The widespread availability of personal information, along with employees being exposed to more data than they need to know, is making it easier for hackers to bypass the 'human firewall'. SA Mathieson reports on the rising threat of social engineering.
The UK government's well-publicised problems with information security have typically involved public servants losing copies of data, rather than fraudsters gathering it. The child benefit discs carrying 25m people's details, the memory stick with data on every prisoner and prolific offender in England and Wales, the portable hard drive with information on 1.7m armed forces personnel - all unencrypted - are as likely to be lost down the sides of desks than in the possession of criminals.
However, government organisations do have a problem with social engineering attacks on their data, and the potential for these attacks is growing as the state gathers and joins up more information on individuals.
Central government departments and agencies, particularly those with the most valuable data such as the Ministry of Defence, the Home Office and the security services, have become accustomed to attempts to access it. Ken Munro, operational director of security tester NCC SecureTest, says the greatest strength of central government is its Protective Marking System, used to classify material and specifiy how strongly it is protected. "That's where the commercial world could learn volumes from government," he says.
Protective marking classifies material in descending order of sensitivity; as top secret (for which one of the qualifications is that disclosure could "lead directly to widespread loss of life"), secret, confidential, restricted and protect. Access to all protectively marked information is on a "need to know" basis, which is a good start when it comes to frustrating social engineering attacks.
The Cabinet Office's Security Policy Framework (which has recently replaced the Manual of Protective Security) says: "This 'need to know' principle is fundamental to the security of all protectively marked government assets - casual access to protectively marked assets is never acceptable. If there is any doubt about giving access to sensitive assets, individuals should consult their managers or security staff before doing so."
Munro says that the majority of government work his firm carries out involves validating that networks are segregated - protectively marked material has to use separate networks. On the telephone, operators for central government call centres tend to have strict role-based access, with tight rules on what they can and can't see.
The Identity and Passport Service (IPS), the Home Office agency which produces passports and will run the National Identity Register of data supporting identity cards, says it has strict rules in place to frustrate social engineering.
"IPS has clear policy and procedures in place, which are supported by appropriate training, to ensure that staff know when it is and when it is not lawful to disclose personal information. Specialist staff deal with more involved disclosures," says a spokesperson. "Unauthorised disclosure of personal information is a serious matter and IPS takes appropriate action, including disciplinary proceedings, if agreed procedures are not followed."
In 2008, IPS released figures saying it had dismissed 14 people over the last three years, all but one for abusing access to the passport database. This was from a total of 16 disciplined for data protection breaches - the remaining two received a formal warning. IPS employs more than 4,000 staff, the majority of whom have access to personal data.
The agency says it will make rigorous efforts to protect the National Identity Register from social engineering and other security attacks by training staff, implementing a strong user authentication process for anyone requesting data from the register, considering the building design, auditing and monitoring technical security and implementing "both civil and criminal penalties for anyone attempting to access, misuse or bypass the controls used to secure the data".
Munro adds that these high-security departments are strong on physical security, as well as everything else. "Yes, you can blag your way in, but it's harder," he says of getting into one of their buildings compared with the commercial sector, noting that the situation is similar when inside an office.
Other departments may be less secure. Peter Wood, chief of operations for penetration tester First Base Technologies, points out that many departments rely heavily on outsourcing, both for IT and for physical security. "There is no direct link between the guards and the places they are guarding," he says, and security procedures such as the right to audit systems may be lacking when IT systems are transferred to private sector partners.
Things are often worse again at local authorities, although for different reasons. As organisations, they tend to be helpful - which is good in most ways, but less so for security. Councillors are locally elected and accountable. Areas of many buildings are open to the public or used for numerous meetings. They tend to have a strong ethos of serving their local area, and their work focuses on providing assistance to people. Many also have multi-function call centres and enquiry offices, with systems holding a wide range of data on individuals. This all makes them more vulnerable to social engineering.
