Attacks/Breaches
10/23/2008
04:45 PM
50%
50%

Data Breach? Who Ya Gonna Call?

Our latest CSI survey shows few organizations bring in law enforcement after an attack. That's bad policy.

Whether a data breach is accidental or the result of a targeted malicious attack, the results can be devastating to a company's financial stability and reputation. To compound the problem, many CIOs fear that reporting the incident will only make matters worse. In the 2008 CSI Computer Crime & Security Survey, only about one in four respondents said that they contacted a law enforcement agency in the wake of a breach. Most said they worry about negative publicity and that the authorities can do little to help deal with cybercrime.

It's reasonable to fear negative press. Sales may be adversely affected, and the public's confidence can be shaken. Furthermore, many states have enacted data breach notification laws that can cause a company's legal fees to mount. On the other hand, a decision not to come forward could work against you in court later, and law enforcement has sophisticated forensic and legal tools not available to private industry. However, reporting isn't as simple as it sounds. The President's Identity Theft Task Force has recommended the creation of national standards for data protection and data breach notification requirements that would pre-empt the multitude of existing state laws. The Task Force also recommended the establishment of a national identity theft law enforcement center to harmonize identity theft and data breach reporting. But as of this writing, neither of these recommendations has been acted on. Unfortunately, this makes reporting to law enforcement confusing, as there's no clear-cut hierarchy. In our report, we describe a methodology for reporting to law enforcement agencies that deal with cybercrime.

Return to the main story:
Forensic Teams Take On Hackers

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4467
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3, does not properly determine scrollbar boundaries during the rendering of FRAME elements, which allows remote attackers to spoof the UI via a crafted web site.

CVE-2014-4476
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4477
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4479
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4480
Published: 2015-01-30
Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows attackers to access unintended filesystem locations by creating a symlink.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.