Shostack + Friends Blog Archive


Information Security Magazine on Choicepoint

Information Security Magazine has an interview with Choicepoint CISO Richard Baich. It’s behind a subscriber-wall, so I’m excerpting bits of it after the read more.. (Via Run-DMZ.)

ChoicePoint’s Rich Baich faced the perfect storm: a huge security breach, intense media attention and a shareholder revolt. What he needed was a response plan to get him out of the HOT SEAT.

Despite its best efforts and spin control, ChoicePoint has joined the American lexicon as the next symbol of shoddy data protection. [Data Protection? Are we living in Europe?] The Georgia-based data collector didn’t suffer a traditional network hack. No firewall was bypassed. No AV subverted. No IDS tricked. Rather, a fraudulent scheme duped the processes that guarded the sensitive information of 145,000 people. It’s an instance where a company’s most precious asset was compromised because security and business managers failed to properly assess the risk of a business process. It’s also an example of how a company’s public disclosure of a security breach can quickly spin out of control once the mainstream media begins ripping into the story.

“I’m in awe of how this has gone to the dinner table,” says ChoicePoint CISO Rich Baich. “It’s not possible to assess the damage to our reputation.”
Baich bristles at headlines proclaiming the fraud perpetrated against ChoicePoint as the work of “hackers.” With identity theft a sexy topic, the news media will latch on to a story like ChoicePoint’s, which is fluid with details following an arrest and prosecution in the case in February, as well as the compulsory disclosure of the breach under California’s Security Breach Information Act (SB 1386). Managing the message sent to shareholders and customers via the press has been paramount.

Again, Choicepoint fails to comment on the need for message to go to the affected public, on whom they make money.

“The mislabeling of this event as a hack is killing ChoicePoint,” says Baich. “It’s such a negative impression that suggests we failed to provide adequate protection. Fraud happens every day. Hacks don’t.”

If even Choicepoint can’t use their systems to prevent fraud, perhaps those systems are worth less than they’d have you believe?

Regardless of the incident’s true classification, or what the media calls it, ChoicePoint has quickly become a case study in the importance of an incident response plan that takes into account working with law enforcement, publicly disclosing breach information and dealing with overwhelming press coverage.

From here, the article is really inside baseball: Why the magazine’s audience needs a response plan, etc. Just one more comment.

Enterprises shouldn’t downplay or mislead the severity of a breach, but instead be as straightforward as investigators will allow. In ChoicePoint’s case, though the breach was discovered six months ago, investigators wouldn’t allow public disclosure until after an arrest and conviction were made.
ChoicePoint had a plan for dealing with the actual incident and followed it to the letter.

That’s patently false. The latest LA incident came to light on Feb 15th. Oluwatosin was arrested October 26. He was sentenced Feb 17, but a case becomes public on arrest. The New York Times quotes “Lt. Ronnie Williams, project director of the Southern California Identity Theft Task Force, which is investigating the ChoicePoint case” as saying that Choicepoint could have talked on Jan 1st.

And here’s a sidebar. It’s more inside baseball, but it provides good insight into how security folks think.

By: Michael Assante and Gerald Freese

It’s ironic that ChoicePoint went out of its way to emphasize that it wasn’t the victim of a “hack,” as though the lack of a digital intrusion lessens the damage caused by identity thieves who circumvented its procedures.

ChoicePoint’s failure to safeguard thousands of individuals’ records was systemic. Once the fraudlent accounts were open, the identity thieves needn’t bothered trying to break through the layers of security devices and applications guarding ChoicePoint’s data treasure trove.

The ChoicePoint incident underscores many companies’ and security professionals’ misplaced faith and inflated reliance on technology. We as security professionals do a reasonably good job of assessing threats and erecting technology-based barriers–firewalls, antivirus, IPS/IDS, access control, application checks, etc. What we stumble with is assessing business operations and exposure to risk, and guarding them against potentially devastating threats.

Defense-in-depth requires intimate knowledge of business drivers and continuous risk assessments. These have to be flexible enough to recognize the digital and human threats to the enterprise–threats with constantly changing exploitation methods and purposes. In today’s business environment, even the most effective layered technical security architecture simply isn’t enough.

Security professionals need to adopt a more holistic, operational approach to risk assessment. Instead of focusing exclusively on technology, we need to “operationalize” risk methodologies that incorporate process identification, analysis and hardening to help prevent compromises of integrity–regardless of the attack vector–to sustain core business processes and protect critical data.

ChoicePoint’s apparent lack of understanding of the interdependencies between the business model, technology architecture and security infrastructure prevented it from conducting effective risk assessments and developing a meaningful mitigation strategy. And they’re not alone. The disciplines of operational risk management and comprehensive security risk analysis are just beginning to mature.

To be fair to Choicepoint, the company had weathered a number of storms, including one over the Florida voting scandals, another regarding their acquisition of Mexican voting rolls, and a fair number of these sorts of ID theft scandals. It’s hard to argue that what’s worked in the past won’t work in the future.

The information security profession is in the midst of an accelerated evolution from its origins as a technology-centric backroom black art to an operational business necessity. Consequently, the security practitioner is evolving in parallel, increasingly aligning technical information protection initiatives with business needs and objectives.

These changes shift the focus of enterprise information security away from primarily reactive technical solutions to value-based technology implementations tied to business risks and requirements.

MICHAEL ASSANTE is CSO at American Electric Power. GERALD FREESE, CISSP, is managing director of information security at American Electric Power.

[Update: fixed some html]

One comment on "Information Security Magazine on Choicepoint"

Comments are closed.