Importance of end-to-end encryption in the retail space

Our attention was caught recently by an interesting article on Retail Week by Verifone, which examined the importance of credit and debit card protection in the retail industry. As Verifone quite rightly points out, the theft of credit and debit card details is a highly lucrative activity and its popularity is growing rapidly worldwide. Indeed, our recent State of Enterprise Security Report revealed that 75% of enterprises have experienced a cyber attack in the past 12 months and that the average associated cost over the year for such attacks was as high as $2 million – some pretty striking statistics.

Furthermore, the nature of credit and debit card theft is becoming increasingly sophisticated, such that retailers will often process a payment transaction and not even be aware that a data breach has occurred – something that could have a serious impact not only on a retailer’s revenues, but also on their brand reputation. With such serious consequences at stake, Verifone states that it is time for companies to go beyond Payment Card Industry Data Security Standard (PCI DSS) guidelines and secure entry points across the entire transaction chain.

The article has some good advice to offer retailers and, with cybercrime continuing to grow at such a rapid rate, it’s advice that retailers simply cannot afford to ignore.

Dominic Cook

UK ID fraud cases jump a third as malicious insiders turn to cybercrime

ID fraud in the UK increased by nearly a third (31.79 per cent) in 2009, according to a new report from CIFAS, the UK’s Fraud Prevention Service, as compromised identity details continue to be sold over the internet. The report points to an increase in gangs using collusive staff within organisations to steal personal data online for criminal gain. The CIFAS findings are gathered from its 265+ members across industries including banking, retail and telecoms.

Businesses need to be better protected against the dangers of the enemy within, particularly in industries such as finance and banking, where the value of the personal data held in online databases can be incredibly high. Our recent State of Enterprise Security report found that 40 per cent of businesses experienced a high number of internal, malicious attacks in 2009. In addition, a great deal of damage was also done unintentionally by staff, with 39 per cent of IT managers surveyed saying it’s a ‘high’ or ‘extremely high’ problem.

IT security was, for many years, focused on protecting against external threats and attacks. While those threats still remain, a more insidious threat – the malicious insider – has been steadily rising. The fact that cybercriminals are so well networked within UK businesses in order to bring about this kind of ID fraud points to their increased professionalism and savviness.

Symantec recommends that companies assess their policies and processes around employee access to sensitive data, ensuring that they are appropriate for the employee’s position and are enforced and regularly reviewed. It advises that data loss prevention (DLP) solutions that offer protection at the endpoint, network and storage levels can also help.

Andy Ng, Data Loss Prevention Consulting Manager for EMEA

Survey Said… Ex-Employees Steal Data

We conducted a survey in the US on how many people take data with them when they leave the company… and the answer is 79%. While it is tough to take someone’s memory, it’s not so hard to ensure that they are not walking out the door with obvious copies. 82% said that they were not checked when leaving… and a frightening 24% still had access to computer systems even after they had left – with 20% still having access more than a week later.

The other statistic that intrigued me was that of those people who took information, 67% said they used it to get a new job and 68% said they were going to use it in their new position.

It always used to be that executives left with their laptops and companies were not overly worried about some of their proprietary information walking out the door with ex-employees. However, in the current climate, it would no doubt pay dividends to initiate a more formal process to ensure that when an employee leaves, it doesn’t increase the risk of a data leak.

(And on the other side of the coin… it also might pay dividends to the new employer to ensure that inappropriate competitor information isn’t arriving on their network with a new starter… as the fines for that have been rather large in the past!)

Not Me Guv

So, if you lost your laptop and it resulted in a data loss incident – who would you blame? In a recent survey, only 17% of office staff and 21% of IT staff thought it would be their fault… the rest thought it was the CEO’s fault or the company’s. Bizarre but true.

The reality is that it is up to everyone to protect the data, and the company should provide appropriate technology to help. If you have a company laptop and it contains sensitive information, ask about full disk encryption; the same is true for mobile phones (well, the ones which get email, etc.). These are relatively simple to install and administer. If you send data out on a CD, then ask if it is encrypted – and if not, ask about encryption solutions to be added into the process. Again, this is not hard to do – and it does reduce the risk.

Finally, if you are really worried about data leaking through email and the like, then ask about content based data loss prevention – it’s not as simple as putting in encryption, but it does create a much better solution.

So… if you lose data – it is your fault. Especially if you haven’t asked for help in preventing it from happening in the first place.

When Helpful Doesn’t Help

There is a new hack in town (well, it will be in Las Vegas next week) and it’s simple – create a file that looks like one thing to one application and something else to another. File types have always been helpful to the OS: they mean that you can ‘click’ on a file and it knows which application to use to open it. In this case, this ‘feature’ is what is being used as the exploit.

Here they have created a file which looks like an innocuous GIF to a web server but is actually a Java applet. The ‘image’ is downloaded but then run by the browser, which thinks it is an applet – result… your machine has just been compromised.

Because it looks like an image, it can be readily uploaded to any and all sites which allow such things (and which accept it because their check only confirms that the upload is a picture), mainly social networking sites – once there, it can be downloaded by others (who think it is an image) and so the infection spreads…
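The polyglot described here works because a GIF decoder reads a file from its head, while a JAR (the ZIP archive a Java applet ships in) is located by the end-of-central-directory record at its tail, so a filter that checks only the head sees a picture. As an added example, not from the original post, the Python below is an upload check that also looks for that tail structure and rejects a ‘GIF’ carrying one; the sample bytes are constructed and the function names are my own.

```python
import struct
from typing import Optional

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory signature
EOCD_FIXED_LEN = 22            # fixed part of the EOCD record
MAX_ZIP_COMMENT = 0xFFFF       # trailing archive comment is at most 65535 bytes


def looks_like_gif(data: bytes) -> bool:
    """The check a naive image-upload filter makes: inspect the head only."""
    return data[:6] in GIF_MAGICS


def find_zip_eocd(data: bytes) -> Optional[int]:
    """Return the offset of a ZIP/JAR end-of-central-directory record that
    terminates `data`, or None. Like a ZIP reader, scan backwards from the
    tail and accept a candidate only if its comment length reaches the end."""
    tail_start = max(0, len(data) - EOCD_FIXED_LEN - MAX_ZIP_COMMENT)
    idx = data.rfind(ZIP_EOCD_SIG, tail_start)
    while idx != -1:
        if idx + EOCD_FIXED_LEN <= len(data):
            comment_len = struct.unpack_from("<H", data, idx + 20)[0]
            if idx + EOCD_FIXED_LEN + comment_len == len(data):
                return idx
        idx = data.rfind(ZIP_EOCD_SIG, tail_start, idx)
    return None


def classify_upload(data: bytes) -> str:
    """Accept a GIF only if it does not also terminate in a ZIP/JAR structure."""
    if not looks_like_gif(data):
        return "reject: not a gif"
    if find_zip_eocd(data) is not None:
        return "reject: gif header with trailing zip/jar structure"
    return "accept: gif"


# Constructed sample inputs (not real uploads): a header-only 1x1 GIF with its
# trailer byte, and the same bytes followed by an empty ZIP archive, which
# consists of nothing but a 22-byte EOCD record.
MINIMAL_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + b";"
EMPTY_ZIP = ZIP_EOCD_SIG + b"\x00" * 18
GIF_WITH_ZIP_TAIL = MINIMAL_GIF + EMPTY_ZIP

if __name__ == "__main__":
    for name, sample in (("plain gif", MINIMAL_GIF), ("gif+zip", GIF_WITH_ZIP_TAIL)):
        print(f"{name}: {classify_upload(sample)}")
```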

You need to pay a little more attention to what you are downloading – perhaps those latest pictures of Britney are less attractive now?

The Power Of The Internet – small

While I’m talking about the power of the Internet, it is also worth mentioning that while you can attack a whole country it is also very easy to pick up some tools on the web to test your own company’s security. One of my favourites to show how easy it is to get employees to inadvertently give away information is the USB Switchblade / HackSaw. So, here’s the plot: buy a few USB memory sticks, load up Switchblade (it does need a little configuration) and then leave them around the organization. For example, in the cafeteria, or perhaps on the reception desk. When you have done this, just sit back and wait for the results. In this case the results will come when someone picks up a USB key and plugs it into their system – the software then collects and reports back password hashes, LSA secrets and IP information. The whole process takes about 20 seconds… we can’t ignore the fact that these tools exist – because they do… and you can’t keep a secret for long, at least not when the internet is involved.

What now? Well, time to educate folks that picking up USB sticks (and CD ROMs) from untrusted sources can be ‘dangerous’… and while you should update the relevant policies, you can’t rely on them to stop people from doing silly things, so this might be the time to put a solution in place to prevent unauthorized USB devices from stealing your data.

Tape Glorious Tape, There’s Nothing Quite Like It

Another data loss incident… 2.2 million billing records. They were on tape, in a car, and the car was broken into – no tapes. The driver had worked for 18 years with the company – alas no more, as they had violated the company’s information protection policy – they shouldn’t have taken them home, they should have gone straight to off-site storage. Tapes are great – high capacity, low cost, easy to transport, easy to store, no moving parts (when it’s on the shelf!), great for long term storage and still an integral part of most companies’ IT environment. But… also easy to lose… and often the data is stored in an open format – so you don’t need a password or anything else to get at it. Far easier to steal a tape than break into a server…

OK, so it seems cut ‘n’ dried… but… what if the driver had been in an accident and the tapes had been lost? What if the off-site storage (which is run by a 3rd party) was broken into and the tapes stolen? The company is not saying if the data was encrypted or not, but my guess is that it wasn’t, so either of these other scenarios could also be valid – and would result in the loss of data.

Part of developing an information security policy is to revisit processes which touch sensitive data – this includes all occasions and possibilities when it can go offsite, or is handled by a 3rd party. It has to include tape backups, CDs, DVDs, USB sticks, and any other physical copies of the data, including laptops.

The simple rule is… if it is going offsite, for whatever reason, it needs to be encrypted. Full stop.

(In this case, encrypted backups should have been employed – not just for the car break-in scenario, but also the other ones as well…)


Cultural Failures?

Finally, the Poynter report into the HMRC data loss is being released, and the conclusion… the loss of records can’t be blamed on a single official. For me the good news is that the poor junior official who was being blamed now isn’t – it was never their sole fault; after all, they were just following orders. The report highlights ‘cultural failures’ and practices that weren’t what they should have been. The former is an interesting comment and the latter rather obvious given what occurred.

Data loss on a massive scale is not new: if you look back a few years (yes, years), the American Veteran Association lost millions of records… TJX did the same… and yet things didn’t change. It’s not just the UK, but across the globe. It didn’t use to be a crime to lose a laptop – the change in the environment has (virtually) made it so. We live now in a time where the attitude towards personal data is beginning to change, but like an oil tanker, it is going to take a while to turn around. Most companies (and governments) don’t know where their sensitive data is – and until they know that, how can they possibly protect it? If they don’t know which business processes handle or even touch sensitive data, then how can they change them?

Information security policies need to be created, consistently implemented and then audited – on a regular basis.

If you have a bank account, a credit card, pay taxes, do a little shopping online, then your details will be in around 700 databases! If you are one of the people handling sensitive data (or think you have sensitive data) then look at what you do – look at where you can fix potential issues or find someone else who can. Technology alone is not the silver bullet. Above all else, treat the information you handle with the same due care and attention that you would want others to do with yours.

It is only when people truly understand the risks and consequences and change their behaviour that the culture will change.

How High… How Low?

It was reported yesterday that an MP’s PC had been stolen from a constituency office. There was the usual ‘rush’ to assure everyone that there wasn’t anything ‘secret’ or ‘top secret’ on it. This is only really interesting as it reminds us that desktops as well as laptops can be stolen – and it doesn’t matter if you are high up in government or just one of the rest of us. Certainly from a business perspective, the loss of desktops is significantly less common than that of laptops (there are easier targets, although there was a data centre that was targeted and even disk arrays stolen) – however, for small businesses and especially for individuals, desktop machines as well as laptops are targeted by burglars.

Most home computers have confidential data on them, perhaps a cookie for on-line banking (giving a thief easy access), or maybe other account information for credit cards or other on-line shopping accounts. For business laptops we talk about full disk encryption as being best practice to protect the data against theft; we should also consider the same practice for desktops and home computers. Of course, you also need to look at doing a backup: while it’s great that your data doesn’t fall into the wrong hands, you will also need a copy yourself.

Just so you know… encryption does add a little overhead (i.e. it slows things down a little) but probably not so much that you would notice. From both an enterprise and a consumer perspective there are tailored solutions on the market, and for individuals you can use the solution built into the operating system, or there are a number of ‘free’ solutions as well. There is no excuse.

Data protection begins at home! (As well as in the office, or on the road, …)

24 Percent

A civil servant has been suspended for leaving top secret documents on a train. A recent survey showed that 24% of data loss was through paper records, so perhaps this should come as no surprise. As I think back through the past decade or more, there have always been one or two occasions each year where records were found in a skip or beside the road, and before now it was reported and that was that. However today, as we all know, data loss is taken much more seriously.

Electronic data is easily transported, readily copied and therefore simple to use. You can also get a lot of information in a very small space… losing the details on 20 million people in paper form would require a sizeable truck!

We now protect electronic information, either by encryption (if you have a laptop or mobile device) or by content analysis and classification – preventing emails being sent to the wrong people or data being copied unencrypted onto CD ROMs etc. But what to do about paper records? We are back to people and processes. People need to be made aware that paper can be just as damaging as electronic records, and the processes whereby records are printed out need to be re-examined – especially to ensure appropriate destruction, e.g. shredding. In the same way that we are questioning the need for people to have copies of sensitive or confidential electronic information on their laptops, companies should also look at why they need to take bundles of papers home… this would be one case where an electronic version could be more secure.
