Data Safety and Security: What Is the Test and How Can I Meet It?
A guide to understanding data security issues, and what counsel can do about them.
Constantine Karbaliotis, LL.B., CIPP[1]
Introduction
In the Internet age, a degree of familiarity with technology is assumed, simply because of
the pervasiveness of technology. What professional today does not have a cell phone
capable of taking pictures, receiving e-mails or text messages? What lawyer does not have
a computer at home from which to do work, connect to the office, and do research?
Unfortunately, technology has become commonplace without a corresponding education
for technology users on how to secure data.
Anyone in doubt of this can simply consider some interesting statistics about home users: of those having broadband (high speed) connections, fully two-thirds are without an effective firewall, software or hardware which helps to insulate their computer from invasive scanning from the Internet. Fully two-thirds are still without up-to-date antivirus protection, and one in seven has no anti-virus at all, leaving their computers open to infection by destructive viruses and worms. Four in five users have spyware or adware programs on their computers, but most are unaware of this[2]. Home users are more likely to be ‘taken over’ and turned into ‘zombies’ which are then used to launch secondary attacks on other computer systems; it is estimated that over 4 million computers connected to the Internet have been turned into ‘zombies.’[3]

[1] Canadian Senior Compliance Business Specialist, Symantec (Canada) Corporation
[2] “Largest In-Home Study of Home Computer Users shows Major Online Threats, Perception Gap”, Joint AOL/NCSA Online Study, www.staysafeonline.org, (2004).
©Symantec (Canada) Corp.
While this illustrates the gap of knowledge most computer users have about data security
fundamentals, the reality is that many enterprises, of all sizes, suffer a similar inability to
control their computing environment. In many cases, such as with small and medium
businesses, the issue simply is that they do not have dedicated information technology (IT)
staff with knowledge of the environmental risks. But in many cases, even in large
enterprises and even when IT staff are fully aware and have advised management of the
risks, management has failed to make the appropriate investment to adequately safeguard
the environment.
This paper is directed towards lawyers advising organizations, to provide some guidance
about the types of risks which clients are facing, the test against which organizations will
be measured under applicable privacy legislation, and some strategies for counsel to help
their clients in moving to a better security posture and thus mitigate potential liability
through the use of security standards.
Positions affecting Data Security
Lack of understanding of the connected world that we now live in is a key risk in the area of
data security. Seeking counsel, whether it is as to the law, or to technology, is the only
remedy to this situation, as it is difficult for most people to become educated to the risks
affecting their business.
[3] Symantec Internet Security Threat Report, Vol. X, September 2006, p. 18 (hereafter “ISTRX”). The Symantec Internet Security Threat Report is available on-line for download at http://www.symantec.com/enterprise/threatreport/index.jsp, is updated on a regular basis, and is a valuable resource for understanding where current threats exist in the online world.
Security, unfortunately, is not as ‘sexy’ as on-line shopping sites for consumers, or
business-to-business portals, which increase revenue for the organization. Security is
typically seen simply as a cost, and therefore, minimized. Particularly in the privacy arena,
where most privacy breaches arise from security breaches, there are three thought processes justifying this stance:
1. “We haven’t had an issue yet.”
2. “Let’s take a wait-and-see approach.”
3. “The consequences are not serious enough to justify the investment.”
These thought processes are based on two faulty assumptions: that the past will provide a
good guide to the future, and the enterprise has had no security issues.
The past is not a good guide to the future. The Internet is evidence that not only are threats evolving, they are evolving more rapidly than most organizations can handle if they rely on traditional tools to respond. Whereas in the early days of the Internet, attacks were primarily made by those seeking a reputation for infecting the largest number of machines possible, today attacks are profit-oriented, with organized crime often behind them[4]. Both the purpose and mechanism of attacks change on “Internet time,” which is to say rapidly. The ‘zero-day exploit’ – the attack which occurs on or before the day that a vulnerability is identified, and before software makers can issue patches to remedy the vulnerability – is a further example of why the past is not a good guide to the future.

The targets of attacks have changed: rather than being ‘everyone,’ attacks are increasingly very targeted. In the past, viruses were created with a view to creating reputation – by infecting as many machines as possible, causing embarrassment or actual destruction of data. Anti-virus software makers have responded, and reduced the opportunities for such massive waves of destruction. Now, ‘malware’ authors are targeting customers of specific enterprises, such as banks, in order to obtain personal information such as credit card data, with the ultimate goal of committing fraud or identity theft[5].

[4] ISTRX, page 4
The second fallacy, “We have been okay up to now,” has often been the response to IT staff
seeking better security.
Most organizations which have inadequate security safeguards also have no capacity to know whether they have had a security breach. The risk here is that losses of personal information have taken place without the organization knowing for sure – or worse, that it may still be happening.
Technologies exist which provide for intrusion detection and monitoring, and which audit systems’ compliance with security and privacy policies: examples include testing whether passwords are long enough, whether the latest operating system patches have been applied, or whether each system has up-to-date antivirus protection. These systems provide auditable evidence of compliance. Not enough organizations in Canada have made the investment in these technologies, which is increasingly less defensible given the number of areas in addition to privacy where organizations are obliged to provide evidence of compliance with security standards – SOX/Bill 198, PCI, and critical infrastructure protection requirements, to name a few.
It is only when a breach occurs, and there is some exposure, whether through publicity, law suits or regulators, that money is made available to address security and privacy concerns. This becomes a rushed expenditure that rarely is well spent – reacting to the immediate problem rather than putting in place a security and privacy solution that fits into the overall business. ‘Firefighting’ highlights yet another risk associated with not having determined a data security strategy in calmer moments.

[5] ISTRX, page 9
Finally, as to the third fallacy, the risk of consequences is indeed changing. The Privacy Commissioner of Canada has announced that her office will be conducting audits where there are reasonable grounds to be concerned over the privacy practices of an organization. Public issuers in Canada subject to Sarbanes-Oxley and Bill 198 are subject
to an increased level of audits concerning their information management – and in turn are
also conducting audits known as CICA 5970 audits to review the information practices of
their sub-contractors and outsourcing partners, to ensure that they are handling
information in an appropriate manner, since the public issuer remains liable for any
problems associated with the safeguarding of the information being processed by the
subcontractor or outsourcer. Finally, the Payment Card Industry Security Standards
provide for serious consequences for companies who fail to adhere to the standards,
including fines by the credit card issuers, or termination of their contract to process credit
cards. (Attached as Appendix A is the PCI Security Standard). Compliance is increasingly a
corporate topic inclusive of privacy, as well as a host of other regulatory and contractual
requirements. A weakness in security affects compliance in all arenas.
Apart from regulatory sanctions or law suits, it is increasingly obvious, both within Canada
and in the US, that security breach stories are never good for the reputation of the
organization. Finally, while there are not yet many cases in Canada arising from security
breaches, it would be expected that lawyers would consider not only regulatory action, but
the likelihood that civil damage claims would ultimately be made in an appropriate case.
Because such security breaches often involve databases, and thus the exposure of the
personal and financial information of large numbers of individuals, these types of claims
are ideally suited to become class proceedings.
Threats and Attacks
This is not intended to be exhaustive, but to supply some basic knowledge about current threats and attacks, the language used to describe them, and how they operate to threaten an enterprise[6].
Malicious code refers to the variety of types of software that has evil intent, regardless of the mechanism by which it spreads or operates. Viruses were the first of this type, but the category now includes worms, trojans, bots, and adware or spyware. Malicious code has one thing in common: it involves installation of software which causes harm, either without the consent of the computer user, or by deception. Risks from these types of programs are increasing in response to the improved defences supplied by anti-virus technologies; malicious software is now often modular, downloading other software after the initial infection, and is thus able to update itself with new, potentially more damaging code.
A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply to replicate themselves and make their presence known by presenting text, video, and audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss. Polymorphic viruses are becoming more prevalent: these alter their own code during replication to avoid detection by traditional antivirus software.

[6] The definitions are taken from a variety of Symantec sources; see http://www.symantec.com/enterprise/library/index.jsp for enterprise related information, and http://www.symantec.com/en/ca/home_homeoffice/library/index.jsp for home and home office related information.
Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm.
Trojan horses are impostors—files that claim to be something desirable but, in fact, are malicious. A very important distinction between Trojan horse programs and true viruses is that they do not replicate themselves. Trojan horses contain malicious code that, when triggered, causes loss, or even theft, of data. For a Trojan horse to spread, you must invite these programs onto your computers; for example, by opening an email attachment or downloading and running a file from the Internet.
Bots (short for “robots”) are programs that are covertly installed on a targeted system.
They allow an unauthorized user to remotely control the compromised computer for a wide
variety of malicious purposes. Attackers often coordinate large groups of bot-controlled
systems known as bot networks. These networks can be used to perform distributed
attacks, including denial-of-service (DoS) attacks, against organizations’ systems.
A rootkit is a collection of trojan horses that replace system binaries in an attempt to allow
attackers to retain access to systems while hiding their activity. Often, the script used to
install the rootkit will remove evidence of the compromise and rootkit installation to
further cloak the intrusion.
Spam has been a pervasive problem over the past few years; enterprises have had to invest
significant efforts and money in technologies to prevent the onslaught of invitations to
invest, expand various parts of the human anatomy, buy drugs, or participate in get-rich-
quick schemes. Spam now makes up 54% of all monitored e-mail traffic.
As instances of spam climb, so does the complexity of the techniques used. Over the past
couple of years, “phishing” has become a common phenomenon. Phishing generally
employs clever fakes designed to lure the unwitting into revealing confidential information
such as passwords, account information, and other forms of sensitive personal
information. Spam is also becoming a conduit for malicious code, such as Trojans, which
may be used to turn recipients’ computers into ‘zombies’ that can be remotely controlled
by hackers to attack Web servers, collect personal information, or send spam emails. On
average, 172,000 users lose control of their machines each day, and zombie networks
account for about 50 to 80% of all spam according to various industry reports[7].
Adware and spyware are also becoming a prevalent source of problems[8]. Adware and spyware are software which has been installed, often deliberately by a user of the home computer, but which was ‘hidden’ in an otherwise innocent-looking download of a browser toolbar, utility, game or screensaver. Spyware or adware is often included in apparently desirable or useful software downloaded from the Internet, and may even be mentioned in the licence agreement that most users simply click to accept. Spyware can include software which searches for and sends sensitive data, records the user entering passwords or credit card information, and sends it surreptitiously to the creator’s web site.

[7] Getting Tough on the Growing Spam Problem (June 21, 2005), Symantec Enterprise Library
[8] Spyware: How can it be removed? (June 15, 2005), Symantec Home and Home Office
Adware often installs other, pernicious software which redirects the user to web sites to drive up usage statistics, on which web sites are often paid by advertisers, or imposes advertising on the home user. Often, the content of these sites or advertising can be uncomfortable or embarrassing for adult users, and is inappropriate and harmful to children. Adware typically also monitors the user’s patterns of usage and behaviour on the Internet and provides this valuable ‘meta-data’ to its authors, who resell it, whether or not the meta-data is anonymous, to others for directed and further intrusive unsolicited advertising.
A Sampling of Data Security Issues and Mitigations
Data security breaches can occur in a number of ways, and can impact many different types of information in the organization. While loss of business confidential information can also be devastating to an organization, the focus here will be the likely ways in which the personal information in the custody of the organization can go astray. This is not intended to be an exhaustive list of potential data security risks, but one that focuses on the ways in which lawyers work on a day-to-day basis, and that is applicable to the law firm environment.
1. Portable information
Information is increasingly portable – and given that most people seem to work more than forty hours in a week, often from the road or at home, this is a tremendous convenience. Laptops and other portable devices that can carry tremendous amounts of data, such as USB drives or iPods, are pervasive, useful and commonly used by professionals and organizations’ executives and staff. It is fairly common to use these devices to copy information from the corporate network, and take it home to work on. But there are many public examples of the loss of this portable information; the one that has recently received considerable attention is the loss of laptops.
One strategy is to encrypt the data on the device. However, few organizations make the effort to ensure that the information on these devices is encrypted so as to mitigate the risk of the loss of the device. This is often due to the administrative difficulty in managing the keys required to encrypt data – this requires some central management, and thus effort and labour, simply to ensure that the data can be recovered when (inevitably) the user forgets their password.
Another strategy is to not allow personal information to get onto the laptop or device in the
first place. With web-enabled applications, most information can be offered remotely to
users, and securely – and loss of the laptop means little if there is no information actually
stored there. This requires however an investment in web-based security and in making the
information needed to do one’s work available remotely.
2. Endpoint Security: Working from home and the web cafe
Many knowledge workers work from home – after all, with high-speed access, and the
never-ending work week, this is quite practical. But there are, as noted above, few homes
that have adequate security around their home networks and computers, and this is
ultimately the organization’s problem.
Home users are the most highly targeted group of users for targeted attacks – 86% according to the latest Symantec Internet Security Threat Report[9]. This is likely because they remain a fertile source of personal information, in combination with inadequate measures to secure home computing resources.
The risks that home working creates arise in part from the lack of even basic protections on
home computers, that are nonetheless used to connect to corporate networks. To address
this, many companies are making anti-virus software available to their employees,
specifically for their home computers, as well as firewall software. Another common
approach is to create a ‘virtual private network’ (VPN) that allows home users to
communicate through a secure, encrypted ‘tunnel’ directly to the corporate environment,
ensuring that the content of the communications cannot be intercepted. As well, secure
web applications can be utilized to encrypt the connection between the remote user and
the web application.
The problem with both of these approaches is that they assume that there is protection against malicious code at the endpoint – the user’s computer.

[9] ISTRX, page 9
Web ‘cafés’, where there are public terminals available for use and paid for by the hour, as well as wireless connections for those using their own laptops, present another set of challenges. These web café computers may be infected with malware or viruses, through the usual mechanism of people visiting sites and downloading software, or by deliberate actions on the part of those seeking to harvest personal information.
Web cafes, as well as home users, often utilize the convenience of wireless connections.
These present their own challenges, simply because they are so convenient, and
commonplace, yet so typically inadequately protected. An estimated 75% of wireless
networks are either insecure (not utilizing encryption) or are configured with ‘default’
administrator passwords and setup, well known and available by simply downloading user
manuals from the Internet. (Typically, they are set up for user ‘admin’ with password
‘admin’).
Because of their convenience and ease to set up, corporate IT administrators have to be on
the look-out for users who have simply connected a wireless access point to the corporate
network. This poses a tremendous risk, because users typically fail to turn on even
rudimentary security; such a connection opens the whole network up to exposure,
defeating the often tremendous investment in setting up firewalls and other security
through the corporate network’s connection to the Internet.
An additional area of concern lies in the monitoring of communications between users and the corporate LAN over unencrypted connections: ‘eavesdropping’ on the transfer of confidential information. Often this can happen quite accidentally – many laptops come with wireless networking built in, which users turn on so they can connect at home, but fail to turn off when returning to work. While connected to the wired, corporate network, the wireless connection provides an access point into the network to anyone in the vicinity[10].
“Wardriving” refers to the hobby of locating and accessing such available access points. Below is a map from 2004 indicating, in green, insecure access points in downtown Toronto; blue indicates ‘default’ set-ups, and red, those utilizing WEP (wireless encryption protocol) for security. Even WEP has been demonstrated to be easily cracked, and new, more defensible standards such as WPA have evolved; however, it may be that the only way to secure wireless connections carrying confidential or personal information effectively is to use a VPN and encrypt the communications[11].

[10] ISTRX, page 34
[11] ISTRX, page 36

[Map of wireless access points in downtown Toronto, 2004; image not reproduced in this extract.][12]
In a 2003 story in Toronto, police arrested a man driving the wrong way down a one-way
street, and found him half-naked with a laptop utilizing an insecure wireless connection
from a home network to download child pornography. This highlights the risk to individuals
and businesses, who might be called to explain why their IP address was being used to
access inappropriate materials.
[12] Source: www.wirelessbandit.nerdsunderglass.com
3. Malicious Code Protection
What can be done about malicious code? It is now an expectation that organizations will have up-to-date antivirus software installed on computers, and will scan e-mail attachments as well as most other forms of electronic communication – instant messaging being the latest battleground – to ensure malicious code does not enter the organization. Organizations which do not have this must be viewed as falling below an acceptable standard of care.
But it goes beyond this. One of the greatest problems in this area is of course the ‘unmanaged device’, such as the home computer, the USB drive, or even the old floppy, which requires the enterprise to actively monitor and defend itself from the risks associated with malicious code entering through the day-to-day activities of users accessing the corporate network. Technology to support remote users on a variety of platforms exists; so do technologies which monitor or disable USB devices that are not approved, or which automatically run scans and isolate devices that do not meet corporate security standards; as does access control technology that ensures that only permitted devices are able to access information over the corporate network. These are all available, and must be viewed as essential elements in the toolkit to meet the obligations of the corporation’s stewardship over personal information.
Education is also critical to help prevent infection; users must be taught not to open attachments that are not from trusted sources, or that they are not expecting. Most successful malicious code attacks rely on ‘social engineering’ techniques, which require the user to be fooled into opening an attachment or running a program. Given that outbreaks can often be attributed to poor information security practices on the part of users, a security awareness program should be considered not a best practice, but a minimum requirement.
Considering the consequences of a virulent outbreak, the organization must devote an appropriate amount of resources to dealing with the consequences of a potential exposure of confidential and personal information to those seeking to use it for fraudulent purposes, which includes considering it from the perspective of business continuity planning (such as the use of archiving and retrieval technologies).
Best Practice = Best Defence?
It is against the standard of reasonableness that most actions are measured, including data security. The tendency is to confuse this with ‘what everyone else is doing.’ This is not a helpful way to determine an appropriate course of action with regard to data safety and security, and represents the fourth and final fallacy: what everyone is doing may be wrong. Best practices are identified by practitioners in the information security field, and it is against these that organizations will be measured, in terms of how closely the organization’s own practices match them.
With this in mind, the following enterprise best practices (ISTRX, page 99) are suggested as being ‘the test’ for data security and safeguarding in the privacy arena:
1. Enterprises should first of all have a security strategy and policy, which involves multiple, overlapping, and mutually supportive systems to guard against a single point of failure in any specific technology or protection method. This should include the deployment of regularly updated antivirus, firewalls, intrusion detection, and intrusion protection systems on client systems.
2. Enterprises should assess their systems against their enterprise security policy,
and turn off and remove services that are not needed.
3. If malicious code or some other threat exploits one or more network services, the
enterprise must have the capacity to disable or block access to those services until a patch
is applied.
4. The enterprise must always keep patch levels up-to-date, especially on computers
that host public services and are accessible through the firewall, such as web, file transfer,
mail, and directory or domain services.
5. Enterprises should implement network compliance solutions that will help keep
infected mobile users out of the network (and clean them up before entering).
6. Enterprises must enforce an effective password policy. Ensure that passwords are a
mix of letters and numbers. Do not use dictionary words. Change passwords often.
7. Enterprises should configure mail servers to block or remove email that contains
file attachments that are commonly used to spread viruses.
8. Enterprises must have the capacity to isolate infected computers quickly to prevent the risk of further infection within the organization, and thereafter perform a forensic analysis and restore the computers using trusted media.
9. Employees should be trained to not open attachments unless they are expected and come from a known and trusted source, and to not execute software that is downloaded from the Internet unless it has been scanned for viruses.
10. Enterprises must ensure that emergency response procedures are in place. This includes having a backup-and-restore solution in place in order to restore lost or compromised data in the event of a successful attack or catastrophic data loss.
11. Enterprises must educate management on security budgeting needs.
12. Enterprises should regularly and routinely test security to ensure that adequate
controls are in place – and document the results.
13. Enterprises should ensure that only applications approved by the organization are
deployed on the desktop and laptop, to prevent loss of information through malicious
code.
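As an added illustration, not part of the original paper, the following Python script shows what the auditable compliance evidence described earlier (password length, patch currency, antivirus status) and best practices 1, 4 and 6 above look like once reduced to mechanical checks over an endpoint inventory. The policy thresholds, the dictionary word list, the hostnames and the inventory dates are all constructed for this example; an enterprise substitutes the values from its own security policy and monitoring system.

```python
"""Compliance-audit example: check endpoint inventory records against a written
security policy and produce auditable findings. All thresholds, the word list
and the inventory below are constructed for illustration, not taken from the paper."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Policy thresholds (assumed values; an enterprise sets its own in its security policy).
MAX_PATCH_AGE_DAYS = 30         # best practice 4: keep patch levels up-to-date
MAX_AV_SIGNATURE_AGE_DAYS = 7   # best practice 1: regularly updated antivirus
MAX_PASSWORD_AGE_DAYS = 90      # best practice 6: change passwords often
MIN_PASSWORD_LENGTH = 8         # "long enough" threshold for the password test

# Constructed stand-in for a dictionary word list (a real check uses a full dictionary).
DICTIONARY_WORDS = {"password", "welcome", "summer", "toronto", "letmein"}


def password_meets_policy(candidate: str) -> List[str]:
    """Return the password rules a proposed password violates (empty list = compliant).

    Rules follow best practice 6: long enough, a mix of letters and numbers,
    and no dictionary words. This runs at password-change time; the audit
    below never sees the password itself, only the date it was last changed."""
    problems = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append("too short")
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_letter and has_digit):
        problems.append("must mix letters and numbers")
    lowered = candidate.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    return problems


@dataclass(frozen=True)
class Endpoint:
    """One row of the inventory that the monitoring system collects from each host."""
    hostname: str
    last_patch: date          # when the last operating system patch set was applied
    av_signature_date: date   # date of the antivirus signature set in use
    password_changed: date    # when the primary user's password was last changed
    av_installed: bool = True


def audit_endpoint(ep: Endpoint, today: date) -> List[str]:
    """Return the policy findings for one host (empty list = compliant)."""
    findings = []
    patch_age = (today - ep.last_patch).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"patches {patch_age} days old (limit {MAX_PATCH_AGE_DAYS})")
    if not ep.av_installed:
        findings.append("no antivirus installed")
    else:
        sig_age = (today - ep.av_signature_date).days
        if sig_age > MAX_AV_SIGNATURE_AGE_DAYS:
            findings.append(f"antivirus signatures {sig_age} days old "
                            f"(limit {MAX_AV_SIGNATURE_AGE_DAYS})")
    password_age = (today - ep.password_changed).days
    if password_age > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password {password_age} days old (limit {MAX_PASSWORD_AGE_DAYS})")
    return findings


def audit_fleet(endpoints: List[Endpoint], today: date) -> Dict[str, List[str]]:
    """Auditable evidence: every host is listed, compliant ones with an empty finding list."""
    return {ep.hostname: audit_endpoint(ep, today) for ep in endpoints}


# Constructed sample inventory, audited as of an assumed date.
AUDIT_DATE = date(2006, 9, 30)
SAMPLE_FLEET = [
    Endpoint("desk-01", date(2006, 9, 20), date(2006, 9, 29), date(2006, 8, 1)),
    Endpoint("laptop-07", date(2006, 6, 1), date(2006, 7, 15), date(2006, 1, 10)),
    Endpoint("home-pc-3", date(2006, 9, 25), date(2006, 9, 30), date(2006, 9, 1),
             av_installed=False),
]

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_FLEET, AUDIT_DATE).items():
        print(f"{host:10} {'COMPLIANT' if not findings else '; '.join(findings)}")
    print("proposed password 'Summer2006':", password_meets_policy("Summer2006") or "ok")
```

The report lists every host, compliant or not, which is what makes it evidence of compliance rather than merely a list of exceptions.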
Conclusion
This can only be a brief introduction for counsel wishing to understand the risks associated
with data security, and to begin the conversation needed with IT staff in client
organizations.
Mature organizations understand that there must be an ongoing conversation between counsel and IT staff, in order to ensure that the legal obligations of the organization in respect to compliance, including data security, are met. The facilitator and implementer of that effort, and the tools appropriate to the task, is the IT department; it is only with the assistance of the IT department that the goals of the enterprise in data security can be met. However, the requirements for data security, as well as a full assessment of the risks to the business, and the potential for harm, must involve the business side, and of course, legal counsel.
Appendix A: The PCI Security Standard
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other
security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security