<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Blog &#187; data loss prevention</title>
	<atom:link href="http://blog.securstar.com/tag/data-loss-prevention/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.securstar.com</link>
	<description>SecurStar - Security at its highest level</description>
	<lastBuildDate>Mon, 19 Oct 2009 10:51:18 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Practical Data Loss Prevention</title>
		<link>http://blog.securstar.com/2009/09/19/practical-data-loss-prevention-3/</link>
		<comments>http://blog.securstar.com/2009/09/19/practical-data-loss-prevention-3/#comments</comments>
		<pubDate>Sat, 19 Sep 2009 11:35:38 +0000</pubDate>
		<dc:creator>Michael Mckinzie</dc:creator>
				<category><![CDATA[Risk Analysis]]></category>
		<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[laptop security]]></category>
		<category><![CDATA[security policies]]></category>

		<guid isPermaLink="false">http://blog.securstar.com/?p=98</guid>
		<description><![CDATA[(Week 3 of 4)
by Michael McKinzie, CISSP
Last week we talked about data classification and policies and restrictions. My conclusion is it is very difficult for organizations to fully implement a broad restriction of access to personal use sites such as social networking sites, webmail, blogs, YouTube etc. Although many tools exist to help enforce [...]]]></description>
			<content:encoded><![CDATA[<p>(Week 3 of 4)<br />
by Michael McKinzie, CISSP</p>
<p>Last week we talked about data classification and policies and restrictions. My conclusion is it is very difficult for organizations to fully implement a broad restriction of access to personal use sites such as social networking sites, webmail, blogs, YouTube etc. Although many tools exist to help enforce this policy on the LAN, or corporate network, users may simply use their Internet-enabled phone/smart-phone to access these sites undetected by IT security.</p>
<p>If the organization allows synchronization of email, calendars, notes, documents, files, or maybe even hosts an extranet service like a CRM application which is accessible by the mobile sales force, it is important to know the type and class of the data being shared. Mobile phones may introduce a new risk of compromising sensitive data, which may not be as easy to control as implementing a gateway system or access control list. Should the organization have the authority to control personal devices or restrict what users can do on these devices? It probably is not realistic to tell users they cannot bring their mobile phones to work in the event they have a personal or family emergency, or if they want to make a personal call during a break or lunchtime. Perhaps an approach of limited use would help provide better controls to monitor use versus users turning to alternatives such as their smart-phones. I attended a concert recently where they said no cameras allowed. I wondered how it would be enforced since virtually all new generation phones have an integrated camera; they did not confiscate my phone. Maybe if I tried to march in with a high end SLR, I would have had a problem. What type of risk does this present to organizations? (Maybe another entire discussion)</p>
<p><strong>As a former security consultant, I used the following trust and operations model. </strong></p>
<p>1)	Relied on managers and Human Resources (HR) for employee background checks and screening.<br />
2)	Provided network and data access based on job roles and responsibilities; enabled a higher level of auditing/logging for the first 90 days for all new users to monitor activity.<br />
3)	If a user had a high level of access to customer records, financial data or HR, verbose logging was enabled on the systems and reports were provided to the user’s manager on a periodic basis for review.<br />
4)	Implemented security infrastructure and policies, and used BS17799/ISO17799 as a guide; all users would sign a computer use (zero tolerance) agreement as part of the hiring process.<br />
5)	Promoted awareness/best practices through emails, meetings, and lunch-n-learns. Encouraged users to report suspicious behavior.<br />
6)	Ensured a balance of security and usability, e.g. when a user visits a site considered non-work related (webmail), a warning message appears notifying them that they are being monitored, but they can click through to continue. A simple but effective reminder not to spend too much time on non-work related sites.</p>
<p>In short: establish a trust baseline, but restrict users from roaming servers and data they had no reason to access. You would think most admins would naturally do this, but after countless audits and vulnerability assessments there would almost always be cases of users having access to resources which were not necessary.</p>
<p><img src="http://blog.securstar.com/wp-content/uploads/2009/09/quote_week3_securityblog.jpg" alt="quote_week3_securityblog" title="quote_week3_securityblog" width="590" class="aligncenter size-full wp-image-105" /></p>
