September 7, 2008

EDS lose hard-drive with prison employee data

There's something quite sleazy and nasty about the way that this latest data loss story has hit the news. A portable hard-drive has gone missing from the offices of EDS. On that drive are personal details of 5000 people including prison staff. The drive went missing about a year ago but the loss has only just been discovered.  A whistle-blower at EDS has obviously seen an opportunity to make a few quid on the side by reporting this tale to the News of The World.

The predictable cries of indignation once again hit the airwaves, and various officials and politicians are all quick to get in on the act: "When was this incompetent government planning to own up to another data disaster..?" froths the Shadow Justice Secretary, Nick Herbert (see link).

Let the witch-hunt commence!

This is not the first time that EDS have been implicated in a serious data loss: the Burton Report into the loss of unencrypted MOD data has them as one of the central players. Ironically, their own website has an article about the importance of securing data off-site: "The encryption of all data that is moved off-site is crucial, but should be mandatory for portable end-user devices such as laptops and PDAs, as well as all removable media."

I notice there are quite a few 500GB USB hard-drives going cheap on eBay. Maybe somebody from the government should start buying them up...just in case....


September 5, 2008

What is the job of information security?

In one particular episode of Black Books - a great sitcom starring Bill Bailey and Dylan Moran - Fran starts a new job. After her first day in the office she reports back that "All I know about my job is that there are biscuits in the stationery cupboard!"

I think we've all had that sort of day where we've gone home and wondered exactly what it is that we do. This, I believe, is particularly common amongst information security professionals. The reason is that everyone seems to have a different perception of what the job is all about.

Take, for instance, Nitesh Dhanjani who says (quoted from Taosecurity) that the job of information security is to make it harder for people to do wrong things. That's definitely a better definition than the usual ones stating that the job is to protect assets, mitigate risks, blah blah blah...yes we know. Thank you very much. Mine's black with one sugar please.

Personally, while I like Nitesh's definition I think it's wrong. The job of information security should be to make it easier for people to do the right things. But it isn't. A lot of the time the job is to protect the organisation from people who do stupid or illegal things.

The job could also be simply stated as being to protect revenue. That's a much more emotive approach to take. However, nobody will believe you because the screensaver on their desktop has just activated and they can't find the piece of paper they wrote their password down on. So, in fact, in the eyes of the sales and marketing folk, your job is to prevent them from doing their jobs.

In reality the job is a balancing act between working to prioritise what can be done against what you would like to have done, what you have time to do, and what your management want you to do.

We shouldn't get too hung up on it all though. In the words of the late, great Harold Bennett, better known as Young Mr. Grace in "Are You Being Served?": "You're all doing very well..."

September 4, 2008

M&S 'whistleblower' gets the sack

A worker at Marks & Spencer (M&S) has been sacked after telling the media that the company planned to cut redundancy pay to staff.

See http://news.bbc.co.uk/1/hi/business/7595969.stm

According to The Times today, Brendan Barber, General Secretary of the TUC, said it was "truly shocking that an employee can be dismissed for exposing underhand and secretive decisions about issues that will directly affect staff in his workplace."

That's not the point. Whether or not M&S are doing the right thing by their employees is not the issue. From my perspective the individual was sacked for gross misconduct: he exposed company confidential information to an unauthorised third party. The action was calculated and designed to cause trouble.

We all have an axe to grind from time to time, but if you deliberately drop your employer in the muck because of it then that makes your position untenable. M&S have done the right thing.

September 3, 2008

Stronger penalties needed to force better data handling - I don't think so

An article by Ron Condon on searchsecurity.co.uk states..

Security experts agree that until the Information Commissioner's Office (ICO) is given the power to impose hefty fines on those who break the Data Protection Act, companies will continue to treat information with what one expert described as "reckless disregard." 

I disagree, but then nobody asked for my opinion on this one. Maybe I don't yet mix in the right circles or get invited to the best parties where all the experts are gathering. I certainly don't know Alan Calder, chief executive of IT Governance Ltd, one of the experts quoted in the article as stating that "Companies should always ensure that PID (personally identifiable data) is destroyed on their premises and not left to a third-party." That's nuts. I'd rather not leave it up to the IT department, brilliant and capable as they are. I contract a perfectly capable third party who specialise in data destruction and do the job properly.

Back to the point though. Do stronger penalties work? I doubt it. Stronger penalties might motivate organisations to try harder but until we put an end to this break/fix way of running information security and start focusing on dealing with the problem - which is all about people and not about technology at all - then the incidents will continue to occur on a depressingly frequent basis. 

What is meant by a stronger penalty? One that's so severe it puts the company out of business, or one that simply teaches them a harsh lesson? Make the penalties too severe and we'll end up with an equivalent of the health and safety culture where nobody is willing to take any chances for fear of the consequences. Imposing penalties does not solve the problem; it will increase the fear of disclosure and lead to a "check-box" compliance mentality. Tackle the problem from the root causes and we might start getting somewhere.

September 1, 2008

Social Networking: The seven deadliest hacks

My favourite type of Social Networking remains that which involves chatting with mates over a drink in the pub. Call me old-fashioned. There are, of course, various associated threats to "security" to consider: for instance, the extortionate cost of a pint these days could be considered a crime, and after a few drinks I might reveal information that should otherwise remain secret, which consequently might affect my personal reputation. It's also how I met my wife.

I'm also well versed in more modern socialising. I have 38 "friends" on Facebook most of whom I probably wouldn't recognise if they walked past me in the street, and around a hundred or so contacts on LinkedIn mostly comprising new and old work colleagues, a couple of hopeful recruitment consultants, plus a few folk I met whilst engaging in Social Networking 1.0 (i.e. at the pub).

Anyway, it's been a while since I discussed social networking on this blog. Last December I stated the view that organisations who continue to allow full and unrestricted access to social networking sites need to wake up to the fact that they are putting the security of their data and other assets at risk.

Adding some more fuel to the fire is an article just published on Dark Reading entitled The Seven Deadliest Social Networking Hacks, where Kelly Jackson Higgins proposes the case that "Social networks are the next major attack venue for trolls, spammers, bot herders, cybercriminals, corporate spies -- and even jilted ex-lovers or enemies -- to make money, or just plain wreak havoc on their victims' personal lives."

The seven deadly hacks discussed are:

1) Impersonation and targeted personal attacks
2) Spam and bot infections
3) Weaponized OpenSocial and other social networking applications
4) Crossover of personal to professional online presence
5) XSS, CSRF attacks
6) Identity theft
7) Corporate espionage

Personally, I think the following cartoon (from here) neatly sums up one of the biggest risks....

[Cartoon: facebook-cartoon.gif]

August 31, 2008

Man's 'pants' password is changed

Here's a bank that not only refuses to allow customers to have passwords it deems unacceptable but, more worryingly, allows its employees to view customer passwords and change them seemingly at a whim. Read about it on the BBC website here.

"Lloyds TSB stressed there was no security lapse in this case"

So, an unauthorised alteration to a customer password is not a security lapse?
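The underlying point is that staff should never be in a position to read a customer's password in the first place. As an added example (not code from Lloyds TSB or from the BBC story), here is a password store that keeps only a salted PBKDF2 hash: staff can verify a password or issue a logged reset, but cannot read the stored value back or quietly substitute their own choice. The iteration count, record format, staff identifier and the sample password are all assumptions made for the example.

```python
"""Added example, not code from Lloyds TSB or from the BBC story: a password
store that keeps only a salted PBKDF2 hash, so that staff can verify or reset a
customer's password but can never read it back or swap it for their own choice.
The iteration count, record format and sample values are assumptions."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumption: a work factor slow enough to hurt an offline guesser, fine for one login.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a record that contains no recoverable copy of the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iters": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex(), "must_change": False}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash and compare in constant time; nobody needs the plaintext."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def staff_reset(staff_id: str, audit: list) -> tuple:
    """The only thing staff can do: issue a random temporary value, logged against
    their own identity, which the customer must replace on first use. Staff never
    choose the new value and never see the old one."""
    temp = secrets.token_urlsafe(9)
    record = hash_password(temp)
    record["must_change"] = True
    audit.append({"event": "password_reset", "by": staff_id})
    return record, temp


def record_leaks_password(record: dict, password: str) -> bool:
    """Sanity check on the stored form: the plaintext must not appear anywhere in it."""
    return password.lower() in repr(record).lower()


if __name__ == "__main__":
    stored = hash_password("my bank is pants")  # constructed sample password
    print("verify:", verify_password(stored, "my bank is pants"))
    print("leaks plaintext:", record_leaks_password(stored, "my bank is pants"))
    trail = []
    stored, temporary = staff_reset("staff-0042", trail)
    print("reset logged:", trail, "must change:", stored["must_change"])
```

With this layout a staff-initiated change is a reset that leaves an audit entry and forces the customer to pick a new value, so "no security lapse" becomes something the bank can demonstrate from its logs rather than merely assert.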

August 29, 2008

Surfing Safer

An acquaintance is one of a team developing a new website - Surfing Safer - providing practical advice on security to home and business users.

It promises to be a useful companion to sites such as GetSafeOnline. For instance, where that one recommends you use a firewall, Surfing Safer will provide product reviews of which ones are best to use, from people with experience of using them.

Visit the new website here: www.surfingsafer.com

August 27, 2008

New approach needed to tackle data loss

We could do with having a time out in which to reconsider our approach to dealing with data loss. We're currently inundated with stories - the latest being about the PC purchased on eBay containing sensitive data about bank customers - and it's clear that we need a new approach.

The sheer number of reported incidents is indicative of a general failure across all industry sectors to provide adequate controls. It's also fair to say that legislation and regulatory compliance controls are not having much impact.

What can we do? In my opinion, we are engineers of our own downfall, making data ever more accessible and portable, and believing that an antiquated approach to security - it's all about IT and checklists, innit - can afford enough protection.

Many of us have been saying for years that we need to invest more time and money in security awareness. I'll stick my neck out and take a position that it's the single most important thing in reducing the risk of a data breach. And I'm not talking about a few posters on the notice board and handing out mouse-mats stating trite messages such as "think before you click." I'm talking about the sort of security awareness that makes every individual personally responsible for the data they handle, making them stakeholders armed with the right knowledge and willing to question security.

Let's be clear. This is not a technical problem and it won't be solved with technical solutions. If the organisation wants to collect data then the organisation needs to learn how to handle it and stop relying on outdated concepts. Fair enough?

August 26, 2008

Best Western and lessons for us all

The actual scope of the Best Western data breach is open to speculation. The Sunday Herald scoop was that "stolen login details were...put up for sale and shared on an underground website operated by a notorious branch of the Russian mafia... Once the information was online, experts estimate that it would take less than an hour to write and run a software bot...capable of harvesting every record on Best Western's European reservation system". However, this has been refuted by the company, which claims there was "some evidence" of unauthorized access to customer data by someone using a valid employee username and password, but that the compromise was limited to just one property, adding that the total number of potentially affected customers was 115.

There are some messages for all of us to take home from this incident.

- The press and blogging community will be quick to latch onto speculation about data breaches. News will spread fast. Having a good incident response and communication plan is essential. The messages that do come out from your organisation will be analysed and pulled apart. For instance - how can they be sure only 115 records were compromised? It's a very precise number.

- The reported fact that an account was compromised because of malware on a PC has not been refuted. It's a good opportunity to remind company employees to be vigilant and for network teams to double-check that all servers, devices and desktops are patched and up to date. Use this incident as an example of what can go wrong.

- We obviously don't know how the Trojan code got onto the compromised device. Perhaps the malware signatures weren't up to date, it may have been unknown malware for an unknown vulnerability, or it may have been deliberately installed by a malicious company employee.

- Don't downplay the value of the data your own business holds. Given the opportunity, criminals will steal it and trade it.

Whether or not Best Western have been the subject of one of the most audacious cyber-crimes ever this incident serves as a timely reminder that hackers are still after our systems.
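The two claims above (a bot harvesting every record in under an hour versus a valid employee login touching 115 records at one property) are exactly what a reservation system's audit trail ought to settle. As an added example, not Best Western's own system or code, here is a small detector run over constructed audit lines: it flags an account that views records far faster than a human operator would, and an account that turns up from a source address it has never used before. The line format, the thresholds, the user name and every sample line are assumptions made for the example.

```python
"""Added example, not Best Western's own system or code: a detector that flags a
valid employee account pulling reservation records far faster than a human
operator would, or from a source address it has never used before. The audit
line format, thresholds and all sample lines are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line: str):
    """Constructed format: ISO timestamp, user, source IP, action, record id."""
    ts, user, ip, action, rec = line.split()
    return datetime.fromisoformat(ts), user, ip, action, rec


def detect(lines, max_records: int = 50, window: timedelta = timedelta(seconds=60)):
    """Return alerts as (kind, user, ip, iso_timestamp) tuples.

    bulk_access fires once per user when more than max_records distinct records
    are viewed inside the sliding window; new_source_ip fires whenever an account
    that already has a known address turns up from a different one."""
    alerts = []
    recent = defaultdict(deque)   # user -> (timestamp, record id) pairs inside the window
    known_ips = defaultdict(set)  # user -> source addresses seen so far
    bulk_fired = set()
    for line in lines:
        ts, user, ip, action, rec = parse_line(line)
        if action != "VIEW_RES":
            continue
        if known_ips[user] and ip not in known_ips[user]:
            alerts.append(("new_source_ip", user, ip, ts.isoformat()))
        known_ips[user].add(ip)
        q = recent[user]
        q.append((ts, rec))
        while q and ts - q[0][0] > window:   # drop views that fell out of the window
            q.popleft()
        if user not in bulk_fired and len({r for _, r in q}) > max_records:
            bulk_fired.add(user)
            alerts.append(("bulk_access", user, ip, ts.isoformat()))
    return alerts


def constructed_log():
    """A morning of ordinary lookups, then one record per second late at night
    from an address the account has never used: what a harvesting bot driving a
    stolen credential would look like. All lines are made up for this example."""
    normal = [
        "2008-08-22T09:00:01 jsmith 10.1.4.22 VIEW_RES 100231",
        "2008-08-22T09:03:10 jsmith 10.1.4.22 VIEW_RES 100287",
        "2008-08-22T09:10:44 jsmith 10.1.4.22 VIEW_RES 100301",
    ]
    start = datetime(2008, 8, 22, 23, 14, 0)
    bulk = [f"{(start + timedelta(seconds=i)).isoformat()} jsmith 203.0.113.5 VIEW_RES {100000 + i}"
            for i in range(120)]
    return normal + bulk


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

Two caveats worth keeping in mind. If the Trojan drove the employee's own PC, the source address never changes and only the rate check fires, so the rate check is the one to tune against a real baseline of per-operator activity. And the same audit trail that raises these alerts is what lets a company put a precise number like 115 on a breach; without it, that figure is a guess.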

 

August 25, 2008

Best Western: speculation and denials

Best Western have publicly refuted the story reported in the Sunday Herald and stated that "Claims reported about our Central Reservations customer records are not accurate" (read the full statement here).

The statement is fairly vague and as Information Week point out:

"the release states that there is "no evidence" to support the sensational claims in the news story...Yet, fascinatingly, the company is admitting that the very reporter, for which there is "no evidence to support sensational claims," brought the fact that there was a breach to Best Western's attention. So, at least there is some evidence to support the claims. So what, exactly, is accurate, and what, exactly, is not in the story? We're not told."

The compromise, as originally reported, appears to be the result of an unidentified and unseen Trojan placed on a computer: we can speculate how: maybe because the system was unpatched for some period of time or via an as yet unknown vulnerability. It may even have been installed deliberately by a malicious insider or might be the result of somebody downloading something that contained the undetected malware. It's almost certainly a well targeted attack: the database will have represented rich pickings.
