The office is on fire, forget the secretary and save the email
By Davey Winder in Editorial
Posted in Data Protection, Blog, email on
Kroll Ontrack obviously know a thing or two about data disasters; it is a company that spends its entire time working with the consequences of them. So who better to do a data recovery survey with a twist: if you only had time to save one file, which would it be?
Asking a cross-section of business types just what they consider to be the most vital of business data proved to be an interesting exercise. I am guessing that there was some kind of ‘assuming you had no backups’ suggestion implied in all this.
I asked my secretary, also known as ‘the wife’ or if she is in earshot ‘the lovely Yvonne’, what would she save for the good of the business. Rather sensibly, I guess, she said the accounts. “After all” she explained “HMRC are not going to accept ‘sorry, they got mislaid by the courier’ as a valid excuse, are they?” She may well have a point.
Personally, I would choose exactly the same as an astonishing 81 percent of those surveyed and save my email. That’s my email message database, not my contacts file or appointments calendar, they can go hang - it is my message base that is vital to my business.
“Our statistics reveal that e-mails are the most important files for business executives,” said Phil Bridge, Managing Director, Kroll Ontrack UK. “Regardless of the size of IT budgets, organisations simply cannot afford to ignore implementing systems to help avoid severe data loss. Employee education, careful planning and rigorous backup testing of e-mail storage is the only way critical information is protected.”
The reasoning, Kroll argues, is simple: “the logistics required to restore a large e-mail system is complex, and due to its critical nature, downtime needs to be minimised.” Indeed, for this very reason many companies are now capping the storage capacity of user mailboxes and inadvertently increasing the risk of users losing their e-mails.
Kroll Ontrack put together some top tips to e-mail bliss for executives.
- Prepare - a disaster recovery plan will outline company policy and procedures for when it all goes wrong. If you don’t know what your firm’s disaster strategy is - ask!
- Don’t store e-mails locally - many executives store their oversized mailboxes locally, where it is not backed up. The safest archival method is to move items to a central drive that is regularly backed up.
- Seek advice - in the event that you accidentally delete the wrong message, your IT department should have a process to quickly retrieve the message from its backups. If this is a more serious issue, then tampering with the computer may limit what data can be retrieved.
BOFH gets five years for deleting health records
By Davey Winder in Editorial
Posted in Data Protection, Blog, Security on
We can all relate to, and laugh at, the antics of your average Bastard Operator From Hell (BOFH), that rogue system admin who vents his spleen on end users and employers alike. However, sometimes a sysadmin with a grudge is no laughing matter. Such a case would be that of one Jon Paul Oson, who has been jailed for five years after deleting data from his former employer’s network in an apparent act of revenge over a poor performance evaluation report.
It seems that the chap was actually pretty good at his job to start with, having been hired to work as a network engineer at a company providing services for 17 regional health clinics in the Southern California area. Within just five months he had got promotion to a technical manager role and all was going well, until the following year when he got that bad performance review and quit. This seems to have been the trigger for his particularly extreme BOFH attack on the former employer during which he first disabled the automatic backup routine for medical records, and then six days later deleted thousands of records containing appointment data and medical charts over the course of an hour.
Although fined $400,000 and sent to jail for a total of 63 months, which might seem harsh for a nerd hitting the delete key, the real human cost of this red mist has to be taken into account. It is all too easy to dismiss such an event as being all about the network: better security should have prevented it so the employer must share the blame. However, let’s remind ourselves about the chain of events here, because this was major league data vandalism with intent. First the guy disables the automatic backup system, then leaves it a week to ensure that there are plenty of files which have not been backed up and only then returns to delete them. These are files which contain the medical records of patients, a fact that as a network engineer and then technical services manager working on the system he must have been all too well aware of.
As far as I am aware nobody died as a direct result of the reckless deletion of data, if they had then I suspect Oson would have been on some kind of murder or manslaughter charge. But that was surely more a matter of luck than judgement.
