"There is no evidence that any unencrypted credit card data was accessed."

This phrase is infuriating for a few reasons. First, it plays to, and reinforces, the false notion that credit card data is the thing you need to worry about in a breach. It is not.

Second, it relies on the phrase "no evidence". An absence of evidence is not evidence of absence.

The authors of these statements know both of those things. If they spent as much time securing their systems as they did crafting subtly deceptive blog posts, we'd all be better off.

@boblord This comment comes up after just about every breach disclosure. I am curious: what does a company say or do when an investigation is ongoing but so far has not come across any sign of credit card access? Consumers and reporters inevitably ask about cc access, so it’s not really an option to simply say nothing. How can a company prove a negative anyway? They can either say it was accessed or they have no indication it was accessed. What more can a breach victim say?
@dangoodin @boblord saying there is no evidence something was taken without disclosing there is no evidence something was not taken is a bit disingenuous.
@boblord @gdbassett yes, people keep saying that, but they don’t say how the disclosure should be worded differently. Do you have specific language in mind?
@dangoodin @boblord I think you can either caveat the "no evidence" statement with the equivalent of “Absence of Evidence does not mean Evidence of Absence”, or modify the statement to state your lack of evidence in either direction (somewhat unflattering). "We have no evidence for or against breach of unencrypted CC data."
@dangoodin @boblord even better might be "We lack evidence with regard to whether unencrypted CC data was or was not breached"
@boblord @gdbassett If this is all the criticism is based on, it feels like a tempest in a shot glass to me.
@dangoodin @boblord when coding breaches I would code the two statements differently. Saying no information indicating a breach suggests it was not a breach (attribute.confidentiality.data_disclosure.No in VERIS). Saying not enough information to assess if it's a breach implies it's unknown if it's a breach (attribute.confidentiality.data_disclosure.Unknown)
@dangoodin @boblord I believe there's a relevant Sagan quote, “Absence of Evidence does not mean Evidence of Absence”.
@gdbassett @boblord if you’re not going to answer my question about the wording, I don’t think there’s much more for us to discuss.
@dangoodin @gdbassett @boblord having written more incident response statements than most CISOs at this point in my career, I find a common pitfall is expecting a single statement to address the concerns of all stakeholders. What works for infosec doesn’t work for everyone.
Good IR comms is an orchestrated symphony of tailored comms that answer different questions for each audience. These various communications align, but they’re not identical.

@Wednesday @dangoodin @gdbassett

Great point and very true. I still think we can get better at this.

@gdbassett @Wednesday @boblord This is precisely the kind of IR expert POV needed here. Melanie, any thoughts about the overall adequacy of the Lastpass disclosure or specific things that would have made it better?
@dangoodin @gdbassett @boblord I don’t know anything more than you about what LastPass has to work with here & those details really matter for a credible assessment. Generally speaking, the goal is to uplift people to a higher security literacy than BEFORE the incident, eg explain why you included (or not) certain details, eg “we expect users will be concerned about cc data, so we looked into it, but here’s our primary focus (& why)…”
@boblord @dangoodin @gdbassett I agree & cited your 2015 point about “lack of evidence” in a blog post a few weeks ago: https://discernibleinc.com/blog/remove-these-cardinal-sins-from-your-data-breach-statements
As a comms pro, I believe we fail when we treat security comms as crisis comms rather than a proactive never-ending dialogue with stakeholders about ongoing risk. Don’t treat incidents as something that will eventually “be over.”
@Wednesday @dangoodin @gdbassett That last point is the most important. Internally, there is pressure to get back to normal, rather than to establish that "never-ending dialog" about risk. Maybe we can get you to deliver a TED talk on fixing that problem!
@boblord @dangoodin @gdbassett the underlying problem is that Comms pros are promoted for “managing” crisis rather than preventing it.
In my experience, IR comms only becomes crisis comms if you fuck it up. I don’t want my clients to panic & that puts me at odds with most of my profession.

@Wednesday THIS IS PERFECTION:

“As a comms pro, I believe we fail when we treat security comms as crisis comms rather than a proactive never-ending dialogue with stakeholders about ongoing risk. Don’t treat incidents as something that will eventually ‘be over.’”

Comms is integral to good IR and the teams that see response as an opportunity to increase transparency and help the ecosystem understand what is going on so that we can hopefully prevent it from happening again are the ones that will come out of an incident in better standing. But there are still huge gaps in alignment at the stakeholder level about how public response should be handled. Audience is often narrowed to shareholders/investors and not so much about the end users or security community that is trying to learn and understand what is happening to prevent it.

We have a long way to go until we see strong IR comms across verticals but I’m hopeful that we will get there and it’s dialogues like this one that help.

@boblord @dangoodin @gdbassett

@Wednesday @dangoodin @gdbassett @boblord What I don't like is other password managers gloating and making fun of the situation. Looking at you, #1Password. You better make sure you're all shored up!

@rhcmuts @Wednesday @dangoodin @gdbassett I have not seen that and hope it's not true.

Back in the day Jim Barksdale warned Netscape employees to not gloat over IE vulnerabilities. He reminded us that airlines don't take out ads touting their safety record when a competitor has a plane crash. It's bad for the entire industry.

@boblord @Wednesday @dangoodin @gdbassett I mean, even as an unrelated observation, it's pretty tone deaf.
@rhcmuts @boblord @dangoodin @gdbassett
If true, it’s not very smart. We all live in glass houses.

@Wednesday @dangoodin @gdbassett @boblord writing an IR also requires two things that are fundamental (and rare to find):

- knowledge of the topic
- acknowledgment from the top-management

The second part is the weakest link, as usually there are more political concerns about disclosures than about facing the issue.

In my personal experience, the bigger the company, the more often the answer is "it's your fault (CISO) - farewell". Scapegoating is not the solution, but nobody from "above" will ever accept it with the current mindset IMHO.

There's a cultural issue about data security more than anything else.