely upon? Have you secured that data in a manner representative of the dependence you place upon it?
Simply put, consider the types of data you are custodian of (today, historically, and in the future) and how that information could be leveraged, for and against you, the customer, and society. I draw this distinction out because businesses and the data they rely upon are interrelated. An example is the email software-as-a-service company that was breached, after which third-party vendor arrangements suddenly stood strikingly naked when the tide went out.
Don’t be left standing naked my dear security industry.
James DeLuccia IV
*Join me in RSA SFO for security forward discussions, and at the IIA GAM 2012 Conference in March on Social Media Technology Risks.