There was little in the way of luck when it came to how the FBI actually managed to provide the required level of proof that Oson was behind the attack though. Despite his best efforts to conceal his involvement, which included securely wiping the drives of all but one of his home PCs, Oson did not allow for just how clever some detectives can be these days with regard to technology related evidence.
It appears that before the attack itself, ‘someone’ had explored the network without permission and had done so from a computer that had drivers installed for an HP 2100 Laserjet printer. A printer which Oson possessed. No great evidence as plenty of people have these, of course. However, the Feds also noted that a second computer used in the intruder incidents was loaded with not only the HP 2100 drivers but also those for a Laserjet 4M. Guess what, Oson used both of these. Still not damning evidence, but when investigators discovered that second PC was called ‘kuku’ which was the same name as Oson’s son, and that a printer had been given the handle of ‘mike2003 HP LaserJet 4M’ and this exact same name was given to one of the printers being used by Oson when the FBI raided his house, it starts to become a little too much to put down to coincidence…
I am not a nerd, I am a level 9 warlord
By Davey Winder in Editorial
Posted in Data Protection, Blog, Security, Internet on
With some industry commentators predicting that the Virtual World population will hit 50 million by 2011 there can be no more attempting to write off these 3D immersive environments as just another gaming fad. Indeed, in my book Being Virtual I have interviewed many people for whom the virtual world is at least as important as the real one, and for some more so. The argument so often posed by ‘the media’ which suggests that real life suffers when folk become addicted to their virtual ones can, in many cases, be countered by the simple fact that for some their real life stops and the roleplay begins when the computer is switched off rather than the other way around. The t-shirt slogan of ‘I am not a nerd, I am level 9 warlord’ is a badge of honour for some.
How to hack the FBI
By Davey Winder in Editorial
Posted in networks, Data Protection, Blog, Security on
It appears that a professional penetration tester with some 17 years’ experience in the job has managed to hack his way through from an unnamed civilian government agency network right into the heart of a not at all civilian FBI crime database in less than six hours from start to finish.
The report reveals how the security consultant at PatchAdvisor was able to uncover unpatched vulnerabilities within the government agency web server and network during a routine and otherwise harmless scan. This kick started a chain of events that began with grabbing logins being reused on a number of enterprise systems which then became open to inspection, and in turn revealed unsecured account details to provide the pen tester with Windows domain admin privileges. As anyone who has the slightest experience on either side of the hacking fence will recognise, this has become a classic case of an escalation-of-privileges exploit.
So it should come as no surprise that it led to the ability to access a police workstation on-site, nor that in turn this led to the pen tester being able to install monitoring software upon it to discover applications connecting to the FBI National Crime Information Center database. If he had so wished, and it seems he did not, then the next step would have been installing a keylogger to grab the logins required to access it.
I guess the moral of this tale comes down to the obvious and oft repeated mantra of no matter how solid the security further up the food chain (in this case that FBI database) if the small fish are allowed to swim freely around at the bottom of the tank then eventually some shark is going to come along and gobble up everything. Patch management coupled with sensible firewalling of that police network could surely have prevented what has become something of an embarrassing as well as potentially serious, in the face of the ongoing war on terror, security slip up.
I’m a techno-lumberjack and I’m OK…
By Davey Winder in Editorial
Posted in Data Protection, Blog, Printers on
Guilty as charged. I print hardcopy of important documents so they do not get lost, so that I can keep them safe, so that I can easily share them with anyone who might need to see them. And it appears that I am not alone in participating in this retro-archiving activity, despite my high tech background, as a new report from the EMC Corporation suggests British business is printing so much stuff that it is costing around £11 billion per year.
In the poll of 500 office workers across the UK, KRC Research discovered that people spend 52 minutes every day searching for ‘lost’ emails and assorted electronic documents with those in the South East being most likely to waste more time hunting down the elusive information that is hidden somewhere within the network.
