May 15, 2008

Passwords, crocodiles, and air disasters

What do air disasters and password policies have in common? They were both the subject of anecdotes at last night's IISP lecture on "Security awareness - promoting long term behavioural change" presented by Martin Smith of The Security Company.

Martin was making the point that everybody in an organisation is a stakeholder in information security, and that most businesses are rubbish at getting the right messages across. A copy of the employee handbook, a leaflet and a poster saying "Be Secure" with a picture of a padlock on it do not make for an effective and meaningful security awareness program.

The point was that we need to emphasise messages in terms the business understands. For example, if you lose a pound then that's one pound profit gone which probably took ten pounds revenue to generate. Therefore you need to make another ten pounds to make that same pound profit back. In fact, you need to make twenty pounds because the first ten now only covers your original loss. Make sense?

The password anecdote related to an organisation that fired somebody because he intentionally shared his password with a colleague to, apparently, facilitate a business related task. I can't vouch for all the facts but certainly strict and dogged adherence to policy is not always effective. Beat employees up with too big a stick and you're likely to end up with lots of disgruntled employees who care little for your security regime.

The air disaster was an example of how lots of seemingly unimportant events (lots of little chickens) came together and resulted in a mid-air collision (the crocodile). At any point prior to the incident, somebody should have either raised issues or adjusted their behaviour. Human factors caused the disaster, not technology. An all too real example highlighting the fact that not one single recent data breach has been because of a technology failure. It's human factors each and every time.

May 14, 2008

Impact Factory

I spent yesterday in the company of Jo Ellen Gryzyb and Doug Osbourne of Impact Factory on their excellent presentation skills course. The course was a revelation: rather than being a critique of any bad habits, the course focuses on existing strengths and provides a number of tools for making best use of them. I know that the next time I stand up in front of an audience I'll be able to talk with a lot more confidence and to far greater effect.

Good presentation skills are an important and valuable asset. Selling the benefits of an information security program or project can be challenging so it's good to be armed with a good set of techniques for getting across the right messages regardless of audience or the amount of time available.

May 13, 2008

Data Loss Epidemic

Most UK companies are losing data every month, a survey has found. The majority of UK businesses, 79 per cent, are losing data at least once per month, according to the survey of 250 senior IT staff at businesses larger than 1,000 staff. Read the rest of the article here.

The results of such surveys are great marketing for companies such as CA with their portfolio of threat management tools. I suppose the question is how you define "losing data." One record or a thousand records? Do you want to count every lost USB stick and mobile phone? Perhaps you should if they are likely to contain private data. Most of the problem is that we don't know where all our data is. There's no neat perimeter - it's everywhere from in your pocket to the third party company that does your mailshots.

Personally I'd prefer to not play on scare stories and wild statistics. There's a change of attitude required. We're not going to solve data security problems with technology alone and it's not simply an IT problem. It's culture, training, awareness, and technology. We need people to start asking how to protect data rather than waiting to be told.

May 12, 2008

HSBC lose a server

Another reported theft of a server containing customer data. This time from the HSBC bank in Hong Kong. "The bank said it had lost track of the server during renovation work at a Kwun Tong district branch in east Kowloon on April 26. Police are investigating and say the server was stolen."

Read all about it here and there's more here.

This is a really careless way to lose data. I thought it might be fun to read the bank's own statement on data security.

Security is our top priority. The Hongkong and Shanghai Banking Corporation Limited ('the Bank') will strive at all times to ensure that your personal data will be protected against unauthorised or accidental access, processing or erasure. We maintain this commitment to data security by implementing appropriate physical, electronic and managerial measures to safeguard and secure your personal data.

Each visit I make to a business unit, one of the first things on my agenda is a visit to the server room where I'll check everything from the access log to the temperature of the air conditioning. Spend all you want on boxes of tricks to stop the hackers getting in, but forget to lock the door to the servers and it's game over. Risks increase if your office is within a building shared with numerous other businesses, as is the case with this branch of HSBC in Hong Kong.

I recall one particular far eastern office I visited not too long ago. The main door to the server room was locked fast and the IT manager took delight in demonstrating how secure the room was. Walking around inside the server room I noticed another door. "Where does that one lead to?" I asked. "Outside" was the response. "Is it secured?" was my next question. "Yes" the manager replied, "the sticky tape holds it shut."

May 10, 2008

Insider Threats: the biggest Information Security risk

It's a fact that most crimes are committed by people known to their victims. Similarly, businesses are most at risk from former and current employees. Most commonly when thinking about information security we consider how to prevent intrusion into our business from the outside. The facts and statistics tell a different story. 62% of large businesses in the UK (source: DTI/PWC Insider Threat Report 2006) have dealt with a security incident instigated by a current or former employee.

I've been writing up some of my research into insider threats in the form of a paper describing the risks posed to a fictional multinational company, Acme Widgets plc.

You can download the paper for free here. If you'd like to leave me feedback or would like more information about insider threats, write to the email address within the digital signature at the end of the document.

If you'd like to make a donation in return for downloading the paper, please give to Children in Need.

May 9, 2008

Laptop encryption

How much confidential business data has been compromised over the years as a result of the theft of laptop computers? It's a good question if you ask me because we're all under pressure to ensure that mobile computing devices employ encryption to ensure that appropriate risks are mitigated in the event of them being lost or stolen.

