Tuesday, March 10, 2009

Public Sector Data Leaks

On 9th March Lothian and Borders Police announced that they had lost containing details of vehicles of interest and other intelligence (http://news.bbc.co.uk/1/hi/scotland/edinburgh_and_east/7932228.stm). In recent months there have been a number of high-profile data losses in the UK public sector – what is happening, why, and what can be done to prevent it?

The public sector is being driven by the requirement to aggregate data from many sources into large databases; this makes the databases more attractive to criminals, as compromising a single database has the potential to yield more data. Another effect of data aggregation is that it becomes increasingly difficult and costly to “dis-aggregate” the data when sharing it with third parties.

This is exactly what happened in the well-publicized case of the lost child benefit records. The National Audit Office had requested specific “de-personalised” data; internally, HMRC decided that it was too expensive to depersonalize the data in the way the National Audit Office had requested and, therefore, the complete data was sent. This was only compounded by the fact that the data was sent unencrypted on a CD via an insecure mail service.

As well as the primary effect of this incident (the compromise of people’s personal details), there was a secondary attack where people were targeted with an email offering a £215 tax rebate which redirected them to a malware site.

The bad news is that it is getting worse: in the 12 months to September 2008 there were 12 major incidents in the public sector affecting 29 million records. See http://www.silicon.com/publicsector/0,3800010403,39295167,00.htm for more details.

The government’s response to these data losses has been a working party that produced the following recommendations.

Changes to policy, systems, procedures and controls with the focus on trust, reputational risks, cost avoidance and accountability.

However, the focus is on risk and cost avoidance from a government perspective. In most of these incidents the government bears very little cost or risk. In the case of the HMRC incident the risk was borne by the individuals claiming child benefit (potentially having their bank accounts compromised) and the cost was borne by the banks (potential losses through fraud and the administrative effort of changing account numbers, reissuing cards, etc.).

Penetration Testing.

Penetration testing is a worthwhile exercise but it assumes that the weakest point is the network perimeter; this would not have prevented any of these incidents occurring.

Encryption of end points.

All of these incidents have occurred because of endpoint vulnerability; the CD, the USB memory stick or the laptop left in a taxi. Clearly the encryption of endpoints is critical in mitigating risk if the endpoint itself is lost or stolen.

Unfortunately, these recommendations do not address the real issue – the people in control of the data have no interest in keeping it secure, an effect called externality. The organizations involved do not bear the consequences of their actions – there is no point in fining a public sector organization as it is public money anyway. The only way this issue will be addressed is for the individual employees of these organizations to bear the consequences of their actions – and ultimately this will probably mean serious criminal sanctions.
