Data Breach Digest
As the World Turns, Security Incidents Multiply
Then, on Wednesday, came news from Google that numerous Gmail accounts had been attacked, allegedly by foreign hackers seeking access to the e-mail accounts of government and military officials.
This, of course, happened on the eve of Sony and Epsilon appearing before Congress to take their public beatings for the high-profile data breaches those organizations recently suffered.
Meanwhile, as Tim Schaaff, president of Sony Network Entertainment International, sat and told Congressional leaders "We've been reminded that no one is immune to a cyberattack," came news from the hacker group LulzSec that it allegedly attacked Sony Pictures Entertainment websites and gained access to personal information of more than 1 million Sony customers.
Why do I feel like I've just written a week's recap for Soap Opera Digest?
It's clear that major data breaches have not just become a topic of mainstream news; they're occurring with such frequency and potential devastation that they're almost deserving of a soap opera - or at least a 24-hour news desk. We need a CNN or ESPN of data breaches just to keep up with the latest hacks and humble apologies.
And while it's good that recent incidents are urgent enough to have received congressional attention, I'm not sure much came out of Thursday's hearing, except a few congressional leaders got the chance to posture and look concerned.
Mary Bono Mack, R-Calif., stated the obvious when she said, "Cyberattacks against consumers to get credit card information are a problem in the United States and around the world."
And Rep. Pete Olson, R-Texas, didn't exactly suggest landmark policy reform when he offered, "It's clear there is a need for [federal] legislation."
What I did find interesting - and a bit revisionist - was Schaaff underscoring the need for a federal breach notification law. "We look forward to a national initiative that protects consumers," he said. Mind you, Sony is the organization that doesn't even have a CISO and is regarded as having responded embarrassingly slowly to the PlayStation breach.
Aside from the troubling news headlines, there are a couple of new interviews that merit your attention this week:
Scott Charney, Microsoft's vice president of trustworthy computing, engineering excellence and environmental sustainability, says cybersecurity can be improved if governments approach it the way they did the hazards of smoking.
Charney, in an interview with Eric Chabrow, sees a parallel between smoking bans and restrictions to be placed on individual computer users. "We used to say, 'If a user chooses not to patch and chooses not to run anti-malware products, they're putting themselves at risk, but that's their choice,'" he says. Today, though, those choices put other individuals and organizations at risk, too, and so we need to start tackling the topic of "second-hand breaches."
Also from Chabrow is an interview with Dan Geer and Mukul Pareek, creators of a new cybersecurity index that attempts to reflect the relative security of cyberspace by aggregating the views of information security industry professionals.
The cybersecurity index features 15 sub-indices that measure malware threats, intrusion pressures, media and public perception, to name a few. "It allows (security officers) to compare their views with what others are reporting and if their efforts are focused on the right track," Pareek says.
Interesting insights, and they speak to the same common challenge: the data breach du jour. As incidents such as Lockheed, RSA, Google, Sony and Epsilon add up and make daily news, we all need to get wiser about current threats, their potential impact and what we can do to mitigate the harm.
Hard to believe it wasn't so long ago when an incident response plan was seen as just an exercise in the "what could be."