Contrast's CTO and Co-Founder, Jeff Williams, was interviewed by Forbes Magazine at Black Hat USA 2016 earlier this month. The interview focused on recent healthcare breaches and why we (the industry) should score data breaches. Jeff is quoted heavily throughout the piece on what a data breach scorecard would look like, as well as how the Banner Health data breach fared under this scoring system. A few of Jeff's recommendations are listed below. If you would like to read the article in its entirety, check it out on the Forbes website.
Quoted from an article written by Dan Munro appearing on Forbes:
Why We Should Score Data Breaches
…I was meeting with Jeff Williams at Black Hat when I saw the headline announcing the breach at Banner Health and I asked him for his thoughts.
“We’re a country obsessed with metrics, but breach disclosures are almost always a lawyerly exercise in obfuscation and misdirection. Some types of breaches require ‘disclosure,’ but we never find out anything that would enable people to make informed decisions about whether their data is safe enough. All we typically hear or read is that the organization ‘takes their customer data very seriously.’ We need a system for scoring data breaches and corporate response across key variables as a critical and tangible way to change the dynamic quickly after an announcement. Actually applying an independent score to a data breach could be an effective way to accelerate the path to remediation and restoring trust.” – Jeff Williams, Co-Founder and CTO of Contrast Security.
Jeff’s been in the security industry for more than 20 years (and he just happens to have a JD from Georgetown) so he’s very well versed in industrial-sized security challenges. As soon as he suggested the idea – I couldn’t help but wonder why it hasn’t been implemented – and then also what a scorecard would look like. Jeff offered this draft:
- Tone – Is the announcement apologetic and not blaming? Does it acknowledge that there should have been better defenses, and that the breach should have been detected and the attack stopped?
- Timeline – When was the initial break-in? When was it discovered? How long to disclose?
- Scope – What information was stolen and what control was lost?
- Size – How many people were affected? How many servers?
- Root Cause – What was the underlying vulnerability that was exploited? What defenses are in place and how did the attack bypass the defenses?
- Discovery – Who discovered it? Victims? Security firm? Why didn’t you know earlier?
- Remedy – Are you really making victims whole? For how long? [Personal Health Information – PHI is literally lifelong]
- Future – What are you going to do to prevent future/similar attacks?
- Blame – Did you state or imply that the attack was “sophisticated” or “advanced?” Did you provide any evidence of that?
- Oddities – Were there any oddities, such as a timeline that does not make sense or details that stretch credulity?
Developing a robust application security program does not need to be a daunting task...
Perhaps all it takes is rethinking your existing program and moving to one that leverages a continuous application security (CAS) approach. Organizations practicing CAS quickly determine how a new risk affects them, design a defense strategy, and measure their progress toward 100% coverage. By implementing eight functions within an enterprise, you can assemble an effective application security program.