Page 14 of 14

ECCP Data Security – Report and Recommendations

Introduction

The recent high-profile cases of portable devices being lost or stolen have highlighted our legal obligation to ensure that we are doing everything possible to reduce the risk of sensitive data being exposed through loss or theft.

In 2011, the Information Commissioner’s Office (ICO) published details of eighty-three cases where formal action was taken regarding a breach of the Data Protection Act 1998 (DPA). Of these, around 25% related to the use of mobile or portable devices resulting in the loss of personal information. Two of the cases involved substantial monetary penalties for the organisations found to be in breach of the DPA. Since then the number of cases has increased dramatically with the explosion in the use of personal mobile devices for work.

The DPA places certain obligations upon organisations regarding their use of personal data and it grants individuals certain rights regarding the personal information held about them by organisations. The DPA covers ‘personal data’ and ‘sensitive personal data’.

The ICO’s view confirms the need for institutions to audit and monitor how personal data is processed within them, and to include data protection in any risk assessment carried out before introducing new ICT facilities, including social networking, data storage and shared services (e.g. Dropbox, which allows use via a smartphone). The ICO view of substantial damage, substantial distress and reasonable steps is outlined in the guidance and includes:

§ whether a risk assessment was carried out,

§ whether there are clear lines of responsibility,

§ whether appropriate policies are in place,

§ inclusion of a policy to encrypt laptops,

§ application of recognised standards on information security management,

§ whether the damage or distress is perceived or of real substance.

“The ICO will take an objective approach in considering whether there has been a serious contravention of the data protection principles.”

Overview

Traditional network-based security - firewalls to protect office workers, VPNs for remote and mobile employees, and standard user logon security - is no longer enough in enterprises where employees are mobile or work remotely, or where the use of consumer mobile devices such as smartphones, laptops and tablets becomes the norm. To better protect the data, security needs to move closer to the endpoint, i.e. the place where the data actually resides. As a result, encryption is a growing trend, particularly among larger organisations with dispersed workforces.

Encryption is the process of transforming (scrambling) the actual data into another form, so that another person can understand it only by unscrambling it with the correct decryption key. For example, a "secure" (HTTPS) web link, such as one used for online banking, uses encryption to prevent a wiretapper from seeing what your data and passwords actually look like. The secure (secret) distribution of the necessary keys is a critical component of any encryption system. Encryption can be used for secrecy (in transmission or storage), authentication (only someone holding the secret key can produce or read the data), disposal (encrypt, then delete the only key), digital rights management (a combination of the above), and key distribution, among other things.
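To make the uses listed above concrete, here is an added illustration that is not part of the ECCP report: a small encrypt-then-MAC "container" in Python showing secrecy of stored data, authentication by possession of the key, and disposal by destroying the only key. The cipher construction (a SHAKE256 keystream authenticated with HMAC-SHA256, separate sub-keys, a random nonce per message) and the names `encrypt`, `decrypt` and `VolumeKey` are this example's own assumptions, chosen so that it runs on the Python standard library alone; the disk and USB encryption products discussed later in this report use vetted ciphers such as AES instead.

```python
# Added illustration (not from the ECCP report). The cipher construction is
# assumed for this example only: SHAKE256 keystream XOR data, HMAC-SHA256 tag.
import hashlib
import hmac
import os

NONCE_LEN = 16   # fresh random value per encryption so keystreams never repeat
TAG_LEN = 32     # HMAC-SHA256 output length


def _subkeys(key: bytes):
    # Derive separate encryption and authentication keys from one master key.
    enc = hashlib.sha256(b"ECCP-enc" + key).digest()
    mac = hashlib.sha256(b"ECCP-mac" + key).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # SHAKE256 is an extendable-output function, so it can yield any length.
    return hashlib.shake_256(enc_key + nonce).digest(length)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. Without the key the result reveals
    only the length of the plaintext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (authentication), then unscramble. A wrong key or
    any modification of the container is rejected before decryption."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated container")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class VolumeKey:
    """Holds the only copy of a key in a wipeable buffer. Disposing of the
    data then means disposing of this object, not of every container copy."""

    def __init__(self) -> None:
        self._buf = bytearray(os.urandom(32))

    def get(self) -> bytes:
        if not self._buf:
            raise RuntimeError("key has been disposed of")
        return bytes(self._buf)

    def dispose(self) -> None:
        # Overwrite then drop. Python cannot guarantee no other copies exist,
        # which is why callers should only read the key through get().
        for i in range(len(self._buf)):
            self._buf[i] = 0
        self._buf.clear()


def demo() -> dict:
    """Exercise each property and report which ones held."""
    # Constructed sample data standing in for a confidential file on a USB stick.
    note = b"ECCP contact list (constructed sample): Alice 01234 567890"
    key = VolumeKey()
    blob = encrypt(key.get(), note)
    results = {
        "round_trip": decrypt(key.get(), blob) == note,
        "plaintext_hidden": note not in blob,
    }
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01            # flip one bit of the ciphertext
    try:
        decrypt(key.get(), bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    try:
        decrypt(os.urandom(32), blob)      # someone without the secret key
        results["wrong_key_rejected"] = False
    except ValueError:
        results["wrong_key_rejected"] = True
    key.dispose()                          # disposal: the container is now junk
    try:
        decrypt(key.get(), blob)
        results["disposed"] = False
    except RuntimeError:
        results["disposed"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

Running the block prints one line per property. The order inside `decrypt` is the design point worth noticing: the tag is checked before any unscrambling, so a wrong key and a modified container fail in exactly the same way, and the nonce travels with the data so that the key holder needs nothing else to recover it.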

(Note: to counter criminal activity hidden within encrypted data, the key disclosure provisions of the Regulation of Investigatory Powers Act 2000, activated by ministerial order in October 2007, require persons to supply decrypted information and/or keys to government representatives. Failure to disclose carries a maximum penalty of two years in jail.)

Until recently, ECCP work-related data was only stored on and accessed from physically secured PCs at the workplace. Therefore the only security required was system password security on the machines themselves and document password security on confidential files. There was little possibility of the data being lost or stolen, as the PCs were never removed from the workplace. However, with the increased use of laptops and mobile devices by staff, new security measures need to be implemented.

This report details the various options available, although not all will be included in our policy: there has to be a balance between what should be done to reduce our exposure to risk and not over-reacting so much that the systems become unmanageable and prevent us from doing our work.

Physical Device Security

a) Mobiles

Manufacturers of mobile devices provide three types of locking: a SIM lock, which locks your SIM card so that no matter which phone you put it into it will ask for the password; a phone lock, which locks the specific phone no matter what card you put into it; and a network lock, which locks the phone itself to a particular network. We are concerned with the first two.

If you use a smartphone for work and have confidential data loaded on the phone, please ensure that you have the SIM lock password set if you are carrying data on the SIM, and the phone lock password set if you have data in the phone memory. As each phone setup will be different, I cannot give specific instructions here on setting these passwords, so please refer to your phone manual.

There is a further consideration with phones: that of securing confidential data on an SD memory card. Any memory card can be removed and placed in a card reader on a computer, or in another phone, to access the data on it; so if you have confidential data on an SD card, it will need to be encrypted. However, apart from BlackBerry devices, which have an internal encryption function for SD cards (BlackBerry content protection), most other manufacturers are very lacking when it comes to this level of security. Companies using both Android and Windows phones have been trying unsuccessfully to get the manufacturers to address this situation for several years, but there is still no announcement forthcoming. iPhones do have internal encryption, activated through the passcode feature, which means data can only be decrypted on the computer designated at the Apple site as the one used to synchronise the phone.

Windows 6 PDA mobile encryption does exist, but sadly if the PDA is cold booted the decryption keys are lost and you will not be able to get to your data. If you have a smartphone or PDA and intend to carry confidential data on it, there is a package called SecuBox that you can purchase to encrypt the data. It is available from the following link: http://www.aikosolutions.com/encryption/sd-card-encryption/

If you have an Android phone, the various Android blogs give some suggestions, but some people have lost data trying them, so be careful. At the moment Google has given no indication of how it will respond to user requests for this feature, so confidential data should not be loaded onto an Android phone until further notice.

More general details on smartphone encryption and security can be found at the following link: http://searchsecurity.techtarget.com/tip/Choosing-smartphone-encryption-software-for-mobile-smartphone-security

b) Laptops

Where people are using personal laptops for work, these need to be secured to prevent unauthorised access to the machine. At the moment most users are only using logon security. This is not enough: it merely prevents access through the operating system, and it is a very simple process to remove the passwords from an operating system. Although the passwords are encrypted, a potential thief who isn’t interested in what they are, but only in removing them, can simply delete the password fields from the system. Many packages are available, including free ones, which will perform this action for them.

Therefore a laptop should have a device password, often called the boot password, defined. Like a mobile phone lock, this will prevent access to the device itself. When you switch the laptop on, the first stage of the boot process will ask for a password and will not allow the boot to continue until the correct password is entered. This password is held in the CMOS on the motherboard and will remain in existence as long as the motherboard CMOS battery is charged; long before that you will probably have thrown the machine away.

Setting the BIOS/CMOS password on a Windows laptop

To prevent access to the machine (in the same way as you would prevent access to your phone), you need to set a password in the BIOS. To do this, once you have switched on your machine, press the BIOS access key. This is usually the Esc key, the Delete key or a function key such as F1 or F2. If you don’t know your key, a list of probable keys by manufacturer can be found at http://pcsupport.about.com/od/fixtheproblem/a/biosaccess_pc.htm

Once the access key sequence is pressed, the BIOS menu will load. Navigate with the arrow keys across the top menu to select the security option. Three password options are given. The Supervisor password prevents someone from changing these password settings, for instance if they try to boot from a network or CD. The User password is the main switch-on password, which causes a prompt for this password before the computer boot load continues. The HDD password enables hard disk password security for the disk, to prevent access to the data on the disk even if it is transferred to another machine. However, a data recovery function could still access the files if they are unencrypted. Also, this option needs to be supported by the hardware you have.

Set the User and Supervisor passwords. Do not bother with the HDD password, as we will be using encryption for the confidential data where necessary. To set these passwords, move down using the up and down arrow keys to the correct field and enter the password you require. DO NOT FORGET IT. Once you have set a BIOS password, the only way to get rid of it is to short the motherboard, and this can be dangerous to your machine.

Press the ESC key to exit the BIOS and save.

From now on, whenever you switch on your machine, even before it starts to load the operating system, you will be asked for the User password you set in the BIOS.

c) Apple Machines

Unlike PC laptops, Apple machines are a bit more complex when it comes to protecting the physical machine. Apple's latest Open Firmware update introduces support for additional security options which allow the Open Firmware to be password protected. Similar to the typical PC BIOS password feature, this feature in Apple's implementation of Open Firmware allows you to password protect your computer's ability to boot.

The firmware password protection feature is off by default on all Macs and, according to Apple, the Open Firmware Password tool should be used only on Macs with Mac OS X 10.1 and later. Because Apple does not provide technical support for, or endorse, using the Open Firmware password protection feature on earlier versions of Mac OS or with any third-party software utilities, you should be careful and first make sure that your Mac meets this basic requirement. On Intel- and PPC-based Macs, the firmware password protection is based on two different types of firmware.

To be able to use the firmware password protection, you should have one of the following Apple computers: any Intel-based Mac, MacBook Air, iMac (Slot Loading) and later models of G3 iMac, iMac (Flat Panel) and later models of G4 iMac, iMac G5 and later models of G5 iMac, iBook (all models, both G3- and G4-based), eMac (all models), PowerBook (FireWire), PowerBook G4 and later models of G4 PowerBook, Power Mac G4 (AGP Graphics) and later models of G4 Power Mac, Power Mac G4 Cube – all models, Power Mac G5 and later models of G5 Power Mac.

Updating Open Firmware with security enabled has been reported to cause permanent password corruption (and the security-mode setting from before the update persists). So ensure you disable password protection before applying any Open Firmware update.

Password-protecting Open Firmware does not fully secure the physical hardware, as a thief can open the case of the computer and force a password reset. By adding or removing memory, the host is put into a mode where it is possible to reset the PRAM by pressing Command-Option-P-R at boot time. Once the PRAM is reset three times, the password protection is removed. This quirk in the Open Firmware architecture is a backdoor similar to removing the battery on a PC. Also, a utility called FWSucker allows an attacker, once logged in to a host, to harvest the Open Firmware password; even guest users can decrypt the password.

Open Firmware password protection must be treated as a tool in protecting your host, not absolute protection.

Setting Open Firmware password protection on an Apple machine

Because of these limitations and the danger of corruption, which Apple will not take responsibility for and will charge you to correct, we will not be expecting any ECCP member to activate additional device protection as standard on their own Apple devices. However, if you do wish to activate this feature for your own benefit, instructions can be found here: http://www.securemac.com/openfirmwarepasswordprotection.php#fwsucker

If you intend to use a personal Apple device for work, please contact Mike or Samy to discuss your needs. Permission may be refused.

d) USB Sticks

Everyone now has at least one personal USB stick, used to carry around their own data at work. These are even easier to misplace than a phone or laptop! So, if they are going to carry any type of work-related confidential data, they must be secured at all times with some form of data encryption. There are three ECCP-acceptable methods of achieving this. The first and second are software options: either an encrypted partition on your USB device, or an encrypted data store (container file) on your USB device. The standard software you should use for this is the open source TrueCrypt, available from the download site http://www.truecrypt.org/downloads. This has been tested by the FBI and has proved to be uncrackable if a complex sentence key (passphrase) has been used. It is also one of the few packages that will work equally on Windows, Apple and Linux machines, meaning the same USB stick can be used to transfer data across multiple platforms. Detailed instructions can be seen in the documents attached and outlined in the Data security section below.