Tape Glorious Tape, There’s Nothing Quite Like It

Another data loss incident… 2.2 million billing records. They were on tape, in a car, and the car was broken into - no tapes. The driver had worked for the company for 18 years - alas no more, as they had violated the company’s information protection policy: they shouldn’t have taken the tapes home, they should have gone straight to off-site storage. Tapes are great - high capacity, low cost, easy to transport, easy to store, no moving parts (when it’s on the shelf!), great for long term storage and still an integral part of most companies’ IT environments. But… also easy to lose… and often the data is stored in an open format, so you don’t need a password or anything else to get at it. Far easier to steal a tape than break into a server…

OK, so it seems cut ‘n’ dried… but… what if the driver had been in an accident and the tapes had been lost? What if the off-site storage (which is run by a 3rd party) was broken into and the tapes stolen? The company is not saying whether the data was encrypted or not, but my guess is that it wasn’t, so either of these other scenarios could also have happened - and would also have resulted in the loss of data.

Part of developing an information security policy is to revisit the processes which touch sensitive data - this includes every occasion on which it can go offsite or is handled by a 3rd party. It has to include tape backups, CDs, DVDs, USB sticks and any other physical copies of the data, including laptops.

The simple rule is… if it is going offsite, for whatever reason, it needs to be encrypted. Full stop. And the key stays behind: a tape that travels with its own key (or with the password written on the label) is no better than a cleartext one.

(In this case, encrypted backups should have been employed - they would have covered not just the car break-in scenario but the other ones as well…)
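The rule above is only enforceable if someone checks it before the tape leaves the building. The following script is an added example written for this post; it is not the company’s tooling and not anything the original article provides. It reads the first 64 KiB of a backup image and refuses to release media whose contents are in an open format. The sample size, the entropy threshold and the magic-byte tables are assumptions, and the sample files at the bottom are constructed.

```python
"""Pre-dispatch gate for backup media: refuse to release a tape image or
backup file whose contents are readable without a key.

Added example written for this post; it is not the company's tooling or
anything the original article provides. The 64 KiB sample size, the
7.9 bits/byte threshold and the magic-byte tables are assumptions.
"""
import hashlib
import math
from collections import Counter

SAMPLE_SIZE = 64 * 1024       # bytes read from the start of each medium (assumption)
ENTROPY_THRESHOLD = 7.9       # bits/byte; ciphertext sits at ~7.99 (assumption)
MIN_SAMPLE = 4096             # below this an entropy estimate is meaningless

# Containers whose header identifies them as encrypted.
ENCRYPTED_MAGIC = (
    (0, b"Salted__", "openssl enc"),
    (0, b"age-encryption.org/v1", "age"),
)

# "Open" formats: readable by anyone, even when compressed.
OPEN_FORMAT_MAGIC = (
    (0, b"\x1f\x8b", "gzip"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"BZh", "bzip2"),
    (0, b"\xfd7zXZ\x00", "xz"),
    (0, b"%PDF", "pdf"),
    (0, b"SQLite format 3\x00", "sqlite"),
    (257, b"ustar", "tar"),
)


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for a single repeated byte, 8.0 for uniform)."""
    counts = Counter(data)
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def _matches(sample, table):
    for offset, magic, name in table:
        if sample[offset:offset + len(magic)] == magic:
            return name
    return None


def classify(sample):
    """Return (verdict, reason) for the leading bytes of a medium.

    Verdicts: "encrypted" (known encrypted container), "open" (known cleartext
    or compressed format, or low entropy), "probably-encrypted" (no known
    header but random-looking), "unknown" (too little data to judge).
    """
    name = _matches(sample, ENCRYPTED_MAGIC)
    if name:
        return "encrypted", name
    name = _matches(sample, OPEN_FORMAT_MAGIC)
    if name:
        return "open", name
    if len(sample) < MIN_SAMPLE:
        return "unknown", "sample too short to estimate entropy"
    h = shannon_entropy(sample)
    if h >= ENTROPY_THRESHOLD:
        return "probably-encrypted", f"entropy {h:.3f} bits/byte"
    return "open", f"entropy {h:.3f} bits/byte"


def may_leave_site(sample):
    """Fail closed: only media that look encrypted are released."""
    verdict, _ = classify(sample)
    return verdict in ("encrypted", "probably-encrypted")


def check_file(path):
    """Classify a backup image on disk by its first SAMPLE_SIZE bytes."""
    with open(path, "rb") as fh:
        return classify(fh.read(SAMPLE_SIZE))


def pseudo_random_bytes(n, seed=b"demo"):
    """Deterministic random-looking bytes (SHA-256 chain) standing in for
    ciphertext. Constructed demo data only; real checks read the medium."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


if __name__ == "__main__":
    # Constructed samples: a cleartext SQL dump, a gzip archive, an openssl-encrypted blob.
    samples = {
        "billing.sql":     b"CREATE TABLE billing (id INT, card TEXT);\n" * 200,
        "billing.tar.gz":  b"\x1f\x8b\x08\x00" + pseudo_random_bytes(8192),
        "billing.tar.enc": b"Salted__" + pseudo_random_bytes(8192),
    }
    for name, data in samples.items():
        verdict, reason = classify(data)
        print(f"{name:18} {verdict:18} {reason}  release={may_leave_site(data)}")
```

A compressed file with an unrecognised header will pass the entropy test, so treat this as a sanity gate on the dispatch process rather than proof of encryption; the real control is that the backup job itself encrypts, and that the key never rides with the tape.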


Cultural Failures?

Finally the Poynter report into the HMRC data loss is being released, and the conclusion… the loss of records can’t be blamed on a single official. For me the good news is that the poor sap of a junior official who was being blamed now isn’t - it was never solely their fault, after all they were just following orders. The report highlights ‘cultural failures’ and practices that weren’t what they should have been. The former is an interesting comment and the latter rather obvious given what occurred.

Data loss on a massive scale is not new: if you look back a few years (yes, years), the US Department of Veterans Affairs lost millions of records… TJX did the same… and yet things didn’t change. It’s not just the UK, but across the globe. It didn’t use to be a crime to lose a laptop - the change in the environment has (virtually) made it so. We live now in a time where the attitude towards personal data is beginning to change, but like an oil tanker, it is going to take a while to turn around. Most companies (and governments) don’t know where their sensitive data is - and until they know that, how can they possibly protect it? If they don’t know which business processes handle or even touch sensitive data, then how can they change them?

Information security policies need to be created, consistently implemented and then audited - on a regular basis.

If you have a bank account, a credit card, pay taxes, do a little shopping online, then your details will be in around 700 databases! If you are one of the people handling sensitive data (or think you have sensitive data) then look at what you do - look at where you can fix potential issues, or find someone else who can. Technology alone is not a silver bullet. Above all else, treat the information you handle with the same due care and attention that you would want others to give yours.

It is only when people truly understand the risks and consequences and change their behaviour that the culture will change.

How High… How Low: Part 2

… OK, so now the story is that there was some confidential information on the stolen PC - and that it had been emailed from an internal account to the account on the PC.

How many times have you emailed something either to or from a personal email account - just because it was convenient? Several, I suspect. Once again, it didn’t use to be a crime to lose a laptop, but it virtually is now… similarly no-one used to mind (or notice) if email came and went from personal accounts - but that’s all changed. Technology can now be deployed to prevent this type of ‘accident’ from happening - and of course process, procedure and policy should also be changed to prevent it from occurring. Education is once again top of the list. Why is it bad to use ‘public’ email (the data is outside the company’s control, and possibly in the clear, for one thing!), why should you check the recipients (The Wrong Dave…), why does this keep happening… Time to wise up…

Ransomware Is Back… And It’s Bad

Just so you know - ransomware is making a comeback. For those of you who haven’t come across the term, this is where your machine gets infected with some malware, perhaps through a virus attached to an email, but these days it is more likely to be through a download (especially from a social networking site). The malware encrypts all the data on your drive and then offers to decrypt it - for $50. This is an interesting amount: $50 is not much, or at least not much to worry about - if it were $5000 then you might think twice. Of course the question is… how are you going to pay them?!?!? Perhaps give them your credit card number or bank details… and they will take $50. And the other $1000+… So perhaps it’s better not to pay!

How can you prevent it…? Well, ensuring that you have anti-virus and anti-malware software installed and up to date is a good start. Then just be vigilant - make sure that when you are asked to download something, (a) you really need to and (b) it is from who you expect. As ‘insurance’, take regular backups - and keep them somewhere safe, not attached to the machine (an external hard disk or USB device that is left plugged in will be encrypted along with everything else). Then if disaster strikes at least you have a copy - provided you have tried restoring from it at least once. You will need to reformat the machine and reinstall the operating system, but at least you haven’t given away your credit card or bank account details and you still have your data.

How High… How Low?

It was reported yesterday that an MP’s PC had been stolen from a constituency office. There was the usual ‘rush’ to assure everyone that there wasn’t anything ’secret’ or ‘top secret’ on it. This is only really interesting as it reminds us that desktops as well as laptops can be stolen - and it doesn’t matter if you are high up in government or just one of the rest of us. Certainly from a business perspective, desktops are lost far less often than laptops (there are easier targets, although there was a data centre that was targeted and even disk arrays stolen) - however, for small businesses and especially for individuals, desktop machines as well as laptops are targeted by burglars.

Most home computers have confidential data on them, perhaps a cookie or saved login for on-line banking (giving a thief easy access), or maybe other account information for credit cards or other on-line shopping accounts. For business laptops we talk about full disk encryption as being best practice to protect the data against theft; we should also consider the same practice for desktops and home computers. Of course, you also need to look at doing a backup: while it’s great that your data doesn’t fall into the wrong hands, you will also need a copy yourself.

Just so you know… encryption does give a little overhead (i.e. it slows the machine down a little) but probably not so as you would notice. From both an enterprise and a consumer perspective there are tailored solutions on the market, and for individuals you can use the solution built into the operating system, or there are a number of ‘free’ solutions as well. There is no excuse. One caveat: full disk encryption protects a machine that is switched off or locked with a decent passphrase; a desktop that is left running and logged in hands the thief the data regardless.

Data protection begins at home! (As well as in the office, or on the road, …)

24 Percent

A civil servant has been suspended for leaving top secret documents on a train. A recent survey showed that 24% of data loss was through paper records, so perhaps this should come as no surprise. As I think back through the past decade or more, there have always been one or two occasions each year where records were found in a skip or beside the road, and before now it was reported and that was that. However today, as we all know, data loss is taken much more seriously.

Electronic data is easily transported, readily copied and therefore simple to use. You can also get a lot of information in a very small space… losing the details of 20 million people in paper form would require a sizeable truck!

We now protect electronic information, either by encryption (if you have a laptop or mobile device) or by content analysis and classification - preventing emails being sent to the wrong people or data being copied unencrypted onto CD-ROMs etc. But what to do about paper records? We are back to people and processes. People need to be aware that paper can be just as damaging as electronic records, and the processes whereby records are printed out need to be re-examined - especially to ensure appropriate destruction, e.g. shredding. In the same way that we are questioning the need for people to have copies of sensitive or confidential electronic information on their laptops, companies should also look at why they need to take bundles of papers home… this would be one case where an electronic (encrypted) version could be more secure.
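Both this post and ‘How High… How Low: Part 2’ above mention technology that stops email going to personal accounts or to the wrong people. As an added example that is not part of either post and does not describe any particular product, the following script runs that kind of policy check over a handful of constructed mail-gateway log lines. The log format, the internal domain example.com, the list of personal webmail domains, the look-alike-domain heuristic and the [CONFIDENTIAL]/[RESTRICTED] subject markers are all assumptions made for the example.

```python
"""Outbound mail policy check: flag messages that leave the organisation by
the wrong route (personal webmail), carry a classification marker to an
external domain, or go to a look-alike of the internal domain.

Added example for this post; it is not a product and not anything the
original articles describe. Log format, domains and markers are assumptions.
"""
import re

INTERNAL_DOMAIN = "example.com"                                   # assumption
PERSONAL_WEBMAIL = {"gmail.com", "hotmail.com", "outlook.com",
                    "yahoo.com", "yahoo.co.uk", "aol.com"}        # assumption
CONFIDENTIAL_MARKERS = ("[CONFIDENTIAL]", "[RESTRICTED]")          # assumption

# Constructed mail-gateway log lines, not real traffic.
SAMPLE_LOG = """\
2008-06-10T09:01:12Z from=<alice@example.com> to=<alice.home@gmail.com> subject="Q3 billing extract" attachments=1
2008-06-10T09:04:55Z from=<bob@example.com> to=<dave@partner.co.uk,dave@example.com> subject="[CONFIDENTIAL] contract draft" attachments=1
2008-06-10T09:07:30Z from=<carol@example.com> to=<dave@examp1e.com> subject="lunch?" attachments=0
2008-06-10T09:09:02Z from=<dan@example.com> to=<erin@example.com> subject="[RESTRICTED] payroll" attachments=2
2008-06-10T09:11:47Z from=<news@vendor.net> to=<alice@example.com> subject="newsletter" attachments=0
"""

LOG_LINE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpts>[^>]+)> '
    r'subject="(?P<subject>[^"]*)" attachments=(?P<attachments>\d+)$'
)


def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance; used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def evaluate(line):
    """Return a list of (timestamp, recipient, reason) findings for one log line."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return []                       # malformed line: left to the parser's own alerting
    if domain_of(m["sender"]) != INTERNAL_DOMAIN:
        return []                       # inbound mail is out of scope here
    confidential = m["subject"].upper().startswith(CONFIDENTIAL_MARKERS)
    findings = []
    for rcpt in m["rcpts"].split(","):
        dom = domain_of(rcpt)
        if dom == INTERNAL_DOMAIN:
            continue                    # internal recipients are fine
        if dom in PERSONAL_WEBMAIL:
            findings.append((m["ts"], rcpt, "personal webmail recipient"))
        if confidential:
            findings.append((m["ts"], rcpt, "classified message to external domain"))
        if edit_distance(dom, INTERNAL_DOMAIN) <= 1:
            findings.append((m["ts"], rcpt, "look-alike of internal domain (wrong recipient?)"))
    return findings


def scan(log_text):
    """Run evaluate() over every line of a log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(evaluate(line))
    return findings


if __name__ == "__main__":
    for ts, rcpt, reason in scan(SAMPLE_LOG):
        print(f"{ts} {rcpt:28} {reason}")
```

Whether a finding blocks the message or merely warns the sender is a policy decision, not a technical one; the gateway cannot see what a personal account forwards on afterwards, which is why the webmail rule fires on the recipient alone rather than on the content.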

Just One Cotton Picking Moment

Cotton Traders revealed that their website had been hacked and details of 38,000 transactions had been stolen. They have now worked with experts to fix the problem. OK, so this is ‘yet another’ case of data loss - however, I find it interesting that the target organization is relatively small and yet it was obviously still worth the criminals’ while to attack it. Is this because smaller organizations do not necessarily have the security expertise to secure their environments, or because their website was unpatched and therefore open to a well-known attack? We don’t know; all we know is that they were attacked and they have now fixed the problem.

Smaller companies seem to think that they will not be a target for an attack… “It won’t happen to me, I’m too small to be on the radar” - this case shows that is not so. Hopefully other smaller companies will now sit up, take notice of the potential threats and associated consequences, and look at how they can prevent it from happening to them.

Where’s The Boundary?

A man has been accused of stealing clients using LinkedIn. In this instance, the person involved is a recruiter and he allegedly ‘linked’ to clients while working at one company and then left to start a rival firm - taking his contacts from LinkedIn with him.

Is this data theft? Or is this something that people used to do all the time but because it wasn’t on the ‘web’ people couldn’t find out about it? I think it is the latter. We all create contacts while at work, and some are more organized than others and file them, others, like myself, have a large pile of business cards with notes on them. I guess that if you are a recruiter, you too would have a large pile of business cards - and if you invite people on LinkedIn, well, isn’t that also something we all do?

Should companies look at banning LinkedIn, in the same way as they did with Facebook? That was only to find it wasn’t practical: people would spend more time finding a way around the block than they would using the site, so we have seen a reversal of this trend. So, no, it shouldn’t be banned. Should it be subject to (yet another social networking) policy - something that defines the boundary between work and not-work? Perhaps… but I would think that people would just add the contacts while at home. I don’t think you can be banned from doing that; after all it’s what LinkedIn is all about - keeping up with friends and colleagues in a business context. Maybe companies need to create their own ‘company’ LinkedIn accounts - so that, if nothing else, they have a copy of the information as well.

The way to look at this is that when someone new joins your company, they bring with them their contacts - rather than when they leave, they take them away.

What The FAX…

Bad process strikes again. A businessman was convicted and jailed for fraud after one of his employees accidentally sent a fax to the wrong person, resulting in some unfortunate data loss! While sending email to the wrong person is commonplace, sending a fax to the wrong person is seldom reported. However, it does show that data can be lost in a variety of ways, and the risks and consequences can be quite dire.

Businesses need to start thinking out of the box when looking at processes in order to catch all the different ways in which data can accidentally (or otherwise) be lost, leaked or breached. Fax machines, printers and photocopiers all pose a risk as they tend to keep a copy of the data on an internal disk before processing it. So, if someone walks out with the physical device (or just its disk) they could retrieve the data. New(er) copiers now encrypt the data on the disk, making it much harder to recover anything from a stolen disk… is this true of the devices in your organization, is the feature actually switched on, and is the disk wiped before a leased machine goes back?

Do You Live Where You Live?

Experian listed the top 25 riskiest postcodes - riskiest from the perspective of ID fraud, so someone else may be pretending to live where you live! Apparently you are most at risk if you earn more than £50k, are self-employed or a company director, and rent rather than own your home.

I can quite believe that there are areas where you are most at risk from ID theft - just as with any theft, the criminals are going to go after someone who looks like they have money rather than one who doesn’t. However, I am not sure how they can readily spot company directors or the self-employed… or that you earn more than £50k per year. As for renting rather than owning, that can be more readily found out, and as a rented property has probably had a number of occupants in recent years, getting an old utility bill from a rubbish bin might be easier.

Still, it makes for interesting reading… and whether or not you live in one of the mentioned postcodes, it serves to remind us to be careful with our personal information. Always shred utility bills, credit card and bank statements rather than throw them away. Shred speculative ‘you have been approved’ credit card junk mail and get yourself off their lists.

Think what the information you are throwing out could be used for if it fell into the wrong hands - and make sure it doesn’t happen.
