<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
  <channel>
    <title>Author Jeff Stanton's Blog: Employee Monitoring and Information Security</title>
    <description>What's happening in the world with respect to employee monitoring and information security. How can the research described in The Visible Employee address these issues?</description>
    <link>http://visibleemployee.org/BlogPage/tabid/546/BlogId/4/Default.aspx</link>
    <language>en-US</language>
    <managingEditor>jmstanto@syr.edu</managingEditor>
    <webMaster>jmstanto@syr.edu</webMaster>
    <pubDate>Wed, 20 Aug 2008 15:06:35 GMT</pubDate>
    <lastBuildDate>Wed, 20 Aug 2008 15:06:35 GMT</lastBuildDate>
    <docs>http://backend.userland.com/rss</docs>
    <generator>Blog RSS Generator Version 3.4.0.39853</generator>
    <item>
      <title>Let's Talk about Stolen Laptops</title>
      <description>&lt;P&gt;Last week (7/1/06), the Red Cross reported that a laptop containing thousands of records of blood donors' personal data had been stolen from a locked closet in one of their local offices. They reported that there was no sign of forced entry into the closet. Obviously this implicates someone with a key to the closet. An employee? Janitorial staff?&lt;/P&gt;
&lt;P&gt;Bizarrely, the Red Cross spokesman, Darren Irby, said, "We haven't viewed this as a security breach at this point." I guess he is resting comfortably with the idea that because the donor data were "encrypted," that they are safe even on a stolen laptop. Let's just take a moment to remember that there are lots of different types of encryption, some more secure than others, and that all forms of encryption are subject to attack. Further, for the most common kind of file encryption (symmetric key encryption), the security of the data also depends on keeping the "key" (like a password) secret.&lt;/P&gt;
&lt;P&gt;A stolen laptop was at the heart of the Veteran's Administration data leak scandal as well. Laptops are wonderful. I have one and I love it. But laptops are a triple threat for security:&lt;/P&gt;
&lt;P&gt;1. They hold tons of data. The wimpiest new laptop you can buy generally comes with dozens of gigabytes of data. Which means that users can stash tons of valuable information on them.&lt;/P&gt;
&lt;P&gt;2. They are highly portable. A laptop can be concealed in a backpack, a grocery bag, or under your shirt. It is no more difficult to steal a laptop than it is to steal a ream of paper.&lt;/P&gt;
&lt;P&gt;3. They are quite valuable on the "stolen products marketplace." That is, they are easy to fence.&lt;/P&gt;
&lt;P&gt;Good security policies must specify what employees can do with laptops, where they can do it and when. This includes any personal machines that are permitted to have access to company data. Firms need to work out policies that appropriately balance productivity and security. Most importantly, users need to internalize the idea that loss and theft of laptops is a very common event. TAXI, a trade journal of the taxicab industry, did a survey showing that 4973 laptops were left in London cabs over a period of six months in 2004. That's just one city, in one part of the world, and just one mechanism of loss. As users leave the building with laptops in their briefcase, they should &lt;EM&gt;assume&lt;/EM&gt; that the machines will get stolen, and should prepare and protect their data against this eventuality.&lt;/P&gt;</description>
      <link>http://visibleemployee.org/BlogPage/tabid/546/EntryID/8/Default.aspx</link>
      <author>jmstanto@syr.edu</author>
      <comments>http://visibleemployee.org/BlogPage/tabid/546/EntryID/8/Default.aspx#Comments</comments>
      <guid isPermaLink="true">http://visibleemployee.org/Default.aspx?tabid=546&amp;EntryID=8</guid>
      <pubDate>Fri, 07 Jul 2006 19:13:00 GMT</pubDate>
      <slash:comments>0</slash:comments>
      <trackback:ping>http://visibleemployee.org/DesktopModules/Blog/Trackback.aspx?id=8</trackback:ping>
    </item>
    <item>
      <title>Sophos Security Report Highlights Social Attacks</title>
      <description>&lt;P&gt;Partly as a public service and partly as a marketing technique, antivirus vendor Sophos (&lt;A href="http://www.sophos.com"&gt;http://www.sophos.com&lt;/A&gt;) publishes an update on the state of computer security every six months or so. The latest report just came out (July 2006) and it highlights an ever-increasing array of security threats that affect business and home users. &lt;/P&gt;
