Archive for the ‘Data Protection’ Category

Sony Covered in Glory (Not)

Friday, June 3rd, 2011

If a hacker issues a statement saying they have broken into your website and stolen 1 million plain text passwords, as well as compromising a whole lot of other information, what would you do?

And if you’re the same global corporation that was previously hacked and had 1 million other customer records compromised, what would you do the second time it happens?

Of course, you’d issue a statement saying that you were investigating the claims. That should do the trick, shouldn’t it?

Sony (Sony Pictures, this time) doesn’t appear to care about your security at all. A whole lot of useful personal information was stored in plain text: name, address, telephone number, password. And all of it was accessed by means of a basic SQL injection attack.

If you’re a corporation or run a website that stores personal data, you need to have it checked for vulnerabilities. It’s called penetration testing, and it is neither complex nor expensive, but it is essential: a bit like checking your front door to make sure that it really is locked and won’t fall over if pushed.
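To make the two failures above concrete, here is an added example (my own, not code from Sony Pictures or from the original post) in Python with an in-memory SQLite database. It shows a login and a profile search built by string formatting over a table of plain-text passwords, the two injection strings a penetration tester would try first (one bypasses the login, the other dumps the password column), and the hardened equivalent: parameterised queries plus a salted, slow password hash. The account names, passwords and table layout are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample accounts for this example; not data from any real site.
USERS = [("alice", "correct horse"), ("bob", "hunter2")]

# Two classic injection strings a penetration tester would try in a login form.
# The first turns the WHERE clause into a tautology; the second appends a UNION
# that pulls the password column out of the same table.
BYPASS = "' OR '1'='1"
DUMP = "x' UNION SELECT password FROM users -- "


def setup_vulnerable_db() -> sqlite3.Connection:
    """The table as the post describes it: passwords stored in plain text."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def vulnerable_login(con: sqlite3.Connection, name: str, password: str) -> bool:
    """Query assembled by string formatting: user input becomes part of the SQL."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return con.execute(sql).fetchone() is not None


def vulnerable_lookup(con: sqlite3.Connection, name: str) -> List[str]:
    """A profile search with the same flaw; the UNION payload makes it dump passwords."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in con.execute(sql)]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. 100k iterations keeps the example quick; use a
    higher count or a memory-hard function (scrypt, Argon2) in production."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def setup_hardened_db() -> sqlite3.Connection:
    """Same accounts, but only a salt and a slow hash are stored, never the password."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    for name, password in USERS:
        salt, digest = hash_password(password)
        con.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    return con


def hardened_login(con: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised query (the driver sends the value separately from the SQL) and a
    constant-time comparison of the recomputed hash."""
    row = con.execute("SELECT salt, digest FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def hardened_lookup(con: sqlite3.Connection, name: str) -> List[str]:
    """Same search, parameterised: the payload is just a name that matches nothing."""
    return [row[0] for row in con.execute("SELECT name FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    v = setup_vulnerable_db()
    print("vulnerable login with tautology payload:", vulnerable_login(v, "alice", BYPASS))
    print("vulnerable search with UNION payload:   ", vulnerable_lookup(v, DUMP))
    h = setup_hardened_db()
    print("hardened login with tautology payload:  ", hardened_login(h, "alice", BYPASS))
    print("hardened search with UNION payload:     ", hardened_lookup(h, DUMP))
```

Note that the hardened version fixes both problems independently: parameterised queries stop the injection, and hashing means that even a successful dump of the table yields nothing that can be replayed against other sites. A penetration test that sends the two payloads above to every input of a login or search form will find the first class of problem in minutes.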

If you’re an individual who had a Sony Pictures account, you need to:

  1. Change your password on any other online account that uses the same password;
  2. Watch out for phishing attacks, targeted right at you and using very relevant information, for example ‘guidance’ on what to do if you are worried that your personal details may have been stolen;
  3. Watch out for vishing attacks (voice phishing, often over VoIP): telephone callers asking you for the critical missing information, like date of birth or mother’s maiden name, perhaps claiming to call from your bank;
  4. Keep an eye on your credit record and investigate anything suspicious as soon as possible (and remember, your bank will probably want to sell you insurance against identity theft, even though this may be designed not to pay out under most reasonably imaginable circumstances);
  5. Avoid Sony in future!

Can we trust UK banks with our data?

Wednesday, June 1st, 2011

According to a recently published Which? report (based on the results of an FoI request to the ICO), there were, in the year to August 2010, nearly 1,200 allegations of DPA breaches made to the ICO in respect of UK banks and building societies. The Which? report said that only 13% of people knew they could report DPA breaches to the ICO, suggesting that the number of actual breaches may be much, much higher.

And who could be surprised? UK financial institutions – which once had a reputation for honesty and probity – have been implicated in scandal after scandal: pension mis-selling, the bank fee/charges scandal, the debt crisis and, more recently, the payment protection insurance scam. (They’re now selling insurance against identity theft – watch this turn into another scandal, with another multi-billion compensation pot.)

UK banks appear to have invested heavily in their complaint-suppression processes. Consumers are to be exploited, not cared for, appears to be their real philosophy. At least a Nigerian advance-fee fraud is self-evidently dishonest; UK banks cloak their schemes in legalese, glossy advertisements and implacable complaints processes. Failure to protect data is just one more area in which absence of care leads to inadequacy, and inadequacy leads to failure. While we can avoid buying the banks’ schemes, we can’t avoid the fact that they have our personal data. We can – and should – insist that our data is handled in line with the DPA. Banks will not do this voluntarily.

I believe that we have reached a point where financial institutions should be required to immediately report all DPA breaches to the ICO, that breaches should automatically attract a compensation award to the individuals affected and that repeated breaches should automatically attract a significant fine from the ICO, with the amount of the fine increasing with every subsequent breach.

What do you think?

Is it surprising….

Monday, May 9th, 2011

Is it surprising that organizations continue to suffer data breaches when so few of them give a damn?

In last year’s Carnegie Mellon CyLab survey, NO respondents (yes, not one) identified “improving computer and data security” as a top three priority for the board. Now, I recognize that last year was another particularly tough year for most organizations, when hanging on to topline revenue, controlling overhead and cashflow management would have been daily challenges, but for data security not to make it to somewhere near the top of the agenda is a little thoughtless – and perhaps explains why organisations like Sony continue to experience data breaches.

It’s a bit like a homeowner saying that, because they’re worried about paying the mortgage, locking the doors and windows when they go out for the day is not a priority for them. We’d think that was pretty stupid, wouldn’t we?

Does Sony Actually Have a Clue?

Friday, May 6th, 2011

“Sony suffers second data breach with theft of 25m more user details.” Actually, (according to the Guardian) this was their first loss – the Sony Online Entertainment (SOE) network was hacked on 16 & 17 April, while the PlayStation Network (PSN) was hacked between 17 & 19 April. Sony discovered the second hack first, didn’t think that the hackers had taken anything other than the initial 77 million records and then discovered that, actually, the hackers had already made off with 25 million other records. 102 million records - each with a value to hackers for whom identity theft is the new, wild opportunity – and, two weeks after the hack, Sony said: “on May 1, we concluded that SOE account information may have been stolen and we are notifying you as soon as possible.”

Two weeks is not really as soon as possible, Sony, is it? Two weeks after the event is more than enough time for these records to have been used maliciously. A tried and tested incident response procedure - which combines forensic investigation with rapid client communication in the event of a breach – should be part of any organisation’s information security management system. Perhaps Sony should get itself an ISMS?

“Out of an abundance of caution…”

Wednesday, April 27th, 2011

“Out of an abundance of caution, we are advising you that your credit card number (excluding security code) and expiration date may have been obtained,” Sony is reported to have said to the 77 million customers whose personal data was compromised between 17 and 19 April 2011.

Why? Why was Sony storing credit card numbers at all? PCI DSS says that cardholder data must not be stored unless there is a clear business need, that the card security code must never be stored after authorisation, and that wherever the primary account number is kept it must be rendered unreadable: strong encryption with proper key management, truncation, tokenisation, or a one-way hash (which, to be of any use, must itself be keyed, because the structure of a card number leaves far too few candidates for a plain hash to resist a brute-force search). Warning 77 million customers that their card numbers and expiry dates ‘may have been obtained’ suggests that Sony was not confident the stored numbers were unreadable to whoever took them. Does PCI DSS not apply to Sony, or what? Every day, we see small e-commerce businesses being hounded into PCI compliance by their acquiring banks, often at a cost far greater than the immediate value to their business – but apparently not Sony. Is Sony too big to comply?
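‘Hashed so that it is unreadable’ deserves a closer look, so here is an added example (mine, not Sony’s code or anything from the original post) in Python. It shows the truncated display form PCI DSS allows, an unkeyed SHA-256 of the card number, an HMAC under a secret key, and a search that recovers the full number from the unkeyed hash when the issuer prefix and last four digits are known (exactly what a truncated copy stored beside it gives away). A 16-digit number with six known leading and four known trailing digits has six unknown digits, and the Luhn check digit pins one of them, so there are only 10**5 candidates to hash. The card number used is the well-known public Visa test number 4111 1111 1111 1111, not a real account, and the HMAC key is a constructed placeholder.

```python
import hashlib
import hmac
from typing import Optional

def luhn_contribution(d: int, doubled: bool) -> int:
    """Contribution of one digit to the Luhn sum (every second digit from the right is doubled)."""
    if doubled:
        d *= 2
        if d > 9:
            d -= 9
    return d

def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check; every genuine card number passes it."""
    total = sum(luhn_contribution(int(ch), i % 2 == 1) for i, ch in enumerate(reversed(pan)))
    return total % 10 == 0

def truncate(pan: str) -> str:
    """Display form permitted by PCI DSS: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def unkeyed_hash(pan: str) -> str:
    """A plain SHA-256 of the card number: deterministic, and reversible by search (see below)."""
    return hashlib.sha256(pan.encode()).hexdigest()

def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept in the key-management system or HSM.
    Without the key the search below cannot be run."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def render_unreadable(pan: str, key: bytes) -> dict:
    """What a merchant database may reasonably hold: a truncated form for display and a
    keyed hash for matching repeat customers or chargebacks."""
    return {"display": truncate(pan), "lookup": keyed_hash(pan, key)}

def recover_from_unkeyed(target_hex: str, first6: str, last4: str, pan_len: int = 16) -> Optional[str]:
    """Recover a card number from an unkeyed SHA-256 given its first six and last four digits.
    One of the remaining digits is fixed by the Luhn check, so for a 16-digit number only
    10**5 candidates are hashed. Returns None if no candidate matches (e.g. the hash was keyed)."""
    free_len = pan_len - len(first6) - len(last4) - 1
    pinned_doubled = len(last4) % 2 == 1  # the pinned digit sits just left of last4
    for n in range(10 ** free_len):
        free = str(n).zfill(free_len)
        # Luhn sum with the pinned digit set to 0, then solve for the digit that makes it 0 mod 10.
        base = sum(luhn_contribution(int(ch), i % 2 == 1)
                   for i, ch in enumerate(reversed(first6 + free + "0" + last4)))
        for d in range(10):
            if (base + luhn_contribution(d, pinned_doubled)) % 10 == 0:
                candidate = first6 + free + str(d) + last4
                if unkeyed_hash(candidate) == target_hex:
                    return candidate
                break
    return None

if __name__ == "__main__":
    pan = "4111111111111111"  # public Visa test number, not a real account
    key = b"constructed-test-key-do-not-reuse"  # placeholder; a real key lives in an HSM
    print(render_unreadable(pan, key))
    print("recovered from unkeyed hash:", recover_from_unkeyed(unkeyed_hash(pan), "411111", "1111"))
    print("recovered from keyed hash:  ", recover_from_unkeyed(keyed_hash(pan, key), "411111", "1111"))
```

The search finishes in about a second in plain Python even in the worst case, which is the whole point: an unkeyed hash of a card number is not ‘unreadable’ in any sense PCI DSS cares about. Salting does not help either, since the attacker has the salt and the search space is already tiny; only a secret key (or strong encryption with the key held elsewhere) does.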

And what exactly does Sony mean when they talk about ‘an abundance of caution’? They weren’t cautious enough to protect cardholder data in the first place and, as Michael Paller was reported by Reuters to have said, Sony may also have a tendency to throw up unreviewed, insecure code in a rush to get products to market – so, overall, not very cautious at all. Negligent, in fact, you might think.

Epsilon Data Breach, ISO27001 and Security

Wednesday, April 6th, 2011

Epsilon’s statement that, on March 30th, it had detected that “a subset [about 2%] of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system” has sparked a flurry of activity for a wide range of household names, whose email lists may have been exposed in this hack.

The fact that Epsilon has been hacked exposes one key myth about ISO27001 certification: it does not equate to 100% security. ISO27001 is simply a management system which, effectively deployed, improves an organisation’s information security and resilience. In Epsilon’s case (and Epsilon does have an ISO27001-certified ISMS) it would appear that there is an effective incident management procedure in place, as this breach seems to have been identified quickly, followed by appropriate noises about investigation and notifications.

On the other hand, it would appear that there was a significant failure in Epsilon’s risk assessment process. Risk assessment is at the heart of effective information security management and, in the case of an organisation that manages email data, the risk of an external cyber attack should be high on the list of worries. Epsilon’s IT infrastructure has been penetrated; cyber criminals have found one or more vulnerabilities in the Epsilon infrastructure and taken advantage of them to steal email data (and, remember, as email lists have real value to cyber criminals, the likelihood of a cyber attack on an email database is high).

Epsilon’s selected controls were inadequate to deal with this risk and, as a result, it is now suffering a highly significant impact, the full scale and cost of which have yet to emerge.

What should Epsilon have done differently? It needed (and needs) a much more comprehensive security or penetration testing regime than it clearly has. Organisations that have a low likelihood of cyber attack may feel confident that an annual penetration test (calling on a packaged penetration testing service) is an adequate check of the effectiveness of their cyber defences; organizations like Epsilon, where the likelihood and impact are both very high, should be looking at least at weekly penetration tests.

Regular penetration testing, for high-value data systems like Epsilon’s, is essential but not enough. Zero-day vulnerabilities are now common. Organizations need a systematic approach to tracking information about emerging vulnerabilities, identifying occurrences on their systems, and rapidly remediating them. This requires a much more proactive information security function than most organizations have in place – but it is exactly what is envisaged in the ISO27001 Annex A control 12.6.1 Control of Technical Vulnerabilities – see the best practice guidance in ISO/IEC 27002 for more information on this (and related) controls.
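The three steps that control calls for (track advisories, identify where they apply, remediate) are mechanical enough to show in code. Here is an added example (my own, not Epsilon’s tooling or anything from the original post) in Python: a software inventory is matched against an advisory feed whose entries carry affected-version ranges, and the hits are turned into a per-host upgrade list ordered by severity. The hosts, package versions, advisory identifiers (ADV-…) and CVSS scores are all constructed for the example and correspond to no real advisory.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

def parse_version(v: str) -> tuple:
    """Split '2.4.10' or '1.0.1e' into comparable parts: numbers compare numerically,
    letter suffixes compare alphabetically and sort after the bare number."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", v))

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}

def version_matches(version: str, spec: str) -> bool:
    """True when the version satisfies every clause of a spec like '>=2.4.0,<2.4.10'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([0-9A-Za-z.]+)\s*", clause)
        if m is None:
            raise ValueError(f"bad version clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True

@dataclass(frozen=True)
class Advisory:
    ident: str      # hypothetical identifier for the example, not a real CVE
    product: str
    affected: str   # version spec in the format version_matches() understands
    fixed_in: str
    cvss: float

# Constructed advisory feed and host inventory (hypothetical identifiers and versions).
ADVISORIES = [
    Advisory("ADV-0001", "apache-httpd", ">=2.4.0,<2.4.10", "2.4.10", 7.5),
    Advisory("ADV-0002", "openssl", ">=1.0.1,<1.0.1h", "1.0.1h", 9.8),
    Advisory("ADV-0003", "postfix", "<2.11.0", "2.11.0", 5.3),
]
INVENTORY = {
    "web-01": {"apache-httpd": "2.4.7", "openssl": "1.0.1e"},
    "web-02": {"apache-httpd": "2.4.12", "openssl": "1.0.2a"},
    "mail-01": {"postfix": "2.11.3", "openssl": "1.0.1e"},
}

Exposure = Tuple[str, str, str, Advisory]  # host, product, installed version, advisory

def find_exposures(inventory: Dict[str, Dict[str, str]], advisories: List[Advisory]) -> List[Exposure]:
    """Every (host, package) whose installed version falls in an advisory's affected range,
    most severe first so the remediation order follows impact."""
    hits = [(host, product, version, adv)
            for host, packages in inventory.items()
            for product, version in packages.items()
            for adv in advisories
            if adv.product == product and version_matches(version, adv.affected)]
    hits.sort(key=lambda e: (-e[3].cvss, e[0], e[1]))
    return hits

def remediation_plan(exposures: List[Exposure]) -> Dict[str, List[str]]:
    """Per host, the upgrades that close its exposures (one entry per product)."""
    plan: Dict[str, Dict[str, str]] = {}
    for host, product, _version, adv in exposures:
        current = plan.setdefault(host, {})
        # If two advisories hit the same product, the higher fixed version clears both.
        if product not in current or parse_version(adv.fixed_in) > parse_version(current[product]):
            current[product] = adv.fixed_in
    return {host: [f"upgrade {p} to {v}" for p, v in sorted(ups.items())]
            for host, ups in plan.items()}

if __name__ == "__main__":
    for host, actions in remediation_plan(find_exposures(INVENTORY, ADVISORIES)).items():
        print(host, actions)
```

In practice the inventory comes from the package manager or an agent and the feed from a vendor or national vulnerability database, but the matching logic is the same; the part organisations usually lack is not the code but the discipline of running it daily and acting on the output.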

Two More DPA Fines – Lessons

Wednesday, February 9th, 2011

The ICO has just issued two more fines for breaches of the DPA. Ealing and Hounslow councils are, between them, paying up £150,000 of money they probably don’t have to spare for the theft of just two laptops from an employee’s home.

There are three key learning points from this most recent set of fines:

1. Laptops must be encrypted – the ICO said: “Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough.” Our free Technical Briefing Paper describes clearly what has to be done to encrypt laptops and portable devices.

2. You cannot hand your data protection responsibilities over to a third party – you must have a clear contract in place, with the right of audit, and you must take action to ensure that your third party contractor complies with its responsibilities. The ICO said: “The penalty against Hounslow Council also makes clear that an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected.”

3. Lax data protection practices will lead to fines. The ICO’s statement concluded with this warning: “Both councils have paid the price for lax data protection practices. I hope all organisations that handle personal information will make sure their houses are in order – otherwise they too may have to learn the hard way.”

And the fines are just the monetary tip of the iceberg: before the fine is even issued, there is an investigation to endure, there is highly damaging PR and you still end up having to comply with the DPA anyway. So the sensible thing is to comply in advance of a breach – because, sooner or later, every organisation has a breach.

The process of becoming compliant is straightforward: carry out a gap analysis to identify where your actual practices are deficient against the requirements of the DPA, create an action plan to close the gap, and execute that plan. We created a DPA Compliance Toolkit specifically to put everything required for this process in one place. It costs £100. If both Ealing and Hounslow had purchased – and deployed – their own copy of the toolkit, it might have saved them a joint £150,000. Not a bad return on investment!

Local Councillors Must Comply with DPA

Wednesday, January 26th, 2011

According to an article published today, local councillors must register with the ICO if they process personal data in their constituency offices. Apparently 6,000 are already registered and another 13,000 could and should. Of course, registration with the ICO is just the start – once registered, they also have to comply with the DPA. Compliance is relatively straightforward – the problem is that most organisations, particularly smaller ones, leave compliance until after they’ve been breached and then have to deal with all the sad repercussions of negative press coverage and distressed constituents. The penalties for compliance failures are potentially very significant.

Forrester Prioritises Social Media Governance

Tuesday, January 25th, 2011

Research giant Forrester has identified the need for Social Media Governance as the starting point for adopting social technologies in organisations. Social Media Governance is a complex topic – it starts with adopting a social media policy but it does then have to deal with a comprehensive range of headline issues such as:

  • Social Media User Guidelines
  • Roles & Responsibilities
  • Metrics & Monitoring
  • Records Management 
  • Legal Guidance
  • Communications Policy
  • Branding & (Corporate) Style Guide
  • Training

Security is a major area and should be linked with any ISO27001 or other ISMS that the organisation has in place. Key areas for the information security team to address include:

  • Acceptable Use Policy
  • User Name and Password Management
  • Classification 
  • Anti-malware
  • Backup
  • Incident Management
  • Monitoring
  • Privacy

And, finally, there probably need to be specific user guidelines or work instructions that cover, in some detail, at least the following social media activities:

  • Blogging
  • Facebook
  • LinkedIn and LinkedIn Groups
  • Instant Messenger – Organizational IM
  • Instant Messenger – Third Party IM allowed
  • Skype
  • Twitter
  • YouTube

The social media framework that we use in our own organisation is based on the ITGP Social Media Governance Toolkit. These templates have made our life much easier and, of course, our own experience and that of our customers is then fed back into further improvements in the templates.

To encrypt or not to encrypt?

Friday, October 1st, 2010

For the Forth Valley NHS Board, the answer is now a resounding ‘Yes’. Of course, it should have been a ‘Yes’ before there was a data breach, and before sensitive patient details were put at risk. However, the Board has now recognised (and has formally committed to ensure) that the only USB sticks available for use by Board staff should be issued by the Board, and that these USB sticks should all be encrypted.

It is, in today’s world of portable media, a basic security step. ISO27001 control A.10.7.1 specifically deals with management of removable media, and any organisation implementing this control must (amongst other things) use encrypted memory sticks – which can be purchased with USB-resident encryption, so that they are simple to deploy and use in the workplace.