Looking at Improving Security? Then start with Access Controls
by Rupert Beeby on Jan.19, 2012, under data security, data security trends, Industry News, security policies
It has been a long time since the last post and apologies for that, but let's get the new year started with some interesting news.
Complaints against Microsoft have been many and varied, but Active Directory continues to be the primary method of controlling access to corporate data. It works well if your environment is small or well organised. In my experience, however, most administrators inherit a mess and do not have the time to sort it out. Employees may have access to information that they have no need of. There may be circular group memberships through which access is granted by mistake. Exposing your data to employees unnecessarily is a major issue.
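To make the problem above concrete, here is an added example (not from the original post, and not 8MAN's code) that walks AD-style nested group membership, lists which shares each user can actually reach, and flags groups that are nested back into themselves. All user, group and share names are constructed.

```python
# Added example, not from the original post: transitive AD-style group
# membership, the shares it reaches, and groups nested back into themselves.
# All names are constructed.
from collections import deque

# member -> groups it belongs to (users and groups alike)
MEMBER_OF = {
    "alice": {"HR-Staff"},
    "bob": {"Finance-Staff"},
    "HR-Staff": {"All-Staff"},
    "Finance-Staff": {"All-Staff", "Finance-Admins"},  # staff nested into admins by mistake
    "Finance-Admins": {"Finance-Staff"},               # ...and admins back into staff: a cycle
    "All-Staff": set(),
}

# share -> groups granted access to it
SHARE_ACL = {
    r"\\fs01\Payroll": {"Finance-Admins"},
    r"\\fs01\Handbook": {"All-Staff"},
}

def effective_groups(principal):
    """All groups the principal ends up in through nested membership."""
    seen, queue = set(), deque([principal])
    while queue:
        for g in MEMBER_OF.get(queue.popleft(), ()):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen

def effective_access(user):
    """Shares the user can reach directly or via any nested group."""
    principals = effective_groups(user) | {user}
    return sorted(s for s, granted in SHARE_ACL.items() if principals & granted)

def group_cycles():
    """Groups that are, transitively, members of themselves."""
    return sorted(g for g in MEMBER_OF if g in effective_groups(g))

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, effective_access(user))
    print("circular groups:", group_cycles())
```

Bob never appears on the Payroll ACL, yet reaches it because his staff group was nested into the admins group; that is exactly the kind of inherited mess a visualisation tool is meant to surface.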
There are several software companies that will sell you complex visualisation tools with security monitoring and all the bells and whistles anyone could want. There is usually a price tag to match, and the complexity of the software makes it very hard to integrate into your organisation. These products are too expensive for the smaller companies that still need to control access.
So there is a new company that has recognised this and is providing access control software without the large price tag. They are Protected Networks and the product is 8MAN. It provides complete visualisation of your AD environment and full control through an intuitive GUI so that changes can be made quickly as required. It shows and manages, by user, account, group and permission, who can access your data. It comes in three forms: firstly, visualisation only, with no ability to change; secondly, visualisation and change for one file server; thirdly, full control for any size of environment. It makes audits and reporting easy and stress-free.
If you need more information, a demo or a copy, or just someone to talk to, then Guardian Technologies Ltd has exclusive access to the product. Please comment with your thoughts or problems when using AD, and maybe we can improve security from the start.
General Atlantic Invests in Kaspersky Lab
by Rupert Beeby on Mar.02, 2011, under data security, Industry News
It seems not to be well publicised, but General Atlantic has taken a stake in Kaspersky Lab. The press release on the US Kaspersky site gives little away, but it seems that above-average growth at Kaspersky has attracted investment so that Kaspersky can now expand even further. It is clear that Kaspersky provides industry-leading antivirus solutions, which has fuelled their growth over the last few years. However, a stronger product portfolio is required to compete more effectively with the incumbents. Expect to see Kaspersky make acquisitions over the coming months to broaden their appeal, particularly further into the corporate space. To read the full press release go to:-
Unhappy With Your Exam Results: Use the Data Protection Act
by Rupert Beeby on Aug.18, 2010, under data security, data security trends, Industry News, security policies
Now here is a topical subject on the eve of the A level results due out tomorrow. If you have someone who is waiting for results then you have my sympathies. The waiting is excruciating!
But if you are one of those who do not get what you hoped for, then the DPA is here to help. According to the Information Commissioner's Office, an individual can access personal information about themselves held by any organisation. This is known as a Subject Access Request (SAR). Students wishing to know more about why they were awarded certain marks can use a SAR to request examiners' comments from examination scripts. Students who appeal their results can also request the minutes of appeals.
At last, it seems that the DPA actually has some value to the public as opposed to its oppressive prevention of access to information.
So don't delay, use your rights and use your SAR. It's nothing to do with SARS!!
Auntie Beeb gets forgetful in old age
by Rupert Beeby on Aug.10, 2010, under data security, data security trends, Industry News
Listening to the local radio this morning I heard the story that the BBC has been forgetful with its laptops and mobile phones. Apparently, as reported by the Guardian and various other sites following a Freedom of Information request, the BBC has over two years misplaced 146 laptops, 65 mobile phones and 17 BlackBerry devices. It is unknown whether these devices were lost or stolen, but the main complaint seems to be the cost, to the tune of about £240,000. Although about 10% has been recovered, this should not be the primary concern.
The primary worry should be the data on those laptops. If we assume that they contained 250 GB disks and that on average each disk was 50% full, then that means over 18 TB of data in total, not including the mobile phones and BlackBerrys. I accept that a lot of the data is applications and internet-related stuff, but the implication is there. There is no indication whether the data was encrypted, or whether any of it was personal or in any way potentially damaging to the organisation or its employees. Perhaps a further FOI request should be made to clarify.
If the BBC is capable of losing this amount of information, then consider all the organisations of similar size losing similar amounts of information to understand the scale of loss.
The case for DLP is clear. Keep those comments coming!!
Economic cuts threaten information security
by Rupert Beeby on Jul.30, 2010, under data security, Endpoint Software Packages, Industry News, security policies
First it was the cuts in private sector firms and now it is the public sector. The easiest and quickest cuts that make a difference to the bottom line are to remove people, who are usually the largest cost item. Sadly, redundancy is now a major occurrence in a working life. I know of many capable, intelligent and hard-working people who have been made redundant two or three times in their lives, sometimes more. It is increasingly a tool of organisations to quickly get rid of people. In general, redundancy is never executed against the legal guidelines, which results in court cases and compromise agreements.
So what has all this to do with information security? The removal of staff from an organisation is currently the biggest threat to an organisation's information. Redundancy, or whatever method is used, can result in animosity, resentment and malicious intent on the part of the former employee. Of course most organisations are understanding and sensitive to employees, and most follow the rules. However, sales of DLP software have been rising, and the most cited reason for purchase is protection of contact databases, intellectual property and sales information from disgruntled employees.
The threat is real and active, and who knows how much critical information has been taken by upset and vengeful employees without anyone knowing. Please add any comments to this post on your experiences of cost cutting and data loss.
Microsoft Vulnerable Shortcut runs code
by Rupert Beeby on Jul.20, 2010, under data security, Industry News, viruses and worms
Another Microsoft vulnerability is exposed in a bulletin by Microsoft dated 16th July 2010. Microsoft Windows is prone to a vulnerability that allows a file to run automatically when a folder is viewed in Windows Explorer. This vulnerability is being exploited by W32.Temphid to ensure that malicious code executes when an infected USB drive is inserted into a computer. While current attacks involve executing files from USB drives locally connected to targeted computers, attackers may also exploit this issue by setting up remote network or WebDAV shares and enticing a user to visit them. This possibility presents a remote threat to affected users. Microsoft published an advisory describing a workaround for this issue.
Be aware that as this exposure will be exploited with other methods of attack
Employees with Information: Do You Trust them?
by Rupert Beeby on Jul.05, 2010, under data security, data security trends, Endpoint Software Packages
It is really worrying that organisations are completely blind when asked whether they know what critical information exists and what their employees are doing with it. So many customers regard DLP as just a product that will solve all security ailments.
At the moment employers have no choice but to trust their employees, as there is no alternative. Organisations have no real idea what data is confidential, where it is being held and where it is going. However, as disgruntled ex-employees continue to take all their data with them, whether unintentionally or maliciously, the result is the same: the potential for important information to be removed. As more organisations rely on outsourcing and on partners to advise, project manage and augment skills, the problem gets worse.
So the trust is breaking down, particularly as cuts are coming, but still organisations have no idea what to do.
So what is the answer? Not an easy one, for sure. The first thing is to work out what data there is and where. Look for something that will index your endpoints so that live keyword searches can be used to identify what data is stored and where. Secondly, start to categorise your data into no more than four levels, such as Internal Use Only, Confidential, Confidential and Restricted, and Critical. Then decide on the policies required at each level. Once you have a classification and the security policies, you can start to develop the DLP policies to protect the data.
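The steps above, carried through as an added example that is not part of the original post: keyword rules classify indexed endpoint files into the four levels named here, and a per-level policy table answers what the DLP rules should allow for each. The keywords, file contents and policy choices are constructed for illustration.

```python
# Added example, not from the original post: keyword classification of indexed
# endpoint files into the four levels the post names, with a handling policy
# per level. Keywords, sample files and policy values are constructed.
import re

# Rules ordered highest level first; the first match wins.
RULES = [
    ("Critical", re.compile(r"\b(source code|encryption key|board minutes)\b", re.I)),
    ("Confidential and Restricted", re.compile(r"\b(payroll|salary|national insurance)\b", re.I)),
    ("Confidential", re.compile(r"\b(customer list|contract|pricing)\b", re.I)),
]
DEFAULT_LEVEL = "Internal Use Only"   # anything that matches no rule

# What each level permits; this is the policy decided "at each level".
POLICY = {
    "Internal Use Only":           {"removable_media": True,  "email_external": True,  "encrypt_at_rest": False},
    "Confidential":                {"removable_media": True,  "email_external": False, "encrypt_at_rest": True},
    "Confidential and Restricted": {"removable_media": False, "email_external": False, "encrypt_at_rest": True},
    "Critical":                    {"removable_media": False, "email_external": False, "encrypt_at_rest": True},
}

def classify(text):
    """Return the highest level whose keyword rule matches the text."""
    for level, pattern in RULES:
        if pattern.search(text):
            return level
    return DEFAULT_LEVEL

def allowed(text, action):
    """Would the DLP policy permit `action` on a file with this content?"""
    return POLICY[classify(text)][action]

def index_endpoint(files):
    """files: {path: content}. Returns {path: level}: the inventory the post asks for."""
    return {path: classify(content) for path, content in files.items()}

# Constructed sample of files found on one endpoint.
SAMPLE_FILES = {
    r"C:\Users\jo\Desktop\lunch.txt":      "Team lunch on Friday, bring a dish.",
    r"C:\Users\jo\Documents\pricing.xlsx": "Q3 pricing for the customer list",
    r"C:\Users\jo\Downloads\payroll.csv":  "Payroll run: salary by employee",
    r"C:\Users\jo\keys\backup.txt":        "Encryption key for the backup server",
}

if __name__ == "__main__":
    for path, level in index_endpoint(SAMPLE_FILES).items():
        print(f"{level:28} {path}  removable media: {allowed(SAMPLE_FILES[path], 'removable_media')}")
```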
So the basic answer is 'No, you don't trust them', but until the work is done there is no choice.
See my next post on the economic climate and its impact on data loss.
DLP is finally getting the attention it requires
by Rupert Beeby on Jul.05, 2010, under data security, data security trends, Endpoint Software Packages, security policies
Apologies for the lack of posts – Had some personal problems that took me away.
There has been a lot happening in the security market in the last few months, particularly on the data loss prevention and encryption side of things. Encryption is hotting up as customers are, at last, trying to understand it and make informed decisions about what is required for their environment. Vendors still continue to 'throw in' some licenses just to mess things up, but that is business.
On the DLP front we are also seeing proper investigation by customers who want to understand what it can do and whether it will work for them. For so long vendors have used the acronym without any cost or risk justification. Well, that is starting to change, thanks to firewalls, IDS, AV and encryption still being unable to stop determined efforts at data removal. Customers are waking up to the fact that adding more products is not the answer; proper risk assessment and reduction of the highest threats is.
I also see a change of tack by vendors, who are now trying to justify the spend. See my next post: can DLP alone be justified on a cost basis?
Anyway, it is good to be back and sorry for the delay. All comments and suggested topics are very welcome.
MOD investigates laptop loss
by Rupert Beeby on Dec.29, 2009, under data security, data security trends, Government, security policies
On the 12th December, it was widely reported that another laptop was taken from MOD Headquarters in central London. This would not normally cause worry, as all laptops are encrypted. However, the encryption key was also taken, so exposing the information to the thief. It is not known whether there is any exposure while investigations proceed. However, news items referred to the laptop as a 'secret data laptop', which gives an indication. It was only in July this year (as reported in this blog) that 658 laptops were revealed to have been stolen from the MOD in the last four years.
Below is one report on the story, but the BBC has also reported it.
St Albans Mourns Laptop Loss
by Rupert Beeby on Nov.27, 2009, under data security, Government, Industry News, security policies
St Albans City and District Council is the latest organisation to lose laptops: four of them, holding personal data on over 14,000 voters. Files contained names, addresses, dates of birth, signatures, postal vote forms and statements, which is all the information required to obtain a bank account.
Councillors were recently debating the loss and how the laptops could be stolen from the actual offices. Even though the data was protected, the portable devices were not physically secured. This goes against council policy, which requires portable devices to be physically as well as logically protected.
It also begs the question of why personal data was held on portable devices at all. Such data should only be accessed on central resources, with users prevented from copying it to local devices. We shall see what lessons will be learned and then forgotten until the next time.
The council needs to develop an information classification with associated policies on protection. A simple Data Loss Prevention product would have prevented the personal data from being copied in the first place or, had it been copied, would have ensured the data was encrypted. It is noted that one of the laptops was left for months on an unused desk with no one knowing that it held all this data. This is why an information audit and classification is required to start to get some control.
This story has been widely reported so use these links for more detail (such as there is)!!
http://www.stalbansreview.co.uk/news/4760711.St_Albans_councillors_debate_laptop_theft/
http://news.bbc.co.uk/1/hi/england/beds/bucks/herts/8363514.stm