Breaching Acceptable Use Policies

Via Slashdot I saw this post on the potential ramifications of breaching an Acceptable Use Policy, based on a recent judgement [pdf] in Western Australia.

The defendant was a Police Officer, who would normally be held to a higher standard than Joe Public, and the system in question was a Police database, but as the blog post points out: "Ms Giles wasn't convicted for breaching police secrecy, or improper disclosure of information --- she was convicted for common cracking. She used the restricted-access system other than in accordance with her authorisation"

Nick Gifford in his book "Information Security: Managing the Legal Risks" (which I have mentioned before) describes AUAs (Acceptable Use Agreements) as "a contractual mechanism for managing the risks to the organisation associated with granting user access rights" and, as a contract, I can understand that there would be a legal risk for those who breach it.

What about your company's Acceptable Use Policy? Is it up to date and consistent with employee duties?
Have all of your users read your organisation's AUP? What about those staff who have been there 10, 15 or 20+ years? Has your AUP changed over that period, and have those users acknowledged those changes? Do they have to re-acknowledge the AUP regularly? (yearly?)
Does it explicitly state that there should be no expectation of privacy when using email, browsing the internet or storing data on company assets? Does it allow for monitoring employees and clearly state potential penalties for breaches?

While it's a little late for New Year's resolutions (maybe a Chinese New Year resolution?), make it a priority to look into your AUP and how you track acknowledgement and ensure compliance. And if you don't have an AUP, the ever-useful SANS website has a sample [pdf] to help get you started.

Cyber Crime Facts Executives Need to Know

I came across an article on PCWorld entitled "7 Cyber Crime Facts Executives Need to Know" and thought I'd add some comments:

Cyber crimes are far more costly than taking steps to harden an environment beforehand
Prevention is always cheaper than cure (cheaper in time, resources and dollars!). This doesn't just go for security, but other areas such as software development as well. Retro-fitting is always difficult, always expensive and never as good as if you'd 'done it right the first time'. The quote:
"the appointment of a single top executive responsible for enterprise risk management, a la a Chief Security Officer, or better still, a Chief Risk Officer is a critical factor for success" is an interesting one, as in my experience (and from talking with peers) many CROs in Australia are still primarily focused on financial and operational risk, with little understanding or appreciation of Information Risk. Perhaps it's a bit different in the US however (and I hope the trend is slowly changing here as well....thanks Julian Assange!)

Cyber crimes are pervasively intrusive and increasingly common occurrences
Recent high-profile events such as Wikileaks and the recent Vodafone breach have probably helped raise some awareness about Information Security and the 'reality' of cyber-crimes, although your less tech-savvy executives may think that having anti-virus installed = magical cyber-crime prevention forcefield.

The most costly cyber crimes are those caused by web attacks and malicious insiders
Web attacks I agree with, but I think there has always been some controversy about the real threat of insiders. While they can't be discounted (OK, Wikileaks again....), they shouldn't be overestimated either. Insiders know they're more likely to get caught than the anonymous hacker in Russia or some other place with no extradition treaty....
IMHO your web stuff is more likely to get attacked than you are to suffer an internal breach, especially with the rush to throw as much as possible onto the internet.

At onset, rapid resolution is the key to reducing costs
Rapid identification and handling of incidents is a must in order to reduce damage and cost. Like point #1, preparation is the key and will make all the difference when the bits hit the cyber-fan.
Oh, and notice I mentioned identification - you can't handle or resolve what you don't know about!

Loss of information due to theft represents the highest external cost, followed by the costs associated with the disruption to business operations
This may vary industry to industry and country to country, as laws such as breach disclosure differ across the world. But in general, if it was worth breaking in and stealing, it must be worth something to someone - a competitor, a rival government, etc. Resuming operations is certainly easier than retrieving data posted on the Internet, or restoring consumer confidence in the face of a privacy breach.

All industry verticals are susceptible to cybercrime
If you have data worth something, then you're a potential target. Whether you're in medical, finance or widget manufacture, you may be a target for cybercrime. Unfortunately it's a fact of life today. Of course some industries (like finance) are far more likely to be targeted.

If you deal with senior or Executive Management in your organization, these make great starting points to present some information to them. Use sites like datalossdb to find incidents in your area or industry to emphasize your points. Don't assume they know these things, go out there and educate them!

Physical Security fail

What's wrong with this picture?

(Thanks to Richard for the pic)

Legal Clouds

I came across a couple of interesting reads over at the UK-based Cloud Legal Project site (which is part of the Centre for Commercial Law Studies, Queen Mary University of London).

The first is a survey of Cloud vendor contracts ('Terms of Service Analysis for Cloud Providers'), which highlights risks such as the vendor's right to change the ToS at any time without notification, cancellation of accounts for disuse or AUP violations, and limited liability for loss of data.

The second paper is on Information Ownership in the Cloud, which highlights the need for strict definitions in contracts as to who retains the ownership rights of various data types.

Both papers are well worth a read.


Vodafone - one of the world's biggest telecommunication companies - has been hit with an embarrassing data breach here in Australia. While the details are in dispute (some stories say the data was open to everyone, others say not), they all acknowledge that there has been a significant breach at a time when the company is already reeling from negative press about poor reception and data transfer speeds on their network.

To quote Vodafone:

"Customer information is stored on Vodafone's internal systems and accessed through a secure web portal, accessible to authorised employees and dealers via a secure login and password,"
Well it must be secure. They used the word secure twice!

Seriously though, while I can understand that, with partners and shops nation-wide, Vodafone found the internet the easiest way to provide CRM access, it is a serious lapse in judgement not to require multifactor authentication on that web portal. What were they thinking?*

The Australian points out that it's likely that Vodafone won't get more than a public 'slap on the wrist' as the Privacy Commissioner currently has no power to act on breaches of the Privacy Act. Gah!

Adopting security is often about incentives. If the Privacy Commissioner can't 'punish' the company for the breach and implementing something like multifactor authentication can't be sold as a customer benefit ("Sign up with us and your data won't be stolen again!") then we're left relying on the company to 'do the right thing' - which has been shown again and again to not be a great incentive to businesses (it could be argued that if 'doing the right thing' was a sufficient incentive, Vodafone would have already used multifactor authentication on their CRM portal - I imagine someone inside of Vodafone is saying "I told you so" today...).

*probably that usernames and passwords are cheaper than multifactor authentication. Which they are, just not safer...
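To make the footnote concrete, here is an added example (mine, not Vodafone's code or anything from the original post) of what the "second factor" for a web portal actually involves: a password check plus a TOTP code check per RFC 6238. The shared secret is the RFC 6238 reference key, so the codes can be checked against the RFC's own table; the user table, salt and password are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed example data: the shared secret is the RFC 6238 Appendix B
# reference key (ASCII "12345678901234567890"), so the codes produced below can
# be checked against the RFC's table. Nothing here comes from any real portal.
RFC6238_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per TOTP window (RFC 6238 default)
DIGITS = 6       # code length shown to the user


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side
    (tolerates phone clock drift). Every candidate is compared in constant time
    and none short-circuits, so timing does not leak which digits or which
    window matched."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    current = unix_time // TIME_STEP
    ok = False
    for counter in range(current - window, current + window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter), submitted)
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the first factor (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def login(users: dict, username: str, password: str, otp_code: str, unix_time: int) -> bool:
    """Both factors must pass. `users` maps username -> (salt, pw_hash, totp_secret).
    An unknown user is checked against dummy values so the response time does
    not reveal whether the account exists."""
    salt, pw_hash, secret = users.get(
        username, (b"\x00" * 16, b"\x00" * 32, b"\x00" * 20))
    password_ok = hmac.compare_digest(hash_password(password, salt), pw_hash)
    otp_ok = verify_totp(secret, otp_code, unix_time)
    return password_ok and otp_ok and username in users


def build_demo_users() -> dict:
    """Constructed user table: one dealer account, fixed salt, enrolled with
    the RFC reference secret. A real system would use a random per-user salt."""
    salt = bytes(range(16))
    return {"dealer01": (salt, hash_password("correct horse battery staple", salt),
                         RFC6238_SECRET)}


if __name__ == "__main__":
    users = build_demo_users()
    # Unix time 59 is the first RFC 6238 test row; its 6-digit code is 287082.
    print(totp(RFC6238_SECRET, 59))
    print(login(users, "dealer01", "correct horse battery staple", "287082", 59))
    print(login(users, "dealer01", "correct horse battery staple", "000000", 59))
```

Even with the password guessed, phished or reused from another breach, the attacker still needs the current code from the enrolled device; that is the whole point the footnote is making about "cheaper, just not safer".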

Military Digital Complex

State of Security have a nice post about the 'Post-Zeus/Stuxnet World'. It comes in a year that saw what many believe was the first real government-created 'cyber-weapon' or 'weaponized malware': one that did more than just knock a site offline, and actually destroyed physical infrastructure.
Combine this with events such as an arms manufacturer buying an Australian security company that (among other things) performs penetration tests and the future certainly looks..interesting.

Move over Military Industrial Complex, and hello Military Digital Complex?

None of this is unexpected; the logical progression of military might is from the physical to the digital realm. For a smaller, less technologically developed nation, striking with weaponized malware at a larger, more advanced and more technology-dependent foe (especially if no one can prove it came from you!) has to be attractive.

Any security professional knows defence is hard. An attacker only has to find that one weak point, while the defender has to protect and monitor the whole perimeter. Unlike the castles of old, digital perimeters look more like the Great Wall in scale and are constantly changing.

The bad guys are smart, and they learn. The complexity and effectiveness of the likes of Stuxnet will have been noticed and will be part of the next generation of crimeware. As Government or Military contractors develop increasingly weaponized malware, the techniques and methods they use will filter into the ranks of the black hats and criminals - just as advances in military technology have always flowed into civilian life. Radar? TCP/IP? The Internet?

2011 is shaping up to be an interesting year...


Although it's a few years old, I just came across this great post from the ITSkeptic that likens ITIL to the Hitchhiker's guide to the Galaxy and COBIT to the Encyclopedia Galactica.


Cybertarget: Australia

The Australian is reporting on a preview of a report from the Kokoda Foundation that "paints a damning and frightening picture of a complacent nation that has not grasped the scale of the threat posed by cyber hackers to national security, the economy and personal privacy".

Some interesting points made by the article are that "Australia has the fifth-highest level of malware infections in the world" and "the country still lacks a whole-of-nation, government-led integrated long-term National Cyber Strategy and Plan".

The latter point is not really surprising. Does it sound more familiar if it is changed to "the organization still lacks a whole-of-company, executive-led integrated long-term Information Security Strategy and Plan"?
From my discussions with friends in the security industry, once you get outside of the big banks and major financial institutions, Information Security in Australia is still commonly an afterthought or an 'IT Problem'. Hopefully this attitude is changing, especially with the incredible amount of reporting on incidents such as Wikileaks.

The Kokoda Foundation report should be available later this month.
