http://www.theage.com.au/news/security/plug-the-holes-in-your-cone-of-silence/2007/05/28/1180205158743.html

By Cynthia Karena
May 29, 2007

Data loss is a significant factor in modern business, dependent as it is now on electronic systems. And it occurs in many ways, some inadvertent, some through stupidity and some criminal.

One organisation accidentally puts its sensitive market research report online before it has been approved; another can't find data that has been requested by a government department. Others lose laptops, unwittingly send confidential information in emails, or give contractors too much access to internal data.

This is lost data and its impact on a business can range from financial loss, to damage to its reputation, potential loss of customers, or even imprisonment if there is a breach of corporate governance.

So, how good are your data management policies and procedures? How secure are your corporate borders?

More than two-thirds of Australian organisations experience six losses of sensitive data every year, according to new research by the US-based IT Policy Compliance Group. One in five organisations loses sensitive data 22 or more times a year. Lost data includes customer, financial, corporate, employee, and IT security data that is stolen, leaked or destroyed.

Loss of sensitive, confidential corporate data can also give a rival company a competitive advantage. It might, for example, include results of market research, competitive intelligence analysis of another company, research and development results, financial information, or a list of possible staff redundancies.

"In most organisations, the most sensitive information is in emails," says Milton Baar, the director of IT Security consultants Swoose Partnership, and committee member of the ISO 27001 international security standard for information management.

Mr Baar says three factors should be considered in assessing data loss: confidentiality, integrity, and availability.
The integrity of data is maintained by ensuring that information is changed only by those allowed to do so, but organisations also need to make sure that data can be accessed when it is required.

Confidentiality is often breached when emails are sent, accidentally or intentionally, to people who should not be seeing them, or when emails are sent before information should be made public.

Mr Baar says staff should be trained in the use of email, helping them understand what information is sensitive.

"Have black and white lists, where the server stops sending out and/or receiving emails to or from certain places," he says. "Have word searches in outbound emails to ensure that sensitive information isn't disclosed, accidentally or intentionally. Mark the information physically or electronically with its security classification."

Attachments could be protected from email disclosure by having Access Control List entries that allowed them to be sent or blocked depending on the classification and destination of the information, he says.

Cybertrust security consultant Andrew Walls says that the "number one issue" for organisations is classification of their data. Is it important that some data remains confidential, regardless of whether its integrity is critical or how readily accessible it must be?

"The critical thing is for business to say what is important, then apply security controls. What role does the data play in an organisation's plans, including its profitability? How important is that information?" he says.

"At a simple level decide what is a secret, and what is not. If it is a secret, talk to us before accessing it or publishing it," Mr Walls says. "Don't expect the IT security people to make these decisions; classifying the data is a business decision."

Mr Walls says the Australian Government has five tiers of classification: public data, internal use only, confidential, protected and highly protected.
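The outbound-mail controls Mr Baar describes (block and allow lists, a word search on outgoing mail, and a classification marking on the information), applied with the five tiers Mr Walls lists, as an added Python example that is not from the article; the domains, the X-Classification header name and the keyword list are constructed assumptions:

```python
import re
from email import message_from_string
from email.policy import default

# Classification tiers, lowest to highest, as listed in the article.
TIERS = ["PUBLIC", "INTERNAL USE ONLY", "CONFIDENTIAL", "PROTECTED", "HIGHLY PROTECTED"]

# Constructed lists: domains the server never mails, and the highest tier each
# trusted destination may receive (an unlisted domain is treated as PUBLIC-only).
BLOCK_LIST = {"freemail.example"}
ALLOW_LIST = {"corp.example": "HIGHLY PROTECTED", "partner.example": "CONFIDENTIAL"}

# Constructed word search for sensitive content that carries no marking.
SENSITIVE = re.compile(r"\b(redundanc\w*|market research|clinical trial)\b", re.I)

def body_text(msg):
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part else ""

def classification(msg):
    """Take the marking from an X-Classification header, else from the body text."""
    label = (msg.get("X-Classification") or "").strip().upper()
    if label in TIERS:
        return label
    text = body_text(msg).upper()
    for tier in reversed(TIERS):          # the highest marking present wins
        if tier in text:
            return tier
    return "PUBLIC"

def recipient_domains(msg):
    return {addr.domain.lower()
            for field in ("To", "Cc", "Bcc")
            for hdr in msg.get_all(field, [])
            for addr in hdr.addresses}

def check_outbound(raw):
    """Return ('allow' | 'block' | 'hold', reason) for one raw outbound message."""
    msg = message_from_string(raw, policy=default)
    tier = classification(msg)
    for domain in sorted(recipient_domains(msg)):
        if domain in BLOCK_LIST:
            return "block", f"recipient domain {domain} is on the block list"
        allowed = ALLOW_LIST.get(domain, "PUBLIC")
        if TIERS.index(tier) > TIERS.index(allowed):
            return "block", f"{tier} material may not go to {domain} (max {allowed})"
    if tier == "PUBLIC" and SENSITIVE.search(body_text(msg)):
        return "hold", "unmarked message contains sensitive terms; review before sending"
    return "allow", f"{tier} to approved destinations"
```

A "hold" is the case the article warns about most: material nobody marked, caught only by the word search before it leaves.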
At each tier a decision is made on how important are confidentiality, integrity and availability.

Mr Baar says the proper use of information standards, such as AS/NZS4360, a risk management standard, would provide a much better basis for decision making. "Poor risk analysis means that the real risks, likelihoods and consequences are not known in detail, therefore the real losses are also unknown," he says. Often, risk was simply wrongly estimated.

Symantec systems engineering manager Paul Lancaster agrees that compliance is not just about the data, but its integrity and availability. Compliance means adhering to regulations that affect a business and what that means for its data storage systems.

"Data loss occurs when it can't be accessed," says Mr Lancaster. "Organisations have their own products and services they deliver as a business and the data behind that is key. Not having the ability to obtain data to show the public that their data is intact, with no integrity loss, can be detrimental to a business."

Backing up is one obvious strategy, but how many organisations do this critical task properly? Mr Baar says people do back-ups and they usually work. "But most people don't verify that their back-ups have worked; that is, restore the data to see if it worked, as sometimes you can't read a back-up." Back-ups sometimes were not comprehensive enough, missing critical files or directories.

Mr Lancaster says an example of compliance procedures not being met was when back-up tapes were overwritten and reused to store new data, "especially if the data is to be kept for 25 years. There have to be strong internal guidelines as to how a business checks the integrity of data and the recovery process of data."

Mr Baar says staff training is essential to reduce the incidence of "stupid mistakes," such as deleting a whole file set instead of purging multiple copies, or allowing devices to be taken off-site without appropriate authorisation.
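Mr Baar's point that a back-up is only proven by restoring it, and that back-ups often miss files or directories, as an added Python example that is not from the article; the file tree, the tar archive and the failure scenario in demo() are constructed:

```python
import hashlib, os, tarfile, tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def manifest(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out

def verify_backup(archive, source_root):
    """Restore the archive into a scratch directory and compare it with the live tree.
    Returns files missing from the restore, files whose content differs, and extras."""
    expected = manifest(source_root)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            try:
                tar.extractall(scratch, filter="data")   # refuse unsafe paths (Python 3.12+)
            except TypeError:                             # older Python: no filter argument
                tar.extractall(scratch)
        restored = manifest(scratch)
    return {
        "missing": sorted(set(expected) - set(restored)),
        "differs": sorted(p for p in expected if p in restored and expected[p] != restored[p]),
        "extra": sorted(set(restored) - set(expected)),
    }

def demo():
    """Constructed scenario: the backup job skipped the records/ directory, and
    notes.txt changed after the tape was written. Returns the verification report."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        for rel, data in {"notes.txt": b"v1", "records/p1.txt": b"patient 1"}.items():
            path = os.path.join(src, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        archive = os.path.join(work, "backup.tar")
        with tarfile.open(archive, "w") as tar:
            tar.add(os.path.join(src, "notes.txt"), arcname="notes.txt")  # records/ never added
        with open(os.path.join(src, "notes.txt"), "wb") as f:
            f.write(b"v2")                                                 # live copy moved on
        return verify_backup(archive, src)
```

A job that only checks the archive opens would report success here; the restore-and-compare reports the skipped directory and the stale file.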
He cites a case at Australian Customs in 2003, when two men posing as computer technicians entered the cargo processing and intelligence centre at Sydney International Airport. They were given access to the top-security mainframe room where they disconnected two computers and wheeled them out of the room past the security desk and out of the building.

So what should organisations do to keep their data confidential, uncorrupted, and available?

Mr Baar says most hospitals in NSW have multiple secure systems, with servers in two locations to keep patient records secure. There is also "role-based security access" where only certain people can access or alter information, for example where a nurse can read or annotate a patient record, but not delete or create one, or where administration can create a record, but not add information.

The Justice Department and offices of state and federal attorneys-general are "paranoid about leakage," says Mr Baar. For example, witness protection program lists are closely guarded, and kept on a computer system accessible to only a few, not including the systems administrator.

Macquarie Telecom is one of the most highly certified commercial data centres in the Asia Pacific region. It has Defence Signals Directorate (DSD) certification for its internet gateway service for Australian Commonwealth customers. The gateway provides protection from external threats appropriate for systems and data. National security information, such as used by the Cabinet and Prime Minister's offices, is carried on a private secure network, says Mr Baar.

"The data centre is locked down - its physical security configuration has met ASIO T4 requirements." It also follows procedures to obtain ISO 17799 Information Security Management System certification. "Everyone on a computer in a secured area can be recorded on video. All staff have ASIO security checks."

Pharmaceutical companies are "bristling with physical security controls", says Mr Walls.
They have millions of dollars invested in the research and development of their drugs and guard their design information carefully, with physical and procedural controls. PDAs and mobile phones with cameras are usually banned. "Their information is a major corporate asset," he says. "It cannot be allowed to leave the company until it is patented or copyrighted."

Keeping research data confidential is one thing, corruption or loss of integrity in the data is another. Mr Walls says an extreme case would be getting a new drug accepted by the Australian Government. The company might have invested 10 years of research and development to reach a point where authorities would accept data from tests and clinical trials.

"If the validity of the data is questioned, then 10 years have been lost," he says. "To recreate the data in a clinical trial would cost millions of dollars, and a few thousand for a lab test. But it's when the information is irretrievable that it's costly."

Pharmaceutical companies have high security networks, cut off from all other networks. They encrypt their entire networks, "down to the hardware," Mr Walls says. "If someone is working on something that isn't encrypted, they'll stand out. This approach is being adopted more and more by companies.

"Islands of security don't work in a sea of insecurity. In critical environments, we will encrypt everything," he says.

But not all security is electronic. Physical protection remains relevant, Mr Walls says. If data is to be stored for a long time it may be better to lock it in a safe rather than encrypt it, because staff changes and "someone needs the keys to unlock encrypted data".

If data is needed in a court case and it can't be decrypted, then courts will "assume that you are deliberately hiding it, are incompetent (therefore not allowed to be a company director), or obstructing justice," Mr Walls says.
Mr Lancaster notes that, in the US, companies are fined tens of millions of dollars when they are unable to provide data required by a court, something not yet seen in Australia.

Identity theft is a more common problem in Australia, Mr Lancaster says, with fraudsters trying to access laptops and servers to get credit card details or personal information. "Online banking is a key target for security breaches," Mr Lancaster says. "Users need to know that they (are connected to) the real banking online site."

Mobility is increasing the problem, he says. It means the walls of a corporation are becoming increasingly permeable. Laptops could be mislaid in the field, or stolen from cars. How does a company balance the need for such tools with security concerns?

"Any PC or laptop that goes outside an organisation should have a file system that is encrypted," he says. "Otherwise (a thief) can just bypass the password by ripping out the hard drive and putting it into another machine to read it."

Mr Lancaster says that, with 250 million smart phones in the market, mobile devices need the same security infrastructure, such as firewalls and Virtual Private Network access. It also comes down to what the telcos are doing, he says. "There has to be a degree of lockdown at their end to secure devices. They need to have intrusion detection, firewall device, anti-virus, and instant messaging security".

And then there is the human factor. "Data loss occurs primarily because of people," says Mr Baar. "Most information loss is through inappropriate behaviour - someone talking about it in the pub or a lift, for instance. People could go to a cafe with, say, patient records and leave them behind."

Employers may have ASIO checks and security clearances for their staff, but what about the cleaning staff? And what if there's a last-minute replacement? A cleaner could easily slip into an office where sensitive material was stored unencrypted.
"Everybody always underestimates the likelihood of data theft. It is usually unreported, which (distorts data on occurrences) but given the choice of attempting to hack an organisation from the outside or getting inside to its soft centre, you would always take the easiest option. External hacking is uncommon now, because it is too difficult. It's easier to find an insider through money or threats," Mr Baar says.

What about disgruntled employees taking information with them when they leave the company? Mr Lancaster says data needs to be locked down. Departments should be able to retrieve only their own documents.

Finally, says Mr Walls, organisations should not reveal their security controls to their own personnel.