&lt;P&gt;Among other problems, Sophos has documented the increased use of subtle social attacks that encourage users to perform dangerous behaviors such as clicking on attachments. While these attacks used to entice victims with the possibility of seeing Britney Spears or some other celebrity "lightly clad," new enticements to click on evil attachments include political scandals, crime descriptions, and other newsworthy headlines. These threats are considered social attacks because they prey on natural human curiosity (or other common motivations) as a method of encouraging users to take inappropriate actions.&lt;/P&gt;
&lt;P&gt;As always, the best protection against social attacks is to use training and awareness programs to educate users about the prevalence and nature of these threats. On the face of things training always appears expensive as an upfront preventative investment, but a careful analysis of the lost productivity and IT staff time involved in recovering from a malware attack shows that the investment in training generally pays off handsomely.&lt;/P&gt;
&lt;P&gt;One additional important point is that more and more of these malware attacks work by installing so-called "trojan horses" which allow a remote attacker to take partial or complete control of a compromised computer system. These trojan horses can lead to the destruction or dissemination of sensitive and important data. In turn, these losses can have powerful negative impacts on the reputation and success of a business.&lt;/P&gt;
&lt;P&gt;The Sophos report is quite brief and easy to read. Here is a link:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.sophos.com/sophos/docs/eng/papers/sophos-security-report-jun06-srus.pdf"&gt;http://www.sophos.com/sophos/docs/eng/papers/sophos-security-report-jun06-srus.pdf&lt;/A&gt;&lt;/P&gt;</description>
      <link>http://visibleemployee.org/BlogPage/tabid/546/EntryID/7/Default.aspx</link>
      <author>jmstanto@syr.edu</author>
      <comments>http://visibleemployee.org/BlogPage/tabid/546/EntryID/7/Default.aspx#Comments</comments>
      <guid isPermaLink="true">http://visibleemployee.org/Default.aspx?tabid=546&amp;EntryID=7</guid>
      <pubDate>Thu, 06 Jul 2006 20:23:00 GMT</pubDate>
      <slash:comments>0</slash:comments>
      <trackback:ping>http://visibleemployee.org/DesktopModules/Blog/Trackback.aspx?id=7</trackback:ping>
    </item>
    <item>
      <title>Microsoft to 98 and ME Users: Good Night and Good Luck</title>
      <description>&lt;P&gt;Well, the day has finally arrived. Next Tuesday (7/11/06), Microsoft will officially discontinue support for Windows 98 and Windows ME. No more security updates, no more operating system patches. Good riddance, you may say! These operating systems were never very stable, and were not well suited for the thorny security environment that is the modern Internet.&lt;/P&gt;
&lt;P&gt;The only problem is that there are tens of thousands of schools, non-profit companies, and small businesses across the country and the world that still have a substantial number of working computers that are running Windows 98 and Windows ME. I hate to admit it, but I have one of each myself! (Strictly for non-critical applications, you understand - think gaming and mp3 playback.)&lt;/P&gt;
&lt;P&gt;I've visited a number of these smaller organizations in the course of my research and I've found that they are struggling with enough IT problems already and are under enough budgetary pressure that there is no way they can upgrade all of their older systems to Windows XP. A lot of those old systems wouldn't run XP without a hardware upgrade or two anyway, and it makes no economic sense whatsoever to try to revitalize a 5-10 year old PC.&lt;/P&gt;
&lt;P&gt;I smell a niche market here, for someone who wants to package together a few key security apps that will still run happily on 98 and ME and that will help all of these smaller, less well resourced organizations squeeze just a little more life out of their PCs. Top of the list is Grisoft's AVG anti-virus package (free edition), followed closely by the popular Ad-Aware SE Personal (also free). With these and a couple of other add-on programs, it may be possible to dodge the (in)security bullet with these older systems even though Microsoft has given them their final salute.&lt;/P&gt;</description>
      <link>http://visibleemployee.org/BlogPage/tabid/546/EntryID/6/Default.aspx</link>
      <author>jmstanto@syr.edu</author>
      <comments>http://visibleemployee.org/BlogPage/tabid/546/EntryID/6/Default.aspx#Comments</comments>
      <guid isPermaLink="true">http://visibleemployee.org/Default.aspx?tabid=546&amp;EntryID=6</guid>
