Government pins its hopes on attack!
by Rupert Beeby on Jul.07, 2009, under Government, Industry News, Uncategorised, data security, data security trends, security policies
A little late in the reporting, but a worthy story nonetheless, is the revised National Security Strategy which was published on the 25th June 2009 by the British Government. It includes, for the first time, a public cyber security strategy. A central strategic body named the Office of CyberSecurity (OCS) will be set up. The OCS will sit within the Cabinet Office and is supposed to run the strategy and work with industry. The group that will actually undertake operations will be the Cyber Security Operations Centre in GCHQ, which for the first time will undertake offensive actions against hackers, cyber criminals and whoever else they decide is a threat.
This is a new departure for the Government, which has previously taken a more passive stance. Gordon Brown said: “Just as in the 19th century we had to secure the seas for our national safety and prosperity, and the 20th century we had to secure the air, in the 21st century we also have to secure our position in cyber space in order to give people and businesses the confidence they need to operate safely there.”
Funds for this initiative are to come from existing intelligence groups. It would be interesting to see how this group will be measured to assess effectiveness. Will it be by the number of threats thwarted, or by the amount of money that might have been compromised had the attack been successful: an arbitrary measure at the best of times? In addition, is this actually a strategy to thwart threats to our national security, or to reduce the £53 billion of online fraud, a reduction which would mostly benefit industry? There is currently a shortage of skills in the security field, so prices for staff will be high.
In a month or two this will be forgotten and another Government-funded initiative will consume taxpayers' money with little or nothing to show for it. Anyway, if you want the full report from the Government then go to http://www.cabinetoffice.gov.uk
Enjoy!
109,000 records stolen - It's a Laptop again!
by Rupert Beeby on Jun.19, 2009, under Uncategorised
http://news.bbc.co.uk/1/hi/business/8072524.stm
At the end of May a laptop was stolen from NorthgateArinso, a software company working for The Pensions Trust, with 109,000 details including names, addresses, dates of birth, employer, national insurance numbers, salary details and, in the case of those receiving their pensions, their bank details too. But don’t worry, the laptop was password protected. Not sure if I am one of the people whose details were on the laptop but I can rest easy that it was password protected!!!
There are two important points to make:-
- Joe Public has no control over his or her personal information and where it ends up. Personal details are handed to every contractor and software vendor to use as test data or whatever, and you and I have no say in it or knowledge of where our details actually are.
- Password protection is a joke! The person responsible for protecting over 100,000 names and details with just password protection should be sacked. The drive can be removed from the laptop, mounted on another system, probably on a Linux OS, and there you are!!
When are organisations going to get serious about security! Reading more of these breaches is get
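To make the password point checkable, here is an added example (not part of the original post) that an asset owner could run over volume headers to see which disks carry a recognised encryption header and which hold a plain filesystem that any other OS would mount. It only knows the LUKS, BitLocker, NTFS and ext2/3/4 signatures; the sample headers are constructed and the volume names are hypothetical.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"   # LUKS1/LUKS2 header magic at offset 0
BITLOCKER_OEM = b"-FVE-FS-"    # BitLocker boot-sector OEM ID at offset 3
NTFS_OEM = b"NTFS    "         # plain NTFS boot-sector OEM ID at offset 3
EXT_MAGIC_AT = 1024 + 0x38     # ext2/3/4 superblock magic position
EXT_MAGIC = b"\x53\xef"        # 0xEF53 stored little-endian

def classify_volume(header: bytes) -> str:
    """Classify a volume from its first 2048 bytes."""
    if header[:6] == LUKS_MAGIC and len(header) >= 8:
        (version,) = struct.unpack(">H", header[6:8])
        return f"encrypted: LUKS{version}"
    if header[3:11] == BITLOCKER_OEM:
        return "encrypted: BitLocker"
    if header[3:11] == NTFS_OEM:
        return "plaintext: NTFS"
    if header[EXT_MAGIC_AT:EXT_MAGIC_AT + 2] == EXT_MAGIC:
        return "plaintext: ext2/3/4"
    # No known signature: another encryption product, or a blank disk.
    return "unknown"

def readable_without_key(volumes: dict) -> list:
    """Names of volumes whose files another OS could mount and read."""
    return sorted(name for name, hdr in volumes.items()
                  if classify_volume(hdr).startswith("plaintext"))

def _sample(offset: int, magic: bytes) -> bytes:
    """Build a constructed 2048-byte header with one signature in place."""
    buf = bytearray(2048)
    buf[offset:offset + len(magic)] = magic
    return bytes(buf)

# Constructed sample headers (not real disks); names are hypothetical.
SAMPLES = {
    "contractor-laptop-ntfs": _sample(3, NTFS_OEM),
    "test-server-ext4": _sample(EXT_MAGIC_AT, EXT_MAGIC),
    "finance-laptop-bitlocker": _sample(3, BITLOCKER_OEM),
    "dev-laptop-luks": _sample(0, LUKS_MAGIC + b"\x00\x02"),
    "wiped-disk": bytes(2048),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:26} {classify_volume(hdr)}")
    print("readable without a key:", readable_without_key(SAMPLES))
```

For a real check, pass in the first 2048 bytes read from each volume or disk image. An "unknown" result proves nothing either way and needs a manual look.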
Parcel Force Publishes Personal Data
by Rupert Beeby on Jun.19, 2009, under Uncategorised
http://news.bbc.co.uk/1/hi/business/8107737.stm
A great story about Parcel Force which, due to problems with its website, has been publishing names, addresses and signatures for parcels that are unrelated to the user's query. A fraudster could make hay with the information to steal identities.
However, it is worth noting that information in an organisation is like water in a leaky bucket. It will find its way out through any weakness. What if you were storing acid, where even a single drop escaping would cause serious problems? Critical data is like the acid - it can cause significant damage and for some time.
Organisations must look at what they are storing and protect ALL ways of exit including all endpoints. A website is an endpoint as it is where the organisation meets the world.
Freedom of Information - Confusion Reigns
by Rupert Beeby on Jun.19, 2009, under Uncategorised
First we have the MPs' expenses that have been released under the FOI Act, and their release has resulted in pages of blacked-out entries which fall under the Data Protection Act! It is quite clear that the two acts contradict each other, or at least the distinction between what can be released and what cannot becomes very blurred.
In the opinion of endpoint protect, the Data Protection Act must take precedence, as release of personal information is far more damaging than withholding it. Clearly proper policies are required that define the information within an organisation such that physical controls can be mapped to the policies.
Trickster or Employee - which are you?
by Rupert Beeby on May.13, 2009, under Uncategorised, security policies
The BBC are reporting a great story on Social Engineers, confidence tricksters who are able to talk their way into organisations and then misappropriate information about that company. Examples include talking on a cell phone with the MD holding the door to let him in unchallenged, and even setting up in an empty office for five days and obtaining accounts and passwords of employees. Thankfully these examples were performed by a security vulnerability company, but a serious point is made. No one knows all employees and yet no one checks identities properly.
The article goes on to report that a recent report from PGP estimated that each piece of data leaked from a firm costs the breached organisation £60. It found that 70% of data breaches were down to insider negligence rather than outside hackers.