Move towards my neck of the woods, the North of England, and office workers seem concerned with reducing the amount of paper used during the working day. Yet workers aged 18-34 are printing out an incredible 100 pages worth of paper documentation each and every day on average. Makes my 10-20 sheets of A4 look positively green by comparison.
Talking of which, the same survey also revealed that 81% of office workers want their employers to do more for the environment, and the same number have a personal desire to reduce their carbon footprint in the office.
Nice to know that I am not alone in being totally screwed up when it comes to balancing environmental concerns with the day to day reality of office survival. Makes me feel a little better to realize that I am not the only person who understands IT systems, and knows how to archive documents securely, but who still resorts to good old fashioned comfort food of information technology: printouts…
Malware numbers down but don’t celebrate just yet
By Davey Winder in Editorial
Posted in Data Protection, Blog, Security on
That would appear to be the conclusion of a new survey carried out on behalf of the Department for Business, Enterprise and Regulatory Reform, the early results of which have been released today. Although we will have to wait until next week for the full survey to be revealed at InfoSecurity Europe, the results seem both encouraging and worrying at the same time.
The 2008 Information Security Breaches Survey suggests that the number of UK companies reporting malware infection is actually down by as much as 60% when compared to just 24 months ago. This can be, fair enough, partly accounted for by improved anti-virus controls but at the same time we are told that two-thirds of the companies affected said that malware was responsible for their worst information security breaches.
One thing is clear, and that is the nature of the malware threat is certainly changing. The people writing the malware itself are increasingly sophisticated in their methods, especially when it comes to concealing their activities.
Still, on the happy happy side of the fence the survey does appear to be suggesting that malware is causing less damage than in the past, much less damage. The early figures that have been leaked out have a mere 14% of UK companies reporting a malware infection last year. That’s down from 35% two years ago, and it would appear that there are three main reasons for this:
- Corporate anti-virus defences have significantly improved with 95% of companies scanning incoming emails for viruses and 98% having software installed to scan for spyware.
- Most minor infections are no longer considered security breaches but as ‘events’ dealt with by routine controls.
- Malware itself is now just the first stage in enabling more lucrative attacks by hackers rather than infection being an end in itself. Which means it tries harder to remain undetected.
And on the not so happy side? Well, we are warned that despite the lower levels of infection, it’s a mistake to assume the malware threat is over.
Chris Potter, a partner with PricewaterhouseCoopers LLP, who led the survey, commented: “If there is one area of security where UK plc has really got the message, it’s virus protection. Only a tiny minority of companies don’t take this area seriously. The message from this survey is clear - if you haven’t got anti-virus and anti-spyware software, you’re way outside the benchmark. But, there remain some serious challenges. Companies now seem to be slower to install operating system patches than they were in 2006. Delaying patches can leave systems vulnerable to attack. On the other hand, rolling out patches instantly, without testing them first, can lead to systems instability. It’s important that companies strike the right balance here - risk assessment is essential.”
Dr. Guy Bunker, Chief Scientist at Symantec Corporation, one of the consortium members responsible for the survey, added: “While the results of the survey are encouraging, it’s clear that the battle between malware writers and companies continues unabated. Our recent research shows that there are over a thousand new malicious threats appearing each day. The battle is still on, it’s just changed from being obvious and high-profile to silent and obscure but is just as lethal. The motivation of malware writers has changed. Law enforcement in this area has improved around the world. As a result, the kudos derived from writing a disruptive worm to gain notoriety is outweighed by the personal consequences. Motivated by the money involved, organised crime is employing malware writers to write ‘stealthy’ code that seeks to obtain confidential information or open security holes which can be exploited for financial gain.”
Swiss cheese applications are the norm
By Davey Winder in Editorial
Posted in Data Protection, Blog, Security on
Another of those pre-InfoSecurity surveys has emerged from my email today, and oh boy is this one a huge bringer of happiness. Well, actually, no it isn’t. What it does bring to the IT security table is the bad news that 75 percent of the companies questioned think their applications have holes large enough to be exploited by criminal types.
