It’s not just the Ukrainians and the Polish that are seeing a surge in demand as the Euro Championships take place. Here at Symantec, we have noticed some curious spikes in data usage, around the time of key games.
For instance, our data processing centres saw a 20% uplift in week on week user traffic in the hour prior to kick off in the game between England and France on June 11th. During the match this increased further, hitting a 75% uplift compared to the previous week. During that peak our bandwidth monitoring saw the equivalent of approximately 7,500 live media streams passing through our UK data centres per second.
I’ve no doubt that businesses of all types experience similar upturns in data demands during big sporting events such as the Euros, which leaves open the obvious question: how are people preparing for the whole host of sporting events taking place in 2012? With a summer of sport set to be watched by millions across the globe, many are sure to turn to the internet throughout to keep up to date with their favourite events and any key developments. The spikes we have witnessed throughout the Euros have provided a nice gentle stress test for our systems, which have coped with the increase comfortably. Other organisations should use this tournament just as we have, as a key indication of the likely impact their business is going to face.
Though it is often hard to calculate the exact amount of data expected to pass through a company’s systems, recent spikes should prove very useful in informing how people should equip and prepare for the likely surge we will see over the coming two months. It would be silly to neglect this information and be caught out when data peaks during busy periods. Being prepared to respond to these increases will ensure a seamless continuation of business, ruling out any potential losses or disruption that might occur to those that have not heeded the early warning signs.
Companies have for some time understood they need to safeguard their IT systems from infiltration and viruses. But in today’s sophisticated cyber environment, the protection of data and data integrity needs not only to match the skill and cunning of the cybercriminal; it also has to be in accordance with strict security rules and regulations. Organisations need look no further than the few months leading up to the end of 2011 to see that cyber threats are becoming more frequent and more complex. The Duqu worm discovered in September 2011 is just one high profile danger facing organisations.
In this sense it is true to say that Governments and enterprise businesses face unprecedented challenges in ensuring the confidentiality of data as it is processed and exchanged across data centres. The use of cryptography in the form of encryption offers the most convenient way to protect sensitive data in transit over high-speed backhaul and backbone connections and that is why we went to the trouble of attaining Common Criteria certification EAL +3 for our automated policy management solution, Control Compliance Suite.
Provision of this worldwide standard verifies that the software has completed a rigorous independent testing process of specification, implementation and evaluation, and conforms to standards sanctioned by the International Standards Organisation.
But why should this matter?
Perhaps a good person to weigh in on this is Jane Doorly, Vice President European Research, IDC who commented on the importance of compliance today: “In recent years, there has been a higher level of adoption and spending in technologies and services that enable companies to meet their compliance objectives. As a result of this trend, we have seen the importance and relevance of independent testing and Common Criteria certification increase, making it a vital element of an organisation’s purchasing process.”
To our mind, being awarded a security accolade of this kind is not just a testament to the hard work and commitment that goes into making products good, it’s about meeting today’s security needs for the customer and industry. In an uncertain world where assets are being stolen for profit, intellectual property infiltrated just to prove it can be done and data integrity tampered with, it is crucial that customers have a high level of confidence and trust in their security solutions. What stronger confirmation is there that a product is up to the job than having an international standard stamp of approval?
Recently, I once again joined delegates from across the globe in Strasbourg to speak at the Council of Europe’s Cooperation against Cybercrime Conference. Bringing together industry, law enforcement, legal and policy experts, the conference marked the 10th year of the Budapest Convention – the first treaty for online crime that has aimed to define a common framework for cybercrime legislation.
In the decade since the treaty opened for signatures, 47 countries have signed, and 32 of those have converted it into local legislation. During the conference, seeing these countries stand up and proudly announce their efforts to implement cyber laws and, in some cases, even highlight early successful prosecutions, was a very powerful experience.
However, while the convention continues to represent a great step forward, with nearly 200 countries in the world it is important to recognise that there is still plenty of work to be done. Although I realise that not all of these countries are part of Europe, a precedent has already been set with non-European countries such as the USA, Canada and Japan signed up.
It was clear that the Council of Europe’s cybercrime initiative isn’t resting on its laurels, with the conference highlighting the next phases we can expect. These include plans to implement training for judges and law enforcement, regional workshops, and intelligence gathering and sharing, as well as looking at the broader picture of international cyber strategy and the role that cybercrime plays in this.
The key topic that comes up year after year at the conference is ‘cooperation’ with the need and want for public private partnership seen as a key for success. As an example of collaboration, 2Centre (www.2centre.eu) aims to bring together academia, industry and law enforcement to drive training and create centers of excellence. Thus far centers of excellence are in the process of being created in France, Ireland, Belgium and Estonia, with requests for many others.
