If it wasn’t for the users we could secure the company much more easily.
They just don’t get it, we are doing this for their benefit.
We often hear statements like this being made, and sometimes even uttered by ourselves. In fact I daresay they are often made by people in very different support industries, not just information security, but it seems that we harbour these feelings more than most.
Effective security is security that is understood, adhered to and respected. Ineffective security is either too lax, or so tight that individuals do their level best to work around it. They are not working around it because they are subversive elements in our organizations, but rather because it is restricting them from getting their day jobs done; it has become a barrier.
Each organization will have it’s own unique requirements, and even within that organization unique requirements will come about. The finance and legal teams are likely to require a different level or type of security around their work than a creative or IT team. If you have ever observed a creative team in full flow you will understand that the concept of a “clear desk” policy is not only laughable but also extremely restrictive to the very fundamentals of their craft. That same policy however will be more easily understood and accepted by the aforementioned finance and legal teams.
So in this example do you enforce an organisation wide clear desk policy? Probably not. It may make sense to have a departmental one, although in some circumstances this would be harder to police. Or you could implement clear desk “zones”, i.e. areas where it is not necessary to have a clear desk because of other measures. The measure may be soft, such as background checks on cleaning staff or hard, such as supervised cleaning staff.
Variations to blanket policies always cost money, but if you ascertain the potential financial value of that loss and compare it to the cost of the measures you can help your business to understand, adhere and respect the measure you are proposing.
This doesn’t just apply to physical security (although it very frequently does!) but also to technical and administrative controls too. Policies have to be very carefully written and reviewed by the various stakeholder of your organisation to ensure the right balance is struck. Technical controls also have to have this balance. Data Loss protection (DLP) is a marvelous technology that when implemented correctly can reap huge rewards and avoided risks, but it is expensive and time consuming to install and run. Who should ultimately make that decision, you, or the business. (clue, it’s not you).
Don’t be afraid to compromise in your dealings with your organisation. If they disagree with your approach, they either get it and feel it is simply the cost of doing business, in which case go off and look at other ways to support them. Or they don’t get it, which means you need to do a better job of convincing them of the risk in which case, go off and look at other ways of making your point. A good compromise is made when each party respects and aligns to the other parties point of view, not when each party is on fundamentally different sides.
Help your business respect and align to the information security ideals you hold dear, and do the same for theirs and you will always get more effective security.
There has been much written and talked about over the years about the use of skimming devices and cameras being installed on cashpoints (ATM’s for my international readers), their increasing complexity and ability to seamlessly blend into the cashpoint itself. With the card being entered and read, and the PIN code either intercepted with lay on keypads or filmed with cameras, the criminals ability to clone cards is quite significant, and the financial rewards high. Most of us, if we were honest, would struggle to see a sillfully crafted and installed skimmer on an average ATM.
Why are we still so reliant on this kind of security? Sure, it is technically two-factor, with the card that I have and the PIN that I know, but as my previous statements show very clearly, this security can be bypassed very easily.
The Royal Bank of Scotland (RBS) quietly announced a new feature last year to their mobile app that allows cash to be removed from an RBS or NatWest cashpoint without a card. Given there has been much research on the fact that people were no more likely to forget their wallets and purses than their phones, and actually become more distressed at not having their phone over their wallet, the bank could see a shift in how people were becoming increasingly reliant on their smartphones.
The process is straightforward; after logging into the (already downloaded) app, and pressing “Get Cash” one simply types in the amount of money they would like to withdraw, and is then presented with a six digit, one time use PIN. This PIN can also be texted or sent to someone else if need be. (VERY useful to help out friends and family in distress.) One then uses an RBS or NatWest cashpoint (unfortunately other banks do not participate in this scheme) , presses enter on the keypad, and then enters the six digit PIN number twice followed by the amount of money that was originally requested. The cash is then dispensed. If more money is required, the process is repeated and another, different, six digit PIN is issued.
To my mind this is an excellent innovation, and other thought so too, with the creators behind the enhancement, SapientNitro being awarded a Cannes Lion at last years show. A slightly cheesy advert follows…
(Note: at this point it is worth me declaring my interest, as I am an employee of Sapient, the parent company of SapientNitro. That said, I was using the service before I realised it was Sapient that came up with the idea in the first place!)
This works in many ways:
- 1: The pin is only used once, so it doesn’t matter if a skimmer is in place, it is recording only a one time password.
- 2: Your card cannot be cloned as it is never used.
- 3: It is convenient because nights out only involve looking after your phone, not you phone and cash card and cash!
