[ISN] Plug the holes in your cone of silence
By Cynthia Karena
May 29, 2007
DATA loss is a significant factor in modern business, dependent as it is
now on electronic systems. And it occurs in many ways, some inadvertent,
some through stupidity and some criminal.
One organisation accidentally puts its sensitive market research report
online before it has been approved; another can't find data that has
been requested by a government department. Others lose laptops,
unwittingly send confidential information in emails, or give contractors
too much access to internal data.
This is lost data and its impact on a business can range from financial
loss, to damage to its reputation, potential loss of customers, or even
imprisonment if there is a breach of corporate governance.
So, how good are your data management policies and procedures? How
secure are your corporate borders?
More than two-thirds of Australian organisations experience six losses
of sensitive data every year, according to new research by the US-based
IT Policy Compliance Group. One in five organisations loses sensitive
data 22 or more times a year.
Lost data includes customer, financial, corporate, employee, and IT
security data that is stolen, leaked or destroyed.
Loss of sensitive, confidential corporate data can also give a rival
company a competitive advantage.
It might, for example, include results of market research, competitive
intelligence analysis of another company, research and development
results, financial information, or a list of possible staff
"In most organisations, the most sensitive information is in emails,"
says Milton Baar, the director of IT Security consultants Swoose
Partnership, and committee member of the ISO 27001 international
security standard for information management.
Mr Baar says three factors should be considered in assessing data loss:
confidentiality, integrity, and availability.
The integrity of data is maintained by ensuring that information is
changed only by those allowed to do so, but organisations also need to
make sure that data can be accessed when it is required.
Confidentiality is often breached when emails are sent, accidentally or
intentionally, to people who should not be seeing them, or when emails
are sent before information should be made public.
Mr Baar says staff should be trained in the use of email, helping them
understand what information is sensitive.
"Have black and white lists, where the server stops sending out and/or
receiving emails to or from certain places," he says. "Have word
searches in outbound emails to ensure that sensitive information isn't
disclosed, accidentally or intentionally. Mark the information
physically or electronically with its security classification."
Attachments could be protected from email disclosure by having Access
Control List entries that allowed them to be sent or blocked depending
on the classification and destination of the information, he says.
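The controls Mr Baar lists above (destination block lists, a word search over outbound mail, and a classification label that decides whether an attachment may leave) can be expressed as one outbound policy check. The following is an added example written for this page, not code from the article or from any product named in it; the domains, the sensitive-term list, the X-Classification header and the label-to-destination table are all constructed assumptions.

```python
"""Outbound e-mail policy check: block list, keyword search, and
classification-based attachment routing. Added example; every domain,
label and keyword below is constructed for illustration."""
import re
from dataclasses import dataclass, field
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed policy tables (assumptions, not taken from the article).
BLOCKED_DOMAINS = {"freemail.example"}      # never send here
INTERNAL_DOMAINS = {"corp.example"}         # our own domain(s)
SENSITIVE_TERMS = re.compile(r"\b(confidential|market research|payroll)\b", re.I)
# Classification label -> destination classes allowed to receive an attachment.
ATTACHMENT_POLICY = {
    "PUBLIC": {"internal", "external"},
    "INTERNAL": {"internal"},
    "CONFIDENTIAL": set(),                  # never by e-mail at all
}
DEFAULT_LABEL = "INTERNAL"  # assumed label for unmarked mail; a stricter site may use CONFIDENTIAL


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def destination_class(addr: str) -> str:
    """Classify one recipient address as blocked, internal or external."""
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in BLOCKED_DOMAINS:
        return "blocked"
    return "internal" if domain in INTERNAL_DOMAINS else "external"


def check_outbound(msg: EmailMessage) -> Verdict:
    """Return a Verdict; an empty reasons list means the mail may be sent."""
    reasons = []
    addrs = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    classes = {destination_class(a) for a in addrs}

    # 1. Black list: the server refuses to send to certain places at all.
    if "blocked" in classes:
        reasons.append("a recipient domain is on the block list")

    # 2. Word search over the outbound body, only relevant when leaving the organisation.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    hit = SENSITIVE_TERMS.search(body)
    if hit and "external" in classes:
        reasons.append(f"sensitive term {hit.group(0)!r} in body addressed to an external recipient")

    # 3. Attachments travel only where their classification label permits.
    label = str(msg.get("X-Classification", DEFAULT_LABEL)).upper()
    permitted = ATTACHMENT_POLICY.get(label, set())   # unknown label: fail closed
    for part in msg.iter_attachments():
        disallowed = (classes - {"blocked"}) - permitted
        if disallowed:
            reasons.append(f"attachment {part.get_filename()!r} labelled {label} "
                           f"may not go to {sorted(disallowed)}")
    return Verdict(not reasons, reasons)


def build_message(sender, to, body, label=None, attachment=None) -> EmailMessage:
    """Construct a test message (helper for the demo, not a mail-server API)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = "constructed test message"
    if label:
        msg["X-Classification"] = label
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    m = build_message("alice@corp.example", "bob@partner.example",
                      "the market research is attached", label="INTERNAL",
                      attachment=("report.xlsx", b"constructed bytes"))
    print(check_outbound(m))
```

The check is deliberately fail-closed on unknown classification labels, and it scans only plain-text bodies; a production gateway would also need to inspect attachment contents and HTML parts, which this example leaves out.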
Cybertrust security consultant Andrew Walls says that the "number one
issue" for organisations is classification of their data. Is it
important that some data remains confidential no matter whether its
integrity is critical or how important it is to have the information
"The critical thing is for business to say what is important, then apply
security controls. What role does the data play in an organisation's
plans, including its profitability? How important is that information?"
"At a simple level decide what is a secret, and what is not. If it is a
secret, talk to us before accessing it or publishing it," Mr Walls says.
"Don't expect the IT security people to make these decisions;
classifying the data is a business decision."
Mr Walls says the Australian Government has five tiers of
classification: public data, internal use only, confidential, protected
and highly protected. At each tier a decision is made on how important
are confidentiality, integrity and availability.
Mr Baar says the proper use of information standards, such as
AS/NZS4360, a risk management standard, would provide a much better
basis for decision making. "Poor risk analysis means that the real
risks, likelihoods and consequences are not known in detail, therefore
the real losses are also unknown," he says. Often, risk was simply
Symantec systems engineering manager Paul Lancaster agrees that
compliance is not just about the data, but its integrity and
availability. Compliance means adhering to regulations that affect a
business and what that means for its data storage systems.
"Data loss occurs when it can't be accessed," says Mr Lancaster.
"Organisations have their own products and services they deliver as a
business and the data behind that is key. Not having the ability to
obtain data to show the public that their data is intact, with no
integrity loss, can be detrimental to a business."
Backing up is one obvious strategy, but how many organisations do this
critical task properly?
Mr Baar says people do back-ups and they usually work. "But most people
don't verify that their back-ups have worked; that is, restore the data
to see if it worked, as sometimes you can't read a back-up." Back-ups
sometimes were not comprehensive enough, missing critical files or
Mr Lancaster says an example of compliance procedures not being met was
when back-up tapes were overwritten and reused to store new data,
"especially if the data is to be kept for 25 years. There have to be
strong internal guidelines as to how a business checks the integrity of
data and the recovery process of data."
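Both points above, that a backup must be restored to prove it worked and that it must actually cover the files that matter, can be checked mechanically. The following is an added example written for this page, not code from the article or from Symantec; the record set, file names and the manifest format are constructed for illustration.

```python
"""Backup verification by restore: archive a directory with a manifest of
file digests, restore into scratch space, and compare. Added example; the
sample files and paths are constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source` and record its digest in a manifest."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(archive: Path, required=()) -> dict:
    """Restore the archive into scratch space and compare it with the manifest.

    `required` lists files the backup must cover, so an archive that is intact
    but not comprehensive is reported as well."""
    manifest = json.loads(manifest_path(archive).read_text())
    report = {"readable": True, "missing": [], "corrupt": [],
              "not_covered": sorted(set(required) - set(manifest))}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # The "data" filter (Python 3.12+, backported to older releases)
                # refuses absolute paths and "../" members, so a tampered
                # archive cannot write outside the scratch directory.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **extra)
        except (tarfile.TarError, OSError, EOFError):
            report["readable"] = False      # the "you can't read a back-up" case
            return report
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_of(restored) != digest:
                report["corrupt"].append(rel)
    return report


def backup_ok(report: dict) -> bool:
    """A backup passes only if it restores cleanly and covers every required file."""
    return report["readable"] and not (report["missing"] or report["corrupt"]
                                       or report["not_covered"])


def demo() -> dict:
    """Back up a constructed record set, verify it three ways, return the reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "notes").mkdir(parents=True)
        (src / "patients.csv").write_text("id,name\n1,constructed\n")
        (src / "notes" / "2007-05.txt").write_text("constructed note\n")
        archive = Path(tmp) / "backup.tar.gz"
        make_backup(src, archive)
        reports = {
            "intact": verify_backup(archive, ["patients.csv", "notes/2007-05.txt"]),
            # audit.log was never included in the backup job at all
            "incomplete": verify_backup(archive, ["patients.csv", "notes/2007-05.txt", "audit.log"]),
        }
        # Simulate a tape that was partially overwritten: keep only the first third.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 3])
        reports["damaged"] = verify_backup(archive, ["patients.csv", "notes/2007-05.txt"])
    return reports


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, "OK" if backup_ok(report) else "FAIL", report)
```

The manifest is written beside the archive here for simplicity; in practice it belongs with the backup catalogue, and a retention rule such as the 25-year one Mr Lancaster mentions means the verification must be rerun periodically, not just at backup time.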
Mr Baar says staff training is essential to reduce the incidence of
"stupid mistakes," such as deleting a whole file set instead of purging
multiple copies, or allowing devices to be taken off-site without
He cites a case at Australian Customs in 2003, when two men posing as
computer technicians entered the cargo processing and intelligence
centre at Sydney International Airport. They were given access to the
top-security mainframe room where they disconnected two computers and
wheeled them out of the room past the security desk and out of the
So what should organisations do to keep their data confidential,
uncorrupted, and available?
MR BAAR says most hospitals in NSW have multiple secure systems, with
servers in two locations to keep patient records secure. There is also
"role-based security access" where only certain people can access or
alter information, for example where a nurse can read or annotate a
patient record, but not delete or create one or where administration can
create a record, but not add information.
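The role-based scheme described above (a nurse may read or annotate but not create or delete; administration may create but not annotate) is a permission matrix with default deny. The following is an added example written for this page, not code from any NSW hospital system; the role names, the operation names, the extra doctor role, the PatientRecord layout and the audit tuple format are all constructed assumptions.

```python
"""Role-based access control for patient records with default deny and an
audit trail of every decision. Added example; roles and record layout are
constructed, not taken from a real hospital system."""
from dataclasses import dataclass, field

# Constructed permission matrix. The nurse and administration rows follow the
# article's description; the doctor row is an added assumption.
ROLE_PERMISSIONS = {
    "nurse": {"read", "annotate"},
    "administration": {"create", "read"},
    "doctor": {"create", "read", "annotate"},
}
# No role is granted "delete": removing a record is left to a separate
# controlled process rather than being an everyday permission.


class AccessDenied(PermissionError):
    pass


@dataclass
class PatientRecord:
    patient_id: str
    notes: list = field(default_factory=list)


def can(role: str, operation: str) -> bool:
    """Default deny: unknown roles and unlisted operations are refused."""
    return operation in ROLE_PERMISSIONS.get(role, set())


class RecordStore:
    def __init__(self):
        self._records = {}
        self.audit = []   # (user, role, operation, patient_id, decision)

    def _authorise(self, user, role, operation, patient_id):
        decision = "ALLOW" if can(role, operation) else "DENY"
        self.audit.append((user, role, operation, patient_id, decision))
        if decision == "DENY":
            raise AccessDenied(f"{role} {user!r} may not {operation} record {patient_id}")

    def create(self, user, role, patient_id):
        self._authorise(user, role, "create", patient_id)
        if patient_id in self._records:
            raise ValueError(f"record {patient_id} already exists")
        self._records[patient_id] = PatientRecord(patient_id)

    def read(self, user, role, patient_id) -> PatientRecord:
        self._authorise(user, role, "read", patient_id)
        return self._records[patient_id]

    def annotate(self, user, role, patient_id, note):
        self._authorise(user, role, "annotate", patient_id)
        self._records[patient_id].notes.append(f"{user}: {note}")

    def delete(self, user, role, patient_id):
        self._authorise(user, role, "delete", patient_id)
        del self._records[patient_id]   # unreachable under the matrix above


def is_denied(fn, *args) -> bool:
    """Demo helper: True if the call is refused by the access check."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    store = RecordStore()
    store.create("sam", "administration", "p-001")          # allowed
    store.annotate("nia", "nurse", "p-001", "observations recorded")  # allowed
    print(is_denied(store.create, "nia", "nurse", "p-002"))  # nurse may not create
    print(is_denied(store.delete, "sam", "administration", "p-001"))  # nobody deletes
    for entry in store.audit:
        print(entry)
```

Keeping the authorisation check in one place, before any data is touched, is what makes the matrix enforceable; the audit list is the record that lets a DENY be noticed rather than silently swallowed.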
The Justice Department and offices of state and federal
attorneys-general are "paranoid about leakage," says Mr Baar. For
example, witness protection program lists are closely guarded, and kept
on a computer system accessible to only a few, not including the systems
Macquarie Telecom is one of the most highly certified commercial data
centres in the Asia Pacific region. It has Defence Signals Directorate
(DSD) certification for its internet gateway service for Australian
Commonwealth customers. The gateway provides protection from external
threats appropriate for systems and data.
National security information, such as used by the Cabinet and Prime
Minister's offices, is carried on a private secure network, says Mr
Baar. "The data centre is locked down - its physical security
configuration has met ASIO T4 requirements." It also follows procedures
to obtain ISO 17799 Information Security Management System
"Everyone on a computer in a secured area can be recorded on video. All
staff have ASIO security checks."
Pharmaceutical companies are "bristling with physical security
controls", says Mr Walls. They have millions of dollars invested in the
research and development of their drugs and guard their design
information carefully, with physical and procedural controls. PDAs and
mobile phones with cameras are usually banned.
"Their information is a major corporate asset," he says. "It cannot be
allowed to leave the company until it is patented or copyrighted."
Keeping research data confidential is one thing, corruption or loss of
integrity in the data is another.
Mr Walls says an extreme case would be getting a new drug accepted by
the Australian Government. The company might have invested 10 years of
research and development to reach a point where authorities would accept
data from tests and clinical trials.
"If the validity of the data is questioned, then 10 years have been
lost," he says. "To recreate the data in a clinical trial would cost
millions of dollars, and a few thousand for a lab test. But it's when
the information is irretrievable that it's costly."
Pharmaceutical companies have high security networks, cut off from all
other networks. They encrypt their entire networks, "down to the
hardware," Mr Walls says. "If someone is working on something that isn't
encrypted, they'll stand out. This approach is being adopted more and
more by companies.
"Islands of security don't work in a sea of insecurity. In critical
environments, we will encrypt everything," he says.
But not all security is electronic. Physical protection remains
relevant, Mr Walls says.
If data is to be stored for a long time it may be better to lock it in a
safe rather than encrypt it, because staff changes and "someone needs
the keys to unlock encrypted data". If data is needed in a court case
and it can't be decrypted, then courts will "assume that you are
deliberately hiding it, are incompetent (therefore not allowed to be a
company director), or obstructing justice," Mr Walls says.
Mr Lancaster notes that, in the US, companies are fined tens of millions
of dollars when they are unable to provide data required by a court,
something not yet seen in Australia.
Identity theft is a more common problem in Australia, Mr Lancaster says,
with fraudsters trying to access laptops and servers to get credit card
details or personal information.
"Online banking is a key target for security breaches," Mr Lancaster
says. "Users need to know that they (are connected to) the real banking
Mobility is increasing the problem, he says. It means the walls of a
corporation are becoming increasingly permeable. Laptops could be
mislaid in the field, or stolen from cars. How does a company balance
the need for such tools with security concerns?
"Any PC or laptop that goes outside an organisation should have a file
system that is encrypted," he says. "Otherwise (a thief) can just bypass
the password by ripping out the hard drive and putting it into another
machine to read it."
Mr Lancaster says that, with 250 million smart phones in the market,
mobile devices need the same security infrastructure, such as firewalls
and Virtual Private Network access.
It also comes down to what the telcos are doing, he says. "There has to
be a degree of lockdown at their end to secure devices. They need to
have intrusion detection, firewall device, anti-virus, and instant
And then there is the human factor. "Data loss occurs primarily because
of people," says Mr Baar. "Most information loss is through
inappropriate behaviour - someone talking about it in the pub or a lift,
for instance. People could go to a cafe with, say, patient records and
leave them behind."
Employees may have ASIO checks and security clearances for their staff
but what about the cleaning staff? And what if there's a last-minute
replacement? A cleaner could easily slip into an office where sensitive
material was stored unencrypted.
"Everybody always underestimates the likelihood of data theft. It is
usually unreported, which (distorts data on occurrences) but given the
choice of attempting to hack an organisation from the outside or getting
inside to its soft centre, you would always take the easiest option.
External hacking is uncommon now, because it is too difficult. It's
easier to find an insider through money or threats," Mr Baar says.
What about disgruntled employees taking information with them when they
leave the company? Mr Lancaster says data needs to be locked down.
Departments should be able to retrieve only their own documents.
Finally, says Mr Walls, organisations should not reveal their security
controls to their own personnel.