Sunday Business Post | Irish Business News
Identity crisis
Sunday, September 07, 2008
As IT security breaches continue to make headlines, Ian Campbell explores the reasons why organisations are seemingly unable to manage their data properly.

After the events of the last month, many more voices must be joining in with the mantra that technology can only do so much for IT security. No firewall in the world will compensate for management negligence and an inability to observe basic principles of data protection.

There has been a long litany of failure in a short space of time. At the start of August, 11 people were charged in the US over the biggest credit card fraud in history. TJX, the parent company of TK Maxx, and a number of other US retailers managed to lose 40 million credit card details to a sustained hacking campaign of modest sophistication. Closer to home, a number of retailers in Galway had their card-payment machines skimmed and 20,000 names and personal details were stolen.

Meanwhile, following on from the Bank of Ireland lost laptops debacle, another incident came to light: a laptop stolen from the Comptroller and Auditor General's office contained 380,000 personal records belonging to the Department of Social and Family Affairs. These were just the latest incidents of hacking and identity theft to have made the news.

Despite the media coverage and words of warning from the IT security industry, such incidents will come around again - as inevitable as a wet Irish summer.

The sobering truth is that all of the incidents were entirely avoidable. Basic IT investment and common-sense management was all that was required. In the case of TJX, the initial reports suggested that the company was running a Wi-Fi network with WEP (Wired Equivalent Privacy) protection, the most basic level of wireless security, which has long since been discredited because its static key can be recovered from a few minutes of passively captured traffic. In Ireland it was the ‘skimming' of card machines that unearthed a different type of problem. A criminal gang would pass themselves off as technicians from the bank, tamper with the machines and gain access to cardholder details. Basic management procedures, starting with verifying the identity of anyone who asks to work on a terminal, should prevent this from ever occurring.

Poor management was also to blame when the social services data went walkabout, a terrible indictment of public sector security that was compounded by the fact that it took a year to own up to it.

Paul Dwyer, chief executive officer of security specialists TeamInfoSec, said such incidents come down to poor management procedures aided and abetted by apathy.

“People don't take data security seriously because they don't have to. The Data Protection Commissioner has the power to fine organisations €100,000, but it never happens. Nobody gets prosecuted and nothing ever gets done. The same names keep offending, which just proves that there is no real deterrent.”

Dwyer thinks people underestimate the severity of the crimes. “Why bother holding up a bank when you can steal a laptop? They are taking personal information that can be sold on the black market for $40-$50 so there is real criminal intent in identity theft.”

Dwyer and other security specialists are calling for Data Protection Commissioner Billy Hawkes to drop the softly-softly approach and instigate much tougher punishments.

“He needs to take a much harder line and follow the example of Britain where organisations are fined heavily for losing laptops and personal data.”

It has been claimed that information security codes of practice, like ISO 17799 (since renumbered ISO/IEC 27002), are taken much more seriously in Britain and other parts of Europe. Such standards are trickling into Ireland, encouraging organisations to manage information security better and ensure that information receives an appropriate level of protection. “Private sector companies in particular are adopting some of the practices,” said Dwyer, “but the public sector has been much slower in our experience.”

Another problem is that there is no legal obligation in Ireland to report lost data or missing laptops; the only reason the public sector incidents have come to light is the Freedom of Information Act. Not that playing down the problems has been entirely wilful: according to Dwyer, a lot of people responsible for data management are simply unsure of what to do.

“We deal with the public sector, private sector and financial institutions, and I can tell you that there is a lot of confusion about data protection among all of them. The Data Protection Commissioner sends out contradictory information and organisations don't understand what's required of them so they can't implement the relevant controls.”

Worse still, many organisations are unclear where responsibility lies within their business to make things better. “They don't understand that compliance around the security of data is a business matter and not an IT issue,” said Dwyer.

In fact, the IT community finds the recent spate of breaches a bitter pill to swallow because they know that they could have been avoided through implementing the most rudimentary technology.

“Some encryption technologies have been out there for 15-20 years so it's people's unwillingness to spend money to protect the data that is the problem,” said Michael Conway, managing director of Renaissance.

“Part of the issue is that people want to get on with their business and worry about the technology another time. They buy a laptop but they won't pay a little more to make it secure. It's crazy. In many cases the data is usually more critical and valuable than the laptop.”

Conway couldn't resist a dig at the banks around the Galway skimming episode to illustrate the skewed logic.

“Banks are so careful in demanding to see customer ID at all times, yet large retail organisations are able to let people on to their premises and work on cash machines. It seems incredible that so many could be tampered with over such a long period of time.”

Conway points out that the statistics consistently show that the majority of security breaches originate with insiders, people who already have easy access to information. Recognising this fact should have an immediate impact on security strategies.

“There is no such thing as 100 per cent security. You must have multiple levels and barriers throughout the organisation and be prepared to continually manage and change them. You don't just leave one encryption key in there forever. People come and go and before too long the key becomes too accessible to too many people.”

Policies and Procedure

The bottom line is that technology can only facilitate an organisation's policies. In the case of TJX it seems a series of procedural errors were the problem.

“For a start it had been storing card numbers for 18 months that it didn't even need,” said Conway.

“In any organisation the risk management and compliance people should be asking questions about where data is kept. There has to be a level of internal controls that stops it being too easy to roam around. Finally, there has to be external controls to prevent a hacker getting into the network in the first place.”

Dwyer has some sympathy for the Comptroller and Auditor General's office and other public sector organisations that have lost laptops.

“They are subject to the Freedom of Information Act and have to tell the truth but there is a lot we still don't hear about. This type of problem is much more widespread than the state sector. Thousands of laptops are lost in airports on a daily basis and a tiny percentage will be encrypted.”

According to a recent Dell survey more than 800,000 laptops are lost annually in US and European airports. Nearly half of those surveyed said they kept confidential information on their laptops. Over half of them took no steps to protect that data in the event of a loss or theft.

Dwyer's own experience confirmed these findings. “We've been involved in laptop encryption for 10-15 years and I'd say only a small fraction have any level of protection on them.”

Security specialists will say that most organisations now have security policies in place, so why is there a disconnect between drawing up policies and implementation?

“The policies are drawn up at a high level but the implementation of those procedures hasn't been mapped on to real life. That's the problem,” said Dwyer. Conor Flynn, technical services director at Rits, said it is a long-standing issue.

“Big organisations would have strong central policies in a lot of areas but there would be a certain amount of designated control to local branches. Unless there is regular auditing there will be inconsistencies in standards and deployments across their networks.”

Companies like Rits carry out audits and vulnerability testing for their clients and frequently uncover surprising lapses in control.

“One company that we went in to audit said that it didn't use wireless, but we went in and turned up a bunch of wireless technologies.”

This is not uncommon, according to Flynn, because wireless devices are treated like commodity items.

“People are buying them out of consumables budgets without the management even knowing, usually for very altruistic reasons. They might have a big meeting and want to enable staff to use their laptops in the boardroom. They put it in for good reasons but don't think about the implications of what they are doing.”

He said that Wi-Fi was also a weak link in retail, where unsecured hand-held wireless devices used for stocktaking, and the access points that serve them, could be exploited to hack into company networks. Similarly, some companies are using wireless to link buildings.

“It's very cost-effective for medium-sized firms with a couple of warehouses in a business park. Rather than dig up the tarmac and put down cables they stick in a wireless access point to link them together. But they don't always think through the security ramifications.” The message from Flynn is very clear: “If you are going to use wireless, secure it; otherwise don't.”

The case of the Comptroller and Auditor General is a different kind of failure and a sore point for Flynn and Rits because the company's details were on the laptop that went missing. What bothers him about the episode is that the Department of Social and Family Affairs, which held the details of Rits, was trying to do the right thing.

“They had encrypted the files on two CDs that were hand-delivered to the Comptroller's office. Someone there decrypted the files and put them on a laptop that was lost at a bus station.”

Mary Hanafin TD, Minister for Social and Family Affairs, has already expressed her anger at the incident and Flynn is similarly annoyed.

“The controllers go into the different departments and are very aggressive when it's audit time, yet they are unaccountable when something like this happens.

“It's not even about costs. It's about a distinct lack of leadership in the policy areas. They are being pushed across the departments, but each one seems to be doing their own thing.”

Wi-Fi protection
Much more secure than WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access) and its successor WPA2 negotiate a fresh session key for every client and vary the keying material for every packet, so the static-key weakness that makes WEP crackable does not apply. WPA2 should be preferred where the hardware supports it, since it uses AES-CCMP rather than WPA's interim TKIP cipher. Most entry-level wireless products now ship with WPA and WPA2 as standard and can cost as little as €50-60. One caveat: in pre-shared key mode the passphrase is the weak point, because the handshake can be captured and a short or dictionary passphrase guessed offline, so use a long random passphrase or, in a corporate setting, 802.1X authentication.
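As an added worked example (not from the article or from any of the companies quoted in it), the following Python script classifies the networks in an `iw dev wlan0 scan` dump the way an auditor walking a site would: it flags open, WEP and TKIP-only networks, and any SSID or BSSID that is not in the organisation's access-point inventory, which is how the unsanctioned boardroom, stocktaking and warehouse-link access points described above would surface. The scan text and the inventory are constructed for the example; only the fields the script reads are shown.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `iw dev wlan0 scan` output (not a real capture).
# The real tool indents with tabs; the parser strips either.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
    freq: 2437
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: WAREHOUSE-LINK
BSS 00:11:22:33:44:02(on wlan0)
    freq: 2412
    capability: ESS ShortSlotTime (0x0401)
    SSID: Boardroom
BSS 00:11:22:33:44:03(on wlan0)
    freq: 5180
    capability: ESS Privacy (0x0011)
    SSID: CorpNet
    RSN:     * Version: 1
             * Group cipher: CCMP
             * Pairwise ciphers: CCMP
             * Authentication suites: IEEE 802.1X
BSS 00:11:22:33:44:04(on wlan0)
    freq: 2462
    capability: ESS Privacy (0x0011)
    SSID: Stocktake
    WPA:     * Version: 1
             * Group cipher: TKIP
             * Pairwise ciphers: TKIP
             * Authentication suites: PSK
"""

# Constructed inventory of sanctioned access points: SSID -> set of BSSIDs.
APPROVED = {"CorpNet": {"00:11:22:33:44:03"}}

WEAK_MODES = {"OPEN", "WEP", "WPA-TKIP"}


@dataclass
class Network:
    bssid: str
    ssid: str = ""
    privacy: bool = False          # 'Privacy' capability bit: some encryption is in use
    rsn_pairwise: list = field(default_factory=list)  # ciphers from the RSN (WPA2) element
    wpa_pairwise: list = field(default_factory=list)  # ciphers from the legacy WPA element


def parse_iw_scan(text):
    """Parse the subset of `iw ... scan` output needed to judge link security."""
    nets, cur, section = [], None, None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-fA-F:]{17})", line)
        if m:
            cur = Network(m.group(1).lower())
            nets.append(cur)
            section = None
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur.ssid = s[len("SSID:"):].strip()
        elif s.startswith("capability:"):
            # Only the textual flags before the hex value matter here.
            cur.privacy = "Privacy" in s.split("(")[0].split()
        elif s.startswith("RSN:"):
            section = "rsn"
        elif s.startswith("WPA:"):
            section = "wpa"
        elif s.startswith("* Pairwise ciphers:"):
            ciphers = s.split(":", 1)[1].split()
            (cur.rsn_pairwise if section == "rsn" else cur.wpa_pairwise).extend(ciphers)
        elif not s.startswith("*"):
            section = None             # any other top-level field ends the RSN/WPA element
    return nets


def classify(n):
    """Map the parsed elements to the protection actually on the air."""
    if not n.privacy:
        return "OPEN"
    if not (n.rsn_pairwise or n.wpa_pairwise):
        return "WEP"                   # Privacy bit set but no WPA/RSN element: pre-WPA WEP
    if "CCMP" in n.rsn_pairwise:
        return "WPA2-CCMP"
    return "WPA-TKIP"                  # WPA1, or WPA2 configured TKIP-only


def audit(scan_text, approved):
    """Return (bssid, ssid, mode, findings) per network; empty findings means it passed."""
    report = []
    for n in parse_iw_scan(scan_text):
        mode = classify(n)
        findings = []
        if mode in WEAK_MODES:
            findings.append(f"weak protection: {mode}")
        if n.ssid not in approved:
            findings.append("SSID not in AP inventory: possible unmanaged or rogue AP")
        elif n.bssid not in approved[n.ssid]:
            findings.append("BSSID not in AP inventory: possible evil twin")
        report.append((n.bssid, n.ssid, mode, findings))
    return report


if __name__ == "__main__":
    for bssid, ssid, mode, findings in audit(SAMPLE_SCAN, APPROVED):
        print(f"{bssid} {ssid:15} {mode:10} {'; '.join(findings) or 'ok'}")
```

Run it against a real scan with `iw dev wlan0 scan | python3 audit.py` after replacing `SAMPLE_SCAN` with `sys.stdin.read()`; the inventory check is what catches the "we don't use wireless" surprise, while the mode check catches the WEP and TKIP links that are still encrypting but no longer protecting anything.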

Laptop encryption
All the major software vendors are moving towards delivering end-point security. Free encryption products such as TrueCrypt and CompuSec are available. Bear in mind that disk encryption is only as strong as the pre-boot passphrase that unlocks it, and that a laptop lost while powered on or merely suspended, with the key still in memory, is not protected by it. Newer products allow you to remotely destroy data on a lost laptop; Beyond Encryption Technologies is an Irish-based organisation with an IP-protected data security solution of this kind.

A ‘heartbeat' checks in with a server at regular intervals, using pre-set protocols, to ascertain whether the device has been reported lost or compromised. If the data does fall into the wrong hands it can be destroyed automatically. Since a thief can simply keep the machine offline, such an agent only helps if it also fails closed, locking or destroying the keys when check-ins stop; it complements disk encryption rather than replacing it.
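The check-in mechanism just described, as an added example that is not the article's and not Beyond Encryption's code: a minimal Python model of a laptop-side heartbeat agent. The server's reply is authenticated with an HMAC over a per-check-in nonce, so a recorded ‘all clear' cannot be replayed later and a forged one is ignored; a ‘lost' reply destroys the keys at once; and because a thief can keep the laptop offline, the agent also fails closed when no trusted reply arrives before its lease runs out. The device key, identifiers and timeline are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed per-device secret shared with the management server (an assumption for the
# example; a real product would provision this at enrolment, not hard-code it).
DEVICE_KEY = b"example-device-key-laptop-0042"
DEVICE_ID = "laptop-0042"


def server_reply(key, device_id, nonce, status):
    """Server side: answer a heartbeat challenge with an authenticated status."""
    msg = f"{device_id}|{nonce}|{status}".encode()
    return {"device_id": device_id, "nonce": nonce, "status": status,
            "mac": hmac.new(key, msg, hashlib.sha256).hexdigest()}


class HeartbeatAgent:
    """Laptop-side agent. Holds a lease that only a fresh, authenticated 'ok' reply can
    renew; a 'lost' reply or an expired lease destroys the data keys (fail closed)."""

    def __init__(self, key, device_id, grace_seconds, now):
        self.key = key
        self.device_id = device_id
        self.grace = grace_seconds
        self.lease_until = now + grace_seconds
        self.pending_nonce = None
        self.wiped = False

    def challenge(self):
        """Fresh nonce per check-in, so a recorded 'ok' cannot be replayed later."""
        self.pending_nonce = secrets.token_hex(16)
        return {"device_id": self.device_id, "nonce": self.pending_nonce}

    def _authentic(self, reply):
        if reply["device_id"] != self.device_id or reply["nonce"] != self.pending_nonce:
            return False
        msg = f"{reply['device_id']}|{reply['nonce']}|{reply['status']}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, reply["mac"])

    def tick(self, now, reply=None):
        """Called once per heartbeat interval. Returns 'ok', 'rejected', 'offline' or 'wipe'."""
        if self.wiped:
            return "wipe"
        outcome = "offline"
        if reply is not None:
            if self._authentic(reply):
                self.pending_nonce = None
                if reply["status"] == "lost":
                    return self._wipe()
                self.lease_until = now + self.grace
                outcome = "ok"
            else:
                outcome = "rejected"       # forged or replayed reply extends nothing
        if now >= self.lease_until:
            return self._wipe()            # too long without a trusted 'ok': fail closed
        return outcome

    def _wipe(self):
        self.wiped = True                  # stands in for destroying the data-encryption keys
        return "wipe"


def run_scenario():
    """Constructed timeline: normal check-in, a replay, a forgery, then the laptop goes dark."""
    agent = HeartbeatAgent(DEVICE_KEY, DEVICE_ID, grace_seconds=3 * 3600, now=0)
    log = []

    ch = agent.challenge()
    good = server_reply(DEVICE_KEY, DEVICE_ID, ch["nonce"], "ok")
    log.append(agent.tick(now=60, reply=good))                 # fresh, authentic: 'ok'

    agent.challenge()                                          # new nonce issued
    log.append(agent.tick(now=3600, reply=good))               # old reply replayed: 'rejected'

    ch = agent.challenge()
    forged = server_reply(b"wrong-key", DEVICE_ID, ch["nonce"], "ok")
    log.append(agent.tick(now=7200, reply=forged))             # bad MAC: 'rejected'

    log.append(agent.tick(now=10800, reply=None))              # still inside lease: 'offline'
    log.append(agent.tick(now=10860 + 3600, reply=None))       # lease (60 s + 3 h) expired: 'wipe'
    return log


def run_lost_report():
    """The server-initiated case: an authentic 'lost' reply destroys the keys immediately."""
    agent = HeartbeatAgent(DEVICE_KEY, DEVICE_ID, grace_seconds=3 * 3600, now=0)
    ch = agent.challenge()
    return agent.tick(now=60, reply=server_reply(DEVICE_KEY, DEVICE_ID, ch["nonce"], "lost"))


if __name__ == "__main__":
    print(run_scenario(), run_lost_report())
```

The grace period is the policy decision: too short and every flight without connectivity wipes a legitimate user's machine, too long and a thief has that much time to image the disk, which is why the agent is a complement to full-disk encryption rather than a substitute for it.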

Skimming prevention
Bacs is a payments industry body responsible for the processing of more than 5.5 billion payments a year. It recommends security measures for card machines based on tamper-evident and tamper-proof standards. Tamper-evident devices use seals or markings that make it obvious when a device has been opened or otherwise subjected to unauthorised access. Better still is a tamper-proof (more precisely, tamper-responsive) design, in which the terminal automatically erases its keys and disables its chips when tampering is detected, rendering the device unusable to the attacker.
