Data being leeched from company databases by less secure mobile devices is a common occurrence, making data leakage the big technology issue of 2008. With the increasing use of mobile phones, PDAs and laptops as work tools, important company data is removed from the office every day.
This increase in data sharing promotes an environment suitable for data leakage and is aggravated by the associated use of hot-desking, home working and wireless hotspots. It is further complicated by the shuttling of data back and forth between staff on USB sticks, CDs, DVDs, backup tapes and even iPods. As a consequence, security breaches are on the increase.
Whether it is HM Revenue & Customs losing 25 million records on CDs, the Ministry of Defence losing details of 600,000 servicemen and women in a lap-top theft, or the recovery (from beside a bicycle shed) of a USB drive containing the personal details of Perth & Kinross Council workers, cases of data loss appear with uncomfortable regularity.
The Payment Card Industry Data Sec-urity Standard (PCI DSS) that is currently being implemented, as well as the forth-coming governance regulations in the Companies Act, will force UK businesses to focus on the problem of data leakage.
Unlike many other parts of the world, in the UK there is no requirement to disclose data breaches. The Identity Theft Resource Center (ITRC) reports that data breaches doubled to 167 in the US during the first quarter of this year, compared with the equivalent a year ago.
That figure is probably similar in the UK, even without the ITRC figures accounting for the encrypted files that may have been compromised. However, there remains no real breakdown of the number of breaches that are directly related to mobile data.
In all fairness, and in terms of numbers, the incidence of data breaches as a result of mobile device theft is perhaps not as high as scaremongers would have us believe, simply because it is not as anony-mous as covert internet hacking. If someone wants to steal data, doing so by taking a laptop means they run the risk of discovery, perhaps being seen by someone, or monitored on a security camera. But it does happen, and the theft of one laptop can do more to expose a company’s data than any concerted hacking or social engineering exploit.
However, theft of mobile devices is a problem for many reasons, not least of which is because access permission is often set on the mobile device and there is no local security to prevent a thief from booting up the computer. For this reason, even allowing remote access can open a back door to systems.
The biggest hack to date is the well-publicised attack on retailer TJ Maxx, where an estimated 45 million customer records were stolen. The attack started by compromising a wireless LAN that only used Wired Equivalent Privacy (WEP) encryption that can be cracked within 10 minutes by an experienced hacker.
The compromised network allowed entry to other systems and the breach has, according to the company, cost an estimated $12m (£6m), but analysts believe this may actually stretch into more when the full cost of the remedial work and harm to the brand is taken into account.
Ensuring compliance through best practice
Bob Tarzey, service director at analyst firm Quocirca, offers the -following advice on compliance where mobile data is concerned:“Ensuring you comply is a problem because the laws are -changing at all levels via legislation and legal precedent. The -application of best practice is needed, and these should be rigorous and reviewed continuously to withstand legislative requirements.
“Should the need arise, these precautionary measures will have to convince a judge or jury that all reasonable steps had been taken to ensure security.”
- Either making sure that sensitive data cannot be copied to mobile devices or, if it is necessary, data is encrypted on the device.
- Blocking sensitive data is a tagging issue and requires -content filtering at the host to control what can and cannot be copied.
- Making sure employees use security access keys and ensuring these are not left attached to devices.
- Providing locked-down devices for users who only need limited capabilities so they can only access the functions they need and have no ability to copy data.
- Disabling Bluetooth.
- Using phones without built-in cameras, or disabling the camera function, as malicious employees can use the camera for data theft.
- Making sure lost devices can be disabled remotely or, preferably, erased if they are authorised to store sensitive data.
- Providing education around adhering to best practice that is related to the job.
However, before the issue of mobil-ity can be addressed, it is necessary to understand the extent of the problem by taking an audit of all the mobile devices used within a company. Capricode has developed SyncShield, one of a growing number of mobile device management products that help to manage smaller mobile devices such as smartphones and PDAs. “The first step is to get information on the types of phone you have and the software used into one database. And while you can do it with Excel or with asset management products, it entails extensive manual work,” says Erkko Vainio, business development director at Capricode.
“A mobile device management product which is really designed for business use can allow you to collect the information over the air after you’ve installed a client on the phones,” explains Vainio.
According to Vainio, this could extend the problem as it introduces some unpleasant surprises. “You may find that some people, even though most will have business phones, will be using their own private phones. This means that even though a company may have issued, for example, Nokia phones, the actual mix could include iPhones and BlackBerries.”
Vainio recommends limiting the number of operating systems and phone models to make the system more manageable. “When you commission a new laptop, it will have been standardised so you have a limited number of configurations. You can decide what kind of software you want to have on it and what the settings should be, whether it’s done by the reseller or using your own image. This is what IT managers know how to do, and this is what to aim for with the smartphones as well,” he comments.
Phil Huggins, chief technical officer at Information Risk Management, agrees with Vainio. “The big problem – and mobile is a really obvious indicator – is that people aren’t clear what their data is, or where it is,” he says. “As enterprises expand, more work is being done by people over remote browsers on BlackBerries and other mobile devices rather than at desktops. The big challenge is to understand how much risk you have already placed outside your traditional boundaries.”
