Archive for the ‘Data Breaches’ Category

Encrypt sensitive email – or be fined!

Friday, June 10th, 2011

Surrey County Council’s recent £120k fine from the Information Commissioner was for failing, on three separate occasions, to assess and address the security risks of sending sensitive personal information by email. In each case, highly sensitive information ended up in the wrong hands by mistake – and the fine wasn’t for the mistake itself, it was for failing to recognise that emails are sometimes mis-directed and for not taking appropriate steps to control that risk.

And that’s one of the important points about the Data Protection Act – it expects organisations to assess the risks to personal information and then to take appropriate technical and organisational measures to control the risks they have identified. In the case of sending sensitive information by email, it should by now be self-evident that mistakes sometimes happen, and that encrypting such emails as standard should be as much a default information security control as encrypting laptops, mobile media and USB sticks.

“We’re really, really sorry for….”

Tuesday, June 7th, 2011

“We’re really, really sorry for the PlayStation Network outage” is, apparently, the gist of Sony’s announcement on the issue. I guess it’s also, in essence, the message of the US organisations which experienced the 662 data breaches in 2010, exposing more than 16 million records (adding to an astonishing 480 million other records exposed in the US since 2005). These statistics are quoted in the just-published Ponemon report, together with the equally interesting finding of the CSO CyberSecurity Watch 2011 Survey that 81% of respondents had experienced a data breach in the last 12 months.

Is ‘really, really sorry’ enough? When you look at the recent spate of hack attacks – Sony, Nintendo, Lockheed Martin, Google’s Gmail – you have to conclude that there are lots of people out there who like breaking into networks – and you probably also have to conclude that there are lots of organisations out there who don’t care enough about the personal data with which they’re entrusted to take adequate steps to look after it.

Let’s think about it for a minute. If you live in a neighbourhood where casual crime is rife – people popping in through windows left open, slipping in through front doors left ajar, and likely to make off with your car if you leave it in the street with the keys in the ignition – what would you do? Yes, you’d probably start locking doors and windows and stuff like that.

Well, if you have a website, you’re in a tough neighbourhood – it’s called the Internet. And what’s the Internet equivalent of locking your doors? It’s finding and patching the vulnerabilities in your websites. And how do you do that? You commission a penetration test – straightforward and easy to do – and then you fix (what’s called remediation) the security holes it identifies.

And how much does a penetration test cost? It depends – but for the average website it will cost a little under £2k. Is £2k a better investment than the millions that a successful breach might cost you? (The Ponemon report estimates that the average data breach costs USD 7.2 million.)

India Leads the Way

Friday, June 3rd, 2011

It’s unusual to see India leading the way in Information Security Management – dealing with cyber security threats in a structured, systematic way.
Rule 8(4) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 says: “The body corporate or a person on its behalf who have implemented either ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government.”

That effectively makes accredited certification to ISO/IEC 27001 the expected route to demonstrating ‘reasonable security practices’ for Indian organisations handling sensitive personal data – as close to a legal requirement as makes no difference. Maybe, with more organisations required to follow Information Security Management best practice, we will see a gradual, long-term improvement in the protection of personal data – worldwide.

Sony Covered in Glory (Not)

Friday, June 3rd, 2011

If a hacker issues a statement saying they have broken into your website and stolen 1 million plain text passwords, as well as compromising a whole lot of other information, what would you do?

And if you’re the same global corporation that was previously hacked and had over 100 million other customer records compromised, what would you do the second time it happens?

Of course, you’d issue a statement saying that you were investigating the claims. That should do the trick, shouldn’t it?

Sony (Sony Pictures, this time) doesn’t appear to care about your security at all. A whole lot of useful personal information – name, address, telephone number, password – was stored in plain text, and all of it was accessed by means of a basic SQL injection attack. Neither failing is exotic: parameterised queries stop the injection, and salted, slow password hashing means a stolen table doesn’t hand the attacker everyone’s password.
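To make the two failings concrete, here is an added example (not code from the original post, and nothing to do with Sony’s actual systems) that builds an in-memory SQLite database with constructed sample accounts, stores them once in plain text and once as salted PBKDF2 hashes, and runs the same injected inputs against a string-built query and a parameterised one. The usernames, passwords and table names are assumptions for the demo.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional

# Constructed sample accounts (an assumption for the demo, not real data).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]
PBKDF2_ROUNDS = 100_000  # deliberately slow; raise in production as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash: a stolen table does not reveal the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db() -> sqlite3.Connection:
    """In-memory database holding the same users stored both ways."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (username TEXT, password_hash TEXT)")
    for username, password in SAMPLE_USERS:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (username, password))
        conn.execute("INSERT INTO users_hashed VALUES (?, ?)",
                     (username, hash_password(password)))
    conn.commit()
    return conn


# --- The Sony Pictures pattern: string-built SQL over a plaintext password column ---

def login_vulnerable(conn, username: str, password: str) -> Optional[str]:
    # Input is pasted straight into the query text; a quote in the input ends the literal.
    query = (f"SELECT username FROM users_plain "
             f"WHERE username = '{username}' AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def profile_lookup_vulnerable(conn, username: str) -> List[str]:
    # A read-only search built the same way leaks any column via UNION.
    query = f"SELECT username FROM users_plain WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query).fetchall()]


# --- The fix: parameterised queries, and only salted hashes on disk ---

def login_hardened(conn, username: str, password: str) -> Optional[str]:
    # The driver binds the value; it can never become part of the SQL grammar.
    row = conn.execute(
        "SELECT username, password_hash FROM users_hashed WHERE username = ?",
        (username,)).fetchone()
    if row is None or not verify_password(password, row[1]):
        return None
    return row[0]


def profile_lookup_hardened(conn, username: str) -> List[str]:
    rows = conn.execute(
        "SELECT username FROM users_hashed WHERE username = ?", (username,)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    bypass = "x' OR '1'='1' --"
    print("vulnerable login, injected username :", login_vulnerable(db, bypass, ""))
    print("hardened login, same input          :", login_hardened(db, bypass, ""))
    dump = "x' UNION SELECT password FROM users_plain --"
    print("passwords via UNION injection       :", profile_lookup_vulnerable(db, dump))
    print("same input against hardened lookup  :", profile_lookup_hardened(db, dump))
```

The `--` at the end of each injected string turns the rest of the original query into a comment, which is why the password clause never runs; against the hardened functions the whole string is just an unknown username.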

If you’re a corporation or run a website that stores personal data, you need to check it for vulnerabilities (it’s called penetration testing – and it’s neither complex nor expensive, but it is essential – a bit like checking your front door to make sure that it really is locked and won’t fall over if pushed).

If you’re an individual who had a Sony Pictures account, you need to:

  1. Change your password on any other online account that uses the same password;
  2. Watch out for phishing attacks – targeted right at you, with very relevant information – something like guidance on what to do if you are worried that your personal details may have been stolen;
  3. Watch out for vishing attacks – phishing by telephone (often over VoIP) – callers asking you for the critical missing information, like your date of birth or mother’s maiden name – maybe claiming to call from your bank…
  4. Keep an eye on your credit record – investigate anything suspicious asap (and remember, your bank will probably want to sell you insurance against identity theft, even though it may be designed not to pay out under most reasonably imaginable circumstances);
  5. Avoid Sony in future!!

Can we trust UK banks with our data?

Wednesday, June 1st, 2011

According to a recently published Which? report (based on the results of an FoI request to the ICO), there were, in the year up to August 2010, nearly 1,200 allegations of breaches of the DPA made to the ICO in respect of UK banks and building societies. The Which? report said that only 13% of people knew they could report DPA breaches to the ICO, suggesting that the number of actual breaches may be much, much higher.

And who could be surprised?  UK financial institutions – which once had a reputation for honesty and probity – have been implicated in scandal after scandal – pension mis-selling, the bank fee/charges scandal, the debt crisis and, more recently, the payment protection insurance mis-selling scandal. (They’re now selling insurance against identity theft – watch this turn into another scandal, with another multi-billion compensation pot.)

UK banks appear to have invested heavily in their complaint-suppression processes. Consumers are to be exploited, not cared for, appears to be their real philosophy. At least a Nigerian Advance Fee Fraud is self-evidently dishonest – UK banks cloak their schemes in legalese, glossy advertisements and implacable complaints processes. Failure to protect data is just one more area in which inadequacy and an absence of care end in failure. While we can avoid buying the banks’ schemes, we can’t avoid the fact that they hold our personal data. We can – and should – insist that our data is handled in line with the DPA. Banks will not do this voluntarily.

I believe that we have reached a point where financial institutions should be required to immediately report all DPA breaches to the ICO, that breaches should automatically attract a compensation award to the individuals affected and that repeated breaches should automatically attract a significant fine from the ICO, with the amount of the fine increasing with every subsequent breach.

What do you think?

Is it surprising….

Monday, May 9th, 2011

Is it surprising that organizations continue to suffer data breaches when so few of them give a damn?

In last year’s Carnegie Mellon CyLab survey, NO respondents (yes, not one) identified “improving computer and data security” as a top-three priority for the board. Now, I recognise that last year was another particularly tough year for most organisations, when hanging on to top-line revenue, controlling overheads and managing cashflow would have been daily challenges, but for data security not to make it somewhere near the top of the agenda is a little thoughtless – and perhaps explains why organisations like Sony continue to suffer data breaches.

It’s a bit like a homeowner saying that, because they’re worried about paying the mortgage, locking the doors and windows when they go out for the day is not a priority for them. We’d think that was pretty stupid, wouldn’t we?

Does Sony Actually Have a Clue?

Friday, May 6th, 2011

“Sony suffers second data breach with theft of 25m more user details.” Actually (according to the Guardian) this was the first loss: the Sony Online Entertainment (SOE) network was hacked on 16 and 17 April, while the PlayStation Network (PSN) was hacked between 17 and 19 April. Sony discovered the later hack first, believed the hackers had taken nothing beyond the initial 77 million records, and then discovered that they had already made off with 25 million others. That’s 102 million records – each with a value to hackers for whom identity theft is the new, wild opportunity – and, two weeks after the hack, Sony said: “on May 1, we concluded that SOE account information may have been stolen and we are notifying you as soon as possible.”

Two weeks is not really ‘as soon as possible’, Sony, is it? Two weeks after the event is more than enough time for these records to have been used maliciously. A tried and tested incident response procedure – one that combines forensic investigation with rapid customer communication in the event of a breach – should be part of any organisation’s information security management system. Perhaps Sony should get itself an ISMS?

“Out of an abundance of caution…”

Wednesday, April 27th, 2011

“Out of an abundance of caution, we are advising you that your credit card number (excluding security code) and expiration date may have been obtained,” Sony is reported to have said to the 77 million customers whose personal data was compromised between 17 and 19 April 2011.

Why? Why was Sony storing credit card numbers? PCI DSS requires that cardholder data is not stored unless there is a clear business reason for it, that the security code is never stored after authorisation, and that any stored card number (the PAN) is rendered unreadable – by a strong one-way hash of the whole number, by truncation, by tokenisation or by strong encryption with proper key management. Clearly Sony did not do this adequately, or it wouldn’t need to warn customers that this data may have been compromised. Does PCI DSS not apply to Sony, or what? Every day we see small e-commerce businesses being hounded into PCI compliance by their acquiring banks, often at an expense far greater than the immediate value to their business – but apparently not Sony. Is Sony too big to comply?
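‘Rendered unreadable’ has a trap that is worth seeing in code. This added example (mine, not from the original post or from any Sony or PCI SSC material) uses the well-known Visa test number 4111 1111 1111 1111 as constructed input, shows the permitted first-six/last-four truncation beside a keyed hash reference, and then demonstrates why an unkeyed SHA-256 of the PAN is not really unreadable: anyone holding the truncated PAN and the unkeyed hash only has to guess the six middle digits. The key in the example is generated locally and is an assumption; in a real deployment it lives in a key-management system, not in the database alongside the hashes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Well-known Visa test number (Luhn-valid, not a real card) used as constructed input.
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check-digit test for a PAN given as a digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """What a receipt or customer-service screen may show: first 6 and last 4 digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_reference(pan: str) -> bytes:
    """SHA-256 of the PAN alone. Looks irreversible, but the input space is tiny."""
    return hashlib.sha256(pan.encode()).digest()


def keyed_reference(pan: str, key: bytes) -> bytes:
    """HMAC-SHA256 under a key held outside the database (e.g. in an HSM or KMS).
    Without the key, the brute force below has nothing to compare against."""
    return hmac.new(key, pan.encode(), hashlib.sha256).digest()


def recover_from_unkeyed(first6: str, last4: str, digest: bytes) -> Optional[str]:
    """Attacker holding the truncated PAN and the unkeyed hash: at most 10**6 guesses
    for a 16-digit card (10**5 if the Luhn check is used to prune candidates first)."""
    for middle in range(10 ** 6):
        candidate = f"{first6}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode()).digest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    key = os.urandom(32)   # demo key; in production this comes from key management
    masked = truncate_pan(TEST_PAN)
    print("stored/displayed:", masked)
    recovered = recover_from_unkeyed(masked[:6], masked[-4:], unkeyed_reference(TEST_PAN))
    print("recovered from truncation + unkeyed hash:", recovered)
    print("keyed reference (hex prefix):", keyed_reference(TEST_PAN, key).hex()[:16], "...")
```

The practical rule that falls out of this: if a truncated PAN and a hashed PAN for the same card can ever sit side by side, the hash must be keyed (or the PAN tokenised), and the key must not be reachable by whoever can read the database.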

And what exactly does Sony mean by ‘an abundance of caution’? It wasn’t cautious enough to protect cardholder data in the first place and, as Alan Paller of the SANS Institute was reported by Reuters to have said, Sony may also have a tendency to throw up unreviewed, insecure code in a rush to get products to market – so, overall, not very cautious at all. Negligent, in fact, you might think.

Epsilon Data Breach, ISO27001 and Security

Wednesday, April 6th, 2011

Epsilon’s statement that, on March 30th, it had detected that “a subset [about 2%] of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system” has sparked a flurry of activity for a wide range of household names, whose email lists may have been exposed in this hack.

The fact that Epsilon has been hacked exposes one key myth about ISO27001 certification: it does not equate to 100% security. ISO27001 specifies a management system which, effectively deployed, improves an organisation’s information security and resilience; it does not guarantee that no attack will succeed. In Epsilon’s case (and Epsilon does have an ISO27001-certified ISMS) it would appear that an effective incident management procedure is in place, as this breach seems to have been identified quickly and followed by investigation and notification of the affected clients.

On the other hand, it would appear that there was a significant failure in Epsilon’s risk assessment process. Risk assessment is at the heart of effective information security management and, for an organisation that manages email data, the risk of an external cyber attack should be high on the list of worries. Epsilon’s IT infrastructure has been penetrated: cyber criminals found one or more vulnerabilities in it and took advantage of them to steal email data (and, remember, as email lists have real value to cyber criminals – not least for targeted phishing of the customers on them – the likelihood of an attack on an email database is high).

Epsilon’s selected controls were inadequate to deal with this risk and, as a result, it is now suffering a highly significant impact, the full scale and cost of which have yet to emerge.

What should Epsilon have done differently? It needed (and needs) a much more comprehensive security testing regime than it clearly has. Organisations with a low likelihood of cyber attack may feel confident that an annual penetration test (calling on a packaged penetration testing service) is an adequate check of the effectiveness of their cyber defences; organisations like Epsilon, where likelihood and impact are both very high, should be testing at least weekly – automated vulnerability scanning of the Internet-facing estate, supplemented by regular manual penetration tests.

Regular penetration testing, for high-value data systems like Epsilon’s, is essential but not enough. Zero-day vulnerabilities are now common, and a penetration test only tells you about what was known and reachable on the day it was run. Organisations need a systematic approach to tracking information about emerging vulnerabilities, identifying where they occur on their own systems, and rapidly remediating them. This requires a much more proactive information security function than most organisations have in place – but it is exactly what is envisaged in ISO27001 Annex A control A.12.6.1, Control of technical vulnerabilities; see the best practice guidance in ISO/IEC 27002 for more information on this and related controls.
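The ‘systematic approach’ that A.12.6.1 asks for is, at its core, a join between what you run and what has been disclosed, with a remediation deadline attached to each match. The following is an added example of mine (not from the original post, not Epsilon’s process, and not an ISO 27002 artefact) that does that join over a constructed software inventory and a constructed advisory feed; the package names, advisory identifiers, version numbers and the severity-to-deadline table are all assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventory: one row per (host, package). Hypothetical hosts and packages.
INVENTORY = [
    {"host": "mail-01", "package": "mailerd",  "version": "4.69"},
    {"host": "mail-01", "package": "tlslib",   "version": "1.0.0"},
    {"host": "web-01",  "package": "tlslib",   "version": "1.0.1"},
    {"host": "web-01",  "package": "webfront", "version": "2.2.14"},
    {"host": "db-01",   "package": "dbcore",   "version": "5.1.50"},
]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # hypothetical identifier, not a real CVE
    package: str
    fixed_in: str             # first version that is NOT affected
    severity: str             # "critical" | "high" | "medium" | "low"
    exploited_in_wild: bool = False


# Constructed advisory feed (the kind of data a vendor or CERT list would supply).
ADVISORIES = [
    Advisory("ADV-2011-0001", "mailerd",  "4.74",   "critical", exploited_in_wild=True),
    Advisory("ADV-2011-0002", "tlslib",   "1.0.1",  "high"),
    Advisory("ADV-2011-0003", "webfront", "2.2.18", "medium"),
]

# Remediation deadlines in days by severity: an assumed internal policy, not ISO text.
SLA_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple, so that Python's tuple ordering compares it."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """Affected if the installed version is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


@dataclass(frozen=True)
class Exposure:
    host: str
    package: str
    installed: str
    advisory_id: str
    severity: str
    deadline_days: int


def find_exposures(inventory: List[dict], advisories: List[Advisory]) -> List[Exposure]:
    """Join inventory against advisories; return the work list, most urgent first."""
    by_package: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_package.setdefault(adv.package, []).append(adv)

    found: List[Exposure] = []
    for item in inventory:
        for adv in by_package.get(item["package"], []):
            if not is_vulnerable(item["version"], adv.fixed_in):
                continue
            days = SLA_DAYS[adv.severity]
            if adv.exploited_in_wild:
                days = min(days, 1)   # active exploitation: treat as an emergency change
            found.append(Exposure(item["host"], item["package"], item["version"],
                                  adv.advisory_id, adv.severity, days))

    found.sort(key=lambda e: (e.deadline_days, SEVERITY_RANK[e.severity], e.host))
    return found


if __name__ == "__main__":
    for e in find_exposures(INVENTORY, ADVISORIES):
        print(f"{e.deadline_days:>3}d  {e.severity:<8} {e.host:<8} "
              f"{e.package} {e.installed}  ({e.advisory_id})")
```

Run weekly (or on every feed update) and diffed against the previous run, the output is the evidence trail an auditor expects for this control: what was exposed, when it was known, and when it was fixed. The version parser is deliberately minimal; real package versions with letters or epochs need the distribution’s own comparison rules.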

Social Media Governance

Friday, April 1st, 2011

Gartner says that “IT & business leaders must face the fact that social collaboration is already a reality.” I agree. As a company, we have been working with social media in its varying, evolving forms for a number of years. This blog, for instance, has been in existence for five or six years – it’s never been a blog-a-day blog, but I’ve been writing about issues in and around information security and IT Governance irregularly for a long time. We published a Web 2.0 Best Practice Report in July 2008 and coined the phrase ‘Threat 2.0’ to describe the combination of threats to the confidentiality, integrity and availability of data posed by the explosion in social media.

As a company, we’ve been producing the IT Governance blog for a couple of years, have a Twitter feed (which we’ve just made the default way of ensuring that everyone inside the company is able to stay on top of our own news and developments), an IT Governance Facebook page and a large number of topic-related IT Governance LinkedIn groups, all sitting under a single IT Governance profile.

We’ve grappled with social media for many years, from the early excitement of each of the ‘next big things’ through to the period of mainstream adoption, where issues like employee accountability, corporate resilience, privacy, compliance, confidentiality, data integrity and archiving are being taken increasingly seriously by business, IT and compliance leaders in organisations large and small across the world.

Our Social Media Governance Toolkit was developed out of a combination of our own experience, research and identification of existing good practice across the Internet. It continues to be informed by both internal and external feedback from actual use, and we continue to make upgrades available to customers who have already purchased their own copy. For instance, we will shortly be sending out a LinkedIn Group Policy template, reflecting our own experience of the need to ensure that LinkedIn Groups continue to be useful forums for exchanging information in a reasonably informal (but unspammed) environment.

We hope, as increasing numbers of organisations deploy our Social Media Governance Toolkit (or similar policies and practices), that we will between us keep the ‘free interchange’ aspect of the Internet working effectively.