The other key topic is capacity planning. As countries develop legislation, a burden moves along the process. It puts new pressures on law enforcement to have the scalable resource to investigate, handle ever-increasing volumes of forensic data and independently take on the challenge of internationally standardised evidence-gathering processes and techniques.
When you consider these two themes together, a clear risk is apparent. As more collaboration takes place, there simply is not, at this point in time, the resource to scale to the evolving scope of cybercrime.
While security vendors, such as ourselves, could provide insight on the scale and scope of what we are seeing, with twenty plus new threats per second and given the increased interdependency of networks and systems, greater coordination between the public and private sector is vital. This can enable a common understanding, identification and recognition of possible cyber threats and ensure efforts and resources to address specific risks are effectively deployed. Information sharing partnerships have a key role to play in effective cooperation against cyber threats and can help to distill information into tangible actionable data that can then be used to address a specific risk and where possible provide alerts.
My overwhelming thought at the close of the conference was, however, that it’s always amazing to see such international cooperation. We all have a role to play and it’s only with all of our participation that we can succeed.
According to a recent survey, half of mobile phones that are recycled – and passed on to a new owner – contain sensitive information. This shouldn’t really come as a surprise, as organizations are only just getting the message about disposing of old computer systems and ensuring the data has been suitably destroyed.
It is very easy, especially as an individual, to rush in and pick up a shiny new phone when the contract expires, or to request a new phone from the IT department when the corporate one dies. However, there needs to be awareness, by the user, that they should clear down all the data on it first. From a corporate perspective, this should also be done – a second time as a precautionary measure.
A quick email out to employees pointing out the issues with data on old phones when they are returned / recycled will go a long way in creating awareness around the problem – from both the personal and the corporate perspectives. And a check / update on security policies and procedures for mobile phone disposal will go a long way to sorting out the problem. Bearing in mind a lot of mobile devices are now just as powerful as laptops (in that they contain considerable quantities of sensitive data, and often have access to corporate applications over the Internet), the check should be made before the auditors come round and check for you…
OK, so we were digital long before 2002, but it was then that the amount of data stored digitally overtook that which was stored in an analog manner. A recent analysis of ‘all’ storage also showed that we now have enough capacity for 295 exabytes of information… which is about 404 billion CDs.
Of course, how much of it is actually used is not presented – and neither is how much of it is repeated, i.e. the amount of unique data is probably just a fraction of that. Finding things you know exist becomes harder each day, and a good friend, Adrian Seccombe, has written a short post on just this problem… losing things in your digital pocket. For enterprises this particular problem is worse, with thousands of hours of productivity lost each year due to people looking for data they know exists but can’t find – and then trying to reproduce it.
Archiving with full-text indexing is one option – but that is often catching less and less information as more ‘digital pockets’ are used. Furthermore, the loss of an unsecured ‘pocket’ could now result in a £500K fine from the Information Commissioner’s Office (ICO). Data growth is inevitable, but as the legislation evolves to encompass new working practices (the cloud, consumerization of IT, social networking sites, …) so too will the risks. As ever, it is time to revisit policies around security and data management and check that they have moved with the times… and if not, make the change before they become a liability.
ENISA has recently produced a report as part of their cloud computing initiative which looks at Security and resilience in Governmental Clouds (gClouds). The report makes for interesting reading – if you happen to be a government, BUT it is also very useful to other organizations that are considering moving applications to the cloud.
It gives some good examples for carrying out a comparative risk assessment – figuring out which cloud is best for which applications / data. For example whether to use a private cloud or a public one, or a community (share with known others). This is an important step for everyone moving to a cloud solution, but often overlooked – or rather replaced with the simple ‘Cloud: Yes/No’ decision point. There is also an excellent list of resilience threats – all of which are pertinent to the private sector. Well worth a read…
At a time when many organizations are being bombarded on every side, they sometimes forget about the inside. Because so much has been said about the dangers imposed by malicious outsiders and insiders intent on wreaking havoc and reaping money, the non-malicious insider threat remains somewhat unspoken.
I recently wrote a whitepaper outlining the threat posed by well-meaning insiders. See it here.
The well-meaning insider represents a weak link in the security posture of many organizations and few seem to realize the critical role they play in keeping information safe. A survey of office employees in North America and Europe, for example, found that 78 percent think that their IT department solely holds the responsibility for information confidentiality. To be able to fully protect against threats resulting from such misconceptions, companies must identify who constitutes a risk, as well as why and how they might be a threat. Not all insider risk profiles constitute the same type of threat, so security has to be tailored to their particular characteristics.
Well-meaning insiders fall into the following categories:
- The underminers take the path of least resistance and ignore the spirit of security to make their working lives easier. Creating easy passwords is an example of this. Sharing passwords is another common problem.
