In 1876, W. B. Yeats, the Irish poet, decided to write to his younger sister Lily, then aged 11. As usual he wanted to make sure that no one but Lily could read the letter, so he wrote it using the secret cipher that only the two of them knew how to work out. However, having lost the cipher key he needed to decrypt her replies, he wrote to her in plain English asking her to send him a copy of the code so that they could resume using it in their next letters. In doing so, Yeats broke every best-practice rule of encryption key management. There are a few lessons to be learnt from that anecdote. Firstly, the need to keep some information or data secret and undecipherable to untrusted third parties is not new. Secondly, urgency in getting or granting access to data pushes people to circumvent the very mechanisms they put in place to protect that data in the first place.

Things have not really improved, as the recent headlines surrounding data loss, theft and leakage incidents tend to prove. So are we still missing the whole point about data protection? Should we not go back to basics to understand why large corporations with significant IT and security budgets are still victims of data incidents? What can organizations do to mitigate data protection risks?

Our first port of call is to review some of the latest data theft and data leakage incidents to hit the headlines worldwide. In doing so we cannot avoid talking about the TJX incident in Massachusetts, where the company confirmed that over 45 million of its customers' cardholder records had been accessed by hackers. Altogether, at least 45.7 million credit and debit card holders who are TJX customers are now potentially exposed to identity theft. According to the latest reports, the data was accessed through wireless network vulnerabilities at one of the chain's stores in the US.
Wireless network access was not appropriately configured, in so far as it did not match the requirements mandated by PCI DSS (Payment Card Industry Data Security Standard). PCI DSS is a security standard which applies to merchants, payment service providers (gateways and processors) and banks, and which requires the entities concerned to implement over 220 technical, procedural and skills-transfer controls grouped into 12 high-level requirements, ranging from implementing security policies and providing employees with security training through to collecting audit logs for specific system components. According to an article printed a couple of months after the incident, the Massachusetts Bankers Association, the Connecticut Bankers Association, the Maine Association of Community Banks and some individual banks argued that TJX failed to protect customer data with adequate security measures, and that the retail giant was less than honest about how it handled data. This resulted in significant damage to TJX's reputation, notwithstanding the cost of remediation, legal costs and PR costs to the organization. At a more basic level, data protection standards at TJX were obviously not high enough.

More recently, another Massachusetts-based organization was the victim of a similar attack. More worryingly, this time the victim, Hannaford, was compliant with PCI DSS and therefore with the security rules laid out by the card associations to secure cardholder information. A breach of Hannaford's computer systems is said to have exposed more than four million credit and debit cards issued by nearly 70 US banks. Because this incident is quite recent (February 2008), it might be a while before we grasp the full extent of the incident and its consequences; however, it would seem that basic technical security solutions were not in place to prevent the malware that made the hack possible.
The Boston Globe reports that malware was installed on servers at every store in the Hannaford chain (approximately 300 locations) and that the malware intercepted the credit card number and expiration date at the point of sale as it was being sent for authorization. The malware then sent batches of card numbers over the Internet to a foreign ISP. A further article from Information Week questions whether the attack, whilst effective on a new scale for that type of incident, is really that new and that complicated to stop, or whether simple data protection principles had simply not been implemented at Hannaford. It also questions whether mere compliance with industry and/or legal mandates provides enough security to ensure good-practice data protection levels.

The US is not the only territory where one can wonder about data protection levels. In Europe a series of major data leakage and data theft incidents have hit the headlines. HM Revenue & Customs (UK) confirmed in November 2007 that two computer discs containing the entire child benefit database of 25 million people had been lost in the post by HMRC. It also confirmed that the personal details on the discs included names, ages, bank and address details. HMRC chairman Paul Gray resigned over the incident, which he described as a "serious operational failing". In April 2008, one of the largest banks in Europe, Bank of Ireland, admitted to losing four laptops containing up to 10,000 customer records. Moreover, it seems that these laptops contained quite sensitive information, such as the information required for a formal proposal for life insurance, retirement funds and new bank accounts, thus covering most of the details required to fake someone's identity. The additional concern here, over and above the data leakage itself, is the fact that the first laptop loss occurred as early as the summer of 2007 and was only reported to the relevant Irish authority (the Office of the Data Protection Commissioner) in April 2008.
These four examples tend to show that organizations are missing the point, and they beg a number of questions which organizations should consider as a matter of urgency. Is your organization protecting access to its wired and wireless systems on a need-to-know basis? Why does information need to be stored on mobile devices such as laptops, and if there is a requirement for it, how can sensitive data be protected? In light of the aforementioned US and European examples, what value do laws and standards such as Data Protection regimes and PCI DSS bring to the security industry?

Data Classification and Data Protection Policies

It is best practice to start addressing security challenges by taking a step back, away from technical considerations. Indeed, one should try to consider the business objectives of the organization and how it uses IT and telecoms (ICT) solutions to conduct its business. This approach allows an organization to segment the types of ICT transactions it requires to perform its daily tasks, e.g. sending and receiving e-mail, web browsing, FTP transfers, remote access, third-party access to semi-public corporate collaborative environments and so on. Then, one should concentrate on the data contained within or accessed through these ICT transactions. At a business level, data can be public, confidential or highly confidential (you may use more granular segmentation). At an IT level, data can be structured or unstructured, which may make it difficult to locate and protect. At a user level, organizations need to grant access to data on a need-to-know basis: if a user does not need access to specific data to perform his or her duties, such access must not be granted. To ascertain who should have access to what, organizations must create groups of users and assign specific data access rights to each group. This also needs to be coupled with log reporting on both authorized and unauthorized access to data. With these three elements in place (i.e. data considered at the business-use level, the ICT level and the user level), organizations can start formulating a set of data classification and data usage policies. Typically this is translated into three (sets of) policies.

Data classification policies

At the simplest level, data can be classified on the basis of the function it serves for the organization: sales and marketing data, production data, executive management data. This is useful; however, it does not allow for classification by the value of the data. The value is generally linked to the harm that would be caused should the information fall into the wrong hands. Depending on the country in which your organization is located and on the applicable industry standards, several models of data classification can be applied, starting with three levels (public, confidential, highly confidential) and going up to multiple levels with subtle differences between them (e.g. public, semi-restricted, restricted, confidential, highly confidential and top secret). The following are a few examples for consideration. Typically, data pertaining to someone's identity or to organizational trade secrets is labelled highly confidential. This would also include data such as organizational strategies (e.g. the go-to-market strategy for a new product). Organizational charts are often confidential because they can be used by potential attackers to learn who the key decision makers are and who reports to them; attackers can then use that information to launch social engineering attacks on more junior employees to get access to the organization's systems. Having said that, some organizations which are not required by law to communicate their organizational chart will partly make it public for other purposes such as marketing or sales. In any event, confidential information refers to information which could potentially be used to the detriment of the organization should it fall into the wrong hands.
Public data is data which can easily be found in the public domain, although it may well pertain to some elements of confidential or highly confidential subject matter. Data may have various levels of importance and use throughout its life cycle, and it is important to understand that data classification levels may evolve over time. For instance, some data is always considered confidential whereas other data gradually becomes less useful and therefore less sensitive (e.g. health information on individuals tends to retain its highly confidential status, whereas some information, such as government classified information, can be downgraded to public information after a certain amount of time depending on the regime it is subject to).

Data Protection and Retention policies

There are two types of Data Protection policies: governance-based policies and technical policies. In the EU, the Data Protection Directive of 1995 applies in all 27 EU member states. However, some member states have directly copied and translated the directive into national law whereas others have included additional rules. It is therefore not surprising that the data protection regime in France (CNIL) is different from that in Ireland (Data Protection Act 2003) and that of Germany (Datenschutzgesetz). Although they all incorporate the provisions of the European Directive, they also add national flavours in the shape of additional requirements for monitoring the usage of corporate systems and employee data, and in terms of how data protection watchdogs may apply fines and even jail sentences for non-compliance. The Act also mandates that a designated person be in charge of data protection compliance, typically a data controller, which in security terms translates into a data security officer or CSO. One key thing to remember in the EU is that the directive mandates that appropriate security measures be implemented to protect customer and employee information.
One other point is that all employees must be made aware that they may be monitored in order for the organization to comply with the Data Protection regime, and that employees must be informed of the reasons for, and the techniques by which, their usage of corporate resources may be monitored. Such monitoring must be applied equally and fairly across the board for all employees, unless it is part of an internal documented inquiry into employee wrongdoing. In the US, employees' rights are not as protected as in the EU, meaning that in principle it is easier to monitor employee behaviour if an organization can show it is doing so to safeguard the organization's good name. On the other hand, an additional burden is put on organizations to regulate themselves and to secure their environments. This can be seen with PCI DSS, as mentioned earlier in this document, and with HIPAA, the Health Insurance Portability and Accountability Act, established in 1996, which provides US national standards for the security of electronic health care information. For instance, HIPAA mandates the following (Administrative Safeguards category): covered entities (entities that must comply with HIPAA requirements) must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures.

Data retention refers to how long data must be retained and in which format, e.g. encrypted, password protected, etc. Data retention mandates vary between industries and territories. The key things to watch out for are whether draft legislation exists and, in some jurisdictions, the fact that data protection and data retention regimes are dealt with within a single piece of legislation. In addition, it is also worth looking into how data may be acquired and how it must be kept up to date in order to have any legal bearing and to avoid holding data unlawfully.
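The three ideas above (labelling data public, confidential or highly confidential; granting access per user group on a need-to-know basis with both authorized and unauthorized attempts logged; and letting a classification evolve over time except for categories such as health data that keep their label) fit together in a small access-control model. The following is an added example written for this article, not code from the page or from any of the organizations it mentions; the group names, record identifiers, clearance levels and dates are constructed sample values, and the one-level-per-period downgrade rule is an assumption chosen to illustrate the point.

```python
"""Added example (not from the article): a need-to-know access model with
classification labels, group-based rights, an audit trail and a time-based
downgrade rule. All names, ids and dates below are constructed samples."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Level(IntEnum):
    """Three-level scheme from the article; higher value = more sensitive."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    HIGHLY_CONFIDENTIAL = 2


@dataclass
class Record:
    record_id: str
    category: str                 # e.g. "health", "strategy", "org"
    level: Level                  # label at creation time
    created: date
    groups: Set[str]              # groups with a business need to know
    downgrade_after_days: Optional[int] = None   # None = never downgrades


@dataclass
class User:
    name: str
    groups: Set[str]
    clearance: Level


@dataclass
class AuditEntry:
    user: str
    record_id: str
    allowed: bool
    reason: str


class DataStore:
    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}
        self.audit: List[AuditEntry] = []

    def add(self, record: Record) -> None:
        self.records[record.record_id] = record

    def effective_level(self, record: Record, today: date) -> Level:
        """Label after the downgrade rule: drop one level once the record is
        older than the configured period; records with None never change."""
        if record.downgrade_after_days is None:
            return record.level
        if today - record.created >= timedelta(days=record.downgrade_after_days):
            return Level(max(record.level - 1, Level.PUBLIC))
        return record.level

    def access(self, user: User, record_id: str, today: date) -> bool:
        """Need-to-know check. Public data is open to everyone; otherwise the
        user needs clearance at or above the label AND membership of a group
        with a business need. Every decision, allowed or denied, is logged."""
        record = self.records.get(record_id)
        if record is None:
            self._log(user, record_id, False, "no such record")
            return False
        level = self.effective_level(record, today)
        if level == Level.PUBLIC:
            allowed, reason = True, "public"
        elif user.clearance < level:
            allowed, reason = False, f"clearance {user.clearance.name} below {level.name}"
        elif not (user.groups & record.groups):
            allowed, reason = False, "no need to know (group mismatch)"
        else:
            allowed, reason = True, f"{level.name} granted via group"
        self._log(user, record_id, allowed, reason)
        return allowed

    def _log(self, user: User, record_id: str, allowed: bool, reason: str) -> None:
        self.audit.append(AuditEntry(user.name, record_id, allowed, reason))

    def denied_attempts(self) -> List[AuditEntry]:
        """The report a reviewer reads: unauthorized access attempts only."""
        return [e for e in self.audit if not e.allowed]


def build_sample_store() -> DataStore:
    """Constructed sample data: a health record (never downgrades), a strategy
    document (downgrades after a year) and an org chart (after 90 days)."""
    store = DataStore()
    start = date(2008, 1, 1)
    store.add(Record("health-1", "health", Level.HIGHLY_CONFIDENTIAL, start, {"hr"}))
    store.add(Record("strategy-1", "strategy", Level.HIGHLY_CONFIDENTIAL, start, {"exec"}, 365))
    store.add(Record("orgchart-1", "org", Level.CONFIDENTIAL, start, {"hr", "exec"}, 90))
    return store


def demo() -> Dict[str, object]:
    """Run a few constructed access attempts and return the decisions."""
    store = build_sample_store()
    alice = User("alice", {"hr"}, Level.HIGHLY_CONFIDENTIAL)   # HR, full clearance
    bob = User("bob", {"sales"}, Level.CONFIDENTIAL)           # no HR/exec need
    carol = User("carol", {"exec"}, Level.CONFIDENTIAL)        # exec, mid clearance
    return {
        "alice_health": store.access(alice, "health-1", date(2008, 2, 1)),
        "bob_health": store.access(bob, "health-1", date(2008, 2, 1)),
        "bob_orgchart_feb": store.access(bob, "orgchart-1", date(2008, 2, 1)),
        "bob_orgchart_jun": store.access(bob, "orgchart-1", date(2008, 6, 1)),
        "carol_strategy_2008": store.access(carol, "strategy-1", date(2008, 6, 1)),
        "carol_strategy_2009": store.access(carol, "strategy-1", date(2009, 6, 1)),
        "health_still_hc": store.effective_level(store.records["health-1"], date(2030, 1, 1)),
        "denied": len(store.denied_attempts()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points are worth noting. The clearance check and the group check are both required, so a user with a high clearance but no business need (the "need to know" rule in the text) is still refused, and the refusal is recorded with its reason so that unauthorized attempts can be reported alongside authorized ones. The downgrade rule is applied at access time rather than by rewriting stored labels, which keeps the original classification on record for audit purposes.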
At a technical level, the implementation of the above requirements typically translates into the deployment of streamlined technologies to enforce business policies. Examples include firewalls, IDS/IPS, system management, log reporting solutions and strong authentication solutions. In addition, specific data encryption solutions are required to comply with some data protection mandates. This covers both data at rest and data in motion.

Acceptable Usage Policies (AUPs)

AUPs are an essential link in the security chain. AUPs are referred to in many legal and industry frameworks as security best practice to ensure that corporate data as well as employee data is secured. In short, AUPs govern what is and is not acceptable in terms of employee use of corporate ICT resources, including e-mail and web, IM, phones, fax and even multi-functional printers. In essence, an AUP provides guidelines on how to securely use the technical tools which allow employees to process, store and transmit data. AUPs must reference the data classification in use at the entity concerned and must provide clear guidelines as to what employees may or may not do with data in its raw form (e.g. knowledge, and physical or dematerialized data) and with data systems. Most legal and industry frameworks require organizations to train employees and to communicate and explain the AUP. For instance, PCI DSS requirements 12.6 and 12.7 address this; requirement 12.6 reads as follows:

12.6 Implement a formal security awareness program to make all employees aware of the importance of cardholder data security upon hire and at least annually

ISO 27001 requires that organizations put in place, amongst other items, an Information Security Classification Document, an Internet Acceptable Usage Policy and a User Agreement, along with a user registration procedure, a tele-working policy and a user access policy. So are laws, regulatory frameworks and industry standards really adding value to the Data Protection problem?
Data Protection and data security in the wider sense are covered in many legal frameworks and industry self-regulation programs. The various frameworks, be they legal or industry-based, do provide best-practice security guidelines on data protection, from how data may be acquired, retained and stored to who can access data depending on its classification. Nonetheless, it is clear that the message is not fully understood and/or applied by the stakeholders concerned. Whilst it is easy to trace the loss of unencrypted laptops back to a lack of managerial commitment to implementing the technical security measures, policies and awareness programs needed to protect confidential data on mobile devices, the fact that organizations compliant with standards such as PCI DSS still suffer breaches, and the fact that government organizations do not apply government-driven mandates, does beg the question of the value added by such industry initiatives and legal frameworks. This issue also reinforces the very real need for all organisations in the public and private sectors to take their data protection responsibilities seriously. For what it's worth, as a security professional, I believe that compliance does add value because it provides a target level of security for the entities concerned. Where compliance lets the industry down is in its lack of enforceability or in the level of enforcement: some mandates are difficult to enforce without crippling a whole industry after a major incident, and other mandates should be applied more strictly, as there is no value in unenforced penalties when organizations often see penalty avoidance as the business driver for compliance. On the other hand, the Hannaford and HM Revenue & Customs examples show that security should go beyond compliance.
Security is a process, which means that the technical solutions, policies and procedures and skills-transfer programs that make an organization compliant today need to be constantly revisited to ensure that the organization remains not only compliant with the mandates that apply to its industry, but also secure against the most common attacks, including non-technical attacks such as social engineering, social-networking-based risks and other emerging threats. At a technical level, this may translate into moving away from simple mobile device encryption strategies to corporate encryption strategies covering both data at rest and data in motion. At the policy and skills-transfer levels, it means incorporating mobile devices and the acceptable usage of social networking sites into the AUP and into the awareness program. In summary, it is recommended that organizations elevate the security debate beyond compliance. Compliance is a good thing, perhaps a necessary evil, in that it guides organizations towards best-practice security. Good-practice security strategies and implementations, on the other hand, should bring your organization to compliance and will allow you not to become the next data protection incident headline.