Talking about a breach

In November last year, a laptop belonging to an employee of the Boeing Corporation was stolen. Among the information contained in the machine was the personal financial data concerning 161,000 current and former employees of the aerospace giant. None of the confidential information was encrypted, and thus the thieves would have been able to read and exploit it at will.

Yet this was just one of the two serious failings in Boeing's IT security procedures uncovered by this episode. The second was not to have immediately owned up to the incident. Indeed, the company still refuses to reveal the precise timings, but has admitted that it was "several days" after the theft took place before the 'victims' were officially informed that their personal details were now in the public domain [-] potentially ready to be used by criminals involved in identity theft.

Companies across the world have always preferred not to reveal details of their IT security breaches. In truth, though, the problem once became so bad here in the UK that the Metropolitan Police Service launched a 'special guarantee' under which companies were promised anonymity if they reported that their corporate IT network had been the target of hackers. Without such a scheme, police were unable to prosecute the hackers because officers were totally unaware that any incidents had taken place.

The basic dilemma

It's reasonably easy to understand the dilemma of the targeted organisation. A run-of-the-mill incident might cost a typical bank £250,000 in terms of lost productivity, replacement hardware or system downtime. Yet if the attack is reported to the police and the suspects subsequently end up in Court, the whole episode becomes public knowledge (resulting in customers losing trust in the bank concerned). At which point the £250,000 becomes totally insignificant. If a bank loses the trust of its customers, it will lose those customers and revenue.

The nature of the problems that may be incurred are many and varied [-] ranging from loss of key information, adverse publicity and loss of trust through to legal action by customers and official censure by the regulators. All of which might be avoided with a professional towards the use of data encryption.

Where once your key information (such as customer account data and profitability figures) resided on a few desktop PCs in a private office, now the information is spread far and wide. As well as the master copy on the main system, there are often copies (or at least extracts or summaries) in many other computers. Some of them will be laptops, which are incredibly easy to lose or steal.

In addition, unscrupulous members of staff or dishonest visitors can easily copy information from a bank's main systems to a multitude of external storage devices. These include USB flash drives, digital cameras, MP3 players, mobile phones or even the good old-fashioned floppy disk. All of which then become vulnerable if subsequently lost, stolen or re-copied.

Encrypting File System

An effective encryption policy needs to encompass every device onto which employees might wish to copy files. It also needs to be transparent to users, such that it may be centrally controlled without any user action being require

Although Windows provides some encryption with its Encrypting File System (EFS), this is difficult to manage and impossible to enforce. Turning the EFS off requires just a couple of mouse clicks. In any case, it doesn't actually protect areas of the hard disk such as the swap file or other temporary files. Most importantly, if files are copied from a Windows PC to an MP3 player, floppy disk, mobile, ftp site or USB drive they invariably lose their encryption, often without the user's knowledge.

An effective encryption policy needs to encompass every device onto which employees might wish to copy files. It also needs to be transparent to users, such that it may be centrally controlled without any user action being required, and should be impossible to disable (other than by authorised administrators). Ideally, the encryption policy should also have the selective ability to block files from being copied to external devices at all (or if the target device doesn't support the same level of encryption as that which protects the source data).

Your choice of crypto algorithm is also vital. Choose a proprietary encryption system. If anyone discovers the secret mathematical formula behind it, all of the files that you have ever encrypted instantly become public knowledge. That being the case, choose a known international standard such as the Advanced Encryption System (AES) with a key length of at least 256 bits.

Management walk-through

What action should be taken? A management walk-through is a great way to assess the impact of a security breach. Simply sit a group of technical and non-technical managers around a table and discuss a series of 'What if?…" scenarios. Such an exercise invariably highlights critical weaknesses in existing strategies which can then be corrected before it's too late.

For example, walk through the following scenario… A director of your company attended a conference last week. At some point, his briefcase was snatched from the back seat of his car. The case contained a laptop computer which held a list of the Top 10,000 customer accounts by revenue. The information was not encrypted. This happened on the Friday afternoon, but it's now Monday morning and the loss has only just been reported…

Among the topics that you will need to discuss are:

• How will you ensure that those 10,000 affected companies are discreetly informed about the breach as soon as possible?
• Who will brief the regulatory authorities and your company's legal team?
• What will you tell journalists from the national press and broadcast media once they grab hold of the story and want to hear your version of events?
• Who is officially responsible for the security of your company's information, and what will he or she be doing to prevent such an event from happening again?
• Who could make use of the stolen information, and how? Can you put systems in place to help detect instances of this taking place?
• What action will the Marketing Department take to help regain the trust of new customers who have decided to take their accounts elsewhere?
• Which laws and regulations has the organisation broken, and in which countries?