« IT Security Policy Documentation | Main | Investigator Ethics | Forensics Professional Integrity »

05/18/2010

Risk or Breach?

Definition of Data Compromise | Significant Risk of Harm?

In data security, what is the difference between a vulnerability and a compromise? How can one distinguish the two in practice?

In common parlance, a vulnerability in information security is a shortcoming in control, such as the use of weak wireless encryption (WEP) rather than strong wireless encryption (WPA). The shortcoming opens a potential opportunity for a wrongdoer to access data without authority. But the existence of the vulnerability does not establish there has been a compromise.

A compromise, on the other hand, is commonly understood to be an event.  It is actual access to or acquisition of data by someone without authority. 

In the event that personal data has been compromised, many laws require the holder of the data to give official notice to a data subject. These laws are not uniform or consistent in their definition of compromise.

* According to one leading data notification law, California’s Senate Bill 1386 , notice must be given when “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

* According to another leading law, 45 CFR §164.402 applicable to healthcare entities, notice is required when “acquisition, access, use, or disclosure” of data “poses a significant risk of financial, reputational, or other harm to the individual.”

So roughly speaking, vulnerability is potential, and compromise is an event.

But in a functioning information system, the data holder’s knowledge of the difference between potential and event must be based on evidence. Rarely is that evidence strong and conclusive.  Rarely does the data holder have something like sworn testimony from an unauthorized person that she acquired the data or that she intends to misuse the data. 

More often, the data holder has only snippets of evidence about the (in)security of the data. In any given situation, these snippets might be interpreted as a vulnerability, or they might be interpreted as a compromise.  See good discussion on the SANS Forensics blog.

Example: Data holders commonly issue notice when a unit of data-holding hardware, such as a tape or a laptop is lost. But the fact that one cannot confirm the physical location of hardware does not necessarily mean that an unauthorized person possesses the hardware, understands how to use it, harbors the desire or ability to misuse it, and so on.  The data holder’s ignorance of the hardware’s location is really just a vulnerability. But this vulnerability is often treated as a breach, which results in the delivery of a strange notice to data subjects.

Vulnerabilities are an inescapable fact of modern life.  In functioning commercial and government systems, virtually all data are subject to multiple vulnerabilities all the time.  Any auditor worth his salt can always find vulnerabilities, even in well-managed systems.   [Even the mighty National Security Agency has to assume that adversaries will succeed in breaking into its highly secure systems.]

Suppose the data holder’s IT system has logs that show an unauthorized computer did or could have accessed data. Is that proof of a breach/compromise?

Rarely do such logs constitute forensically conclusive proof of a breach.  The fact that one computer registers the movement of data to another computer does not necessarily mean that the person or persons who may from time to time control the second computer saw any data, remembered any data, retained any data, intended to possess the data, exercised any meaningful dominion over the data, possessed the ability to exploit the data and so on. In this age of data overload, people often touch computers will little meaningful comprehension of most of the data that may reside in or pass through them.

In fact, owing to all of the attention given to identity theft in the past decade, and efforts like the FACTA Red Flag rules to intercept identity thieves in the act, I hazard to guess that ID theft is harder to execute today than it was in the past. (This is a topic for a future blog article.)  Data abuse is risky, and would-be criminals know it. Many of the unauthorized people who might have some fleeting contact with personal data will stay away from it or will be unable to exploit it.

My sense is that data holders issue more beach notices than is required by law or is good for society. They treat many vulnerabilities as breaches. Individuals are hence bombarded with notices.  Individuals become jaded and learn simply to ignore so many of these notices.

The breach notices become like the mind-numbing “Proposition 65" signs one sees posted on buildings – hotels, restaurants, apartments, grocery stores, coffee shops, etc. -- all over California:  “This area contains chemicals known to the State of California to cause cancer, birth defects or other reproductive harm.”



Mr. Wright teaches data security law at the SANS Institute.

Posted at 01:55 PM in breach, evidence |

Tags: infosec

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)

Wright's Online SANS Education

My Photo

Blogger

  • Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

IT Administrators

Custom Professional Training

Important!

  • No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

    The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

    Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

    Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

    The only person responsible for Mr. Wright's words is Mr. Wright.

    Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

    Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

    Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

    Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

    Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

SANS Quote

  • Professional Education
    "The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

About

MY BLOGS HAVE LOADS OF CONTENT. SEARCH! ↓

Twitter

  • Follow benjaminwright on Twitter

Become a Fan

Benjamin Wright
Benjamin Wright

Find More on This Blog

Subscribe to this blog's feed