
Security Profession blog

Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.

Thursday 28 August 2008, 2:33 PM

Customer data found on eBay server highlights people as weak link

Posted by (ISC)2

The recent news about customer details being retrieved from a server sold on eBay is yet another story about the sorry state of information security in the electronic age (see: http://news.zdnet.co.uk/security/0,1000000189,39465455,00.htm). What is important here is not the actors' names, but how it happened, what the response was and how could security procedures be improved in the future.

There are two basic things at play here: people and organisations continue to be, for the most part, reactive when it comes to security. And, secondly, they continue to concentrate on technological measures, when the weakest link is still the people.

So, the answer to this should have been not "can we have our server back, please" or "we take security seriously here", but to immediately set up a team composed of both business and technical people to check exactly how this happened. It would also be good if the ‘actors’ got together and communicated that they are doing this. Communication is very important in any security event!

The servers sold on eBay could have had their hard disk drive (HDD) wiped or reformatted, and that would have been good practice. However, that may not have been enough, if someone could have recovered the data with a bit more effort. In military applications, there are special programs that rewrite HDDs a certain number of times, to make sure data retrieval by a determined attacker is not possible. Then, there is also the option to completely destroy the hard disk if the data on it and the risks to it warrant it.

A very important thing to look at is this: had the people involved with this server, throughout its life, been adequately trained? Were they aware of the value that this type of information could have? Were the risks related to this type of data properly assessed? Were the mitigation measures commensurate with the risks?

These are the questions we, as information security professionals, need to ask. Before computers existed, any employee leaving a firm and wanting to take client info with them to a competitor would have had to photocopy paper files after work. Now, with IT at their disposal, the same action is possible within just a few minutes using a USB stick. The power of modern IT creates this terrible asymmetry, which means that the people and the process are as important as the technological measures, in any security incident as well as in daily company operations.

In brief: look at security holistically and create security measures commensurate with the risk, for each type of data and technology used for a certain business purpose. Train people, review and enforce good processes and practices. Let's take the right approach to ensure that such incidents are a thing of the past and no headlines need to be written about them.

Ionut Ionescu, CISSP, CISM, GSEC, Member of (ISC)2’s European Advisory Board and EMEA director of security services for Nortel Global Services
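The multi-pass overwrite the post above describes, as an added example that is not part of the original post: a random-data pass repeated a set number of times, a final zero pass, and a read-back check that nothing non-zero survived. The `wipe_demo` helper, the pass count and the stand-in content are constructed for illustration; the block works on a regular file or, on Linux, a block device opened read-write.

```python
import os
import secrets
import tempfile

# Added example, not from the original post. Overwrites at the file/device level;
# SSD spare blocks and remapped sectors are not reached this way, which is one
# reason firmware sanitize commands or physical destruction remain options.
CHUNK = 1024 * 1024  # 1 MiB per write

def _fill(f, size, make_block, chunk):
    """Write `size` bytes from offset 0, chunk by chunk, from make_block(n), then sync to disk."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(chunk, remaining)
        f.write(make_block(n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())

def overwrite_passes(path, passes=3, chunk=CHUNK):
    """`passes` random overwrites followed by a final all-zero pass; returns bytes per pass."""
    with open(path, "r+b", buffering=0) as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()                # also gives the size of a block device on Linux
        for _ in range(passes):
            _fill(f, size, secrets.token_bytes, chunk)
        _fill(f, size, bytes, chunk)   # bytes(n) is n zero bytes
    return size

def verify_zeroed(path, chunk=CHUNK):
    """Read everything back and confirm no non-zero byte survived the final pass."""
    with open(path, "rb") as f:
        while block := f.read(chunk):
            if block.count(0) != len(block):
                return False
    return True

def wipe_demo(size=3 * 1024 * 1024 + 17):
    """Constructed demo: write a stand-in for customer data to a temp file, wipe it, report."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"\xab" * size)        # constructed non-zero content
    try:
        before, per_pass = verify_zeroed(path), overwrite_passes(path)
        return {"size": size, "zero_before": before,
                "bytes_per_pass": per_pass, "zero_after": verify_zeroed(path)}
    finally:
        os.unlink(path)
```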



Thursday 21 August 2008, 10:50 PM

Should a security professional have a legal background?

Posted by (ISC)2

My own experience and talking to colleagues have prompted me to wonder whether the day has arrived that security professionals will need a legal background. The information security management professional is under increasing pressure to cope with the demands of the organization for access to information, to manage the expectations of the data owner on how and where the information is going to be processed, and to adhere to regulatory and legal requirements for data protection and archiving. In 2008, a number of rogue trader and tax evasion cases in the financial sector have heightened this pressure to manage data. See selected articles from (http://www.theregister.co.uk/).

Directing IT to maintain a security boundary at the perimeter and assuming the organization will act responsibly when processing data on the internal network is one assumption that is simply unrealistic. Information security professionals will be aware of standards, such as ISO/IEC 27001:2005. But these standards are not a blueprint, and other professional advice and guidance is needed to set adequate and appropriate information security controls.

The Legal professional is now in strong demand for many organizations, helping clarify what information needs to be controlled and, furthermore, what expectations the data owner and regulator may have. But Legal can also help with information security policy regarding employees, and what expectations the Human Resources manager might have regarding preventative controls stopping the employee from committing a breach of the organisation’s employment policy or even criminal law.

Your information management and data classification policy needs a revamp with a Legal view before even considering defining the future technical information security strategy. There are a number of reference sites and firms providing this, see (http://www.out-law.com/). Many organizations follow simple rules and classify data sensitivity levels as “Confidential”, “Internal Only” and “Public”. But this is not enough when considering the information protection requirements across the organization. Assuming the current technical security model works, the next step is to have the Legal input. Establishing a joint initiative will bring credibility to you as an information security professional (ISC2 certification in hand, of course) and enable the first enhanced definitions of an information/data management policy.

My first suggestion is to start with the topic of employee investigations. Most organizations will have at least some employees! Whilst this topic is not for the faint-hearted, you can approach it in a constructive way with both the Legal and Human Resources departments, and it will further define approaches for other sensitive information, e.g. customer data. By approaching the issue under the premise of protecting employees from themselves, preventative controls can be discussed. But thereafter, the topics of electronic discovery, computer forensics, archiving and regulatory information barriers may well be raised. I am not suggesting not having a “customer”-centric business model; rather, enhancing your information security policy inside out will bring closer working relationships for your organisation’s professionals, to address the other thornier information management topics. And at this point you may well be considering going back to school to brush up on Legal cases!

Alessandro Moretti, CISSP, Member of (ISC)2's European Advisory Board and Executive Director of IT security risk management at an investment bank

Monday 18 August 2008, 3:56 PM

Biometrics needs to keep the bad guys out not the good guys

Posted by (ISC)2

I was interested to read recently that the biometric market was about to double. This market has been around for almost as long as modern information security. In some respects it’s a bit like PKI, a solution looking for a problem. The difference with biometrics, however, is not that there are no problems to solve but rather that there is always a trade-off between “false negatives” and “false positives”. The paradox for us in information security is keeping the bad guys out without restricting access to people who need it.

When I was at the Royal Bank of Scotland, we undertook quite a detailed study of how biometrics could be used for banking customers and for managing internal systems. Our conclusion at that time was that the technology was still not sufficiently mature to implement on a wide scale. I believe that this is gradually changing and, in agreement with the recent report, that we will see more and more biometric technology being implemented. In fact, our last survey of the information security workforce found that biometrics was high on the list of technologies that were being planned for deployment, with 14 percent of the total survey saying they planned to deploy biometrics. It was also one of the top 5 technologies already being deployed across EMEA.

While biometrics is relatively good for authentication, it can be relatively slow and not so accurate for identification. Take for example UK immigration’s (or I should say the UK Border Agency’s, to give it its new name) rather tautologically named “Iris recognition immigration system”, the IRIS system. This system allows users that have pre-registered to get through UK immigration by iris recognition without the need to visit an immigration officer. This is interesting as it is using biometrics as a form of identification rather than verifying a claimed identity. I’ve used this system a number of times and the disadvantage that I have found is that at busy times there are so many problems getting accurate results that it is often quicker to queue up to see an immigration officer. I’m sure this will improve once more reading stations are installed and users get more used to using it. So if biometrics is going to feature at the 2012 Olympic Games, I hope that by then the existing problems will have been solved and that we don’t see long queues of people waiting for computer verification before they can enjoy a sporting event. Biometrics needs to keep the bad guys out but not the good guys as well!

John Colley, CISSP
Managing Director (ISC)2 EMEA
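The trade-off the post above describes, as an added example that is not part of the original post: a threshold sweep over constructed genuine and impostor match scores, showing the false reject rate rising as the false accept rate falls, plus the reason 1:N identification (no claimed identity, as at an IRIS gate) is harder than 1:1 verification. The score lists and the independence assumption in `identification_false_match` are constructed for illustration.

```python
# Added example, not from the original post. GENUINE_SCORES and IMPOSTOR_SCORES
# are constructed match scores (0 = no match, 1 = perfect match), not real data.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.58, 0.52, 0.49, 0.45, 0.41, 0.38, 0.33, 0.29, 0.22, 0.15]

def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) when a sample is accepted iff score >= threshold.

    FRR (false reject rate): genuine users turned away, the "good guys" kept out.
    FAR (false accept rate): impostors let through, the "bad guys" let in.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far

def sweep(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """(threshold, FRR, FAR) per threshold: as the threshold rises, FAR can only fall
    and FRR can only rise, so no single setting minimises both."""
    return [(t, *error_rates(t, genuine, impostor)) for t in thresholds]

def equal_error_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold at which FRR and FAR are closest (the equal error rate operating
    point), a usual starting point before tuning towards security or convenience."""
    candidates = sorted(set(genuine) | set(impostor))
    return min(candidates,
               key=lambda t: abs(error_rates(t, genuine, impostor)[0]
                                 - error_rates(t, genuine, impostor)[1]))

def identification_false_match(far, enrolled):
    """Chance that a 1:N identification search matches at least one wrong template,
    assuming independent comparisons: 1 - (1 - FAR)^N. A FAR acceptable for 1:1
    verification grows quickly with the size of the enrolled population."""
    return 1 - (1 - far) ** enrolled

if __name__ == "__main__":
    for t, frr, far in sweep([0.40, 0.50, 0.58, 0.65, 0.75]):
        print(f"threshold {t:.2f}: FRR {frr:.1f}  FAR {far:.1f}")
    print("EER threshold:", equal_error_threshold())
    print("1:N false match at N=1000, FAR=0.001:",
          round(identification_false_match(0.001, 1000), 3))
```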
