You Are What The Internet Says You Are

So if it says that you are going away and all your belongings are up for grabs, then people will turn up at your house and take your stuff, including a horse, without you even knowing. Sounds a little unbelievable? Well, it happened this week in the US when a hoax advert was posted on Craigslist and people responded while the owner was out…

So what does this mean? Gullible people? People believe everything they read on the internet? We are at the start of a new era of fraud? All of the above? The internet can be seen as an interesting social experiment, with social networking and the influence it has right at the forefront. As we move into the next era of web based technologies and businesses it will become increasingly important to prove that you are who you say you are - and not what someone else says. It will all come down to reputation - protecting and maintaining your own reputation and the reputation of your company… before someone runs off with more than just your belongings.

Traditional IT Departments To Disappear

Traditional IT departments are to disappear, according to a comment from a Software as a Service (SaaS) vendor. This reminds me of a similar comment 10 years ago that tape backup was dead. We all know that tape is still here and will be for the foreseeable future (OK, so you back up to disk as well, but tape still has its place). The same will be true of the IT department: its role may change a little, but its basic function will remain.

Applications will be delivered over the web, but that doesn’t mean users won’t have problems with them and need support. There will be a rise in outsourced functionality; you only need to look at salesforce.com to see the revolution underway in delivering business applications as a service. There will also be a rise in the number of services available to small, and not so small, businesses. For example, outsourcing email for a company with 1,000 employees is now relatively simple, and that number will grow to 5,000+ over the next few years. However, there will always be core, value-adding applications and services that are developed in-house and need support from the IT department. The changes will let IT workers focus on those business-focused, value-add applications rather than the more mundane ones, which is a good thing for the business and for those of us who work in IT and like to innovate.

To USB Or Not To USB

A US agency announced that it was going to issue USB drives to its employees in order to mitigate the risk of data loss and eliminate the use of unsanctioned USB storage. The keys are encrypted and password protected, so it all looks good. However, a number of important issues seem to have been missed. Unless there is additional software-based device control in place (something on the endpoint that blocks any USB storage device other than the issued ones), there is nothing to stop people from using their own devices. USB keys are frequently mislaid (which is why data loss is an issue); however, most people have more than one, ‘just in case’. Not all data is equal when it comes to data loss, so policy needs to be based on content: if the information is sensitive, it should be encrypted; if it isn’t, perhaps it doesn’t need to be. USB keys are most often used for transferring benign information such as presentations; by encrypting it and making it harder to share, you push people to look for other ways to transfer the information.

The idea of company issued USB flash drives is not a new one - but remember to think through what people actually use them for rather than assuming it is always for sensitive information.

PCI DSS And The Value To The Consumer

I hosted a CIO roundtable and dinner last night and the topic was PCI DSS (Payment Card Industry Data Security Standard). While this has been around for a while, it is only now becoming an issue for companies to become compliant. In essence it is a set of policies and procedures designed to improve the security of card transactions, primarily credit and debit cards. The idea is that securing the information makes it harder for criminals to use it for fraudulent purposes. Comparisons were made to the introduction of chip and PIN, also intended to reduce fraud. However, from my perspective (and this was the question I asked), how does the consumer relate to PCI DSS… after all, we all know and ‘love’ chip and PIN.

There wasn’t an obvious answer. If your credit card is cloned then you can seek recompense from the issuer, so why do you (as a consumer) need to worry? I think the answer is that you don’t: if there is a data breach then you might stop using the shop, you may get a new credit card, but you won’t stop using credit cards. (It’s a different story if you used a debit card.) However, it does drive down confidence, which curtails spending, which in turn curtails growth, which is not good for anyone.

PCI DSS can be used as the lever to begin implementing a more comprehensive information protection strategy, and the opportunity to show customers that you do care about their information is no bad thing.

Arthur C Clarke (1917-2008)

He wrote around a hundred books and, among many other predictions, proposed in 1945 the use of geostationary orbit for communications satellites. It must have been amazing not only to have lived through such a period of technological change but to have made predictions that not only came true but had such an enormous impact on everyone on the planet, whether they knew it or not. Of course some of his predictions didn’t work out and some… well, we shall just have to wait and see.

Arthur C Clarke: thank-you for all you have inspired me with, and may you rest in peace.

They Took The Application As Well…

Virtualization is still big news; some would even say it’s getting bigger every week. If you are using virtual machines then consider the impact of someone stealing a virtual image. Virtualization offers a lot of opportunities and a great deal of flexibility; however, it also brings new threats. There has been a lot of talk of compromising the hypervisor, and therefore the virtual machines that sit above it, but there is another interesting threat when it comes to data loss.

One of the benefits of a virtual machine is being able to lump together everything you need for a machine into a single file. OK, so the file might be 50GB, but it’s still a file. Another benefit is that you can load, unload, move, copy and generally manage it as a file. What if that file goes missing, or is stolen? Unless it is protected (encrypted, or restricted as to which physical hosts it can run on), it can be run by anyone on anything, and in that case they won’t just get the data in the virtual machine but also the application needed to access the data, along with whatever credentials the application keeps in its configuration.
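As an added example (not code from the original post), here is the kind of inventory check a datastore administrator could run to find image files that an attacker could simply boot or mount. It reads the first bytes of every file and reports whether the payload is encrypted, using the public QEMU qcow2 header layout (the crypt_method field is the big-endian uint32 at byte offset 32: 0 none, 1 legacy AES, 2 LUKS) and the LUKS header magic. The sample images and their names are constructed for the demo; anything the check does not recognise is deliberately reported as unprotected.

```python
"""Find virtual disk images whose contents are not encrypted at rest.

Added example, not code from the original post. It understands the public
QEMU qcow2 header and the LUKS header; any other file (raw .img, VMDK, VHD)
is reported as 'unknown' and treated as unprotected.
"""
import os
import struct
import tempfile

QCOW2_MAGIC = b"QFI\xfb"
LUKS_MAGIC = b"LUKS\xba\xbe"
QCOW2_HEADER_LEN = 72
# qcow2 crypt_method values (uint32, big-endian, at byte offset 32)
QCOW2_CRYPT = {0: "none", 1: "aes", 2: "luks"}
# Legacy qcow2 AES (crypt_method=1) is not counted as protected: the key is
# derived straight from the passphrase with no KDF and there is no integrity
# check, so such images should be re-encrypted to LUKS rather than trusted.
PROTECTED = {"luks", "qcow2/luks"}


def classify_image(header: bytes) -> str:
    """Classify a file from its first bytes.

    Returns 'luks' (raw LUKS volume), 'qcow2/none', 'qcow2/aes',
    'qcow2/luks', or 'unknown' for anything else, including a truncated
    qcow2 header that does not reach the crypt_method field.
    """
    if header.startswith(LUKS_MAGIC):
        return "luks"
    if header.startswith(QCOW2_MAGIC) and len(header) >= 36:
        (crypt_method,) = struct.unpack_from(">I", header, 32)
        return "qcow2/" + QCOW2_CRYPT.get(crypt_method, "unknown-method")
    return "unknown"


def is_protected(kind: str) -> bool:
    return kind in PROTECTED


def make_qcow2_header(crypt_method: int, size: int = 1 << 30) -> bytes:
    """Build a minimal 72-byte qcow2 v3 header (constructed for the demo)."""
    return struct.pack(
        ">4sIQIIQIIQQIIQ",
        QCOW2_MAGIC, 3,       # magic, version
        0, 0,                 # backing_file_offset, backing_file_size
        16,                   # cluster_bits (64 KiB clusters)
        size,                 # virtual disk size
        crypt_method,         # 0 none, 1 legacy AES, 2 LUKS
        0, 0,                 # l1_size, l1_table_offset
        0, 1,                 # refcount_table_offset, refcount_table_clusters
        0, 0,                 # nb_snapshots, snapshots_offset
    )


def scan_datastore(root: str) -> dict:
    """Map every file under root to its classification. Extensions are
    ignored on purpose: a stolen file is useful whatever it is called."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                results[path] = classify_image(fh.read(QCOW2_HEADER_LEN))
    return results


def unprotected(results: dict) -> list:
    """Paths an attacker could mount or boot without a key, sorted."""
    return sorted(p for p, kind in results.items() if not is_protected(kind))


def demo() -> list:
    """Write five constructed images (hypothetical names) into a temporary
    datastore and return the base names of the ones that need attention."""
    samples = {
        "erp-db.qcow2": make_qcow2_header(2),          # LUKS inside qcow2
        "legacy-app.qcow2": make_qcow2_header(1),      # legacy AES: flagged
        "build-agent.qcow2": make_qcow2_header(0),     # plaintext qcow2
        "fileserver.img": b"\x00" * QCOW2_HEADER_LEN,  # raw image, plaintext
        "vault.img": LUKS_MAGIC + b"\x00" * 66,        # raw LUKS volume
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in unprotected(scan_datastore(root))]


if __name__ == "__main__":
    for name in demo():
        print("UNPROTECTED:", name)
```

Encryption at rest only covers the first of the two protections the post mentions: the hypervisor still needs the key, so tying an image to particular physical hosts is a separate control (a key sealed to the host’s TPM, or hypervisor policy) that this check does not look at.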

When looking at potential areas where data loss can occur you need to look outside the box; in this case, at virtual machine images and how they could be exploited should they fall into the wrong hands.

But It Has To Be Fixed

It was reported in the news that a CD marked ‘Home Office’ and ‘Private and Confidential’ was found behind a keyboard when a system was taken away to be repaired. The data was encrypted, but it raises an interesting problem: how should you repair systems that contain sensitive data? Sensitive here doesn’t just mean customer information (although that is obviously important); it also covers intellectual property.

If repairs can be done on-site, that is obviously best, as the data does not leave the building. If a system has to be taken away for repair, there is a possibility of data loss, and a new process or procedure may need to be developed and put into operation.

What data is on the system, and does it contain sensitive information? If so, how will you protect it while it is off-site? If the failure is not the hard drive, perhaps the drive can be removed and stored safely on-site while the rest of the system is repaired. Alternatively, perhaps the disk needs to be completely erased (and the OS reinstalled) before it goes away; this would need to be done in another system, as the original one is broken. (It’s all backed up… isn’t it?!?!)

If it is the hard disk that has failed and it is going to a data recovery service, then ask a few questions: how will the drive be looked after while it is off-site? Is the data encrypted? Does it matter if it goes missing? What would happen if it was lost while out of your control?

Life Is Like Waiting For A Bus…

… Nothing for ages and then three come along at once (or in this case four). I do speak at various conferences on a regular basis, but not usually as often as in the last couple of weeks. So… I am out and about speaking again this week at the Symantec Data Loss Prevention (DLP) seminars. We have one in Manchester on Tuesday 11th March and one in London on Wednesday 12th March. See http://www.conferencepage.com/DLP08/ for more information.

Data-Gain… Just As Bad As Data-Loss?

There is a lot in the press about data loss: some is inadvertent, some is by the malicious insider and some is from hackers. However, there is another side to this story: data gain. What if someone brings information into your organization without you knowing, and that then gets you into trouble? OK, so it sounds a little far-fetched, so let’s use an example: Formula 1. In this case an employee from one team left to go to a rival and took information with him. The first team found out, and the result, from the sport’s governing body, was a $100m fine for cheating.

In this case the defence was that the information wasn’t known about and wasn’t used and … When looking at data loss and how to protect against it, it is also worth looking at data gain: information you shouldn’t have. While ‘not knowing’ may seem preferable at first glance, the head-in-the-sand defence doesn’t work in court.

Forewarned is forearmed.

Implicit Trust

There is a legal case going on in Seoul where it is alleged that an employee took intellectual property (IP) with him when he changed jobs, and that the IP (1,1882 files) has cost the Korean economy more than $1 billion. Wow, this is a pretty huge chunk of change. How did one employee get his hands on such valuable secrets? Answer… it was part of his job.

From an IT perspective the technology is there to enable the right people to have the right access to the right information at the right time. Access control is in place, and authentication and authorization do their job of keeping the wrong people from seeing the information. However, this relies upon trust: there is implicit trust that the people with access to the information will do the right thing with it. Unfortunately, as this case shows, that is not always so. All information has a value to somebody, and so can be at risk. Many of the data-loss stories in the media concentrate on customer details or personnel records, but IP needs protecting too.

IP (and customer records) are often held in databases (structured data) as well as in files (unstructured data), so technology is required not just to inspect the content but also to watch the behaviour of the employee and look for anomalies. Unusual access patterns, such as a user suddenly reading far more records than their own history suggests, or touching tables they have never needed before, need to be investigated. New technology, such as Symantec’s Database Security product, exists to help mitigate this type of data loss.
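The kind of behavioural check described above, as an added example in Python (this is not Symantec’s Database Security product, nor code from the original post). Each user is baselined against their own history rather than a global threshold, so a service account that legitimately reads thousands of rows every night is not confused with an engineer who suddenly does the same. The audit log lines, user names and table names are constructed for the example; real audit sources use different syntax but carry the same fields.

```python
"""Flag anomalous database access from an audit log, as an added example.

This is not Symantec's product and not code from the original post. The log
format and the activity in AUDIT_LOG are constructed for the example; real
audit sources (pgaudit, Oracle audit trail, a database activity monitor)
differ in syntax but carry the same fields: who, when, which object, how much.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: four normal days, then on 7 March 'alice' pulls most of
# the designs table after hours and reads a table she has never touched.
# 'svc_backup' reads about 12,000 rows every night, which is normal for it.
AUDIT_LOG = """\
2008-03-03T09:12:01 user=alice table=designs op=SELECT rows=40
2008-03-03T10:05:44 user=bob table=designs op=SELECT rows=55
2008-03-03T02:00:03 user=svc_backup table=designs op=SELECT rows=12000
2008-03-04T09:20:10 user=alice table=designs op=SELECT rows=35
2008-03-04T11:45:09 user=bob table=designs op=SELECT rows=48
2008-03-04T02:00:04 user=svc_backup table=designs op=SELECT rows=12050
2008-03-05T08:58:31 user=alice table=designs op=SELECT rows=52
2008-03-05T14:30:12 user=bob table=designs op=SELECT rows=61
2008-03-05T02:00:02 user=svc_backup table=designs op=SELECT rows=11980
2008-03-06T09:01:15 user=alice table=designs op=SELECT rows=44
2008-03-06T10:10:10 user=bob table=designs op=SELECT rows=50
2008-03-06T02:00:05 user=svc_backup table=designs op=SELECT rows=12100
2008-03-07T19:42:07 user=alice table=designs op=SELECT rows=3900
2008-03-07T19:55:21 user=alice table=customers op=SELECT rows=2600
2008-03-07T09:30:00 user=bob table=designs op=SELECT rows=57
2008-03-07T02:00:01 user=svc_backup table=designs op=SELECT rows=12020
"""


def parse(log: str) -> list:
    """Turn 'TIMESTAMP key=value ...' lines into event dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append({"day": datetime.fromisoformat(ts).date(),
                       "user": f["user"], "table": f["table"],
                       "rows": int(f["rows"])})
    return events


def detect(events: list, ratio: float = 5.0, floor: int = 500, warmup: int = 3) -> list:
    """Return sorted (user, day, kind, detail) alerts.

    'volume': a day's total rows exceed `ratio` times the user's own median
    over all earlier days AND the absolute `floor` (so a 5-row-a-day user is
    not flagged for reading 30). 'new-object': a table the user first touches
    only after the first `warmup` days of their history. Comparing each user
    with their own past is why svc_backup's nightly 12,000 rows raise nothing
    while alice's 6,500 do.
    """
    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> rows read
    first_seen = {}                                  # (user, table) -> first day
    for e in events:
        daily[e["user"]][e["day"]] += e["rows"]
        key = (e["user"], e["table"])
        if key not in first_seen or e["day"] < first_seen[key]:
            first_seen[key] = e["day"]

    alerts = []
    for user, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < warmup:
                continue                             # not enough baseline yet
            baseline = median(history)
            total = per_day[day]
            if total >= floor and total > ratio * baseline:
                alerts.append((user, day.isoformat(), "volume",
                               f"{total} rows read vs personal median {baseline:g}"))
        baseline_days = set(days[:warmup])
        for (u, table), day in first_seen.items():
            if u == user and day not in baseline_days:
                alerts.append((user, day.isoformat(), "new-object",
                               f"first ever access to table {table}"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(parse(AUDIT_LOG)):
        print(*alert)
```

Running it reports two alerts for alice on 2008-03-07 (the volume spike and the first-ever read of `customers`) and nothing for bob or svc_backup. The median rather than the mean is used for the baseline so that one earlier spike does not hide the next one; in practice the ratio, floor and warm-up period need tuning per environment, and an alert is the start of an investigation, not proof of intent.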

Implicit trust is now, unfortunately, a thing of the past.
