Sunday, June 07, 2009

Crisis 0: Game Over

A veteran security pro just sent me an email on my post Extending the Information Security Incident Classification with Crisis Levels. He suggested a Crisis beyond Crisis 1 -- "organization collapses." That is a real Game Over -- Crisis 0. In other words, the cost of dealing with the crisis bankrupts the victim organization, or the organization is ordered to shut down, or any other consequence that removes the organization as a "going concern," to use some accountant-speak.

I guess the hunt is on now to discover example organizations which have ceased to exist as a result of information security breaches. The rough part of that exercise is connecting all the dots. Who can say that, as a result of stealing intellectual property, a competitor gained persistent economic advantage over the victim and drove it to bankruptcy? These are the sorts of consequences whose timeline is likely to evade just about everyone.

Putting on my historian's hat, I remember the many spies who stole the manufacturing methods developed by the pioneers of the Industrial Revolution in Great Britain, resulting in technology transfers to developing countries. Great Britain's influence faded in the following century.

Does some savvy reader know of a corporate espionage case that ended badly for the victim, i.e., in bankruptcy or the like?

Incidentally, I should remind everyone (and myself) that my classification system was intended to be applied to a single system. It is possible to imagine a scenario where one system is so key to the enterprise that a breach of its data does result in Crisis 3, 2, 1, or 0, but that is probably a stretch for the worst Crisis levels. Getting to such a severe state probably requires a more comprehensive breach. So, let's not get too carried away by extending the classification too far.

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.


Roland Dobbins said...

Yet again, the fixation on breaches is inexplicable. You'll definitely find organizations which were DDoSed out of existence.

Why ignore DDoS? I'm really curious.

Richard Bejtlich said...

Roland, DDoS is a non-issue for me. Although I am not a subscriber, if I had a DDoS problem I would turn to Prolexic. They seem to have solved it.

Roland Dobbins said...

Yes, 'clean pipes' solutions like those offered by Prolexic and other SPs are quite helpful - but they're focused on protecting the endpoints and the applications/services running on them, not the network infrastructure itself.

Also, they generally aren't set up to deal with the effects of outbound DDoSes launched by botted hosts on the enterprise network.

Finally, I thought you were writing here in order to provide security guidance to your readership, not just focus on what you perceive to be your priorities in your particular situation? That seems to be the case with your taxonomy/matrix, yet DDoS is inexplicably missing.

Anonymous said...

Crisis 0 examples:

An argument could be made for the cracking of the Enigma algorithm as being a good mid-term example. This cracking/breach led to significant Allied military advantage, leading to the end of the 3rd Reich as a going concern.

A more recent example would be CardSystem Solutions, which suffered a breach which damaged its finances enough that it got bought out for pennies on the dollar (by an organization that subsequently went bankrupt paying legal fees).

I'm certain there would be a number of military tales over the ages, corporate stories are likely a little more difficult to come by (less prone to have a single demonstrable 'battle').

- Michael Argast

Richard Bejtlich said...

Roland, you wrote:

"Finally, I thought you were writing here in order to provide security guidance to your readership, not just focus on what you perceive to be your priorities in your particular situation?"

This isn't PBS. I write about whatever I want.

Roland Dobbins said...

And arbitrarily leave important things out of your taxonomy/matrix - as is also your right, but at the same time disappointing.


Security Shoggoth said...

Not sure if this fits your criteria exactly, but Egghead Software was hurt in Dec 2000 when it was found that its credit card data had been compromised. It filed for bankruptcy 8 months later.

While I don't think the compromise was 100% the cause for the bankruptcy, it didn't help.

Anonymous said...

What about companies that go under as a result of lacking disaster recovery/business continuity plans? I remember there being a lot of businesses that went under as a result of Katrina simply because their data, backups, and any hope of retrieving it were gone.

Marcin said...

As unfortunate as this incident may be, I believe it can sum up 'Game Over' for some people. Loss of life is worse than business failure.

Phil said...

Well, I can think of one Crisis 0 example: Recently hacked and lost all their backups (mostly because their backup controls were awful). The site is still down as we speak.

celevorne said...

To reiterate what Marcin said, I think Crisis 0 and Crisis 1 should be swapped... no organizational failure is worse than physical harm or loss of life, though in the case of the military, the two may be equivalent.