death by a thousand cuts…the details will kill us

UCLA just announced the disclosure of private data on 800,000 persons. I find it disturbing that the “attacks occurred between October 2005 and November 2006.” I almost suspect that that is only as far back as backup tapes and/or logs go. And there were multiple attacks? I would be willing to put money down on the detection being accidental on the part of the network admins. Maybe someone just looking at something they normally don’t, or seeing something odd when troubleshooting an extraneous error as opposed to an IDS barking alerts or alarms going off or the attacker(s) being noisy.

Information security and insecurity isn’t going away, and it is very hard to ultimately protect juicy targets. IT is understaffed and underbudgeted. We complained about this 8 years ago and we still complain about it because technology and information have grown along with staffs.

We also have an inability to share information. We work in an industry that cannot disclose details without the very real fear of lawsuits. But we desperately need to share this. We need to share what broke down in UCLA’s detection strategies. We need to share how they learned of the incident and investigated it. We need to share the goods and the bads, what works and what doesn’t work, the internal political barriers and the champions who push through them. Otherwise this issue just cannot go away and we’ll only have analysts and journalists telling us (and our management) what “should” be done with absolutely no regard to the feasibility of those measures. (Of note, I love analysts/journalists telling companies how easy it is to encrypt full hard drives just because they were able to encrypt their own hard drive once, two weeks ago, and then didn’t like it and removed it…)

If we are to start making headway, we need the details. Otherwise the details, in their silence, will kill prevention.