security policies
Unhappy With Your Exam Results: Use the Data Protection Act
by Rupert Beeby on Aug.18, 2010, under Industry News, data security, data security trends, security policies
Now here is a topical subject on the eve of the A level results due out tomorrow. If you have someone who is waiting for results then you have my sympathies. The waiting is excruciating!
But if you are one of those who do not necessarily get what you hoped for then the DPA is here to help. According to the Information Commissioner’s Office, an individual can access personal information about themselves from any organisation. This is known as a Subject Access Request (SAR). Students wishing to know more about why they were awarded certain marks can use a SAR to request examiners’ comments from examination scripts. Students who appeal their results can also request the minutes of appeals.
At last, it seems that the DPA actually has some value to the public as opposed to its oppressive prevention of access to information.
So don’t delay, use your rights and use your SAR. It’s nothing to do with SARS!!
Economic cuts threaten information security
by Rupert Beeby on Jul.30, 2010, under Endpoint Software Packages, Industry News, data security, security policies
First it was the cuts in private sector firms and now it is the public sector. The easiest and quickest cuts that make a difference to the bottom line are to remove people, who are usually the largest cost item. Sadly redundancy is now a major occurrence in a working life. I know of many capable, intelligent and hard working people who have been made redundant two or three times in their lives, sometimes more. It is increasingly a tool of organisations to quickly get rid of people. In general, redundancy is never executed in line with the legal guidelines, which results in court cases and compromise agreements.
So what has all this to do with Information Security? The removal of staff from an organisation is currently the biggest threat to an organisation’s information. Redundancy, or whatever method is used, can result in animosity, resentment and malicious intent on the part of the former employee. Of course most organisations are understanding and sensitive to employees and most follow the rules. However, sales of DLP software have been rising and the most cited reason for purchase is protection of contact databases, intellectual property and sales information from disgruntled employees.
The threat is real and active, and who knows how much critical information has been taken by upset and vengeful employees without anyone knowing. Please add any comments to this post on your experiences of cost cutting and data loss.
DLP is finally getting the attention it requires
by Rupert Beeby on Jul.05, 2010, under Endpoint Software Packages, data security, data security trends, security policies
Apologies for the lack of posts - I had some personal problems that took me away.
There has been a lot happening in the security market in the last few months, particularly on the data loss prevention and encryption side of things. Encryption is hotting up as customers are, at last, trying to understand it and make informed decisions about what is required for their environment. Vendors still continue to ‘throw in’ some licenses just to mess things up, but that is business.
On the DLP front we are also seeing proper investigation by customers who want to understand what it can do and if it will work for them. For so long vendors have used the acronym without any cost or risk justification. Well, that is starting to change, thanks to firewalls, IDS, AV and encryption still being unable to stop determined efforts at data removal. Customers are waking up to the fact that adding more products is not the answer; proper risk assessment and the reduction of the highest threats is.
I also see a change of tack by vendors, who are now trying to justify the spend. See my next post - can DLP alone be justified on a cost basis?
Anyway, it is good to be back and sorry for the delay - all comments and suggested topics are very welcome.
MOD investigates laptop loss
by Rupert Beeby on Dec.29, 2009, under Government, data security, data security trends, security policies
On the 12th December, it was widely reported that another laptop was taken from MOD Headquarters in central London. This would not normally cause worry as all laptops are encrypted. However, the encryption key was also taken, so exposing the information to the thief. It is not known if there is any exposure whilst investigations proceed. However, news items referred to the laptop as a ’secret data laptop’, which gives an indication. It was only in July this year (as reported in this blog) that it emerged that 658 laptops had been stolen from the MOD in the last four years.
Below is one report on the story, but the BBC have also reported it.
St Albans Mourns Laptop Loss
by Rupert Beeby on Nov.27, 2009, under Government, Industry News, data security, security policies
St Albans City and District Council is the latest organisation to lose data: four laptops holding personal data on over 14,000 voters. Files contained names, addresses, dates of birth, signatures, postal vote forms and statements, which is all the information required to obtain a bank account.
Councillors were recently debating the loss and how the laptops could be stolen from the actual offices. Even though the data was protected, the portable devices were not physically secured. This goes against council policy of portable devices being physically as well as logically protected.
It also begs the question as to why personal data was held on portable devices at all. Such data should only be accessed on central resources, with users prevented from copying it to local devices. We shall see what lessons will be learned and then forgotten until the next time.
The council needs to develop an information classification with associated policies on protection. A simple Data Loss Prevention product would have prevented the personal data from being copied in the first place and, had it been copied, the data would have been encrypted. It is noted that one of the laptops was left for months on an unused desk with no one knowing that it held all this data. This is why an information audit and classification is required to start to get some control.
This story has been widely reported so use these links for more detail (such as there is)!!
http://www.stalbansreview.co.uk/news/4760711.St_Albans_councillors_debate_laptop_theft/
http://news.bbc.co.uk/1/hi/england/beds/bucks/herts/8363514.stm
Government pins its hopes on attack!
by Rupert Beeby on Jul.07, 2009, under Government, Industry News, Uncategorised, data security, data security trends, security policies
A little late in the reporting, but a worthy story nonetheless, is the revised National Security Strategy which was published on the 25th June 2009 by the British Government. It includes, for the first time, a public cyber security strategy. There will be a central strategic body set up named the Office of CyberSecurity (OCS). The OCS will sit within the Cabinet Office, which is supposed to run the strategy and work with industry. The group that will actually undertake operations will be the Cyber Security Operations Centre in GCHQ, which for the first time will take offensive action against hackers, cyber criminals and whoever else they decide is a threat.
This is a new departure for the Government, which has previously taken a more passive stance. Gordon Brown said: “Just as in the 19th century we had to secure the seas for our national safety and prosperity, and the 20th century we had to secure the air, in the 21st century we also have to secure our position in cyber space in order to give people and businesses the confidence they need to operate safely there.”
Funds for this initiative are to come from existing intelligence groups. It would be interesting to see how this group will be measured to assess effectiveness. Will it be by number of threats thwarted, or the amount of money that might have been compromised had the attack been successful: an arbitrary measure at the best of times? In addition, is this actually a strategy to thwart threats to our national security, or to reduce the £53 billion of online fraud, which mostly benefits industry? There is currently a shortage of skills in the security field, so prices for staff will be high.
In a month or two this will be forgotten and another Government funded initiative will consume taxpayers’ money with little or nothing to show for it. Anyway, if you want the full report from the Government then go to http://www.cabinetoffice.gov.uk
Enjoy!
Managed Security Services: Is there always product?
by Rupert Beeby on May.19, 2009, under Managed Security Services, data security, data security trends, security policies
I would be very interested to hear from any clients who use some kind of managed security services from a third party, to understand what the motivation for, or benefits of, these services might be. In any outsourced service, what needs to be offered must be defined to strict requirements such that the third party can be measured against agreed SLAs. However, in practice this is rarely done well, so that service expectations are never set correctly. For security services, which are complicated and diverse, it would be good to see what the benefit of having them provided by a third party actually is. In addition, any provider of security products usually has an array of products and other services that it can push in through the managed services. Independence in service delivery is very hard to find, often undervalued and badly understood.
So is there a market for managed security services that is not provided by one of the security vendors? I say not - as it is too hard for independent providers to be seen through the vast array of products offered to the client.
Trickster or Employee - which are you?
by Rupert Beeby on May.13, 2009, under Uncategorised, security policies
The BBC are reporting a great story on social engineers: confidence tricksters who are able to talk their way into organisations and then misappropriate information about that company. Examples include talking on a cell phone while the MD holds the door to let him in unchallenged, and even setting up in an empty office for five days and obtaining accounts and passwords of employees. Thankfully these examples were performed by a security vulnerability company, but a serious point is made. No one knows all employees and yet no one checks identities properly.
The article goes on to report that a recent report from PGP estimated that each piece of data leaked from a firm costs the breached organisation £60. It found that 70% of data breaches were down to insider negligence rather than outside hackers.
Security lapses highlight need for mobile data encryption
by Sion Camilleri on May.05, 2009, under data security, security policies
Computing reports that, despite yet more data losses, more organisations are waking up to the need to encrypt mobile devices. How many times do significant data losses have to occur before both private- and public-sector organisations face up to the fact that encryption, whether applied to laptops, USB memory devices or other mobile devices, is the only sure-fire way of stopping personal and business-critical data from going astray? Recently, four NHS trusts have been found in breach of the Data Protection Act (DPA) by the Information Commissioner’s Office (ICO), and all of them have agreed in future to encrypt all portable and mobile data on devices.
What Should an Endpoint Solution Include?
by admin on Dec.18, 2008, under data security, security policies
The market for endpoint protection has been rapidly evolving over the years and, emerging from traditional virus protection, have come two new areas, namely Data Loss Prevention (DLP) and Content Monitoring and Filtering (CMF). Both these areas have been adopted by Gartner to support their 2008 Magic Quadrant. It is clear that anti-virus and its associated companions of spam protection, phishing prevention, etc. are not enough to protect an endpoint. Large vendors try to spice up their ‘endpoint’ offerings with PC tune-ups and backups in order to maintain their price points, or as a way to expand the footprint of software into the customer: a practice suitably termed ‘bloating out’ the customer.
It seems that the fragmentation into nebulous components of offerings is required in order for software vendors to maximise their revenue opportunity and to expand their footprint within the customer to ward off competition. But how many of the multitude of products actually do what the customer needs, which is a combination of many things in order to protect, manage, control, monitor and capture the vital information resident on or passing through the endpoint? I would argue that none of the current vendors, who have based their current offerings on out-dated network security models, provide what the customer really needs.
In reality, protecting data from entering or leaving an organisation begins and ends with the endpoint. It is here that thorough protection is required and where the battle is won or lost. Even if that endpoint is a laptop or a virtual desktop, the same logic applies. However, just protecting at the endpoint won’t sell network scanning, database security and all the add-ons so frequently mentioned. In addition, if the protection is managed at the endpoint then the need for heavy backend infrastructure is nullified.
Here is a list of functionality that true, customer-oriented endpoint protection and control should have as standard. Included should be the monitoring, control and prevention of any method of moving data off the corporate network via an endpoint, such as USB sticks, CD/DVD writing, HTTP uploads, IM, email, etc. There should be targeted and configurable encryption. There should be sophisticated search facilities to look for any text or credit card numbers, even when embedded in files nested to multiple levels or compressed. It should have inventory collection and audit capability. It should have executable protection against malicious code. It needs to have ICA filters and prevention of copying forbidden files onto the endpoint. I think you get the picture that endpoint protection is all of these in one package, not broken out separately - a customer does not know which of these he may or may not need, but all of the above attributes are required for a complete endpoint protection capability.
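As an added illustration of the content search described above (this is example code written for this page, not any vendor’s product), the following scans a file for credit-card-like numbers, descends into zip archives nested inside zip archives, and uses the Luhn checksum to discard random digit runs. The sample archive, the file names and the test card number are all constructed for the example.

```python
import io
import re
import zipfile

# Candidate 13-19 digit runs, allowing single spaces or dashes between digits.
_CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: true for well-formed card numbers, false for most noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 0 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Return Luhn-valid card-like numbers found in text, digits only."""
    hits = []
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_blob(name, data, depth=0, max_depth=5):
    """Inspect bytes; recurse into zip members up to max_depth (zip bombs are
    bounded by depth here). Returns a list of (path, card_number) pairs."""
    if depth <= max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                findings += scan_blob(name + "/" + member, zf.read(member),
                                      depth + 1, max_depth)
        return findings
    text = data.decode("utf-8", errors="ignore")   # non-text bytes are skipped
    return [(name, c) for c in find_cards(text)]


def build_sample():
    """Constructed input: a zip inside a zip, one valid and one invalid number."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("notes.txt", "PAN 4111 1111 1111 1111 on file; ref 1234567812345678")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("archive.zip", inner.getvalue())
        zf.writestr("readme.txt", "nothing sensitive here")
    return outer.getvalue()
```

Running scan_blob("upload.zip", build_sample()) reports only the Luhn-valid number, with the nested path that a DLP audit log would need.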