One Professor Howard A. Schmidt, who happens to be a director at Fortify Software but perhaps more interestingly also a former Cyber Security Adviser to the White House, is quoted as saying “this figure of three quarters of organisations having security holes based on application vulnerabilities, while dramatic, is unfortunately not that surprising. When organisations develop applications, quality is one of the highest priorities but security vulnerabilities are seldom recognized or fixed. Priority is often given to delivering application features and business benefits without the understanding of fundamental coding errors that lead to security issues. Cybercriminals are targeting applications to steal money and information, and they know all too well how to exploit vulnerabilities not only in commercial software but are also very adept in finding security holes in applications that are developed “in house”. Business leaders need to set in place business software assurance processes including development practices designed to ensure that their applications are secure to protect the data of citizens, customers and shareholders from the new wave of threats from cybercriminals.”
He’s not wrong of course, although I disagree about the ‘not that surprising’ bit. I am absolutely gob-smacked that people wearing long trousers and one assumes getting paid decent money to take care of IT business will happily admit that the applications they use are doing a decent impression of Swiss cheese: full of holes.
Look, hackers are not in it for the fun any more. Forget the pot-boiler novel portrayal of the spotty geek wreaking havoc for the heck of it. Today those geeks can afford to have laser treatment for the spots and still have enough money left over for the latest bling-filled car. Cyber crime is big business, big and well organised business. Shame that it seems only the bad guys are taking it seriously enough though…
Is outsourcing your evil twin?
By Davey Winder in Editorial
Posted in Data Protection, Blog on
I love the run-up to the annual InfoSecurity Europe show, not least because it means I am assured of numerous press releases with the most wonderfully eye-grabbing headlines from exhibitors wanting to attract my attention and my time while visiting the show. One such release arrived in my inbox today, proclaiming that if you ‘Outsource your code’ then you are ‘more likely to be hacked.’
Naturally, I read on. The gist of the email being that according to a report released today by IT analysis group Quocirca, the majority of companies manage to overlook the basic task of mandating security when they enter into an outsourcing agreement.
In fact, the report reveals that of the organisations that admitted to being frequently hacked, all outsource at least some of their coding practice, with 90 percent outsourcing more than 40 percent! The survey at the basis of the report discovered that more than 60% of companies which enter into the outsourcing of critical applications coding just do not bother to mandate that security must be built into the applications at all. This should actually come as little surprise if you ask me, especially if you delve deeper into the report and discover that 20 percent of UK companies don’t consider security when building their applications at all.
Heck, statistics abound which show that the software application layer is like a banana to a monkey as far as hackers are concerned when it comes to accessing critical data. The National Institute of Standards and Technology (NIST) reckons that 92 percent of vulnerabilities affecting computer networks are contained in software applications. Do the math and this whole issue starts to become really rather important, does it not?
I am not sure that I agree with the implication of the statement in the press release that says “an organisation that has not developed the code itself can never be absolutely certain that it is secure” which would seem to suggest that outsourcing per se is the evil twin in this software sibling scenario. The truth is that even if you develop the code yourself from the bottom to the top you can never be 100 percent certain that it is secure, at least not for 100 percent of the time. New exploits can make previously considered secure code vulnerable, after all. This is kind of admitted in the release when it insists “However strong a relationship with a third-party developer, or watertight the service-level agreements in place, a rogue developer can place vulnerabilities in the code that they develop - for example, by placing a backdoor in software that can be used to infiltrate a network in the future.” Yup, as could a rogue in-house developer of course.
