C. Warren Axelrod

Yet Another Case of Third-Party Breach Discovery

On the front page of the Business Day section of The New York Times of November 1, 2014, is an article by Matthew Goldstein and Nicole Perlroth with the title “Luck Helped in Discovery of Breach at JPMorgan.” It never ceases to amaze me how few publicized data breaches are actually discovered by the victim organizations themselves, despite, as the article points out, their spending hundreds of millions of dollars a year on InfoSec, as in JPMorgan Chase’s case. As the Verizon Business annual Data Breach Investigations Report points out, most breaches are discovered by non-internal sources; see the 2014 report, which can be downloaded free of charge from http://www.verizonenterprise.com/DBIR/2014/

Again this points to a failure of businesses and other organizations to be able to detect breaches themselves. As a result, they end up depending on third parties—often Visa, MasterCard, law enforcement, threat researchers, and security consulting firms—to notice anomalous customer and/or user behavior or, as with JPMorgan Chase, a huge cache of customer credentials (usernames, passwords, etc.). Granted, once the evidence is presented to victim organizations, they usually get on the case right away. But by then, it may be too late to stem the damage.

My claim has been that much of the problem has to do with two deficiencies: first, the lack of security-related instrumentation built into applications, and second, insufficient software assurance, particularly minimal attention to functional security testing. I have written about these topics numerous times in this column and elsewhere, so I will not go into details here.

My colleague at the United States Cyber Consequences Unit, director and chief economist Scott Borg, is quoted at the end of the NYT article as saying: “The most notable thing about these recent breaches is … that they went on so long without being detected … Companies are being blindsided because they are not watching for the specific kinds of cyber attack that are really going to hurt them.”

I agree with Scott and contend that organizations are not able to detect these attacks because the tools they have adopted are not capable of monitoring specific kinds of activity within hugely complex and interoperating systems and networks. Incorporation of the necessary instrumentation has to take place throughout the system development lifecycle, with InfoSec experts establishing security-related requirements at the very beginning of the lifecycle and ensuring that they are adhered to through the design, development and assurance stages. This endeavor has to be supported by senior management, as inserting the necessary subsystems will undoubtedly add to costs and delay production schedules. However, such subsystems will go a long way towards detecting malicious intruders and have the potential to greatly reduce the enormous financial losses and reputation costs resulting from a major breach.
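One shape such built-in instrumentation can take, as an added example that is not the author's code nor from any named product: a data-access layer that emits a security event on every customer read, and a detector that alerts when a single principal pulls more customer records in five minutes than any legitimate workflow needs. The class and function names, the threshold and the sample traffic are constructed assumptions.

```python
"""Added example: application-level security instrumentation plus a
volume detector. Names, thresholds and traffic are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    ts: float        # seconds since epoch
    principal: str   # user or service account performing the read
    action: str      # e.g. "read_customer"
    count: int       # number of records returned


class CustomerStore:
    """Data-access layer: every read emits a security event to a sink."""
    def __init__(self, sink):
        self._sink = sink

    def read_customers(self, principal, ids, ts):
        rows = [{"id": i} for i in ids]          # stands in for a real query
        self._sink.record(AccessEvent(ts, principal, "read_customer", len(rows)))
        return rows


class VolumeDetector:
    """Sliding-window record count per principal; alerts above a threshold."""
    def __init__(self, window_s=300, max_records=1000):
        self.window_s, self.max_records = window_s, max_records
        self._hist = defaultdict(deque)          # principal -> recent events
        self.alerts = []                         # (principal, ts, records in window)

    def record(self, ev):
        q = self._hist[ev.principal]
        q.append(ev)
        while q and ev.ts - q[0].ts > self.window_s:   # drop events outside window
            q.popleft()
        total = sum(e.count for e in q)
        if total > self.max_records:
            self.alerts.append((ev.principal, ev.ts, total))


def run_scenario():
    """Constructed traffic: a teller doing small lookups vs. a bulk reader."""
    det = VolumeDetector(window_s=300, max_records=1000)
    store = CustomerStore(det)
    for i in range(20):                          # 20 lookups of 5 records each
        store.read_customers("teller01", range(i, i + 5), ts=1000 + i * 10)
    for i in range(6):                           # 6 reads of 300 records each
        store.read_customers("svc_batch", range(i * 300, i * 300 + 300), ts=2000 + i)
    return det.alerts                            # alerts only for svc_batch
```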

Let’s see some proactive efforts in this space.
