Endpoint Protection

Tag: content filtering

Unhappy With Your Exam Results: Use the Data Protection Act

by Rupert Beeby on Aug.18, 2010, under Industry News, data security, data security trends, security policies

Now here is a topical subject on the eve of the A level results due out tomorrow. If you have someone who is waiting for results then you have my sympathies. The waiting is excruciating!

But if you are one of those who do not necessarily get what you hoped for then the DPA is here to help. According to the Information Commissioner's Office, an individual can access personal information about themselves from any organisation. This is known as a Subject Access Request (SAR). Students wishing to know more about why they were awarded certain marks can use a SAR to request examiners’ comments from examination scripts. Students who appeal their results can also request the minutes of appeals.

At last, it seems that the DPA actually has some value to the public as opposed to its oppressive prevention of access to information.

So don’t delay, use your rights and use your SAR. It's nothing to do with SARS!!


Microsoft Vulnerable Shortcut runs code

by Rupert Beeby on Jul.20, 2010, under Industry News, data security, viruses and worms

Another Microsoft vulnerability is exposed in a bulletin by Microsoft dated the 16th July 2010. Microsoft Windows is prone to a vulnerability that allows a file to automatically run when a folder is viewed in Windows Explorer. This vulnerability is being exploited by W32.Temphid to ensure that malicious code executes when an infected USB drive is inserted into a computer. While current attacks involve executing files from USB drives locally connected to targeted computers, attackers may also exploit this issue by setting up remote network or WebDAV shares and enticing a user to visit them. This possibility presents a remote threat to affected users. Microsoft published an advisory describing a workaround for this issue.

Be aware that as this exposure will be exploited with other methods of attack


St Albans Mourns Laptop Loss

by Rupert Beeby on Nov.27, 2009, under Government, Industry News, data security, security policies

St Albans City and District Council is the latest organisation to lose four laptops with personal data on over 14,000 voters. Files contained names, addresses, dates of birth, signatures, postal vote forms and statements, which is all the information required to obtain a bank account.

Councillors were recently debating the loss and how the laptops could be stolen from the actual offices. Even though the data was protected, the portable devices were not physically secured. This goes against council policy of portable devices being physically as well as logically protected.

It also begs the question as to why personal data was held on portable devices. Such data should only be accessed on central resources and users prevented from copying to local devices. We shall see what lessons will be learned and then forgotten until the next time.

The council needs to develop an information classification with associated policies on protection. A simple Data Loss Prevention product would have prevented the personal data from being copied in the first place but, had it been copied, the data would have been encrypted. It is noted that one of the laptops was left for months on an unused desk with no one knowing that it held all this data. This is why an information audit and classification is required to start to get some control.

This story has been widely reported so use these links for more detail (such as there is)!!

http://www.stalbansreview.co.uk/news/4760711.St_Albans_councillors_debate_laptop_theft/

http://news.bbc.co.uk/1/hi/england/beds/bucks/herts/8363514.stm

http://www.stalbansreview.co.uk/news/4743799.St_Albans_council_worker_claims___Laptop_was_ignored_for_months_/


Security Policy or Security Product?

by admin on Dec.18, 2008, under data security, security policies

It is clear from meeting customers that the technology fix continues with security - the belief that a product will solve all the security problems in an organisation. This misguided expectation is exploited by vendors who sell every flavour and permutation for each identified security flaw. This results in customers wasting a lot of money on shelfware (software that is never installed and sits on the shelf) or problems trying to effectively deploy the product with no clear idea of configuration or threat.

However, a simple step before buying a product fix is to consider which security policies an organisation should reasonably implement, which would then save time and money. With protection of information, it is vital to define the policies that are reasonable and actionable to do the job. Once the policies have been set, agreed and communicated then the tool can be matched to the policy.

So many clients buy a product that they cannot effectively use as there are no existing policies defining what the product should do. It takes time to get the product reflecting the policies. From experience, one should start with strategic policies that, at a high level, define the overarching rules of the organisation. These can then be broken down into tactical policies. From the tactical policies, the standard operating procedures can be defined and written.

In summary, product purchase is used as an excuse for ‘doing something’ with security but with no organisational framework defining its use.
