Monday 22 April 2013

ICO Breach Statistics 2012

In 2012 the ICO (Information Commissioner's Office) in the UK found 5 websites to be in breach of  data protection act.

The ICO lists the actions that it takes against organizations that it deems to be in breach of the Data Protection act. This also serves as a useful source of statistical information which this blog entry briefly explores. There are a number of different actions that the ICO can take.
  • Monetary Penalty Notices, 
  • Undertakings
  • Enforcement Notices
  • Prosecutions

Overall Statistics

For 2012 here are the overall statistics.

Total for Action
Nr for Web
Monetary Penalty Notices 24 1
Undertakings 29 4
Enforcement Notices 03 0
Prosecutions 06 0
Overall Total 62 5

There were 62 incidents of which 5 relate to websites. Given the number of online applications that process personal information, 5 seems to be a remarkably small number.

Here is a high level overview of the web application incidents.

Monetary Penalty:
  • 6th August: Sensitive personal information relating to 1,373 employees was published on the  website.
  • 1st March: Disclosure of personal information in training materials published on its website
  • 17th April: a web design error that created the potential for unauthorised access to individual’s personal data 
  • 18th April:  Two data security incidents which relate to the unauthorised disclosure of personal data on the data controller’s website.
  • 30th November: A private area on the website was accessible to members of the public

The Rest of the Incidents

The rest of the cases are made up of a mixture of the usual suspects:
  • Information being sent to the wrong recipient. 
  • Paper files left in waste bins. 
  • Unencrypted memory sticks. 
  • Hard drives not securely erased at end of life.
  • etc.

It is worth taking a look at the ICO website taking actions page to get a feel for the kind of problems that exist. There is no real pattern. Website issues are only a small proportion of the overall numbers. It shows how difficult it can be for a security manager to put a comprehensive security program in place.

Useful Links

Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot

Thursday 18 April 2013

Information Security Error Caused Austerity

The headline of which we dream.

It looks like there was an Excel coding error in one of the main academic papers which brought this age of austerity upon us. The spreadsheet that the authors used is not accurate.

The Roosevelt institute blog has all the dirty details.

Now for the Information Security angle. We all know that information security is about protecting the confidentiality, integrity and availability of

According to ISO 27000, information security is the
  • "preservation of confidentiality, integrity and availability of information"
Also according to ISO27000, integrity is the
  • "property of protecting the accuracy and completeness of assets"
The Roosevelt blog shows that the Excel spreadsheet was not accurate.
Since the accuracy isn't protected, then there is an integrity issue.
And since there is an integrity issue, there is an Information Security issue.


Imagine having to tell the people of Europe that all these austerity measures are the result of an Information Security problem in an Excel Spreadsheet.

Useful Links

Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot

Monday 8 April 2013

ISO 2700x Standards on the Cheap(ish)

Most people agrees that ISO 2700x family of security standards are a good idea. But like James Joyce's Ulysses,  how many have actually read it? 

The big problem is that they are  expensive to acquire. A casual user is probably unwilling to fork out the money. Even in big organizations it can be difficult to get hold of the standards.

The two main standards ISO27001:2005 and ISO27002:2005 each cost  Swiss Francs CHF134.-- (approx $143.00)  each on the ISO store. And there are a lot more standards.

 Recently I discovered that you can purchase the main 27001 and 27002 copies of the standards from ANSI for $30 each. See Useful Links below. This is a big saving compared to the standard ISO price. The main difference is that the branding is from INCITS ((InterNational Committee for Information Technology Standards)). The text itself seems to be the same.  Of the two, the 27002 is the more useful, as it lists many best practice security controls or measures that you can implement in your organization. The other ISO2700X standards are not available so cheaply through ANSI.

You can also download ISO/IEC 27000:2012 "Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary" for free.

Useful Links


Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot

Thursday 4 April 2013

Which is it ? - Cyber Attacks cause Huge Losses or no Losses

Do cyber attacks cause real damage or not?

According to Bloomberg:

"The 27 largest U.S. companies reporting cyber attacks say they sustained no major financial losses, exposing a disconnect with federal officials who say billions of dollars in corporate secrets are being stolen." 

Are these companies telling the truth? These reports are based on recent filings with the Securities and Exchange Commission (SEC) so one would imagine they should be fairly honest.

According to the BBC:

"In 2012, the head of MI5 Jonathan Evans said the scale of attacks was "astonishing".

One major London listed company had incurred revenue losses of £800m as a result of cyber attack from a hostile state because of commercial disadvantage in contractual negotiations."

If it's a listed company, would they not have to reveal the loss in their annual report? Does anybody know who this company is?

If you are interested, it's worth reading the paper "Measuring the Cost of Cybercrime" by Ross Anderson and associates.

Useful Links:

Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot