Amongst all the high profile attacks of late, this incident serves as a reminder that threats to information security come from different directions at all times. It could be an external or internal attack, it could be malicious or accidental. So it’s important to take a step back from time to time and make sure you’re not focussing all your attention on fixing one potential threat avenue whilst ignoring others. It’s like my Grandad taking great care to make sure his sugar levels remain within range whilst completely overlooking his blood pressure.

 When looking at what went wrong in Sosasta’s case, it would be all wrong to put the issue down to a simple user error. It does raise some questions.

 Managing changes

Did Sosasta have a change management process? On the surface, it appears as if an administrator was simply able to make some changes to the live environment. Not only that, there was no checking or validation of the changes he made. In fact, if this hadn’t been picked up and publicised, who knows how long this could have remained out in the open.

 Unencrypted data

There is simply no excuse for not encrypting your sensitive data let alone user passwords. By having unencrypted passwords, not only do you render them pretty much useless, if you have to investigate fraudulent activity, you will pretty much have no legal basis upon which you can prove in court that a particular user committed an illegal act. You lose the confidence in knowing who is really logging onto your system.

 The wider impact

The typical defence touted around usually is that this was a small company and even if someone accessed another persons account, there is little to no impact. Which may be true if you were looking at the incident in isolation. Unfortunately, the internet does not operate in isolation. Users end up re-using the same password for all sites they access. So don’t be surprised if someone already took the list of usernames and passwords and started using the combination to see if they could get into peoples emails, Facebook or Paypal accounts.

 Ultimately, all companies, regardless of their size have a very real duty of care as to how they protect their customers information. If your company has poor security and your customer details are leaked. They could be used to attack those customers registered for another website. Conversely, if your customer details are leaked by another website, all of a sudden you may start receiving calls from your customers asking why there has been unauthorised transactions on their account. You end up having to pay for someone else’s lack of security.

 Because of that, information security isn’t just restricted to your organisation and your customer details. It’s everybody’s problem. Are you doing your bit?

Compared to news of companies being breached by hacking groups, on the surface, this could appear to be a trivial case of theft. However, it does indicate failure of security controls at multiple levels.

1. Does the NHS have the right Information Security Policies and Standards in place? Specifically around information classification that would define how information should be classified, labelled and handled throughout its lifecycle. If these are in place, have they been effectively and clearly articulated to the users?

2. If we assume the policies and standards were in place, and assuming that the business had a legitimate reason to have confidential data on these lost laptops. The question arises whether there was any form of Information Security Risk Management framework in place to assess the risk of having the data on the laptop. Was this an exception to the rule, or do most NHS laptops contain millions of customer records?

3. Most mature organisations have various controls (technical, procedural and management) to monitor compliance against defined policies and standards. Did the compliance monitoring controls not pick the fact that there was any issue with copying vast amounts of customer records onto a laptop, were there no controls in place, or did the people responsible for monitoring simply choose to ignore the warnings?

4.  Assuming the NHS has well a defined Information Classification and Handling standard, do they have an effective Security Awareness program that helps to disseminate key messages to their staff members. How do they check effectiveness of their awareness program to ensure key messages are understood by everyone.

It is correct that impact would have been much lesser if these laptops were encrypted. But it raises a key question, is encrypting laptop sufficient? Can we only rely on technical security controls? This incident makes it clear that effective management of information security controls is much more than technical security controls and organisations must ensure that controls at various levels are operating effectively.

Read the rest of the whitepaper here.

Download the whitepaper here

Download the whitepaper here.

Smartphone Challenges Infographics

Click the image to view in full size.

http://www.quantainia.com/wp-content/uploads/2011/02/Quantainia-Mobile-security-Infographic.jpg

There has been great change in how people perceive social media. It’s shifted from debating over the value social media provides to mass acceptance at a grass roots level.

Now the discussions are more about figuring out how to use social media, and looking at social media shaping world events. Not so long ago, we witnessed how satellite and cable broadcasters redefined exposure of news with 24 x 7 coverage. Now social media provides a 24 hour open communication platform for these issues to be broadcasted, shared, and discussed – sometimes even in countries and organisations where it has been difficult for people’s voices to be heard.

Research carried out by digital marketing agency twentysix showed that social media usage in particular developing markets, such as China, is evolving faster than in Europe and North America – 49 % of Chinese respondents access their favourite social media sites from work, compared to 24  % in the UK and only 20 % in the US. Moreover, Chinese consumers are also much more amenable to promotions and special offers provided by social media: over two-thirds  ( 68 % ) are likely to take up these offers, as opposed to 42 % in the US and only 40 % in the UK.

Download the rest of the whitepaper here

This year however, I’ve decided that I should make some specific professional resolutions with regards to information security.

Once I sat down to think about it, I realised it wasn’t an easy task. In order to make a resolution, you have to first admit there is a deficiency that needs correcting to begin with. So when someone asks you “what’s your resolution” what you’re really telling them is what you think is wrong with you.

Information security is not unlike most professional industries. Whenever anything goes wrong, it’s never really our fault. With a large number of people to point the finger at, it’s almost too easy to shift the blame. If there’s a security breach, you can blame the “lazy” developer for coding it wrong, the “incompetent” IT department for not patching it on time, the “ignorant” manager for not doing anything with the risk report you issued them with, or if all else fails, simply blame the “dumb” user.

So, this year, I’d like to set off on a more positive and accountable route. Not just personally, but hopefully something that my friends and colleagues in information security will also adopt:

If you’ve heard me talk about security but still don’t think it’s important.

That’s my fault not yours.

If you’ve seen my solution but don’t endorse it.

Then I haven’t understood your problem correctly

If you’re bored of my presentation

That’s due to my lack of passion and engagement.

If I fail to persuade you to implement a policy

That’s my fault too.

If a system is so secure it reduces your efficiency.

Then I need to design solutions that meet your business needs.

Wishing you a happy and prosperous 2011.

2010 has been notable for a number of reasons, the advent of a coalition government in the UK, followed by swinging spending cuts, and a turbulent economic picture. In a regulatory sense, too, 2010 stands out: increasingly active regulators have increased fines for organisations which are found to have failed to comply with basic levels of protection around data. A new record was set with the £17.5 million FSA fine on Goldman Sachs. Moreover, the emphasis has broadened – rather than the ICO and FSA focusing solely on the financial sector. Both Hertfordshire County Council and A4E were the subject of fines for weak controls around personal data. At the same time, other regulation continues to apply – many organisations are struggling with PCI-DSS compliance, not only in the commercial sector, but also in the state sector, where cards are important for covering payments for basic services.

Download the rest of the whitepaper here

But how can this effect a business? Let’s scratch beneath the political issues and scandalous accusations to see what led to the leak and how it could happen in any company.

1. The Disgruntled Employee

Ultimately, in these types of scenario’s someone on the inside with access to information passed it on to an unauthorised 3rd party. In this case it was Wikileaks, but for a private company, it may as well be your fiercest competitor. Unless you have a small organisation where everybody knows each other very well, this can be extremely difficult to detect.

When was the last time you conducted an employee satisfaction survey?

2. Excessive levels of access

In a response to criticism about the lack of intelligence sharing, so they ended up creating a repository of data which where information was accessible by nearly everyone regardless of their rank and authorisation. Businesses are also guilty of such practises, for example where marketing departments collate all their data in crude repositories such as spreadsheets to which there is no control over who has access. Or where a user moves departments and over time accrues access far beyond what they are entitled to.

How many users in your organisation have access to information they don’t need?

3. Removable media

Portable removable media such as USB memory sticks, writeable CDs and DVDs make it extremely easy to extract large quantities of information out of organisations. Had the U.S. military prevented the use of removable media, the WikiLeaks incident could have probably been avoided altogether. But it’s not just the conventional media that are culprits. Backup tapes, mobile phones and even laptops are tools which can be used to extract information from right under your nose.

What data can be removed from your organisation on a USB stick?

4. Monitoring controls

Independent monitoring controls are your fail-safe. Adequate monitoring controls should raise alerts when a user accesses data types and volumes they shouldn’t. Or where sensitive information is being transferred to outside its protected environment such as portable media or across the internet. Much like a burglar alarm, it may not stop the actual deed in realtime. But it gives you a heads up as to what’s happening so the appropriate steps can be taken.

If 100,000 customer records were emailed out of your organisation, would you know?

Most organisation suffer lost information. Sometimes they are highly visible like WikiLeaks and other times no-one hardly notices. But by having a layered approach and adopting good security practices, you can greatly reduce the chances of a major loss.