<p>I believe this is a result of IT not having intimate knowledge of department application servers, initiatives which did not involve IT, or job changes, promotions etc., where the user is “grandfathered” in with the original access rights and new permissions are added on top. Smaller organizations tend to have a flat and open system where many users have full access. The receptionist may handle the bookkeeping and customer service, and their IT department is most likely an independent computer consultant who wants to ensure productivity while security is sidetracked. In my opinion the small business owner’s data is no less important than a larger organization’s data, so security should be woven into any IT deployment of hardware, software, and assignment of users’ rights.</p>
<p><strong>I am interested in hearing your thoughts on:</strong></p>
<p>1.	How do you segregate resources? Roles, responsibilities, other?<br />
2.	Do you think soft policies/reminders are an effective approach for non-work use of IT resources? Any experiences you can share?<br />
3.	Should organizations have a policy over personal devices such as smart-phones, personal voice recorders etc.? How would you enforce it?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securstar.com/2009/09/19/practical-data-loss-prevention-3/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Practical Data Loss Prevention</title>
		<link>http://blog.securstar.com/2009/08/27/practical-data-loss-prevention-2/</link>
		<comments>http://blog.securstar.com/2009/08/27/practical-data-loss-prevention-2/#comments</comments>
		<pubDate>Thu, 27 Aug 2009 19:02:52 +0000</pubDate>
		<dc:creator>Michael Mckinzie</dc:creator>
				<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Risk Analysis]]></category>
		<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[laptop security]]></category>
		<category><![CDATA[security policies]]></category>

		<guid isPermaLink="false">http://blog.securstar.com/?p=80</guid>
		<description><![CDATA[So where do we practically begin? Does the organization know what their sensitive data is and how it is classified, where it resides, how it travels through business processes, how it is shared and used? Some of these questions are easy to answer but some might be difficult. Who owns the data? If a user accesses his or her personal email account, or another personal use site, does any information or data downloaded belong to the organization? ]]></description>
			<content:encoded><![CDATA[<p>(Week 2 of 4)<br />
by Michael McKinzie, CISSP</p>
<p>Building on my post from last week I want to invoke thought about how you as an individual, or on behalf of your organization, approach data loss prevention (DLP). I used an example of the way we (generally speaking) expect and rely on our financial institutions to keep our money safe and accurately accounted for, but I also mentioned the expectations banks and institutions place on users and consumers. If we apply this same model to computer use, it is a form of a privileged system model (authentication and permissions), i.e. proper authentication to access resources, and permission-based rules to govern activities just as the bank controls access to accounts. </p>
<p>The challenge remains that there are constant threats to our data from vectors such as misuse, social networks, theft, lost devices, malware, viruses, Trojans, botnets, social engineering, integrated business partners, outsourcing etc. IT administrators adhering to best practices are vigilant in protecting data but are required to balance it with usability for businesses to remain productive and competitive. Businesses continue to rely on faster and broader communications, and data security is often perceived as a hindrance. </p>
<p><em>“Every day, CIOs face the challenge of putting the necessary technologies and processes in place to protect confidential data and comply with federal regulations, but they have to accomplish this without impeding daily business operations.”</em> – <strong>CIO Magazine</strong></p>
<p>So where do we practically begin? Does the organization know what their sensitive data is and how it is classified, where it resides, how it travels through business processes, how it is shared and used? Some of these questions are easy to answer but some might be difficult. Who owns the data? If a user accesses his or her personal email account, or another personal use site, does any information or data downloaded belong to the organization? Does the company have a legal obligation to protect it? Should the company control the user’s content? Do they have a legal obligation to do so to protect company or customer information and interests? </p>
<p>How do we classify data? These are often the questions and challenges facing organizations on a daily basis. Is it practical to just restrict access? Perhaps sales and marketing or the executives of the company have specific needs requiring access? Maybe the company promotes control versus broad restrictions? I don’t have answers to all of these questions, nor do I believe there is a simple answer which applies to all organizations. How do you approach it?</p>
<p><strong>I am interested in hearing your thoughts on:</strong></p>
<p>1. Do you think it is important to classify data formally? If so, have you done this and what was your experience?</p>
<p>2. What do you think is the largest threat to your confidential data? Users, malicious attacks, social networks, data leakage via lost or stolen devices, etc.? </p>
