Dataloss At The Border?
The US announced this week that they will be able to search laptops, or rather the information on laptops, without giving any reason. They have been able to search laptops for a while, but have needed a good reason, or suspicion, to do so. This change is going to mean a number of things: firstly, longer delays to get in (hopefully they won’t be searching everybody’s data… else we could be waiting in line for weeks…) and secondly, the possibility of data being compromised.
It is difficult to know what to suggest… if you are waiting to get into the US, especially as a visitor rather than a national, you are unlikely to decline a request to look at the laptop’s contents - as that would no doubt mean a quick trip back home on the next plane. You probably wouldn’t want to leave the laptop there either - just in case it gets lost. Perhaps it is time to look at all the information on there and decide that it would be better left ‘at the office’, with the laptop just a portal you use to reach it remotely. It will still take customs a while to go through an empty laptop - but at least there will be no chance of the data being compromised.
Minnowing… The Opposite Of Whaling
A couple of weeks ago I wrote about phishing at the top of an organization or whaling. There is, of course, phishing at the lower end of the organization - minnowing. This is where the cyber-criminal targets the people in departments such as Accounts Payable to get them to pay a fictitious bill. We saw this happen late last year when a supermarket chain was targeted and the criminals were caught. This is happening more frequently and is either not reported, or not even noticed.
To begin with you need to pick the company - it needs to be ‘big’ so that people in accounts payable don’t necessarily know what has or hasn’t been done. You then need to find out a little more information about an individual - and this is where social networking sites prove to be a risk. People put other information (along with pictures) including where they work, the department and even phone numbers on the web for all to see. Armed with this, the attack vector is the same as the fax scams of old: you email to find out what has happened to a payment and then escalate from there. If impersonating a real supplier, then a quick phone call can ascertain an outstanding bill… “I was just checking to see what happened to payment for invoice 1234”, “Don’t you mean 5678”… “oh, did you get the change in our bank details / address for payment…”
What can be done? In the same way as whaling needs people to pay more attention to the content, the same is true for minnowing. Awareness and education to those staff most at risk that this threat has been seen is important. Additionally, other process changes may be required to establish that the person on the end of the phone, or email is the actual supplier and not an impersonator.
Technology & Regulations: Which Leads, Which Lags?
One great question I was asked during my talk at the Affärsvärlden Bank & Finans Outlook 2008 Conference, was whether the technology to help with compliance and governance was ahead of the regulations or behind.
This is a tough one to answer, primarily because the regulations are always changing. However, from 30,000 feet the story is the same: you need to be able to prove that you do what you say, and that you do all you can to {protect customer data | ensure that systems are secure | prevent fraud | etc}. To this end, the technology is there to help with compliance and you can automate a lot of it. Patch management of systems, followed by auditing which ones are up-to-date and which are not, can be tedious in the extreme if you don’t have the technology to help - not to mention the management and monitoring of updates to applications, endpoint protection and password strength checks; the list is (almost) endless. Technology helps, and the other big benefit is that you get a view onto your IT infrastructure and its compliance at any time - not just when the auditors are knocking on the door.
So, if you are looking at compliance, or are just getting into IT governance, look around at the tools available to make it as painless as possible.
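As an added illustration of the “view onto your IT infrastructure at any time” described above (example code written for this page, not a Symantec or any other vendor’s tool), the script below evaluates a constructed endpoint inventory against a constructed policy covering the items the post lists: patch age, endpoint protection signature age, application versions and password length. Host names, dates, versions and thresholds are all made up.

```python
from datetime import date

# Constructed inventory: the per-endpoint facts an automated collector might
# report (patch date, signature date, application versions, password policy).
INVENTORY = [
    {"host": "fin-ws-01", "last_patch": date(2008, 4, 12), "av_sig_date": date(2008, 4, 17),
     "apps": {"reader": "8.1.2"}, "min_pw_len": 8},
    {"host": "fin-ws-02", "last_patch": date(2008, 2, 3), "av_sig_date": date(2008, 4, 17),
     "apps": {"reader": "8.1.2"}, "min_pw_len": 8},
    {"host": "hr-lt-07", "last_patch": date(2008, 4, 15), "av_sig_date": date(2008, 3, 1),
     "apps": {"reader": "7.0.9"}, "min_pw_len": 6},
]

# Constructed policy: the thresholds you would have to prove to an auditor.
POLICY = {
    "max_patch_age_days": 30,
    "max_av_sig_age_days": 7,
    "min_app_versions": {"reader": (8, 1, 2)},
    "min_pw_len": 8,
}

def parse_version(text):
    """Turn '8.1.2' into (8, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def evaluate_host(host, policy, today):
    """Return the list of policy failures for one endpoint (empty means compliant)."""
    findings = []
    patch_age = (today - host["last_patch"]).days
    if patch_age > policy["max_patch_age_days"]:
        findings.append(f"patches {patch_age} days old")
    sig_age = (today - host["av_sig_date"]).days
    if sig_age > policy["max_av_sig_age_days"]:
        findings.append(f"endpoint protection signatures {sig_age} days old")
    for app, minimum in policy["min_app_versions"].items():
        installed = host["apps"].get(app)
        if installed is None or parse_version(installed) < minimum:
            findings.append(f"{app} {installed or 'missing'} below required version")
    if host["min_pw_len"] < policy["min_pw_len"]:
        findings.append(f"password length policy {host['min_pw_len']} < {policy['min_pw_len']}")
    return findings

def compliance_report(inventory, policy, as_of):
    """Map each host to its findings as of an ISO date: the any-time view, not the audit-day scramble."""
    today = date.fromisoformat(as_of)
    return {h["host"]: evaluate_host(h, policy, today) for h in inventory}

if __name__ == "__main__":
    for host, findings in compliance_report(INVENTORY, POLICY, "2008-04-18").items():
        print(host, "OK" if not findings else "; ".join(findings))
```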
InfoSec and Data Destruction
There were a lot of interesting companies and products at InfoSec this year. However, one I was particularly fascinated to see was called Secure I.T. Disposals Limited. They offer a number of services including on-site disk destruction. While a number of companies offer shredding of disks, CDs and tapes, SITD will bring their shredder on-site and grind disks there-and-then. Why is this of interest?
Data loss is not just about the ‘electronic’ copies of information; it also covers the physical media. Printed reports that haven’t been shredded and are found in skips, or at the side of the road, have made the news every year for the last decade or so. This is making people revisit their paper shredding policy - looking at the need to shred particularly sensitive documents on site. This on-site destruction should also be considered for disks, (backup) tapes and CD-ROMs which are no longer required. Of course this isn’t for every piece of information, just the really sensitive things - you don’t want your data to disappear on the way to the recycling plant. It is good to see companies, such as SIDL, offering such a service.
I have used a picture of a ‘shredded’ disk drive in my talks for a while, and my thanks to Mark at SIDL for a small perspex box containing a shredded disk - I’m a great fan of props!

InfoSec and BERR
At InfoSec 2008 in Olympia yesterday I helped launch the results of the Department for Business, Enterprise and Regulatory Reform 2008 Information Security Breaches Survey. This is a study carried out by PricewaterhouseCoopers and sponsored by a number of vendors including Symantec.
The results are promising and gloomy at the same time. The good news is that the number of companies infected by malicious software is down by 60%. The bad news is that minor infections are no longer considered a security incident and so are not reported - they are just seen as an everyday occurrence that the IT department needs to resolve. The acknowledgement that anti-virus is no longer the only requirement for endpoint protection, and that anti-spyware and anti-malware in general are required, is good news; however, there is also a concern among businesses that the more silent and stealthy attacks are going to increase.
Below is a picture of me and the team at InfoSec launching the Interactive Theatre.

Phishing From A Great Height
Most people think of phishing as something which is done across millions of people at a time - and only the daft fall for it. However, this is not always the case - how about going for CEOs? CEOs are busy people, and when they get an email about a subpoena in a civil case you end up fooling a few. This happened this week, as reported in the NY Times, and just points to how crafty the cyber criminals are getting. The email looked official, with official-looking graphics and a link to a site with the full details. Of course if you followed the link - and you didn’t have up-to-date anti-malware - you got infected with a nasty keylogger.
What could the CEO have done? The obvious comment is that they should have checked the content and the validity. BUT… who has the time to do that? In this case the fear factor from a social engineering perspective comes into play and the knee-jerk reaction is tough to control. However, that is what you need to do - if you receive an email which you were not expecting then sit back and think about it. We live in a world where people think they should respond to email instantly - sometimes a little additional thinking time would help. In this case there were names and addresses - it looked real, but there were no telephone numbers - and would the district court rely on email to issue a subpoena? No… if it was that important it would come via the mail, probably as a registered letter. So, there were a few pointers that should have raised alarms. The truth is that everyone needs to remain vigilant - and become a little more wary of unsolicited and unexpected email.
As for a catchy term for this new kind of phishing… Whaling… after all, this is all about going after the biggest fish in the sea. (I know, whales are mammals… but you can’t have it all!)
Eat In And Take-Away
It was reported this weekend that a member of the military popped into a McDonald’s and, while there, an opportunist took his laptop from under his chair. Bad News. However, the laptop was encrypted and password protected. Good News. The laptop apparently contained no sensitive information. Strange News.
It’s good to hear that government laptops are now being protected appropriately, although if there is no sensitive data, then why does it need to be encrypted - perhaps a little overkill? Maybe the definition of sensitive is different, or perhaps it might contain sensitive data in the future? When it comes to laptops, full disk encryption is the best bet - that way you can be sure the data is reasonably well protected - and if you happened to be in the US then you wouldn’t have to disclose the fact it was lost. Perhaps this was disclosed over here to start re-building confidence in the government’s data handling policy?
Post A Picture… End Up In Jail?
When is a picture on a social networking site a threat to national security? According to a report, Israeli defence chiefs have realised that pictures of sensitive military installations are being posted on Facebook. People now have a fascination with social networking, taking pictures and posting them online for the world to scrutinize.
The story might seem a little draconian, but they are still allowing pictures of people - just not with sensitive information in them. If you look around the web you can find pictures of other people at work (including myself - if you look hard enough); however, on some of them you can read what is written on yellow stickies attached to monitors and cube walls. Another source of information for the enterprising criminal… so just beware: cyber criminals may well be more interested in the background of a picture than the foreground…
London & Stockholm
Symantec are at InfoSec 2008 next week in London’s Olympia. We are sponsoring the first of the Interactive Theatre sessions on Tuesday 22nd April - a Cyber Attack Special. So come along, take a look and vote on the questions we will be asking. Bruce Schneier is one of the special guests - it should be entertaining and informative at the same time.
I’m also in the Opening Keynote for the presentation of PwC Department for Business, Enterprise and Regulatory Reform Information Security Breaches Survey - which has some great information and a few scary statistics.
Later in the week, on Thursday 24th, I’m presenting at the Affärsvärlden Bank & Finans Outlook 2008 in Stockholm, where I will be talking about IT governance, risk and compliance.
So, if you are around, come and say hello.
Don’t Take Sweets From Strangers
We spend a lot of time educating children about the dangers of strangers. Don’t speak to strangers, don’t get in cars with people you don’t know and don’t take sweets from them. This education starts from an early age and so becomes part of their philosophy.
It is time we did the same thing for information that is requested online - and the education needs to start just as early. Why would you give your name and address to someone online when you wouldn’t dream of doing the same thing if someone asked you for them in the street? What about credit card and bank details - of course not. But… online… well, anything goes. When you do need to use a credit card in a shop, then you are ‘in the shop’, and that goes a long way towards establishing that it is a bona fide shop which has a (hopefully) good reputation - when you are online how do you know who you are dealing with? What additional precautions do you take to ensure that you will not be ripped off, or become another identity theft statistic?
Of course this is not just about children - it is about everyone who is active on the Internet. Education that changes behaviour is tough - the earlier you start the more you remember and the behaviour becomes second nature.
At the moment, I guess most cyber-criminals talk of their latest exploits and the gullibility of their victims as “it’s as easy as taking candy from a child”.