Saturday 28 January 2012

ICO Taking Action - 2011 Analysis

I did an analysis of the UK Information Commissioner's Office (ICO) "Taking Action" incidents for 2011. There were approximately 80 incidents where the ICO took action following a personal data breach. Of these:
  • 26 related to unencrypted media (e.g. a lost or stolen laptop or USB memory stick);
  • 24 were caused by a misadventure of some sort with paper records;
  • 14 resulted from data being sent electronically (e.g. by email or fax) to the wrong recipient;
  • 12 came from an application or website issue;
  • 4 were categorised as "other".
The lesson for security managers is that most incidents involving personal data have relatively mundane causes, not advanced hacking attacks. Security awareness training should reinforce the message: be careful when processing personal data, and do not use USB sticks. Technical measures include encryption of laptops and other portable media.

The UK Information Commissioner's Office (ICO) lists the actions the Commissioner has taken against individuals or organisations found to have been in breach of the UK Data Protection Act. I analysed the incidents for 2011. The main purpose is to categorise the causes of these incidents in order to gather metrics.

I divided the incidents into five categories:
  • Unencrypted Media - loss or theft of unencrypted media such as USB sticks or laptops.
  • Loss of Paper Records - physical documents misplaced, lost, found in a waste bin, or similar.
  • Electronic Records Missent - personal data sent electronically to the wrong recipient by email or fax.
  • Website/Application Issue - the action results from some sort of application or website issue.
  • Other - incidents which did not fit into any other category.
The following table shows the results:

Category                      Number of Incidents
Unencrypted Media                     26
Loss of Paper Records                 24
Electronic Records Missent            14
Website/Application Issue             12
Other                                  4
Total                                 80

The ICO does not usually say whether an actual loss occurred as a result of any incident. There are a number of incidents where you get two for the price of one, for example a laptop stolen along with paper records, so a single incident can belong to more than one category.
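To show how this kind of categorisation can be done mechanically rather than by hand in a spreadsheet, here is an added example (not the author's own analysis or spreadsheet). It uses the five categories defined above with simple keyword rules, tags an incident with every category that matches so that the "two for the price of one" cases are visible, and counts only the first matching category so the totals still add up to the number of incidents. The incident summaries in SAMPLE_INCIDENTS are constructed for illustration; they are not real ICO enforcement notices, and the keyword rules are an assumption that would need tuning against the real notice wording.

```python
"""Categorise data-protection incident summaries and tally them.

Added example: this is not the blog author's spreadsheet. The five category
names follow the categories defined in the post; the keyword rules and the
incident summaries in SAMPLE_INCIDENTS are constructed for illustration and
are not real ICO enforcement notices.
"""
import re
from collections import Counter

# Ordered keyword rules. An incident is tagged with every category whose
# pattern matches, so one summary can legitimately hit two categories.
RULES = [
    ("Unencrypted Media",
     r"\b(unencrypted|laptop|usb|memory stick|cd|dvd|hard drive)\b"),
    ("Loss of Paper Records",
     r"\b(paper|documents?|files?|waste bin|skip)\b"),
    ("Electronic Records Missent",
     r"\b(e-?mail|fax|wrong (recipient|address|number)|mis-?sent)\b"),
    ("Website/Application Issue",
     r"\b(website|web site|application|online|portal|search engine)\b"),
]
OTHER = "Other"


def categorise(summary):
    """Return the categories matching one incident summary, in rule order.

    A summary matching no rule is filed under Other, so the result is
    never empty.
    """
    text = summary.lower()
    hits = [name for name, pattern in RULES if re.search(pattern, text)]
    return hits or [OTHER]


def tally(summaries):
    """Count incidents by primary category (first matching rule).

    Counting only the primary category keeps the totals equal to the number
    of incidents; the "two for the price of one" cases are returned
    separately so they can be reviewed by hand.
    """
    primary = Counter()
    multi = []
    for summary in summaries:
        categories = categorise(summary)
        primary[categories[0]] += 1
        if len(categories) > 1:
            multi.append((summary, categories))
    return primary, multi


# Constructed sample data, not real ICO notices.
SAMPLE_INCIDENTS = [
    "Unencrypted laptop stolen from an employee's car",
    "USB memory stick containing patient data lost in the post",
    "Paper files of social work records found in a waste bin",
    "Laptop and paper case files stolen from a car",
    "Fax containing medical details sent to the wrong number",
    "Email with staff bank details sent to the wrong recipient",
    "Website allowed applicants' details to be indexed by a search engine",
    "Data left on a decommissioned server sold at auction",
]

if __name__ == "__main__":
    counts, overlaps = tally(SAMPLE_INCIDENTS)
    for name, _ in RULES + [(OTHER, None)]:
        print(f"{name:<30}{counts[name]:>4}")
    print(f"{'Total':<30}{sum(counts.values()):>4}")
    for summary, categories in overlaps:
        print("multi-category:", summary, "->", ", ".join(categories))
```

Run as a script it prints a table in the same shape as the one above for the eight constructed incidents, followed by the one incident (laptop plus paper files) that hit two categories. The rule order matters: it decides which category a multi-category incident is counted under, so it should be set deliberately (here, portable media before paper).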

The results show that the majority of incidents have relatively simple or mundane causes; advanced hacking techniques were generally not employed. The lesson to be taken from this analysis is that basic security measures would prevent the majority of these incidents:
  • Security awareness training to reinforce the message that people should be careful before pressing the send button.
  • Do not use USB sticks.
  • Encrypt laptops (and USB sticks, if they must be used).
I hope to do a more detailed analysis of the Website/Application issues in a future blog entry.
There is a spreadsheet on Google Docs of the analysis (See Useful Links)

I did a similar analysis of ICO enforcements in 2010 (See Useful Links).

Useful Links


Thursday 26 January 2012

Proposed EU Data Protection - Data Security

On January 25th, 2012, the EU proposed a comprehensive new General Data Protection Regulation.

Data security is covered in Section 2, Articles 30, 31 and 32, which begins on page 59 of the proposed regulation.

Here is the main security text from Article 30 (paragraphs 1 and 2):

"The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.

The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data."
It also talks about "solutions for privacy by design and data protection by default", implying that security should be considered from an early stage.

Article 31 covers notification of a personal data breach to the supervisory authority, and gives 24 hours for a breach to be notified.

Article 32 gives more details on communication of a personal data breach to the data subject.

At this stage this is only a proposal which may or may not become law in the fullness of time.


Tuesday 10 January 2012

Tuesday Top Tip and SSL

Another Tuesday Top Tip.

If you say in your privacy policy or statement that the security of your users is of the highest importance, that you will meet and exceed all security best practices, legislative requirements and any other "good security thing" you can think of, then can you at least make sure that you actually use SSL/TLS.
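"Use SSL" sounds like a one-line check, but a site with a certificate can still fail it in two common ways: a form on an HTTPS page whose action is a hard-coded http:// URL, and a plain http:// address that serves the page instead of redirecting to https://. The following is an added example (not from the original post, and not a tool the author describes) that checks all three points for one page. It runs offline: the page URL, the HTML and the plain-HTTP response at the bottom are constructed for illustration and www.example.com is a placeholder; in real use you would fetch the page and its http:// variant yourself and pass in the results.

```python
"""Check whether a site actually uses SSL/TLS where it matters.

Added example, not from the original post. It runs offline: the page URL,
HTML and the plain-HTTP response used at the bottom are constructed for
illustration (www.example.com is a placeholder). In real use you would
fetch the page and the http:// variant yourself and pass in the results.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect every <form action=...>, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action means "post back to this page".
            action = dict(attrs).get("action") or ""
            self.actions.append(urljoin(self.page_url, action))


def form_actions(page_url, html):
    parser = FormActionCollector(page_url)
    parser.feed(html)
    return parser.actions


def check_ssl(page_url, html, http_status, http_headers):
    """Return a list of findings; an empty list means the page passes.

    page_url     -- URL the page (e.g. login or privacy policy) is served from
    html         -- the page body
    http_status  -- status code returned when the same path is requested
                    over plain http://
    http_headers -- response headers of that plain-http request
    """
    findings = []
    # 1. The page itself must be served over HTTPS.
    if urlsplit(page_url).scheme != "https":
        findings.append("page itself is served over plain HTTP")
    # 2. Every form on the page must submit to an HTTPS URL; a hard-coded
    #    http:// action sends the credentials in the clear even though the
    #    page that contains the form was loaded over HTTPS.
    for action in form_actions(page_url, html):
        if urlsplit(action).scheme != "https":
            findings.append(f"form submits to non-HTTPS URL: {action}")
    # 3. The plain-http version must redirect to https, otherwise a user who
    #    types the address without a scheme gets an unprotected session.
    headers = {k.lower(): v for k, v in http_headers.items()}
    location = headers.get("location", "")
    if not (300 <= http_status < 400 and urlsplit(location).scheme == "https"):
        findings.append("http:// version does not redirect to https://")
    return findings


# Constructed sample pages (not a real site).
BAD_LOGIN_HTML = """<html><body>
<form method="post" action="http://www.example.com/login">
  <input name="user"><input name="pass" type="password">
</form></body></html>"""

GOOD_LOGIN_HTML = BAD_LOGIN_HTML.replace("http://www.example.com/login", "/login")

if __name__ == "__main__":
    page = "https://www.example.com/login"
    print("bad :", check_ssl(page, BAD_LOGIN_HTML, 200, {"Content-Type": "text/html"}))
    print("good:", check_ssl(page, GOOD_LOGIN_HTML, 301,
                             {"Location": "https://www.example.com/login"}))
```

The "bad" page is served over HTTPS, so a glance at the address bar says SSL is in use, yet it posts the password to an http:// URL and the http:// address serves the page rather than redirecting; both are reported. The "good" variant uses a relative form action (which resolves to https://) and a 301 to the https:// URL, and produces no findings.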


Sunday 8 January 2012

Business Risk: Selling AppSec to Business Leaders

Use compliance and reputation risk concerns, based on the risk survey findings below, to persuade management to invest in your application security programme.

The table towards the bottom shows two top-25 lists of business risks as given by two different groups. The first list comes from the Lloyd's Risk Index 2011, featuring content from the Economist Intelligence Unit (EIU). The second is slightly older and is taken from the Ernst & Young Business Risk Report 2010.

These show the risks that business leaders are worried about.

What are the risks that can be leveraged to try and improve investment in application security programs? There's little point in a "Guinness is good for you" style message ("Application Security is good for you"). However, we can try to leverage the risks that senior management are already worried about.

Compliance and Reputation would seem to be the two main arguments that we can put forward.


Both surveys feature "changing legislation" or "regulation and compliance" towards the top of the risks that business leaders are concerned about. In our field, this would include such topics as PCI DSS, data protection legislation, HIPAA etc. Our first argument would go along the lines of:
  • "We need to improve our application security program in order to comply with XYZ."
From my experience PCI DSS is definitely a strong motivator. Some companies realize that they need to comply and are undertaking security initiatives: something that would probably not have happened if PCI DSS did not exist.

The other main risk which we can use seems to be Reputation. The Lloyd's Risk Index has Reputational Risk at number 3, while the E&Y Business Risk Report has it at number 19. I presented the E&Y table at a recent OWASP Switzerland chapter meeting. The general consensus at that event was that companies are worried about reputation, and so the Lloyd's Risk Index placement at 3 is more accurate.

The argument here is:
  • "We need to improve our application security program in order to protect our reputation. Look at what happened to Sony, Stratfor, etc."
Cyber Attacks
The Lloyd's Risk Index lists malicious cyber attacks as risk number 12 and non-malicious cyber risks at number 19, whereas the E&Y report does not mention them specifically.

Rank  Lloyd's Risk Index 2011                 Ernst & Young Business Risk Report 2010
   1  Loss of customers/Cancelled orders      Regulation and compliance
   2  Talent and skills shortages             Access to credit
   3  Reputational risk                       Slow recovery or double-dip recession
   4  Currency fluctuation                    Managing talent
   5  Changing legislation                    Emerging markets
   6  Cost and availability of credit         Cost cutting
   7  Price of material inputs                Non-traditional entrants
   8  Inflation                               Radical greening
   9  Corporate liability                     Social acceptance risk: corporate social responsibility
  10  Excessively strict regulation           Executing alliances and transactions
  11  Rapid technological changes             Inability to innovate
  12  Cyber attacks (malicious)               Maintaining infrastructure
  13  High taxation                           Emerging technologies
  14  Failed investment                       Taxation risk
  15  Major asset price volatility            Pricing pressures
  16  Theft of assets/Intellectual Property   Resource scarcity
  17  Fraud and corruption                    Consumer demand shifts
  18  Interest rate change                    Global (re)alignment
  19  Cyber risks (non-malicious)             Reputation risks
  20  Poor/Incomplete regulation              Energy shocks
  21  Critical infrastructure failure         Supply chain and "extraprise"
  22  Government spending cuts                Managing new business models
  23  Supply chain failure                    Capital allocation
  24  Pollution/Environmental liability       Intermediary power
  25  Sovereign debt                          Shifting demographics

Compliance and reputation risks are probably the two main risks to leverage when you are trying to convince management to invest in application security. This type of approach might seem a bit underhand, but all is fair in love and war.
