Showing posts with label Top Secret documents on train. Show all posts

Sunday, June 15, 2008

Even more documents lost....

Following on from my post last week, which discussed the loss of Top Secret government documents, a second breach has been hitting the headlines.

I was amazed that these kinds of documents were left on a train once, but for it to happen twice is beyond belief. Several of the statements made by government officials/in news reports did grab my attention, firstly:

"His work reportedly involves writing and contributing to intelligence and security assessments, and he has the authority to take secret documents out of the Cabinet Office - so long as strict procedures are observed."

So the government actually allows Top Secret (National Security documents) to be printed and taken off its premises. As a Security professional my first reaction was one of surprise until you consider the major security blunders by the UK government in the past 12 months.

Secondly, a comment made by Keith Vaz, Chairman of the Home Affairs Select Committee:

"no official no matter how senior, should be allowed to take classified or confidential documents outside their offices for whatever reason."

That seems a good enough start in my opinion. But this really does come back to the very last point I made in my original post last week about printed data.

It is one of my biggest professional fears: how do I know people aren't printing sensitive data off and stuffing it into their pockets? As a financial services company we get emails every week from individuals and banks (yes, banks) which contain unencrypted sensitive data. Fortunately we have well defined procedures and skilled staff to respond correctly to these emails. But what if we didn't?

In terms of technical controls we can control the risk of theft around this data, but if it were printed then all bets are off. A user could just print the email; if we prevent printing then they could do a screen print, or they could even write it down, and away they go. In this day and age of mobile phones with high resolution cameras, what is to stop people just taking a picture of the data and taking it that way?

When you think of it like this you may feel a bit of sympathy for the government, but they have the budgets and the ability to hire the top talent to prevent these breaches.

Wednesday, June 11, 2008

Security, is it really that hard?

I read and hear about security breaches almost every day and I always ask myself the same question, "is security really that hard?".

Today I have read two articles on the BBC website, one (BBC Article 1) is even more credit card numbers lost and the second (BBC Article 2) is more UK government confidential documents lost.

Cotton Traders have lost 38,000 credit card numbers through their website. No technical details of the breach have been given but it's likely to be a SQL Injection attack. The article on the BBC doesn't give much information away. What it does give away is false information about the TK Maxx data breach in 2007. The article falsely stated the TK Maxx breach occurred through their website.

TK Maxx (more precisely TJX) didn't lose their card numbers through their website. The breach occurred because of someone noticing that the TK Maxx stores used WEP to protect their internal POS networks. Through war driving they cracked the WEP (not a highly technical hack) and went on to take close to 100 million card numbers over 18 months. For such a big news company I would have expected a more accurate report from the BBC.

Back to the original point, the Cotton Traders breach. Many sites are vulnerable to (again this is based on my assumption) SQL Injection so only half a scowl for them on that. But cleartext card data, that's not really forgivable. If I were investigating the breach my two main questions would be 1) Did you need to store that data and 2) Why didn't you securely store it (i.e. encryption)? I'm sure we will never publicly know these answers.

My last point on Cotton Traders is the breach occurred in January, 6 months ago. The sooner we see more laws like California's SB 1386 the better! The public should be made aware sooner of such breaches, just think how many are probably going unreported.

The second article focuses on the fact that the UK government has lost more information. This time a government official has left printed copies of Top Secret documents on Al Qaeda and the war in Iraq on a train. A police investigation is being conducted and I'd suggest that some poor employee that may not have known better will be receiving their P45 soon. I could write all night about the potential problems that have occurred to cause this loss of data but I won't!

At a recent Data Privacy seminar we were all unanimous in our fear of printed data. We can have all the latest and greatest firewalls, IPS/IDS, encryption etc. but once it's on paper what can you do?

Dave