Security Basics mailing list archives

Fwd: Using Science to Combat Data Loss: Analyzing Breaches by Type and Industry


From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 10 Jun 2009 15:41:54 -0400

From the folks at Attrition and the DataLossDB.

---------- Forwarded message ----------
From: security curmudgeon <jericho () attrition org>
Date: Jun 10, 2009 2:40 PM
Subject: Using Science to Combat Data Loss: Analyzing Breaches by Type
and Industry
To: dataloss-discuss () datalossdb org, dataloss () datalossdb org

 http://web.interhack.com/publications/interhack-breach-taxonomy.pdf

 Using Science to Combat Data Loss: Analyzing Breaches by Type and Industry
 C. Matthew Curtin, CISSP and Lee T. Ayres, CISSP

 Abstract

 Where should defenses be deployed? Security managers can answer the
 question by knowing what types of breaches there are, and the rates that
 they occur relative to one another. A number of methods for determining
 such rates have been proposed with a view to helping with this decision
 making. Unfortunately, such methods sometimes tend towards anecdote, might
 be part of a marketing campaign, or lack the context needed to drive
 informed decisions.

 We propose a taxonomy to classify incidents of the loss of control over
 sensitive information. The taxonomy is hierarchical in nature, allowing
 classification of incidents to a level of precision appropriate to the
 amount of information available. Analysis of incidents using the taxonomy
 may also work with the precision appropriate given the question at hand
 and data available. We then explore the proportion of breach types in a
 subset of data losses accumulated by the Identity Theft Resource Center
 (ITRC). Using the 2002 North American Industry Classification System
 (NAICS), we classify breach events according to the industry sector in
 which they occurred.

 We conclude that the taxonomy is useful and that analysis of incidents by
 type and industry yields results that can be instructive to practitioners
 who need to understand how and where breaches are actually occurring. For
 example, the Health Care and Social Assistance sector reported a larger
 than average proportion of lost and stolen computing hardware, but
 reported an unusually low proportion of compromised hosts. Educational
 Services reported a disproportionately large number of compromised hosts,
 while insider conduct and lost and stolen hardware were well below the
 proportion common to the set as a whole. Public Administration's proportion
 of compromised host reports was below average, but their share of
 processing errors was well above the norm. The Finance and Insurance
 sector experienced the smallest overall proportion of processing errors,
 but the highest proportion of insider misconduct. Other sectors showed no
 statistically significant difference from the average, either due to a
 true lack of variance, or due to an insignificant number of samples for
 the statistical tests being used.
 _______________________________________________
 Dataloss Mailing List (dataloss () datalossdb org)
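A small worked analysis in the spirit of the abstract, added here as an illustration and not the paper's code or data: constructed per-sector counts for the four breach types named above are compared against the set-wide proportions with a one-sample z-test, and a sector with too few records is reported as untestable rather than as "average". The two-digit NAICS sector codes are real; the counts, the 1.96 threshold and the minimum-expected-count rule are assumptions.

```python
"""Sector-vs-baseline breach-type analysis modelled on the Curtin/Ayres abstract.
Added example, not the paper's code; counts below are constructed, not ITRC data.
Breach types are the four the abstract names; keys carry 2002 NAICS sector codes."""
from math import sqrt

# Constructed incident counts: sector -> {breach type: number of incidents}.
COUNTS = {
    "62 Health Care and Social Assistance": {"hardware": 30, "host": 2, "insider": 5, "processing": 3},
    "61 Educational Services": {"hardware": 5, "host": 30, "insider": 1, "processing": 4},
    "52 Finance and Insurance": {"hardware": 14, "host": 10, "insider": 15, "processing": 1},
    "92 Public Administration": {"hardware": 14, "host": 6, "insider": 4, "processing": 16},
    "44 Retail Trade": {"hardware": 3, "host": 2, "insider": 1, "processing": 1},
}


def baseline(counts):
    """Proportion of each breach type across the whole data set."""
    total = sum(sum(c.values()) for c in counts.values())
    by_type = {}
    for sector in counts.values():
        for btype, n in sector.items():
            by_type[btype] = by_type.get(btype, 0) + n
    return {btype: n / total for btype, n in by_type.items()}


def compare_sector(counts, sector, z_crit=1.96, min_expected=5):
    """One-sample z-test of each breach type's share in `sector` against the
    set-wide baseline. Returns breach type -> 'above', 'below', 'average' or
    'insufficient_samples' (normal approximation needs n*p0 and n*(1-p0) >= 5)."""
    p0s = baseline(counts)
    n = sum(counts[sector].values())
    verdict = {}
    for btype, p0 in p0s.items():
        if min(n * p0, n * (1 - p0)) < min_expected:
            verdict[btype] = "insufficient_samples"  # too few records to test
            continue
        z = (counts[sector].get(btype, 0) / n - p0) / sqrt(p0 * (1 - p0) / n)
        verdict[btype] = "above" if z > z_crit else "below" if z < -z_crit else "average"
    return verdict


if __name__ == "__main__":
    for name in COUNTS:
        print(name, compare_sector(COUNTS, name))
```

With these constructed counts the output reproduces the pattern the abstract describes (hardware high and hosts low in health care, hosts high in education, insider conduct high in finance, processing errors high in public administration), while the seven-record retail sector is reported as untestable for every type.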
