Crisis 0: Game Over
A veteran security pro just sent me an email on my post Extending the Information Security Incident Classification with Crisis Levels. He suggested a Crisis beyond Crisis 1 -- "organization collapses." That is a real Game Over -- Crisis 0. In other words, the cost of dealing with the crisis bankrupts the victim organization, or the organization is ordered to shut down, or any other consequence that removes the organization as a "going concern," to use some accountant-speak.
I guess the hunt is on now to discover example organizations which have ceased to exist as a result of information security breaches. The rough part of that exercise is connecting all the dots. Who can say that, as a result of stealing intellectual property, a competitor gained persistent economic advantage over the victim and drove it to bankruptcy? These are the sorts of consequences whose timeline is likely to evade just about everyone.
Putting on my historian's hat, I remember the many spies who stole the manufacturing methods developed by the pioneers of the Industrial Revolution in Great Britain, resulting in technology transfers to developing countries. Great Britain's influence faded in the following century.
I'm sure some savvy reader knows of some corporate espionage case that ended badly for the victim, i.e., bankruptcy or the like?
Incidentally, I should remind everyone (and myself) that my classification system was intended to be applied to a single system. It is possible to imagine a scenario where one system is so key to the enterprise that a breach of its data does result in Crisis 3, 2, 1, or 0, but that's probably a stretch for the worst Crisis levels. Getting to such a severe state probably requires a more comprehensive breach. So, let's not get too carried away by extending the classification too far.
Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.
Comments
Why ignore DDoS? I'm really curious.
Also, they generally aren't set up to deal with the effects of outbound DDoSes launched by botted hosts on the enterprise network.
Finally, I thought you were writing here in order to provide security guidance to your readership, not just focus on what you perceive to be your priorities in your particular situation? That seems to be the case with your taxonomy/matrix, yet DDoS is inexplicably missing.
An argument could be made for the cracking of the Enigma algorithm as being a good mid-term example. This cracking/breach led to significant Allied military advantage, leading to the end of the 3rd Reich as a going concern.
A more recent example would be CardSystem Solutions, which suffered a breach which damaged its finances enough that it got bought out for pennies on the dollar (by an organization that subsequently went bankrupt paying legal fees).
I'm certain there would be a number of military tales over the ages; corporate stories are likely a little more difficult to come by (less prone to have a single demonstrable 'battle').
- Michael Argast
"Finally, I thought you were writing here in order to provide security guidance to your readership, not just focus on what you perceive to be your priorities in your particular situation?"
This isn't PBS. I write about whatever I want.
;>
While I don't think the compromise was 100% the cause for the bankruptcy, it didn't help.
http://www.theregister.co.uk/2009/06/09/lxlabs_funder_death/