Sitting in my office this morning I find myself in a reflective mood. I joked a few years ago that 2012 was the "summer of breach". That year we saw breaches at LinkedIn, Dropbox, Elections Ontario, Last.fm and eHarmony. Little did I realize that this was little more than a beachhead. In 2015 the breaches kept rolling in, with targets such as Hyatt, Ashley Madison and the US Office of Personnel Management. I'm doubtful that this will change in 2016.
Have we learned anything from these events? We are more than happy to stand around the smoking crater of a company that gets breached, but do we take away anything from the lessons of the event? We have seen companies that were breached while their tools were screaming that something was wrong, but no one was paying attention to the alerts. We have seen sites that were not properly patched. The part that sticks in my craw is that this keeps happening.
A few days ago news came out that the casino firm, Affinity Gaming, brought legal action against the Chicago based security outfit, Trustwave. Later Affinity had Mandiant do a follow up assessment.
From the complaint filed in Federal Court:
Mandiant’s forthright and thorough investigation concluded that Trustwave’s representations were untrue, and Trustwave’s prior work was woefully inadequate. In reality, Trustwave lied when it claimed that its so-called investigation would diagnose and help remedy the data breach, when it represented that the data breach was “contained,” and when it claimed that the recommendations it was offering would address the data breach. Trustwave knew (or recklessly disregarded) that it was going to, and did, examine only a small subset of Affinity Gaming’s data systems, and had failed to identify the means by which the attacker had breached Affinity Gaming’s data security. Thus, Trustwave could not in good faith have made the foregoing representations to Affinity Gaming.
I can’t even imagine how it arrived at this point. I never had Trustwave do work for me when I was a defender, so I can’t speak to the work they did. Neither can I comment on the engagement with Affinity, but I’m given a moment's pause. When I was on the defender side of the phone we would have multiple firms providing assessments or audits at any given time, depending on the company I was working for at the time.
This is the thing. The firms in question would have a defined box to operate within. They were never given free rein to do whatever they wanted. They had clear marching orders. In some cases there were things that were missed simply because they were outside of scope and not part of the engagement.
This is by no means an indictment or defense of Trustwave. It’s simply that they happen to have the unlucky moniker of being what I assume is the first such firm to be sued for missing something like this. My first instinctual reaction was that this was a knee-jerk lawsuit, but not being involved I can’t be sure. If this was something that was clearly within the scope of the engagement and they missed it, then by all means, break out the pitchforks and angry villagers.
We really don’t know what transpired here, as we’re stuck at the "they said, they said" stage. If this lawsuit proceeds I believe that the particulars will come to light. This is an ugly turn in the data breach saga. We collectively need to do a better job of securing our systems and not get swept up in the side show that legal action like this provides. For the time being I’m going to continue to reflect on lessons learned and watch the news feed roll on.