Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Friday, June 01, 2007

Plug the holes in your cone of silence

DATA loss is a significant factor in modern business, dependent as it is now on electronic systems.  And it occurs in many ways, some inadvertent, some through stupidity and some criminal.  One organisation accidentally puts its sensitive market research report online before it has been approved; another can’t find data that has been requested by a government department.  Others lose laptops, unwittingly send confidential information in emails, or give contractors too much access to internal data.  This is lost data and its impact on a business can range from financial loss, to damage to its reputation, potential loss of customers, or even imprisonment if there is a breach of corporate governance.  So, how good are your data management policies and procedures?  More than two-thirds of Australian organisations experience six losses of sensitive data every year, according to new research by the US-based IT Policy Compliance Group.  One in five organisations loses sensitive data 22 or more times a year.

Lost data includes customer, financial, corporate, employee, and IT security data that is stolen, leaked or destroyed.  Loss of sensitive, confidential corporate data can also give a rival company a competitive advantage.  It might, for example, include results of market research, competitive intelligence analysis of another company, research and development results, financial information, or a list of possible staff redundancies.

“In most organisations, the most sensitive information is in emails,” says Milton Baar, the director of IT Security consultants Swoose Partnership, and committee member of the ISO 27001 international security standard for information management.  Mr Baar says three factors should be considered in assessing data loss: confidentiality, integrity, and availability.  The integrity of data is maintained by ensuring that information is changed only by those allowed to do so, but organisations also need to make sure that data can be accessed when it is required.  Confidentiality is often breached when emails are sent, accidentally or intentionally, to people who should not be seeing them, or when emails are sent before information should be made public.

Mr Baar says staff should be trained in the use of email, helping them understand what information is sensitive.  “Have black and white lists, where the server stops sending out and/or receiving emails to or from certain places,” he says.  “Have word searches in outbound emails to ensure that sensitive information isn’t disclosed, accidentally or intentionally.  Mark the information physically or electronically with its security classification.”  Attachments could be protected from email disclosure by having Access Control List entries that allowed them to be sent or blocked depending on the classification and destination of the information, he says.

Cybertrust security consultant Andrew Walls says that the “number one issue” for organisations is classification of their data.  Is it important that some data remains confidential no matter whether its integrity is critical or how important it is to have the information readily accessible. 

“The critical thing is for business to say what is important, then apply security controls.  What role does the data play in an organisation’s plans, including its profitability?  At a simple level decide what is a secret, and what is not.  If it is a secret, talk to us before accessing it or publishing it,” Mr Walls says.  “Don’t expect the IT security people to make these decisions; classifying the data is a business decision.”

Mr Walls says the Australian Government has five tiers of classification: public data, internal use only, confidential, protected and highly protected.  At each tier a decision is made on how important are confidentiality, integrity and availability.  Mr Baar says the proper use of information standards, such as AS/NZS4360, a risk management standard, would provide a much better basis for decision making.  “Poor risk analysis means that the real risks, likelihoods and consequences are not known in detail, therefore the real losses are also unknown,” he says.

Symantec systems engineering manager Paul Lancaster agrees that compliance is not just about the data, but its integrity and availability.  Compliance means adhering to regulations that affect a business and what that means for its data storage systems.  “Data loss occurs when it can’t be accessed,” says Mr Lancaster.  “Organisations have their own products and services they deliver as a business and the data behind that is key.  Not having the ability to obtain data to show the public that their data is intact, with no integrity loss, can be detrimental to a business.”

Backing up is one obvious strategy, but how many organisations do this critical task properly?  MR BAAR says most hospitals in NSW have multiple secure systems, with servers in two locations to keep patient records secure. 

For example, witness protection program lists are closely guarded, and kept on a computer system accessible to only a few, not including the systems administrator.  It has Defence Signals Directorate (DSD) certification for its internet gateway service for Australian Commonwealth customers.

Pharmaceutical companies have high security networks, cut off from all other networks.  They encrypt their entire networks, “down to the hardware,” Mr Walls says.

Identity theft is a more common problem in Australia, Mr Lancaster says, with fraudsters trying to access laptops and servers to get credit card details or personal information.  Employees may have ASIO checks and security clearances for their staff but what about the cleaning staff?

Posted on 06/01