Monday, November 27, 2006

IT security

You may think that the IPCC incident is the biggest joke in IT security, and that Hong Kong, in particular the government, is inadequate in IT management and IT security training. Not necessarily so. There are many ways to breach the most sophisticated IT security protection. Getting a system protected by the leading edge firewall and intrusion detection system and other advanced technology is only half the solution. The human factor is the most vulnerable, including evil-minded criminals, and ignorant and careless users and staff.

I read an article from Reuters yesterday reporting that banks are getting increasingly concerned about the physical theft of confidential client data by insiders or impostors. You can read the full article at this link. Here are some main points.

"Banks are pouring money into building formidable defenses against computer hackers, but are only just waking up to what may be a bigger threat -- the physical theft of client information by people in the office. 'You can have a fortress-like security system, but if you are not terribly discriminating with consultants and temporary employees, there is a terrible vulnerability,' 'If people can get physical access, the game is over.' said Oveissi Field, managing director of Daylight Forensic & Advisory, a security consultancy."

"Banks, especially in Europe and the United States, are investing vast sums to make computer systems impregnable and have been warning customers of the dangers of being duped into giving away confidential information about their accounts. 'Identity theft can happen through hacking into a bank system or internally with someone walking out of the door, and that worries me more than phishing.' said a security officer at a major European bank.

"Widespread outsourcing of data management and other services has exposed some weaknesses and made it harder to prevent identity theft by insiders. 'There are lots of weak links.' said Oveissi Field. 'Back-up tapes are being sent to offsite storage sites or being mailed and getting into the wrong hands or are lost through carelessness.'"

"What banks worry about is that they may have a combination of weaknesses such as staff vetting and physical security, which when put together can let a sophisticated attacker get at their real crown jewels. Banks are starting to respond to the threat by combining teams working on physical and information technology security, which traditionally have been separate functions"

I think the article is a bit unfair on outsourcing as a source of data leakage. Outsourcing is the order of the day. Very few companies can afford a high skill level IT team without resorting to expert help in the market. The loop hole is actually a neglect of IT management and lack of proper IT security guidelines.

The point about staff vetting and physical security is quite valid. For that matter, I note that this point is valid for any type of security, not just IT security. For staff vetting, it can be extended to all staff, including those from outsourcing contractors if necessary. However, there is very little that staff vetting can do. First, it reveals inaccurate security information at only a certain point in time; and second, people may turn bad any time thereafter. The suggestion on combining physical and IT security is good. A single team led by someone with the overall security in mind can help plug more loop holes.

Reflecting on the IPCC case, it was not technical incompetence nor a skilled hacker that caused the data leakage. It was the insiders, or those who were entrusted with the data, that negligently or carelessly let loose the data into the internet sea. Such leakage could also be caused by malicious intent of dissatisfied employees. A sophisticated IT security system can only do half the job. In fact, the easiest way to get access to a secured system is through unaware clients and staff. A secured system starts with a proper level of alertness on user names and passwords.

No comments:

Post a Comment