Me, Me, Pick Me…
… says Donkey in the Shrek movie. Anyway… I’ve been nominated for the Computer Weekly shortlist of IT Security blogs. Thank you. Of course, it’s now time to pick a winner… “there can be only one”. So… if you would care to vote for me or any of the other nominees, you can do so here. Scroll to the IT Security Blog category and pick me…

Transformational Government 2008
I am speaking next week (8th July) on the panel at the Transformational Government event in London. Today’s information-centric society offers a number of challenges when it comes to sharing information to become more efficient. The panel session is about data security and some of the issues that need to be overcome to assure data security and rebuild trust - it’s bound to be a lively discussion!
Tape Glorious Tape, There’s Nothing Quite Like It
Another data loss incident… 2.2 million billing records. They were on tape, in a car, and the car was broken into - no more tapes. The driver had worked for the company for 18 years - alas, no longer, as they had violated the company’s information protection policy: the tapes shouldn’t have been taken home, they should have gone straight to off-site storage. Tapes are great - high capacity, low cost, easy to transport, easy to store, no moving parts (when they’re on the shelf!), great for long-term storage and still an integral part of most companies’ IT environments. But… also easy to lose… and often the data is stored in an open format - so you don’t need a password or anything else to get at it. Far easier to steal a tape than break into a server…
OK, so it seems cut and dried… but… what if the driver had been in an accident and the tapes had been lost? What if the off-site storage (which is run by a 3rd party) was broken into and the tapes stolen? The company is not saying whether the data was encrypted or not, but my guess is that it wasn’t, so either of these other scenarios could also be valid - and would result in the loss of data.
Part of developing an information security policy is to revisit processes which touch sensitive data - this includes all occasions and possibilities when it can go offsite, or is handled by a 3rd party. It has to include tape backups, CDs, DVDs, USB sticks, and any other physical copies of the data, including laptops.
The simple rule is… if it is going offsite, for whatever reason, it needs to be encrypted. Full stop.
(In this case, encrypted backups should have been employed - not just for the car break-in scenario, but also the other ones as well…)
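What “encrypt it before it leaves” looks like in practice, as an added example that is not from the original post: the backup set is streamed straight into AES-256 with a key that stays on site, and a manifest kept on site lets you prove at restore time that the media were not altered. It assumes the openssl command-line tool (1.1.1 or later for -pbkdf2); the key-file name and paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: encrypt a backup set before it
# goes offsite and keep the key on site, so a stolen tape, disk or DVD is only
# ciphertext. Assumes the openssl CLI (1.1.1+ for -pbkdf2); the key-file path
# and the other paths are placeholders for this example.
set -eu

# One-off: create the site key. It stays on site (a safe, an HSM, a key
# server), never on the media that leave the building.
make_site_key() {
    keyfile=$1
    umask 077
    openssl rand -hex 32 > "$keyfile"
}

# SHA-256 of every regular file below a directory, sorted by path.
manifest_of() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
          openssl dgst -sha256 -r "$f"
      done )
}

# Pack a directory and stream it straight into AES-256-CBC; no plaintext copy
# touches disk. A per-file manifest is written beside the archive and must be
# kept on site too: CBC gives confidentiality, not integrity, so the manifest
# is what tells you at restore time that nothing on the tape was altered.
encrypt_for_offsite() {
    src=$1; out=$2; keyfile=$3
    tar -C "$src" -cf - . \
        | openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
              -pass "file:$keyfile" -out "$out"
    manifest_of "$src" > "$out.manifest"
}

# Decrypt and unpack, then compare against the manifest kept on site.
# Returns non-zero if anything differs, which is also what a wrong key
# (tar chokes on the garbage) or a corrupted tape produces.
restore_and_verify() {
    enc=$1; dest=$2; keyfile=$3
    mkdir -p "$dest"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$keyfile" -in "$enc" | tar -C "$dest" -xf -
    manifest_of "$dest" > "$dest.manifest"
    cmp -s "$enc.manifest" "$dest.manifest"
}

# Usage (paths are placeholders):
#   make_site_key /etc/backup/site.key            # once
#   encrypt_for_offsite /srv/billing /mnt/tape/billing.tar.enc /etc/backup/site.key
#   restore_and_verify /mnt/tape/billing.tar.enc /restore/billing /etc/backup/site.key
```

The point of the key file is that it is the one thing that must not travel with the tape: a courier, a 3rd-party vault or a car boot then holds nothing usable. The manifest covers the other scenarios in the post, a damaged or tampered tape shows up as a mismatch on restore rather than as silently wrong billing data.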

Cultural Failures?
Finally the Poynter report into the HMRC data loss is being released, and the conclusion… the loss of records can’t be blamed on a single official. For me the good news is that the poor junior official who was being blamed now isn’t - it was never their sole fault; after all, they were just following orders. The report highlights ‘cultural failures’ and practices that weren’t what they should have been. The former is an interesting comment and the latter rather obvious given what occurred.
Data loss on a massive scale is not new: if you look back a few years (yes, years), the US Department of Veterans Affairs lost millions of records… TJX did the same… and yet things didn’t change. It’s not just the UK, but across the globe. It didn’t used to be a crime to lose a laptop - the change in the environment has (virtually) made it so. We now live in a time where the attitude towards personal data is beginning to change, but like an oil tanker, it is going to take a while to turn around. Most companies (and governments) don’t know where their sensitive data is - and until they know that, how can they possibly protect it? If they don’t know which business processes handle or even touch sensitive data, then how can they change them?
Information security policies need to be created, consistently implemented and then audited - on a regular basis.
If you have a bank account, a credit card, pay taxes, or do a little shopping online, then your details will be in around 700 databases! If you are one of the people handling sensitive data (or think you have sensitive data) then look at what you do - look at where you can fix potential issues, or find someone else who can. Technology alone is not the silver bullet. Above all else, treat the information you handle with the same due care and attention that you would want others to apply to yours.
It is only when people truly understand the risks and consequences and change their behaviour that the culture will change.
How Would You Know?
There is a case running in the US at present where a student hacked into his school’s database and changed his grades. This could be considered malicious data corruption! The allegations arose when some cross-checking showed up anomalies, which led to an investigation. The question is, would you know if something similar was going on in your organization?
Data loss is easy to spot if it is a laptop that has gone missing - it was here one minute, now it’s gone. Data skimming is tough to spot, i.e. where data is being slowly and steadily extracted, for example over a wireless network - it does eventually get found out, but it sometimes takes years. But what about malicious data corruption - how would you know? In this case it was relatively simple to spot once the cross-check occurred - but what if there hadn’t been a need for a cross-check? What if someone had broken into a system and upped a credit note? The automated cheque system would probably print out the rebate without hesitation - providing it wasn’t over a specific amount.
Audit trails would provide some comeback (should a cross-check occur), but the operation to alter credit notes is probably a valid function, so how would you know which changes were ‘real’ and which were not?
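Two automated cross-checks that would answer “how would you know?” for the credit-note scenario, as an added example that is not from the original post. The first runs rules over the application’s own audit trail (who, when, whether there is an approval reference, and whether the new amount lands just under the auto-pay limit); the second keeps an HMAC baseline of each row under a key the billing application does not hold, so a row altered directly in the database, with no audit entry at all, still shows up. The secret, approver list, threshold and every record are constructed for the example.

```python
"""Added example (not from the original post): two automated cross-checks
that would flag a quietly altered credit note, run over constructed data.

1. Rule checks over the application's own audit trail.
2. An integrity baseline: an HMAC per row, keyed with a secret the billing
   application does not hold, recomputed on a schedule. A row whose tag no
   longer matches and has no audit entry explaining it was edited behind
   the application's back (direct DB access, a borrowed DBA password).

The secret, the approver list, the threshold and all records are assumptions
made up for this example.
"""
import hashlib
import hmac
from datetime import datetime

BASELINE_SECRET = b"held-by-internal-audit-not-by-the-billing-app"  # assumption
APPROVERS = {"jsmith", "mpatel"}  # users allowed to alter credit notes (assumed)
AUTO_PAY_LIMIT = 1000.00          # cheques at or above this need a signature (assumed)
BUSINESS_HOURS = range(8, 18)

# Constructed rows of the credit-note table when the baseline was taken.
BASELINE_ROWS = [
    {"note": "CN-1001", "customer": "C-0042", "amount": 120.00},
    {"note": "CN-1002", "customer": "C-0077", "amount": 450.00},
    {"note": "CN-1003", "customer": "C-0019", "amount": 95.00},
    {"note": "CN-1004", "customer": "C-0301", "amount": 300.00},
]

# Constructed rows as they look now.
CURRENT_ROWS = [
    {"note": "CN-1001", "customer": "C-0042", "amount": 130.00},
    {"note": "CN-1002", "customer": "C-0077", "amount": 990.00},
    {"note": "CN-1003", "customer": "C-0019", "amount": 80.00},
    {"note": "CN-1004", "customer": "C-0301", "amount": 2900.00},  # no audit entry
]

# Constructed audit trail written by the application, one entry per change.
AUDIT = [
    {"ts": "2008-06-12T11:02:00", "user": "jsmith", "note": "CN-1003",
     "old": 95.00, "new": 80.00, "ticket": "T-221"},
    {"ts": "2008-06-12T14:30:00", "user": "tempuser", "note": "CN-1001",
     "old": 120.00, "new": 130.00, "ticket": "T-230"},
    {"ts": "2008-06-13T02:40:00", "user": "mpatel", "note": "CN-1002",
     "old": 450.00, "new": 990.00, "ticket": None},
]


def row_tag(note, customer, amount):
    """HMAC over the fields that matter; the app cannot recompute it."""
    msg = f"{note}|{customer}|{amount:.2f}".encode()
    return hmac.new(BASELINE_SECRET, msg, hashlib.sha256).hexdigest()


def build_baseline(rows):
    return {r["note"]: row_tag(r["note"], r["customer"], r["amount"]) for r in rows}


def check_audit(entries):
    """Rule checks over audit entries. Returns (note, reason) pairs."""
    findings = []
    for e in entries:
        ts = datetime.fromisoformat(e["ts"])
        if e["user"] not in APPROVERS:
            findings.append((e["note"], "user_not_approver"))
        if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
            findings.append((e["note"], "out_of_hours"))
        if not e["ticket"]:
            findings.append((e["note"], "no_ticket"))
        # An increase that stops just short of the auto-pay limit is the
        # classic shape of someone who knows where the threshold is.
        if e["new"] > e["old"] and 0.9 * AUTO_PAY_LIMIT <= e["new"] < AUTO_PAY_LIMIT:
            findings.append((e["note"], "just_under_auto_pay_limit"))
    return findings


def reconcile(baseline, rows, entries):
    """Compare current rows with the baseline; each drift must be explained by
    the audit trail, otherwise it is flagged. Returns (note, reason) pairs."""
    findings = []
    last_audited = {}
    for e in sorted(entries, key=lambda e: e["ts"]):
        last_audited[e["note"]] = e["new"]
    seen = set()
    for r in rows:
        seen.add(r["note"])
        if r["note"] not in baseline:
            findings.append((r["note"], "row_not_in_baseline"))
            continue
        tag = row_tag(r["note"], r["customer"], r["amount"])
        if hmac.compare_digest(tag, baseline[r["note"]]):
            continue
        if last_audited.get(r["note"]) == r["amount"]:
            continue  # drift is accounted for by the application's audit trail
        findings.append((r["note"], "changed_without_audit_entry"))
    for note in sorted(set(baseline) - seen):
        findings.append((note, "row_deleted"))
    return findings


def run_checks():
    baseline = build_baseline(BASELINE_ROWS)
    return check_audit(AUDIT) + reconcile(baseline, CURRENT_ROWS, AUDIT)


if __name__ == "__main__":
    for note, reason in run_checks():
        print(f"{note}: {reason}")
```

On the constructed data the audit rules flag the out-of-hours, unticketed rise of CN-1002 to just under the limit and the change to CN-1001 by a user who is not an approver, while the baseline catches CN-1004, which was altered with no audit entry at all. The baseline key is the important design choice: if the application could compute the tag, whoever owns the application (or its database credentials) could repair it after editing the row.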
Ransomware Is Back… And It’s Bad
Just so you know - ransomware is making a comeback. For those of you who haven’t come across the term, this is where your machine gets infected with some malware, perhaps through a virus attached to an email, but these days it is more likely to be through a download (especially from a social networking site). The malware encrypts all the data on your drive and then offers to decrypt it - for $50. This is an interesting amount, $50: not much, or at least not much to worry about - if it were $5000 then you might think twice. Of course the question is… how are you going to pay them?!?!? Perhaps give them your credit card number or bank details… and they will take $50. And the other $1000+… So, perhaps it’s better not to pay!
How can you prevent it…? Well, ensuring that you have anti-virus and anti-malware software installed and up to date is a good start. Then just be vigilant - make sure that when you are asked to download something, (a) you really need to and (b) it is from whom you expect. As ‘insurance’, take regular backups - and keep them somewhere safe, not attached to the machine (an external hard disk or USB device that is still plugged in will be encrypted along with everything else). Then if disaster strikes at least you have a copy. You will need to reformat the machine and reinstall the operating system, but at least you haven’t given away your credit card or bank account details and you still have your data.
Just One Cotton Picking Moment
Cotton Traders revealed that their website had been hacked and details of 38,000 transactions had been stolen. They have now worked with experts to fix the problem. OK, so this is ‘yet another’ case of data loss - however, I find it interesting that the target organization is relatively small and yet it was obviously still worth the criminals attacking it. Is this because smaller organizations do not necessarily have the security expertise to secure their environments, or because their website was unpatched and therefore open to a well-known attack? We don’t know; all we know is that they were attacked and they have now fixed the problem.
Smaller companies seem to think that they will not be a target for an attack… “It won’t happen to me, I’m too small to be on the radar” - this just goes to prove that this is not the case. Hopefully other smaller companies will now sit up and take notice of the potential threats and associated consequences, and look at how they can prevent it from happening to them.
That Advert Recognised Me
There is some new technology being developed that recognises faces so that adverts can be targeted at you as you walk down the street. All very sci-fi. However, I wonder what will happen to that data afterwards… and more to the point, where did they get my image in the first place? Did I give permission? Did someone ‘sell’ it to them, in the same way that mailing lists get bought and sold? Of course, it is not just face recognition that can do this; RFID can also be used to target advertising. RFID tags are increasingly being put into the things we buy - not by the manufacturers but by the retailers. They can help in tasks such as inventory control, but they can also be used for other purposes… if I know you have a pair of brand X jeans on, then perhaps you would like another pair, or something similar. At this point, they don’t necessarily know you are you, but what if they did? What if the RFID tag was matched to your credit card at the check-out… then when you next come into the store they can greet you by name and ask how the jeans are.
(When RFID first came out, there was a great cartoon with a mugger scanning people to work out which one was worth mugging… sounds a little silly, but then so did adverts based on your face…)
Just because technology exists doesn’t mean we have to use it… there is no doubt that face recognition software can help prevent crime and improve security and access control. However, when it comes to tracking me just to sell me more stuff - just say ‘no’.
The Fine Art Of Zippering…
… or ‘enrichment’ as it is sometimes known. Zippering is where you take data from multiple sources and put it together to create something more meaningful. It is usually used in the ‘phishing’ sense, where cyber criminals gather the information to put together a targeted attack (aka spear phishing). However, there is a call to collect all sorts of information in a single database, and there are a number of problems with that - quite apart from the privacy ones!
Firstly, if someone gets hold of all the information, they need look no further, as it is a treasure trove for phishers. Secondly, when zippering information it is vitally important that the pieces relate to a specific individual - and this is the tough part. Imagine if it is done based on name… oops… too many John Smiths out there… what about address… umm… well, there are quite a few people at the same address who have different email addresses… by phone record… pay-as-you-go. Email… cyber cafés. The list of potential problems is vast. If you do get it wrong, the consequences for an individual can be disastrous. There was recently a case where a stolen credit card was used to download illegal material - and the card owner was accused, and it, to all intents and purposes, destroyed his reputation and his life.
So… if we are going to collect vast amounts of information it needs to be secure AND accurate - and failure on either of these counts is not (as the saying goes) an option.
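The John Smith problem in code, as an added example that is not from the original post: linking on any single field (name, address, email) merges people who are not the same, so the linking rule here refuses to merge unless two independent identifiers agree and none contradict, and hands single-identifier hits to a human instead of guessing. The records, names, addresses and numbers are constructed for the example.

```python
"""Added example (not from the original post): why zippering on a single weak
key mis-links people, and a rule that refuses to guess. All records below are
constructed for this example; names, addresses and numbers are fictional."""
import re

# Index 0 and 2 are the same person seen by two sources; 1 is a different
# John Smith; 3 shares 0's address (a flatmate); 4 is a bare email address
# with nothing else to corroborate it.
RECORDS = [
    {"src": "bank",     "name": "John Smith", "address": "12 High St, Leeds",     "phone": "07700 900001", "email": "js@example.com"},
    {"src": "retailer", "name": "John Smith", "address": "4 Mill Lane, Bristol",  "phone": None,           "email": "john.s@example.org"},
    {"src": "isp",      "name": "john SMITH", "address": "12 High Street, Leeds", "phone": "07700900001",  "email": None},
    {"src": "utility",  "name": "Priya Nair", "address": "12 High St, Leeds",     "phone": "07700 900002", "email": "pn@example.net"},
    {"src": "forum",    "name": "J. Smith",   "address": None,                    "phone": None,           "email": "JS@example.com"},
]

STRONG = ("address", "phone", "email")  # identifiers allowed to count; name never does


def normalize(field, value):
    """Canonical form so that trivial formatting differences do not hide a match."""
    if value is None:
        return None
    v = value.lower().strip()
    if field == "phone":
        return re.sub(r"\D", "", v)
    if field == "address":
        v = re.sub(r"[^\w\s]", " ", v)
        v = re.sub(r"\bstreet\b", "st", v)
        return re.sub(r"\s+", " ", v).strip()
    if field == "name":
        return re.sub(r"[^\w\s]", "", re.sub(r"\s+", " ", v)).strip()
    return v


def cluster_by(records, field):
    """Naive zippering: group on one field. Shows how much it over-merges."""
    groups = {}
    for i, r in enumerate(records):
        groups.setdefault(normalize(field, r[field]), []).append(i)
    return groups


def link(a, b):
    """'match' needs two strong identifiers to agree and none to disagree;
    exactly one agreeing identifier is 'review' (a human looks at it);
    anything else, including name-only agreement, is 'no_match'."""
    agree = disagree = 0
    for f in STRONG:
        x, y = normalize(f, a[f]), normalize(f, b[f])
        if x is None or y is None:
            continue  # absent on one side: neither evidence for nor against
        if x == y:
            agree += 1
        else:
            disagree += 1
    if disagree:
        return "no_match"
    if agree >= 2:
        return "match"
    if agree == 1:
        return "review"
    return "no_match"


def safe_groups(records):
    """Union records only through 'match' links; everything else stays apart."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i

    for i in range(len(records)):
        for j in range(i + 1, len(records)):
            if link(records[i], records[j]) == "match":
                parent[find(j)] = find(i)
    groups = {}
    for i in range(len(records)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())


if __name__ == "__main__":
    print("by name:   ", cluster_by(RECORDS, "name"))
    print("by address:", cluster_by(RECORDS, "address"))
    print("safe:      ", safe_groups(RECORDS))
```

Grouping by name alone puts both John Smiths into one record; grouping by address alone merges the flatmate in too. The conservative rule merges only the bank and ISP records, sends the bare email address for review, and keeps everyone else apart, which is the accuracy half of “secure AND accurate”.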
1 Server, 3 Weeks, 1.4GB of Personal Information
A server was found this week chock full of personal information - 1.4GB of it. The information had been stolen from around the world and included health records and email - and within the email there was even more information relating to contacts, account details, pension savings plans (401k) and so on… 1.4GB can house a lot of useful information.
This server was quite a find… but it is not alone; we see compromised servers which receive stolen information every day, and there are a lot of them. OK, so most don’t have 1.4GB, but they do contain tens of thousands of pieces of information. The latest Internet Security Threat Report (ISTR Vol. XIII, April 2008) reported more than 60,000 bot-infected computers per day (a 17% increase over the previous 6 months). These aren’t all collecting information - most are sending it out (spam, phishing, DoS, …) - however, some of them are. It also highlighted that of the 54,609 applications it observed being installed, 65% were malicious.
So (and I’m starting to sound like a broken record)… if you value your information and something asks to install itself, especially from within a web browser (also known as a plug-in), be very sure that the source of the request is valid - if not, just click away.