Chain of Custody Controls
powers-old-account 270000NC1K Visits (1920)
Credit.com has a story about the Morgan Stanley Data Breach that happened a few weeks ago and I'd like to make two observations about the incident because I think it highlights an often overlooked security control, the chain of custody control. First let's recap what happened.
Morgan Stanley was sending information about its clients who are investors in tax exempt bonds and investments to the New York State Department of Taxation and Finance. The news article doesn't say why this information was being sent, but presumably it was required to do so by law. Morgan Stanley opted for a decidedly low-tech method of sending the data. They took the information for the 34,000 relevant accounts and burned the information on to a CD ROM. According to the news report, the CDs were "password protected" but the data itself on the CDs was not encrypted. I'll admit I have no idea what that means. But I assume that it means it would take more effort than a casual user might be willing to devote to getting at the data. But chances are the password protection is not enough to thwart a determined criminal intent on identity theft. The CDs were mailed. The article doesn't explicitly say, but I always assume the US Postal service is used unless otherwise specified.
The CD ROMs were delivered to the offices in tact. "but by the time it arrived on the desk of its intended recipient the CDs were missing," according to a Morgan Stanley spokesman. The state office notified Morgan Stanley that the CDs were missing. Morgan Stanley then led the investigation to try to figure out at what point the CDs were lost.
Observation #1: The Disconnect Between Who Is Responsible and Who Is Blamed
I'd bet a dollar that if you put this scenario in front of anyone they'd tell you that the root cause is the New York State Department of Taxation and Finance. Someone in that organization either deliberately stole or mistakenly lost the CD. The internal mail delivery process was the vulnerability that allowed the data breach to happen. But it's Morgan Stanley whose name is on the headline of the news article. It's Morgan Stanley that's incurring the cost of the credit monitoring. It's Morgan Stanley that's getting asked the uncomfortable questions from the press.
The data owner always gets the blame no matter who actually caused the loss.
Observation #2: Encryption Doesn't Assure The Public.
Adam Levin, founder and chairman of credit.com is quoted in the article as saying:
I think a better question might be, "how strong do you think the encryption needs to be and how secure do the key exchange methods need to be before you'd let Morgan Stanley off the hook for an incident like this?" If they used PKZIP encryption would that be good enough for Morgan Stanley to not have to notify its customers? What about PGP encryption or some other Public Key Scheme? What about military grade encryption?
My sense of these scenarios, just based on reading oh I dunno, hundreds of stories about lost/stolen media, is that the the press relations nightmare never goes away with sufficiently strong encryption and therefore the company that owns the data always has to notify the affected customers and always has to incur the remediation costs like credit monitoring no matter how strong the encryption might be.
If anyone is aware of an actual case where media is lost in transit, ether tapes or CDs or memory cards, but the data was sufficiently encrypted that the data owners decided they didn't need to notify their customers. I'd like to hear about it.
I'm not arguing against encryption as a control for transporting media across physically non-secure physical spaces, but I am going to claim that it is usually not sufficient, at least not sufficient to avoid the PR nightmare.
Which leads me to an often overlooked control, the chain of custody control. This is a well established concept in criminal justice and as I understand the concept, there are three parts of it.
1) Testimony that the evidence is what is claimed at the source.
2) Documentation and supporting testimony of continuous possession of control by each person that has had the evidence
3) Testimony by each person that had possession of the evidence that it is did not substantially change while it is in their possession. I.e. no one else had a chance to tamper with it.
In this case, item 2 is the most important. I wonder, if Morgan Stanley had invested in a chain of custody control for sending the data to the New York State Department of Taxation and Finance, would there would have been less chance of the PR nightmare? A chain of custody control could take several forms including hiring a courier service like UPS or Federal Express to make sure names, ID and Signatures are acquired to create that chain of custody all the way to the point that it is delivered to the intended recipient. Heck, they could have hired a courier to hand deliver the CD ROMs and still spent less money than the cost of credit monitoring.
If a chain of custody control had been in place and some hypothetical Joe Smith at the New York State Department of Taxation and Finance had signed for the CDs and subsequently lost (or "lost") them, there would be another person/organization involved in the scenario who had taken some of the responsibility of the CDs' safekeeping. Then one could legitimately raise questions to both the sending and receiving organization. Could Morgan Stanley then legitimately claim that they had taken enough reasonable precautions to protect the data?
I'm not sure. How far removed the Data Owner has to be from the security breach to no longer be ultimately responsible? Let's suppose for example, that Morgan Stanley assigned their most trusted employee to hand deliver the CDs to the intended recipient at the New York State Department of Taxation and Finance. Suppose the Morgan Stanley employee personally loaded the CD ROMs data on the the computers at recipients office. And then suppose the the trusted employee melted down the CD ROMs in his microwave oven in order to totally destroy the data. Now suppose that the data is lost because a the computer is stolen from the New York State Department of Taxation and Finance? Would the data breach still be Morgan Stanley's fault? Or would it be someone else? Who would then need to pay for the credit monitoring?
As usual, my goal is not to point fingers and assign blame to any of the parties involved in this particular breach. I applaud Morgan Stanley for sending out the notifications and helping out with the credit monitoring. Kudos to them for doing that. Kudos to them for their transparency so that we can all learn from it.
But I do think that IT security people tend to overlook the value of chain of custody controls and we over look the value of being explicit about when responsibility for safekeeping is transferred. Sometimes chain of custody controls may be more effective both at preventing the losses in the first place but also mitigating the PR nightmare when the losses happen.