Author Archives: Hacker Medic

The public sector has a somewhat mixed record when it comes to staving off security breaches within its walls. In the UK, for example, the hugely embarrassing data losses at HMRC (Inland Revenue/Taxation services) – when the personal details of 25 million people were heavily compromised, due to what were described as “serious institutional deficiencies” – still linger in the mind a few years down the line.

On the plus side, the UK government has been heavily engaged in getting its own house in order, identifying information security as a key priority for 2013 and beyond. In recent months, new initiatives to address growing cyber security threats have been announced, with a cyber security ‘fusion cell’ established for cross-sector threat information sharing. The intention is to put government, industry and information security analysts side-by-side for the first time. The analysts will be joined by members of intelligence agencies, law enforcement and government IT, as they exchange information and techniques, and monitor cyber attacks in real time.

However, many of today’s businesses work across international boundaries, so preventing breaches and loss of data has become a world-wide challenge. According to a report from Ernst & Young, ‘Data loss prevention: Keeping your sensitive data out of the public domain’, companies in every industry sector around the globe have seen their sensitive internal data lost, stolen or leaked to the outside world.

“A wide range of high-profile data loss incidents have cost organisations millions of dollars in direct and indirect costs, and have resulted in tremendous damage to brands and reputations,” it states. “Many different types of incidents have occurred, including the sale of customer account details to external parties and the loss of many laptops, USB sticks, backup tapes and mobile devices, to name just a few. The vast majority of these incidents resulted from the actions of internal users and trusted third parties, and most have been unintentional.

“As data is likely one of your organisation’s most valuable assets, protecting it and keeping it out of the public domain is of paramount importance. In order to accomplish this, a number of DLP [Data Loss Prevention] controls must be implemented, combining strategic, operational and tactical measures.”

In the face of such global threats, governments are responding. The European Commission, for example, has introduced a computer emergency response team in each member country to promote reporting of online attacks and breaches. The recently published draft EU Cybersecurity Directive makes it compulsory for all ‘market operators’, including utilities, transport and financial services businesses, as well as public authorities who use ‘network and information systems’ within their businesses, to implement technical and organisational measures to manage cyber risks.

These organisations will be subject to independent regulation, have to disclose security breaches to the regulators, submit to compulsory regulatory audits and be sanctioned, if they fail to comply with the law.

All good news, then… But the simple reality is that any public sector department or body intent on ensuring its own security could readily put in place measures to stop such data breaches and losses, such as, for example, secure File Transfer Protocols and Data Guardians (a secure database application with up to 448-bits of Blowfish encryption), enabling the locking down of data.

Public sector organisations are often, by their nature, large and complex, making it relatively easy for a rogue employee to access a sub-set of highly sensitive data; or simply to move on to another job, with the organisation unaware that a certificate relating to that employee is about to expire, all due to a lack of adequate central management. So they need such solutions.

Take Symantec’s Managed PKI for SSL service, for example, which enables organisations to manage and deploy SSL certificates from a single centrally managed platform, while also tailoring the deployment to meet their individual requirements (such as, if your organisation needs to issue multiple SSL certificates to different internal organisations or business units. Managed PKI for SSL allows for both centralised control and delegated administration). This cloud-based approach dramatically lowers the cost and complexity of managing multiple SSL certificates by eliminating the time it takes to authenticate multiple different business units, individual purchasing, personnel, training, and maintenance expenses and complexity associated with deploying multiple SSL certificates.

What SSL does is to protect applications that demand the highest level of security – enabling the secure transmission of sensitive data, Web services-based business process automation, digital form signing, enterprise instant messaging and electronic commerce. It also protects firewalls, virtual private networks (VPNs), directories and enterprise applications. Trust lies in knowing that the people, networks and devices accessing, modifying or sharing information within a community are verified.

There can be a tendency to imagine things are worse in our own backyard, but the security issues we face in the UK are, by and large, no different from those in other countries or indeed in other industries. One manufacturer in Europe, for instance, saw its production line go down when a certificate suddenly expired. Eventually, the problem was traced to an expired SSL certificate. Symantec’s solution, through a complete audit of the company’s architecture, using a product called Certificate Intelligence Center, would have identified any certificates that were about to expire and immediately notified the business – and (if a Symantec SSL certificate) automatically have renewed the offending certificate. Instead, the outcome was estimated to be in the millions of Euros, in terms of lost production, damage to their brand, corporate reputation and a workforce standing idle.