by Ricky M. Magalhaes
This article focuses on data leakage: how information assets are lost and what results from their exposure. Leakage may be the result of inadequate measures or poorly implemented controls that expose organizations and their clients.
2008 is the year of privacy in Europe. Data privacy will be the trend on the hype cycle for the next 24-36 months. Endpoint security is becoming the big focus, and many inventive technologies have been developed to address the problem. Leaders have already started to emerge in the market space, but this race is a long one.
In the first quarter of 2008, over eight major data leaks occurred in Europe, exposing over 50 million people in the UK alone. Worldwide, these figures are estimated to be tenfold. These statistics reflect reported numbers; however, they are believed to be understated, as organizations and government entities are not keen on reporting data leakage or data spillage.
At the end of February 2008, a laptop containing a CD (not in the CD drive, but hidden inside the computer) was bought on eBay. The laptop was taken to the local computer shop for repairs because of a rattle, and it was found that the CD belonged to the Home Office in the UK. Written on the CD was a request to return it if found (Home Office Confidential), and the data on the CD was encrypted. In this case the data was stored in a secure state, and the laptop was also encrypted, so the encryption keys were safe (or were they?). This differs from the stories of the past, where millions of records were found to be in the clear and lost in transit.
Recently, tests performed at Princeton University resulted in an interesting discovery. It was found that some encryption products stored their access keys in RAM, and that this RAM could be taken out of the computer and the keys recovered. This vulnerability has been ignored by some but taken very seriously by others, especially considering that some vendors sell a solution that protects against this data disclosure.
Why does data leakage keep happening, and why is little being done about these incidents in the private sector? Do organizations, representatives and officials understand the implications? Does anyone really care about your details? Considering that identity theft is by far the biggest problem in the digital age, more needs to be done to assure that your credentials and information are stored and transmitted safely.
Recently I found that organizations were not encrypting their data and that, for the most part, the people interviewed could not see the benefit of securing the confidentiality of their data because:
* Organizations did not understand the mechanics of encryption and what it was or could be used for in their business context.
* Key staff members, officials, management and directors were not educated about the laws specifying that encryption was necessary for certain data in their operational business and for their jurisdiction.
* It was also the consensus that encryption would add both an administrative and operational overhead that was felt to be unnecessary and potentially costly.
* Some organizations found that the total cost of ownership was too much compared to the value of the data.
* Some organizations did not know about encryption or what it was used for and thus felt that if they had been operating until now without it, it was unnecessary and possibly just another technical control that would be costly to implement and maintain.
* Some organizations said that they had nothing to hide and that no data was stored on their devices in transit.
* In some instances the organization had tried encryption once before but had a bad experience and thus aborted the project completely or left the solution in a bad state.
How is data stored and transmitted?
Data is stored in containers, like liquid. The term data leakage is appropriate as it contextualizes how the phenomenon occurs. Some data flows from place to place in conduits (networks or VPN links) like water in pipes, and this too is prone to leakage. In this scenario the data leaks near the tap, on the computer where the data is processed and transmitted from. It is also possible for the pipe/network to be tapped/sniffed, again resulting in data leakage. The counter to these vulnerabilities is encryption. Solutions like IPSec can help keep information secure while it is being transmitted.
Liquid can also be carried in buckets; data can similarly be transported on laptops, mobile phones, USB devices, memory sticks, tapes, etc. These buckets can have holes, or can lack the access controls that stop people from taking water out of the bucket. These technical controls can come in the form of encryption or strong access controls. In this day and age strong encryption is highly recommended, as most access controls are easy to bypass with tools available on the Internet.
Other potential data leakage points are remote access solutions, instant messaging clients, email, printouts and intruder attacks. Even a glass window in a skyscraper, which someone can peer through with a telescope from a vantage point in another building, can result in data theft. Do not rule these types of attacks out. Although it sounds far-fetched and low-tech, I consult at a banking hub and have recently shown a high profile bank how easy it is to do this from a public building across the road from where data is processed for many of their clients.
Why do we have to stop data leakage?
* Encrypt: Encrypting data enables confidentiality. This means that if the data falls into unauthorized hands, it is unreadable.
* Require two factor authentication: Passwords have become too weak, and two factor authentication is becoming more necessary as our lives become more digital. Think about the worth of your digital identity.
* Encrypt communication: If you do not want others to hear what you are saying, change the way you speak. Encrypting communications is not a new technique - it was used even in the times of the Romans. Rest assured, if you are not interested in the security of your communications, there are many unscrupulous people who are.
* Protect your keys: This is very important and should be the number one concern. Access to keys = Access to data. Your key needs to be stored in a secure manner. Just as with the key to your home, it is good to have a second set of keys stored away in a secure location, so that if the first set is destroyed you can retrieve your second key securely. This year alone I have consulted with four large clients that have lost their keys. One I was able to help by scanning all their removable material for the keys. The keys were retrieved and the data restored. This is also a security vulnerability, but the data was saved. The other clients lost access to their data and are still looking for the keys.
* Backup your data in a secure way: Data storage and data backup need to be performed in a secure way. It is important that data is accessible, and the ability to restore is paramount. In parallel, it is also important that such data is kept in a confidential form and that unauthorized users are not able to read or manipulate it. It is frightening to know that fewer than 5% of financial institutions in Europe are encrypting their backups. In a recent consultancy a large financial institution informed me that the encryption shortened the backup window and that it made the disaster recovery operation challenging. Little wonder why the figures do not add up…
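The "Protect your keys" point above notes that keys sitting on removable material are themselves a security vulnerability. The following Python audit is an added example, not part of the original article: it walks a directory tree, finds private key files and reports whether each one is passphrase-protected. The sample file names and contents are constructed placeholders.

```python
import pathlib
import re
import tempfile

# PEM armour line that opens a private key block (PKCS#1, PKCS#8, EC, OpenSSH, PGP).
BEGIN_RE = re.compile(rb"-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY(?: BLOCK)?)-----")

def classify_key(data, match):
    """Return 'encrypted', 'cleartext' or 'review' for one private key block."""
    label = match.group(1)
    first_line = data[match.end():match.end() + 64].lstrip(b"\r\n")
    # PKCS#8 passphrase protection, or the legacy OpenSSL PEM encryption header.
    if label == b"ENCRYPTED PRIVATE KEY" or first_line.startswith(b"Proc-Type: 4,ENCRYPTED"):
        return "encrypted"
    if label in (b"OPENSSH PRIVATE KEY", b"PGP PRIVATE KEY BLOCK"):
        return "review"                 # protection is recorded inside the encoded body
    return "cleartext"

def audit_tree(root, max_bytes=1_000_000):
    """Walk root and list (relative path, status) for every private key block found."""
    findings = []
    for path in pathlib.Path(root).rglob("*"):
        try:
            with path.open("rb") as fh:
                data = fh.read(max_bytes)
        except OSError:
            continue                    # directories and unreadable files are skipped
        rel = path.relative_to(root).as_posix()
        findings += [(rel, classify_key(data, m)) for m in BEGIN_RE.finditer(data)]
    return sorted(findings)

def demo():
    """Audit a constructed tree standing in for removable media (placeholders, not real keys)."""
    samples = {
        "backup/server.key": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n",
        "backup/old.pem": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\nCONSTRUCTED\n",
        "keys/p8.pem": b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nCONSTRUCTED\n",
        "notes.txt": b"quarterly figures\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = pathlib.Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return audit_tree(root)

if __name__ == "__main__":
    print(*(f"{status:10} {rel}" for rel, status in demo()), sep="\n")
```

Any file reported as cleartext holds a key that anyone with the media can use, so it should be re-wrapped with a passphrase or moved into managed key storage.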
In conclusion, vendors need to bear in mind that solutions that involve the encryption of valuable data need to be easy to maintain and deploy, and need to follow key management best practice. This means that the key material is held in escrow in a way that allows the organization to recover in a disaster. This proves vital on recovery, and failing to follow this simple practice will result in a lack of availability.
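One way to escrow key material so that it survives a disaster without any single storage location holding the whole key is threshold secret sharing. The Python below is an added example, not part of the original article, and goes beyond the single second key copy described above: it splits a key into five shares using Shamir's scheme, any three of which rebuild it. The key, share count and threshold are constructed for illustration.

```python
import secrets

# Arithmetic is in the prime field GF(P); 2**521 - 1 is a Mersenne prime (fits 64-byte keys).
P = 2**521 - 1

def split_key(key, threshold, count):
    """Split key into `count` shares; any `threshold` of them rebuild it."""
    if not 1 < threshold <= count:
        raise ValueError("need 1 < threshold <= count")
    secret = int.from_bytes(key, "big")
    if secret >= P:
        raise ValueError("key too long for this field")
    # Random polynomial of degree threshold-1 with the key as constant term.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, count + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def recover_key(shares, key_len):
    """Rebuild the key by Lagrange interpolation at x = 0."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    try:
        return secret.to_bytes(key_len, "big")
    except OverflowError:                   # too few or corrupted shares
        return None

def demo():
    """Escrow a constructed 256-bit key as 5 shares with a threshold of 3."""
    key = secrets.token_bytes(32)           # stands in for a disk or backup key
    shares = split_key(key, threshold=3, count=5)
    after_disaster = [shares[0], shares[3], shares[4]]   # two shares were lost
    return (recover_key(after_disaster, 32) == key,
            recover_key(shares[:2], 32) == key)

if __name__ == "__main__":
    print(demo())
```

Each share goes to a different custodian or site. The scheme does not detect a tampered share, so keep a hash of the key or a known test ciphertext to verify a recovery.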
About Ricky M. Magalhaes
Ricky M Magalhaes is an international information security business specialist, author and consultant, working with a myriad of high profile organizations. He has been consulting in the information security field for over ten years and continues to promote information security best practice, strategy and compliance to many top international entities. He has trained government agencies and other governmental entities on various information security disciplines and has often spoken at national and international conferences on behalf of Microsoft.