
Data Breaches, a 3-part Series Breaking Breach Secrecy, Part 2


Data breaches are escalating. Many organizations still do not encrypt their data. If they do, many still use the vulnerable 56-bit "Data Encryption Standard." And breach notification guidelines are still vague. U.S. federal and state legislation need to catch up with the circumstances.

In September, a medical privacy breach led to the public posting on a commercial website of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif. According to "Patient Data Posted Online in Major Breach of Privacy," by Kevin Sack in the Sept. 8 edition of The New York Times, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors to a website called Student of Fortune. In 2010 alone, more than 5.4 million people were affected by U.S. health data breaches, according to a recent report from the U.S. Department of Health and Human Services.

Most American states and the U.S. federal government have reacted quickly to consider new legislation to address data breach problems in all sectors and possibly provide some protection to consumers and businesses.

One of the main issues that state and federal legislators address when they write new data breach notification legislation is the timely notice of breaches to consumers.

According to the Consumers Union, "Individuals need to know when there is a breach of the security of their sensitive personal information such as a Social Security number, government identification number, payment card information, or account number which provides access to finances or to financial information. Once the individual gets the notice of breach, he or she can take steps to prevent or detect identity theft. A strong notice of breach requirement creates an incentive for both companies and government agencies to work to prevent future security breaches." ("Key Issues on Financial Privacy and Identity Theft in Congress — 2007") Unfortunately, many organizations that have experienced security breaches do not see it this way.

At the heart of the issue is the question of when, if ever, an organization's recognition of a data breach "triggers" a notice to the consumer whose personal information was compromised. All of the legislation at the state and federal levels has addressed this issue, and the approaches are classified as "acquisition based" or "risk based."

Bear with me on this. According to U.S. PIRG, a public interest research organization, an " 'acquisition-based trigger' means [a] strong consumer-oriented notification requirement based on loss of information" and a " 'risk-based trigger' means loss of information does not trigger [a] notice automatically. Notice is subject to some analysis by [the] breached entity of the degree of risk to consumers." ("Summary of State Security Freeze and Security Breach Notification Laws")

A loss of information for acquisition-based trigger legislation means a real loss or a reasonable assurance of loss of unencrypted information only. This means that if the information is encrypted, notification of the breach is not required.

For risk-based trigger legislation, the entity whose data was breached has the right to make a judgment about the degree of risk for unencrypted information before it is required to release a notification. Encrypted information does not require notification.

A major weakness of the risk-based trigger approach is that it adds an additional risk standard that will eliminate notice of some security breaches involving sensitive personal information, according to the Consumers Union. "Under a [risk-based] trigger approach, a business does not have to give notice unless it determines that the breach creates a reasonable or even a higher level of a risk of identity theft or other harm. Consumers Union calls a risk trigger 'don't know, don't tell' because it excuses notice when there is insufficient information about the breach." This is comparable to putting the proverbial fox in charge of the chicken coop.

Thus, acquisition-based trigger legislation is considered stronger than risk-based trigger legislation but in reality not by much because in both cases encrypted information is not subject to notification, which is at the heart of the problem.

STATE LEGISLATION

As of publication, 46 states, the Virgin Islands, Puerto Rico and the District of Columbia have enacted data breach notification laws. Kentucky, New Mexico, South Dakota and Alabama have yet to pass a law. The state laws are inconsistent. For example, according to PIRG, "some state breach laws may only apply to breaches by corporations and/or other private entities or to state agencies but not to both. Other state laws may unnecessarily exempt certain institutions, such as financial institutions covered by weak federal financial agency breach notice rules (even though those federal rules explicitly allow stronger state laws)."

Most of the states that have passed data breach notification laws and, prior to the current session of Congress, all the bills written at the federal level the past three sessions have adopted the risk-based trigger approach. According to the Consumers Union article, "The strongest state notice of breach laws, including those in California, New York and Illinois, require notice when the security of certain types of sensitive information has been breached." For example, the data notification law in California states that it:  

  • would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  

States that have adopted the acquisition-based trigger approach include California, Delaware, Florida, Georgia, Hawaii, Illinois, Indiana, Maine, Minnesota, Nevada, New York, North Dakota, Oklahoma, Rhode Island, Tennessee, Massachusetts, Virginia and Texas.

States that have adopted the risk-based trigger approach include Arkansas, Arizona, Colorado, Connecticut, Idaho, Kansas, Louisiana, Montana, Maryland, Nebraska, New Hampshire, New Jersey, North Carolina, Ohio, Pennsylvania, Utah, Washington, Alaska, Iowa, Michigan, Mississippi, Missouri, Oregon, South Carolina, Vermont, West Virginia, Wyoming and Wisconsin.

FEDERAL LEGISLATION

As of publication, the U.S. Congress has not passed a comprehensive data breach notification law. Addressing the acceleration of security breaches in 2005, Congress has written and introduced more than 15 pieces of legislation in the three sessions from 2005 through 2010. However, all of these bills are now considered dead because they were never enacted into law. Like most of the data notification laws passed at the state level, the federal bills were risk based and gave organizations much leeway in judging if they should notify consumers of a security breach and, if so, when.

A few new bills have been introduced. For example, the Data Security and Breach Notification Act (Senate), which was originally introduced in 2010, and The SAFE Data Act (House) were both introduced or reintroduced in 2011. Like all the other data notification bills, these two provided an exemption to notification of a breach. This is the wording in The SAFE Data Act, which is similar to the other bill: 

  • If the data in electronic form containing personal information is rendered unusable, unreadable, or indecipherable through encryption or other security technology or methodology (if the method of encryption or such other technology or methodology is generally accepted by experts in the information security field), there shall be a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption or other security technologies or methodologies in a specific case have been or are reasonably likely to be compromised. 

The important phrase above is "if the method of encryption or such other technology or methodology is generally accepted by experts in the information security field." This is a big improvement over prior legislation: encrypting information would no longer, by itself, excuse an organization from notifying consumers of a breach, because the encryption method must be "generally accepted" by the experts. If given the chance to make a judgment, the experts should agree that the 56-bit Data Encryption Standard (DES) is not acceptable because hackers have repeatedly broken its keys. Although this proposed federal legislation would be stronger if it directly stated that 128-bit AES is the required minimum, it does provide the "teeth" to help safeguard information and protect consumers and businesses.

The legislation goes on to say that: 

  • (B) METHODOLOGIES OR TECHNOLOGIES. — Not later than 1 year after the enactment of this Act and biannually thereafter, the Commission shall issue rules (pursuant to section 553 of title 5, United States Code) or guidance to identify security methodologies or technologies which render data in electronic form unusable, unreadable, or indecipherable, that shall, if applied to such data, establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that any such methodology or technology in a specific case has been or is reasonably likely to be compromised.

This is important because the experts, not the organizations, determine which methodologies or technologies are appropriate to safeguard personal information. We can assume that the experts understand that the 56-bit Data Encryption Standard (DES) is outdated and should not be allowed. But again, we could avoid any misinterpretation by the experts if a new federal law banned the use of DES and, instead, required AES. In addition, the experts would have to reevaluate the approved methods over time to determine whether they remain adequate.

WHERE RISK- AND ACQUISITION-BASED TRIGGER APPROACHES FAIL 

Let us look at a situation in which the risk- and acquisition-based trigger approaches will not protect personal information of consumers but will probably lead to identity theft.

As noted above, both of these approaches would waive notification to the consumer if the breached data is encrypted, and all of the data breach notification bills introduced in the past three sessions of the U.S. Congress prior to 2011 exempt organizations from notifying consumers of breaches if certain conditions exist. For example, Section 3(b) (1B) of Senate bill number S. 139, the Data Breach Notification Act, which was reintroduced in 2010, mentions that "An agency or business entity shall be exempt from notice requirements … if (A) a risk assessment concludes that there is no significant risk that a security breach has resulted in, or will result in, harm to the individual whose sensitive personally identifiable information was subject to the security breach." This is interpreted in 3(b) (2A) of the bill under the "presumptions" section where it is stated that "There shall be a presumption that no significant risk of harm to the individual whose sensitive personally identifiable information was subject to a security breach if such information—(A) was encrypted or (B) was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms that are widely accepted as an effective practice, or an effective industry standard."

Encryption is the best method to secure plain text in electronic communication and messages. When you type in your password, an encryption scheme converts it into a "password hash" that might look something like this: 7l9g0m4eel8mv75k2f0o4q2k6. Your username and password hash are stored in a Registry and/or SAM (Security Accounts Manager) File. Every time you reenter your password, it is encrypted again and compared to the stored encryption. If they do not match, you will be told that your reentered password is incorrect.

When hackers breach a network, they can collect the exposed encrypted information, such as password hashes, return it to plain text and then possibly use it to commit identity theft, assuming they can crack the key or underlying algorithm of the encryption scheme.
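As an added example (not from the article or from any vendor named in it), here is how a login system stores and checks a password hash in the way the two paragraphs above describe, written in Go using only the standard library. The record format, the iteration count and the sample passwords are assumptions made for this example; PBKDF2 is written out inline so the program is self-contained, whereas a production system would call a vetted library routine such as golang.org/x/crypto/pbkdf2, bcrypt or argon2. The point it shows: the stored value is a salted, deliberately slow one-way hash, so recovering a password from a leaked record means guessing candidates one at a time, and each guess costs the attacker the same work as a legitimate login.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
)

// Iteration count for the key-derivation function. Chosen for this example;
// deployments tune it so one hash takes tens of milliseconds on their hardware.
const pbkdf2Iterations = 100000

// pbkdf2SHA256 derives keyLen bytes from password and salt with
// PBKDF2-HMAC-SHA256 (RFC 8018). Implemented inline only so the example
// needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	counter := make([]byte, 4)
	for block := 1; block <= numBlocks; block++ {
		// U1 = PRF(password, salt || INT_32_BE(block))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(counter, uint32(block))
		prf.Write(counter)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// Ui = PRF(password, Ui-1); T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// encodeRecord builds the stored string "pbkdf2-sha256$iter$salt$hash".
// The format is an assumption for this example.
func encodeRecord(password string, salt []byte, iterations int) string {
	dk := pbkdf2SHA256([]byte(password), salt, iterations, 32)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations,
		base64.RawStdEncoding.EncodeToString(salt),
		base64.RawStdEncoding.EncodeToString(dk))
}

// HashPassword hashes a new password under a fresh random 16-byte salt, so
// two users with the same password get different stored records.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	return encodeRecord(password, salt, pbkdf2Iterations), nil
}

// VerifyPassword recomputes the hash from the stored salt and iteration
// count and compares in constant time. Nothing is "decrypted": the stored
// value is a one-way hash and cannot be turned back into the password.
func VerifyPassword(record, password string) bool {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iterations, err := strconv.Atoi(parts[1])
	if err != nil || iterations < 1 {
		return false
	}
	salt, err := base64.RawStdEncoding.DecodeString(parts[2])
	if err != nil {
		return false
	}
	want, err := base64.RawStdEncoding.DecodeString(parts[3])
	if err != nil || len(want) == 0 { // an empty hash must never verify
		return false
	}
	got := pbkdf2SHA256([]byte(password), salt, iterations, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

func main() {
	rec, err := HashPassword("correct horse battery staple") // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Println("stored record:", rec)
	fmt.Println("correct password accepted:", VerifyPassword(rec, "correct horse battery staple"))
	fmt.Println("wrong password rejected:  ", !VerifyPassword(rec, "password123"))
}
```

Because the salt and iteration count travel inside the record, the iteration count can be raised later and old records still verify; an account is simply rehashed at its next successful login.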

The size or length of the key used in a cryptographic algorithm is measured in bits. Theoretically and generally speaking, by today's standards, the longer the key, the more secure the encrypted information. DES, introduced in 1977 and still used today, has a key size of 56 bits. The more commonly used Advanced Encryption Standard (AES) uses the Rijndael algorithm, invented in 2001 by Vincent Rijmen and Joan Daemen, as its underlying security algorithm. The key lengths of this algorithm, in bits, are referred to as AES-128, AES-192 and AES-256.

According to an Aug. 8, 2011 article, "AES Encryption Explained in a Nutshell," by Mark Muller on the "Bright Hub — The Hub for Bright Minds" website, the Rijndael algorithm "implements the mathematical operations substitution, transposition, as well as permutation to plaintext, the term used to describe input in the cryptography domain."

Let us simplify this jargon somewhat: Encrypted text will be harder for hackers to break and return to plain text if the encryption creates as many possible combinations as it can. For example, looking at the mathematical concept of permutation alone, the possible orderings of the digits 1 and 2 are 12 and 21. If we add the digit 3, the number of orderings increases to six: 123, 132, 213, 231, 312, 321. The more complicated the encryption scheme, the more difficult it is for hackers to break the code.

AES-128 uses 10 rounds of these algebraic operations in a complex scheme to produce encrypted output, or cipher text as it is called in expert terms. AES-192 and AES-256 use 12 and 14 rounds, respectively.
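To make the key-length and round-count points concrete, here is an added Go example (not from the article) that computes the expected exhaustive-search time for 56-, 128- and 256-bit keys at an assumed guess rate, and then encrypts a constructed record with AES-128-GCM from the Go standard library, where a 16-byte key selects the 10-round AES-128 described above. The guess rate, the key and the record are assumptions for the example. It also shows a property the paragraphs do not mention: with an authenticated mode such as GCM, a single flipped bit in the stored ciphertext is rejected on decryption rather than silently decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// ExpectedBruteForceYears returns the expected time to recover a key by
// exhaustive search: on average half of the 2^keyBits keys must be tried,
// at keysPerSecond guesses per second. big.Float keeps 2^256 exact enough.
func ExpectedBruteForceYears(keyBits uint, keysPerSecond float64) float64 {
	keyspace := new(big.Float).SetInt(new(big.Int).Lsh(big.NewInt(1), keyBits))
	seconds := new(big.Float).Quo(keyspace, big.NewFloat(2*keysPerSecond))
	years, _ := new(big.Float).Quo(seconds, big.NewFloat(365.25*24*3600)).Float64()
	return years
}

// Encrypt seals plaintext with AES-GCM. A 16-byte key gives AES-128.
// Output layout: nonce || ciphertext || authentication tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and returns an error if the ciphertext or tag
// was altered in any way.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Assumed rate of one trillion guesses per second, for illustration only.
	for _, bits := range []uint{56, 128, 256} {
		fmt.Printf("%3d-bit key at 1e12 guesses/s: %.3g years expected\n",
			bits, ExpectedBruteForceYears(bits, 1e12))
	}

	key := make([]byte, 16) // constructed: real keys come from a key store or KDF
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte("ssn=000-00-0000;name=Example Person") // constructed sample
	sealed, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	plain, err := Decrypt(key, sealed)
	fmt.Println("round trip ok:", err == nil && string(plain) == string(record))

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Decrypt(key, sealed)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

At the assumed rate, the 56-bit search finishes in hours while the 128-bit one is measured in sextillions of years, which is the whole argument for retiring DES in the numbers the article is making in words.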

BRUTE FORCE AND CRYPTANALYSIS

Brute force and cryptanalysis are two well-known ways to break an encryption key.

According to SearchSecurity.com, brute force is a trial-and-error method "used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies."

Most traditional computers cannot crack the stronger algorithms, such as AES, because they use larger "integer factorization," the decomposition of a composite number into smaller non-trivial divisors which, when multiplied together, equal the original integer.

However, hackers have been successful in using brute force tactics to crack the key underlying DES because its key is only 56 bits long. In the recent Gawker Media Network breach, the hackers posted the compromised information, including the password hashes, on a site where other hackers could attempt to crack them.

Jon Oberheide, co-founder of Duo Security, wrote in a Dec. 13, 2010, blog post in the Duo Bulletin online newsletter that "The hacker group Gnosis [took responsibility for the breach and] posted a torrent containing a full dump of Gawker's source code as well as the entire user database consisting of 1.3 million usernames, e-mail addresses, and DES-based crypt password hashes." [The Gawker attack came on the heels of a similar attack about two years ago by Imperva (a data security company) on RockYou, a Facebook application developer, which exposed 32 million unencrypted passwords.]

If Gawker had used the AES, the hackers may have still caused the data breach, but they would not have been able to convert the password hashes to plain text and use them for identity theft. Duo Security, a two-factor authentication provider (a company that helps organizations set up a more stringent security system with extra questions, along with a user name and password), obtained a copy of Gawker's compromised information and used some available technology to attempt to decrypt it back into plain text.

Duo Security, in its analysis of the Gawker information dump, first filtered the 1.3 million entries down to 748,000 password hashes. It then used a de facto standard tool, "John the Ripper" or "JtR," written by Solar Designer, for cracking the password hashes. Duo Security cracked nearly 400,000 passwords (and returned them to plain text in less than a day), most of which were alarmingly simple.

Again, this is strong proof that the algorithm underlying the DES, even though commonly used, does not protect encrypted information from being converted into plain text, which makes it useful for identity theft.
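A defender's response to the Gawker finding is to inventory which hash scheme each account actually uses before a breach rather than after one. The following added Go example (not from the article, Duo Security or Gawker) classifies stored password hashes by their on-disk shape, tallies them, and lists the accounts that should be rehashed at their next login or forced through a reset. The export lines are constructed, and the scheme names and migration policy are assumptions made for the example; it goes beyond the article's DES crypt case to the other legacy formats such an audit commonly turns up.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of a "username:stored-hash" export. None of these are
// real accounts, and the hash bodies are placeholders shaped like each format.
var sampleExport = []string{
	"alice:$2b$12$constructedsaltvalue22chrconstructedhashvalue31chars",
	"bob:abJnggxhB/yWI",
	"carol:$1$examplesalt$constructedmd5crypthash",
	"dave:$6$rounds=5000$examplesalt$constructedsha512crypthash",
	"eve:5f4dcc3b5aa765d61d8327deb882cf99",
	"frank:$argon2id$v=19$m=65536,t=3,p=4$examplesalt$constructedargon2hash",
}

var (
	// Traditional DES-based crypt(3): 2-character salt + 11-character hash,
	// all from the alphabet [./0-9A-Za-z], and no "$id$" prefix.
	desCryptRe = regexp.MustCompile(`^[./0-9A-Za-z]{13}$`)
	hexRe      = regexp.MustCompile(`^[0-9a-fA-F]+$`)
)

// Classify names the hash scheme from the stored string's shape.
func Classify(hash string) string {
	switch {
	case strings.HasPrefix(hash, "$argon2id$"), strings.HasPrefix(hash, "$argon2i$"):
		return "argon2"
	case strings.HasPrefix(hash, "$2a$"), strings.HasPrefix(hash, "$2b$"), strings.HasPrefix(hash, "$2y$"):
		return "bcrypt"
	case strings.HasPrefix(hash, "$6$"):
		return "sha512-crypt"
	case strings.HasPrefix(hash, "$5$"):
		return "sha256-crypt"
	case strings.HasPrefix(hash, "$1$"):
		return "md5-crypt"
	case desCryptRe.MatchString(hash):
		// Built on 56-bit DES and uses only the first 8 password characters:
		// this is the format in the Gawker dump.
		return "des-crypt"
	case len(hash) == 32 && hexRe.MatchString(hash):
		return "unsalted-md5-hex"
	case len(hash) == 40 && hexRe.MatchString(hash):
		return "unsalted-sha1-hex"
	}
	return "unknown"
}

// NeedsMigration is the audit policy (an assumption for this example):
// anything that is not a salted, deliberately slow scheme gets migrated.
func NeedsMigration(scheme string) bool {
	switch scheme {
	case "argon2", "bcrypt", "sha512-crypt", "sha256-crypt":
		return false
	}
	return true
}

// Audit tallies schemes across the export and returns the usernames whose
// hashes should be replaced on next login or by a forced reset.
func Audit(export []string) (map[string]int, []string) {
	counts := map[string]int{}
	var flagged []string
	for _, line := range export {
		user, hash, ok := strings.Cut(line, ":")
		if !ok {
			counts["malformed"]++
			continue
		}
		scheme := Classify(hash)
		counts[scheme]++
		if NeedsMigration(scheme) {
			flagged = append(flagged, user)
		}
	}
	return counts, flagged
}

func main() {
	counts, flagged := Audit(sampleExport)
	for scheme, n := range counts {
		fmt.Printf("%-18s %d\n", scheme, n)
	}
	fmt.Println("accounts to migrate:", strings.Join(flagged, ", "))
}
```

Run against a real export, the flagged list is the population that would have been exposed in a Gawker-style dump; the counts give the number to cite when arguing for the migration budget.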

The cryptanalysis method involves trying to find weaknesses in the inner workings of an encryption algorithm to try to break the key. Hackers have been trying unsuccessfully for years to break the AES. According to Muller, those "who apply more sophisticated methods than brute-force believe the margin is narrowing." Yes, but it appears to be years away.

We can conclude two things: 1) The algorithm underlying the DES has been cracked and should not be used and 2) The strong algorithm aligned with the AES provides adequate protection of information for computer users, probably for years to come. Muller in "AES Encryption Explained in a Nutshell," quotes Bruce Schneier: "For new applications I suggest that people don't use AES 256. AES 128 [a shorter bit-key size] provides more than enough security for the foreseeable future."

The good news is that more organizations are using the AES. The power of computers increases every year, and Muller writes that eventually "traditional cryptography [will] no longer be secure" when computers are more powerful. Hopefully, the experts also will invent formidable encryption to combat hackers.

LEGISLATION CONSIDERATIONS

Recent state and U.S. federal data-breach notification legislation allow entities to be exempted from notification if certain conditions are met, such as encrypting to safeguard information. Unfortunately, except for one state, legislation does not specify what types of encryption schemes businesses can use, so the algorithm underlying the 56-bit DES, which hackers have cracked, is allowed as an exemption.

Hopefully, Congress will soon enact a data breach notification law that will help to significantly reduce identity theft. If it does, the law will supersede all state legislation, so it is extremely important that any new federal legislation be, at least, stronger than any state law.

The U.S. Congress, as it writes a new data breach notification law, could consider that it would:

  • Apply to all entities that use personal information of consumers, including profit and not-for-profit organizations.
  • Supersede all other federal laws that address the data breach notification problem.
  • Ban the use of the 56-bit Data Encryption Standard and require the use of the Advanced Encryption Standard, which uses symmetric cryptography of the Rijndael algorithm in key lengths of 128, 192 and 256 bits.
  • Require all organizations be monitored annually to provide proof at the state or federal level that they are abiding by the law. Significant fines should be put in place for those organizations that do not abide.
  • Require that all organizations that are hit by data breaches notify pertinent parties if the data were not encrypted or if the outdated vulnerable DES was used.

Congress might not enact a new data breach notification law for some time, so states could amend their laws to not require data notification if organizations are implementing the 128-bit Advanced Encryption Standard. Otherwise all other data breaches should require notification.

Many believe that hackers solely cause data breaches. Actually, sloppy control of information within organizations and by third parties causes most breaches. Also, individuals who do not know how to protect their personal information drive a significant amount of identity theft.

Congress also would do well to develop a comprehensive plan to help protect electronic information. The plan could include recommendations for organizations on developing policies to make their infrastructures more secure against intrusions and malware and enhance their internal systems to protect personal data from unauthorized use. Also, the data security policies of organizations should be subject to periodic audits to evaluate the validity and integrity of their control systems to protect personal information.

The last part of this series in the January/February issue will present an analysis of six years of data breaches using a new system to classify them. The analysis will reinforce the importance of the development of a comprehensive national data security program. If successful, it could instill needed confidence, trust and security in those who use the electronic system to transact business so the country would be less susceptible to data breaches and put a significant dent in identity theft. It would be a "win/win" situation for all.

Robert E. Holtfreter, Ph.D., CFE, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash.  

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.