- The overly-ambitious employees knowingly take risks to purposefully bypass bureaucratic security processes in order to be more effective in achieving what they think are organizational goals. Encryption, for example, might be overlooked because the employee thinks it’s too cumbersome.
- The socially engineered are those employees, usually in low paid positions at the public facing end of the organization, who are prone to being duped by malicious outsiders into sharing sensitive information or even giving out access codes to systems.
- The data-leakers are the growing cadre of ‘whistleblowers’ who, for various ethical or unethical reasons, leak to the public via social network technology, such as WikiLeaks, information they feel that the public should be informed about.
- The data spillers are employees who have legitimate access to information or databases, but are prone to spill data because of (sometimes routine) organizational practices not checked by lax IT policies. Data spillers may:
  - Accidentally disclose information by losing a laptop or smartphone, or a CD-ROM or USB drive. While such incidents (often unreported) represent a statistical outlier, they do garner much attention, both from other organizations and media outlets.
  - Take data out of the secure environment to use out of the office and not delete it.
  - Leave data on discarded computers.
  - Not carefully manage data shared with third parties.
  - Send unsecured data through public delivery systems.
  - Not review and update access inventories or email distribution lists.
Resolving these problems can happen through increased IT intervention and employee education. In both cases, the goal is to preserve both human and technological resources. For instance, demonizing these insiders and treating them as willfully malicious will not improve situations. It will either cause a loss of talent or a loss of good relations. Training and educating as well as establishing a culture of security through improved and automated IT will reduce risk and maintain effectiveness.
The well-meaning insider is a different type of problem to the malicious outsider. Both can result in data loss and information breaches, but the motivations and relationships to the company vary widely. Because the industry has focused on outsider threats, many companies are unprepared and even unaware of who may be causing the loss of sensitive information. This issue can be addressed. To get more information on the who, how and why of the well-meaning insider – along with recommendations on how to deal with them effectively – read the whitepaper, Organization Security and the Insider Threat: Malicious, Negligent and Well-Meaning Insiders.
About the Author
David S. Wall (BA, MA, M Phil, PhD, FRSA, AcSS) is Professor of Criminology at Durham University where he conducts research and teaches in the fields of cybercrime, policing and intellectual property crime. He has published a wide range of articles and books on these subjects which include amongst others: Cybercrime: the Transformation of Crime in the Information Age (Polity, 2007).
… And, you’re not at home. There was a recent article in the US about burglars targeting houses based on social network entries. The problem of Facebook updates being used for more nefarious purposes has been written about before, but it is worth mentioning again.
There are now a number of new technologies which are useful for the individual… and unfortunately for the cyber-criminal. The first one is GPS based co-ordinates in photos… great idea, you can tell exactly where you were when the picture was taken. Unfortunately, while you might not advertise your address on your social networking site, if you have a picture with embedded co-ordinates, it is now as good as the address. The second is having geo-location on your mobile device reporting where you are… again, useful for your friends to know you are now at work (and standing next to the coffee machine), but also good for the cyber-criminals to know you are not at home! (And they know where your home is, as that is the location your phone is reporting most nights…)
As with all technology, it has its advantages – but you also need to be aware of the risks associated with it should the information fall into the wrong hands. Now is a good time to talk to employees, co-workers, spouses and children about some of the risks and how to mitigate them. Don’t post pictures with co-ordinates in them, especially not with the caption “Here I am at home…”, and perhaps broadcasting your every footstep to the world is not ideal… think twice about signing up for a service which publishes that information online.
A really cool bit of research from the University of Pennsylvania has looked at how smudges on your smart phone touch screen can be used to guess your password. So, while this is all research at present, as per usual it will only be a matter of time before it is exploited.
So… along with wiping SatNav marks off the windscreen so the burglars don’t pinch your SatNav, you should also think about wiping the marks off the smart phone as well after you have entered your password… bring back the mini-keyboard, all is forgiven!
There have been a couple of stories in the news recently about cached credentials. In essence, you enter your username and password and it enables you to, in this case, easily buy things from the online shop. Making it easier to use compromises the security and here meant that someone else could readily buy stuff when they shouldn’t have been able to.
Move to the business environment… what sort of compromises do you make with your security in the name of user convenience? When it comes to enterprise applications, especially those on mobile devices and / or accessed through a web browser, what is your policy on cookies and caching? If someone were to pick up your mobile phone, or iPad how easy would it be to get access to your data?
Now is the time to revise security policies and usage policies, especially where the IT equipment is used by the employee. Ensure passwords are required when the devices are switched on, have auto-lock policies after a short period of time (5-10 minutes should be ample) and review cookie credential caching for enterprise apps.