Bad year will bring action
Don't give away your brand
After last year's big breaches, new laws on handling confidential data won't be far off, so get ready now.
As you're reading this, chances are that your new year's resolutions have long been forgotten or will soon be broken; whether it was getting fitter, losing weight or cutting down the amount of "security research" you've been doing on Facebook. As well as time for setting goals, the new year was also a time for reflecting on what has happened in the last year, or, perhaps more importantly, thinking ahead on what is to come.
Of course, in the fast-changing world of information security, a lot can happen in a year. The nature of threats is continually changing - we've seen the rise of the uberbotnets, with the likes of the Storm worm growing to vast proportions. Virus writing has become a sophisticated commercial enterprise, done purely for profit.
Of course, security technology is doing a pretty good job of keeping up with things - if you're running a good recent anti-spam system, the chances are you won't even have noticed that spam and malicious emails have risen five-fold during the course of the past year.
However, the big theme of 2007 was the world waking up to the realisation that there is now a lot of key personal data that is not looked after very well at all.
The main story probably wasn't HMRC's data loss but the really big hack of 2007: the compromise of customer passwords at ISP Fasthosts. Unlike the HMRC incident, where the data has most likely "just" been lost, the machine holding the Fasthosts information was broken into, and the data stolen. The impact of this will take some time to trickle through - in the worst case, hundreds of e-commerce sites will have been accessed, with customer details and credit-card information being taken. Like the HMRC incident, this wasn't due to flaws in technology, but appears to be the failure to adopt some key principles of data security, such as encryption.
Which leads me to do a bit of crystal-ball gazing for the coming year. The next thing for the security professional to worry about will be to keep up with forthcoming legislation. Now that the world has woken up to the dangers of information loss, it won't take long for the politicians to realise that this will be an important area for creating popular legislation. Hopefully, any new laws won't be passed on a whim and will be properly thought through. If they are, we can expect to see a tightening up of data protection legislation. Changes are likely to focus on the requirements for information security - especially on key personal data items: names, addresses, bank details and so on.
And the requirements won't just apply to government departments. In addition to a stiff set of penalties - think prison sentences for company directors - there will be specific rules for the handling of these items. The key requirement will be to maintain the confidentiality and integrity of, and control access to, the data. This will manifest itself in three key areas: encryption of data, use of two-factor authentication to control access, and the use of audit trails, logging etc. to track both access and movement of data.
It's time to start thinking about how your key data is held now. Using SMTP, POP3 or FTP to transfer data will be harder to justify without encryption, and storing key data unencrypted on file systems or in databases will also be a no-no. Two-factor authentication will be required, at a minimum for access to data from public networks, especially where the access allows many records to be viewed at once. And of course, logs of this access will have to be kept. One of the requirements of legislation may well be the right to audit, especially after a security breach has occurred; so the proactive security professional will make sure they have their processes and procedures well documented.
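As an added illustration of the audit-trail point above (not code from the column or from ECSC), here is a small tamper-evident access log: each entry records who viewed which customer records and from where, and is chained to the previous entry with an HMAC, so that an edited or deleted entry is detected when the log is checked after a breach. The key, the "internal"/"public" source labels and the bulk-access threshold are assumptions chosen for the example.

```python
import hashlib
import hmac
import json
import time

# Assumed: a key held away from the application that writes the log (constructed demo value).
LOG_KEY = b"constructed-demo-key"


def _tag(entry, key):
    """HMAC over the canonical JSON of an entry (everything except its own tag)."""
    body = json.dumps({k: v for k, v in entry.items() if k != "tag"}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def append_access(log, user, record_ids, source, ts=None, key=LOG_KEY):
    """Append an entry for one access event; it chains to the previous entry's tag."""
    entry = {
        "ts": time.time() if ts is None else ts,
        "user": user,
        "records": sorted(record_ids),     # which customer records were viewed
        "source": source,                  # assumed labels: "internal" or "public"
        "prev": log[-1]["tag"] if log else "genesis",
    }
    entry["tag"] = _tag(entry, key)
    log.append(entry)
    return entry


def verify_chain(log, key=LOG_KEY):
    """Return the index of the first entry that fails the check, or -1 if the log is intact.
    A modified entry changes its tag; a removed or reordered entry breaks the 'prev' link.
    Note: truncating the tail is not detectable without an external copy of the last tag."""
    prev = "genesis"
    for i, entry in enumerate(log):
        if entry.get("prev") != prev:
            return i
        if not hmac.compare_digest(_tag(entry, key), entry.get("tag", "")):
            return i
        prev = entry["tag"]
    return -1


def bulk_public_access(log, threshold=50):
    """Entries where many records were viewed at once from a public network: the access
    pattern the column singles out as needing two-factor authentication. Threshold assumed."""
    return [e for e in log if e["source"] == "public" and len(e["records"]) >= threshold]
```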
So maybe February is actually the best time to set new year resolutions: rather than worry about how to lose those Christmas pounds, think about how not to lose that customer data.
- Ian Castle, CISSP, is a senior consultant at information security consultancy ECSC.