Time To Check Your DR/BC Plans?

The UK had some unexpected power outages yesterday and it no doubt caught a few companies off guard. One hospital had to cancel operations when its backup generator failed. We take power for granted: you switch on a light and it works - but this shows that we shouldn’t. While it was a ‘freak event’ that caused it, freak events are what usually cause ‘disasters’.

Disaster Recovery / Business Continuity (DR/BC) plans are only any good if they are regularly tested. You don’t need to carry out complete tests every week, but there should be a schedule for partial and complete testing. Power outages are probably the most likely cause of a disaster (although last year it was flooding), so regular testing of emergency generators needs to happen. If generators are fired up then they use fuel, so make sure that it is replaced (unlike one company that didn’t do this, so its generators stopped after 15 minutes). Regular testing of critical application fail-over also needs to happen. Application dependencies are increasingly complicated, so failing over to a disaster recovery site becomes more complex. Service Oriented Architectures (SOA) add further to the complexity by providing functionality that you may not be in control of - DR plans need to take these into account as well. What if your 3rd party mapping service goes down - what will replace it?

In the US they have rolling blackouts (scheduled outages), and in South Africa there are regular blackouts (2-3 a week); this keeps the IT department and the DR/BC teams on their toes. We are lucky to have a better power supply, but it isn’t perfect - so check your contingency plans today.

Do You Live Where You Live?

Experian listed the top 25 riskiest postcodes - riskiest from the perspective of ID fraud, that is - so someone else may be pretending to live where you live! Apparently you are most at risk if you earn >£50k, are self-employed or a company director, and rent rather than own your home.

I can quite believe that there are areas where you are more at risk from ID theft - just as with any theft, the criminals are going to go after someone who looks like they have money rather than someone who doesn’t. However, I am not sure how they can readily spot company directors or the self-employed… or that you earn more than £50k per year. As for renting rather than owning, that can be found out more readily, and as a rented property has probably had a number of occupants in recent years, getting an old utility bill from a rubbish bin might be easier.

Still, it makes for interesting reading… and whether or not you live in one of the mentioned postcodes, it serves to remind us to be careful with our personal information. Always shred utility bills, credit card and bank statements rather than throwing them away. Shred speculative ‘you have been approved’ credit card junk mail and get yourself off their mailing lists.

Think what the information you are throwing out could be used for if it fell into the wrong hands - and make sure it doesn’t happen.

The Fine Art Of Zippering…

… or ‘enrichment’ as it is sometimes known. Zippering is where you take data from multiple sources and put it together to create something more meaningful. It is usually used in the ‘phishing’ sense, where cyber criminals gather information to put together a targeted attack (aka spear phishing). However, there are calls to collect all sorts of information in a single database, and that raises a number of problems - quite apart from the privacy ones!

Firstly, if someone gets hold of all the information, they need look no further, as it is a treasure trove for phishers. Secondly, when zippering information it is vitally important that the pieces relate to a specific individual - and this is the tough part. Imagine if it is done based on name… oops… too many John Smiths out there… what about address… umm… well, there are quite a few people at the same address who have different email addresses… by phone record… pay-as-you-go. Email… cyber cafés. The list of potential problems is vast. If you do get it wrong the consequences for an individual can be disastrous. There was recently a case where a stolen credit card was used to download illegal material - and the card owner was accused, which, to all intents and purposes, destroyed his reputation and his life.
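To make the matching problem concrete, here is an added example (not from the original post, and not anyone’s real data): a naive ‘zipper’ that joins two constructed data sets on name alone, beside a conservative version that requires several fields to agree and refuses to merge when the match is absent or ambiguous. The records, names and addresses are invented to reproduce the ‘too many John Smiths’ case.

```python
"""Added example: naive vs. conservative record linkage ("zippering").

Constructed sample data; not from the original post. The records below are
invented to reproduce the 'too many John Smiths' problem."""
from collections import defaultdict

# Source A: constructed card-holder records. Two different John Smiths, and two
# people (John Smith and Jane Doe) at the same address.
CARD_HOLDERS = [
    {"name": "John Smith", "address": "12 High St", "dob": "1970-03-01", "card": "ending 4242"},
    {"name": "John Smith", "address": "7 Mill Lane", "dob": "1985-11-23", "card": "ending 9999"},
    {"name": "Jane Doe",   "address": "12 High St", "dob": "1992-06-30", "card": "ending 1111"},
]

# Source B: constructed activity records that someone wants to attribute to a card.
ACTIVITY = [
    {"name": "John Smith", "address": "7 Mill Lane", "dob": "1985-11-23", "event": "download"},
    {"name": "J. Smith",   "address": "12 High St", "dob": "1970-03-01", "event": "login"},
    # Mixed-up fields: the first John Smith's address with the second one's date of birth.
    {"name": "John Smith", "address": "12 High St", "dob": "1985-11-23", "event": "purchase"},
]


def surname(name):
    return name.split()[-1].lower()


def naive_link(activity, holders):
    """Join on full name alone: returns {event: [cards]}.

    Over-matches (one event lands on every John Smith) and under-matches
    ('J. Smith' matches nobody)."""
    by_name = defaultdict(list)
    for rec in holders:
        by_name[rec["name"].lower()].append(rec["card"])
    return {a["event"]: by_name.get(a["name"].lower(), []) for a in activity}


def strict_link(activity, holders):
    """Join on surname + date of birth + address and accept only a unique hit.

    Returns {event: card} with None where the match is absent or ambiguous,
    so nothing is merged onto the wrong person."""
    index = defaultdict(list)
    for rec in holders:
        key = (surname(rec["name"]), rec["dob"], rec["address"].lower())
        index[key].append(rec["card"])
    linked = {}
    for a in activity:
        candidates = index.get((surname(a["name"]), a["dob"], a["address"].lower()), [])
        linked[a["event"]] = candidates[0] if len(candidates) == 1 else None
    return linked


if __name__ == "__main__":
    print("naive :", naive_link(ACTIVITY, CARD_HOLDERS))
    print("strict:", strict_link(ACTIVITY, CARD_HOLDERS))
```

The naive join attributes the ‘download’ to both John Smiths and loses ‘J. Smith’ entirely; the strict join attributes each event to exactly one card holder and leaves the mixed-up ‘purchase’ record unmatched rather than guessing. In a real system the unmatched residue is what goes to a human for review, not into the merged record.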

So… if we are going to collect vast amounts of information it needs to be secure AND accurate - and failure on either count is not (as the saying goes) an option.

The Wrong Dave

We’ve all done it - a little too quick on the ‘send’ button and the email has gone to the wrong person. Email systems are just trying to be helpful when they predict which address you want from the first few letters… ‘d’, ‘a’, ‘v’, {return} and you have inadvertently selected the wrong recipient. Usually it doesn’t matter, but in a case this week it did. The consequences in this case were not too great - but imagine it was health information, or credit card details. There is technology out there (and yes, Symantec has some) which looks at the content of email and can prevent it going outside the organization - or rather can check that this is what you really meant to do.

Content-based classification and automated policy management are available today and can solve the problem of ‘the wrong Dave’.
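As an added illustration of what such a content check does (this is not code from the original post and not Symantec’s product; the internal domain, the sample messages and the policy are assumptions), the following Python looks at an outbound message’s recipients and body, validates any card-number-shaped digit runs with the Luhn check so that order numbers are not flagged, and blocks a message that would carry a card number to an address outside the organization:

```python
"""Added example: a content-based check on outbound mail for 'the wrong Dave'.

Not from the original post and not a vendor product; a minimal illustration of
the idea. ORG_DOMAIN and the sample messages are assumptions."""
import re

ORG_DOMAIN = "example.com"  # assumed internal domain

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn check-digit validation; weeds out order numbers and similar
    digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def external_recipients(addresses):
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() != ORG_DOMAIN]


def check_outbound(message):
    """Policy: card numbers may not leave the organisation.
    Returns ("block", reason) or ("allow", reason)."""
    external = external_recipients(message["to"])
    cards = find_card_numbers(message["body"])
    if external and cards:
        return ("block", "%d card number(s) addressed to %s" % (len(cards), ", ".join(external)))
    if external:
        return ("allow", "external recipient, no card numbers found")
    return ("allow", "internal recipients only")


# Constructed sample messages. 4111 1111 1111 1111 is the well-known Visa test
# number; the 'order ref' is a 16-digit run that fails the Luhn check.
SAMPLE_BODY = ("Hi Dave, the customer's card is 4111 1111 1111 1111, expiry 12/10. "
               "Order ref 4111111111111112.")
WRONG_DAVE = {"to": ["dave@example.org"], "body": SAMPLE_BODY}        # auto-completed external Dave
RIGHT_DAVE = {"to": ["dave.jones@example.com"], "body": SAMPLE_BODY}  # the intended internal Dave

if __name__ == "__main__":
    print(check_outbound(WRONG_DAVE))
    print(check_outbound(RIGHT_DAVE))
```

The same body is allowed to the internal Dave and blocked to the external one; only the Luhn-valid number counts as a card number. A real deployment would add more classifiers (health identifiers, account numbers, document fingerprints) and usually a ‘did you mean to do this?’ prompt rather than a hard block.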

Narrowing The Search…

Yet more unencrypted data has been lost… well, no surprise there to be honest. At least they know where the data is - somewhere between London and the Isle of Wight, except it could be anywhere because it was en route with a courier.

There were two process failures here. The first was that the data was unencrypted - and it was making two trips, one to the third party and one back to the owners. The second was that it took more than a week for anyone to know it was missing.

So, what to do… revisit old policies! If it involves confidential customer information and it is going offsite then it should be encrypted. [Full Stop!] Backup products today can encrypt the information - so there is really no excuse. There should also be an effective tracking mechanism for data in transit or in storage, whether it is with a 3rd party or with internal personnel. That way, if encrypted data is lost, the disaster recovery plan won’t itself become a disaster when the data turns out not to be where it was expected.

The good piece of process in this case, which we should all take heed of, was that the data was being verified as readable / usable. Frequently backup data is not checked, and you get to the point of needing it only to find it is inaccessible, or incomplete. I remember a case a few years ago when the data was required and there wasn’t any on the tape - except the header. The reason… the data had changed mount point on the system and the backup policy hadn’t been altered. So it regularly backed up ‘nothing’… and was always successful! Checking the data integrity on a regular basis is a great habit to get into.
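To show what ‘checking the data integrity’ can look like in practice, here is an added example (not from the original post; the directory names and file contents are constructed in a temporary folder). A naive backup job archives whatever is at its configured path and reports success; a separate verification step builds a manifest of hashes from the live data and checks the archive against it, which catches the ‘data moved mount point, job kept succeeding’ case described above:

```python
"""Added example: verify that a backup actually contains the live data.

Not from the original post. It recreates the 'backed up nothing, reported
success' failure with a constructed directory tree in a temporary folder and
shows a manifest check that catches it."""
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(live_dir):
    """Inventory of the data as it is now: relative path -> sha256.
    Built from the live system, independently of the backup policy, so a
    stale policy path cannot hide files from the check."""
    manifest = {}
    for root, _, files in os.walk(live_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, live_dir)] = sha256_file(full)
    return manifest


def run_backup(source_dir, archive_path):
    """A naive backup job: archive whatever is at the configured path and
    report success. An empty directory archives just fine."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return "success"


def verify_backup(archive_path, manifest):
    """Compare the archive against the manifest without a full restore.
    Returns a list of problems; empty means every expected file is present
    with the expected content."""
    problems = []
    with tarfile.open(archive_path, "r:gz") as tar:
        members = {os.path.normpath(m.name): m for m in tar.getmembers() if m.isfile()}
        if not members:
            problems.append("archive contains no files")
        for rel, digest in manifest.items():
            member = members.get(os.path.normpath(rel))
            if member is None:
                problems.append("missing: " + rel)
            elif hashlib.sha256(tar.extractfile(member).read()).hexdigest() != digest:
                problems.append("content mismatch: " + rel)
    return problems


def demo():
    """Returns (problems before the move, problems after the move, job status)."""
    with tempfile.TemporaryDirectory() as tmp:
        configured = os.path.join(tmp, "srv", "data")  # the path in the backup policy
        os.makedirs(configured)
        with open(os.path.join(configured, "customers.db"), "wb") as f:
            f.write(b"constructed sample data\n" * 100)

        first = os.path.join(tmp, "day1.tgz")
        run_backup(configured, first)
        before = verify_backup(first, build_manifest(configured))

        # The data moves to a new mount point; the backup policy is not updated
        # and the old path is left behind as an empty directory.
        new_mount = os.path.join(tmp, "mnt", "data")
        os.makedirs(os.path.dirname(new_mount))
        os.rename(configured, new_mount)
        os.makedirs(configured)

        second = os.path.join(tmp, "day2.tgz")
        status = run_backup(configured, second)  # still reports "success"
        after = verify_backup(second, build_manifest(new_mount))
        return before, after, status


if __name__ == "__main__":
    before, after, status = demo()
    print("day 1:", before or "OK")
    print("day 2: job reported %r, verification found %s" % (status, after))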

1 Server, 3 Weeks, 1.4GB Personal Information

A server was found this week chock full of personal information - 1.4GB of it. The information had been stolen from around the world and included health records and email - and within the email there was even more information relating to contacts, account details, pension savings plans (401k) and so on… 1.4GB can house a lot of useful information.

This server was quite a find… but it is not alone; we see compromised servers receiving stolen information every day, and there are a lot of them. OK, so most don’t hold 1.4GB, but they do contain tens of thousands of pieces of information. The latest Internet Security Threat Report (ISTR Vol. XIII, April 2008) reported more than 60,000 active bot-infected computers per day (a 17% increase over the previous 6 months). These aren’t all collecting information - most are sending it out (spam, phishing, DoS, …) - but some of them are. It also highlighted that of the 54,609 applications installed, 65% were malicious.

So (and I’m starting to sound like a broken record)… if you value your information and something asks to install itself, especially from within a web browser (a browser plug-in, for example), be very sure that the source of the request is legitimate - if not, then just click away.

Don’t Send The Password With The Data

It emerged this week that one organization had to send out a memo to its staff reminding them not to send out encrypted documents together with the password! I won’t mention which organization it is - as I have a feeling there are quite a few with this problem. The other one I have seen very recently is the yellow sticky note with the password attached to the laptop!

These are great examples of where the people, process and product story has broken down. In both cases encryption is the technology - and it works to protect data. The process is in place - encrypt sensitive data if it might get lost (so, on a laptop, in an email going out of the organization, on a CD, on a mobile phone, or… you get the picture) - but the process is incomplete: what do you do with the password, and how do you communicate it when required? Finally there is a lack of education for the staff (or, in this latest case, the education is retrospective and reactive rather than proactive) - why are we doing this… to protect individuals’ information, or corporate information… so if you send the password at the same time you might just as well not have encrypted it at all. Of course, there is some irony here - in the US, with its disclosure laws, if the data was encrypted when it was lost then that is the end of it - no disclosure - even if the password was on a note!

Education needs to happen from the top to the bottom of an organization and processes need to reflect every step which includes how to communicate passwords when needed.

How do you send a password… well, that just depends… in many cases you can just phone the person up and tell them, or you could send it by SMS text message… or… well, you decide - it’s your organization. The one rule is that the password travels by a different channel from the data. Just make sure that there is a policy and people know what it is.


Technologies For Data Loss Prevention

I am speaking at the SNIA Europe Academy on 20th May 2008 in London - and “Technologies For Data Loss Prevention” is the title of my session. So… two things here… firstly, I have been involved with SNIA since it first started and it is good to see an organization ‘grow up’ with its customers’ needs and the ever-changing technology. So while there are some sessions on fibre channel and other more usual storage-related items, there are also sessions like mine and on compliance challenges which talk at a different level - not just the physical storage but the information that is there and what it means to the enterprise.

Secondly, I was in with an account team at a customer to talk about futures in both storage and security, and data loss came up. The rep did a great job of explaining our latest and greatest technology (which we acquired late last year when we bought Vontu), but missed out some of the obvious ones… such as encrypting backup tapes if they are going off-site, or keeping anti-virus definitions up to date - some of the things we often think of as obvious but, as with all good management books, it is not until the obvious is pointed out that it becomes ‘obvious’.

Anyway… my session will cover the range of technologies that can (and should) be considered, and it is most definitely not ‘one size fits all’ - to be effective and cost-efficient you need a holistic approach, some of which will be ‘obvious’ and some less so. Hope to see you there.

5 Million And Counting

The White House has lost 5 million emails, which is a pretty impressive feat. More worrying is that there is confusion over what is there, what isn’t, and who is responsible. If this had been a company they would have been hauled up in front of a judge and forced to answer difficult questions; governments, however, are a different story and seem to operate on their own rules. When it comes to data loss a government does have a reputation to protect, but there isn’t the competition - you can’t choose to pay your taxes to country X… however it is up to a government to set a standard and precedent that gives its citizens confidence that, if nothing else, it can look after their information.

Perhaps it is time to have a watchdog for governments and information protection?

There Goes The Neighbourhood

In this case it was the neighbourhood that funded a glamorous lifestyle - even if they didn’t know it. This is a case of identity theft taken to a whole new extreme, with multiple neighbours of a Philadelphia couple being defrauded of $100,000. The couple had keys to neighbours’ flats and post boxes and used them to take all kinds of information, including bank account details, as well as installing spyware on their computers.

How did the neighbours not realize? Well, it seems that the couple had opened bank accounts and credit cards in their neighbours’ names - in this case using a fake driving license. (So you wouldn’t know until you tried to open an account or a credit card yourself and the credit check failed.) Try a Google image search for driving licenses and you will be amazed at how many there are… people need to realise the importance of the information they hold and, more to the point, the consequences if it falls into the wrong hands. So… if you happen to have just passed your driving test and you want to tell your friends about it - then tell them, but please don’t post a picture of your license on your social networking site!
