Oz left behind on data breach laws: Verizon
Australia's lack of data breach notification laws and the consequent failure of companies to take basic security measures is hurting the country's reputation as a leader in security standards, according to Verizon global security services director Jonathan Nguyen-Duy.
(No Unauthorised Access image by Nick Stenning, CC BY-SA 2.0)
Speaking to ZDNet Australia, Nguyen-Duy said there was little incentive for companies to disclose that they had been the victim of a breach, especially in cases where they had been extorted for the stability of their site or intellectual property.
"There are four parties involved in a cybercrime: the victim, the criminal, the investigator and law enforcement. No one — none of those four parties — talk about it, with the rare exception of the criminal.
"The criminal gets paid, they don't want the world to know about it. The victim has to pay. It's a loss and they don't want to tell anyone about it. The investigator can't talk about it and law enforcement can't talk about it," he said.
Nguyen-Duy said that landmark changes only happened in the US when companies were fined for non-compliance with Payment Card Industry Digital Security Standards (PCI DSS), which sets out the minimum security requirements for companies holding credit card details, when company directors were held criminally and financially liable for data breaches and when data breach notification laws were enacted.
"There's State Bill 1386, which is a Californian law where if you think you've been breached, not that you have been, you have to notify — that doesn't exist here in Australia.
"A lot of companies in Asia-Pac think it's disappointing because Australia led standards in so many ways. Australia was a leader in financial regulations, standards in information security, standards in business continuity, yet I don't see that," Nguyen-Duy said, referring to the breach earlier this year at Lush cosmetics. In that case, credit card details were stolen and the Federal Privacy Commissioner launched an investigation after it was found the company wasn't PCI compliant.
"There were no PCI penalties there [and] no breach notification. Until that happens, I don't think it's going to change."
Nguyen-Duy's perspective is a change of view from last year for Verizon, as its forensics investigations response chief Mark Goudie said that data breach laws wouldn't help.
However, when it came to identifying who the attackers were, Nguyen-Duy said that the process was often pointless due to the inability to really determine who was behind the attack and the lack of options available to a business in seeking damages.
"[To launch an attack], you don't need to have world-class scientists or engineers, you can hire it. Look at Anonymous and LulzSec — is there any way of really knowing that North Korea did not infiltrate LulzSec and was able to get someone else to do its dirty work? Is there any way of knowing that the Iranian Republican Guards did not go out and hire a cyber criminal to launch a cyber attack?
"But let's say you do find all that. What are you going to do then? Not much. The practical reality is that you're a company. You don't have an air force, so you're not going to launch a smart bomb against them. You don't have a commando force to go take them out. You're not going to send an assassin. Are you really going to launch a DDoS attack? No."
Nguyen-Duy said that despite these threats, companies were failing to do what they could do to protect themselves.
"We find in 92 per cent of [breach] cases, simple to intermediate controls would have detected and prevented the breach. [Those controls] are all reflected in the PCI DSS standard."
Those that did have some measures in place, often didn't realise they had been breached even though there was clear evidence of the fact.
"In more than 84 per cent of the cases, the evidence of the breach was clearly visible in the log files. Which logs? The application server logs, the database server logs, the firewall logs and the [intrusion detection system] logs. The problem was no one was looking there because it's boring, it's voluminous, it's huge amounts of data.
"Everyone in this market has confirmed that the number of data breaches have more than doubled since last year. Data breaches have doubled, but there have been no fines, no levies against PCI compliance. What I really want to know is what will happen once the fines get levied? Will there be a real change in security posture and the number of attacks we know about?"