By Toby Weir-Jones, Vice President, Product Development, Managed Security Solutions Group, BT Global Services
Brian Krebs recently shared a familiar-sounding story with a new twist. Thieves, using valid credentials for PlainsCapital Bank’s online banking system, initiated wire transfers from the account of Hillary Machinery to international destinations. Instead of the victim suing the bank, the bank is preemptively suing the victim.
PlainsCapital is asking the District Court to certify that the bank’s security practices were commercially reasonable. The bank’s key argument is that no attack on its systems took place: valid credentials were presented, and it processed the wire transfers in good faith. It therefore claims not to be at fault. The victim, conversely, argues that the bank’s registration-email tool should have been smart enough to flag source IP addresses that were not assigned to the victim’s network, and that the bank is therefore guilty of using inadequate security controls.
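The control the victim argues for is a source-address allowlist: hold any transfer request that originates outside the network ranges the customer has registered. The following is an added example, not code from the original post, from PlainsCapital, or from any party to the case. The customer IDs, CIDR ranges and log lines are constructed for the example; the key=value log format is an assumption, and the policy (hold rather than reject, treat unregistered customers and unparseable addresses as holds) is the author's choice for illustration.

```python
"""Source-IP allowlist check for online wire transfer requests.

Added example; names, ranges, log format and log lines are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed per-customer allowlist (hypothetical customer IDs and ranges).
CUSTOMER_NETWORKS: Dict[str, List[str]] = {
    "cust-1001": ["203.0.113.0/24", "2001:db8:1::/48"],
    "cust-1002": [],  # enrolled, but no source networks registered yet
}


@dataclass(frozen=True)
class WireRequest:
    customer_id: str
    source_ip: str
    amount_usd: int
    international: bool


def parse_networks(cidrs: List[str]) -> List[ipaddress._BaseNetwork]:
    # strict=False tolerates a registered range written with host bits set.
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def normalize_address(source_ip: str) -> ipaddress._BaseAddress:
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so a
    customer registered with IPv4 ranges still matches behind a dual-stack
    front end. Raises ValueError on garbage input."""
    addr = ipaddress.ip_address(source_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def evaluate(req: WireRequest) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow' or 'hold'.

    Every failure to positively confirm the source lands on 'hold': an
    unparseable address, an unknown customer, or a customer with nothing
    registered must not silently pass the check."""
    try:
        addr = normalize_address(req.source_ip)
    except ValueError:
        return ("hold", f"unparseable source address {req.source_ip!r}")
    cidrs = CUSTOMER_NETWORKS.get(req.customer_id)
    if cidrs is None:
        return ("hold", f"unknown customer {req.customer_id}")
    if not cidrs:
        return ("hold", "no source networks registered for customer")
    # ip_network.__contains__ already returns False across IPv4/IPv6.
    if any(addr in net for net in parse_networks(cidrs)):
        return ("allow", "source address within registered networks")
    reason = f"source {addr} outside registered networks (USD {req.amount_usd})"
    if req.international:
        reason += "; international destination"
    return ("hold", reason)


def parse_log_line(line: str) -> WireRequest:
    # Assumed format: space-separated key=value tokens (constructed here).
    fields = dict(tok.split("=", 1) for tok in line.split())
    return WireRequest(
        customer_id=fields["customer"],
        source_ip=fields["src"],
        amount_usd=int(fields["amount"]),
        international=fields["intl"] == "1",
    )


def run_over_log(log_text: str) -> List[Tuple[str, str]]:
    """Evaluate each non-empty line of a transfer-request log."""
    return [evaluate(parse_log_line(ln)) for ln in log_text.splitlines() if ln.strip()]


# Constructed sample log; documentation ranges only (RFC 5737 / RFC 3849).
SAMPLE_LOG = """\
customer=cust-1001 src=203.0.113.17 amount=12000 intl=0
customer=cust-1001 src=198.51.100.9 amount=95000 intl=1
customer=cust-1001 src=::ffff:203.0.113.200 amount=500 intl=0
customer=cust-1001 src=2001:db8:1::42 amount=700 intl=0
customer=cust-1002 src=203.0.113.17 amount=300 intl=0
customer=cust-9999 src=203.0.113.17 amount=300 intl=0
customer=cust-1001 src=not-an-ip amount=300 intl=0
"""

if __name__ == "__main__":
    for line, (decision, reason) in zip(SAMPLE_LOG.splitlines(), run_over_log(SAMPLE_LOG)):
        print(f"{decision:5s}  {reason}  <- {line}")
```

The design point is the default: the check confirms that a request is expected and holds everything else, rather than trying to enumerate suspicious addresses. A real deployment would also have to decide who may change a customer's registered ranges (an attacker holding valid credentials would otherwise simply add their own) and how a held transfer is confirmed out of band.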
This is a real-world example of an idea we blogged about shortly after CyberMonday 2009: making the costs of online activity visible to the end customer. The status quo for attacks such as the one against Hillary is that the victim sues the bank, and the bank files a claim against its insurance or otherwise pays out of pocket. PlainsCapital is saying, in essence, that the roughly $200k that was not recovered is the victim’s cost to bear, and that the finger-pointing over who performed correct (or inadequate) risk management is taken off the table. Hillary did not need to enable online wire transfer services, the argument would go, and the choice to use them comes with an inherent cost. Now, unusually, a real-world figure is being attached to that abstract notion of cost.
Without knowing how the courts will handle this particular case, the key question is whether an online service provider is protected against customer claims if it has employed commercially reasonable controls for that service. For example, it is no longer adequate simply to say you offer “authentication”; but the cost of managing a large number of hardware tokens is still prohibitive for most systems, and the average customer will not pay an additional fee for the benefits of an additional authentication factor. The industry has offered up a variety of soft tokens in response, and for systems protecting personal financial or credit information, this would seem to be a fair minimum standard of protection. Customers should also demand some kind of reputable third-party validation of the quality of the implementation, since good controls are worthless if they are poorly set up. An opportunity exists for a rating scheme that is both technically sophisticated and consumer-friendly.
In addition, customers should require some kind of disclosure about extranet, WAN, and other third-party connections between their primary vendor (online bank, insurance broker, mortgage company, etc.) and any other parties in the supply chain. Obviously the same standards applied to the vendor’s in-house infrastructure should be met or exceeded by those third parties as well. Banks (and compliance officers) will cringe at the complexity of performing annual audits to certify to this extent, but that is due primarily to objections to the cost of doing it properly. If a vendor can’t make it work, that is probably as much an indication of inadequate executive-level support as it is a revealing sign of the poor state of the infrastructure.
So the strategy appears to have two steps: first, ensure you really do employ commercially reasonable (“best”) practices, and second, defend them proactively in court by seeking a legal opinion that validates their robustness. Case law precedent won’t move fast enough to keep up with evolving best practices, but if a few courts do issue judgments establishing that a court can take the question of inadequacy off the table, the result may be an unfortunate situation in which courts are providing an opinion that was previously the domain of specialized assessment engagements and bleeding-edge specialists.
It’s not clear whether that is better than having dueling experts fight one another in cross-examination, but I think most would agree that a court is unlikely to possess sufficient knowledge to evaluate corner cases reliably. We therefore end up in a classic conundrum: how to define the application of best practices with enough precision to remove much of the interpretive spin from the exercise. Vendors providing such assessments or opinions should be working with legal counsel to ensure the findings are both technically and legally unambiguous, framed in specific, tangible terms, and honest about the boundaries of coverage or testing exposure. The audience, after all, may not be limited to a company’s internal technical staff, and the findings should be understandable to someone with a broader point of view.
