MOD investigates laptop loss
by Rupert Beeby on Dec.29, 2009, under Government, data security, data security trends, security policies
On the 12th December, it was widely reported that another laptop was taken from MOD Headquarters in central London. This would not normally cause worry as all laptops are encrypted. However, the encryption key was also taken, so exposing the information to the thief. It is not known if there is any exposure whilst investigations proceed. However, news items referred to the laptop as a ‘secret data laptop’, which gives an indication. It was only in July this year that it was reported (in this blog) that 658 laptops had been stolen from the MOD in the last four years.
Below is one report on the story but the BBC also have reported it
St Albans Mourns Laptop Loss
by Rupert Beeby on Nov.27, 2009, under Government, Industry News, data security, security policies
St Albans City and District Council is the latest organisation to lose four laptops with personal data on over 14,000 voters. Files contained names, addresses, dates of birth, signatures, postal vote forms and statements which is all the information required to obtain a bank account.
Councillors were recently debating the loss and how the laptops could be stolen from the actual offices. Even though the data was protected, the portable devices were not physically secured. This goes against council policy of portable devices being physically as well as logically protected.
It also begs the question as to why personal data was held on portable devices. Such data should only be accessed on central resources and users prevented from copying to local devices. We shall see what lessons will be learned and then forgotten until the next time.
The council needs to develop an information classification with associated policies on protection. A simple Data Loss Prevention product would have prevented the personal data from being copied in the first place but, had it been copied, then the data would have been encrypted. It is noted that one of the laptops was left for months on an unused desk with no one knowing that it held all this data. This is why an information audit and classification is required to start to get some control.
This story has been widely reported so use these links for more detail (such as there is)!!
http://www.stalbansreview.co.uk/news/4760711.St_Albans_councillors_debate_laptop_theft/
http://news.bbc.co.uk/1/hi/england/beds/bucks/herts/8363514.stm
Protect Data or Get Fined
by Rupert Beeby on Nov.17, 2009, under Government, Industry News, data security, data security trends
The Information Commissioner's Office (ICO), the privacy watchdog, has published figures on data breaches that make disturbing reading. What’s more, the ICO is getting so concerned that it will be introducing fines on companies and public bodies that recklessly or deliberately break the rules. Fines up to half a million may be imposed on losses of information. In total, 434 organisations reported data security breaches in the past 12 months, up from 277 the year before. This is what Deputy information commissioner David Smith said: “The majority of organisations get data protection right, but regrettably a significant minority of management teams are failing to take data protection seriously enough. Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal data is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media.”
Well what a surprise! But what is really interesting and scary is that there are fines coming! But I thought that if you breached the Data Protection Act then you would be fined or sued anyway. However, what is clear is that this affects all businesses; large or small; SMB or large multinationals. So Data Loss Prevention is for all organisations that have personal data stored but it is not sufficient to just use device control, the ICO is saying any data loss from any channel! So does that mean that first generation products that really only do encryption and device control will be replaced by the second generation products that provide device, IM, and all the goodies? I think this is a call to action for vendors to smarten up their act and work with others to gain functionality rather than buy and try to integrate. You can read some more here http://news.bbc.co.uk/1/hi/uk_politics/8354655.stm
Conficker needs application control
by Rupert Beeby on Oct.13, 2009, under Endpoint Software Packages, Industry News, data security, data security trends
Latest reports on Conficker infections include not only Ealing Council (see previous post) but also Oxford Brookes University, Manchester City Council and Whipps Cross University Hospital NHS Trust. Prior to this, the Houses of Parliament and Ministry of Defence were infected.
So AV has been proved to be powerless with this worm and even the DLP vendors do not have any defence as they tend to focus on information passing out of the organisation. Application control should be a part of a DLP solution to stop worms from running and spreading to the rest of the organisation. In most cases it is not, as AV and most DLP are focused internally, not at the endpoint, which is the highest risk. Maybe Windows 7 will save us, but how many will implement the application control features and AV and DLP? Not many, I fear. Take a look at our sponsor's product which, if implemented, will protect against zero day attacks and Conficker worms as well as providing the normal DLP features.
Sophos gives away Data Loss Prevention Software
by Rupert Beeby on Oct.13, 2009, under Industry News, data security, data security trends
It has been reported that Sophos will be giving away programs to prevent loss of sensitive information from organisations under the banner of DLP. Sophos, who purchased Utimaco a little over a year ago for their encryption technology, will be distributing the programs to customers who have bought Sophos AV.
Clearly a sales tactic, it will cause concern to the other vendors of DLP products such as Symantec and McAfee, who have traditionally charged customers large amounts for their products. It does introduce an important new turn: that DLP is an adjunct to AV rather than a fundamental part of corporate security. Will all the other vendors be forced to follow suit? I hope not, as the issue is that customers who take up the Sophos offer will falsely believe that they are protected when clearly they will not be. As can be seen by the number of organisations that have fallen victim to the Conficker virus, AV can be disabled but a decent DLP product would have stopped it.
I hope that other DLP vendors will give away DLP as serious customers will realise that you get what you pay for and leave the field clear for serious DLP vendor products and support models to match.
Ealing left Reeling after virus attack
by Rupert Beeby on Sep.04, 2009, under Endpoint Software Packages, Government, data security
Ealing Council is facing a bill for over £500,000 after a member of staff plugged an infected memory stick into a PC. The virus spread. It infected Ealing Council systems for several days after its introduction at the housing department, requiring emergency IT work and causing interruptions to services such as parking fines and library systems.
It also seems that the council’s telephone systems were affected. The virus stopped AV functioning and blocked access to Microsoft support sites as well as contacting other websites at random.
What can one say? (I told you so springs to mind but that would be churlish). There are products that would have stopped this from happening but the reliance on AV as the main security barrier was found lacking.
What is needed is a thing called Application Control. This function stops any application, whether a legitimate application started by the user or a malicious virus, from running on the endpoint. Windows 7 will have this feature as part of the Operating System but that is not out for a while and it will take years before everyone upgrades. So what do you do? Well, look at some of the existing products that already provide this capability for XP and Vista such as Versec from Guardian Technologies. It scans permitted application images into a database which is then compared with the image that the user would like to run. It either permits or prevents as required.
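The scan-then-compare check described above, sketched as an added example (this is not Versec's code or any vendor's). It assumes the comparison is made on a SHA-256 digest of the file contents; the function names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def image_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(permitted: list[Path]) -> dict[str, str]:
    """Scan permitted images into the 'database': digest -> name seen at scan time."""
    return {image_digest(p): p.name for p in permitted}


def may_run(candidate: Path, allowlist: dict[str, str]) -> tuple[bool, str]:
    """Default deny: permit only if the candidate's digest was scanned in earlier."""
    try:
        digest = image_digest(candidate)
    except OSError as exc:
        return False, f"unreadable ({exc.__class__.__name__})"
    known = allowlist.get(digest)
    return (True, f"matches {known}") if known else (False, "digest not in allowlist")


def demo() -> dict[str, bool]:
    """Constructed sample files standing in for executables on an endpoint."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        approved = root / "wordproc.exe"
        approved.write_bytes(b"MZ" + b"approved word processor build 1")
        allowlist = build_allowlist([approved])
        renamed = root / "holiday_photos.exe"    # same bytes under another name
        renamed.write_bytes(approved.read_bytes())
        tampered = root / "wordproc_copy.exe"    # approved image with one byte changed
        tampered.write_bytes(approved.read_bytes()[:-1] + b"2")
        from_usb = root / "autorun_payload.exe"  # never scanned into the database
        from_usb.write_bytes(b"MZ" + b"unknown program from a memory stick")
        cases = {"approved": approved, "renamed": renamed, "tampered": tampered,
                 "from_usb": from_usb, "missing": root / "gone.exe"}
        return {name: may_run(p, allowlist)[0] for name, p in cases.items()}


if __name__ == "__main__":
    print(demo())
```

Because the decision is made on content rather than file name, a renamed copy of an approved image still runs, while a modified copy or an unscanned program from removable media is prevented.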
So security guys at the councils get wise and look at what employees are doing on your systems. Data is spread everywhere, running unauthorised applications on endpoints, storing inappropriate content, using unsecured IM - all lovely ways for viruses to get in and data to get out!!
If you want the full story go here. http://news.bbc.co.uk/1/hi/england/london/8237085.stm
Open the flood gates with instant messaging
by Rupert Beeby on Sep.02, 2009, under Industry News, data security, data security trends
It is old news about the security threat from instant messaging (IM) but a reminder of the interesting statistic from IDC on instant messaging is worthwhile. Back in July 2008, IDC predicted that IM would overtake email as the preferred form of business communication by the second half of 2010. As we are half way there and the explosion in IM continues unabated, most of the horror stories to emerge regarding security have focussed mainly on the threat of viruses, worms and botnets. Most IM providers do not encrypt transmission nor can any firewall scan for viruses contained in IM traffic. Few providers store messages for investigatory purposes: all the features that are provided by email.
The other point to consider is that not just messages are sent but files, documents, links - anything can be passed, none of which is encrypted. The reason that IM is so popular is really because of the ease of use over email but with the ease of use comes the lack of security. Once IM has been secured through encryption, message capture, virus scanning, etc then some other method of communication will be invented to circumvent it.
But the question of information protection is the problem here. In any data loss prevention scenario, to stop email, HTTP and USB devices but allow IM to be used unchecked is pure folly. Organisations need to consider whether IM facilities should be withdrawn for external connections. Certainly any advantage in cost of an IM solution as opposed to email will be negated if all the security protection were to be implemented. I just wonder how much business communication is performed over IM versus chats with your mates. So if it was removed then would productivity suffer? It might actually increase as people get on with their jobs. Cheque please!
Race to SaaS Gains Pace
by Rupert Beeby on Aug.10, 2009, under Industry News, Managed Security Services, data security trends
It was announced on the 31st July 2009 that McAfee intends to purchase MX Logic. According to the McAfee website, MX Logic is a leading global provider of cloud-based email and web security, archiving, and business continuity services. The deal is expected to close at the end of the third quarter 2009 subject to legal approval. The purchase price is reported at $140 million.
This follows the purchase by Symantec of MessageLabs towards the end of 2008 for a cool $700M. It is clear that McAfee has Symantec firmly in its sights, posting good second quarter (first quarter 2010) results as opposed to Symantec’s disappointing ones. So what is going on? It is clear that both Symantec and McAfee have built a comprehensive suite of security products to help customers protect their environments and both have security managed services to support their customers. However, the play for Software-as-a-Service (SaaS) is the next big thing. Customers are tired of buying licenses and managing complex environments, which is not their core business. So if services such as email, archiving and security can be obtained from the cloud with commensurate savings in cost then there is a clear opportunity. Symantec’s purchase of MessageLabs was a clear move in this direction and hence the McAfee purchase. However, delivery models for these services have yet to be defined properly. Customers have tended to purchase bespoke services and are happy to work with specific suppliers. Also, use of SaaS services has been small and so easy to manage. However, as the market develops, customers will tend to purchase from providers who offer a complete range of services, not just security or storage. Can Symantec and McAfee services be delivered through a third party?
And what of integration? The key to success is how quickly purchased products can be integrated into the existing portfolio. For instance, Symantec purchased Vontu for DLP several years ago but it still does not integrate well with the Altiris platform. If McAfee can integrate MX Logic products and services to deliver other McAfee products then they will have a distinct advantage. It all comes down to making the customer's life easier at lower cost. Well that is my opinion anyway!!
DLP Companies to watch
by Rupert Beeby on Aug.03, 2009, under Endpoint Software Packages, Industry News, data security trends
The recent acquisition of DLP vendors by the more traditional virus scanning giants might give the impression that the market is now the domain of the big players. Acquisitions such as Symantec buying Vontu, McAfee buying Safeboot and the EMC/RSA acquisition of Tablus have shown that the DLP market is real and worth investing cash in to get big quickly. But the DLP market is growing and developing and, so far, no one has the complete answer. Large security companies are still developing their strategy, Kaspersky Lab to name but one.
However, not all DLP start-ups have been consumed, as the Network World article shows. They have reviewed the small independents to show that the small guys are still worth taking seriously. See the link below to see the full article.
http://www.networkworld.com/research/2008/010708-data-leak-prevention-watch.html?nlhtsec=rn_051309&nladname=051309securityal
IT managers underestimate the impact of data loss
by Rupert Beeby on Jul.27, 2009, under Industry News, data security, data security trends
Surprisingly, seven per cent of respondents to a survey on data management believed data loss has a “high” impact on a business. This is one of the key findings of a survey launched in Hong Kong yesterday by Kroll Ontrack, a US-based provider of data recovery solutions. The survey was conducted earlier this year by StollzNow Research. It asked IT managers from 945 small, medium and large companies in Hong Kong, Singapore and Australia about their views and experiences related to data management.
If you want to read the full survey then go here -
http://www.networkworld.com/news/2009/061909-it-managers-under-estimate-the-impact.html