http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=224200824

By Kelly Jackson Higgins
DarkReading
March 30, 2010

Most organizations hit by breaches that don't require public disclosure don't call in law enforcement -- they consider it an exposure risk, with little chance of gaining any intelligence from investigators about the attack anyway.

FBI director Robert Mueller has acknowledged this dilemma facing organizations that get hacked, noting in a speech at the RSA Conference last month that disclosing breaches to the FBI is the exception and not the rule today. But the FBI will protect victim organizations' privacy and data, and will share what information it can from its investigation, he said, rather than continue with the mostly one-way sharing that organizations traditionally have experienced when dealing with the FBI.

Gary Terrell, president of the Bay Area CSO Council and CISO at Adobe, says different companies have their own rules about reporting to law enforcement. "[Many] won't talk to law enforcement without an NDA [non-disclosure agreement]," says Terrell, who was speaking on behalf of the Council. "The FBI has a hard time signing it. That hasn't been successful so far, so sharing with the FBI has been minimal."

He says the feds have their own communications "protocol" for sharing classified information, but they don't have a standard and confidential way to work with the private sector on breach investigations. And until the feds can work with NDAs, there won't be much back-and-forth between companies and these agencies about breaches, he predicts.

[...]