- 4: Even if you phone is lost, it is password protected, tracked, and you r banking app is also PIN protected with more than a four digit pin code (it is, right?). You can also wipe your smartphone remotely in most cases.
A UK food chain, Pizza Express, did a similar thing last year as well, whereby on the bottom of the receipt is a unique code that allows people to pay with PayPal; again this is smart (your misgivings about PayPal aside) as your card cannot be taken around the back and cloned without your knowledge, as the payment is sent directly from PayPal to the restaurant and notification received on the till. Of course every time I have tried to use it the code has always been misprinted stopping me from doing so! Lovely idea nonetheless…
So what is the upshot of this? Most importantly I think it shows how with the judicial use of technology we can keep one step ahead of the criminals. Of course they will catch up, and of course there are other security implications (a rise in smartphone theft perhaps?) but RBS has shown that a relatively small change in their systems can result in a huge change in the security of their transactions. As of writing I am not aware of any other UK bank having this capability (they seem to be focussing on the ability to send payments to friends rather like PayPal than anything else), but this kind of approach should become the new norm.
It is this application of security alongside the ability to truly understand their clients and their needs that in this case has allowed RBS to steal a march on their competitors. I know this simply because of the looks on the faces of my friends when I take cash out of the cashpoint without using my card; it is magic, and they like it…
This is truly a case over security versus convenience… but with added convenience.
Being a frequent traveller, be it train, bus, car or plane, I often get to see people working in all of these environments to one extent or another. From seeing people’s laptops on the front seat of their cars to leaving them unattended in travel lounges, I have seen all sorts of behaviour that we, as information security professionals, would see as unforgivable. We regularly question ourselves as to why this happens, especially when the effects can be so dramatic and have direct impacts on our professional and personal lives.
My most recent example was just last week, sitting opposite a woman who was working on her laptop and referring to a sheaf of A3 colourful papers. They had the unmistakable artwork of Lauren Child, a children’s author and illustrator. As a father of a ten year old and an eight year I recognised the artwork and style immediately as the author of Charlie and Lola, some of my children’s favourite story characters. The papers in questions had plenty of hand drawn mark up on them suggesting this was in the final stages of editing and layout prior to printing, the story itself centering around one Elmore Green who was jealous at the arrival of a younger sibling into his family. It all ends well of course, with Elmore having someone to snuggle with at the end of the book.
Three things surprised me. Firstly, the way in which the papers in question were left out of the direct sight of the woman concerned, either on a seat on the opposite side of the walkway, or even underneath her own seat (and very accessible from behind). Secondly I was able to discern a large amount of detail from the book in a very short period of time; this is of course partly down to the nature of the book itself, but also, because each page was carefully moved to in turn and then placed somewhere I could review it and even photograph it. Finally, I was alarmed that someone like Lauren Child, who has a very unique and successful place in children’s literature would allow an as yet unpublished book be revealed in public in such a way as this.
This is of course very serious for Lauren Child and her publishers; why was this person allowed to take large copies of this book into a public space? If they knew it needed to be worked on in a train or other public space why weren’t electronic versions made available? Or had they even considered the fact that someone could have easily stolen the manuscript and copied it for an earlier release to capture their particular market?
The implications for UK PLC are probably not that great, and yet examples like this are played out across the country whenever people travel and feel they are in ‘safe‘ environments, with a dangerous cumulative effect for the country. The combined effect of actions like this could potentially add up to the millions in lost opportunities and lost work. It reminded me of Wendy Nather’s response to a question about public apathy to security, and her surprising yet eerily accurate response was;
I don’t think that society in general will stand up and do something about security until people start dying in enough numbers that it could happen to them individually and not just organizations because we don’t care about organizations.
I sincerely hope Lauren Child has not been hurt by this incident financially or otherwise, she has given too much joy to my children to wish that; but if she reads this I do hope she feels sufficiently motivated to insist on stronger controls around the management of her manuscripts from her publishers. If you would like some help doing that Lauren, feel free to contact me!
(Originally posted on the Iron Mountain Information Advantage Blog, November 20 2013.)
Leaving things on the train or in a restaurant, or in fact anywhere is an unpleasant fact of life for many of us. I would guess that almost all the readers of this blog have at some point left their keys, wallet, shopping, hat, gloves, children, scarf or phone somewhere or other. On occasion, such lapses in concentration can be upsetting, costly, or embarrassing and in some rare instances even dangerous. But in most cases what we leave behind is either easily replaceable (gloves), insured/covered (bank cards) or worth the cost to change and replace (keys). It’s very rare that we leave and lose something irreplaceable (presumably you found the kids!). This is because the items we treasure often have significant intrinsic and/or emotional value. A good example would be family heirlooms, passed down from generation to generation; we treasure them and therefore take care to protect them, storing them in a safe (or at least a safe place) to be taken out only on special occasions.
