
The widespread availability of personal information,
along with employees being exposed to more data than they need to
know, is making it easier for hackers to bypass the 'human
firewall'. SA Mathieson reports on the rising threat of social
engineering.
Government data breaches
The UK government's well-publicised problems with information
security have typically involved public servants losing copies
of data, rather than fraudsters gathering it. The child benefit
discs carrying 25m people's details, the memory stick with data on
every prisoner and prolific offender in England and Wales, the
portable hard drive with information on 1.7m armed forces personnel
- all unencrypted - are as likely to have been lost down the side of
a desk as to be in the possession of criminals.
However, government organisations do have a problem with
social engineering attacks on their data, and the potential for
these attacks is growing as the state gathers and joins up more
information on individuals.
Central government departments and agencies, particularly those
with the most valuable data such as the Ministry of Defence, the
Home Office and the security services, have become accustomed to
attempts to access it.
Ken Munro, operational director of security tester NCC SecureTest,
says the greatest strength of central government is its Protective
Marking System, used to classify material and specify how strongly
it is protected. "That's where the commercial world could learn
volumes from government," he says.
Protective marking classifies material in descending order of
sensitivity: top secret (for which one of the qualifications is
that disclosure could "lead directly to widespread loss of life"),
secret, confidential, restricted and protect. Access to all
protectively marked information is on a "need to know" basis, which
is a good start when it comes to frustrating social engineering
attacks: a caller's clearance, real or claimed, is not by itself a
reason to hand over anything.
The Cabinet Office's Security Policy Framework (which has
recently replaced the Manual of Protective Security) says: "This
'need to know' principle is fundamental to the security of all
protectively marked government assets - casual access to
protectively marked assets is never acceptable. If there is any
doubt about giving access to sensitive assets, individuals should
consult their managers or security staff before doing so."
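The two tests that the protective marking scheme and the "need to know" principle combine, as an added illustration (this is not code from the article, nor from any government system): a subject's clearance must be at least the asset's marking, and, separately, the subject must hold a role with an established need to know. The linear ordering of markings follows the list above; modelling need to know as a per-asset set of roles, and the subjects, assets and roles themselves, are assumptions made for the example.

```python
"""Protective-marking access check: an added illustration, not code from the
article or from any government system.

Assumptions (not in the article): markings form the linear order listed in
the text, a subject holds a single clearance level, and 'need to know' is
modelled as an explicit set of roles authorised for each asset. The roles,
names and assets below are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Ascending sensitivity, as listed in the text (PROTECT lowest, TOP SECRET highest).
MARKINGS = ("PROTECT", "RESTRICTED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
RANK = {marking: level for level, marking in enumerate(MARKINGS)}


@dataclass(frozen=True)
class Asset:
    name: str
    marking: str
    need_to_know: FrozenSet[str]   # roles with a business need; empty = no one


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    roles: FrozenSet[str]


def access_decision(subject: Subject, asset: Asset) -> Tuple[bool, str]:
    """Deny by default: both tests must pass, and the reason is returned so
    that refusals can be logged and, as the SPF quote says, escalated."""
    if asset.marking not in RANK:
        return False, f"asset {asset.name!r} has an unrecognised marking"
    if subject.clearance not in RANK:
        return False, f"subject {subject.name!r} has an unrecognised clearance"
    # Test 1: clearance must be at least the marking (no read-up).
    if RANK[subject.clearance] < RANK[asset.marking]:
        return False, (f"clearance {subject.clearance} is below "
                       f"marking {asset.marking}")
    # Test 2: clearance alone is not enough; an explicit need to know is required.
    if not (subject.roles & asset.need_to_know):
        return False, "no need to know: casual access is never acceptable"
    return True, "clearance sufficient and need to know established"


# Constructed sample data (not real assets, roles or people).
PRISONER_LIST = Asset("prisoner register", "RESTRICTED",
                      frozenset({"offender-management"}))
TROOP_MOVEMENTS = Asset("deployment schedule", "SECRET",
                        frozenset({"ops-planning"}))

CALL_HANDLER = Subject("call centre operator", "RESTRICTED", frozenset({"enquiries"}))
CASE_OFFICER = Subject("case officer", "CONFIDENTIAL", frozenset({"offender-management"}))
PLANNER = Subject("planner", "SECRET", frozenset({"ops-planning"}))


if __name__ == "__main__":
    for subject in (CALL_HANDLER, CASE_OFFICER, PLANNER):
        for asset in (PRISONER_LIST, TROOP_MOVEMENTS):
            ok, why = access_decision(subject, asset)
            verdict = "ALLOW" if ok else "DENY "
            print(f"{subject.name:22} -> {asset.name:20} {verdict} ({why})")
```

The point the second test makes is the one the article's sources keep returning to: the planner, despite holding the highest clearance in the sample, is refused the prisoner register because no need to know exists, and the call handler is refused it even though the marking matches their clearance. Anything unmarked or with an unknown clearance is refused outright rather than treated as harmless.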
Munro says that the majority of government work his firm carries
out involves validating that networks are segregated - protectively
marked material has to use separate networks. On the telephone,
operators for central government call centres tend to have strict
role-based access, with tight rules on what they can and can't
see.
Crime and Punishment
The Identity and Passport Service (IPS), the Home Office agency
which produces passports and will run the National Identity
Register, the database of personal data behind identity cards,
says it has strict rules in place to frustrate social engineering.
"IPS has clear policy and procedures in place, which are
supported by appropriate training, to ensure that staff know when
it is and when it is not lawful to disclose personal information.
Specialist staff deal with more involved disclosures," says a
spokesperson. "Unauthorised disclosure of personal information is a
serious matter and IPS takes appropriate action, including
disciplinary proceedings, if agreed procedures are not
followed."
In 2008, IPS released figures saying it had dismissed 14 people
over the previous three years, all but one for abusing access to the
passport database. This was from a total of 16 disciplined for data
protection breaches - the remaining two received a formal warning.
IPS employs more than 4,000 staff, the majority of whom have access
to personal data.
The agency says it will make rigorous efforts to protect the
National Identity Register from social engineering and other
security attacks by training staff, implementing a strong user
authentication process for anyone requesting data from the
register, considering the building design, auditing and monitoring
technical security and implementing "both civil and criminal
penalties for anyone attempting to access, misuse or bypass the
controls used to secure the data".
Munro adds that these high-security departments are strong on
physical security, as well as everything else. "Yes, you can blag
your way in, but it's harder," he says of getting into one of their
buildings compared with the commercial sector, noting that the
situation is similar when inside an office.
Other departments may be less secure.
Peter Wood, chief of operations for penetration tester First Base
Technologies, points out that many departments rely heavily on
outsourcing, both for IT and for physical security. "There is no
direct link between the guards and the places they are guarding,"
he says, and security procedures such as the right to audit systems
may be lacking when IT systems are transferred to private sector
partners.
No human firewall
Things are often worse again at local authorities, although for
different reasons. As organisations, they tend to be helpful -
which is good in most ways, but less so for security. Councillors
are locally elected and accountable. Areas of many buildings are
open to the public or used for numerous meetings. They tend to have
a strong ethos of serving their local area, and their work focuses
on providing assistance to people. Many also have multi-function
call centres and enquiry offices, with systems holding a wide range
of data on individuals. This all makes them more vulnerable to
social engineering.
"It feels to me that the training isn't there, and if it is,
it's being ignored," says Wood of such authorities. "I've seen the
most surprising things stuck on the wall, left on desks, machines
logged on and left unattended." He says councils need clear and
well thought out guidance for staff: "It seems that the human
firewall isn't there in many cases."
Tony McDowell, managing director of Encription, says a large part of
his firm's business involves testing local authorities through
phishing e-mails, sent to 15 to 30 named e-mail addresses, provided
by whichever council wishes to be tested. These state the company's
name - which should alert anyone who carries out a web search -
include spelling mistakes which should arouse suspicion, and ask
the user to do something specific which represents a breach of
infosecurity. "Our average [response rate] is 42% to 47% of the
people, responding with at least one username and password,"
McDowell says.
A well prepared organisation should identify the e-mails and
block them completely, he adds. "If they don't detect it in four or
five hours, they aren't going to detect it." He says that local
authorities' levels of preparation leave something to be desired,
with lack of staff training a particular problem. "People are
generally very trusting and want to help," he says, adding that
generally the smaller the council, the bigger the problem.
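The bookkeeping behind a test of this kind, as an added example that is not Encription's tooling or anything from the article: each named recipient gets a lure link carrying an opaque per-recipient token, the landing page records that a username and password were entered without keeping the password, and the campaign is scored on McDowell's two measures, the share of recipients who handed over credentials and whether the organisation detected and blocked the e-mails within the four-or-five-hour window he describes. The secret key, recipient addresses, timings and submissions are all constructed for illustration.

```python
"""Bookkeeping for a consented phishing simulation of the kind the text
describes. Added example, not Encription's tooling; the recipients, timings,
secret key and event log below are constructed for illustration.
"""
import hashlib
import hmac
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Rule of thumb quoted in the text: if the lure isn't detected within four or
# five hours, it won't be. Treat five hours as the detection window.
DETECTION_WINDOW = timedelta(hours=5)


def lure_token(key: bytes, campaign_id: str, recipient: str) -> str:
    """Opaque per-recipient token for the lure link.

    An HMAC over (campaign, recipient) lets a submission be attributed to the
    named address without that address appearing in the URL, and a recipient
    who forwards the mail cannot forge a token for someone else."""
    msg = f"{campaign_id}\x00{recipient}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def build_lures(key: bytes, campaign_id: str, recipients: List[str]) -> Dict[str, str]:
    """token -> recipient for every named address the council supplied."""
    return {lure_token(key, campaign_id, r): r for r in recipients}


def handle_submission(lures: Dict[str, str], results: Dict[str, dict],
                      token: str, username: str, password: str,
                      when: datetime) -> Optional[str]:
    """Landing-page handler. Records *that* credentials were entered, never
    the password itself: the tester has no business holding live passwords.
    Returns the recipient matched, or None for an unknown or forged token."""
    recipient = lures.get(token)
    if recipient is None:
        return None
    # First submission per recipient counts; repeats don't inflate the rate.
    results.setdefault(recipient, {
        "when": when,
        "username_given": bool(username.strip()),
        "password_given": bool(password),   # boolean only; password discarded
    })
    return recipient


def campaign_metrics(recipients: List[str], results: Dict[str, dict],
                     sent_at: datetime, blocked_at: Optional[datetime]) -> dict:
    """Response rate as McDowell measures it (at least a username and password
    handed over), plus whether the organisation blocked the lure in time."""
    responders = sorted(r for r, v in results.items()
                        if v["username_given"] and v["password_given"])
    time_to_block = None if blocked_at is None else blocked_at - sent_at
    return {
        "recipients": len(recipients),
        "responders": len(responders),
        "response_rate": len(responders) / len(recipients),
        "time_to_block": time_to_block,
        "detected_in_window": (time_to_block is not None
                               and time_to_block <= DETECTION_WINDOW),
    }


def run_example() -> Tuple[dict, dict]:
    """Constructed campaign: 20 named addresses, six hand over credentials,
    one gives a username only, and the lure is blocked after nine hours."""
    key = b"campaign-secret-constructed-for-example"   # would be random per campaign
    campaign = "sim-2009-03"
    recipients = [f"user{i:02d}@council.example" for i in range(1, 21)]
    lures = build_lures(key, campaign, recipients)
    sent_at = datetime(2009, 3, 2, 9, 0)
    results: Dict[str, dict] = {}

    # Constructed submissions: (recipient, username, password, minutes after send).
    events = [
        ("user03@council.example", "user03", "Spring09!", 12),
        ("user07@council.example", "user07", "letmein", 35),
        ("user11@council.example", "user11", "", 40),           # username only
        ("user03@council.example", "user03", "Spring09!", 41),  # repeat: ignored
        ("user14@council.example", "user14", "pa55word", 90),
        ("user15@council.example", "user15", "council1", 130),
        ("user18@council.example", "user18", "qwerty", 200),
        ("user19@council.example", "user19", "Welcome1", 300),
    ]
    for recipient, username, password, minutes in events:
        handle_submission(lures, results, lure_token(key, campaign, recipient),
                          username, password, sent_at + timedelta(minutes=minutes))
    # A guessed token never reaches the results.
    handle_submission(lures, results, "0" * 24, "admin", "hunter2", sent_at)

    metrics = campaign_metrics(recipients, results, sent_at,
                               blocked_at=sent_at + timedelta(hours=9))
    return metrics, results


if __name__ == "__main__":
    metrics, _ = run_example()
    for name, value in metrics.items():
        print(f"{name:20} {value}")
```

Two design choices matter more than the arithmetic. Tokens are HMACs rather than the recipient's address or a sequence number, so a forwarded or guessed link cannot attribute a submission to the wrong person; and the handler keeps a boolean, never the password, because a tester who ends up holding staff passwords has created exactly the exposure the exercise is meant to reduce. The nine-hour block in the constructed run falls outside the five-hour window, which is the outcome McDowell says distinguishes an unprepared organisation.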
The weaknesses of some local authorities are currently under
examination, as all those in England and Wales are in the process
of being linked to the Government Connect Secure eXtranet (GCSx),
part of the family of secure networks used by central government.
The initial reason is to give staff secure and tracked access to
ContactPoint, a £224m database of all children. The point of this
is to let teachers, doctors and social workers know who is involved
with the care of a particular child.
But councils have to comply with GCSx's Code of Connection, and
that is proving a struggle: by January 2009, 106 of the 410 local
authorities involved had asked for an extension to the 31 March
compliance deadline.
Freedom of information
Richard Steel is president of the Society of IT Management, a
professional association focused on local government IT managers,
and also the chief information officer of the London borough of
Newham. "A lot of authorities are struggling with achieving
compliance," he says. "We desperately need a pan-government
security mechanism, so we're extremely supportive." State sector
data losses have often been due to the lack of a secure network,
leading to the use of insecure media to transfer information -
which then gets lost.
Steel says his authority, Newham, should achieve compliance by
the end of March, and takes security seriously, such as with
two-factor authentication for mobile working and mandatory
information governance training for staff before they are allowed
to use IT systems.
But he admits that it's likely that councils suffer from social
engineering. One specific problem comes from the democratic
requirement to be open: "We're acutely aware that there is lots of
pressure on freedom of information, in local authorities and on
government," he says, adding that Newham employees are encouraged
to talk to dedicated freedom of information staff.
"We all have to be aware that the approach to security is
changing fundamentally," Steel adds. "We've come from a fortress
approach, built on organisational networks with security firewalls,
moving to a time where there is a great number of pressures on
public authorities to join up and partner. Those partnerships do
require us to think very carefully about security, which was
previously very simple." This will only increase, he argues, as
data is increasingly shared with the wider community through web
2.0 systems.
Mark Brett, policy and programme manager for the society, says
that local authorities have suffered from social engineering. "They
are beginning to wake up to protective marking, encrypting laptops
and memory sticks," he says. "You are finding far more
organisations with identity cards and visitor registration."
However, he says that the hardest part involves changing staff
attitudes. "If there's one message we need to shout very loudly,
it's that this is a cultural change. We need to get local
authorities to think about security in the way they think about
health and safety." A vital first step is to appoint a senior
information risk officer to take responsibility, he says.
There is a particular problem in contact centres, Brett adds.
"Relatively junior staff have access to huge amounts of
information," he says. "Some local authorities bring in agency
staff. Harmless questions, when added up, can become less harmless.
The easy challenge is, why do you need to know that?" Another
simple measure is to call the person back, on a number already held
on record rather than one the caller supplies, before giving out
sensitive information, instead of trusting that the incoming call
has actually come from the person stated.
The work is vital, Brett says, as the GCSx is likely to be used
for much more than just ContactPoint. "In time, this will be the
main conduit for data transfer between central government and local
authorities," he says.
For Peter Wood, this move towards sharing data on individuals -
a key policy for the current government - exacerbates the risks
from social engineering. "It all links into this joined up
government mindset, when they are trying to make information as
available as possible," he says. "The security controls that need
to be there haven't kept pace, in my opinion."
This article first appeared in Infosecurity magazine.