
Some top security tips that ALL employees can use

When it comes to security, one thing is clear: people occasionally do daft things with computers and devices, and they frequently do these daft things at work. They occasionally do malicious things too, but it is mostly just daft. So we can train our employees (including managers and directors) in our procedures and policies, and enforce them. In fact, time spent thinking about the best way to train different teams is never wasted, because it gives you the chance to use their language and create something nuanced that will make a genuine difference, which is, after all, the whole point of doing it.

Looking at some of the data from Vormetric’s Insider Threat report, privileged users are in fact still posing a security headache to many of the respondents. They may be system admins or senior colleagues who are simply not restricted or monitored in the way other employees are. These are the people who can access very sensitive or valuable information and so need to be even more vigilant in their behaviour. But let’s face it, one phishing email clicked and one payload of malware downloaded is all it takes, and that could be done by an MD or a temp.

I asked the team here at Advent IM to come up with some practical tips that all employees can use, regardless of their role, to help protect their organisations and enhance their understanding of the vital role they play in securing assets.

  • That email telling you there’s a juicy tax rebate waiting for you, but it needs to be claimed immediately, hasn’t come from the Government. It’s a phishing email. Clicking that link can allow malware to be installed and your personal information to be stolen. Do not click on links in emails you are not expecting, and if in any doubt refer to your security manager.
  • Never set your smartphone to allow download and installation of apps from sources other than an approved store. Changing this setting can allow malware to be installed without your knowledge and could make you a ransomware victim.
  • Always report security breaches immediately to your line manager so that any necessary counter-compromise action can be taken. If the organisation isn’t aware of an incident, it can worsen or spread; containment and control as quickly as possible is vital.
  • Archive old emails and clear your deleted and sent folders regularly; a clean and tidy mailbox is a healthy mailbox.
  • Never discuss work topics on social media, as your comments may come back and bite you. You could also be compromising your employer’s and colleagues’ security and increasing the likelihood, or the ease, of an attack.
  • Don’t worry about challenging people you do not know who are not wearing ID or visitor badges. It may seem impolite, but social engineers use inherent politeness to their advantage and can then move round a site, potentially unchallenged.
  • Don’t allow colleagues to use your login credentials, and this goes double for temps and contractors. Think of it like lending your fingerprints or DNA to someone: would you do that so easily? Any activity on your login will be attributed to you.
  • Do you really need to take your work device to the pub with you? More than a quarter of people admit to having lost (or had stolen) up to three work devices, and more than half of those were lost in a pub.
  • Don’t send sensitive documents to your personal email address. If there is a security measure in place, it is there for a reason.
  • Don’t plug any old USB stick into your PC. Nearly one in five people who found a random USB stick in a public setting proceeded to use it in ways that posed risks to their personal devices and information and, potentially, to their employer’s. It could have anything on it, so exercise caution.

Some of the findings on Insider Threat from the Vormetric 2015 survey…


Data Protection and Temporary Workers – the Perfect Data Breach Storm?

This morning brought security news stories from around the globe as usual. One jumped out at me, not because it was unusual but because the wording highlighted some dangerous assumptions and errors in thinking that many of us are guilty of.


oops there goes the sensitive data. Image courtesy of freedigitalphotos.net

The story was about a temporary worker at a hospital who had sent letters containing highly sensitive children’s data to the wrong addresses. Apparently the temporary worker who had made this series of errors had not received any Data Protection training. The story explained that the ICO had given a warning that “even temporary staff should have Data Protection Training”.

Bear with me. Last year another breach occurred in a hospital when a temp worker downloaded a large batch of patient data onto a data stick and took it home to work on. Apparently on this occasion it was assumed that Data Protection training had been done by someone else.

Firstly, assuming someone has had training in something is always dangerous. If you are going to allow temporary workers access to such sensitive data, training is a must-have. Secondly, is it appropriate for a temporary worker to have that access at all? Obviously this will vary by role and circumstance.

It’s not just the NHS; businesses make this mistake too. I have seen temporary workers who have had no vetting logged into networks by well-meaning employees using their own login credentials. There they have been able to access any sensitive data they wished, and the trusting employee has handed the organisation’s data to someone who may well damage, steal or sell it.

Back to my original point: to say that ‘even’ temporary workers should have Data Protection training seems a bit like looking the wrong way down a telescope. Surely we should be saying that temporary workers especially need Data Protection training?

The safest place to keep your data…”Cloud” or “Train”..?

How will “Cloud” compete with “Train”?

We all know that the Cloud is the place to store all your data, right? We used to think that “Train” was the best place to store our data, and some traditionalists, such as the person who left the Olympic security plans on “Train”, clearly think it’s still the best data storage option. Of course, there is also “Taxi”, still popular, but you can only get your data to go on a maximum 20-mile round trip, so it’s a bit limited really. Not as limited as “Pub”, though; this is a data storage concept that is still hanging around after all these years.

“I found this on the back seat of a Taxi.”

OK, joking aside, are businesses and organisations going into the Cloud fully armed with information? If they aren’t, then they may as well stick with Train and Taxi. We have put together a guide to help inform, dispel some myths (as we see them) and give some real clarity and guidance, with sincere thanks to our gifted and expert consultants.

SC Magazine published an interesting piece just before Christmas on Cloud computing (http://www.scmagazineuk.com/loglogic-the-public-Cloud-will-be-breached-next-year/article/219907/).

Amongst the issues identified in the article were:

  • That Cloud-based infrastructure has a distinctive threat profile (correct);
  • That the answer to Cloud security is through compliance and standards (to a degree); and
  • That Cloud service providers should be regulated by an independent body (we don’t agree).

These three assertions are worth some further digging and clarification.

The distinguishing threats relating to Cloud services have been well publicised but here is a quick run-down of our top Cloud-based information security threats:

I. System Complexity – Public Cloud services have a serious underlying complication: subscribing organisations typically share components and resources with other subscribers that are unknown to them. Threats to network and computing infrastructures continue to increase each year and have become more sophisticated. Having to share an infrastructure with unknown outside parties can be a major drawback for some applications and requires a high level of assurance in the strength of the security mechanisms used for logical separation.

II. Shared Multi-tenancy – While not unique to Cloud computing, logical separation is a non-trivial problem that is exacerbated by the scale of Cloud computing. An attacker could also pose as a subscriber to exploit vulnerabilities from within the Cloud environment to gain unauthorised access.

III. The Internet – Applications and data that were previously accessed from within the confines of an organisation’s network, but have been moved to the Cloud, now face increased risk from network threats that were previously defended against at the organisation’s perimeter, and from new threats that target the exposed end-points.

IV. Compliance – When information crosses borders, the governing legal, privacy and regulatory regimes can be ambiguous and raise a variety of concerns. Consequently, constraints on the trans-border flow of sensitive data, as well as the requirements on the protection afforded to the data, have become the subject of national and regional privacy and security laws and regulations. Among the concerns to be addressed are whether the laws in the jurisdiction where the data was collected permit the flow, whether those laws continue to apply to the data post-transfer, and whether the laws at the destination present additional risks or benefits.

V. Loss of Control – Remote administrative access as the single means of managing the organisation’s assets held in the Cloud also increases risk compared with a traditional data centre, where administrative access to platforms can be restricted to direct or internal connections.

VI. Mechanism Cracking – With Cloud computing, a task that would take five days to run on a single computer takes only 20 minutes on a cluster of 400 virtual machines. Because cryptography is used widely in authentication, data confidentiality and integrity, and other security mechanisms, those mechanisms become, in effect, weaker when cryptographic key-cracking capacity can be rented from Cloud services. Granted, this isn’t just a Cloud-based threat: traditional types of system are possible targets too.

VII. Insider Access / Threat – Data processed or stored outside the confines of an organisation, its firewall and its other security controls brings with it an inherent level of risk. The insider threat is a well-known issue for most organisations and, despite the name, applies equally to outsourced Cloud services. With the Cloud, insider threats go beyond those posed by current or former employees to include contractors, organisational affiliates and other parties that have received access to an organisation’s networks, systems and data to carry out or facilitate operations. Incidents may involve various types of fraud, sabotage of information resources and theft of confidential information. Incidents may also be caused unintentionally, for instance a bank employee sending sensitive customer information to the wrong Google mail account.

VIII. Data Ownership – The organisation’s ownership rights over the data must be firmly established in the service contract to provide a basis for trust. The continuing controversy over privacy and data ownership rights for social networking users illustrates the impact that ambiguous terms can have on the parties involved. Ideally, the contract should state clearly that the organisation retains ownership of all its data; that the Cloud provider acquires no rights or licences through the agreement to use the data for its own purposes, including intellectual property rights or licences; and that the Cloud provider does not acquire and may not claim any ownership interest in the data.

IX. Data Sanitisation – The data sanitisation practices that a Cloud provider implements have obvious implications for security. Sanitisation is the removal of sensitive data from a storage device, including servers, in various situations, such as when a storage device is removed from service or moved elsewhere to be stored. Data sanitisation also applies to backup copies made for recovery and restoration of service, and to residual data remaining upon termination of service. In a Cloud computing environment, data from one subscriber is physically co-located with the data of other subscribers, which can complicate matters. For instance, there are many examples of researchers obtaining used drives from online auctions and other sources and recovering large amounts of sensitive information from them.

So what is the answer to these Cloud-based security conundrums? Compliance with information security standards, as Mr Churchward* suggests? Well, in part, is the rather cryptic answer to that one, I think. There are some very good information security standards and control sets out there (COBIT, ISO/IEC27001:2005 and the UK government’s HMG Information Assurance Standards being just some examples). However, every experienced information security professional will know, or have known, at least one organisation for which having the standard is the means as well as the end, which frustratingly maintains a veneer of information security competence when the assessor arrives for the next audit, but for which, in between audits, security is just a byword for inconvenience. So if the sight of a Cloud services provider brandishing a given security certification is not sufficient assurance, what is? We suggest these three steps to Cloud contractual heaven:

  1. The right to audit. And then do it. And don’t pick a service provider who is based a 36-hour flight away unless you, and your management, are prepared to send someone to their data centre to do the audit!
  2. Talk to prospective service providers about the threats above. If they are coy, defensive or babble techno-speak, make sure you are content to receive the same level of effrontery when you have a query, a business interruption scenario or a concern about your data.
  3. Does the would-be service provider sub-contract out its storage, security, administration or anything else? The very flexibility of Cloud-based services means that your data, or responsibility for your data, can be syndicated out by your nominal provider in the blink of an eye. You wouldn’t sub-contract out your office space so readily, would you?

On the point of standards, it is probably worth clarifying a couple of points for the unwary arising from the SC Magazine article:

  • ISO/IEC27001:2005 is the international (not just UK) standard for Information Security Management Systems. ISO/IEC27002:2005 is the accompanying guidance for the implementation of the security controls listed in Annex A of ISO/IEC27001:2005;
  • Neither ISO/IEC27001:2005 nor ISO/IEC27002:2005 mentions Cloud computing; however, most of the 133 controls are, or could be, applicable to a Cloud computing environment. Explicit reference to Cloud services is amongst the proposals for future changes to the Standard; and
  • There are already two approved international standards for Cloud-based technology relevant to security (http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=53458 and http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=59388), though they are definitely for the propeller-heads amongst you!

And what of Mr Churchward’s* assertion that “we need something externally policed, not self-certified, and a recognised industry body”? Well, I am not sure we agree, insomuch as regulatory and enforcement bodies already exist for all sorts of activities relating to information security, Cloud-based or otherwise, and it seems an unnecessary burden to introduce another. Bodies with an interest in maintaining and improving Cloud security include statutory regulators such as the Information Commissioner’s Office (ICO); indeed, the Irish Data Protection Commissioner is currently working with one well-known international Cloud operation (Facebook) to improve its compliance arrangements (http://dataprotection.ie/viewdoc.asp?DocID=1175&m=f).

So to wrap up, we recommend that organisations considering entering into agreements with Cloud service providers:

  1. Conduct appropriate due diligence before doing so, including a full risk assessment, considering the risks laid out above;
  2. Make sure that they have the right contractual security clauses in place falling out from the risk assessment (e.g. if data sanitisation is a major issue for your organisation, make sure it is robustly referenced in the contract); and
  3. Ensure that your external service providers, including Cloud operators, are part of your audit and assurance programme (this programme should also be risk based, looking at the higher priority areas more frequently and in more depth).

www.advent-IM.co.uk

*LogLogic CEO Guy Churchward – quoted in SC Magazine article

USB – Ubiquitous Security Breach?

The Ubiquitous Data Breach or as we know it - the USB

“Organisations do not understand the risks they face because of employee negligence but are not taking the necessary steps to secure USB drives.”

This forms part of the introduction to the findings of the UK part of the survey by the Ponemon Institute on behalf of Kingston Technologies.

The results of the survey show how many UK organisations are negligently inactive when it comes to unauthorised use of USB devices: a shocking 73% of those surveyed reported employees within their organisations using USBs without obtaining permission, and 72% said that data breaches had been caused by the loss of USBs holding sensitive or confidential data.

These results come as no surprise to many of us; the number of stories we all read on a weekly basis about data sticks being lost, laptops being lost, or discs being left in taxis is large.

The surprising thing in many ways is that, despite these incidents, organisations are still allowing uncontrolled USBs to become prevalent, picked up at trade fairs and expos (the survey said 55%; I suspect this is actually much higher). So business is relying on the common sense and integrity of its employees to use the devices sensibly. In fact, the sensible thing to do is to have a policy, implement it and educate your staff in it.

The survey shows that a disappointing 32% have policy and controls in place to stop or limit employees’ misuse of USBs in the workplace, and only 29% have the technology to prevent or detect a virus or malware on USB drives before use by employees. Some organisations, as we know, will create a policy and then not educate their people in it; lip service to a policy never works, hence the 72% of respondents having lost sensitive data.

We have said it before and will say it again: assess the risks (ask for help if you need to), design the policy and procedures (ask for help if you need to), implement them and check they work, then educate them in.

Ellie

www.advent-im.co.uk

From the report:

The following are 10 USB security practices that many organizations in this study do not practice:

1. Providing employees with approved, quality USB drives for use in the workplace.
2. Creating policies and training programs that define acceptable and unacceptable uses of USB drives.
3. Making sure employees who have access to sensitive and confidential data only use secure USB drives.
4. Determining USB drive reliability and integrity before purchase by confirming compliance with leading security standards and ensuring that there is no malicious code on these tools.
5. Deploying encryption for data stored on the USB drive.
6. Monitoring and tracking USB drives as part of asset management procedures.
7. Scanning devices for virus or malware infections.
8. Using passwords or locks.
9. Encrypting sensitive data on USB drives.
10. Deploying procedures to recover lost USB drives.
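Practices 1 and 6 above (issuing approved drives and tracking them as assets) only bite if someone can actually tell when an unapproved stick has been plugged in, which is also the gap behind the “don’t plug in any old USB” tip earlier on this page. The script below is an added example, not code from the report or from Advent IM: it correlates Linux kernel log lines for USB enumeration into one record per attached device and flags any mass-storage device whose vendor, product and serial number are not on an approved list. The log lines are constructed to follow the kernel’s usual `usb <port>: New USB device found, idVendor=…, idProduct=…` / `usb-storage <port>: USB Mass Storage device detected` wording; the device IDs, serial numbers and the approved list are illustrative assumptions.

```python
"""Flag USB mass-storage attachments that are not on an approved-device list.

Added example for this page, not code from the Ponemon/Kingston report or
from Advent IM. Sample log lines are constructed in the style of Linux
kernel (dmesg) USB messages; IDs, serials and the allowlist are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed dmesg-style sample: an approved corporate stick (port 1-1),
# a keyboard/mouse receiver that is not storage (1-2), and an unknown
# stick of the kind picked up at a trade fair (2-3).
SAMPLE_LOG = """\
[  101.201] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  101.350] usb 1-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[  101.350] usb 1-1: Product: DataTraveler 3.0
[  101.350] usb 1-1: Manufacturer: Kingston
[  101.350] usb 1-1: SerialNumber: 0C9D92B1B3C5E1A0
[  101.460] usb-storage 1-1:1.0: USB Mass Storage device detected
[  250.001] usb 1-2: new full-speed USB device number 5 using xhci_hcd
[  250.120] usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
[  250.120] usb 1-2: Product: USB Receiver
[  250.120] usb 1-2: Manufacturer: Logitech
[  404.777] usb 2-3: new high-speed USB device number 6 using xhci_hcd
[  404.900] usb 2-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  404.900] usb 2-3: Product: Flash Disk
[  404.900] usb 2-3: Manufacturer: General
[  404.900] usb 2-3: SerialNumber: 1234567890ABCDEF
[  405.010] usb-storage 2-3:1.0: USB Mass Storage device detected
"""

# Hypothetical asset register: (idVendor, idProduct, SerialNumber) of every
# drive the organisation has issued. Anything else is unapproved.
APPROVED = {("0951", "1666", "0C9D92B1B3C5E1A0")}

FOUND_RE = re.compile(r"usb (\S+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
ATTR_RE = re.compile(r"usb (\S+): (Product|Manufacturer|SerialNumber): (.*)")
STORAGE_RE = re.compile(r"usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    port: str
    vendor: str
    product: str
    attrs: dict = field(default_factory=dict)
    mass_storage: bool = False

    @property
    def key(self):
        """Identity tuple matched against the asset register."""
        return (self.vendor, self.product, self.attrs.get("SerialNumber", ""))


def parse_usb_events(log: str) -> list:
    """Correlate the per-port kernel messages into one record per attached device."""
    by_port = {}
    ordered = []
    for line in log.splitlines():
        if m := FOUND_RE.search(line):
            port, vid, pid = m.groups()
            dev = UsbDevice(port, vid.lower(), pid.lower())
            by_port[port] = dev          # later messages for this port attach here
            ordered.append(dev)
        elif m := ATTR_RE.search(line):
            port, name, value = m.groups()
            if port in by_port:
                by_port[port].attrs[name] = value.strip()
        elif m := STORAGE_RE.search(line):
            port = m.group(1)
            if port in by_port:
                by_port[port].mass_storage = True   # only storage devices matter here
    return ordered


def unauthorised_storage(devices, approved=APPROVED):
    """Mass-storage devices whose (vendor, product, serial) is not in the register."""
    return [d for d in devices if d.mass_storage and d.key not in approved]


if __name__ == "__main__":
    for d in unauthorised_storage(parse_usb_events(SAMPLE_LOG)):
        print(f"UNAPPROVED USB STORAGE on port {d.port}: "
              f"{d.attrs.get('Manufacturer', '?')} {d.attrs.get('Product', '?')} "
              f"vid={d.vendor} pid={d.product} serial={d.attrs.get('SerialNumber', '?')}")
```

Run against a live host you would feed it `dmesg` or `journalctl -k` output instead of the constructed sample, and the allowlist would come from the asset register the report’s practice 6 asks for. Matching on serial number rather than vendor/product alone matters: two sticks of the same model are indistinguishable otherwise, and a cheap drive can present any vendor ID it likes, so this is a detection aid, not a substitute for blocking unapproved storage at the endpoint.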