<p>3. Do you or your organization promote control over broad restriction policies, or how do you determine the best practice? e.g. restrict or block webmail and social networking sites versus providing limited access with monitoring?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securstar.com/2009/08/27/practical-data-loss-prevention-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Practical Data Loss Prevention</title>
		<link>http://blog.securstar.com/2009/08/21/practical-data-loss-prevention/</link>
		<comments>http://blog.securstar.com/2009/08/21/practical-data-loss-prevention/#comments</comments>
		<pubDate>Fri, 21 Aug 2009 12:20:02 +0000</pubDate>
		<dc:creator>Michael Mckinzie</dc:creator>
				<category><![CDATA[Risk Analysis]]></category>
		<category><![CDATA[credit card fraud]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[hacking data]]></category>
		<category><![CDATA[laptop security]]></category>
		<category><![CDATA[notebook security]]></category>
		<category><![CDATA[secure data]]></category>
		<category><![CDATA[stolen data]]></category>

		<guid isPermaLink="false">http://blog.securstar.com/?p=53</guid>
		<description><![CDATA[Introduction and practical approach to Data Loss Prevention for Enterprises, small and medium sized business. Forum to discuss DLP and data loss prevention programs.]]></description>
			<content:encoded><![CDATA[<p>(Week 1 of 4)<br />
By  Michael McKinzie, CISSP</p>
<p>Data Loss Prevention, or DLP, is an interesting and popular topic, especially since the largest single incident of data theft recently occurred. Heartland Payment Systems discovered numerous systems were compromised and an estimated 130M consumer credit card numbers were at risk, surpassing TJX Companies' reported compromise in 2007 of 94M consumer records.</p>
<p>The implications of these incidents can be difficult to measure, but if you just consider the amount of resources to investigate, notify consumers and remediate an incident, the costs rise quickly. In addition, if we try to account for any fraudulent activity that may have occurred, or the time consumers must spend to monitor credit activity and/or dispute fraudulent activity, this adds to the cost considerably. Will Heartland or TJX Companies disappear, fail or go bankrupt as a result of these security breaches? Well, not likely, but is there a negative impact? If we look for a correlation between stock price and the reported incidents, it is inconclusive; TJX appears to follow the trend of the S&amp;P 500, while Heartland does a nose dive. One thing is certain: the cost to investigate and remediate the data loss is significant, having a negative impact on the bottom line in both cases.</p>
<table border="0" style="border:0px;">
<tbody>
<tr>
<td style="border:0px;"><img class="size-medium wp-image-63" title="heartland_stock_image" src="http://blog.securstar.com/wp-content/uploads/2009/08/heartland_stock_image-300x218.jpg" alt="Heartland stock image" width="256" height="186" /></td>
<td style="border:0px;"><img class="size-medium wp-image-64" title="tjx_stock_image" src="http://blog.securstar.com/wp-content/uploads/2009/08/tjx_stock_image-300x220.jpg" alt="TJX Stock" width="255" height="186" /></td>
</tr>
<tr>
<td style="text-align:center; border:0px;">HeartLand Payment Systems</td>
<td style="text-align:center; border:0px;">TJX Companies</td>
</tr>
</tbody>
</table>
<p>Obviously, these are high profile incidents and may have even affected some of you reading this, but probably nothing more than receiving a letter and a new card and being asked to monitor your credit reports and watch for suspicious credit card activity. The question I have is: are we as a society just accepting this because the problem is too hard to control, or is it merely a cost of doing business today? International boundaries, anonymity of the Internet, millions of insecure computers primed for botnets, poor security architecture by software vendors, lack of information security budgets etc. are all significant challenges to protecting our information.</p>
<p>I believe there is a personal and corporate responsibility to protect our information, just as most of us trust our bank to keep our money safe and it is expected they will do so more safely than money tucked away at home. They also expect consumers to be diligent with access control. They issue ATM cards with user-defined PIN codes (two-factor authentication with limited authorization, i.e. maximum daily withdrawal limits), credit cards with signature panels and identifiers, or they deliver a battery of questions when we need to obtain any information on our account by phone.</p>
<p><strong>I am interested in hearing your thoughts on:</strong></p>
<p>1. Is the bank/consumer model or concept reliable? Do you think it works reasonably well?<br />
2. Do you think there should be greater responsibility on users, or on the organization, to ensure data confidentiality?<br />
3. Is data loss a real concern for you or your organization? Why?</p>
<p>About Me:</p>
<p>Michael McKinzie, CISSP (Business Development Manager, SecurStar) – security practitioner for 12+ years, worked in IT management, consulting, casino gaming, and on the dark side with encryption and security manufacturers. Still a fan of the C Programming Language by Kernighan and Ritchie and know I will make some money from my autographed copy of Applied Cryptography on eBay some day.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securstar.com/2009/08/21/practical-data-loss-prevention/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

