Sidewinder on giving security a bit of stick

Davey Winder tells the least funny joke in the history of IT security. He’s not laughing: and neither should you be.
OK, here it is, the least funny joke you could tell an IT administrator. What's insecure and sticky? Your data on a memory stick.
My editor struggled to see a joke there at all. What’s really funny, though, is that while it is relatively easy to secure data on memory sticks, all too often these simple data security procedures are overlooked.
You would need a fairly twisted sense of humour to find anything to laugh about in some of the cases of “stupid stick security” that have been brought to my attention recently.
Cambridge University Hospital NHS Foundation Trust got into trouble with the Information Commissioner's Office after an unencrypted memory stick went missing from an unattended staff vehicle, complete with the medical treatment details of 741 patients – all of which were subsequently found by a car wash attendant.
Or how about the Lancashire NHS Trust, which managed to lose a memory stick with more than 6,000 prison patient details on it, while inside the prison itself? The data on that stick was encrypted, but there's still a punch line.
Knock knock… Who's there? Lost encrypted memory stick. Lost encrypted memory stick who? Lost encrypted memory stick with the password attached on a sticky-note. Nope, I'm not laughing at that one either.
Simple messages
According to NHS Connecting for Health (NHS CFH), it is the "responsibility of NHS trusts to ensure they have secure and robust IT systems that not only support the IT requirements of the trust but provide a safe, secure network that prevents unauthorised people from accessing confidential information."
It rightly points to the necessity of having a multi-layered, multi-faceted security model which combines different controls for the detection and prevention of intrusion within the network. However, there also needs to be a degree of thinking outside the box; or, more to the point, outside the network.
One person taking this very seriously is NHS chief executive, David Nicholson, who has written to all NHS trusts to say there should be no transfers of unencrypted person-identifiable data (PID) in electronic format anywhere across the NHS.
Nicholson has also reminded chief executives about existing guidelines on the use of encryption within the NHS, which state that any data stored on a PC "or other removable device in a non-secure area or on a portable device" should always "be encrypted".
Meanwhile, the Data Protection Act states quite plainly that all organisations must take the appropriate measures to ensure that personal information is kept secure. As everyone’s favourite TV meerkat would say: ‘Simples!’
Difficult controls
Encryption aside, we have to return to that good old ‘security is an onion’ analogy. It should have plenty of layers and make anyone trying to peel them away cry.
So think about the data on your network and your desktops as well as on removable devices. This means thinking about a policy to control and enforce USB port usage.
There’s no shortage of USB port protection options. You can get memory sticks which come with their own unique asset number stored within a central management system database. If one of these gets stolen, it can be disabled, meaning nobody can write to it and it can no longer be accessed via the network’s PCs.
Such systems provide granular access controls, for example allowing 'visitor devices' to be able to read data (like presentations) but not write to the network or copy data to the device itself. Then, we can throw in the ability to lock down a desktop machine with a USB device attached if it is left unattended for a given time.
Sure, in times of economic pressure, you have to persuade the powers that be to spend hard cash on these secure memory stick options.
Sure, you also have to persuade your users that it’s worth learning how to use the advanced security functions properly (to prevent accidental data wipes and lock-downs).
But when staff have to think about these things every day, they have to think about security in general, as well. It’s broad-church security education on the job – and that’s something that should have IT managers smiling.
Encryption by numbers
Getting memory stick security right involves a little number crunching. Memory sticks use “encryption keys” (an advanced form of password or secret code), and the ‘strength’ of the key, meaning its length in bits, is essential. If you think that anything is better than nothing, consider this: a 40-bit key can be cracked in under five seconds. A 128-bit key increases the number of mathematical possibilities from 2^40 to 2^128. A 128-bit key therefore has 309,485,009,821,345,068,724,781,056 times as many possible keys, which is a whole lot more secure. Simples! Again.
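To make the key-length arithmetic concrete, here is an added example (not part of the original column) that computes the key-space ratio behind the 2^40 versus 2^128 comparison and extrapolates exhaustive-search time. It assumes, purely for illustration, that the “under five seconds” figure for a 40-bit key reflects an attacker's trial rate and that the same rate applies to longer keys.

```python
# Added example: key-space arithmetic for memory-stick encryption key lengths.
# Assumption (illustrative only): the column's "40-bit key cracked in under
# five seconds" is treated as an attacker trial rate and scaled linearly.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def key_space(bits: int) -> int:
    """Number of distinct keys for a key of the given length in bits."""
    return 1 << bits


def key_space_ratio(bits_a: int, bits_b: int) -> int:
    """How many times larger the bits_b key space is than the bits_a key space."""
    return key_space(bits_b) // key_space(bits_a)


def implied_rate(bits: int, seconds: float) -> float:
    """Keys per second an attacker must try to exhaust a key space in `seconds`."""
    return key_space(bits) / seconds


def expected_years(bits: int, rate: float) -> float:
    """Expected exhaustive-search time in years at `rate` keys per second.

    On average half the key space is searched before the right key turns up.
    """
    return key_space(bits) / 2 / rate / SECONDS_PER_YEAR


def comparison_table(lengths=(40, 56, 128, 256), baseline_seconds=5.0) -> dict:
    """Map each key length to expected search years at the rate implied by the
    40-bit, five-second baseline from the column."""
    rate = implied_rate(40, baseline_seconds)
    return {bits: expected_years(bits, rate) for bits in lengths}


if __name__ == "__main__":
    print("2^128 / 2^40 =", key_space_ratio(40, 128))
    for bits, years in comparison_table().items():
        print(f"{bits:3d}-bit key: ~{years:.3g} years at the 40-bit/5s rate")
```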
About the author: Author, journalist and consultant Davey Winder has been writing about security issues for 16 years. Last June, he won the Security Journalist of the Year 2008 award: the second time he has been given this honour in three years.