Huggins adds that there are several issues that need to be considered around mobile device use. “Mobile devices are very easy to lose. As a valuable item to sell, these devices are quite highly targeted. I don’t think people are necessarily stealing these devices to get hold of data, but this could change. People are using their phones to store data and they’re also using USB drives. Companies are deploying applications specifically developed for mobile devices that allow employees to access dashboard applications, financial spreadsheets and such. The key problem is that people aren’t aware of the risks they are taking in the first place.”
The obvious solution to this is to devise policy documents and train staff to be aware of security issues. Staff members are rarely savvy about security and a lack of understanding can lead to errors. They are often working to meet deadlines and such pressure can lead to shortcuts. It is not unusual for pressurised staff to take copies of documents relating to their work so that it can be finished at home.
The best practice is to disable any port that can be used for copying. USB ports are obvious candidates, but there are also issues with Bluetooth, Wi-Fi and CD/DVD drives that must be addressed.
Huggins says: “Questions that must be asked are, do you have Bluetooth open to the world? Are you connecting to the internet constantly? It’s more to do with the configurations of the devices rather than the software security that is deployed on them. One interesting thing I have seen deployed on BlackBerry Enterprise Servers and also on other mobile manufacturers’ offerings is a ‘remote-kill’ feature. When you have a standard platform, you’re able to put in a server that can send remote-kill commands. If a device is endangered, you press the button and it eradicates its memory and kills itself. This is incredibly valuable, especially when combined with local device encryption.”
Various companies, including mobile device suppliers and network operators, aside from BlackBerry manufacturer Research In Motion, are starting to offer remote-kill facilities. There is also a burgeoning market for remote-kill services for laptops. In these cases, it is wise to ask what kind of service is being provided. Does the erasure process only delete files, or does it overwrite the data on the disk? If it merely deletes data, then an undelete application, freely available for download on the web, can retrieve the files.
There is no substitute for encrypting infor-mation to protect mobile data. It is common practice to encrypt transmitted data, but not many people encrypt hard drives, optical discs, backups and USB drives. Huggins believes that this is essential. “If we’re talking about laptops, I advise full disk encryption,’ he says.
“Some people seem happy to go with encrypted areas of the disk, where people are supposed to put secure files. Good security in business is about people making the best decisions based on training awareness and policy, but technology should also support them because they may not necessarily make the best decisions. Full disk encryption means people don’t have to be relied on to make the right decision – it’s just done.”
The idea is to reduce the value of any stolen device to the hardware costs. The harder it is to get at the data, the less valuable the device becomes to professional thieves seeking industrial espionage potential. Eszter Morvay, senior research analyst for European personal computing at analyst firm IDC, feels that even more protection is required.
“In terms of security, there are three things to consider,” she says. “Nowadays, it is good practice to ensure that any business notebook comes with a biometric fingerprint reader on board, as well as disk encryption. The second element is being provided from an original equipment manufacturer perspective. When Intel or AMD design a new processing platform, security is one of the key features they focus on. Basically, you get additional pieces of software that work together with the processing platform to enable higher data security and higher data integrity, though how much this can achieve is debatable.
“The third element is putting really secure software, such as McAfee, Symantec and Check Point ZoneAlarm, on top of the operating system to offer all-around protection,” explains Morvay.
“The principal shaper of future security policies will be governance regulations,” she adds. The onus is on companies to prove they are taking all possible measures to protect sensitive information – and that requires a massive amount of work to increase the awareness of employees to best practices. The size of this task may change the face of future infrastructures, especially on the client side.
Morvay explains: “There are several client solutions emerging at the moment that have no hard drives or USB ports. These thin clients are basically access devices. When you type in your username and password, the remote server allocates processing power and the applications you are going to be using.”
Morvay points out that the availability of mobile thin clients, which look like conventional laptops and cost between £300-£400, makes the proposition even more attractive. In vertical markets such as financial services, retail and healthcare, where data security is crucial, the lack of data storage on the device greatly simplifies the security structure.
A mobile thin client without server access is a fairly useless device, which is both a blessing and a curse. The good point is that security training is simplified to protecting the login process and not leaving the equipment turned on and unattended. The downside is that some form of network has to be available in order for the device to be useful.
The mobile thin client may not be to everybody’s taste, but a thin-client phone or PDA may be the way ahead to ensure that data is not stored locally and, therefore, cannot easily be compromised.
What to do when mobile data goes missing
1. A security policy should ensure that any missing item containing data is reported immediately to the helpdesk. There is sometimes a tendency to hold back in case the item shows up.
2. All relevant helpdesk reports should be immediately referred to the CIO, chief security officer, or an appointed authority. Where possible, the report should contain details of where, when and how the loss occurred, and the contents of the device.
3. Perform an immediate risk assessment and take any -necessary actions to mitigate impact on the business. Close down any -exposure points on the network, report the loss to the police and, if applicable, instigate an immediate search.
4. Collect and collate information on all missing items to see if any patterns emerge, including specific departments, locations, or time of year. Questions should be asked to determine factors such as whether the incidents are the result of carelessness, or if particular models are more attractive to thieves.
5. Review the security policies constantly to see if awareness can be improved. Should a reminder be issued? Is a specific -training course necessary? Could increasing the penalties for certain breaches improve security?