black hat 2015
TechTank

New cybersecurity mantra: “If you can’t protect it, don’t collect it”

Richard Bejtlich

In early August I attended my 11th Black Hat USA conference in sunny Las Vegas, Nevada. Black Hat is the somewhat more corporate sibling of the annual DEF CON hacker convention, which follows Black Hat. Since my first visit to both conferences in 2002, I’ve kept tabs on the themes expressed by computer security practitioners. This year I heard a new refrain: “If you can’t protect it, don’t collect it.”

Reducing risk of cyberattack

A deluge of breaches continues to plague corporate, non-profit, educational, and public organizations. In my recent Brookings article “If you can’t keep hackers out, find and remove them faster,” I offered strategic guidance on how to detect and respond to intruders. By catching attackers after they gain unauthorized access, but before they steal, alter, or destroy data, defenders can prevent an intrusion from becoming a breach.  A complementary strategy, reflected by several colleagues at Black Hat, involves reducing the amount of information at risk.

This “data minimization” strategy is more than theoretical. I participated in a day-long Black Hat summit for chief information security officers. One of the speakers was Stacey Halota, Vice President for Information Security and Privacy at the Graham Holdings Company (GHCO), a publicly traded education and media company. Halota’s briefing on the GHCO security program caught my attention for two reasons. First, she drives a concept of “least data” throughout the business. This is a concentrated effort to reduce the amount of data held by the organization, thereby reducing the risk to employees and customers. For example, if a business unit needs to process credit card data, they seek to use it as quickly as possible and then remove it from storage as quickly as possible.

Protecting social security numbers

The second surprising aspect of Halota’s security program was her work to remove, or at least reduce, the processing of Social Security numbers when conducting business. Social Security numbers (SSNs) present a terrible risk for American citizens because public and private institutions continue to use them as an authentication mechanism. An institution tends to believe that an individual who knows a particular SSN is the owner of the SSN.

In reality, the bearer of the SSN could be an identity thief. Alternatively, the bearer of the SSN could even be a foreign intelligence service agent, as appears to be the case in the breaches of the Office of Personnel Management and several health insurance providers.

Halota’s SSN minimization program relies on two approaches. First, where possible, business units simply no longer collect and retain SSNs. Second, where SSNs are required for business purposes, Halota encourages the use of “tokenization,” the replacement of the SSN with another number that serves as an index to the actual SSN. Rather than recording the SSN directly within business records, the token is stored instead.  

Should the SSN be required, a call to a separate, carefully maintained “tokenization server” is required. While the tokenization server remains a security risk, the introduction of a separate, second system presents an additional hurdle for intruders. Should an attacker breach business records, they would need to then make an additional leap to compromise the tokenization server. The delay could be all that a company’s computer incident response team needs to detect the first compromise and respond by removing the intruder from the organization.

Room for improvement

Halota explained to me that the data and SSN reduction programs aren’t perfect. Certain government processes and regulations require the collection and retention of SSNs. For example, one of her business units is required by the U.S. Department of Education to uniquely identify students by SSN when processing financial aid documents. In other business units, service representatives need methods to “prove” that callers are the customers they claim to be with the last four digits of a SSN. Furthermore, some legacy systems require SSNs in order to interoperate with other computers and business processes. These three examples demonstrate the challenges facing organizations that try to adopt “least data” principles while conducting business.

The concept of data minimization is one that every private or public sector manager and employee should consider. In addition to collecting, processing, and retaining as little sensitive data as possible, leaders should determine how to help breach victims recover should their data be stolen, altered, or destroyed by intruders. The last 15 years have witnessed the evolution of the detection and response programs for restoring computer systems to a state of trustworthiness. The next stage of the information revolution requires rethinking the business processes surrounding sensitive data. Data minimization must be a key theme in cybersecurity going forward.