[ISN] Plug the holes in your cone of silence

From: InfoSec News (alerts@private)
Date: Tue May 29 2007 - 22:15:05 PDT


http://www.theage.com.au/news/security/plug-the-holes-in-your-cone-of-silence/2007/05/28/1180205158743.html

By Cynthia Karena
May 29, 2007

DATA loss is a significant factor in modern business, dependent as it is 
now on electronic systems. And it occurs in many ways, some inadvertent, 
some through stupidity and some criminal.

One organisation accidentally puts its sensitive market research report 
online before it has been approved; another can't find data that has 
been requested by a government department. Others lose laptops, 
unwittingly send confidential information in emails, or give contractors 
too much access to internal data.

This is lost data and its impact on a business can range from financial 
loss, to damage to its reputation, potential loss of customers, or even 
imprisonment if there is a breach of corporate governance.

So, how good are your data management policies and procedures? How 
secure are your corporate borders?

More than two-thirds of Australian organisations experience six losses 
of sensitive data every year, according to new research by the US-based 
IT Policy Compliance Group. One in five organisations loses sensitive 
data 22 or more times a year.

Lost data includes customer, financial, corporate, employee, and IT 
security data that is stolen, leaked or destroyed.

Loss of sensitive, confidential corporate data can also give a rival 
company a competitive advantage.

It might, for example, include results of market research, competitive 
intelligence analysis of another company, research and development 
results, financial information, or a list of possible staff 
redundancies.

"In most organisations, the most sensitive information is in emails," 
says Milton Baar, the director of IT Security consultants Swoose 
Partnership, and committee member of the ISO 27001 international 
security standard for information management.

Mr Baar says three factors should be considered in assessing data loss: 
confidentiality, integrity, and availability.

The integrity of data is maintained by ensuring that information is 
changed only by those allowed to do so, but organisations also need to 
make sure that data can be accessed when it is required.

Confidentiality is often breached when emails are sent, accidentally or 
intentionally, to people who should not be seeing them, or when emails 
are sent before information should be made public.

Mr Baar says staff should be trained in the use of email, helping them 
understand what information is sensitive.

"Have black and white lists, where the server stops sending out and/or 
receiving emails to or from certain places," he says. "Have word 
searches in outbound emails to ensure that sensitive information isn't 
disclosed, accidentally or intentionally. Mark the information 
physically or electronically with its security classification."

Attachments could be protected from email disclosure by having Access 
Control List entries that allowed them to be sent or blocked depending 
on the classification and destination of the information, he says.
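The outbound controls Mr Baar describes (a domain block list, a classification marking checked against the destination, and a word search over the body and attachments) fit together as one policy gate. The following is an added example, not code from the article or from the consultants quoted in it; the `X-Classification` header name, the domain tables, the sensitive-term list and the sample messages are all constructed assumptions standing in for an organisation's own policy.

```python
"""Outbound mail policy gate: block list, classification marking, keyword scan.

Added example, not from the article. Everything below is an assumption for
illustration: the 'X-Classification' header, the domain tables, the term list
and the sample messages would come from the organisation's own policy.
"""
import re
import email
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAINS = {"example.com"}                   # assumed: our own domain
BLOCKLIST = {"competitor.example"}                   # never exchange mail here
CLASSIFICATIONS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "PROTECTED"]  # low to high
MAX_EXTERNAL = {"partner.example": "CONFIDENTIAL"}   # assumed partner under NDA
DEFAULT_MAX_EXTERNAL = "PUBLIC"                      # any other outside domain
SENSITIVE_TERMS = [r"\bredundanc(?:y|ies)\b", r"\bmarket research\b", r"\bnot for release\b"]


def rank(label):
    """Position on the classification ladder. An unmarked or unknown label is
    treated as INTERNAL so that unmarked mail fails closed when addressed outside."""
    label = (label or "INTERNAL").strip().upper()
    if label not in CLASSIFICATIONS:
        label = "INTERNAL"
    return CLASSIFICATIONS.index(label)


def recipient_domains(msg):
    domains = set()
    for field in ("To", "Cc", "Bcc"):
        for header in msg.get_all(field, []):
            for addr in header.addresses:
                domains.add(addr.domain.lower())
    return domains


def text_parts(msg):
    """(location, text) for the body and every attachment that can be scanned."""
    parts = []
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        parts.append(("body", body.get_content()))
    for att in msg.iter_attachments():
        content = att.get_content()
        if isinstance(content, bytes):           # binary attachment: best-effort scan
            content = content.decode("latin-1")
        parts.append((att.get_filename() or "attachment", content))
    return parts


def evaluate_outbound(raw: bytes) -> dict:
    """Decide allow/block for one outbound message and record every reason."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    external = recipient_domains(msg) - INTERNAL_DOMAINS
    for dom in sorted(external & BLOCKLIST):
        reasons.append(f"recipient domain {dom} is blocklisted")
    label = msg.get("X-Classification")
    for dom in sorted(external - BLOCKLIST):
        limit = MAX_EXTERNAL.get(dom, DEFAULT_MAX_EXTERNAL)
        if rank(label) > rank(limit):
            reasons.append(f"{label or 'unmarked'} mail may not go to {dom} (limit {limit})")
    if external:                                 # content scan matters only when mail leaves
        for where, text in text_parts(msg):
            for pattern in SENSITIVE_TERMS:
                hit = re.search(pattern, text, re.IGNORECASE)
                if hit:
                    reasons.append(f"sensitive term {hit.group(0)!r} in {where}")
    return {"action": "block" if reasons else "allow", "reasons": reasons}


def build_message(to, body, classification=None, attachment=None) -> bytes:
    """Constructed sample mail for the demonstration, not real correspondence."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = to
    msg["Subject"] = "test"
    if classification:
        msg["X-Classification"] = classification
    msg.set_content(body)
    if attachment:
        name, text = attachment
        msg.add_attachment(text, filename=name)
    return msg.as_bytes()


SAMPLES = {
    "public_to_partner": build_message("bob@partner.example", "Thanks for the meeting.", "PUBLIC"),
    "confidential_to_partner": build_message("bob@partner.example", "Pricing under NDA.", "CONFIDENTIAL"),
    "confidential_to_stranger": build_message("x@mail.example", "Pricing attached.", "CONFIDENTIAL"),
    "mislabelled_attachment": build_message("bob@partner.example", "See attached.", "PUBLIC",
                                            ("plan.txt", "Draft list of possible staff redundancies.")),
    "to_competitor": build_message("rival@competitor.example", "Hi there.", "PUBLIC"),
    "unmarked_internal": build_message("carol@example.com", "Our market research results are in."),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate_outbound(raw))
```

The marking and the word search are deliberately independent checks: the `mislabelled_attachment` sample is marked PUBLIC and addressed to an approved partner, so the classification rule passes it, and only the scan of the attachment catches the redundancy list. Word lists are a safety net for exactly that case, not a substitute for marking.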

Cybertrust security consultant Andrew Walls says that the "number one 
issue" for organisations is classification of their data: does a given 
set of data need to stay confidential, how critical is its integrity, 
and how readily must the information be accessible?

"The critical thing is for business to say what is important, then apply 
security controls. What role does the data play in an organisation's 
plans, including its profitability? How important is that information?" 
he says.

"At a simple level decide what is a secret, and what is not. If it is a 
secret, talk to us before accessing it or publishing it," Mr Walls says. 
"Don't expect the IT security people to make these decisions; 
classifying the data is a business decision."

Mr Walls says the Australian Government has five tiers of 
classification: public data, internal use only, confidential, protected 
and highly protected. At each tier a decision is made on how important 
are confidentiality, integrity and availability.

Mr Baar says the proper use of information standards, such as 
AS/NZS4360, a risk management standard, would provide a much better 
basis for decision making. "Poor risk analysis means that the real 
risks, likelihoods and consequences are not known in detail, therefore 
the real losses are also unknown," he says. Often, risk was simply 
wrongly estimated.

Symantec systems engineering manager Paul Lancaster agrees that 
compliance is not just about the data, but its integrity and 
availability. Compliance means adhering to regulations that affect a 
business and what that means for its data storage systems.

"Data loss occurs when it can't be accessed," says Mr Lancaster. 
"Organisations have their own products and services they deliver as a 
business and the data behind that is key. Not having the ability to 
obtain data to show the public that their data is intact, with no 
integrity loss, can be detrimental to a business."

Backing up is one obvious strategy, but how many organisations do this 
critical task properly?

Mr Baar says people do back-ups and they usually work. "But most people 
don't verify that their back-ups have worked; that is, restore the data 
to see if it worked, as sometimes you can't read a back-up." Back-ups 
sometimes were not comprehensive enough, missing critical files or 
directories.

Mr Lancaster says an example of compliance procedures not being met was 
when back-up tapes were overwritten and reused to store new data, 
"especially if the data is to be kept for 25 years. There have to be 
strong internal guidelines as to how a business checks the integrity of 
data and the recovery process of data."

Mr Baar says staff training is essential to reduce the incidence of 
"stupid mistakes," such as deleting a whole file set instead of purging 
multiple copies, or allowing devices to be taken off-site without 
appropriate authorisation.

He cites a case at Australian Customs in 2003, when two men posing as 
computer technicians entered the cargo processing and intelligence 
centre at Sydney International Airport. They were given access to the 
top-security mainframe room where they disconnected two computers and 
wheeled them out of the room past the security desk and out of the 
building.

So what should organisations do to keep their data confidential, 
uncorrupted, and available?

Mr Baar says most hospitals in NSW have multiple secure systems, with 
servers in two locations to keep patient records secure. There is also 
"role-based security access" where only certain people can access or 
alter information, for example where a nurse can read or annotate a 
patient record, but not delete or create one or where administration can 
create a record, but not add information.
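The split Mr Baar describes only works if "write" is not one permission: creating a record, annotating it and deleting it have to be separate actions that each role is granted or denied individually, with nothing allowed unless granted. The following is an added example, not code from the article or from any hospital system it mentions; the two roles, the permission matrix, the record layout and the sample users are assumptions chosen to match the description above.

```python
"""Role-based access to patient records: create, read, annotate and delete
kept as separate permissions, deny by default, with an audit trail.

Added example, not from the article. Roles, matrix and record layout are
assumptions matching the two roles described in the text.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Action(Enum):
    CREATE = auto()
    READ = auto()
    ANNOTATE = auto()     # append a note; existing notes are never altered
    DELETE = auto()


# Assumed matrix: a nurse reads and annotates but cannot create or delete;
# administration creates (and reads) but cannot add clinical information.
ROLE_PERMISSIONS = {
    "nurse": {Action.READ, Action.ANNOTATE},
    "administration": {Action.CREATE, Action.READ},
}


class Denied(PermissionError):
    pass


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass
class Record:
    patient_id: str
    created_by: str
    notes: list = field(default_factory=list)


class RecordStore:
    def __init__(self):
        self._records = {}
        self.audit = []      # (user, role, action, patient_id, outcome)

    def _authorize(self, user: User, action: Action, patient_id: str) -> None:
        # An unknown role maps to the empty set: nothing is allowed unless granted.
        allowed = action in ROLE_PERMISSIONS.get(user.role, set())
        self.audit.append((user.name, user.role, action.name, patient_id,
                           "allow" if allowed else "deny"))
        if not allowed:
            raise Denied(f"{user.role} {user.name} may not {action.name} record {patient_id}")

    def create(self, user: User, patient_id: str) -> None:
        self._authorize(user, Action.CREATE, patient_id)
        if patient_id in self._records:
            raise ValueError(f"record {patient_id} already exists")
        self._records[patient_id] = Record(patient_id, created_by=user.name)

    def read(self, user: User, patient_id: str) -> tuple:
        self._authorize(user, Action.READ, patient_id)
        rec = self._records[patient_id]
        # Hand back a snapshot, not the live object, so READ cannot be used to write.
        return (rec.patient_id, rec.created_by, tuple(rec.notes))

    def annotate(self, user: User, patient_id: str, note: str) -> None:
        self._authorize(user, Action.ANNOTATE, patient_id)
        self._records[patient_id].notes.append((user.name, note))

    def delete(self, user: User, patient_id: str) -> None:
        self._authorize(user, Action.DELETE, patient_id)
        del self._records[patient_id]


def demo():
    """Walk the two assumed roles through the matrix; returns (store, outcomes)."""
    store = RecordStore()
    admin = User("ward clerk", "administration")      # constructed sample users
    nurse = User("nurse on shift", "nurse")
    outcomes = {}
    store.create(admin, "P-1001")
    outcomes["admin_create"] = "allow"
    for label, call in [
        ("nurse_annotate", lambda: store.annotate(nurse, "P-1001", "obs 08:00 normal")),
        ("admin_annotate", lambda: store.annotate(admin, "P-1001", "should not land")),
        ("nurse_create", lambda: store.create(nurse, "P-1002")),
        ("nurse_delete", lambda: store.delete(nurse, "P-1001")),
        ("admin_delete", lambda: store.delete(admin, "P-1001")),
    ]:
        try:
            call()
            outcomes[label] = "allow"
        except Denied:
            outcomes[label] = "deny"
    return store, outcomes


if __name__ == "__main__":
    store, outcomes = demo()
    print(outcomes)
    for entry in store.audit:
        print(entry)
```

Every decision, allowed or denied, lands in the audit list before the operation runs, which is what makes the denied `admin_annotate` attempt visible afterwards. Deletion is granted to neither role here, which matches the text: removing a record is a separate decision from creating or annotating one.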

The Justice Department and offices of state and federal 
attorneys-general are "paranoid about leakage," says Mr Baar. For 
example, witness protection program lists are closely guarded, and kept 
on a computer system accessible to only a few, not including the systems 
administrator.

Macquarie Telecom is one of the most highly certified commercial data 
centres in the Asia Pacific region. It has Defence Signals Directorate 
(DSD) certification for its internet gateway service for Australian 
Commonwealth customers. The gateway provides protection from external 
threats appropriate for systems and data.

National security information, such as used by the Cabinet and Prime 
Minister's offices, is carried on a private secure network, says Mr 
Baar. "The data centre is locked down - its physical security 
configuration has met ASIO T4 requirements." It also follows procedures 
to obtain ISO 17799 Information Security Management System 
certification.

"Everyone on a computer in a secured area can be recorded on video. All 
staff have ASIO security checks."

Pharmaceutical companies are "bristling with physical security 
controls", says Mr Walls. They have millions of dollars invested in the 
research and development of their drugs and guard their design 
information carefully, with physical and procedural controls. PDAs and 
mobile phones with cameras are usually banned.

"Their information is a major corporate asset," he says. "It cannot be 
allowed to leave the company until it is patented or copyrighted."

Keeping research data confidential is one thing, corruption or loss of 
integrity in the data is another.

Mr Walls says an extreme case would be getting a new drug accepted by 
the Australian Government. The company might have invested 10 years of 
research and development to reach a point where authorities would accept 
data from tests and clinical trials.

"If the validity of the data is questioned, then 10 years have been 
lost," he says. "To recreate the data in a clinical trial would cost 
millions of dollars, and a few thousand for a lab test. But it's when 
the information is irretrievable that it's costly."

Pharmaceutical companies have high security networks, cut off from all 
other networks. They encrypt their entire networks, "down to the 
hardware," Mr Walls says. "If someone is working on something that isn't 
encrypted, they'll stand out. This approach is being adopted more and 
more by companies.

"Islands of security don't work in a sea of insecurity. In critical 
environments, we will encrypt everything," he says.

But not all security is electronic. Physical protection remains 
relevant, Mr Walls says.

If data is to be stored for a long time it may be better to lock it in a 
safe rather than encrypt it, because staff changes and "someone needs 
the keys to unlock encrypted data". If data is needed in a court case 
and it can't be decrypted, then courts will "assume that you are 
deliberately hiding it, are incompetent (therefore not allowed to be a 
company director), or obstructing justice," Mr Walls says.

Mr Lancaster notes that, in the US, companies are fined tens of millions 
of dollars when they are unable to provide data required by a court, 
something not yet seen in Australia.

Identity theft is a more common problem in Australia, Mr Lancaster says, 
with fraudsters trying to access laptops and servers to get credit card 
details or personal information.

"Online banking is a key target for security breaches," Mr Lancaster 
says. "Users need to know that they (are connected to) the real banking 
online site."

Mobility is increasing the problem, he says. It means the walls of a 
corporation are becoming increasingly permeable. Laptops could be 
mislaid in the field, or stolen from cars. How does a company balance 
the need for such tools with security concerns?

"Any PC or laptop that goes outside an organisation should have a file 
system that is encrypted," he says. "Otherwise (a thief) can just bypass 
the password by ripping out the hard drive and putting it into another 
machine to read it."

Mr Lancaster says that, with 250 million smart phones in the market, 
mobile devices need the same security infrastructure, such as firewalls 
and Virtual Private Network access.

It also comes down to what the telcos are doing, he says. "There has to 
be a degree of lockdown at their end to secure devices. They need to 
have intrusion detection, firewall device, anti-virus, and instant 
messaging security".

And then there is the human factor. "Data loss occurs primarily because 
of people," says Mr Baar. "Most information loss is through 
inappropriate behaviour - someone talking about it in the pub or a lift, 
for instance. People could go to a cafe with, say, patient records and 
leave them behind."

Employers may run ASIO checks and hold security clearances for their 
staff, but what about the cleaning staff? And what if there's a 
last-minute replacement? A cleaner could easily slip into an office 
where sensitive material was stored unencrypted.

"Everybody always underestimates the likelihood of data theft. It is 
usually unreported, which (distorts data on occurrences) but given the 
choice of attempting to hack an organisation from the outside or getting 
inside to its soft centre, you would always take the easiest option. 
External hacking is uncommon now, because it is too difficult. It's 
easier to find an insider through money or threats," Mr Baar says.

What about disgruntled employees taking information with them when they 
leave the company? Mr Lancaster says data needs to be locked down. 
Departments should be able to retrieve only their own documents. 
Finally, says Mr Walls, organisations should not reveal their security 
controls to their own personnel.





This archive was generated by hypermail 2.1.3 : Tue May 29 2007 - 22:22:37 PDT