
Tom Espiner


Security Bullet In

Communiques from the security front, sir

Tuesday 4 November 2008, 5:35 PM

And the data loss goes on...

Posted by Tom Espiner

This time it's a memory stick lost by Atos Origin with usernames and passwords for the government Gateway site.

According to the Financial Times, the stick was encrypted, and turned up fairly soon after being lost:

"It emerged on Saturday night that ministers ordered the temporary shut-down of the [Gateway] site after the loss was reported, although the memory stick was subsequently discovered in a pub car park in Staffordshire where the company is based," wrote the FT.

The Gateway site is used for such activities as tax payments and benefit claims -- not information UK citizens want to be compromised. The Department of Work and Pensions, which administers the site, took the incident seriously, and is now investigating it, even though the USB stick was encrypted.

It seems the government is taking data loss more seriously, which is a good thing. Companies with public sector contracts will as a consequence take data loss more seriously, which is also good.

However, the government still wants more data-sharing between departments, and with the private sector. It wants to put all sorts of data in massive databases, such as the National Identity Register, and asks citizens to trust it with that data, while losing valuable information hand over fist. Moreover, there are no guarantees about how that information will be used in the future.

Comments on this post

lumension

It seems that this story is being blown out of all proportions - the Government has confirmed that the data stick was encrypted, meaning there is no data loss. Whoever was responsible for ensuring the USB stick was encrypted should be congratulated.

A suggestion was made that removable media should be banned but that is somewhat out of kilter with business requirements. The main issue is for organisations to have control over which employees or contractors can use USB sticks, whether or not the data is sensitive and to ensure that all sensitive data is encrypted. And of course, that controls are in place as to who and where it can be decrypted.

Data loss can be eliminated if Government departments and their contractors take control of removable devices and govern the flow of inbound and outbound data to and from mobile devices, ensuring data is encrypted during transmission.

Updated by lumension on Nov 6, 2008 9:52 AM

roger andre

I think all sensitive removable media being moved around could do with RFID tracking chips. That would make much more sense than hiding them in retail items. Even more so now that Gordon Brown has said that he can't promise it won't happen again!!

Posted by roger andre on Nov 5, 2008 4:19 PM

usb-lock-rp

What could be highlighted is that device specific protection was finally responsible for preventing further damage.

Many software solutions continue to approach protection against removable media based on USER privileges (policy deployment) when for example usb removable drives are governed by the operating system not user account.

So in fact to actually effectively prevent data entrance from a usb storage device you have to block the usb at operating system level not at user level.
Adequate protection against data extraction has to go together with data entrance prevention.
That is why many organizations start to realize that their per USER based protection security policies deployment either by native means or endpoint security solutions "enhanced policy deployers" are not adequate protection.

Removable media should be controlled at operating system level and at device specific level, not USER level.
In such a way that only a specific usb device can be used on a specific machine, for a specific time period, and that the authorized device is monitored, and that information on the device can be easily encrypted and auto destroy itself in case of falling into the wrong hands.
All that effortlessly managed remotely in real-time.

Endpoint usb Security levels at a glance:
1) BIOS (machine level):
Pros
-Strongest
Cons
a) Would not allow non-storage usb devices usage.
b) Requires restart for changes in security to take effect.
2) Operating System
Pros
-Strongest that allows the usage of non-storage usb devices
-Strongest that allows remote control to be effective in real-time without restart.
-Blocks effectively incoming as well as outgoing.
3) User level
Cons
-Not adequate to prevent data incoming to the system by removable usb storage or smartcards.

Endpoint security software needs to be straightforward else it becomes redundant or ineffective.



Updated by usb-lock-rp on Nov 6, 2008 9:51 AM

