Archive for the ‘ISO 27001’ Category

One arrest does not a solution make

Wednesday, June 22nd, 2011

As Iran has discovered, arresting individuals the government doesn’t like, or doesn’t agree with, doesn’t stop others protesting. Quite often, as Tunisia, Egypt, Libya, Yemen and others learned, arresting one person can lead to far more violent, vigorous and ultimately destructive protests.

The arrest, last night, of a 19-year old man alleged to have been one of the Lulz masterminds will not immediately patch the Internet security vulnerabilities that have been so gleefully exploited by hackers over the last few weeks. Unpatched security vulnerabilities are still an open invitation to hackers to penetrate an organisation’s data banks and, as has been proven time and again, there are lots and lots of hackers interested in proving their prowess. Many are also interested in the commercial resale value of what they are able to access.

Arresting one or more hackers is not a solution to cyber security weaknesses. The only practical solution is to identify those weaknesses and then remediate – and, as I’ve said before, that is a very straightforward process: vulnerability scanning, penetration testing, and then remediation – patching vulnerabilities, training staff, and improving technical security architectures.

The only solution to the cyber security threat is better security.

Data Protection legislation will become the norm

Tuesday, June 21st, 2011

It’s encouraging that Malaysia has passed a Privacy and Data Protection Act. It is even more encouraging that the government is taking practical steps – working with public and private sectors – to translate the legislation into practical data security. This new Malaysian law seems to have many of the attributes of the EU and UK data protection and privacy legislation and recognises that individual data must be properly protected and maintained.

Coming on the heels of India’s more comprehensive Information Technology (IT) Rules 2011, which also contains stringent requirements around privacy and data protection, it is evident that developing economies are increasingly recognising the need for governments to take a clear, regulatory lead in terms of creating appropriate frameworks for protecting personal data.

I would expect to see ISO 27001 – the international standard for data security – become ever more widely deployed as governments recognise the importance of information security management. India, of course, has already set out a requirement for organisations to undergo an annual audit to ISO27001.

It’s a pity that the United States – the world’s biggest digital economy – still lacks a single, federal law that protects individual data (other than on a sectoral basis, such as HIPAA or GLBA). Still, I guess we have to hope that, where the developed economy leads, the mature US economy will follow!

And how secure are you?

Monday, June 20th, 2011

Do you imagine that your website and network are as safe and secure against external cyber attack as those of the IMF, the CIA and the US Senate? Are you likely to have spent as much on cyber security as Sony, Nintendo, Sega, Fox, PBS and the rest? And do you think that, because you’re not a high profile organisation, you are immune to cyber attack?

If your answer to the first two questions is ‘No’ but you’ve answered ‘yes’ to the third, then I have to tell you that you are deluding yourself: all organisations, irrespective of size or sector, are at risk of cyber attack. The organisations that make the headlines are those with a high media profile – the multitudes of smaller hacked organisations do not make interesting front-page news and therefore get to suffer in silence. Absence of press coverage does not mean absence of cyber attack.

The first part of a cyber attack is usually automated: a free-standing, web-based ‘sniffer’ programme seeks out web security vulnerabilities (remember, security vulnerabilities are all publicly listed) and, in many instances, the subsequent attack – aimed at stealing information or simply taking over computers to use as part of a zombie botnet – is also automated.

Sometimes the attack comes by means of an increasingly carefully crafted ‘spear-phishing’ email and, increasingly, the attack is made possible when a member of staff downloads malware from an infected site – malware disguised as something important.

Every organisation has to take adequate steps to protect itself against external cyber attack. There are two practical ways of doing this. The first is to have quarterly HackerGuardian vulnerability scans run to check the security of your websites and externally facing IP addresses. PCI-compliant organisations already do this, but this is a basic security step that all organisations should take. The second is to have six-monthly penetration tests carried out. Pen tests look for opportunities to exploit vulnerabilities and security weaknesses that might have been missed. Sensible organisations will do both of these things, and will also take steps to ensure that they have a tried and tested incident response procedure to deal with those instances where front line defence fails.

Unless you take action today, you may be tomorrow’s cyber victim.

Pentest or Pull the Plug?

Monday, June 13th, 2011

Codemasters have just demonstrated the weakness of a fallback strategy, when attacked by hackers, of taking your website offline: the hackers will already have got away with a whole lot of valuable information. So Codemasters appear now to be in a position where their website is offline, their customers are upset – and a lot of their customers’ data is in the hands of those not entitled to have it. It’s not really a good way to run an Internet business, is it?

Sensible online organisations will usually do one – or both – of two things. The first is to run quarterly vulnerability scans across all websites that collect customer information – and one of the best tools for doing this is the HackerGuardian Scan service. It is PCI DSS compliant, which means that it meets requirements for e-commerce sites as well as scanning for all other website vulnerabilities.

The second thing to do is to have a detailed external penetration test carried out at least once per year and, ideally, on a quarterly basis – to make sure that your website and network access are both secured against attack. Pen testing is not expensive, and is not complicated – particularly when you purchase a pentesting package.

For most organisations, spending less than £10k per annum on Internet and network security testing must be a more sensible, more cost effective option than hoping that hackers won’t strike you – because they will.

Encrypt sensitive email – or be fined!

Friday, June 10th, 2011

Surrey County Council’s recent £120k fine from the Information Commissioner was for failing, on three separate occasions, to assess and address the security risks of sending sensitive personal information by email. In each case, highly sensitive information ended up in the wrong hands by mistake – and the fine wasn’t for the mistake, it was for failing to realise that sometimes emails are mis-directed and to take appropriate steps to control the risks.

And that’s one of the important points about the Data Protection Act – it expects organisations to assess risks to personal information, and then to take appropriate administrative, technical and organisational steps to control the identified risks. In the case of sending sensitive information by email, it should by now be self-evident that mistakes sometimes happen and that applying encryption to such emails, as a standard, should be as much a default information security control as applying encryption to laptops, mobile media and USB sticks.

Tweet Governance

Thursday, June 9th, 2011

If criminals can use Twitter as an attack vector, and if Facebook walls are malware magnets, what should the social media aware organisation do to protect its information resources?

Well, staff training is obviously essential – and it should take place before there’s a problem. Staff training, though, is usually part of a social media governance initiative, an overall policy and plan for identifying what, some years back, I called ‘Threat 2.0’. So, one of the best ways for organisations to start tackling social media threats – and to ensure they get genuine advantage from their use of social media – is to initiate a social media governance project. The best place to start on such a project is by getting and deploying a social media governance toolkit. As with all toolkits, the immediate benefit of using one is that it saves you from having to re-invent the wheel – you can access a comprehensive collection of policies and procedures that are based on recognised best practice and start putting them to immediate use in your own organisation.

“We’re really, really sorry for….”

Tuesday, June 7th, 2011

“We’re really, really sorry for the PlayStation Network outage” is, apparently, the gist of the Sony announcement on this issue. I guess it’s also, in essence, the message of the US organisations which experienced the 662 data breaches in 2010, exposing more than 16 million records (adding to an astonishing 480 million other records exposed in the US since 2005). These statistics are quoted in the just-published Ponemon report, together with the equally interesting finding of the CSO CyberSecurity Watch 2011 Survey, which found that 81% of respondents had experienced a data breach in the last 12 months.

Is ‘really, really sorry’ enough? When you look at the recent spate of hack attacks – Sony, Nintendo, Lockheed Martin, Google’s Gmail – you have to conclude that there are lots of people out there who like breaking into networks – and you probably also have to conclude that there are lots of organisations out there who don’t care enough about the personal data with which they’re entrusted to take adequate steps to look after it.

Let’s think about it for a minute. If you live in a neighbourhood where casual crime is rife – people popping in through windows left open, slipping in through front doors left ajar, and likely to make off with your car if you leave it in the street with the keys in the ignition – what would you do? Yes, you’d probably start locking doors and windows and stuff like that.

Well, if you have a website, you’re in a tough neighbourhood – called the Internet. And what’s the Internet equivalent of locking your doors? It’s patching vulnerabilities in your websites. And how do you do that? You deploy a penetration test - straightforward, easy to do – and then you fix (what’s called remediation) the security holes that are identified.

And how much does a penetration test cost? It does depend – but for the average website, it will cost marginally less than £2k – and is £2k a better investment than the millions that a successful breach might cost you? (The Ponemon report estimates that the average data breach costs USD 7.2 million.)

India Leads the Way

Friday, June 3rd, 2011

It’s unusual to see India leading the way in terms of Information Security Management – dealing with cyber security threats in a structured, systematic way.
Rule 8 (4) of The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 says: “The body corporate or a person on its behalf who have implemented either ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government.”

That effectively makes accredited certification to ISO/IEC 27001 a legal requirement for Indian organizations. Maybe, with more organisations forced to follow Information Security Management best practice, we may see a gradual, long term improvement in the protection of personal data – worldwide.

Sony Covered in Glory (Not)

Friday, June 3rd, 2011

If a hacker issues a statement saying they have broken into your website and stolen 1 million plain text passwords, as well as compromising a whole lot of other information, what would you do?

And if you’re the same global corporation that was previously hacked and had 1 million other customer records compromised, what would you do the second time it happens?

Of course, you’d issue a statement saying that you were investigating the claims. That should do the trick, shouldn’t it?

Sony (Sony Pictures, this time) doesn’t appear to care about your security at all. Stored in plain text was a whole lot of useful personal information: name, address, telephone number, password … and all accessed by means of a basic SQL injection attack.

If you’re a corporation or run a website that stores personal data, you need to check it out for vulnerabilities (it’s called penetration testing - and it’s neither complex nor expensive, but it is essential – a bit like checking your front door to make sure that it really is locked and won’t fall over if pushed).
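The Sony Pictures paragraph above names two separate failures: a query that lets user input rewrite the SQL, and passwords stored in plain text so that once the table is dumped every password is immediately usable. The following is an added example, not code from the original post or from Sony, showing both defects and their fixes side by side on a constructed two-user SQLite table (the user names and passwords are invented; the column and function names are my own). It goes slightly beyond the post by also showing why per-user salted password hashing limits the damage of a table dump that does get through.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample accounts for the demonstration (not real data).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a password.

    A fresh random salt per account means two users with the same password get
    different hashes, and a dumped table cannot be cracked with one shared
    precomputed table. This is the mitigation for 'passwords stored in plain text'.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    # Constant-time comparison so verification time leaks nothing about the digest.
    return hmac.compare_digest(digest, expected)


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table holding only salted hashes, never plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, password in SAMPLE_USERS:
        salt, digest = hash_password(password)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """The defect behind a 'basic SQL injection attack': input spliced into SQL text.

    Whatever the caller passes becomes part of the statement, so a value containing
    quotes and SQL keywords changes which rows the query returns.
    """
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Hardened form: a parameterised query.

    The value travels to the driver separately from the statement and is only ever
    compared as data, so the same hostile string simply matches no row.
    """
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Authenticate with a parameterised lookup and a salted-hash comparison."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0], row[1])


def dump_contains_plaintext(conn: sqlite3.Connection) -> bool:
    """Simulate the table being exfiltrated: is any stored value a sample password?"""
    stored = [row for row in conn.execute("SELECT salt, pw_hash FROM users")]
    plaintexts = {pw.encode("utf-8") for _, pw in SAMPLE_USERS}
    return any(value in plaintexts for salt, digest in stored for value in (salt, digest))


if __name__ == "__main__":
    db = build_db()
    hostile = "x' OR '1'='1"  # classic textbook input that rewrites the WHERE clause
    print("vulnerable lookup returns:", lookup_vulnerable(db, hostile))  # every user
    print("parameterised lookup returns:", lookup_safe(db, hostile))     # nothing
    print("bob/hunter2 logs in:", login(db, "bob", "hunter2"))
    print("dump exposes plaintext passwords:", dump_contains_plaintext(db))
```

The point to take from running it is that the two fixes are independent: the parameterised query stops the injection, and the salted hash means that even a table stolen by some other route does not hand over usable passwords.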

If you’re an individual who had a Sony Pictures account, you need to:

  1. Go change your password on any other online account that has the same password;
  2. Watch out for phishing attacks – targeted right at you, with very relevant information – something like guidance on what to do if you are worried that your personal details may have been stolen;
  3. Watch out for vishing attacks – phishing attacks by VoIP – telephone callers asking you for critical missing information, like date of birth or mother’s maiden name – maybe claiming to call from your bank …
  4. Keep an eye on your credit record – investigate suspicious stuff asap (and, remember, your bank will probably want to sell you insurance against identity theft, even though this may be designed not to pay out under most reasonably imaginable circumstances);
  5. Avoid Sony in future!!

Can we trust UK banks with our data?

Wednesday, June 1st, 2011

According to a recently published Which? report (based on the results of an FoI request to the ICO), there were, in the year up to August 2010, nearly 1,200 allegations of breaches of the DPA made to the ICO in respect of UK banks and building societies. The Which? report said that only 13% of people knew they could report DPA breaches to the ICO, suggesting that the number of actual breaches may be much, much higher.

And who could be surprised? UK financial institutions – which once had a reputation for honesty and probity – have been implicated in scandal after scandal – pension mis-selling, the bank fee/charges scandal, the debt crisis and, more recently, the payment insurance scam. (They’re now selling insurance against identity theft – watch this turn into another scandal, with another multi-billion compensation pot.)

UK banks appear to have invested heavily in their complaint-suppression processes. Consumers are to be exploited, not cared for, appears to be their real philosophy. At least a Nigerian Advance Fee Fraud is self-evidently dishonest – UK banks cloak their schemes in legalese, glossy advertisements and implacable complaints processes. Failure to protect data is just one of the areas in which failure follows inadequacy follows absence of care. While we can avoid buying the banks’ schemes, we can’t avoid the fact that they have our personal data. We can – and should – insist that our data is maintained in line with the DPA. Banks will not do this voluntarily.

I believe that we have reached a point where financial institutions should be required to immediately report all DPA breaches to the ICO, that breaches should automatically attract a compensation award to the individuals affected and that repeated breaches should automatically attract a significant fine from the ICO, with the amount of the fine increasing with every subsequent breach.

What do you think?