Friday, February 20, 2009

Crowd-sourcing Intrusion Detection

DataLossDB assembles data breach reports from small media across the country and uses the results to spot trends.  Most interesting result?  They were able to identify a common source for many small breach disclosures and infer that the breaches were all due to a single credit card processor who'd been hacked.

That's innovative, but I've got some doubts about the methodology for purposes of measuring intrusions and trends.  For example, the site reports massive increases in breaches in recent years.  But if the source of that trend is media reports, and the media only reports public announcements, couldn't much of the trend simply reflect the growing number of state laws requiring public announcements of breaches?  If so, the trend is unverifiable using this data.  And, later, when state laws are largely in place, can't we expect the media to stop reporting so enthusiastically on every breach, much as they don't report every mugging?  So we'll still be imprudent to treat the media reports as providing a valuable estimate of trends.

Another example of the same bias risk is the surprising assertion that 22 percent of data breaches are caused by lost laptops and PCs.  That's a surprisingly high number of breaches; I'd have thought that hacking was a greater source of serious breaches.  But I'm not surprised that lost laptops produce a large number of public disclosures.  The laws in question don't require proof that the data has been used to cause harm.  Just the fact of compromise usually triggers the duty to warn.  For those of us who doubt that laptop theft is usually aimed at getting access to personal data, these disclosures forced by state law are not a good measure of how data thieves actually get their information.  By aggregating the data without taking account of the bias built into the law, the site is likely to mislead us about where the risks are in our infrastructure.


1 comment:

maheswari said...

I have read your blog, I got valuable information from your posting. Thanks a lot Intrusion Detection