      <pubDate>Wed, 05 Jul 2006 21:00:00 GMT</pubDate>
      <slash:comments>0</slash:comments>
      <trackback:ping>http://visibleemployee.org/DesktopModules/Blog/Trackback.aspx?id=6</trackback:ping>
    </item>
    <item>
      <title>Newcastle "Eyes" Promote Good Behavior</title>
      <description>&lt;P&gt;This is really cool! Researchers at Newcastle University in the UK conducted an experiment which showed that people are more honest when they feel they are being watched - even if they are not actually being watched. In the experiment, a large black and white poster depicting a person's eyes, when placed in front of an "honor system" contribution box (for the purchase of a drink), caused people to put two and a half times more money in the box than when the poster depicted flowers.&lt;/P&gt;
&lt;P&gt;The human brain is programmed at a deep level to care about what others think of our behavior. If cues in our environment make us think we are being watched by other people, we generally will behave more "prosocially."&lt;/P&gt;
&lt;P&gt;This is a major issue that we documented in &lt;EM&gt;The Visible Employee&lt;/EM&gt; when discussing employee monitoring. We argued that for monitoring to be effective in its mission of improving information security, employees have to know about it. This flies in the face of what some IT security professionals believe. Some security people think that you can't let your "subjects" know about the ways in which you monitor them, for fear that they will find ways of circumventing the system. No go. If you want your security policies to be effective in influencing behavior, people have to know that you have and use methods of checking up on them.&lt;/P&gt;
&lt;P&gt;Note that these ideas raise the question of the ethics of monitoring and surveillance. In the book we do not advocate a willy-nilly approach to setting up a panopticon where everyone is watched all the time. We recommend a thoughtful approach called "transparent security governance" that gets employees involved in the design and deployment of monitoring systems.&lt;/P&gt;</description>
      <link>http://visibleemployee.org/BlogPage/tabid/546/EntryID/5/Default.aspx</link>
      <author>jmstanto@syr.edu</author>
      <comments>http://visibleemployee.org/BlogPage/tabid/546/EntryID/5/Default.aspx#Comments</comments>
      <guid isPermaLink="true">http://visibleemployee.org/Default.aspx?tabid=546&amp;EntryID=5</guid>
      <pubDate>Fri, 30 Jun 2006 17:43:00 GMT</pubDate>
      <slash:comments>0</slash:comments>
      <trackback:ping>http://visibleemployee.org/DesktopModules/Blog/Trackback.aspx?id=5</trackback:ping>
    </item>
    <item>
      <title>McAfee Falcon</title>
      <description>&lt;P&gt;If Microsoft were chasing me I would be scared too. Today's news reports that McAfee - maker of individual and corporate antivirus solutions - has released a beta of their new product, code named "Falcon."&lt;/P&gt;
&lt;P&gt;Falcon purports to be a security "platform" not just a tool or application. As a platform it appears to be a one stop shop for security protection for computers. In addition to traditional anti-virus functions, the platform provides anti-phishing protection, detects and eliminates rootkits, and a Site Advisor that provides information about contaminated or dangerous websites.&lt;/P&gt;
&lt;P&gt;McAfee is developing these welcome innovations in response to the fact that Microsoft has been edging their way into the security product business little by little over the past few years. The great news for small business is that the competition between the antivirus giants like McAfee and Microsoft will drive prices down and create a wider range of features and capabilities, at least in the short term.&lt;/P&gt;
&lt;P&gt;Hopefully, in the long run, Microsoft's entry into security products like antivirus will strengthen, rather than damage the existing security product companies by getting them to step up innovation.&lt;/P&gt;
&lt;P&gt;Meanwhile, your small business should download and start using free copies of McAfee's Site Advisor. If your employees need (or like) to do any web browsing into uncharted territory, Site Advisor can help to keep them out of trouble and save you a lot of hassles in getting contaminated PCs repaired.&lt;/P&gt;</description>
      <link>http://visibleemployee.org/BlogPage/tabid/546/EntryID/4/Default.aspx</link>
      <author>jmstanto@syr.edu</author>
      <comments>http://visibleemployee.org/BlogPage/tabid/546/EntryID/4/Default.aspx#Comments</comments>
