Sunday, June 07, 2009

Extending the Information Security Incident Classification with Crisis Levels

Last week I tweaked my Information Security Incident Classification chart. Given recent events I might consider extending it to include Crisis 3, 2, and 1 levels.

Perhaps they would look like this. I previously alluded to "11" in my original post.

  • Crisis 3. 11 / Intruder has publicized data loss via online or mainstream media.

  • Crisis 2. 12 / Data loss prompts government or regulatory investigation with fines or other legal consequences.

  • Crisis 1. 13 / Data loss results in physical harm or loss of life.

I thought about these situations because of the latest Crisis 3, now affecting T-Mobile, as posted to Full-disclosure yesterday:

Date: Sat, 6 Jun 2009 15:18:06 -0400

Hello world,

The U.S. T-Mobile network predominately uses the GSM/GPRS/EDGE 1900 MHz frequency-band, making it the largest 1900 MHz network in the United States. Service is available in 98 of the 100 largest markets and 268 million potential customers.

Like Checkpoint[,] Tmobile [sic] has been owned for some time. We have everything: their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009.

We already contacted their competitors and they didn't show interest in buying their data (probably because the mails got to the wrong people), so now we are offering them to the highest bidder.

Please only serious offers, don't waste our time.


Name Type Team Application Name ApplicationID Application Operating System IP Address Facility Blank Blank Blank Tier 1 Apps Tier 2 Apps ? Prod
protun03 Prod IHAP Caller Tunes 64 CallerTunes HP-UX 11.11 BOTHELL_7 #N/A 64 1
protun04 Prod IHAP Caller Tunes 64 CallerTunes HP-UX 11.11 BOTHELL_7 #N/A 64 1
protun05 Prod IHAP Caller Tunes 64 CallerTunes HP-UX 11.11 BOTHELL_7 #N/A 64 1
protun06 Prod IHAP Caller Tunes 64 CallerTunes HP-UX 11.11 BOTHELL_7 #N/A 64 1
...edited out 505 more server entries...
proxfr03 Prod Infra Connect Direct 106 Connect Direct HP-UX 11.11 NEXUS #N/A #N/A 1
proxfr04 Prod Infra Connect Direct 106 Connect Direct HP-UX 11.23 NEXUS #N/A #N/A 1

Talk about monetizing an intrusion. Can you imagine your company's data posted to a public forum like this?

This sort of incident is becoming more common. Remember the 8 million Virginian patient records from April?


I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(

For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid. Now I don't know what all this shit is worth or who would pay for it, but I'm bettin' someone will. Hell, if I can't move the prescription data at the very least I can find a buyer for the personal data (name,age,address,social security #, driver's license #).

Something similar happened to Express Scripts last year.

If this isn't enough to convince management that every active remote command and control channel presents a clear and present danger to the enterprise, I don't know what is. All of these incidents started with an intruder gaining access to at least one system. If the organization doesn't take these incidents seriously, the next step could be public humiliation. You might say "the Feds will grab these guys." True, but what is the cost to the reputation of the victim organization?

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.


Anonymous said...

# Crisis 1. 13 / Data loss results in physical harm or loss of life

While loss of data could certainly hurt a patient or patients (for example, drug interactions could be missed or surgery performed on the wrong location), it's the data integrity portion of this equation that really scares me (and not just for health care).

Some of these intruders have been inside the systems longer than the administrators have been employed and certainly longer than our ability to detect the initial set of "anomalous" activity.

I agree these systems must be looked at, immediately and with a much greater scrutiny. If we don't know what data has left a compromised machine, we must assume everything.

Just like poker - if you don't know who the "sucker" is at the table, it's you.

Anonymous said...

Is there an official/formal method to handle this (other than paying the ransom)? If so, what is it? Does it involve some group in the Feds? If there is no official method, what do you think is the best way to handle this kind of a situation?

Tome said...

Can't you just make up a list like this? Anyone dealing with any sort of corporate IT infrastructure planning, application architecture etc., can come up with a list like this. Then add some IP addresses and some scary cryptic stuff to it.

Security Shoggoth said...

I might actually amend Crisis 3 to be "Intruder has publicized data loss." IMO, if an intruder begins contacting your customers directly, that is just as harmful as them contacting the media.

Anonymous said...

Any idea what the brief reference to Checkpoint being owned means? I saw this on the original post over the weekend and haven't seen any comments on it.

LonerVamp said...

That reminds me, whatever happened with that Virginia PMP hack? I see the site is still down...

Richard Bejtlich said...

I got my notification this week. :(