A leading New Zealand security expert is calling for data breach disclosure laws requiring consumers to be notified of security failures when personal information is at risk.
California introduced such a law, called the California Information Practice Act or Senate Bill 1386, in 2003. It requires organisations that hold the personal information of California residents to notify them if there has or may have been a breach of security affecting that information.
Auckland-based IT security expert Peter Benson, chief executive of Security-Assessment.com, says New Zealand should have a similar law.
“The point is accountability,” Benson says. “Under current New Zealand law, there is no obligation for companies to disclose that they have had a data breach, in which case a lot of security incidents that occur, simply don’t make it into the public domain. This also potentially involves the loss of customer or private individual information, for which the public or customers have no real comeback.”
Benson says there is the opportunity for civil cases under tort law (around negligence, lack of due care and lack of reasonable practices), but no precedents have been set for this.
“As a result, we have often seen a systemic failure of senior management and directors to either acknowledge, or to take action around security issues. We are aware of a number of reasonably significant attacks over the last few years, which did not make it into the public awareness.
“In some cases the work undertaken after the fact did improve the situation, but the reality is that there is no accountability for security issues that affect customer or private information. Until this type of regulatory control is in place, New Zealand (along with other, similar Commonwealth countries) will fall behind the levels of security required to provide an ‘appropriate’ level of security to prevent security breaches.”

Benson says there is an ‘inconvenient truth’ out there that a lot of senior management are simply denying, or presenting as an IT issue.
Neither the Consumers Institute nor the Retailers Association seemed aware of the California example when phoned last week, though retailers spokesman Barry Halberg said his gut reaction was there would be no harm in looking at the proposal’s merits.
Security-Assessment.com was recently cited by the organiser of the US venture capital show DEMO as one of the most interesting technology companies in the Australasian region. Benson says that could be because he is planning to take the company global very soon.
“We do security research as well as consulting work,” he explains, and this includes building tools. The tools side of the business, effectively a software development shop, operates under the name Codescan Labs. The tools automatically scan source code to identify security problems in web applications.
“Breaching systems from the outside is not the most effective way to find vulnerabilities,” Benson explains. Far more effective is to have access to the code and even better is to be able to automate the code scanning, a market segment Gartner has dubbed “source code security”.
“It’s an emerging market space and in some ways we are ahead of the market,” Benson says. “Venture capitalists are reticent if you are too far ahead of the market.”
The tools are made to be sold to vendors and developers to check code and provide independent compliance review before such third-party code is accepted by the client. If introduced as part of the development cycle, code can be secure from the word go, he says. The main market would be banks, telecommunications companies, large corporates and government.
Benson says he is talking to VCs and to a potential US distributor for the company’s tools, but emphasises it’s “just talk” for now.
On the consulting front, Benson says the company has broken ATM networks, broken most 3G mobile applications it has come across and found major flaws in 80% of all VoIP implementations.
“It has matured, but there are a number of standard flaws in the way people deploy VoIP,” he says.
“We break anybody’s kit. We don’t care whose it is and we are extremely good at it.”
Security-Assessment.com is the largest specialist ICT security assessment firm in Australasia, with 25 or more staff plus contractors. It employs people like Brett Moore as its chief technology officer. Moore has spoken at major security events such as Ruxcon and Black Hat in Las Vegas and at Microsoft’s Blue Hat security event.
The other staff are not necessarily computer people. Benson says some have commerce degrees, some philosophy and some no degrees at all.
“They just love IT and love pushing the envelope,” he says.
Benson says the company has hardly done any marketing but finds business through word-of-mouth and cold calling. It has become well known for its research into vulnerabilities and for “responsible disclosure” when issuing advisories.
In 2003 the company was second worldwide in the number of Microsoft security advisories it issued and has been in the top five ever since.
Benson does not personally like the term hacker, even in its “white hat” sense, but admits some of his employees consider themselves hackers “in the original sense of the word”.