      <guid isPermaLink="true">http://visibleemployee.org/Default.aspx?tabid=546&amp;EntryID=4</guid>
      <pubDate>Mon, 19 Jun 2006 15:58:00 GMT</pubDate>
      <slash:comments>0</slash:comments>
      <trackback:ping>http://visibleemployee.org/DesktopModules/Blog/Trackback.aspx?id=4</trackback:ping>
    </item>
    <item>
      <title>The DOE Data Leak</title>
      <description>&lt;P&gt;OK, now the Department of Energy is having "difficulties" with data security. A "red team" (a security testing group, sometimes called penetration testers or pen testers) was testing DOE security last fall when they discovered a previous hack in which employee records of 1502 contract employees of the DOE were stolen by a hacker from an unclassified computer system.&lt;/P&gt;
&lt;P&gt;This one sounds, at least in part, like a technical security problem, though there are certainly organizational issues here as well. It is strange that the DOE knew about the breach for some months but did not undertake an effort to notify all the affected employees until recently. Neither the DOE Secretary nor his deputy was informed about the breach until recently. A little communication problem, perhaps?&lt;/P&gt;
&lt;P&gt;In our research we found that IT departments and IT security groups often had difficulty getting and holding the attention of upper management because there was no high level executive involved in information security. Large companies without VP level representation of the security function have to work extra hard to make sure that distress messages from down below are actually bubbling to the top in a timely way. &lt;/P&gt;</description>
      <link>http://visibleemployee.org/BlogPage/tabid/546/EntryID/3/Default.aspx</link>
      <author>jmstanto@syr.edu</author>
      <comments>http://visibleemployee.org/BlogPage/tabid/546/EntryID/3/Default.aspx#Comments</comments>
      <guid isPermaLink="true">http://visibleemployee.org/Default.aspx?tabid=546&amp;EntryID=3</guid>
      <pubDate>Wed, 14 Jun 2006 15:40:00 GMT</pubDate>
      <slash:comments>0</slash:comments>
      <trackback:ping>http://visibleemployee.org/DesktopModules/Blog/Trackback.aspx?id=3</trackback:ping>
    </item>
    <item>
      <title>The Veteran's Administration Data Leak</title>
      <description>&lt;P&gt;At latest count over 26 million veterans had their data leaked by an employee who downloaded data onto a laptop, brought the laptop home, and was the unfortunate victim of a burglary in which the laptop was stolen. The records contained a variety of sensitive information including social security numbers.&lt;/P&gt;
&lt;P&gt;As a result of this data theft there has been an expected outcry in industry and government circles about the need for greater security. Unfortunately, most of this hubbub focuses on the wrong issues. Polls show that U.S. citizens are concerned about privacy and identity theft, but primarily in the context of online transactions such as eCommerce purchases. &lt;/P&gt;
&lt;P&gt;The VA case is a classic failure of behavioral policy within large organizations and has little to do with Internet security or eCommerce security per se. One of several possible root causes applies here:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;The VA did not have a policy on bringing home data on laptops.&lt;/LI&gt;
&lt;LI&gt;The VA did have a policy on bringing home data on laptops but it was too vague, too loose, not communicated to employees, or not enforced.&lt;/LI&gt;
&lt;LI&gt;The VA did have an enforced and communicated policy, but this employee did not abide by the policy.&lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;In the case of number 3, we can certainly probe more deeply, but it is likely that the organization is still at least partially at fault, perhaps in failing to supervise or screen employees properly. In all three cases the failure is not primarily technological and is neither Internet-centric nor technology-centric.&lt;/P&gt;
&lt;P&gt;In a nutshell: The VA needs better security governance.&lt;/P&gt;</description>
      <link>http://visibleemployee.org/BlogPage/tabid/546/EntryID/2/Default.aspx</link>
      <author>jmstanto@syr.edu</author>
      <comments>http://visibleemployee.org/BlogPage/tabid/546/EntryID/2/Default.aspx#Comments</comments>
      <guid isPermaLink="true">http://visibleemployee.org/Default.aspx?tabid=546&amp;EntryID=2</guid>
      <pubDate>Tue, 13 Jun 2006 18:14:00 GMT</pubDate>
      <slash:comments>1</slash:comments>
      <trackback:ping>http://visibleemployee.org/DesktopModules/Blog/Trackback.aspx?id=2</trackback:ping>
    </item>
  </channel>
</rss>