What about leaving data somewhere? It wasn’t so long ago, that civil servants and the MOD were criticised frequently in the media for leaving highly sensitive and valuable data exposed in public places. Rarely, it seemed, did a day go by without the Daily Mail bemoaning the inability of the public sector to protect our data. Headlines called for heads to roll. And yet, invariably, these were just the kind of simple, human mistakes that every one of us have made in one way or other. These days, however, the vast majority of data is (or at least should be) encrypted, both when it is on the move and when it’s at rest. Consequently, the loss or theft of encrypted data may now raise fewer eyebrows.
Printed matter, however, is another thing entirely. You can’t encrypt paper documents, and paper is very difficult to secure during transport, without somehow physically attaching it to your person. Taking sensitive documents from one location to another, so often a necessity, quickly becomes a thing of peril. Conceptual drawings, designs, technical drawings, mock ups etc. will often need to be taken to a client site or a manufacturer, and sometimes cannot be sent electronically. After a successful pitch and a few celebratory drinks afterwards those documents could all too easily be left on the night bus to Neasden, unprotected and full of intellectual property and sensitive information. A breach like that can so easily turn a night of celebration into a morning of embarrassment and apologies, followed by the inevitable search for new clients.
Protecting printed documents is difficult, probably more difficult than electronic information, and yet we seem to put all of our efforts into the very latest and best encryption, protected USB keys, and expensive data loss prevention (DLP) initiatives. It’s easier to put in place a technology, especially a “transparent” one than it is to change behaviours.
I would suggest that the information security community needs to address this disparity; the paperless office hasn’t transpired, the digital documents are secured, but paper has been left behind. How can we address this without handcuffing briefcases to people? As usual, it has to come down to awareness, we need to drive home the message that paper should be transported with the same care as electronic records, observing sensible procedures such as ensuring there are always two people present when travelling with paper (to act as more of a reminder than as a physical protection) or even only couriering them with a specially selected and reviewed vendor.
I don’t want to turn the Chief Information and Security Officer into a George Smiley type character, but I do want all of our sensitive records to be treated with the same level of protection irrespective of format.
Mobile devices are great. I’m sat here in the back of a car in India travelling to a meeting. I’m connected to the internet via my iPhone and using the time to write a blog post on my laptop about the inherent dangers of using mobile devices while travelling. The irony isn’t lost on me.
Much has already been said on the various things that can be done to protect yourself while working on the move. Indeed, just the other day I wrote a piece on exactly how not to do it, and I am sure it is a regular topic of internal security articles at many companies.
The key issue I see is that the security measures are not always seen as ways to protect information. Rather, they are often seen as hoops that people need to jump through to get to the information they need to do their work. When, as is sometimes the case, security measures are poorly designed and/or poorly implemented, then the view of information security as an obstacle should come as no surprise.
Therefore, rather than trying to foist technology or procedures onto people, would we not be better focussing on behaviours that can be reinforced with easy to remember concepts? Here are a few to consider:
Think about where you are sitting with your laptop/mobile phone. Can it be stolen easily (as in this example) or can your screen be viewed easily by people sat nearby? Your data can be both physically stolen as well as “visually” appropriated.
All internet-based connections should go through a VPN. This might be overkill for some, but it ensures that there is no internal dialogue about the security of a Starbuck’s Wi-Fi versus a BT hotspot or even a hotel Wi-Fi. Always use a corporate VPN to encrypt and tunnel your traffic through any potentially unsafe network. Even when using a personal laptop to do your own work in a cafe, like a bit of banking or shopping, your credentials and details can be stolen, so use one of the many commercial (and sometimes free) VPN products that are available
Be aware of your surroundings. Is this a high-traffic area such as a cafe or airport lounge, with people moving in and out frequently? Be aware of what is on your screen – is it confidential? Should you really be working on it in a public space? This doesn’t mean you need to be paranoid, but travellers, especially when abroad, can often be spotted easily and are often viewed as vulnerable. Knowing your surroundings and behaving accordingly is an important part of not only keeping your data secure, but of keeping yourself safe also.
Let’s face it, technology is never going to solve everything. I wrote recently about an example which had all the right technology in place, only to be let down completely by a visit to the bathroom. If in doubt, your mobile devices should be your “bathroom buddies” and not left exposed in public!