Government
MOD investigates laptop loss
by Rupert Beeby on Dec.29, 2009, under Government, data security, data security trends, security policies
On the 12th December, it was widely reported that another laptop was taken from MOD Headquarters in central London. This would not normally cause worry, as all laptops are encrypted. However, the encryption key was also taken, thus exposing the information to the thief. It is not known whether there is any exposure while investigations proceed. However, news items referred to the laptop as a 'secret data laptop', which gives an indication. It was only in July this year (as reported in this blog) that it emerged that 658 laptops had been stolen from the MOD in the last four years.
Below is one report on the story, but the BBC has also reported it.
St Albans Mourns Laptop Loss
by Rupert Beeby on Nov.27, 2009, under Government, Industry News, data security, security policies
St Albans City and District Council is the latest organisation to lose laptops: four of them, holding personal data on over 14,000 voters. Files contained names, addresses, dates of birth, signatures, postal vote forms and statements, which together are all the information required to open a bank account.
Councillors were recently debating the loss and how the laptops could be stolen from the actual offices. Even though the data was protected, the portable devices were not physically secured. This goes against council policy of portable devices being physically as well as logically protected.
It also raises the question of why personal data was held on portable devices at all. Such data should only be accessed on central resources, with users prevented from copying it to local devices. We shall see what lessons will be learned and then forgotten until the next time.
The council needs to develop an information classification scheme with associated policies on protection. A simple Data Loss Prevention product would have prevented the personal data from being copied in the first place or, had it been copied, would have ensured the data was encrypted. It is noted that one of the laptops was left for months on an unused desk with no one knowing that it held all this data. This is why an information audit and classification is required to start to get some control.
This story has been widely reported, so use these links for more detail (such as there is)!
http://www.stalbansreview.co.uk/news/4760711.St_Albans_councillors_debate_laptop_theft/
http://news.bbc.co.uk/1/hi/england/beds/bucks/herts/8363514.stm
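The post above argues for an information audit, a classification scheme and a Data Loss Prevention check that stops classified data being copied to portable devices. The following is an added illustration of that control, not code from the original post or from any council or vendor: a small Python audit that classifies files by the kinds of personal data the story names (dates of birth, postal addresses via UK postcodes, postal-vote paperwork) and then answers the DLP question "may this file be copied to this destination?". The file inventory, the label names and the allowed-location policy are all constructed assumptions for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Indicators for the kinds of personal data named in the council story.
# The patterns are deliberately simple; a real information audit would use
# a far richer dictionary of identifiers.
DOB_RE = re.compile(
    r"\b(?:date of birth|dob)\s*[:=]?\s*\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}\b", re.I
)
UK_POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b")
POSTAL_VOTE_RE = re.compile(r"\bpostal vote\b", re.I)

# Hypothetical classification labels and the locations each may live in.
# PERSONAL data is confined to central resources, as the post recommends.
ALLOWED_LOCATIONS = {
    "PERSONAL": {"central-share"},
    "INTERNAL": {"central-share", "laptop"},
    "PUBLIC": {"central-share", "laptop", "removable-media"},
}


@dataclass(frozen=True)
class Finding:
    path: str
    classification: str
    indicators: tuple


def classify(text: str) -> tuple:
    """Return (label, indicators) for one file's contents."""
    hits = []
    if DOB_RE.search(text):
        hits.append("date_of_birth")
    if UK_POSTCODE_RE.search(text):
        hits.append("uk_postcode")
    if POSTAL_VOTE_RE.search(text):
        hits.append("postal_vote")
    # A date of birth on its own, or an address alongside electoral
    # paperwork, identifies a voter: treat the file as personal data.
    if "date_of_birth" in hits or len(hits) >= 2:
        return "PERSONAL", tuple(hits)
    if hits:
        return "INTERNAL", tuple(hits)   # needs a human look, not public
    return "PUBLIC", ()


def audit(files: dict) -> list:
    """Classify every file in a {path: contents} inventory."""
    return [Finding(path, *classify(text)) for path, text in files.items()]


def summarise(findings: list) -> dict:
    """Count files per classification for the audit report."""
    return dict(Counter(f.classification for f in findings))


def copy_allowed(finding: Finding, destination: str) -> bool:
    """DLP-style policy check: may this file be copied to that location?"""
    return destination in ALLOWED_LOCATIONS[finding.classification]


# Constructed sample inventory standing in for files found on council laptops.
SAMPLE_FILES = {
    "laptop-3/Desktop/postal_votes_ward7.csv":
        "name,address,details\n"
        "A. Voter,\"12 High Street, St Albans AL1 3JE\",Date of birth: 03/05/1962\n",
    "laptop-3/Desktop/electoral_statement.txt":
        "Postal vote statement received from ward 7; forms filed in cabinet B.",
    "laptop-1/Documents/committee_minutes.txt":
        "Minutes of the planning committee. No personal details recorded.",
}


if __name__ == "__main__":
    results = audit(SAMPLE_FILES)
    for f in results:
        print(f"{f.classification:8} {f.path}  {f.indicators}")
    print("summary:", summarise(results))
    for f in results:
        if f.classification == "PERSONAL":
            print(f"copy {f.path} to removable-media allowed?",
                  copy_allowed(f, "removable-media"))
```

Run against the sample inventory, the audit flags the spreadsheet on laptop-3 as PERSONAL (date of birth plus address), marks the statement as INTERNAL for review, and the policy check refuses to let the PERSONAL file go to removable media while permitting it on the central share. The same two functions, an inventory walk plus a policy lookup, are the skeleton of both the audit the post calls for and the copy-time block a DLP product enforces.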
Protect Data or Get Fined
by Rupert Beeby on Nov.17, 2009, under Government, Industry News, data security, data security trends
The Information Commissioner's Office (ICO), the privacy watchdog, has published figures on data breaches that make disturbing reading. What's more, the ICO is getting so concerned that it will be introducing fines on companies and public bodies that recklessly or deliberately break the rules. Fines of up to half a million may be imposed for losses of information. In total, 434 organisations reported data security breaches in the past 12 months, up from 277 the year before. This is what Deputy Information Commissioner David Smith said: "The majority of organisations get data protection right, but regrettably a significant minority of management teams are failing to take data protection seriously enough. Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal data is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media."
Well, what a surprise! But what is really interesting and scary is that there are fines coming! But I thought that if you breached the Data Protection Act then you would be fined or sued anyway. However, what is clear is that this affects all businesses, large or small, SMB or multinational. So Data Loss Prevention is for all organisations that store personal data, but it is not sufficient just to use device control: the ICO is saying any data loss from any channel! So does that mean that first generation products that really only do encryption and device control will be replaced by second generation products that cover devices, IM, and all the goodies? I think this is a call to action for vendors to smarten up their act and work with others to gain functionality rather than buy and try to integrate. You can read more here: http://news.bbc.co.uk/1/hi/uk_politics/8354655.stm
Ealing left Reeling after virus attack
by Rupert Beeby on Sep.04, 2009, under Endpoint Software Packages, Government, data security
Ealing Council is facing a bill for over £500,000 after a member of staff plugged an infected memory stick into a PC. The virus spread from the housing department, where it was introduced, and infected Ealing Council systems for several days, requiring emergency IT work and interrupting services such as parking fines and library systems.
It also seems that the council's telephone systems were affected. The virus stopped anti-virus software from functioning, blocked access to Microsoft support sites and contacted other websites at random.
What can one say? (I told you so springs to mind, but that would be churlish.) There are products that would have stopped this from happening, but the reliance on AV as the main security barrier was found lacking.
What is needed is Application Control. This function controls whether any application, be it a legitimate program started by the user or a malicious virus, may run on the endpoint. Windows 7 will have this feature as part of the operating system, but that is not out for a while and it will take years before everyone upgrades. So what do you do? Well, look at some of the existing products that already provide this capability for XP and Vista, such as Versec from Guardian Technologies. It scans permitted application images into a database, which is then compared with the image that the user would like to run. It either permits or prevents as required.
So, security people at the councils, get wise and look at what employees are doing on your systems. Data is spread everywhere, unauthorised applications run on endpoints, inappropriate content is stored, unsecured IM is used: all lovely ways for viruses to get in and data to get out!
If you want the full story, go here: http://news.bbc.co.uk/1/hi/england/london/8237085.stm
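The mechanism the post describes (scan permitted application images into a database, compare each image the user wants to run against it, then permit or prevent) is an allowlist keyed on a hash of the executable. The following Python is an added example of that logic written for this page; it is not Versec, not any Guardian Technologies code and not the Windows 7 feature. The executable "images" are constructed byte strings, and the product names are invented. It covers both passages above: the Ealing incident, where an executable arriving on a memory stick would be refused because it was never scanned in, and the tampered-copy case, which shows why the comparison is on the image hash rather than the file name.

```python
import hashlib
from typing import Dict, List, Tuple


def image_hash(image: bytes) -> str:
    """SHA-256 of an executable image: the identity Application Control compares."""
    return hashlib.sha256(image).hexdigest()


class ApplicationControl:
    """Default-deny allowlist: only images whose hash was scanned in may run."""

    def __init__(self) -> None:
        self._permitted: Dict[str, str] = {}            # sha256 -> friendly name
        self.audit_log: List[Tuple[str, bool, str]] = []  # (hash prefix, allowed, reason)

    def permit(self, name: str, image: bytes) -> str:
        """Scan a known-good image into the permitted database; return its hash."""
        digest = image_hash(image)
        self._permitted[digest] = name
        return digest

    def check(self, requested: bytes) -> Tuple[bool, str]:
        """Decide whether an image the user wants to run may execute, and log it."""
        digest = image_hash(requested)
        name = self._permitted.get(digest)
        allowed = name is not None
        reason = (f"permitted image '{name}'" if allowed
                  else "image not in permitted database")
        self.audit_log.append((digest[:12], allowed, reason))
        return allowed, reason


# Constructed stand-ins for executable images (real ones would be PE files).
WORD_PROCESSOR = b"MZ\x90\x00council-word-processor-v4.2"
LIBRARY_SYSTEM = b"MZ\x90\x00library-catalogue-client-v1.0"
USB_PAYLOAD = b"MZ\x90\x00autorun-from-memory-stick"
# Same program with one byte appended: a different image, so a different hash.
TAMPERED_WORD_PROCESSOR = WORD_PROCESSOR + b"\x00"


def build_policy() -> ApplicationControl:
    """Scan the council's approved applications into the database."""
    ac = ApplicationControl()
    ac.permit("Word processor", WORD_PROCESSOR)
    ac.permit("Library system client", LIBRARY_SYSTEM)
    return ac


def simulate() -> Dict[str, bool]:
    """Run four execution requests through the policy and report the decisions."""
    ac = build_policy()
    return {
        "word_processor": ac.check(WORD_PROCESSOR)[0],
        "library_system": ac.check(LIBRARY_SYSTEM)[0],
        "usb_payload": ac.check(USB_PAYLOAD)[0],
        "tampered_word_processor": ac.check(TAMPERED_WORD_PROCESSOR)[0],
    }


if __name__ == "__main__":
    ac = build_policy()
    for label, image in [("word processor", WORD_PROCESSOR),
                         ("library system", LIBRARY_SYSTEM),
                         ("memory stick autorun", USB_PAYLOAD),
                         ("tampered word processor", TAMPERED_WORD_PROCESSOR)]:
        allowed, reason = ac.check(image)
        print(f"{label:24} -> {'RUN' if allowed else 'BLOCK':5} ({reason})")
    print("audit log entries:", len(ac.audit_log))
```

Two points worth noticing when running it: the default is deny, so the memory-stick executable is blocked without anyone having seen it before, which is exactly the gap that signature-based AV left open in the Ealing case; and the tampered copy of an approved program is blocked too, because the decision is made on the image hash, not on a file name the malware could borrow. The audit log is what a council's security team would feed into detection, since a burst of blocked executions from one workstation is itself a useful alarm.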
Government pins its hopes on attack!
by Rupert Beeby on Jul.07, 2009, under Government, Industry News, Uncategorised, data security, data security trends, security policies
A little late in the reporting, but a worthy story nonetheless: the revised National Security Strategy was published on the 25th June 2009 by the British Government. It includes, for the first time, a public cyber security strategy. A central strategic body will be set up, named the Office of Cyber Security (OCS). The OCS will sit within the Cabinet Office, which is supposed to run the strategy and work with industry. The group that will actually undertake operations will be the Cyber Security Operations Centre in GCHQ, which for the first time will take offensive action against hackers, cyber criminals and whoever else they decide is a threat.
This is a new departure for the Government, which has previously taken a more passive stance. Gordon Brown said: "Just as in the 19th century we had to secure the seas for our national safety and prosperity, and in the 20th century we had to secure the air, in the 21st century we also have to secure our position in cyber space in order to give people and businesses the confidence they need to operate safely there."
Funds for this initiative are to come from existing intelligence groups. It would be interesting to see how this group will be measured to assess its effectiveness. Will it be by the number of threats thwarted, or by the amount of money that might have been compromised had the attack been successful, an arbitrary measure at the best of times? In addition, is this actually a strategy to thwart threats to our national security, or to reduce the £53 billion of online fraud, which would mostly benefit industry? There is currently a shortage of skills in the security field, so prices for staff will be high.
In a month or two this will be forgotten and another Government funded initiative will consume taxpayers' money with little or nothing to show for it. Anyway, if you want the full report from the Government, go to http://www.cabinetoffice.gov.uk
Enjoy!