The report was supported by Fortify Software whose Director, and former Cyber Security Advisor for the White House, Howard Schmidt comments “These survey results help explain the recent, sudden rise in data breaches and should serve as a wake-up call to any executive whose company sits on a pile of mission-critical application code.” Again, I am not so sure I agree. The results suggest to me something that I already know, and would hope that those executives sitting on mission-critical application code would also already know, and that is that security is pretty darn important throughout the application lifecycle.
Fran Howarth, Principal Analyst at Quocirca and author of the report adds: “The findings of this report indicate that not enough is being done by organisations to build security into the applications on which their businesses rely. Not only that, but they are entrusting large parts of their application development needs to third parties. This creates an even greater onus for organisations to thoroughly test all code generated for applications - without which they could be playing into the hands of hackers.”
Now that I can agree with 100 percent.
Blame employees for your security cock-ups
By Davey Winder in Editorial
Posted in Data Protection, Blog, Security, Internet on
That, at least, appears to be amongst the early findings of the 2008 Information Security Breaches Survey from the Department for Business, Enterprise and Regulatory Reform. Although the full report is not scheduled to be published until the week of the Infosecurity Europe show in London starting April 22nd, some early titbits are leaking out. Such as the fact that employee behaviour is key to improving information security.
The survey reveals, if that is not too strong a word under the circumstances, that companies are placing greater trust in their staff. 54% allow staff to access their systems remotely (up from 36% in 2006) while the proportion of businesses restricting Internet access to some staff only has nearly halved (from 42% to 24%), and only 9% give no staff access to the Internet.
Yet, at the same time, the survey also shows that staff are increasingly targeted by social engineering attacks and businesses are becoming increasingly concerned about staff behaviour on social networking sites when it comes to what is being said about them online. Hardly surprising when some staff have been posting confidential information on these sites under some kind of weird misapprehension that they are talking to a bunch of mates down the boozer.
So what is the corporate response? According to the report it is a hardening of technical controls:
- Use of strong authentication has nearly doubled since 2006. 14% of small businesses and 53% of large companies now use strong authentication for some of their systems.
- Two-thirds of companies that allow staff to access their systems remotely require additional authentication over that access.
- Virtual Private Network (VPN) use is almost universal among very large businesses for remote access.
- 81% of large companies block access to inappropriate websites and 86% log and monitor staff access to the Internet.
Most encouragingly I guess, companies are making staff aware of usage and security policies and then monitoring behaviour. The proportion of companies that have an information security policy has quadrupled over the last eight years. Large businesses remain more likely to have a security policy; seven out of eight do so, and some of the 12% that do not have a security policy per se have an integrated overall set of business policies that include information security. Some 68% of companies surveyed that give a high or very high priority to security have a security policy (up from 55% in 2006 when the last ISBS was conducted) compared with 64% of those that treat security as low or no priority (up massively from 13% in 2006).
European business sucks at data protection
By Davey Winder in Editorial
Posted in Data Protection, Blog, Security, Uncategorized on
That is the rather unsurprising conclusion of a YouGov survey which took a pan-European view on consumer attitudes to online security. It revealed that European users visit their bank most often, closely followed by retail sites. Yet when asked if the government and banks, for example, are doing enough to safeguard their data while online, a resounding 57 percent of UK users said nope, 44 percent of Germans said nein and 31 percent of Swedes responded nej.
The survey was commissioned by VeriSign who say that European Internet users are putting as much as £360 billion at risk simply by sharing personal data on sites that are lax about security. Interestingly, the survey also asked who should be responsible for the protection of our personal information online and the answer was overwhelmingly, and again totally unsurprisingly, the banks, credit card companies and web sites themselves.
Jon Kerr, VeriSign SSL Manager, commented, “With increasing frequency, we are seeing more and more theft of consumers’ personal information. The study shows that online customers are becoming more aware of the risks involved in passing on their details over sites that may not be secure. It is the organisations themselves that will fail to benefit as they will lose out on an increasingly skeptical customer base who expect their online safety to be taken care of. Trust is difficult to build but easy to break…”



