Now incorporating 112 Review, Community Safety Review & Military Review

Perimeter Security

In today's world the perimeter to be secured is not just the immediate physical one of building walls, fences and borders.

by Michael Smith

While the Great Wall of China did something for that country by way of protection, and a good perimeter fence and watchtowers may guard and protect a military or similar installation, today, in the world of computers and the Internet, we must also and especially consider our virtual perimeter. This, in many cases, is rather fluid.

Many companies, institutions, and others place guards at their entrances, require passes of all kinds and levels, have fences, intruder sensors, and much more, and, since they work rather on an international level, have all manner of anti-virus protection and all manner of protection against intrusions by way of firewalls and such. Few, so it would appear, have a policy in place to ensure that sensitive and mission-critical data is not taken out by employees, especially temporary staff or disgruntled staff, on removable media such as floppy discs (yes, I am showing my age here, for I even remember when they, in fact, were floppy and rather big as well), CDs/DVDs, USB flash memory, or even small removable USB hard drives.

We all have seen what can happen – and I am sure we all wonder where that data that was thus lost is now – when the likes of the British government offices sent data, very sensitive data, unencrypted, around the country on CDs.

Apparently, the real problem is that the two departments concerned have different encryption tools and the receiving department would not have been able to read the data had the discs been encrypted. No one thought of those implications before? Doh?!?

This is very much like NATO with all its different kinds of weapons and even communications systems, all of which could really have caused a great deal of trouble had we ever had to go to war with the Warsaw Pact in those days. Unlike us, they had everything interchangeable. Proper compatibility should, one would have thought, have been considered, but it does not seem to have been. But, alas, such are those that sit in ivory towers.

Encryption is but one thing.

What, however, often – more often than not – gets forgotten as far as securing data is concerned is the “physical” security of it and the securing of the ports – not the shipping kind, though.

Who has access to the USB ports and do they need to be able to remove data by downloading it on removable media?

Organizations go to all lengths to control access to a network from the outside but often have no policy and measures in place for securing the devices. This means that basically anyone can steal sensitive data by using a USB memory stick, for instance, or an iPod.

The question to ask is who in an organization has access that could compromise data, as this can be more important than the possibility of an external breach and the resultant data theft.

Too often only the “break in” from the outside into the system is considered as far as data and security are concerned, and the possibility of data theft from within an organization by an employee is overlooked.

Today flash memory devices are getting smaller and smaller, are being “concealed” in other objects such as pens, and are getting more powerful, with ever more storage capacity. Plugging in a USB stick and copying a large amount of data takes from a few seconds to something like ten minutes. USB sticks nowadays are so common, and in fact part of work, that the fact that someone has one or more on his or her person says and means nothing to the security guards, for instance. Hence the protection has to be at a different level.

Music players too, such as an iPod or a similar, straightforward MP3 player, can often store data aside from just music files and are therefore also a way in which data can leave your institution; a way in which someone who, maybe, should not be able to can take out data.

Also, such devices, whether players or memory sticks and such like, can be used by someone with malicious intent, whether an employee or not, to inject malware into a PC or an entire network. All it needs is access to a computer that is not locked down, for instance.

It would appear that many organizations do not have any systems and policy in place that control who may access and especially copy data to removable media of whatever kind.

All it takes, as we have seen more than once, is a disgruntled employee – or even an ex-employee whose password and such is still active – to ruin the reputation of an organization or to hold it to ransom.

© M Smith (Veshengro), December 2008
<>

Powers of RIPA legislation abused

Ex-Chief of MI5 'astonished'

by Michael Smith

The Regulation of Investigatory Powers Act (RIPA) was passed in 2000 to regulate the way in which public bodies such as the police and the security services carry out surveillance.

To begin with originally only a small handful of authorities were able to use RIPA but its scope has, for some reason, been expanded enormously and now there are at least 792 organisations using it, including hundreds of local councils.

This has generated dozens of complaints about anti-terrorism legislation being used to spy on, for example, a nursery suspected of selling pot plants unlawfully, a family suspected of lying about living in a school catchment area, and paperboys suspected of not having the right paperwork.

Now those campaigning against the abuse of RIPA have got a new ally in the person of Lady Manningham-Buller, the former head of MI5. In a speech in the House of Lords recently, she said she was "astonished" when she found out how many organisations were getting access to RIPA powers.

Those that nowadays, more or less willy-nilly, seem to be granted the right to carry out surveillance for this or that reason should never, so it seems as far as the Security Services are and were concerned, have been given those powers, and rightly so.

While there may in fact be reasons for councils and others to be granted powers under RIPA at times, no council, per se, needs to carry out covert surveillance of dustbins, for instance, as to what people put into them. The same is true in respect of other uses that RIPA has been put to.

When RIPA was introduced, the activities authorised by that legislation were meant to be confined to the intelligence and security agencies, the police, and Customs and Excise.

The legislation was drafted at the urgent request of the intelligence and security community so that its techniques would be compatible with the Human Rights Act when it came into force in 2000.

Nowadays, however, for reasons unfathomable, every authority of whatever kind – from local councils and trading standards (and that latter one can still be understood), through the Milk Marketing Board equivalent and the one responsible for eggs and whatever else, aside from the police, the security services and HMRC, that is to say Customs and Excise – is given such covert surveillance powers.

Britain is fast becoming, if it is not already, an all-pervasive surveillance society, and British subjects are the most spied-upon people on this planet, ahead even, so it would appear, of the citizens of Russia and even of Cuba.

On the principle governing the use of intrusive techniques which invade people's privacy, there must be total clarity in the law as to what is permitted and they should be used only in cases where the threat justifies them and their use is proportionate.

Presently, however, it would appear to be neither, and as far as a great many people among the general public who are in the know are concerned, this is very disconcerting and it is creating resentment.

However, it seems that the current Labour administration in the United Kingdom could not care less what the public thinks, really. They have a majority in the House and hence do not care one iota about the people.

How can we expect to combat terrorism on our shores when we alienate the general law-abiding public, who should be the eyes and ears of the authorities, by using spy techniques and anti-terror legislation against those who have done nothing wrong?

The idea of the DNA and fingerprint database and the idea of monitoring all email and Internet traffic of every subject of Her Britannic Majesty is not going to bring the people onto the side of the government. Rather the opposite.

People who work in the field of security, I am sure, can see that, but those that try to lord it over the people, whether in central or local government, do not care, it would seem. Councils up and down the country use RIPA powers against people that may or may not put the wrong stuff into their dustbins, who may put their dustbins out on the wrong day, and such like. As far as I, and Lady Manningham-Buller, see it, this is a total misuse of the powers of the act. It is time some reining in was done here.

© M Smith (Veshengro), December 2008
<>

Environmental protesters get into secure airport area

What the h*** happened to the security?

by Michael Smith

When, on Monday, December 8, 2008, environmental activists gained access to a high-security area airside at Stansted airport in Essex, one can only ask what the h*** has happened to the security at that airport, whether its own security teams or the police. Was everyone asleep at that time of the early morning?

If that is the security on the airside of our airports, then what is going to prevent a more or less major terrorist attack, when environmental activists – unarmed, except for bolt croppers and such like – can get airside at a more or less major airport, the second-largest airport in the UK in fact?

Not so long ago activists got onto a parked aircraft at Heathrow, Britain's largest airport, and one of the world's busiest and no one had noticed until some of them in fact unfurled a banner on the plane.

I must say that if that is our air side security at airports then all the other security measures are a waste of time and useless and will not make our airports and air travel secure.

While those measures aimed at air travellers inconvenience those travelling by air and make check-ins and arrivals a longer process, they will not prevent explosives, for instance, being placed on a plane. Not as long as the security at airports remains the joke it is presently. The problem is that this joke is not funny by a long shot.

All the measures currently in place do, as I have said already, is inconvenience the airline travellers and not the terrorists, for all they have to do is get airside, by cutting through a fence a la the environmental activists, and place a device at the belly, for instance, of a parked aircraft. And, the way security (what security?) is on that side of the airports at present, this is not, despite what we are being told, a difficult undertaking, and this should make us really worried.

This is also very much the same as regards the security of railway rolling stock. While, for the Eurostar trains, for example, airport-style scanners and security checks are used, and now even small penknives may not be taken on that train, there is very little stopping any more or less determined person getting near the parked trains and attaching a device to them, or getting onto the tracks and sabotaging them.

I know that as much as with cyber security there is no 100% security possible anywhere and it cannot be unless we would surrender all our liberties and freedoms and we, as people, should take some responsibility – in fact the greatest part of it – for our own personal security and that of our families and loved ones, and, to some degree of society as a whole.

However, when we look at the ease that people can get into supposedly secure areas and get onto, as in the instance of Heathrow, a parked aircraft then we must ask what is going on.

One must then also wonder whether there really is the threat that we are told is there, or whether we are just being told that so that the powers that be can make things more and more difficult for ordinary people going about their daily lives, such as having biometric ID cards (probably with transponders) forced upon them, and the threat that any cop may demand to see ID and that, if none is carried, one might then find oneself in jail.

If security is allowed to be as lax as it appears to be, then one can but come to the conclusion that in reality there is no such threat as the security services and government keep trying to tell us. If not, then the lackadaisical approach taken to airside security at British airports is criminal negligence, and some heads should, nay indeed must, roll, and security must be made nigh on watertight.

As I said already, I know, and I hope that everybody else does too, that there is no such thing as 100% security without living in a fortress and giving up all liberties and freedoms; it would be then that the terrorists and enemies of freedom had succeeded, and this we must not allow to happen.

If anyone is supposed to feel secure flying again – I for one would not, then again I do not like flying, period – then airside security must be enhanced and made as good as watertight. It is no good inconveniencing the passengers with all those checks and searches and restrictions when anyone can just saunter into any airport directly through the fence with bolt cutters and then do, unmolested for quite some time, whatever they wish to do. There are many countries in the world where anyone entering such a secure area of an airport would simply be shot by snipers.

I do not think that we would, necessarily, want to have such kind of operations in the United Kingdom, but...

© M Smith (Veshengro), December 2008
<>

Private Web spies monitor activists online for Australian police and attorney-general

God defend me from my friends – from my enemies I can defend myself

by Michael Smith

A private intelligence company has been engaged by police in Australia to secretly monitor internet and email use by activist and protest groups, according to a report.

The company was hired by Victorian Police, the Australian Federal Police and the federal Attorney-General's department to monitor and report on the internet activities of anti-war campaigners, animal rights activists, environmental campaigners, and other protest groups.

The Melbourne-based firm has for the past five years monitored websites, online chat rooms, social networking sites, email lists and bulletin boards, so says the report, and has gathered intelligence on planned protests and other activities, even though many, if not the majority, of those on the watch list have broken no laws.

Welcome to the fascist Dominion of Australia. Then again, it would appear that the mother country, Britain, is headed the same way, with the security services running roughshod over all civil liberties possible. Is this a sign of things to come?

This private intelligence company has also prepared threat assessments and intelligence reports for government agencies that included material from media reports, speeches, academic journals and publicly available company data, but no private correspondence, so it is claimed, was monitored.

As to the latter I would, personally, be very dubious. If they go as far as they have gone the chances are that they may have gone further still but that this is more secret than other things.

The company was not named at the request of its management for fear extremists may target the firm.

The news comes a month after Victorian police were found to have targeted community and activist groups in a long-running covert operation.

So much for the claims of freedom and liberties in Australia. If that is freedom and liberty then I would not want to see what happens should they change tack.

There is one difference between Australia and the UK, and that is that in Australia it seems to be easier to find out what the services are up to than in the UK. In the latter place the law and the culture of secrecy make getting such information very difficult indeed, despite the “Freedom of Information Act”, and if they can claim that they are monitoring suspected terrorists then, well, there is no chance of getting information, and anything that ends up leaked and then published could get one killed.

© M Smith (Veshengro), November 2008
<>

How to avoid on-line manipulation: "Nigeria-letters"

EU Agency ENISA launches "Social Engineering" report with 5 defence measures to counter fraud threat

Heraklion, Crete, October 2008 - The EU Agency ENISA (The European Network and Information Security Agency) launches a white paper on 'Social Engineering', i.e. on-line manipulation through social networks, email (also known as 'Nigeria-letters' or 'advance-fee frauds'), instant messaging, or Voice over Internet Protocol (VoIP). The Agency provides 3 case studies portraying how easily users are manipulated, identifies 5 defence measures and issues a checklist, 'LIST', for users to counter social engineering. Finally, the white paper includes an exclusive interview with the world-famous security author, speaker, and consultant Kevin Mitnick.

What are the risks of on-line manipulation, or "Social Engineering"? Fraudsters frequently manipulate people and exploit human weaknesses through 'social engineering'. That way, people break their normal security procedures. The scale and sophistication of such fraud is increasing, (27.649/month, Jan.'07-Jan '08, according to APWG). Several new ways are used to reach users (e.g. instant messaging, VoIP, and social networking sites apart from emails). Successful social engineering entails:

1. A convincing pretext for contacting the target,
2. Getting the facts right by research,
3. Timing and exploitation of current events, e.g., the Tsunami event, or a Santa Claus mail around Christmas, with a worm included,
4. Exploiting human behaviour and psychology.

Three e-mail based case studies portray how easy it is to trick ordinary users:

- Case 1: 179 respondents assessed 20 messages (11 bogus, and 9 legitimate), and only 42% of the users could correctly classify the mails; (32% were classified incorrectly and 26% as 'do not know'.)
- Case 2: Of 152 targeted end-users within an organisation, 23% were tricked into accepting malware infections.
- Case 3: Over 500 undergraduate students followed embedded links, opened attachments, etc. The rate of failure was 38-50%. The good news is that the failure rate was reduced with training.

The Agency identified 5 defence measures against social engineering. However, the key to success lies in improving users' awareness. Users should use a checklist of questions to verify the Legitimacy, Importance of the Information, the Source and Timing (LIST) (for full checklist see p 25-26 of the report.) Mr Mitnick underpins the report with the claim that it is much easier to trick someone into revealing their password, rather than making an elaborate hack. The Executive Director of ENISA, Mr. Andrea Pirotti, comments: "Making staff and users aware of security is of serious concern for Europe. We should all become more aware and 'responsible on-line EU-citizens', in our own interest of being able to benefit of the Internet safely."

The report has been elaborated with the kind support of the ENISA Awareness Raising Community and is available at: http://enisa.europa.eu/doc/pdf/publications/enisa_whitepaper_social_engineering.pdf

<>

"Children on Virtual Worlds" - 25 parental safety tips, report launched by the EU Agency ENISA

The EU Agency ENISA, the European Network and Information Security Agency, launches a report on virtual worlds with 25 safety tips for parents on how to make their children behave safely in online virtual worlds.

Heraklion, Crete, 06.10.2008 - Club Penguin, Barbie Girl, Moshi Monsters, Webkinz, etc. Is your child spending hours playing online games? Well, you are not alone. Virtual world sites are now hugely popular and have become a compelling activity for many Internet users. The rate of growth in online social networks, including virtual worlds for children, has risen over the past few years. With more than 100 youth-focused virtual worlds, regulators and parents are struggling to keep pace. It has been estimated that 20 Mn children and tweens will visit virtual worlds by 2011.

Parents are naturally concerned about how their children use and behave in virtual worlds. The biggest concern is the online safety of children (7 years old and under) and tweens (8-12 years old) and how they can be protected from online predators. Awareness of what children can do online and parental involvement are crucial. Parents should be educated, empowered and engaged to ensure truly positive and valuable experiences for their children, while reinforcing safe online habits in these three-dimensional environments.

The ENISA paper gives 25 safety tips to parents. These tips provide clear and comprehensive tools for parents to decide with their child what is appropriate and safe, to behave responsibly as well as to have fun in virtual worlds. Sample tips range from computer security, to rules, and advice on parents' and children's education, e.g.:

1. Keep the computer in a common room.
2. Set house Internet/mobiles rules if and how to use virtual worlds.
3. When activating a child's account, always do it using the parent's email address.
4. Be aware that parental consent should be required to process sensitive personal data, for chat rooms, send unsolicited commercial e-mails, etc.
5. Have children use neutral nicknames, not their real ones.
6. Communicate with your children about their experiences. Encourage them to tell if they feel uncomfortable or threatened online.

For all 25 safety tips, please read the full report: http://www.enisa.europa.eu/doc/pdf/deliverables/children_on_virtual_worlds.pdf

The Executive Director of ENISA, Mr. Andrea Pirotti, remarked: "It is our responsibility as adults to secure that our children can have both fun and safely enjoy online gaming and virtual worlds."

<>

The identity crisis continues

A government report says the National Identity Scheme will fail if it does not primarily serve the public, including being free to join

by Michael Smith

Sir James Crosby's much delayed review of identity management, commissioned by Gordon Brown when he was still chancellor, was not available at the event in March 2008 where home secretary Jacqui Smith outlined her plans for the National Identity Scheme. That is not surprising: it makes embarrassing reading for the government.

The former HBOS chief executive recommends that the identity scheme should be free to join: it will not be. He thinks it should be run independently, perhaps by Parliament: it is run by a Home Office agency.

Crosby's main point is that the scheme should be so useful and easy that citizens actively want to use it, in the manner of Google. Yet it remains to be seen whether the government is listening. For example, it sounds as if students may have a tough time if they do not enrol, rather than the scheme transforming their lives if they do.

Crosby's report shifts the emphasis of government policy away from identity management and towards identity assurance. It states: "ID assurance meets a clear and growing consumer need, whereas ID management addresses the interests of the owners of any identity database."

He recommends that the scheme should be accountable to Parliament, rather than government; that the amount of centrally held data should be minimised; and that citizens should be able to block reuse of their data except for national security purposes.

The identity scheme's core problem was and is that the government wants it to be two things at once: a security system that stops people from doing things, and an enabling system that helps them.

Crosby believes there is very little common ground, and says that the scheme has to focus on enabling people - even for the purposes of national security, as otherwise citizens will minimise usage as far as possible, providing little data to be trawled.

If the scheme fails, he just got in his "I told you so".

The problem with this hare-brained ID card scheme of this government and those of other EU nations – and forgive me if I am wrong, but this to me would appear to be in fact a scheme that the European Union is demanding (for better control of all citizens – welcome to 1984) – is that the British government and its agencies simply cannot, as is proven day by day by the losses of sensitive data, be trusted with the data of the subjects of Her Majesty. Nay, I did not say a wrong thing. Please remember that the British citizen is but a figment of the imagination.

However, whichever way, the British government and its agencies, and the contractors and sub-contractors used by said agencies, have such a dismal record as to data protection that there is just no way, whether the scheme is free to join or compulsory – and I am sure we all remember that we were told in the beginning that it was going to be entirely voluntary (believing this government is not easy) – that anyone in their right mind could be prepared to trust his or her data, including and especially biometric information and such, to such agencies.

I also doubt that it would be any different as to the data problems whether the Tories or the Liberal Democrats were in charge, as the problems do seem to lie with the civil service and the departments rather than with the politicians.

On the other hand, though whether we can believe them or not, both the Tories and the Whigs have promised to get rid of that hare-brained scheme altogether. And pigs might fly, I know, for if this comes from Brussels and the new European Ministry of Security then there is no way that it can be abandoned.

Data can be made secure on a small and a large scale but whether the British government agencies would know how to work hardware encryption is questionable.

© M Smith (Veshengro), September 2008
<>

LONDON MULTI-TRADE SHOW GETS FULL INDUSTRY SUPPORT

The industry’s leading trade associations and wholesale groups have renewed their support and participation in the London multi-trade show that now consists of Totally Tools, Totally DIY and the recently launched Totally Secure.

The changes proposed for the 2009 shows by organiser Brintex have won the approval of long-term show supporters, the British Home Enhancement Trade Association (BHETA), Decco, the Federation of British Hand Tool Manufacturers, the Garden Industry Manufacturers’ Association (GIMA), Home Hardware Southwest, MICA Hardware and Toolbank who have all confirmed they will be exhibiting next January. In addition, the British Hardware Federation (BHF), which has had its own stand at the show for the past two years, has confirmed it will be back in 2009.

This year, many members and customers of the various organisations will be offered assistance with travel and refreshment costs, to help promote a visit to the show in January.

This activity, alongside a revamped floor plan which puts new products literally centre stage, the provision of free personalised invitation tickets for exhibitors to use, and a fresh approach to the idea of staging a ‘multi-trade’ show, with the introduction of Totally Secure, has met with approval.

Paul Woolley, commercial director of the BHF Group, said, “With over 2,000 hardware members we see the show as a great opportunity to meet up with existing members and recruit for new ones! We’ll be offering new members a 25% discount on membership fees if they sign up at the show.

“In addition, our team from BHF Direct will be on the look out for new lines and products to offer our members – the show provides us with a great opportunity to get direct feedback on new products and our own services. We can cover a lot of ground in three days at the show!”

Simon Bicknell, sales director of Toolbank, whose support was important to the successful launch of Totally Tools four years ago, commented:

“Totally Tools continues to be an important part of our marketing programme and we welcome the initiatives being made by Brintex to add energy and impetus to the show.

“The show is a great platform to update customers on our latest initiatives and plans. We look forward to meeting potential new accounts, and spending time with many existing customers and are pleased to confirm Toolbank's participation in Totally Tools 2009.”

New exhibitors to sign up for the 2009 to date include Aisin Europe, AP Lifting Gear, GT 85, Isotronic Mezger, RKW Leisure, RCD and Tarax Technology. In addition, Brother UK, Saint Gobain Abrasives and Spectra Tool Company are returning to the show after a break last year and DK Tools and Tool Connection are both back at the show having doubled the size of their stands.

“More than ever, retail buyers have to be proactive in their search to find new products to sell on to their customers. Our multi-trade show will be a great sourcing platform for buyers – and should help to stimulate interest and retail sales, which the whole market needs,” said show director James Murray. “Now is the time to proactively sell and to get out and see what companies have to offer!”

This year, to mark the show’s 15th year, a high-level industry conference, addressing the key issues of DIY and home retailing, will take place on the morning of Monday, 19 January. Details of the conference theme and speakers are to be announced shortly.

Current exhibitors for Totally Tools include Abingdon King Dick, Arrow Fastener, Evolution Power Tools, Exakt Precision Tools, KS Tools KWB Tools / Ringwood Agencies, Ledco, Monument Tools, Nilfisk Alto, Northern Wholesale, Rolson Tools, SMC and Valley Industries.

In Totally DIY confirmed exhibitors include Agralan, Bulk Hardware, Centurion Europe, Coo-Var, Crown Paints, Draper Tools, Euro Showers, Everbuild Building Products, Fair & Square, Feed ‘n’ Leave, Gorilla Glue, Group 55, IBP Conex, Initial Monogram, King Cole, Liberon, London & Lancashire Rubber, Mueller Primaflow, Oracstar, Polyvine, Procter Brothers, RB UK, Route 1 Group, Sealey Power Products, STV International, Sycamore UK, Tembe DIY, Tor Coatings, Trollul and Unger Germany.

New show Totally Secure has attracted bookings from Yale Security Products, part of the Assa Abloy Group, Borg Locks, Codringtons, Davenport Burgess, Guardian Lock & Engineering, Henry Squire & Sons, Keyprint, M.A.C Solutions, Master Lock, Sentry Safes, Sterling Locks and Total Product Sales, with more names waiting to be confirmed.

Totally Tools, Totally DIY and Totally Secure will take place 18-20 January 2009 at Earls Court in London. For further details and a full list of current exhibitors please contact show organiser Brintex on 020 7973 6401.

<>

Another serious case of data loss in Britain

by Michael Smith (Veshengro)

Home Office loses USB memory stick with data of about 100,000 criminals

The continuing data security breaches and loss of data and laptops containing secret information must, by now, become an embarrassment to the British government, or so at least it should. It is rather time that heads rolled but, alas, that is hardly going to happen.

How, pray, does anyone put data such as that which has just been lost – lost because the USB memory stick has been lost – onto a small USB memory stick unencrypted?

Apparently the private sector contractor working for the British Home Office – the British Ministry of the Interior – took the data, which was, so we are told, encrypted originally, decrypted it and then simply stuck it onto an unsecured memory stick. This is not just stupid or incompetent, though both attributes certainly also apply; this is criminal negligence.

As Keith Vaz, Labour MP and chairman of the home affairs select committee, said: “If you hand out memory sticks almost like confetti to companies and ask them to do research for you, then you have to be absolutely certain that the company concerned has put in practice procedures which will be just as robust as the procedures that I hope the government has followed.”

But it is not just private sector contractors to the government that have such a lackadaisical attitude to data security; the government's own departments are, normally, directly, the culprits.

If one does need and want to use portable devices, such as USB memory sticks, then they should at least be hardware encrypted – please note: I said hardware encrypted – and this with very strong credentials. There is no excuse not to use such devices. They no longer cost the earth, either, so cost certainly should not come into it.

If the information given to me can be believed, then the reason that the data from the HMRC office, sent by courier to London a while back, was unencrypted on the CDs that were subsequently lost was that the two departments do not have the same encryption program. While we were told that a junior clerk had simply copied the data onto the disks and sent them out, the reasons, apparently, are different.

The data should already have been encrypted, period, when it was downloaded onto the CDs in that instance. Why is open data held on computers in the first place? The data held on the computer systems of whichever government department should already be encrypted and would, hence, when copied to CD or whatever, still be in code. But, apparently, this is not the case.

A spokeswoman for the Home Office said in a public statement that the reason as to why the data was in the hands of a private contractor and why it was downloaded onto a USB memory stick was that the outside company was to conduct a study as to how to provide an improved prosecution of offenders. Further information as to how it happened that this stick was lost, however, was not given.

It might be better if the British government began conducting a proper study as to how to avoid loss of data from government departments, for presently there seems to be a sieve here in operation and no safeguards in place whatsoever. This is not only scandalous; it is criminal.

Shadow Home Secretary Dominic Grieve said that there had been a "massive failure of duty" and I do not think that one can add any more to that. With the exception, perhaps, that it is time that the minister responsible for the Home Office tendered his or her resignation. I say here his or her as I cannot remember whether presently it is a man or a woman that is in charge there. People come and go there too often, in general, and that culture too, probably, has a lot to do with things going missing.

© M Smith (Veshengro), August 2008
<>

Legal & General offers Brits ten top security and safety tips in support of National Home Security Week

Legal & General is encouraging Brits, in support of this year’s National Home Security Week, which runs from 23rd to 29th August 2008, to ensure they check their home security and safety. This would appear to be particularly important as a previous Legal & General online survey, ‘Safe as Houses', revealed that although we’re very good at putting home security features in place we’re not so good at checking that they are still working.

Research highlighted that although more than eight in ten, 84%, have smoke alarms in their homes and that almost one in three, 30%, have installed a security alarm, worryingly over 50% admitted that they have never checked their security alarm.

Elaine Parkes, Head of technical services, at Legal & General’s general insurance business commented: “Our research showed that while many Brits have installed security and safety devices to protect their homes, many are not as vigilant as they should be in carrying out regular checks that they actually work.

So, to help prompt people to carry out these important checks we have prepared the following security tips to hopefully encourage more people to make a conscious effort to ensure their homes are safe and secure.

Top ten home security and safety tips
  • Check your burglar alarm works or consider installing one if you don’t have one already. These should be regularly checked in accordance with the installer’s or manufacturer’s recommendations, which normally suggest annually.
  • At least every month check that smoke alarms are clear of any dust and that the batteries are working.
  • Check locks fitted to all accessible windows are in working order, particularly those that may not have been opened for a while.
  • Make sure your shed and any other outbuildings are secure. This may mean replacing any locks that have rusted and repairing or replacing any rotten or damaged window frames.
  • Check trees and shrubs for storm and wind damage so they are not likely to fall on the house and cause any damage.
  • Clean out your kitchen oven extractor hood to remove any oil build up to reduce the risk of fire.
  • Clean tumble dryer filters and exhaust duct and the area under the dryer to reduce risk of fire and flood.
  • Check the roof for any missing tiles or cracks in roofing felt and that the guttering and drains are undamaged and clear of any debris.
  • Check brickwork for any cracks.
  • Check gutters for any debris collections or animal or wasp nests.
Legal & General has also prepared a special guide, Safeguarding Your Home, which outlines in more detail how people may protect and safeguard their home and possessions. The guide is available to download at www.legalandgeneral.com/safeguard

More details on the National Home Security Week are available at http://www.homesecurityweek.co.uk

Source: FD Consumer Dynamics
<>

NEW SECURITY SHOW LAUNCHED FOR 2009

Totally Secure, a specialist show for locksmiths and security product resellers, is being launched by Brintex, organisers of the Totally Tools and Totally DIY trade shows.

Totally Secure has been created in partnership with Simon Griffiths, Gary Eckersall and Chris Taylor who are the organisers of the very successful ‘Security Live’ and MLA Manchester Central exhibitions that have previously taken place in the north of England.

Totally Secure will take place alongside Totally Tools and Totally DIY at Earls Court in London next January 18-20th.

Simon Griffiths of Security Live said, “We are very excited at the prospect of working with Brintex to create an interesting and vibrant show at Earls Court, which will encompass a wealth of new and existing products from the market leaders.”

Paul Grinsell, show sales director at Brintex, responded: “Simon, Gary and Chris, who are all Master Locksmiths in their own right, have developed a successful show, which we believe will do equally well in the south, and give a whole new audience of security product resellers the opportunity to catch up with this growing industry sector. In addition, Totally Secure will deliver an in-depth security product offer to current visitors to Totally Tools and Totally DIY.”

In its first year, the show aims to have a full range of security product suppliers taking part, covering all types of physical security products, and will encourage them to use the event as a new product launch pad.

Nagib Jiwa is managing director of Keyprint, one of the leading suppliers of keys, locks and related security products in the UK. He is already interested in taking part in the new show, and commented:

“We have exhibited at Totally DIY now for a number of years; it's given us a chance to meet buyers we would not usually be able to call on or meet face to face, as well as a platform to meet some of our southeast-based customers. Now with Totally Secure we can bring a fuller and wider range of our products and services and get in front of the London and southeast locksmiths and resellers. It definitely meets a need.”

Further information on Totally Secure will be available shortly via www.totally-secure.net or from Brintex sales director Paul Grinsell on 020 7973 4734.

Source: The Press Office Ltd

Monitoring for effective data protection

By Geoff Sweeney, CTO, Tier 3 www.tier-3.com

Recent security breaches in both the private and public sector have highlighted the need for organisations to ensure personal information is processed and stored securely. Ever growing collections of personal data, more remote access and the prevalence of crime such as identity theft all create vulnerabilities. It is essential that effective data protection policies and practices are in place, combined with vigilance and strong governance at all levels in all organisations, to ensure data protection is taken seriously.

Individuals expect the Data Protection Act to shield the security of their information. At the same time information security is increasingly at risk. As part of its new data protection strategy launched in March 2008 the UK’s privacy watchdog, the Information Commissioner’s Office (ICO), disclosed its plans to promote the importance of appropriate security, to use its regulatory powers against organisations that neglect their responsibilities in this area, and to help individuals to protect their own information.

In May this was reinforced when The Criminal Justice and Immigration Act received Royal Assent creating tough new sanctions for the ICO. This new legislation gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act and represents a step up from the ICO's previous power to simply issue enforcement notices.

This isn’t necessarily the end of the changes and there may be more regulation to come as, towards the end of May, the European Network and Information Security Agency (ENISA), called for laws tougher than those in the US to force companies to reveal when their computer systems have been breached. In its General Report 2007 the EU's top security body said governments, businesses and consumers are still underestimating the scope of the IT security problem, in part because of the lack of transparency when breaches occur, and mandatory disclosure of security breaches would be a step toward raising recognition of the seriousness of security threats. In the US, there are two laws which force organisations to publish details of security breaches. One is the California Breach Law (SB1386), which requires organisations doing business in California to tell customers about possible security breaches. Similar laws are planned for other states. The second is Sarbanes-Oxley, which obliges executives to keep informed about material aspects of their business, including security breaches.

Whether mandatory disclosure of information security breaches is ultimately adopted in the UK or not is not yet known, but clearly advances in IT have made the collection, storage and sharing of all sorts of information easier and available to a wider population. Undoubtedly these advancements have resulted in enhanced services across many sectors, but they have also increased the challenge of managing and protecting information. The vulnerability of data protection is evidenced almost daily, with costly data leakage incidents regularly impacting individuals and the organisations charged with the custody of their sensitive information.

The connectivity of WANs and the internet means that there are now few barriers to sharing information. The consequence, however, is that organisations can quickly lose control of who is sharing the information, where it is going and whether it is being used appropriately.

With this in mind the best way for organisations to meet their data protection obligations is to understand the information flows and uses within their business environment. A systematic risk based approach which matches the data monitoring and protection capabilities of the organisation with the risks associated with the loss of information based on its sensitivity/value and its likely impact to the individual and the organisation is increasingly important. Security policies, processes and technology are all part of the operational risk management process of identifying, monitoring and controlling information security breaches which may cause highly public exposure to your organisation and its stakeholders.

Increasingly, with the massive data volumes involved, this risk management loop requires the integration of skilled operational staff and competent technology to provide appropriate monitoring and control to ensure the use and movement of confidential information is within policy and adequately protected.

The good news in all this is that the security management process shouldn’t be too onerous and indeed should be part of the overall IT security effort. Technology is available which readily monitors who is accessing information, when and for what purpose. Using data protection systems which employ behavioural analysis an organisation can easily distinguish between legitimate use of its confidential information and inappropriate usage. One of the most damaging breaches is when an authorised user who has “legitimate” access to sensitive information either accidentally or maliciously chooses to misuse or leak that information. A behavioural analysis based security system can detect unexpected or risky data movement even where other systems can’t.

By recording the movement and use of information, a behavioural analysis based security system establishes a profile that incorporates the characteristics of normal system use. By constantly monitoring and profiling user and system activity, the system immediately recognises when information is accessed, changed or shared in an unusual or uncharacteristic manner and immediately alerts the accountable manager for remediation and evidentiary audit purposes. Specific business and policy rules can complement the system to enable early warning of any specific forbidden or unacceptable practices, e.g. theft or fraud.
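The profiling-and-alerting loop described above, as an added example that is not Tier 3's product or code: a per-user baseline is built from a constructed set of access-log lines, then new events are scored against it and any deviation (a destination or action never seen for that user, a record volume far above the user's norm, activity outside the user's observed working hours) is raised as an alert with its reasons, ready to be handed to the accountable manager. The log format, field names and thresholds are assumptions made for this illustration.

```python
"""Behavioural baseline and anomaly alerting over constructed access-log lines.

Added example; not Tier 3 code. The log format, field names and the
thresholds below are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple

# Constructed baseline records: <ISO timestamp> <user> <action> <record_count> <destination>
BASELINE_LOG = """\
2008-08-01T09:12:00 alice READ   12   internal
2008-08-01T10:40:00 alice READ   8    internal
2008-08-02T09:05:00 alice READ   15   internal
2008-08-02T14:30:00 alice EXPORT 10   internal
2008-08-01T09:30:00 bob   READ   300  internal
2008-08-02T09:45:00 bob   READ   280  internal
2008-08-03T09:20:00 bob   READ   310  internal
"""

# Constructed events to score against the baseline above.
NEW_EVENTS = """\
2008-08-04T09:10:00 alice READ   11   internal
2008-08-04T23:55:00 alice EXPORT 5000 usb
2008-08-04T10:00:00 bob   READ   295  internal
"""


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    records: int
    destination: str


def parse_log(text: str) -> List[Event]:
    """Parse whitespace-separated log lines; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, records, dest = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, int(records), dest))
    return events


def build_profiles(events: List[Event]) -> Dict[str, dict]:
    """Per-user profile of what normal use looked like during the baseline period."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    profiles = {}
    for user, evs in by_user.items():
        counts = [e.records for e in evs]
        hours = [e.ts.hour for e in evs]
        profiles[user] = {
            "actions": {e.action for e in evs},
            "destinations": {e.destination for e in evs},
            "hour_min": min(hours),
            "hour_max": max(hours),
            "mean": mean(counts),
            "stdev": pstdev(counts),
        }
    return profiles


def score_event(e: Event, profiles: Dict[str, dict], sigma: float = 3.0) -> List[str]:
    """Return the reasons an event deviates from its user's profile (empty list if none)."""
    p = profiles.get(e.user)
    if p is None:
        return ["no baseline exists for this user"]
    reasons = []
    if e.action not in p["actions"]:
        reasons.append(f"action {e.action} never seen for {e.user}")
    if e.destination not in p["destinations"]:
        reasons.append(f"destination {e.destination} never seen for {e.user}")
    # Volume: flag counts more than `sigma` standard deviations above the user's mean.
    if e.records > p["mean"] + sigma * p["stdev"]:
        reasons.append(f"{e.records} records against a baseline mean of {p['mean']:.1f}")
    # Time of day: one hour of slack either side of the user's observed working window.
    if not (p["hour_min"] - 1 <= e.ts.hour <= p["hour_max"] + 1):
        reasons.append(f"hour {e.ts.hour:02d} outside the observed working window")
    return reasons


def detect(events: List[Event], profiles: Dict[str, dict],
           sigma: float = 3.0) -> List[Tuple[Event, List[str]]]:
    """Events that deviate from the baseline, each paired with its reasons."""
    alerts = []
    for e in events:
        reasons = score_event(e, profiles, sigma)
        if reasons:
            alerts.append((e, reasons))
    return alerts


def run_demo() -> int:
    """Build the baseline, score the new events, print the alerts; returns the alert count."""
    profiles = build_profiles(parse_log(BASELINE_LOG))
    alerts = detect(parse_log(NEW_EVENTS), profiles)
    for e, reasons in alerts:
        print(f"ALERT {e.ts.isoformat()} {e.user} {e.action} -> {e.destination}")
        for r in reasons:
            print("  -", r)
    return len(alerts)


if __name__ == "__main__":
    run_demo()
```

Only alice's late-night 5,000-record export to a USB destination is raised; her routine morning read and bob's usual volume stay silent. Two caveats a practitioner would want: a baseline this small makes the standard-deviation threshold brittle (a user with a single baseline event has a standard deviation of zero, so any increase is flagged), and the alert is the start of the process, not the end: the event and its reasons are the evidentiary record the accountable manager reviews, which is why the function returns them rather than just printing.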

The scale and task of protecting stored and transmitted sensitive information is undoubtedly becoming greater. The problem for organisations, however, is that their responsibility for information assurance remains unchanged and, with the intrinsic risk associated with storing and sharing it, information owners continue to need ongoing visibility of who is accessing data, for what purpose and where they are taking it. Behavioural based security monitoring technology provides the ability to continuously manage and report the status of access and usage of confidential information for any organisation.

Source: Eskenzi PR
<>

How to multiply the uses of your Business Continuity Infrastructure

Ian Masters, sales and marketing director UK, Double-Take Software

Introduction
Business continuity (BC) infrastructure is typically thought of as a means to get data offsite. IT managers don’t necessarily realise that the BC infrastructure they are building can provide much more. A well thought through deployment can provide the ability to move information technology systems anytime, anywhere, for whatever purpose, without interfering with ongoing operations. Whether recovering from a disaster, simplifying routine server maintenance or even migrating whole data centres, a good deployment can provide a dynamic infrastructure that ensures effective business continuity planning as well as making the data centre manager’s life a whole lot easier.

A day in the life of a data centre manager
To state the obvious, data centre managers don’t spend their working lives exclusively worrying about large-scale disasters. Their day-to-day experience is more likely to include managing smaller business continuity and infrastructure issues. How can they maintain full service when they know a shared disk is starting to malfunction and needs to be swapped out? How can they replace a physical server because it is no longer performing optimally? What happens when entire clusters of servers need to be moved because the nodes lack disk or processing ability? What happens if the entire data centre needs to be moved to a different location?

Building a dynamic infrastructure
Data replication solutions, which copy data in real time from one server to another to create a complete duplicate on a live backup system, provide very high levels of data protection and availability. However, data replication is just that; it only protects an application’s data, not the application itself. In the event of a disaster, system administrators will have to hope that all of the application backups are valid and can be restored, because if not, they’ll have no choice but to find the installation disks and sometimes even that isn’t an option. To overcome this, the more sophisticated data replication solutions provide byte-level replication for application system states so that administrators have the ability to provision an entire server at the touch of a button and keep business critical applications up and running.

Another tool used to reduce hardware costs and manage infrastructure more flexibly is virtualisation. Virtualisation provides data centre managers with the ability to move servers “dynamically” to a different virtual machine where more processing power or disk space may be available. However, the process of moving virtual machines is limited to the virtual infrastructure and sometimes only to the same physical server where the technology is hosted. By combining data replication that moves data and the application system state, virtualisation, WAN accelerators, operational monitoring and security tools, you now have the ability to protect and dynamically manage your entire data centre, regardless of the situation.

Dynamic infrastructure in operation
Using host-based replication allows you to replicate data and operating systems, independent of hardware and in real time, while systems are still in production. Administrators are able to replicate from physical to a virtual environment or vice versa, physical-to-physical or virtual-to-virtual, all while the end users are accessing the data.
Data centre managers are using dynamic infrastructures to move entire data centres without end users even being aware, easing operational management as well as meeting the most stringent business continuity requirements. If a server is in need of maintenance, the data centre manager isn’t committed to a 2.00 am Sunday morning change control window just to tweak a configuration setting or perform a reboot. The operation of that server is dynamically moved to another without interruption, allowing the technician to take as long as needed to perform maintenance or repair that server. Maybe the part from the vendor won’t be available for 10 days? Operations continue uninterrupted and the maintenance window is open to whenever it is convenient.

Conclusion
If you have the ability to move systems anywhere, anytime, for whatever reason, without interruption to users, you have just exceeded a rather large piece of your company’s business continuity requirements and, more importantly, maximised data centre uptime. Dynamic infrastructures are providing the ability to restore business operations after a disaster not only to a functional level but also to the level of service that your end users expect, as well as providing the ability to seamlessly manage data centre operations.

Source: StoragePR
<>

The bad guys are out-running the good guys – Can compliance stop them?

Brian Chess, Founder and Chief Scientist, Fortify Software

Judging by the number of public breaches that we keep hearing about, it looks like the bad guys are far outrunning the good guys. We know it’s a big problem because as a company we get called in to sort out the problems most often once the horse has bolted.

In June of this year section 6.6 of the PCI Data Security Standard (DSS) becomes mandatory in the US; will things change? From a UK perspective it will be interesting to see whether it makes a change for the better. Online merchants that process credit card payments will either have to conduct a code review for their applications or install an application-layer firewall. The standard offers a choice, but there really isn’t any choice at all. If an organization is going to successfully protect its data, it needs to aim for preventing a breach, not passing an audit. This means, first, finding and fixing the vulnerabilities in your software, second, building security into the development process, and third, protecting your applications once they’re deployed.

Hannaford Bros, a supermarket chain based in New England, USA, passed a PCI audit and then got hacked. They lost 4.2 million credit and debit card numbers, which has led to 1,800 cases of fraud to date. Over the last two years, as the PCI standards have slowly been implemented, the number of data breaches has increased from 158 incidents in 2005 to 443 incidents in 2007, for a total of 212 million records. So judging by this, you’ll see the bad guys are still very much in the lead. And that’s why PCI keeps evolving. But, in order to win this battle, companies must invest in security, not just in compliance.

In the spring of 2005, someone broke into a Web application for the Assignment Management System of the United States Air Force. They stole 33,000 personal records. The USAF responded to their breach with a multi-million dollar effort to identify and eliminate their security holes. This initiative incorporated a heavy reliance on source code analysis, in order to fix the problems at the root cause, as well as targeted investments in application firewalls, web application scanning tools, and database firewalls. The key to their approach was having the right motivation. They didn’t launch this initiative to pass an audit. They did it to ensure their software was secure. The result has been a comprehensive and dedicated deployment. As software drives nearly every military activity today, we can all be a little more comfortable knowing they have the right approach to deal with the threat.

The PCI council knows that analyzing the code early is the right thing to do, as they stress the importance of building security into the development process. All of the following quotes come from the PCI council, and they all emphasize the importance of the code.
  • “…it is recommended that reviews and scans also be performed as early as possible in the development process.” (1)
  • “Tools should be made available to software developers and integrated into their development suite as much as practical.” (1)
  • “The reviews or assessments should be incorporated into the SDLC and performed prior to the application’s being deployed into the production environment.” (1)
  • “Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines.” (2)
  • “Review custom application code to identify coding vulnerabilities.” (2)
  • “Cover prevention of common coding vulnerabilities in software development processes.” (2)
(1) Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified. April 15th, 2008

(2) Payment Card Industry (PCI) Data Security Standard, Version 1.1. September, 2006

Bottom line – build security in. If you want to have the best chance of passing a PCI audit, AND preventing a breach, fix the code first, and then monitor it in real-time.

PCI Section 6.6 is a productive step forward and encourages companies to do just this, but as with many standards, companies can interpret the mandates in many ways. A bad interpretation and a weak implementation will mean a false sense of security. Passing a PCI compliance audit is necessary, but compliance alone does not protect your company from a breach. So be ahead of the bad guys, put your efforts into ensuring your applications are secure – that way you’ll be out there taking the lead.

www.fortify.com
<>

New Online Community for Information Security Industry www.infosecurityadviser.com

NEWS RELEASE

Monday 30th June 2008 - The team behind the popular Infosecurity Europe show - held in London every spring - has launched an online interactive security forum for the Infosecurity industry with advice, forums, blogs, career path, ask the experts, Q&A and other resources for everyone involved in the challenges of information security. The key difference from other sites is that it is not about the latest news; it is a community where all the content is created by and for the benefit of the global infosecurity community.

"The Infosecurity Adviser portal contains a wide variety of resources, including top-quality blogs, all of which are designed to keep computer users up to date on current and future events in the IT security industry. Registered users of the site can get involved by posing questions to members of the “Ask the Expert” panel or on the forum, adding a product review of a technology they have used, or commenting on any of the content created by the community," said Claire Sellick, event director of Infosecurity Europe.

The most active bloggers at the moment are members of the Information Security Awareness Forum Board, including Dr David King, ISSA, chair of the ISAF; Peter Wenham, CISSP, from the Communications Management Association; Andy Jones, CISSP, from the Information Security Forum; Jon Collins, Service Director with analyst firm Freeform Dynamics; and Chris Potter, a partner with PricewaterhouseCoopers. The two top-rated blogs at the moment are “Top down awareness” by ISAF Blog team member Peter Wenham and “Security awareness - the next generation” by Chris Potter from PricewaterhouseCoopers.

"We also have an exclusive "Ask the Experts" section of the site where users can get free advice from industry experts," Sellick added.

According to Sellick, thanks to the support of the Information Security Awareness Forum and a number of other IT security bodies, the Infosecurity Adviser portal can offer all types of computer users information and resources that will keep them informed on the many aspects of information security they need.

"The site's crisp and concise manner, together with regular updates from a flotilla of industry experts, means that we expect the portal to become a must-visit resource on the Web in a short space of time," she said.

Infosecurity Adviser is supported by the Information Security Awareness Forum (ISAF). Dr David King, ISSA UK and Chair of the Information Security Awareness Forum, said, "The new Infosecurity Adviser Portal will help to bring together expertise and advice to those who have questions around information security. This in turn will help to promote security awareness. The Information Security Awareness Forum supports this initiative and welcomes the bringing together of different elements of the industry through the portal mechanism. The awareness forum is also supporting the portal through its blog which is available on the portal website."

Raj Samani, ISSA-UK VP of Comms, said: “Sometimes you can be left with problems which Google simply cannot answer! It is therefore refreshing to see something out there which can provide practical help to problems which can sometimes seem impossible to deal with on your own.”

“The IT security industry is an industry in transition. For this reason as much as any, it’s great to have a place where industry experts and security professionals on the front line can have a clear and open exchange of views. It’s both useful in its own right, and it all helps move the debate forward,” said Jon Collins, Service Director with analyst firm Freeform Dynamics.

"In my experience, the information security community comes up with some really good questions. I'm looking forward to the online community being a great way for us all to share experience and get to the answers!" said Chris Potter, Partner, PwC.

For more on the Infosecurity Adviser portal:
http://www.infosecurityadviser.com/
<>

Protecting Virtual Infrastructures with Data Replication

by Ian Masters, UK sales and marketing director at Double-Take Software

Many organisations are adopting virtualisation technologies in their data centre to secure the benefits of increased hardware utilisation, reduced power consumption and simplified management. The reliability of this new infrastructure is likely to be of critical importance but what is the best way to protect virtual servers and keep them highly available?

A virtual infrastructure has a single point of failure: shared disk space. An organisation that relies on tape to protect this environment will struggle to provide the infrastructure with the protection and availability it requires, as it can take days to restore virtual systems from tape, if it is possible at all. Some virtualisation products come equipped with a snapshot-based technology that sends data in periodic chunks. However, the flexibility of this technology is limited and as a result it does not provide the protection, availability and disaster recovery that a business-critical virtual infrastructure warrants. No matter which virtualisation vendor’s solutions are deployed, independent data replication products provide availability of virtual infrastructures far more effectively than tape, greatly increase native protection and provide data centre managers with a very useful management tool.

If an organisation is already using an independent data replication solution within its business continuity plan, it may be flexible enough to be used within virtual infrastructures. Data centre managers are likely to maintain a variety of hardware on which they host virtual servers, so the high availability solution needs to have the flexibility to work in any hardware environment. Host-based replication is an asynchronous technology that replicates at the server level: it streams changes in real time, as they occur, and applies them on target servers in the order in which the operations occurred. Host-based replication is hardware agnostic and therefore ideal for heterogeneous environments, so it has the flexibility required to protect typical virtual infrastructures. Host-based replication has the additional benefit of providing data centre managers with a simple-to-use virtual infrastructure migration and management tool.

Many organisations already have a disaster recovery facility or satellite office where they send backup copies of data for disaster recovery. Having a live duplicate of the virtual infrastructure within those locations provides the ultimate level of protection and recovery in the event of a substantial site disaster. Host-based replication technologies are able to replicate over any distance, so they provide organisations managing virtual infrastructures with the best possible protection for business-critical physical and virtual environments.

Virtualising servers is only the first step in modernising a data centre to take advantage of the benefits on offer. Virtual infrastructures are business-critical, so organisations need to make sure they are highly available. Deploying an appropriate data replication technology is the only strategy that will provide the protection required. Host-based data replication products not only provide high availability but can also help data centre managers better maintain virtual systems by having the ability to provision, convert and migrate the systems both near and far.

Source: Eskenzi PR Ltd.

The real cost of a security breach

by David Hobson, Managing Director of Global Secure Systems (GSS)

In its 2006 annual report for the fiscal year ended 27 January 2007, T.J. Maxx recorded a pre-tax charge of approximately $5 million for costs incurred in connection with the computer intrusion it formally disclosed in January 2007. This charge covers actual costs incurred to investigate and contain the breach, strengthen its computer security and systems, and communicate with customers, as well as technical, legal, and other fees. $5 million may suggest that it got off lightly but is this just the tip of the iceberg? What are the hidden costs of a security breach? What will be the final figure? This article aims to examine the hidden expense of a data breach, both the tangible and intangible costs. It concludes with a ‘top ten tips’ to prevent being the next headline grabber.

IT security in the early 1990s was relatively simple. Data was stored on mainframes, access control was limited and the need to share data was very limited. Today the rules have changed. More data needs to be shared, access to data is required from almost anywhere and the need to secure that data has grown through regulation and legislation. The user population is much more technical now, and the Internet boom has enabled an increasing number of people to cause more trouble than ever. Most organisations acknowledge that a security breach will result in financial expense to the business.

It’s going to cost how much!
Firstly, there are the direct and easily attributed costs, such as replacing any lost or stolen devices; investing in, or strengthening existing, IT security; and, if necessary, strengthening the building’s physical security.

In August 2007, Monster had to take action when it discovered that con artists had mined contact information from the curricula vitae of 1.3 million people, and possibly many more, as Monster has since confirmed that this was not an isolated incident. Files were stolen not only from Monster.com but from USAJobs.gov, the federal-government career-listing service operated by Monster. Monster has said it will have to spend at least $80 million on upgrades to its site, which will include security changes. Among them are closer monitoring of the site and limits on the way its data can be accessed.

It doesn’t stop there
Some costs are harder to pin down, including contacting those whose records may have been exposed, credit monitoring for those affected, and even the possibility of subsequent legal action taken by people who have suffered a financial loss as a direct result of their records being exploited.

HMRC, which in December had two CDs containing 25 million child benefit records go astray in its internal post system, wrote to each person whose personal details were at risk. When tallying this up there is the physical cost of the paper and envelopes, printing the letters and addressing the envelopes, postage, and the harder-to-estimate cost of employees’ time to draft the letter and physically perform the mail-out, to account for.

Customer lawsuits can cause serious headaches for businesses that go far beyond the reputation-damaging negative headlines. Aside from the actual monetary damages, lawsuits often leave companies on the hook for additional training, systems upgrades or, in the case of a data breach, credit monitoring for those affected.

In the case of TJ Maxx’s massive security breach, the company revealed that all affected customers were offered credit monitoring at its expense. Additionally, it disclosed that it had agreed to pay up to $24 million in a settlement with MasterCard, and it might not stop there. It also confirmed that it has had to budget for various litigation and claims that have been, or may be, asserted against it or its acquiring banks on behalf of customers, banks, and/or card companies seeking damages allegedly arising out of the Computer Intrusion.

In another instance, the Information Commissioner’s Office (ICO) found Marks & Spencer in breach of the Data Protection Act in January this year, following the theft in April last year of an unencrypted laptop containing the personal information of 26,000 M&S employees. As a result, the ICO ordered Marks & Spencer to ensure that all hard drives on the laptops it uses were fully encrypted by April 2008, facing further prosecution if it failed to comply, although M&S has appealed against this decision and a final outcome is yet to be decided. Other tangible costs Marks & Spencer faced were writing to all 26,000 employees affected and the cost of its offer to them of free credit checks. But what is the hidden cost? How many employees’ loyalty will have been damaged by this incident? We all recognise the cost of recruitment and training.

In 2007, the UK's largest building society, Nationwide, received a fine of nearly £1m from the Financial Services Authority after the theft of an employee's laptop unearthed security flaws which could have put its 11 million customers at risk. In the first action taken by the City regulator over such systems and controls issues, Nationwide had faced a £1.4m penalty but was given a reduced fine of £980,000 because of its cooperation.

It runs deeper still
So what other concealed costs are there?

There is bound to be an impact on share price, even if only temporarily, as stakeholders react to the news.

There is the lost marketing investment when a brand is damaged, which is a key impact that UK boardrooms should be concerned about. This is closely followed by the recovery costs in the form of future or increased marketing budgets to regain market position, rebuild reputation, and so on. Imagine the continuing damage if the company’s communications can no longer be trusted. IKEA fell victim earlier this year when a hole in its website security allowed hackers and phishers access to its ‘contact IKEA’ function, enabling them to send bulk outbound mail via its email servers. The potential damage to the company's reputation and the possibility of email blacklisting could be significant.

There is the cost of customer erosion, especially where the breach has compromised credit card details, as in the case of Cotton Traders. APACS has called the recent hacking attack on its website a “serious” breach, saying the hackers could use the stolen card details for fraud. The clothing company has so far refused to say how many people have been affected, and has tried to alleviate continuing fears by confirming that its customer credit card data is now encrypted on its website, but could this prove too little, too late?

There could even be the risk of employees jumping ship as internal morale dives, when they feel their loyalty is compromised because the company they work for has made headline news for the wrong reasons. Filling vacancies is a costly exercise.

There is even the reality that those unaffected and uninvolved will still end up footing the bill. Again, the HMRC data loss provides a perfect example of this. The Chancellor of the Exchequer at the time of the breach, Alistair Darling, confirmed that banks were having to monitor all 7.25 million bank accounts whose details were on the discs. Although the cost of this monitoring has not been revealed, the banks will make sure that they recoup the expense from someone! So either the taxpayer, or everyone with a bank account, is going to cover this charge.

This article shows that data loss is not an insignificant issue. Information assurance is business critical and, for many organisations, the data they own is their key asset, so why are so many failing to treat it as such? Failing to do so opens the corporate purse with no guarantee that it will ever be closed again. TJ Maxx itself summed it up when it said in its statement: “Beyond this charge [$5 million], we do not have enough information to reasonably estimate losses we may incur arising from the Computer Intrusion.”

Top Ten Tips to Prevent a Breach:
  1. Management set the tone for their organisations by their own behaviour. As such, good information practices are obligatory for all stakeholders, not just employees.
  2. Be proactive – management should deal with information assurance issues proactively rather than reactively, as information assurance is far more cost effective in a preventative than in a remedial context.
  3. Information assurance is a business issue, not something extra for IT to handle. IT simply does not have the resources and/or authority to drive information assurance best practices through their organisations.
  4. Understand that information assurance is an ongoing process, not an annual event just before the auditors arrive.
  5. Information assurance is everyone’s job and as such investments in training and awareness programs for all employees are critical.
  6. Management should set out the company’s expectations with respect to information assurance in clear, accessible policies.
  7. The process for dealing with information security incidents should be defined in straightforward and unambiguous procedures.
  8. Investments need to be made in technology that will result in the secure transport and processing of information by the company’s information technology assets.
  9. Suitable best practices should be identified and implemented rather than ad hoc approaches.
  10. Expert advice should be sought and used at all times to advise and oversee efforts in respect of information assurance from an experienced and objective third-party perspective.
www.gss.co.uk

Source: Eskenzi PR Ltd.

Farms need emergency plans before disasters strike

(Wisconsin) Farmers should have emergency plans in place before a tornado, fire, or other disaster hits their farm, according to the Wisconsin Farm Bureau Federation. The Farm Bureau posts a farm emergency plan template on its web site, www.wfbf.com, for farmers to make their own list of emergency contacts, family members and employees, a plan to meet away from the farm in an emergency, and a diagram of their farm.

“When an emergency responder pulls into a farm’s driveway, they may not always be prepared for what they are going to find,” said Casey Langan, Director of Public Relations for the Farm Bureau. “They might not know how grain bins operate, how livestock react under stress, how anhydrous ammonia tanks work and the danger involved with handling the product. Therefore a farm emergency plan should include a description and location of production facilities, livestock and equipment to help minimize the devastating effects of a farm disaster.”

The Farm Bureau said current operational procedures exist for local police, fire and emergency response teams, but many of them may have little knowledge of the workings of a farm. An emergency plan should provide the additional safety information that emergency responders will need.

Farms may have equipment, building structures, livestock bio-security measures, farm chemicals and fuels, power usage and generation, and other aspects of raising livestock and growing crops that require special attention by emergency officials or other important partners who respond to the special needs of farms.

The Farm Bureau is recommending that farm families review and update this emergency list with their family and employees, and to have copies posted near telephones and shared with neighbors and emergency responders.

Items to include in a farm emergency plan:
  • List of family members, employees or neighbors, who are familiar with your farm business.
  • List of emergency contacts.
  • Description of medical history or medical information of family members and employees.
  • Description of location of the farm and directions from nearest major intersection.
  • A general diagram of the farm that includes the location of chemicals, fuels, livestock, equipment, overhead and buried utilities, etc.
  • Location of spare keys for vehicles or buildings.
  • Contact information of businesses providing services such as veterinarian, heavy equipment, electricity, livestock and milk hauling, insurance, financial, etc.
  • List of suppliers of chemicals, fertilizer, medications, etc.
  • Contact information of medical care provider.
  • Telephone grid of farmers to help provide livestock care, emergency feed and water, power, etc.
  • Safe storage of farm and personal financial information and computer records in fire-proof boxes or off-site safe deposit boxes.
  • Off-site meeting location and contacts for family and employees to gather following a disaster to assess the situation and coordinate response.

The template of an emergency plan can be found under the “Ag Resources” section of www.wfbf.com.

Source: Wisconsin Farm Bureau Federation (USA)

Special Needs Require Special Preparation

Do you or a family member have a disability? Will you be responsible for the care of an elderly adult in case of an emergency or disaster? Do you have small children that will need extra supplies and care in the event of a hurricane? If the answer to any of these questions is "yes," then you should consider now what extra steps to take in your disaster plan.

As the 2008 hurricane season begins, all levels of government, from city councils to the Federal Emergency Management Agency (FEMA) and the Mississippi Emergency Management Agency (MEMA), are working to prepare for potential storms that may strike Mississippi in the coming months.

"An aspect of preparedness that cannot be overstated as we continue to focus on recovery here in Mississippi is that of individual preparedness. We should all be prepared and alert as hurricane season is here once again," said Sid Melton, director of FEMA’s Mississippi Transitional Recovery Office (MS TRO).

Residents should be mindful that disaster preparedness is not a "one size fits all" concept. Those with special needs require special preparations.

"It is critical that Mississippi’s most vulnerable residents and their caregivers take the time now to get a plan," said MEMA Director Mike Womack. "They should consider such details as medication and special transportation when planning for the upcoming hurricane season."

General considerations for those with family members with disabilities:
  • Make prior arrangements with your physician, or check with your oxygen supplier, about emergency plans for those on respirators or other electrically powered medical equipment. Be sure to have electrical backup for any medical equipment.
  • Maintain a two week supply of such items as dressings, nasal cannulas and suction catheters.
  • Maintain a two week supply of medications, both prescription and non-prescription.
  • Keep copies of your medical records.
  • Keep copies of prescriptions for medical equipment, supplies and medications.
  • Keep extra contact lenses and supplies, extra eyeglasses and extra batteries for hearing aids.
  • Make plans now to have accessible transportation in case of evacuation.
  • Shelters may be limited in accommodations to meet some of the needs of those with disabilities. Prepare ahead of time to ensure that you will have what you need.
Considerations for those with small children:
  • Assemble extra items in your disaster supply kit such as diapers, baby formula, medications, favorite books, crayons and paper, puzzles, favorite toys, a favorite blanket or pillow, pictures of family and pets and any other items that will comfort your children.
  • Remember that children’s fears often can stem from their imagination – fears they may be separated from family, someone will be injured or killed, or that they will be left alone. Communication is very important in maintaining your children’s mental well-being in times of crisis.
  • Also, keep a copy of your children’s immunization records, including the date of their last tetanus-diphtheria shot.
Considerations for those who are responsible for the care of senior citizens:
  • Remember to help seniors who live alone. They may need help evacuating from their home, preparing for a storm and dealing with the aftermath of a disaster.
  • If an older adult lives in an assisted living facility or nursing home, you should contact the administrator to learn about the disaster plan for that facility.
Other considerations:
  • Hearing Impaired - make special arrangements to receive warnings.
  • Mobility Impaired - plan for special assistance to get to a shelter.
  • Single Working Parent - may need help to plan for disasters or emergencies.
  • Non-English Speaking - may need assistance planning for and responding to emergencies.
  • People without vehicles - make arrangements for accessible transportation.
  • Special Dietary Needs - take steps to ensure you maintain an adequate emergency food supply.
In case of evacuation due to an approaching storm, those who require transportation to a storm shelter should contact the Coast Transit Authority at 228-896-8080.

Additionally, people with special needs should create a network of neighbors, relatives, friends and coworkers to aid them in an emergency. Discuss needs and make sure everyone knows how to operate necessary equipment.

More information regarding disaster plans and planning for special needs can be found at www.msema.org, www.ready.gov and www.fema.gov.

FEMA coordinates the federal government’s role in preparing for, preventing, mitigating the effects of, responding to, and recovering from all domestic disasters, whether natural or man-made, including acts of terror.

Source: FEMA (USA)

The ISAF Web site opens with IT Security cross-industry support

London, UK, 9th June 2008 - The Information Security Awareness Forum (ISAF), the cross-industry initiative founded by ISSA-UK to raise awareness of information security, has formally opened its Web site.

Located at www.theisaf.org, the site seeks to act as a resource that will, over time, develop into a focal point for IT security education, news and other relevant information from the Forum.

Launched in February of this year, the ISAF is backed by a number of key organisations, including the ISSA, ISACA, GetSafeOnline, (ISC)², ASIS International, the British Computer Society, Infosecurity Europe and the Institute of Information Security Professionals.

Announcing the opening of the site, the ISAF's chairperson, Dr David King, said that it will help members, as well as the industry generally, pool their expertise and help co-ordinate the Forum's development.

"The Information Security Awareness Forum has been formed to coordinate and build on existing work and initiatives, to improve their overall effectiveness, and ultimately to increase the level of security awareness that will help us all," he said.

"Our new Web site will act as the foundation stone to help us achieve these aims," he added.

Martin Smith MBE, BSc, FSyI, the chairman and founder of the Security Awareness Special Interest Group, supported the opening of the new site, saying that his group strongly recommends the use of the new Forum pages as a first port of call.

"It serves equally well those individuals seeking security awareness knowledge for themselves and their families, and managers of businesses of all sizes and all sectors looking for advice and guidance about how to protect their data from accidental or deliberate disclosure," he said.

Several other leading organisations have voiced their support for the opening of the new ISAF Web site, including the BCS, the Jericho Forum and the NCC:

“The National Computing Centre's members rely on its ability to quickly direct them to trusted best practice. www.theisaf.org provides a highly relevant link in the information chain.”

Danny Dresner, NCC

“Since its inception in 2005, GetSafeOnline.org has been working in partnership with the UK Government, law enforcement and the private sector to raise awareness of internet security issues amongst consumers and micro-businesses. We have always believed that a collaborative approach is the only way to effectively tackle online safety issues – an area that is not only complex, but also relevant to individuals and organizations in different ways. We applaud the initiative to extend this approach through the new Information Security Awareness Forum website."

Tony Neate, Managing Director, Get Safe Online, www.getsafeonline.org

“The new www.theisaf.org website is a great initiative to help improve awareness of infosecurity issues and by coordinating the activities and resources of all the member organisations enables individuals and organisations to quickly find succinct advice to help them. The Information Security Awareness Forum also has a blog on Infosecurity Adviser www.infosecurityadviser.com which is another example of how the forum's members are fulfilling their common aim of improving infosecurity awareness across the entire industry.”

Claire Sellick, Event Director, Infosecurity Europe 2008

“ISSA-UK is delighted with the progress that ISAF has made since its formation as an ISSA-UK Advisory Board initiative in September 07. ISSA-UK congratulates ISAF on the launch of its new website, which we strongly believe will support the continued growth and development of Information Security awareness across organisations. It will also provide individuals with a central repository of knowledge and a first point of contact for those seeking help and guidance. This new portal will enable those seeking help to locate good, impartial advice from the leading security organisations, working together in the forum, to communicate awareness to a wider audience.”

Geoff Harris, President of ISSA-UK

“The National e-Crime Prevention Centre welcomes all efforts to protect the UK from electronic crime and the ISAF Web site is an additional and useful site for advice and guidance. Encouraging people and businesses to take action on the available advice is key to reducing the harm to individuals and the economy.”

Ken Rabey, Project Director, National e-Crime Prevention Centre

“Given ISACA’s long-held belief in the importance of educating both institutions and individuals on information security we are confident that the resources on the Information Security Awareness Forum website will help to improve awareness. Having a single website to locate the huge amount of valuable information available from all the member associations is an extremely useful feature.”

Lynn Lawton, CISA, FCA, FIIA, PIIA, International President of ISACA

"ASIS UK Chapter 208 is delighted to support the launch of the ISAF's Web site and encourages all those who want to work together with other security organisations to visit and contribute to the various activities located on the Web pages."

James Willison, Convergence Lead, ASIS UK, Chapter 208

"The IET is pleased to be a member of the Information Security Awareness Forum and believes that the new ISAF Web site will provide a valuable mine of information for both individuals and organisations. We support the development of a co-ordinated approach to the provision of advice and guidance on all matters to do with information security."

Margaret Smith, Member of the IT Sector Panel, The IET

“This coming together of ICT professional bodies, trade associations and interest groups to work together to promote awareness is most welcome and deserves every support from suppliers, users and the many government departments and agencies with responsibilities for the safety and security of those using their systems.”

Philip Virgo, Secretary General, EURIM

“EEMA welcomes the ISAF website initiative, which will increase awareness of online security issues. EEMA is also honoured to be a member and bring a European perspective to the ISAF; time and resources are a scarce commodity in this day and age and co-ordination in the security space is essential if we are to face up to the issues and challenges of online crime.”

Roger Dean, Executive Director, EEMA

"The BCS is pleased to be a member of the Information Security Awareness Forum and hopes that the endeavours through the new ISAF Web site will signpost both individuals and organisations to resources that they should be aware of both personally and professionally. This is certainly a resource that our 62,000+ members should find useful on an ongoing basis."

Andrea Simmons, CISSP, CISM, MBCS CITP, M.Inst.ISP, BCS Consultant Security Forum Manager

"The CMA, as an early supporter of the Information Security Awareness Forum, fully supports ISAF's pragmatic initiatives to promote industry wide collaboration and particularly welcomes the new ISAF web site (www.theisaf.org). This web site should become the destination (or portal) of choice for people, be they the man or woman in the street or a company Manager, seeking advice and guidance on how to secure information in this electronic and ever more inter-connected world."

Peter Wenham CISSP MICAF CLAS, Director, CMA

"The Jericho Forum welcomes the Information Security Awareness Forum's practical initiatives to promote collaboration between groups working in this crucial area. Collaboration is an essential part of our vision to allow seamless and secure communications between businesses, suppliers and customers across an open, Internet-driven, networked world."

Andrew Yeomans, member of Jericho Forum board of management

Additional Background Information about ISAF Members

A number of professional bodies and organisations involved in information security have come together to form the Information Security Awareness Forum, to coordinate and build on existing work and initiatives, to improve their overall effectiveness, and ultimately to increase the level of security awareness in the UK, which will help protect us all:

The Information Systems Security Association UK Chapter (ISSA-UK) provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. ISSA-UK is a founding member and primary supporter of ISAF.

The British Computer Society (BCS) is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials.

The Communications Management Association (CMA) is the UK’s premier independent membership body for professionals and organisations focused on exploiting communications, networking and ICT, for business advantage.

The Cybersecurity Knowledge Transfer Network provides a single focal point for UK cyber-security expertise, hosts special interest groups and runs events.

EURIM brings together politicians, officials and industry to help improve the quality of policy formation, consultation and implementation.

Get Safe Online is sponsored by the British Government and leading businesses to give you free objective advice.

The Institute of Information Security Professionals (IISP) is setting the standard for professionalism in information security, speaking with an independent and authoritative voice.

The Information Technologists' Company are all senior IT professionals who have joined the Company in order to give something back to the IT sector and the wider community.

The Information Assurance Advisory Council (IAAC)’s aim is to work for the creation of a safe and secure Information Society. It is a unique, not-for-profit body with high-level support from government and industry, backed by world-class research expertise.

The Institution of Engineering and Technology (IET) provides a global knowledge network to facilitate the exchange of ideas and promote the positive role of science, engineering and technology in the world.

The Information Security Forum (ISF) delivers practical guidance and solutions to overcome wide-ranging security challenges impacting business information today.

The Information Systems Audit and Control Association (ISACA) is a recognised worldwide leader in information technology (IT) governance, control, security and assurance.

ASIS International is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials.

Infosecurity Europe addresses today’s strategic and technical issues in an unrivalled education programme and showcases the most diverse range of new and innovative products and services from over 300 of the top suppliers on the show floor.

(ISC)² is the globally recognised Gold Standard for certifying information security professionals throughout their careers.

The Jericho Forum is an international IT security thought-leadership group dedicated to defining ways to deliver effective IT security solutions.

The International Underwriting Association of London (IUA) is the world's largest representative organisation for international and wholesale insurance and reinsurance companies.

The Security Awareness Special Interest Group (SASIG) is a subscription free quarterly networking forum open to those who have an interest in, or a responsibility for, raising awareness about security within their organisations.

The National Computing Centre (NCC) has pioneered a methodology for managing the 'human vulnerabilities' in information systems.

The National e-Crime Prevention Centre (NeCPC) is a multidisciplinary and multi-agency network and currently a virtual centre of excellence in e-Crime prevention and enterprise security.

The Police Central E-Crime Unit is a centre of excellence in regard to computer and cyber crime committed under the Computer Misuse Act 1990, notably hacking, maliciously creating and spreading viruses and counterfeit software.

EEMA, the European association for e-identity and security, brings together over 135 member organisations (and over 1,500 employees of member organisations) in a neutral environment for education and networking purposes.

For further information visit www.theisaf.org.