"It feels to me that the training isn't there, and if it is, it's being ignored," says Wood of such authorities. "I've seen the most surprising things stuck on the wall, left on desks, machines logged on and left unattended." He says councils need clear and well thought out guidance for staff: "It seems that the human firewall isn't there in many cases."
Tony McDowell, managing director of Encription, says a large part of his firm's business involves testing local authorities through phishing e-mails, sent to 15 to 30 named e-mail addresses, provided by whichever council wishes to be tested. These state the company's name - which should alert anyone who carries out a web search - include spelling mistakes which should arouse suspicion, and ask the user to do something specific which represents a breach of infosecurity. "Our average [response rate] is 42% to 47% of the people, responding with at least one username and password," McDowell says.
A well prepared organisation should identify the e-mails and block them completely, he adds. "If they don't detect it in four or five hours, they aren't going to detect it." He says that local authorities' levels of preparation leave something to be desired, with lack of staff training a particular problem. "People are generally very trusting and want to help," he says, adding that generally the smaller the council, the bigger the problem.
The weaknesses of some local authorities are currently under examination, as all those in England and Wales are in the process of being linked to the Government Connect Secure eXtranet (GCSx), part of the family of secure networks used by central government. The initial reason is to give staff secure and tracked access to ContactPoint, a £224m database of all children. The point of this is to let teachers, doctors and social workers know who is involved with the care of a particular child.
But councils have to comply with GCSx's Code of Connection, and that is proving a struggle: in January 2009, 106 of the 410 local authorities involved have asked for an extension to the 31 March compliance deadline.
Richard Steel is president of the Society of IT Management, a professional association focused on local government IT managers, and also the chief information officer of the London borough of Newham. "A lot of authorities are struggling with achieving compliance," he says. "We desperately need a pan-government security mechanism, so we're extremely supportive." State sector data losses have often been due the lack of a secure network, leading to the use of insecure media to transfer information - which then gets lost.
Steel says his authority, Newham, should achieve compliance by the end of March, and takes security seriously, such as with two-factor authentication for mobile working and mandatory information governance training for staff before they are allowed to use IT systems.
But he admits that it's likely that councils suffer from social engineering. One specific problem comes from the democratic requirement to be open: "We're acutely aware that there is lots of pressure on freedom of information, in local authorities and on government," he says, adding that Newham employees are encouraged to talk to dedicated freedom of information staff.
"We all have to be aware that the approach to security is changing fundamentally," Steel adds. "We've come from a fortress approach, built on organisational networks with security firewalls, moving to a time where there is a great number of pressures on public authorities to join up and partner. Those partnerships do require us to think very carefully about security, which was previously very simple." This will only increase, he argues, as data is increasingly shared with the wider community through web 2.0 systems.
Mark Brett, policy and programme manager for the society, says that local authorities have suffered from social engineering. "They are beginning to wake up to protective marking, encrypting laptops and memory sticks," he says. "You are finding far more organisations with identity cards and visitor registration."
However, he says that the hardest part involves changing staff attitudes. "If there's one message we need shout very loudly, it's that this is a cultural change. We need to get local authorities to think about security in the way they think about health and safety." A vital first step is to appoint a senior information risk officer to take responsibility, he says.
There is a particular problem in contact centres, Brett adds. "Relatively junior staff have access to huge amounts of information," he says. "Some local authorities bring in agency staff. Harmless questions, when added up, can become less harmless. The easy challenge is, why do you need to know that?" Another simple alternative is to call someone back with sensitive information, rather than trusting that the incoming call has actually come from the person stated.
The work is vital, Brett says, as the GCSx is likely to be used for much more than just ContactPoint. "In time, this will be the main conduit for data transfer between central government and local authorities," he says.
For Peter Wood, this move towards sharing data on individuals - a key policy for the current government - exacerbates the risks from social engineering. "It all links into this joined up government mindset, when they are trying to make information is available as possible," he says. "The security controls that need to be there haven't kept pace, in my opinion."
This article first appeared in Infosecurity magazine