Another local government data loss


J.B (Soldato, joined 16 Aug 2006, 5,924 posts)
http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsId=20539

Looks like lightning does strike twice!

The kicker is (in my eyes) that the government wants to cut back spending on IT and consultancy, but in fact the IT consultancy company I work for goes in and tries to prevent things like this from happening!

Just another reminder for business and public bodies that there is a need to control data movement in and out of their network.
 
It's the IT "consulting" companies that lose the data. Well, it was them who lost the HMRC stuff anyway. These companies charge an absolute fortune to do not a lot, and are the scourge of the civil service and need sacking ASAP :p
 
I'm amazed they're allowed to use unprotected USB sticks. Seems to rather defeat the point of all the other security measures they take.
 
I agree, in this day and age why are they allowed to use USB drives. At our place you can only use specific encrypted drives which have to be signed out and all the laptops have to have full disk encryption ....
 
It's the IT "consulting" companies that lose the data. Well, it was them who lost the HMRC stuff anyway. These companies charge an absolute fortune to do not a lot, and are the scourge of the civil service and need sacking ASAP :p

My favourite quote for things like this is a response to the question "How did you get into consulting?"

"Well, I'm a con artist who likes insulting people, so it was all very natural."
 
I agree, in this day and age why are they allowed to use USB drives. At our place you can only use specific encrypted drives which have to be signed out and all the laptops have to have full disk encryption ....
To the bean counters, and on paper, this makes perfect sense. Until you remember that all this encryption slows things down, makes transposing of data from one machine to another difficult, and generally makes the whole point of using a USB drive in the first place not worth it. Which completely defeats the point, so workarounds and corner cutting take place, such as just using unencrypted devices.

It's the same logic as making everyone use a password of at least 8 characters, which must have upper and lower case and contain at least one symbol, and change their password every 60 days or so. Great, it'll now be very difficult for anyone to guess a password. Including those who set the password, so they'll resort to writing them on a bit of paper and keeping it with their laptop, completely negating the reason for having rolling passwords in the first place.
 
You can still limit the drives that can be used on a computer.

For example, you can lock them down and say only allow access to ironport usb devices, and if another brand gets plugged in, it won't allow access.
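The lockdown described in this post (only the organisation's own sticks get through) also has a detection side: if a workstation is not enforcing the policy, the kernel log still records every stick that was plugged in. The following is an added example, not code from anyone in the thread. It correlates the Linux kernel's `usb` / `usb-storage` log lines by port path and reports any mass-storage device whose vendor ID, product ID and serial number are not on an allowlist of issued encrypted sticks. The sample log, hostname, vendor/product IDs and serial numbers are constructed placeholders; a real allowlist would be loaded from the sign-out register rather than hard-coded.

```python
"""Flag USB mass-storage attachments that are not on an approved-device allowlist.

Input is a slice of kernel log text (what `journalctl -k` or /var/log/kern.log
would hold). The line formats follow the Linux kernel's usb/usb-storage messages;
the sample lines, hostname, vendor/product IDs and serials below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log: four plug-in events on one workstation.
SAMPLE_LOG = """\
Mar  3 09:12:01 ws07 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Mar  3 09:12:01 ws07 kernel: usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Mar  3 09:12:01 ws07 kernel: usb 1-1: Product: Cruzer Blade
Mar  3 09:12:01 ws07 kernel: usb 1-1: SerialNumber: 4C530001230306115431
Mar  3 09:12:02 ws07 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar  3 09:40:17 ws07 kernel: usb 2-3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 2.00
Mar  3 09:40:17 ws07 kernel: usb 2-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Mar  3 09:40:17 ws07 kernel: usb 2-3: SerialNumber: ENC-STICK-0042
Mar  3 09:40:18 ws07 kernel: usb-storage 2-3:1.0: USB Mass Storage device detected
Mar  3 10:02:55 ws07 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Mar  3 10:02:55 ws07 kernel: usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Mar  3 10:02:55 ws07 kernel: usb 1-2: Product: USB Receiver
Mar  3 11:15:40 ws07 kernel: usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
Mar  3 11:15:40 ws07 kernel: usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Mar  3 11:15:41 ws07 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Approved encrypted sticks, keyed (idVendor, idProduct, serial). Placeholder values;
# a real deployment would load this from the sign-out register.
APPROVED_STICKS: Set[Tuple[str, str, str]] = {
    ("1234", "abcd", "ENC-STICK-0041"),
    ("1234", "abcd", "ENC-STICK-0042"),
}

# Kernel message shapes: device enumeration, serial string, and the usb-storage bind.
NEW_DEVICE = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    port: str
    vendor: str
    product: str
    serial: Optional[str] = None   # None when the device reports no serial string
    is_storage: bool = False


def parse_attachments(log_text: str) -> List[UsbDevice]:
    """Correlate the kernel's per-device lines by USB port path ("1-1", "2-3", ...)."""
    devices: List[UsbDevice] = []          # every enumeration, in log order
    current: Dict[str, UsbDevice] = {}     # latest device seen on each port
    for line in log_text.splitlines():
        if m := NEW_DEVICE.search(line):
            dev = UsbDevice(port=m.group(1), vendor=m.group(2), product=m.group(3))
            devices.append(dev)
            current[dev.port] = dev        # a re-plug on the same port starts a new record
        elif m := SERIAL.search(line):
            if (dev := current.get(m.group(1))) is not None:
                dev.serial = m.group(2)
        elif m := STORAGE.search(line):
            if (dev := current.get(m.group(1))) is not None:
                dev.is_storage = True
    return devices


def find_unapproved_storage(log_text: str, allowlist: Set[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (port, idVendor, idProduct, reason) for each storage device that fails policy.

    Non-storage devices (mice, keyboard receivers) are ignored. A storage device that
    reports no serial string cannot be matched to a signed-out stick, so it is reported too.
    """
    findings = []
    for dev in parse_attachments(log_text):
        if not dev.is_storage:
            continue
        if dev.serial is None:
            findings.append((dev.port, dev.vendor, dev.product, "no serial number reported"))
        elif (dev.vendor, dev.product, dev.serial) not in allowlist:
            findings.append((dev.port, dev.vendor, dev.product, "not on allowlist"))
    return findings


if __name__ == "__main__":
    for port, vid, pid, reason in find_unapproved_storage(SAMPLE_LOG, APPROVED_STICKS):
        print(f"port {port}: {vid}:{pid} {reason}")
```

On the constructed log this reports the stick on port 1-1 (a known brand, but not one of the issued devices) and the stick on port 1-3 (no serial string, so it can never be tied to the register); the issued stick on 2-3 and the non-storage receiver on 1-2 are silent. Matching on serial rather than on vendor alone is what catches the situation the thread's ICO quote describes: old, unencrypted sticks from the same supplier that were never recalled.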
 
To the bean counters, and on paper, this makes perfect sense. Until you remember that all this encryption slows things down, makes transposing of data from one machine to another difficult, and generally makes the whole point of using a USB drive in the first place not worth it. Which completely defeats the point, so workarounds and corner cutting take place, such as just using unencrypted devices.

It's the same logic as making everyone use a password of at least 8 characters, which must have upper and lower case and contain at least one symbol, and change their password every 60 days or so. Great, it'll now be very difficult for anyone to guess a password. Including those who set the password, so they'll resort to writing them on a bit of paper and keeping it with their laptop, completely negating the reason for having rolling passwords in the first place.

This is exactly how it works.
We have ALL laptop devices encrypted and all USB devices encrypted and all machines locked down to only allow write access to the encrypted USB device.
The best thing is the number of laptops that come back to us for repair with a full sticky label on the laptop with both the user's encryption login details and their account login details.
I've even seen the USB devices with sticky labels around them with the password on!
No matter how hard you work to lock things down it comes down to simple user error or lack of common sense!
A system is only as secure as the users using it!
 
To the bean counters, and on paper, this makes perfect sense. Until you remember that all this encryption slows things down, makes transposing of data from one machine to another difficult, and generally makes the whole point of using a USB drive in the first place not worth it. Which completely defeats the point, so workarounds and corner cutting take place, such as just using unencrypted devices.

It's the same logic as making everyone use a password of at least 8 characters, which must have upper and lower case and contain at least one symbol, and change their password every 60 days or so. Great, it'll now be very difficult for anyone to guess a password. Including those who set the password, so they'll resort to writing them on a bit of paper and keeping it with their laptop, completely negating the reason for having rolling passwords in the first place.

Except with decent spec kit the encryption doesn't have a significant impact on performance in most uses (I'm normally running at least two VirtualBox VMs on top of my Windows laptop and they run fine even though it has whole disk encryption installed). If I want to transfer some files to a colleague then I use the corporate network instead of a USB stick which can be lost.

If your users can't remember an 8-character password with upper, lower, numeric and symbol characters then frankly you need new users.

edit: if the laptop needs to go back for repair then support can use an admin account other than the user's to log in and also access the encryption even if they don't have the user's password (ref PGP WDE with central key repository)
 
Sally-Anne Poole, enforcement group manager at the ICO, said: “I am aware that staff have been provided with encrypted USB sticks since 2006, but older devices were not recalled.”

Someone didn't think to recall the old ones, hence the problem. I bet they’ve done it now.
 
So what's the answer? User education?

Although we have mainly technical staff who understand the need for security, and some could explain the maths behind different encryption types, we still have a few non-techs, and they all remember 3 different passwords to get on and use their systems.
 
Except with decent spec kit the encryption doesn't have a significant impact on performance in most uses (I'm normally running at least two VirtualBox VMs on top of my Windows laptop and they run fine even though it has whole disk encryption installed). If I want to transfer some files to a colleague then I use the corporate network instead of a USB stick which can be lost.

If your users can't remember an 8-character password with upper, lower, numeric and symbol characters then frankly you need new users.

edit: if the laptop needs to go back for repair then support can use an admin account other than the user's to log in and also access the encryption even if they don't have the user's password (ref PGP WDE with central key repository)
Perfect example of someone who doesn't see past the benefits. Even if the detriments far outweigh them. You'd make for a fantastic manager, you know? :)

Or perhaps is just an IT evangelist that can't possibly comprehend the idea that although it may be a great idea, it just doesn't work?

P.S. "decent spec kit" and "large corporation" (especially civil service) do NOT go together.
 
http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsId=20539

Looks like lightning does strike twice!

The kicker is (in my eyes) that the government wants to cut back spending on IT and consultancy, but in fact the IT consultancy company I work for goes in and tries to prevent things like this from happening!

Just another reminder for business and public bodies that there is a need to control data movement in and out of their network.

This isn't anything to do with money; that is what Labour seemed to think would solve all the nation's problems as well. Making sure a USB stick with sensitive data on it is something that thousands of people manage every day without being paid any money.

You hire numpties and no matter how much you pay them, they will still be numpties.
 
Someone didn't think to recall the old ones, hence the problem. I bet they’ve done it now.

I bet they haven't, this is local government we're talking about!

According to The Register:
"The ICO found that unencrypted devices, in operation before the council introduced encrypted memory sticks in 2006, were still being used by members of staff. Further enquiries revealed staff had not received appropriate training in data protection issues and monitoring of compliance with the council’s policies was found to be inadequate," the ICO said.

So when they lost data the first time, nothing happened, no fines, no sackings, no pay cuts, no final written warnings... nothing, nada.

Basically the ICO are powerless, and the councils are careless. Until people are sacked for gross negligence over this, it will continue.

I've even seen the USB devices with sticky labels around them with the password on!

Should be an instantly dismissible offence in my opinion, whatever kit is involved. Either you have a brain or you do not.
 
I bet they haven't, this is local government we're talking about!

According to The Register:
"The ICO found that unencrypted devices, in operation before the council introduced encrypted memory sticks in 2006, were still being used by members of staff. Further enquiries revealed staff had not received appropriate training in data protection issues and monitoring of compliance with the council’s policies was found to be inadequate," the ICO said.

So when they lost data the first time, nothing happened, no fines, no sackings, no pay cuts, no final written warnings... nothing, nada.

Basically the ICO are powerless, and the councils are careless. Until people are sacked for gross negligence over this, it will continue.

Should be an instantly dismissible offence in my opinion, whatever kit is involved. Either you have a brain or you do not.
Good management leads with the carrot, not the stick.

It is very bad management to "make examples" of people by sacking them for honest mistakes.
 
This is exactly how it works.
We have ALL laptop devices encrypted and all USB devices encrypted and all machines locked down to only allow write access to the encrypted USB device.
The best thing is the number of laptops that come back to us for repair with a full sticky label on the laptop with both the user's encryption login details and their account login details.
I've even seen the USB devices with sticky labels around them with the password on!
No matter how hard you work to lock things down it comes down to simple user error or lack of common sense!
A system is only as secure as the users using it!

Sadly this is my experience as well. Encryption isn't much use if the users write the password on the laptop.

I suppose some form of training to drill in the importance of these security measures, or stricter penalties for this kind of security breach, might help? I don't know what else you could do.
 