The Home Office recently came under fire for data breaches after reports that a laptop sold on eBay contained a highly confidential disk inside. Not surprisingly, some sections of the media jumped on this as another sign of government incompetence, but what are the risks for companies and how easily can they avoid such mishaps?
The loss or misappropriation of data from laptop computers, notebooks, PDAs, BlackBerries and removable data storage media is one of the key risks facing today’s business environment.
These portable computers and peripherals are the basic building blocks of enterprise-wide computing, but their security is often overlooked or ignored, with protective efforts expended disproportionately on firewalls and perimeter defences.
According to a Gartner Group study, two-thirds of critical corporate data is stored on workstations and laptops and not on servers. Many organisations have suffered extreme embarrassment due to their inattention and neglect of portable computer security.
The UK government is beset with difficulties with regard to data loss, suffering serial embarrassment. High profile incidents, all of which have occurred since November 2007, include:
- HM Revenue & Customs losing two computer discs with information on 25 million people and 7.2 million families. They were lost in the post, unencrypted, unrecorded and unregistered.
- Two unencrypted computer discs containing the names and addresses of 7,685 Northern Ireland motorists disappeared in December.
- The Driving Standards Agency confirmed the loss of three million learner driver records held on a removable disk drive at a “secure facility” in Iowa.
- HMRC admitted losing a computer cartridge containing data on 6,500 customers of a private pensions firm.
- Nine NHS trusts have lost 168,000 patient records.
- A Devon and Cornwall Police disc containing confidential staff data was found at a recycling centre in Exeter by a man looking for spare computer parts.
- A Royal Navy laptop containing personal information on 600,000 serving and potential recruits to the armed forces was stolen from a car park in Birmingham. The Ministry of Defence confirmed the theft of 68 laptops in 2007, 66 in 2006, 40 in 2005 and 173 in 2004.
Critical loss
Alarmingly, data loss impacts upon national security at the highest levels. In 2005, classified cruise missile data and control software ended up in a second-hand shop called Computer Exchange after a Royal Navy officer sold Ministry of Defence computers to fund his gambling addiction. Chief Petty Officer Paul Crookes confessed to selling the equipment including three laptops that contained files marked ‘Top Secret for UK/USA eyes only’.
The insurance industry says that more than 1,000 laptops are stolen each day in the US. Theft is relatively mundane and the loss of a laptop is often met with a resigned, but dismissive, shrug of the shoulders in the mistaken belief that the retail price of replacement is the full extent of the loss.
Thieves and extortionists are increasingly aware that the computer’s content may be of far greater value than the resale price of the machine itself. There are reports of blackmailers demanding ransoms to return laptop computers to their rightful owners.
Fraudsters are attuned to the criminal opportunities presented by mobile computing. In May 2004, a laptop used by Kern County Mental Health Office, California was stolen in an opportunist raid on the department’s offices and the social security numbers were subsequently used to defraud Medicare.
The unifying theme of all these incidents is that the security breaches resulted from the loss or theft of portable devices. Notably, one of the most recent reported data losses, in February, in which an optical disc holding Home Office information was discovered hidden beneath the keyboard of a laptop bought on an online auction site, resulted in no disclosure of confidential information at all.
Lee Bevan, of LeapFrog Computers, to whom the laptop was subsequently sent for repair, said: ‘It had the words Home Office and Confidential written on it. We put the disc in the drive to see what it was, but it was encrypted.’
This is the crux. Total disk encryption will not necessarily prevent an intruder from copying the contents of the computer’s hard drive. However, an encrypted data stream, even if copied, remains encrypted and, if it is a strong encryption, it remains protected from disclosure.
Total disk encryption that employs strong algorithms such as PGP or Blowfish offers a profound defence against unauthorised access. Without the pass phrase or key, the encrypted data is useless to the thief.
Commercially available products offer ‘on-the-fly’ hard disk encryption that does not impose significant processing overhead or burden on the user. But be warned that, where encryption technology is circulated to the workforce, it is imperative that the organisation retains the capability to over-ride it using a tightly controlled administrative password or authentication procedure.
Don’t get locked out
When determining a corporate policy on encryption tools and procedures, an organisation should avoid empowering users to the extent that it finds itself locked out from its own computer systems and data.
An over-ride mechanism or key for each and every encryption and access control system in use is mandatory, lest we lock ourselves out from the very systems we seek to protect.
Data also requires secure disposal. The inadvertent disclosure of confidential information is unlawful in many jurisdictions; in the EU, for example, the failure to protect personal and financial information is an offence under data protection laws.
It is not sufficient to delete files on computers: the data remains in situ and may be restored using data recovery software. The recommended procedure for wiping data from hard disks and magnetic computer media, including memory sticks, is to purge it using secure erasure software. Positive erasure options vary from a quick, single-pass sanitisation that overwrites all data on the disk with zeros to an ultra-secure sanitisation that overwrites the data a total of 35 times.
The most secure data purging software overwrites data with a pseudo-random pattern, which will prevent even the most advanced data recovery techniques. There are a number of data purging software tools available on the internet including Steganos, CyberScrub and Data Eliminator.
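The overwrite passes described above, sketched as an added example that is not part of the original article or of any product it names: a zero pass followed by a pseudo-random pass over a disk image, then a scan to confirm the old content is gone. The names `wipe`, `contains` and `demo`, the marker string and the 3 MiB image are constructed for illustration, and the code assumes the target is a raw image file or device path on which a write at a given offset replaces the data stored there.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # overwrite and scan in 1 MiB blocks


def wipe(path, passes=("zeros",)):
    """Overwrite every byte of `path` once per pass: "zeros" or "random"."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for kind in passes:
            if kind not in ("zeros", "random"):
                raise ValueError(f"unknown pass type: {kind}")
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(b"\x00" * n if kind == "zeros" else os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the medium before the next
    return size


def contains(path, marker):
    """Scan `path` for `marker`, including matches that span two blocks."""
    tail = b""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if marker in tail + chunk:
                return True
            tail = chunk[-(len(marker) - 1):] if len(marker) > 1 else b""
    return False


def demo():
    """Build a constructed image holding a marker, wipe it, verify the result."""
    marker = b"CONSTRUCTED-CUSTOMER-RECORD-0001"  # sample data, not real
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"\xff" * (CHUNK - 10) + marker + b"\xff" * (2 * CHUNK))
        before = contains(path, marker)
        wipe(path, passes=("zeros", "random"))
        after = contains(path, marker)
        return before, after, os.path.getsize(path)
    finally:
        os.remove(path)
```

The verification scan matters as much as the overwrite: a purge that is never checked gives no evidence that the whole medium was actually covered.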
Non-magnetic media, such as CD-ROMs, DVDs and optical disks that cannot be overwritten require physical destruction. Commercially available shredders can destroy CDs, DVDs, credit cards, Iomega Zip disks, DAT tapes and even LS 120 super disks.
It is also advisable to encrypt information on any computer or device that is sent for servicing, repair, maintenance or upgrade. Another option is to remove the hard disk of any computer prior to its despatch.
Security on the move
There are a number of technical measures available to secure laptops and mobile computers. Even where such measures are unheeded, apply some simple common sense:
• Use strong total disk encryption to protect against data leakage.
• Consider a lockdown by using the computer's onboard BIOS setup menu to disable all unnecessary external interfaces such as USB and Firewire ports.
• Do not provide computers installed with writeable CD or DVD drives.
• Beware of shoulder surfing when using a laptop in public places.
• When travelling do not put company labels on baggage, hand luggage or laptop bags.
• Do not store access devices, passwords or codes in laptop bags.
• Use a power-on password.
• Take great care with removable disks, USB thumb drives and other portable media - many incidents of data loss occur when these devices are mislaid, lost or stolen.
• Use a password protected screen saver to prevent unauthorised browsing or use when the computer is unattended.
• Do not use Wi-Fi 'hotspots', unless wireless traffic is suitably encrypted.
• Install a personal Firewall and use spyware detection software such as Spybot Search & Destroy (www.spybot.info/en/index.html) or Pest Patrol (www.pestpatrol.com).
• Do not auto-save passwords in any software application or login script.
Edward Wilding is chief technical officer at Data Genetics International
