Security

Ethics vs. Whitewash

Security doesn't happen by wishful thinking. It takes hard work, commitment, and management support. Doing the right thing isn't always easy, but we should expect it from those to whom we entrust our information.

Security doesn't happen by wishful thinking. It takes hard work, commitment, and management support. But some organizations still have to be hit with the proverbial two-by-four before they wake up and start doing something, anything, that actually provides some security value.

In 2007, HM Revenue and Customs (HMRC) lost PII on 25 million people. PriceWaterhouseCoopers, working with the U.K. Independent Police Complaints Commission, last week completed an investigation into the loss. The results are representative of security problems in many government agencies around the globe. Phrases like “systematic failures,” “woefully inadequate processes,” and “fragmented and complex IT systems” were used to describe the findings (see HMRC disc loss was ‘entirely avoidable’). According to the Independent Police Complaints Commission, security simply wasn’t a management priority.

After scores of reported breaches, public outcry about government mishandling of information, and a plethora of resources providing recommendations on basic security practices, there is no reason for government agencies—agencies of the governments that impose regulatory requirements on the rest of us—to fail to provide reasonable and appropriate protection for sensitive information.

No one is perfect. Even with well-designed and managed safeguards in place, information can be lost. The key is to understand the risks and apply resources diligently. That didn’t happen in this case.

The recommendations made by the investigators in the HMRC case are basic and potentially window dressing, quieting the public without any long-term effect. Without a change in management attitude--or a change in management--controls will degrade over time. Inattention to the changing threat landscape will open new ways to compromise the information with which they are entrusted.

Organizations, both public and private, that consistently lose information usually have one thing in common: management is only concerned with the appearance of security, not the actual protection of sensitive data. In every organization, there are those who believe throwing some controls at a network, enough to pass an annual audit, constitutes "enough security." “As long as it looks like we’re doing something,” they say, “we can justify to our customers, shareholders, and employees any data loss incident.” This might be true. Most victims don’t know any better. It often comes down to ethics: just doing the right thing, even in the absence of a law or with the knowledge that you’ll never be caught.

Ultimately, it will take the growth of public intolerance for negligent or haphazard handling of information. When it’s obvious that management had no interest in protecting sensitive data, or that they took steps to whitewash infrastructure and process vulnerabilities with meaningless, weak controls, they should be summarily replaced. This isn’t always easy to do in the private sector. However, public sector officials answer to the people they serve. We need to start rewarding poor or negligent service with immediate unemployment.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

15 comments
Neon Samurai

It seems every week there's some big company letting a laptop or some other database-containing item walk out the door. Any bets on who will be this week's example?

seanferd

Customers warned of data grab UNK Computers Hacked Laptop Losses Total 12,000 Per Week at US Airports Nearly 70% are never recovered; many go unreported

Neon Samurai

I mean those who stole the property and those within the "victim" companies that try to gloss over the loss. Imagine if that airport statistic included all the laptops with open shares coaxed into joining ad-hoc networks. ;)

seanferd

The story to which I referred seemed like a study in really bad organizations. The hospital system, I recall, was somewhere in Europe. Possibly read it at http://thedailywtf.com/

Neon Samurai

I had considered that outcome in my own doings, but I figured I'd either get noticed by info security or get a warning first. The worst case I considered was being called into a "stop pointing these things out to us" meeting or having my HR profile marked as "if dismissed, escort out by security and a desktop tech". I get strange looks for my choices of casual reading, which I don't feel the need to hide (2600 quarterly, inch-thick textbooks on technology, ..). My current casual reading, "Security Power Tools", has been a great book reviewing what I know and adding in lots of things I've not had reason to learn yet; I got a strange look in the elevator from my VP over that one. ;) I've also seen a friend driven from more than one IT job by the "old guard" mentality. He's not the most diplomatic of people, but he knows his tech. At this point, he's a job offer away from leaving the industry altogether because of the mentality in big business. (Only MS can provide, Security is an expense we need to minimize, You're just a desktop tech; what could you possibly know about anything at 'our level', ..) Your story does not surprise me. I can see it happening in many businesses.

seanferd

I was reading a posting by some guy who got fired as a security risk because he was pointing out terrible security problems (like, none at all) to his employers (a hospital system, I believe). Talk about funny looks. The security through obscurity model is so entrenched that anyone who knows something about security, but is not a member of some official security department, is viewed as suspicious, or a threat to security (or somebody's job).

Neon Samurai

Boy, do you get looked at strangely when you're not under the info security dept at work and you ask "do we mitigate the threat of the flaw allowing Windows to be connected to an ad-hoc wifi network without user intervention?" (We'll see how the latest question, about receiving uname/passwd sent through plain-text email, goes over.) I hear fishing for cellphone activations is popular at airports still. If you can't get 'em by notebook waiting for the flight in the lounge, get 'em turning on the leash when they pass that "cell phones must be turned off" sign on the way back out. (Damn me and my ethics. I'd be rich by now if I didn't have those. ;) )

seanferd

What's that, like, all of 'em? :D

paul.synnott

I think the answer is probably "everyone", but a more pertinent question would be to ask who will own up to having done so, and how quickly.

Neon Samurai

It's only the responsible or publicly caught that you see in the headlines.

boxfiddler

Just about any federal government agency I can think of. The US government is pretty inept when it comes to, well, just about anything.