Such pressure mounts when we also see organisations being fined when laptops go missing. For instance The Nationwide Building Society got hit last year for nearly £1m when a device that was taken from an employee's home "contained confidential customer information and may have put millions at risk of identity theft." Full story here. Chances are that this was nothing more than a random burglary committed by thieves who probably don't even have opposable thumbs capable of opening the lid. So, the chances of them being able to get any data out of it are slim. Most likely is that the drive was formatted by the new owner after it was sold for a quid and that it's now being used by a local education authority somewhere in west Africa. As also stated on this blog, the "majority of laptop thefts are not targeted, they're just carried out by someone who sees the laptop as a portable asset that can be easily resold."

But, let's suppose that the theft could have been targeted, and somebody could specifically have been after the data. A real enough scenario for some organisations. Encryption certainly mitigates the risk up to a point. However, if such effort is going into capturing a device then you can bet that some forethought would also be going into obtaining the relevant keys. For a good example, remember the case where car thieves cut off the index finger of the owner of a Mercedes in order to get around the biometric security. Where there are motivated, capable, and dangerous adversaries, operating for profit, then is your personal safety worth holding out on the password to your laptop?

In my mind, a much better solution is to keep confidential data off mobile devices in the first place. But let's come back to the original point and question: How much confidential business data has been compromised over the years as a result of the theft of laptop computers? I don't know, and it doesn't matter. If your laptops get stolen, and if they contain confidential or personal data, and if you have not used encryption, then you're stuffed: if the Press don't get you then the regulators will, and when encryption is so cheap and easy to implement these days then you've simply been negligent.

So, in fact, the biggest risks to your business may well come more from the negative perception and the resulting fines and damage to your reputation than from the probability of the data being compromised and used.

That is good enough reason even if you, like me, don't rate highly the risk of data actually being compromised in this way. So now all you have to do is choose your encryption product. And that's another story....

May 7, 2008

Peter Gabriel Web Server Stolen

Peter Gabriel's website fell victim to data center theft
Reported on Slashdot today is the news that Peter Gabriel's web server has been stolen from the data center where it was being hosted. I have my own thoughts on a possible motive; mostly related to some of the dreadful noise he's produced over the past 30 years.

Physical security has been a previous topic of this blog (see entry from 10 Dec 2007).

1. Don't make assumptions about third party security controls. Check them for yourself.

2. Make sure your incident response plans include actions to take in the event of critical equipment being stolen.

Some good guidance on physical security for small businesses here on GetSafeOnline.

Some further related information here.


May 6, 2008

Microsoft Senior PC - not just for the elderly

My mother-in-law is, to give her some credit, an intelligent lady. However, face her with an upgrade from Windows XP to Vista and from IE6 to IE7 and you have a situation akin to explaining quadratic equations to a two year old. Both circumstances will result in heavy objects being thrown around in frustration.

So, the idea of Microsoft to provide a range of "Senior PC packages" is, in my mind, borderline genius and something I wish I had thought of first. Computer Weekly mock the idea in this week's magazine, something I think is very unfair given that I'm sure some of their editorial team are getting on a bit and would probably be able to make good use of the built-in prescription software...

If home computing can be made as easy as taking the PC out of the box, plugging it in and turning it on (not a word from the Mac users please - I know you've been able to do this for years) then that's to be encouraged for everyone, not just the elderly. And if it stops the "support" calls from my mother-in-law then that's priceless!

May 5, 2008

Top five information security blog posts

Here are my top five information security related blog posts of the moment

1) ID theft – Facebook and MSN exploited by Kai Roer. This is a great example of a malware infection resulting in a compromised Facebook account and the resulting damage that can be done. There are plenty of other Facebook related stories around at the moment including this one from the BBC who were able to create their own malware for compromising private data.

2) Stopping at compliance by Michael Farnham. Michael hits the nail on the head when he says "compliancy does NOT equal security." I couldn't have put it so well myself.

3) Evolving Schneier's Security Mindset. An interesting discussion on the perception of risk. The question the risk analyst must answer however, is really "What is *probable*?". And we should really belabor the point that "What is probable?" is not just a "Can it be done?" question.

4) Swiss Army Knife – The Personal Portable Security Device posted by Mark Diodati. This discusses what is, from my point of view, an exciting new class of authentication product for the corporate network. Well worth reading about.

5) ROSI - Security Returns? by C Warren Axelrod. Interesting because I'm more likely to take an opposite stance and argue against trying to demonstrate an ROI for security related investments. Frankly, I don't think you can prove it.

May 2, 2008

Web scam suicide

Those who fall for spam based scams such as the Nigerian 419 emails or fake lottery wins make themselves easy targets for ridicule from those wise enough to be "in the know." However, there is a deadly serious side because many of the scams appear to be very plausible on first read, people do fall victim, and lives do get ruined as a result.

No better example than that reported by the BBC today. Read the full, tragic story here of how a university student killed herself after giving "more than £6,000 in the belief she had won half a million pounds in a lottery after being contacted over the internet."

Some people are vulnerable to scams because of their circumstances, not because they are overly gullible or stupid. If the scam is plausible enough and catches us at the right time in the right circumstances then any of us could get taken in. So, we need to remain vigilant to spam and we need to continue our warnings and security awareness messages.
