And Your Password Is… Password

A report into the Top 10 passwords for 2008 puts ‘Password’ at the top of the list. It’s been in the top 5 for years - why? You would have thought that people would realise that if it (whatever it is) is worth protecting by a password, then it is of value to someone else too.

‘But… it’s only my blog’ or ‘It’s just my social networking account’ or… there is an endless supply of excuses as to why people choose weak passwords. Listen up: if it has a value to you, it has a value to someone else. So, now let’s play a game of ‘What If’… and this is what you need to do when setting a password (partner’s name, child’s name, pet’s name - they are all in the popular list and easily guessable - by machine; don’t think that someone is typing them in, oh no, it’s all done by machine). So what if someone gets onto your site and defaces it, perhaps posts objectionable content or pictures, perhaps emails all your friends and tells them that you hate them… it’s coming from your account, they will be impersonating you, so how do your friends know it’s not you? How long will it take to repair the damage caused? Hopefully the picture is clearer now… so when you choose a password make it a strong one - put in a number or two, perhaps some punctuation, and have it at least 8 characters long. That way someone won’t come along and hijack your account, and maybe your reputation as well.

(Just so you know… the same goes for work passwords as well - many companies have policies and protection in place for work based passwords… and for good reason. Imagine if someone could impersonate you and therefore your company…)
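The rules above (at least 8 characters, a number or two, some punctuation, nothing from the popular list, no partner/child/pet names) can be turned into a checker that a site or company could run before accepting a password. The following is an added example and not code from the original post; the `popular` list is a constructed stand-in for the Top 10 report, and the personal names are supplied by the caller (here a made-up pet called Rex).

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Constructed stand-in for the "Top 10 passwords" list the post refers to.
// A real deployment loads a large breach-derived list instead.
var popular = map[string]bool{
	"password": true, "123456": true, "qwerty": true, "letmein": true,
	"abc123": true, "monkey": true, "welcome": true, "iloveyou": true,
}

// lettersOnly keeps just the letters of pw, so "Password1!" collapses to
// "Password" and is still recognised as a decorated popular password.
func lettersOnly(pw string) string {
	var b strings.Builder
	for _, r := range pw {
		if unicode.IsLetter(r) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// CheckPassword applies the post's rules: at least 8 characters, a number,
// some punctuation, not a popular password (or a trivially decorated one),
// and none of the personal names (partner, child, pet) supplied by the
// caller. It returns the list of violations; an empty list means it passes.
func CheckPassword(pw string, personalNames []string) []string {
	var problems []string
	if len([]rune(pw)) < 8 {
		problems = append(problems, "shorter than 8 characters")
	}
	hasDigit, hasPunct := false, false
	for _, r := range pw {
		switch {
		case unicode.IsDigit(r):
			hasDigit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			hasPunct = true
		}
	}
	if !hasDigit {
		problems = append(problems, "no digit")
	}
	if !hasPunct {
		problems = append(problems, "no punctuation")
	}
	lower := strings.ToLower(pw)
	if popular[lower] || popular[strings.ToLower(lettersOnly(pw))] {
		problems = append(problems, "popular password or a trivial variant of one")
	}
	for _, name := range personalNames {
		if name != "" && strings.Contains(lower, strings.ToLower(name)) {
			problems = append(problems, "contains personal name "+name)
		}
	}
	return problems
}

func main() {
	names := []string{"Rex"} // constructed: the user's pet
	for _, pw := range []string{"password", "Password1!", "Rex2008!!", "T4pe!Glorious"} {
		if p := CheckPassword(pw, names); len(p) == 0 {
			fmt.Printf("%-14s OK\n", pw)
		} else {
			fmt.Printf("%-14s rejected: %s\n", pw, strings.Join(p, "; "))
		}
	}
}
```

The letters-only comparison is the part worth copying: a bare length and character-class rule passes `Password1!`, which is exactly the kind of decorated dictionary word the guessing machines try first.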

Tape Glorious Tape, There’s Nothing Quite Like It

Another data loss incident… 2.2 million billing records. They were on tape, in a car, and the car was broken into - no tapes. The driver had worked for 18 years with the company - alas no more, as they had violated the company’s information protection policy - they shouldn’t have taken them home, they should have gone straight to off-site storage. Tapes are great - high capacity, low cost, easy to transport, easy to store, no moving parts (when it’s on the shelf!), great for long term storage and still an integral part of most companies’ IT environments. But… also easy to lose… and often the data is stored in an open format - so you don’t need a password or anything else to get at it. Far easier to steal a tape than break into a server…

OK, so it seems cut ‘n’ dried… but… what if the driver had been in an accident and the tapes had been lost? What if the off-site storage (which is run by a 3rd party) was broken into and the tapes stolen? The company is not saying if the data was encrypted or not, but my guess is that it isn’t, so either of these other scenarios could also be valid - and would result in the loss of data.

Part of developing an information security policy is to revisit processes which touch sensitive data - this includes all occasions and possibilities when it can go offsite, or is handled by a 3rd party. It has to include tape backups, CDs, DVDs, USB sticks, and any other physical copies of the data, including laptops.

The simple rule is… if it is going offsite, for whatever reason, it needs to be encrypted. Full stop.

(In this case, encrypted backups should have been employed - not just for the car break-in scenario, but also the other ones as well…)
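What “encrypted backups” means at the minimum: a random data key that stays with the company (in a key management system or escrow, assumed here) while the tape carries only ciphertext, so a tape lost from a car, a crashed vehicle or a burgled 3rd-party store is useless on its own. This is an added example in Go using only the standard library, not code from the post or any product it mentions; the billing records are a constructed sample and the tape label is made up. The label is bound in as authenticated associated data, so a tape that has been relabelled, swapped or altered is refused on restore.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh random 256-bit key. It stays with the company
// (key management system, escrow); it never travels with the tape.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates a backup image with AES-256-GCM. The
// tape label is bound in as associated data: it stays readable on the
// outside of the tape, but any mismatch on restore is rejected. The output
// layout is nonce || ciphertext || tag; nothing on it is secret without
// the key, so the tape can go offsite.
func Seal(key, image []byte, tapeLabel string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, image, []byte(tapeLabel)), nil
}

// Open reverses Seal. A wrong key, a flipped bit anywhere on the tape, or a
// label that does not match all fail authentication and return an error.
func Open(key, blob []byte, tapeLabel string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(tapeLabel))
}

func main() {
	// Constructed sample standing in for a billing export.
	records := []byte("acct=1001,name=A. Customer,amount=42.10\nacct=1002,name=B. Customer,amount=13.37\n")

	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	tape, err := Seal(key, records, "TAPE-0001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("tape holds %d bytes, plaintext visible: %v\n", len(tape), bytes.Contains(tape, []byte("Customer")))

	// Restore at the right site with the right key and label succeeds.
	if back, err := Open(key, tape, "TAPE-0001"); err == nil && bytes.Equal(back, records) {
		fmt.Println("restore ok")
	}
	// Whoever has only the tape has no key material: restore fails.
	noKey := make([]byte, 32)
	if _, err := Open(noKey, tape, "TAPE-0001"); err != nil {
		fmt.Println("restore without the key:", err)
	}
}
```

The same pattern covers the other physical copies in the policy (CDs, DVDs, USB sticks, laptop disks): what leaves the building is ciphertext, and the key is part of the recovery procedure rather than part of the media.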


Time To Get Personal?

Gartner has now recommended that employees buy their own laptops. There is nothing new in the concept, otherwise known as consumerisation. The idea is simple: employees buy and use their own hardware for work. In the US, it was the iPhone which drove the move to consumerisation; lots of people rushed out to buy one and then asked their IT departments to support them. Herein lies one of the issues - support. The other is licensing.

From a licensing perspective, who owns the software? Is it the company or the individual, and what happens when they leave? From a support perspective, what happens when a machine goes wrong? If there is a standard build, with a standard machine, then it is simple to fix or just to deliver a replacement. If it is down to the employee to get it fixed, do they do that on their own time? What happens if they don’t? Laptops are an essential business tool; if one is not available then productivity can drop to zero! What happens with backup? Who is responsible for doing it and how is it done? What about data loss prevention? If the machine has company information on it, what happens to it when the employee leaves?

There have been a number of successful schemes, but it is still early days. Before rushing in to save costs companies need to work through the issues and ensure that their corporate policies cover all eventualities.


Post A Picture… End Up In Jail?

When is a picture on a social networking site a threat to national security? According to a report, Israeli defence chiefs have realised that pictures of sensitive military installations are being posted on Facebook. People now have a fascination with social networking, taking pictures and posting them online for the world to scrutinize.

The story might seem a little draconian, but they are still allowing pictures of people - just not with sensitive information in them. If you look around the web you can find pictures of other people at work (including myself - if you look hard enough) however, on some of them you can read what is written on yellow stickies attached to monitors and cube walls. Another source of information for the enterprising criminal… so just beware, cyber criminals may well be more interested in the background of a picture than the foreground…

Security Or Usability

In a recent report 68% of employees admitted to bypassing their employers’ information security policies. While few details were forthcoming on exactly what had been done, there were some anecdotal points: using USB sticks to take data home to work on, printing out reports and then not disposing of them correctly. The list all seems ‘reasonable’ - after all, people have to do their jobs, don’t they?

Herein lies the issue: security controls (and security in general) are often implemented at the expense of usability and work process. If we are to see a change in attitude we need to encourage change and understanding from the top down. If employees need to take work home, then companies need to buy adequate equipment and security technology for them to do that - otherwise, they will just have to put up with the work taking longer.

Work practices have to change if we are to protect information, and that isn’t going to happen overnight. If processes are awkward or overly time consuming then people will work around them - regardless of the consequences. Often they don’t know what the real consequences are. The time to educate is now - from the top to the bottom.

They Took The Application As Well…

Virtualization is still big news; some would even say that it’s getting bigger every week. If you are using virtual machines then consider the impact of someone stealing a virtual image. Virtualization offers a lot of opportunities and a great deal of flexibility - however it also offers new threats. There has been a lot of talk of compromising the hypervisor and therefore the virtual machines that sit above it, but there is another interesting threat when it comes to data loss.

One of the benefits of a virtual machine is to be able to lump together everything you need for a machine into a single file; ok, so the file might be 50GB - but it’s still a file. One of the other benefits is that you can load, unload, move, copy and generally manage the file - as a file. What if that file goes missing - or it is stolen? The answer is that unless it is protected (encrypted, or restricted as to which physical machines it can be run on) it could be run by anyone on anything - in that case they won’t just get the data in the virtual machine, but also the application needed to access the data as well.

When looking at potential areas where data loss can occur you need to look outside the box - in this case Virtual Machines and how they could be exploited should they fall into the wrong hands.

Out and about…

So, this week I am speaking at a couple of events. The first is at Aon’s “Cyber Risks and Data Management Seminar” on Wednesday 5th March at the HAC in London. The focus for my talk is around data loss and what you can do to prevent it - not least understanding where the data is (for example, it could be at risk inside your photocopier) and some of the new threats to be aware of; one that springs to mind is the social engineering attack using ‘road apples’.

The second is at the first of the Symantec Data Loss Prevention Seminars in Dublin on Thursday 6th March. Once again the talk is about preventing data loss, although my talk focuses on the three P’s - People, Process and Product, with the emphasis on the first two. This is the first of a number of seminars around the UK, see http://www.conferencepage.com/DLP08/ for more information.

Decrypting DRAM…

Princeton University announced last week that they could break some of the most popular full disk encryption products, including BitLocker. It basically comes from exploiting some of the properties of DRAM and the fact that the data remains for a period of time after the power is removed, enabling the contents, which include the encryption key, to be read - and therefore used to break the encryption on the disk. While it is unlikely for a criminal to access the machine in the time between a ‘real’ power off and the data disappearing, it is a risk when the system is in hibernate mode. If you are worried about this attack (and remember that this is an attack which requires physical access) then now is the time to revisit your Information Security Policy - the suggestion being that if you are going to switch off your laptop, then switch it off fully - rather than just close the lid and let it hibernate.