Are you “in the club?” Do you receive regular (daily) updates of information security news and events right in your inbox?  I do, and I find the services very helpful (as long as I keep up on my end).  For example, the SANS Institute provides a free subscription service to by filling in some data at their portal.  SC Magazine provides a similar SC Magazine Newswire service, , for subscribers who register here.

If you are “in the club” then you have probably noticed that just about every issue of every newsletter contains a description of some information breach happening somewhere.  In fact, the SANS NewsBites has a section entitled “ATTACKS, INTRUSIONS, DATA THEFT & LOSS” that invariably describes yet another data breach (or two or three or more), sometimes with commentary relating the breach to previous events or conditions.  That’s no wonder considering that the Privacy Rights Clearinghouse lists 274 data breaches so far in just 2007 alone!

Why is it …?
The sheer repetitiveness of data breach reports begs the question: “Why is it that data breaches happen over and over and over ... ?” There can be only two logical conclusions:

1.  The technologies to protect against data breaches and information protection violations are available and simply not being deployed (it has happened before);

or

2.  Technologies to protect against certain kinds of information violations simply do not exist.

Sometimes the technologies do exist to blunt the breach (even if they do not stop the source of the breach).  For example, technology to encrypt entire hard drives or prevent the storage of data on ultra-portable peripherals (e.g., thumb drives) is readily available and would certainly be useful as antidotes to this circumstance.

On the other hand, sometimes, even when we do everything perfectly with the security technologies available, nasty things happen to good digital enterprises.  This is the condition examined in Volume 6 of the Digital Trust report series, eThreats and Countermeasures.

eThreats are eTernal
In the Digital Trust report series, eThreats are those exposures that occur “even when you’ve done everything right.” And, digital trust technologies are those security technologies that are capable of generating value for the enterprise as well as reducing the risk of loss for the value that is already present.  The question in Volume 6 revolves around what digital trust can be used to respond to eThreats.

The research effort explores the pernicious problems of eThreats by examining four specific techniques as representative of the general class of eThreats:

• Cross-site scripting
• Phishing (in all its variety)
• Open source information gathering (a.k.a. Google hacking)
• No-tech hacking

While there are partial digital trust answers, the major conclusion is that “eThreats are eTernal” (for now).  Digital trust can make a helpful dent in consequences, but it is not able to solve the problem (and generate enterprise value).

For now, we can rest easy that the security newsletters will always have breaches (and consequences) to report.  I repeat: eThreats (and data breach consequences) are eTernal.