Tape Glorious Tape, There’s Nothing Quite Like It
Another data loss incident… 2.2 million billing records. They were on tape, in a car, and the car was broken into - no tapes. The driver had worked for 18 years with the company - alas no more, as they had violated the company’s information protection policy - they shouldn’t have taken them home, they should have gone straight to off-site storage. Tapes are great - high capacity, low cost, easy to transport, easy to store, no moving parts (when it’s on the shelf!), great for long term storage and still an integral part of most companies’ IT environments. But… also easy to lose… and often the data is stored in an open format - so you don’t need a password or anything else to get at it. Far easier to steal a tape than to break into a server…
OK, so it seems cut ‘n’ dried… but… what if the driver had been in an accident and the tapes had been lost? What if the off-site storage (which is run by a 3rd party) was broken into and the tapes stolen? The company is not saying if the data was encrypted or not, but my guess is that it isn’t, so therefore either of these other scenarios could also be valid - and would result in the loss of data.
Part of developing an information security policy is to revisit processes which touch sensitive data - this includes all occasions and possibilities when it can go offsite, or is handled by a 3rd party. It has to include tape backups, CDs, DVDs, USB sticks, and any other physical copies of the data, including laptops.
The simple rule is… if it is going offsite, for whatever reason, it needs to be encrypted. Full stop.
(In this case, encrypted backups should have been employed - not just for the car break-in scenario, but also the other ones as well…)

Not Waving But Drowning
Hurray, Google and Intel have come up with a way to reduce the impact of email on our daily lives. Turn it off - for fifteen minutes at a time. What!?!?! Simple discipline is all that is needed - you don’t have to respond to email the second it arrives, or Instant Messaging for that matter - what would happen if you didn’t? Would the world stop turning, the lights dim, or any other catastrophe occur - no, of course not.
Introduction of ‘no email days’ is also being hailed as a good thing… I remember when an old colleague introduced the same thing a few years ago and was ridiculed in the press for it! What goes around, comes around.
So - let’s put email back in its place, it is a business tool - which helps us to work more effectively and efficiently - it is not ‘work’ in and of itself. Patience must be expected from the sender’s perspective: if you don’t get a reply in 5 minutes, don’t resend or phone them up to see if they have got the email… if you are a recipient, then don’t think you have to respond immediately - and don’t foster the expectation that you always will. Task switching (in this case in and out of email) destroys productivity and therefore effectiveness! Creating the additional stress of believing that you have to respond to every email ‘first’ is not good for you - or the company. Companies should create and communicate email policies which outline good email practice, perhaps that a response will be given in 24 hours, or 4 hours - you decide, but set the right expectations for everybody’s sake.
There are always exceptions, but let’s bring back a little old fashioned common sense.
Cultural Failures?
Finally the Poynter report is being released into the HMRC data loss and the conclusion… the loss of records can’t be blamed on a single official. For me the good news is that the poor sap junior official who was being blamed now isn’t - it was never their sole fault, after all they were just following orders. The report highlights ‘cultural failures’ and practices that weren’t what they should have been. The former is an interesting comment and the latter rather obvious given what occurred.
Data loss on a massive scale is not new, if you look back a few years (yes years), the American Veteran Association lost millions of records… TJX did the same… and yet things didn’t change. It’s not just the UK, but across the globe. It didn’t use to be a crime to lose a laptop - the change in the environment has (virtually) made it so. We live now in a time where the attitude towards personal data is beginning to change, but like an oil tanker, it is going to take a while to turn around. Most companies (and governments) don’t know where their sensitive data is - and until they know that, how can they possibly protect it? If they don’t know which business processes handle or even touch sensitive data then how can they change them?
Information security policies need to be created, consistently implemented and then audited - on a regular basis.
If you have a bank account, a credit card, pay taxes, do a little shopping online, then your details will be in around 700 databases! If you are one of the people handling sensitive data (or think you have sensitive data) then look at what you do - look at where you can fix potential issues or find someone else who can. Technology alone is not the silver bullet. Above all else, treat the information you handle with the same due care and attention that you would want others to do with yours.
It is only when people truly understand the risks and consequences and change their behaviour that the culture will change.
How Would You Know?
There is a case running in the US at present where a student hacked into his school’s database and changed his grades. This could be considered malicious data corruption! The allegations arose when some cross checking showed up some anomalies which led to an investigation. The question is, would you know if something similar was going on in your organization?
Data loss is easy to spot if it is a laptop that has gone missing - it was here one minute, now it’s gone. Data skimming is tough to spot, i.e. where data is being slowly and steadily extracted, for example over a wireless network - but it does eventually get found out, however, it sometimes takes years. But what about malicious data corruption, how would you know? In this case it was relatively simple to spot once the cross check event occurred - but what if there hadn’t been the need for a cross check? What if someone had broken into a system and upped a credit note? The automated cheque system would probably print out the rebate without hesitation - providing it wasn’t over a specific amount.
Audit trails would provide some comeback (should a cross check occur) but the operation to alter credit notes is probably a valid function, so how would you know which was ‘real’ and which was not?
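One way to answer “which was real and which was not” is to make the audit trail the thing you reconcile against: every change made through the application is appended to a log whose entries are chained with an HMAC, and a periodic job rebuilds the expected state from that log and compares it with the live table. A record whose live value the trail cannot account for was changed some other way. The script below is an added example, not code from the original post or from any product mentioned in it; the student records, the audit entries and the key are constructed for illustration, and the column names are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample data: the "live" records table as it stands today.
# Record s3 was altered directly, outside the audited update path, which is
# exactly the scenario the post asks about.
LIVE_RECORDS = {
    "s1": {"grade": "B"},
    "s2": {"grade": "A"},
    "s3": {"grade": "A"},   # audit trail only accounts for "C"
}

# Hypothetical key for the demo. In a real deployment it belongs to the
# auditing system, never to the application that writes the records.
AUDIT_KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def entry_mac(prev_mac: str, entry: dict) -> str:
    """HMAC over the previous entry's MAC plus this entry's canonical JSON."""
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(log: list, entry: dict) -> None:
    """Append an audited change; the MAC binds it to everything before it."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({**entry, "mac": entry_mac(prev, entry)})


def build_log() -> list:
    """Constructed audit trail: the changes that went through the application."""
    log = []
    append_entry(log, {"seq": 1, "record": "s1", "field": "grade", "old": None, "new": "C", "who": "teacher1"})
    append_entry(log, {"seq": 2, "record": "s1", "field": "grade", "old": "C", "new": "B", "who": "teacher1"})
    append_entry(log, {"seq": 3, "record": "s2", "field": "grade", "old": None, "new": "A", "who": "teacher2"})
    append_entry(log, {"seq": 4, "record": "s3", "field": "grade", "old": None, "new": "C", "who": "teacher2"})
    return log


def verify_chain(log: list) -> int:
    """Return the index of the first entry whose MAC does not verify, or -1.

    Editing or deleting an entry breaks every MAC from that point on, so a
    tampered trail cannot be passed off as the genuine record of changes."""
    prev = GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "mac"}
        if not hmac.compare_digest(entry_mac(prev, body), e["mac"]):
            return i
        prev = e["mac"]
    return -1


def expected_state(log: list) -> dict:
    """Replay the trail to get the value each field should hold now."""
    state = {}
    for e in log:
        state.setdefault(e["record"], {})[e["field"]] = e["new"]
    return state


def reconcile(live: dict, log: list) -> list:
    """List (record, field, expected, actual) for every live value the audit
    trail does not account for. An empty list means every change is explained."""
    expected = expected_state(log)
    findings = []
    for rec, fields in live.items():
        for field, actual in fields.items():
            exp = expected.get(rec, {}).get(field)
            if exp != actual:
                findings.append((rec, field, exp, actual))
    return findings


if __name__ == "__main__":
    trail = build_log()
    print("chain intact:", verify_chain(trail) == -1)
    for finding in reconcile(LIVE_RECORDS, trail):
        print("unexplained change:", finding)
```

The cross check in the post happened by luck; running `reconcile` on a schedule makes it routine, and `verify_chain` stops the obvious counter-move of editing the trail to match. The same shape applies to the credit-note case: the rebate is only “real” if the trail explains how the amount got there.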
How High… How Low: Part 2
… OK, so now the story is that there was some confidential information on the stolen PC - and that it was emailed from an internal account to the one on the PC.
How many times have you emailed something either to or from a personal email account - just because it was convenient? Several, I suspect. Once again, it didn’t use to be a crime to lose a laptop, but it virtually is now… similarly no-one used to mind (or notice) if email came and went from personal accounts - but that’s all changed. Technology can now be deployed to prevent this type of ‘accident’ from happening - and of course process, procedure and policy should also be changed to prevent it from occurring. Education is once again top of the list. Why is it bad to use ‘public’ email (the data’s in the clear for one thing!), why should you check the recipients (The Wrong Dave…), why does this keep happening… Time to wise up…
Ransomware Is Back… And It’s Bad
Just so you know - ransomware is making a comeback. For those of you who haven’t come across the term, this is where your machine gets infected with some malware, perhaps through a virus attached to an email, but these days it is more likely to be through a download (especially from a social networking site). The malware encrypts all the data on your drive and then offers to decrypt it - for $50. This is an interesting amount, $50, not much or at least not much to worry about - if it was $5000 then you might think twice. Of course the question is… how are you going to pay them?!?!? Perhaps give them your credit card number or bank details… and they will take $50. And the other $1000+… So, perhaps it’s better not to pay!
How can you prevent it…? Well ensuring that you have anti-virus and anti-malware software installed and up to date is a good start. Then just be vigilant - make sure that when you are asked to download something, (a) you really need to and (b) it is from who you expect. As ‘insurance’, take regular backups - and keep them somewhere safe, not attached to the machine (as they will then be encrypted as well if they are an external hard disk or USB device.) Then if disaster strikes at least you have a copy. You will need to reformat the machine and reinstall the operating system, but at least you haven’t given away your credit card or bank account details and you still have your data.
How High… How Low?
It was reported yesterday that an MP’s PC had been stolen from a constituency office. There was the usual ‘rush’ to assure everyone that there wasn’t anything ‘secret’ or ‘top secret’ on it. This is only really interesting as it reminds us that desktops as well as laptops can be stolen - and it doesn’t matter if you are high up in government or just one of the rest of us. Certainly from a business perspective, the loss of desktops is significantly lower than that of laptops (there are easier targets, although there was a data centre that was targeted and even disk arrays stolen) - however, for small businesses and especially for individuals desktop machines as well as laptops are targeted by burglars.
Most home computers have confidential data on them, perhaps it is a cookie for on-line banking (giving a thief easy access), or maybe other account information for credit cards, or other on-line shopping accounts. For business laptops we talk about full disk encryption as being best practice to protect the data against theft, we should also consider the same practice for desktops and home computers. Of course, you also need to look at doing a backup, while it’s great that your data doesn’t fall into the wrong hands - you will also need a copy yourself.
Just so you know… encryption does give a little overhead (i.e. it slows it down a little) but probably not so as you would notice. From both an enterprise and a consumer perspective there are tailored solutions on the market, and for individuals you can use the solution built into the operating system or there are a number of ‘free’ solutions as well. There is no excuse.
Data protection begins at home! (As well as in the office, or on the road, …)
Time To Get Personal?
Gartner has now recommended that employees buy their own laptops. There is nothing new in the concept, otherwise known as consumerisation. The idea is simple, employees buy and use their own hardware for work. In the US, it was the iPhone which has driven the move to consumerisation, lots of people rushed out to buy one and then asked their IT departments to support them. Herein lies one of the issues - support. The other one being licensing.
From a licensing perspective, who owns the software? Is it the company or the individual, what happens when they leave? From a support perspective what happens when a machine goes wrong? If there is a standard build, with a standard machine, then it is simple to fix or just to deliver a replacement. If it is down to the employee to get it fixed, do they do that on their own time? What happens if they don’t - laptops are an essential business tool if not available then productivity can drop to zero! What happens with backup? Who is responsible for doing it and how is it done? What about data loss prevention? If the machine has company information on it, what happens to it when the employee leaves?
There have been a number of successful schemes, but it is still early days. Before rushing in to save costs companies need to work through the issues and ensure that their corporate policies cover all eventualities.
Symantec Vision Conference - Day 3
The big wrap-up today. However, before that some great sessions on topics like using software to reduce power consumption, a big part of green IT and the Veritas Virtual Infrastructure. Some repeated sessions - due to popular demand and a last chance to wander around the partner / exhibit hall.
Mark Bregman closed the conference with a look at trends for the future: consumerization of IT, the boundaryless enterprise and yet more green IT. More on those topics in the coming months.
The final wrap-up was with the Mythbusters, Adam Savage and Jamie Hyneman from the Discovery Channel - which made for a great close. All-in-all it was a good conference, as I had hoped there was time to meet old friends and make some new ones. Several people liked the fact that they could download sessions they had missed onto their iPods, and one customer was frantically trying to fill his iPod up before heading back home to Australia. Until next year… I hope you all had a safe journey home.
24 Percent
A civil servant has been suspended for leaving top secret documents on a train. A recent survey showed that 24% of data loss was through paper records, so perhaps this should come as no surprise. As I think back through the past decade or more there has always been one or two occasions each year where records were found, in a skip or beside the road, and before now it was reported and that was that. However today, as we all know, data loss is taken much more seriously.
Electronic data is easily transported, readily copied and therefore simple to use. You can also get a lot of information in a very small space… losing the details on 20 million people in paper form would require a sizeable truck!
We now protect electronic information, either by encryption (if you have a laptop or mobile device) or by content analysis and classification - preventing emails being sent to the wrong people or data being copied unencrypted onto CD ROMs etc. But what to do about paper records? We are back to people and processes. Awareness that paper can be just as damaging as electronic records needs to happen and the processes whereby records are printed out need to be re-examined - especially to ensure the appropriate destruction, e.g. shredding. In the same way that we are questioning the need for people to have copies of sensitive or confidential electronic information on their laptops, companies should also look at why they need to take bundles of papers home… this would be one case where an electronic version could be more secure.