Where the truth is: Logs and breach-disclosure laws
- 03 July, 2008 09:09
Stories detailing the theft of personal information from enterprise databases have filled our news for years and are reaching almost unbearable intensity and frequency. Even back in 2005, it was reported that more than 55 million Americans had their personal data exposed in more than 130 major security breaches. A more recent survey found that nearly 90 per cent of Fortune 500 companies and government agencies have experienced security breaches (that they know of!).
Consider the infamous TJX breach. The US-based retail giant discovered more than a year ago -- and much too late -- that its computer systems were compromised because of an unsecured wireless network and that sensitive customer data was stolen. It wasn't until later that the owners of T.J. Maxx publicly announced the breach, and even when they announced the breach, they were unaware of the full extent of the damage. Later, TJX made public that the number of affected customers had reached 94 million. Even today, years after the breach, there are reports of the company's security not being up to the Payment Card Industry Data Security Standard (which is not, to put it mildly, overly stringent). Similarly, another recent intrusion at Hannaford Bros. highlighted the fact that even complying with PCI does not guarantee that a damaging breach won't happen.
In the wake of each breach came public outcry about corporate responsibility for not only ensuring the security of customer data but also for proper notification of those affected. Compliance mandates such as PCI provide system and information security requirements for companies. Still, as the Hannaford example shows, a compliant firm can still be successfully compromised and have information stolen. And always, the remaining question is: What are the guidelines for breach notification, the other half of the corporate security responsibility story?
The first security breach notification law (enacted in 2003 and called the California Data Security Breach Notification Law, or CA 1386) requires companies to give individuals early warning in the event that their unencrypted personal information is "accessed by an unauthorized person" (which is nothing but a euphemism for "stolen"). The idea was that with knowledge of a breach, affected people can lessen the effects of the crime by taking steps to protect themselves against further identity theft. In reality, these laws work mostly by forcing companies to safeguard information out of fear of public embarrassment, which in effect makes such safeguarding mandatory. CA 1386 gives companies permission to delay notification only if it would impede a criminal investigation.
At that time, California was the only state with legislation requiring the disclosure of security breaches involving personal information. Since then, more than 40 states have passed data security breach disclosure laws, each with unique notification mandates, but all modeled after CA 1386. A national notification law, rather than disparate state laws, would help unify corporate reaction to and notification of security breaches; several bills currently making their way through Congress detail potential requirements. Some countries are also considering such laws, including the UK, Australia and New Zealand.
For those of you familiar with my writing, you are probably waiting for logs to make their grand entrance. After all, what data security discussion would be complete without mentioning the topic of logs? Indeed, logging requirements are hidden in many regulatory mandates that do not mention "logs" by name. Breach-disclosure laws are a primary example.
I have always championed log data as one of the cornerstones of IT security and one of the best ways to detect unusual activity as well as audit normal user and system activities. Log data is also useful for mitigating the fallout from security breaches since it reveals who accessed confidential customer data, when access occurred and by what methods.
When it comes to information access, logs document both normal and abnormal system usage. Both are essential to identifying and investigating a data breach. But more important than knowing who accessed data and when (and whether they were authorized) is knowing what -- and whose -- information has been accessed.
In this way, logs define the parameters of a breach notification and become an essential component of compliance with state laws; they alone can precisely dictate who needs to be notified in the event of a breach. By extrapolating exactly what and whose information was accessed and when, logs take the guesswork out of breach investigation and notification, potentially allowing companies to notify the appropriate people while avoiding the public relations nightmare of having to notify all their customers or facing the public at large and sheepishly admitting a lack of knowledge of the extent of the breach.
Given the importance of logs to breach-notification laws, you would expect that language about log data collection and organization would fill the pages. However, CA 1386 does not include any specific requirement for tracking log data, thus leaving companies guessing about whom to notify. Of course, that doesn't mean that references to logs can't be found by a discerning eye (the emphasis is mine):
"Notify all affected individuals whose personal information was acquired by an unauthorized person. If you cannot identify the specific individuals whose personal information was acquired, notify all those in the groups likely to have been affected, such as those whose information is stored in the files involved."
In fact, these phrases are just longer ways of saying, "Look at the logs!" since you can literally save thousands of dollars by notifying only 20,000 people "proven to be affected" as a result of a log review and not the 40 million people whose data happened to have been stored on the server but might not have been taken by the attacker. (Obviously, logs need to be collected and protected from the attackers for the above logic to be defensible.)
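The scoping logic described above, as an added illustration that is not part of the original column: an access-audit log is reviewed for the incident window, and the notification set is either the records touched by the suspect account or source address, or, when the logs do not cover the window, everyone stored in the involved files (the CA 1386 fallback). The log format, account names, addresses and record ids are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample audit-log lines (not from the article): one line per
# read/export of a customer record, with the acting account and source IP.
SAMPLE_LOG = """\
2008-06-01T09:12:03Z user=jsmith src=10.1.4.22 action=read record=cust:10001
2008-06-01T09:13:40Z user=jsmith src=10.1.4.22 action=read record=cust:10002
2008-06-02T02:01:11Z user=svc_report src=203.0.113.7 action=read record=cust:20001
2008-06-02T02:01:12Z user=svc_report src=203.0.113.7 action=read record=cust:20002
2008-06-02T02:01:13Z user=svc_report src=203.0.113.7 action=export record=cust:20003
2008-06-02T08:30:00Z user=mlee src=10.1.4.31 action=read record=cust:30001
2008-06-03T02:05:00Z user=svc_report src=203.0.113.7 action=read record=cust:20001
"""

# Every customer record held in the compromised store (constructed).
ALL_RECORDS = ["cust:10001", "cust:10002", "cust:20001",
               "cust:20002", "cust:20003", "cust:30001"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, never guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(ev)
    return events

def notification_scope(events, all_records, window, suspect_users, suspect_srcs):
    """Return (set of record ids to notify, reason).

    If retained logs span the whole incident window, notify only the records
    the suspect principal or source touched; otherwise the specific individuals
    cannot be identified, so fall back to everyone in the involved files.
    """
    start, end = window
    stamps = [e["ts"] for e in events]
    covered = bool(stamps) and min(stamps) <= start and max(stamps) >= end
    if not covered:
        return set(all_records), "no log coverage for window; notify all"
    hit = {e["record"] for e in events
           if start <= e["ts"] <= end
           and (e["user"] in suspect_users or e["src"] in suspect_srcs)}
    return hit, "scoped by log review"
```

With the suspect account `svc_report` seen from 203.0.113.7 during the early hours of 2 June, the scoped result is three records instead of all six; shifting the window to a period the log does not cover forces the notify-all fallback.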
To conclude, logs are essential for compliance with breach-notification laws because they tell you exactly whom to notify. Proper log-keeping will save massive amounts of money while complying with both the letter and the spirit of this law.
A final thought: as indicated by the results of some recent surveys, the notification laws might not reduce identity theft through increased consumer awareness, but "shaming people into securing their systems" does seem to be working. Is legislation the answer to data breaches? Some say that software vendors, whose insecure goods enable the cybercriminals, are the ones who should suffer the consequences.
Anton Chuvakin, GCIA, GCIH, GCFA, is a recognized security expert and book author. He's currently chief logging evangelist at LogLogic, a log management and intelligence company. He is the author of Security Warrior and a contributor to Know Your Enemy II, Information Security Management Handbook, Hacker's Challenge 3 and PCI Compliance.