3. Why Regulation?
• Trying to get a
handle on large
problems that
affect many
individuals
– Monopoly
– Poor conditions
– Unbound risk
– Consumer
protection
Image from Hugh MacLeoud of Gaping Void
3
Monday, July 5, 2010
4. Pattern of Data Loss
• Large Data Breaches (in millions)
– 3.9 :: Financial institution in 2005
– 4.2 :: Supermarket chain in 2008
–5 :: Online bill pay in 2007
– 6.3 :: Online trading company in 2007
– 8.5 :: Banking service provider in 2007
– 12.5 :: Bank in 2008
– 17.7 :: Online adult entertainment in 2006
– 28.6 :: Government agency in 2006
– 40 :: Payment service provider in 2005
– 45.7 :: Retail store in 2007
– 76 :: Government agency in 2009
– 130 :: Payment processor in 2009
• Evolution of Methods
– Flat files, network sniffing, serial port
sniffing, custom malware
– EU: retail moved to e-commerce
4
Monday, July 5, 2010
5. History of Regulatory Time
5
http://www.informationshield.com/papers/A%20History%20of%20Regulatory%20Time.pdf
Monday, July 5, 2010
6. Vaccinations & Regulatory Compliance
• The problem is that although most all agree that vaccination is positive for
the population not everyone agrees that it is positive for the individual
• Individuals say:
– My environment is already secure
– I know how to manage risk better than the regulatory bodies
– My environment is special and unique and does not fit into your Procrustean boxes
• Are we as secure as we think we are?
– Do we rely on third parties?
– Who do we share data with?
– Who do we give access to our data and systems?
6
Monday, July 5, 2010
7. Vaccinations & Regulatory Compliance
• Economics of Immunization and Compliance
– A poorer population will benefit more strongly from an immunization program than one
that maintains a high level of sanitation, health care, and treatment programs
– A more vulnerable population (e.g. retail, restaurants, higher education, e-commerce,
etc.) will benefit more from regulatory compliance than one that is more highly secure
• The cause of action to vaccinate a population is to immunize them from
each other
– Card data stolen from one location can affect fraud at another location resulting in
mutually assured negative impact
• Tipping point of vaccination
– “An aggressive vaccination program that first targets children and ultimately reaches
70% of the US population would mitigate pandemic influenza H1N1”
»Vaccine and Infectious Disease Institute (VIDI) at Fred Hutchinson Cancer Research Center
7
Monday, July 5, 2010
8. Inflection Points and Traffic Jams
• Inflection Points (“Tipping Point”)
– “An inflection point occurs where the old strategic picture dissolves and gives way to the
new” – Andy Grove in Only the Paranoid Survive
• Where are we on the
“Sine Wave of Pain”?
Image from UnderstandingCalculus.com
8
Monday, July 5, 2010
10. Traffic Patterns and Modeling
• Kurt Vonnegut's Cat's Cradle “Ice Nine”
– Polymorph of water that freezes at 45.8 °C (114.4
°F) instead of 0 °C (32 °F)
– One shart of Ice-Nine is the catalyst
• “Hysteresis” (physics)
– “A state of traffic depends not only on its density
but on its history – on whether it was previously
denser or less dense. As the traffic rate rises and
then falls, the flow rate follows a loop.”
»Critical Mass by Philip Ball
• Nagel-Schreckenberg (NaSch) model
10
Monday, July 5, 2010
11. Traffic Jams and Industry Regulation
Critical event
Critical density
http://www.myhomezone.co.uk/project/Report.htm
11
Monday, July 5, 2010
12. Traffic Jams and Industry Regulation
http://www.myhomezone.co.uk/project/Report.htm
12
Monday, July 5, 2010
13. Entering and Exiting a Traffic Jam
1) Traffic density
rises over time
2) Critical event
occurs
3) Critical traffic
density
maintained
4) “Regulation” to
ease traffic
5) Traffic density
eases over time
6) “Deregulation”
when no longer
necessary
http://www.myhomezone.co.uk/project/Report.htm
13
Monday, July 5, 2010
14. What’s the Solution?
• “Building more roads to ease traffic is like trying to cure obesity by
loosening the belt”
– Richard Moe, Head of the US National Trust for Historic Preservation
• Simply applying “more” security does not necessarily mean you achieve
“better” security
– Can you put fewer cars on the road rather than building more roads?
• Help prevent data sprawl
– Security is required where data is maintained
»Data, data, anywhere?
»Data, data, everywhere?
– Reduce scope through grouping of systems
– The more complex a system the harder (and more costly) it is to maintain
14
Monday, July 5, 2010
15. What’s the Solution?
• Examine Use Cases
– Medical record data vs. Payment card data
– Data retention sometimes required, but what do you retain?
»Dept collection agencies
»Reoccurring payments
»Data mining and analysis
• Cost to secure data vs. Business need for data
– Cost to securing data can be proportional to the volume of it
• Brute force is effective but costly, while the elegant solution is simple and
secure
– “PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.”
– Tokenization
– Point-to-Point (End-to-End) Encryption
15
Monday, July 5, 2010
16. Measuring the Problem
• “If all economists were laid end to end, they would not reach a conclusion.”
– George Bernard Shaw
• Solve tomorrows problems with today’s technology
– Problems are not hard if we know which ones to solve
• Plugging one hole doesn’t save the levee
– Reducing card present fraud drives attackers online
– Reducing fraud in one country drives them to others
– Only a holistic solution will work on such interconnected systems
16
Monday, July 5, 2010
17. 3 Habits of Highly Effective Regulation
• Education!
– Drives adoption and adherence
• Flexibility of controls
– 100 % compliance is not the goal when system failures occur in groups
– PCI DSS “Compensating controls”
– EU Data Protection Directive “Comply or explain”
• More data for Risk Modeling
– Can we ever manage risk on a moving target?
– Frequentist vs. Bayesian statistics
17
Monday, July 5, 2010