Transformational Government 2008

I am speaking next week (8th July) on the panel at the Transformational Government event in London. Today’s information-centric society offers a number of challenges when it comes to sharing information to become more efficient. The panel session is about data security and some of the issues that need to be overcome to assure data security and rebuild trust - it’s bound to be a lively discussion!

Tape Glorious Tape, There’s Nothing Quite Like It

Another data loss incident… 2.2 million billing records. They were on tape, in a car, and the car was broken into - no tapes. The driver had worked for 18 years with the company - alas no more, as they had violated the company’s information protection policy - they shouldn’t have taken them home, they should have gone straight to off-site storage. Tapes are great - high capacity, low cost, easy to transport, easy to store, no moving parts (when it’s on the shelf!), great for long term storage and still an integral part of most companies’ IT environments. But… also easy to lose… and often the data is stored in an open format - so you don’t need a password or anything else to get at it. Far easier to steal a tape than break into a server…

OK, so it seems cut ‘n’ dried… but… what if the driver had been in an accident and the tapes had been lost? What if the off-site storage (which is run by a 3rd party) was broken into and the tapes stolen? The company is not saying if the data was encrypted or not, but my guess is that it isn’t, so either of these other scenarios could also be valid - and would result in the loss of data.

Part of developing an information security policy is to revisit processes which touch sensitive data - this includes all occasions and possibilities when it can go offsite, or is handled by a 3rd party. It has to include tape backups, CDs, DVDs, USB sticks, and any other physical copies of the data, including laptops.

The simple rule is… if it is going offsite, for whatever reason, it needs to be encrypted. Full stop.

(In this case, encrypted backups should have been employed - not just for the car break-in scenario, but also the other ones as well…)


Cultural Failures?

Finally the Poynter report into the HMRC data loss is being released, and the conclusion… the loss of records can’t be blamed on a single official. For me the good news is that the poor sap junior official who was being blamed now isn’t - it was never their sole fault, after all they were just following orders. The report highlights ‘cultural failures’ and practices that weren’t what they should have been. The former is an interesting comment and the latter rather obvious given what occurred.

Data loss on a massive scale is not new. If you look back a few years (yes, years), the American Veteran Association lost millions of records… TJX did the same… and yet things didn’t change. It’s not just the UK, but across the globe. It didn’t use to be a crime to lose a laptop - the change in the environment has (virtually) made it so. We live now in a time where the attitude towards personal data is beginning to change, but like an oil tanker, it is going to take a while to turn around. Most companies (and governments) don’t know where their sensitive data is - and until they know that, how can they possibly protect it? If they don’t know which business processes handle or even touch sensitive data then how can they change them?

Information security policies need to be created, consistently implemented and then audited - on a regular basis.

If you have a bank account, a credit card, pay taxes, do a little shopping online, then your details will be in around 700 databases! If you are one of the people handling sensitive data (or think you have sensitive data) then look at what you do - look at where you can fix potential issues or find someone else who can. Technology alone is not the silver bullet. Above all else, treat the information you handle with the same due care and attention that you would want others to do with yours.

It is only when people truly understand the risks and consequences and change their behaviour that the culture will change.

How High… How Low: Part 2

… OK, so now the story is that there was some confidential information on the stolen PC - and that it was emailed from an internal account to the one on the PC.

How many times have you emailed something either to or from a personal email account - just because it was convenient? Several, I suspect. Once again, it didn’t use to be a crime to lose a laptop, but it virtually is now… similarly no-one used to mind (or notice) if email came and went from personal accounts - but that’s all changed. Technology can now be deployed to prevent this type of ‘accident’ from happening - and of course process, procedure and policy should also be changed to prevent it from occurring. Education is once again top of the list. Why is it bad to use ‘public’ email (the data’s in the clear for one thing!), why should you check the recipients (The Wrong Dave…), why does this keep happening… Time to wise up…

24 Percent

A civil servant has been suspended for leaving top secret documents on a train. A recent survey showed that 24% of data loss was through paper records, so perhaps this should come as no surprise. As I think back through the past decade or more there have always been one or two occasions each year where records were found, in a skip or beside the road, and before now it was reported and that was that. However today, as we all know, data loss is taken much more seriously.

Electronic data is easily transported, readily copied and therefore simple to use. You can also get a lot of information in a very small space… losing the details on 20 million people in paper form would require a sizeable truck!

We now protect electronic information, either by encryption (if you have a laptop or mobile device) or by content analysis and classification - preventing emails being sent to the wrong people or data being copied unencrypted onto CD ROMs etc. But what to do about paper records? We are back to people and processes. Awareness that paper can be just as damaging as electronic records needs to happen and the processes whereby records are printed out need to be re-examined - especially to ensure the appropriate destruction, e.g. shredding. In the same way that we are questioning the need for people to have copies of sensitive or confidential electronic information on their laptops, companies should also look at why they need to take bundles of papers home… this would be one case where an electronic version could be more secure.

The Wrong Dave

We’ve all done it - a little too quick on the ‘send’ button and the email has gone to the wrong person. Email systems are just trying to be helpful when they predict which email address you want based on the first few letters… ‘d’, ‘a’, ‘v’, {return} and you have inadvertently selected the incorrect recipient. Usually it doesn’t matter but in a case this week it did. The consequences are, in this case, not too great - but imagine it was health information, or credit card details. There is technology out there (and yes Symantec has some), which looks at the content of emails and can prevent them going outside the organization - or rather can check if that is what you really meant to do.

Content based classification and automated policy management is available today and can solve the problem of ‘the wrong Dave’.
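A sketch of the kind of content check described above, as an added example rather than any vendor's product logic: it holds a message for confirmation only when a recipient is outside the organization and the body contains a Luhn-valid card number. The internal domain `example.org`, the addresses and the message bodies are constructed assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.org"   # assumption: the organization's own mail domain
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_valid(digits):
    """Luhn checksum: filters out order references and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    hits = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def external_recipients(msg):
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    suffix = "@" + INTERNAL_DOMAIN
    return [addr for _, addr in getaddresses(fields) if not addr.lower().endswith(suffix)]

def check_outbound(msg):
    """Return 'confirm' when the sender should be asked 'did you mean this?', else 'send'."""
    if external_recipients(msg) and find_card_numbers(msg.get_content()):
        return "confirm"
    return "send"

def build_message(to, body):
    """Constructed sample message for the demonstration."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = to
    msg["Subject"] = "Customer details"
    msg.set_content(body)
    return msg

if __name__ == "__main__":
    wrong_dave = build_message("dave.jones@example.com", "Card: 4111 1111 1111 1111")
    right_dave = build_message("dave.smith@example.org", "Card: 4111 1111 1111 1111")
    print(check_outbound(wrong_dave), check_outbound(right_dave))
```

The Luhn step matters in practice: without it, every invoice or order number of similar length would trigger the prompt and people would learn to click through it.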

Narrowing The Search…

Yet more unencrypted data has been lost… well, no surprise there to be honest. At least they know where the data is - somewhere between London and the Isle of Wight, except it could be anywhere because it was en route with a courier.

There were two process failures here. The first was the fact that it was unencrypted data - which was making two trips, one to the third party and then one back to the owners. The other was that it took more than a week to know it was missing.

So, what to do… revisit old policies! If it involves confidential customer information and it’s going offsite then it should be encrypted. [Full Stop!] Backup products today can encrypt the information - so there is really no excuse. There should also be an effective tracking mechanism for data that is traveling or being stored, whether it is with a 3rd party or even with internal personnel. That way, even if the data is encrypted and lost, the disaster recovery plan won’t be a disaster itself because the data isn’t where it was expected.

The good news, or rather the good piece of process, which we should all take heed of in this case, was that the data was being verified as readable / usable. Frequently backup data is not checked and you get to the point of needing it and it is inaccessible, or not complete. I remember a case a few years ago when the data was required and there wasn’t any on the tape - except the header. The reason… the data had changed mount point on the system and the backup policy hadn’t been altered. So it regularly backed up ‘nothing’… and was always successful! So, checking the data integrity on a regular basis is a great habit to get into.
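The ‘backed up nothing and was always successful’ case can be caught by checking what is in the archive rather than the job's exit status. The following is an added example, not taken from any backup product: it compares a tar archive against a manifest of expected files and SHA-256 digests recorded from the live system. The file names, the contents and the `make_archive` stand-in for the backup job are constructed.

```python
import hashlib
import io
import tarfile

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def make_archive(files, root="billing"):
    """Stand-in for the backup job: tar the root directory and whatever is in it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        top = tarfile.TarInfo(root)
        top.type = tarfile.DIRTYPE
        tar.addfile(top)                      # the directory entry is always written
        for name, data in files.items():
            info = tarfile.TarInfo(f"{root}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def verify_backup(archive, manifest):
    """Return a list of problems; an empty list means every expected file read back intact."""
    found = {}
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
            for member in tar:
                if member.isfile():
                    found[member.name] = sha256(tar.extractfile(member).read())
    except tarfile.TarError as exc:
        return [f"archive unreadable: {exc}"]
    problems = []
    if not found:
        problems.append("archive holds no files, only directory entries")
    for name, digest in manifest.items():
        if name not in found:
            problems.append(f"missing: {name}")
        elif found[name] != digest:
            problems.append(f"checksum mismatch: {name}")
    return problems

# Constructed sample data standing in for the live system.
LIVE = {"2008-06.csv": b"id,amount\n1,10.00\n", "2008-07.csv": b"id,amount\n2,12.50\n"}
MANIFEST = {f"billing/{n}": sha256(d) for n, d in LIVE.items()}

if __name__ == "__main__":
    print("good backup:", verify_backup(make_archive(LIVE), MANIFEST))
    # Mount point moved: the job still writes a valid archive, with nothing in it.
    print("moved mount point:", verify_backup(make_archive({}), MANIFEST))
```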

Don’t Send The Password With The Data

It emerged this week that one organization had to send out a memo to its staff reminding them not to send out encrypted documents with the password! I won’t mention which organization it is - as I have a feeling there are quite a few with this problem. The other one I have seen very recently, is the yellow sticky with the password attached to the laptop!

These are great examples of where the people, process and product story has broken down. In both cases encryption is the technology - and that works to protect data. The process is in place - encrypt sensitive data if it might get lost (so, on a laptop, or in an email going out of an organization, or on a CD, or on a mobile phone, or … you get the picture) but the process is incomplete - what do you do with the password, how do you communicate it, if required? Finally there is a lack of education for the staff (or in this latest case the education is retrospective and reactive rather than proactive) - why are we doing this… to protect individuals’ information, or corporate information… and so if you send the password at the same time you may just as well have not encrypted it. Of course, there is some irony here - in the US with its disclosure laws if the data was encrypted when it was lost, then that is the end of it - no disclosure - even if the password was on a note!

Education needs to happen from the top to the bottom of an organization and processes need to reflect every step which includes how to communicate passwords when needed.

How do you send a password… well that just depends… in many cases you can just phone the person up and tell them, or you could send it by SMS text message… or… well you decide - it’s your organization. Just make sure that there is a policy and people know what it is.



Don’t Read The Interesting Stuff

It emerged that more than 600 HMRC staff have been disciplined for reading information about UK citizens that they shouldn’t have - unless they have a specific need to do so. I wrote about the decline of implicit trust a while ago and this is just another example. Of course it is impossible for people to avert their eyes if there is something sensitive on the screen - and human nature is always drawn to things that are interesting (just think of surfing the web and the tangents you follow). There is technology that can help in this instance…

Automated redaction technology has been around for a while - in essence this ‘hides’ interesting information from unauthorized eyes from within a document. For example it might hide names and addresses, or bank details - or tax return information.

With a database application, it is the application that needs to be altered so that sensitive information is not displayed. Not only is it time to revisit who has access to applications but also exactly what information they have access to - and whether it is really necessary.

In the cases where information is needed to be viewed on occasion, then a well communicated corporate policy coupled with an on-screen question / warning followed by an audit trail works… That way people won’t be tempted to look at the interesting stuff that’s out there.