This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 Malta License.
The personal data of every citizen of Malta consisting of ID and passport numbers, name, address, age, phone, email, credit card and bank account numbers and a dozen other items of information require less than the storage capacity available on a single CD-ROM disk. While a CD-ROM disk is a medium familiar to many, it is not the most compact. Four times the storage capacity of a CD-ROM can now be stashed in a USB pen drive having an area of less than 4 square centimetres. And such pen drives are not lab animals; you can go and buy one tomorrow. Electronic data has no weight and takes up no space. A USB pen drive which is empty looks identical to one which is packed solid. Transferring all the data from its original repository to a USB pen drive takes a few minutes; is silent and above all, leaves the original copy unaltered. With the data listed here one can impersonate a person, send out mail shots (electronic, telephonic and paper), use credit cards to effect purchases or perform demographic information on the data. Most of the information listed above can be sold to hackers and spammers for good money if one knows where to go.
Compare this to a situation in which someone wants to take the same information on paper. If one takes the originals then these will probably be missed sooner or later. On the other hand, if one decides to photocopy the original, the amount of supplies necessary to complete the task may get noticed. Assuming that, unlike McLaren who were caught red handed copying Ferrari documents at a copy bureau, one owns the photocopier, toner, paper and the time necessary to duplicate the documents, transporting them is a huge challenge necessitating both man and machine.
The quantity and ease with which data can be carried places a new responsibility on those who carry such data. In today's connected world, the need to hold data outside the confines of a properly secured and controlled area should be questioned, Rather than make a copy of the data when working from home, one should consider hooking via a secure channel to the work computer. Therefore if the home computer is stolen no data would be actually stored on it and other than the cost of the device itself no additional loss would be registered.
Not everyone has or can justify a properly secured premise in which to centrally house all the data they use. Many SMEs, NGOs and other "normal" computer users have a form of security they use to protect other items of value within the boundaries of a house or office. For a determined thief normal home security poses no problem. To this list, one must include many professionals whose only computer is their notebook and therefore end up lugging it all over the place.
The key to successfully protecting the data one has been entrusted with is to apply the law of least exposure. If one can access the data remotely then one should do so; if not one should take the utmost measures that ensure that the data cannot be hacked into.
Irrespective of how or where data is stored and how it is accessed, access to all computers should be via a login screen. The minor incontinence to a legit user having to type in a user name and password on computer boot up translates into a hurdle to a thief. A weak password (or one which has been written down on the computer itself) is as good as no password.� Such a simple security measure will differentiate between a thief who stole a computer for its intrinsic value and one whose after its contents; the foremost would give up and reinstall it from scratch erasing all prior content thereby eliminating any chance of his having a peak at "what's inside". A screen saver that automatically locks the computer after a reasonably short period of time ensures that the computer will not be accessible for long after its owner moves away (although locking a computer as soon as one moves away from it is a very easy habit to get into).
What applies to login passwords applies to all subsequent passwords. If a computer is in the possession of a hacker, that machine's login can be compromised and the hacker can impersonate the legitimate user. All those features and facilities available to the owner now become available to the thief. For example, if the one had memorised passwords to access sensitive web sites as well as those that allow access one's work place; the hacker would find them pre-programmed and need not have to figure them out. Take it on from there...
One technique used by hackers who are after a computer's data is to remove the hard disk from the stolen machine. In fact there is an increase in the number of cases wherein thieves walked away with all the hard disks in an office leaving the opened computers behind. In such a situation, the only way to protect a data is to encrypt the file directly or, even better, to encrypt the entire hard disk. As long as the encryption mechanism (most modern products provide encryption endorsed by the US and the EU) as well as the password are up to standards, the data is, for all intents and purposes inaccessible. This protection can be applied as effectively to data storage devices such as CD-ROM disks and USB drives.
Having a frequently updated security solution made up of firewall, antivirus and spam blocker is a must. Ideally one should have a computer to surf the net and chat and have fun and a computer for work. Allow young children to surf off a work computer is not unadvisable. If this is not possible, one should then have a login for work related matters and another login without administrative rights for pleasure. Above all, discipline, maturity and the common sense (these are the reasons why young children should not use work computers) are mandatory. All too-good-to-be-true situations are exactly that. Accepting something without having read what it does and opening everything that comes via email or chat is a recipe for problems. For example, malicious programs called key loggers and bots are being distributed to thousands of unsuspecting users via the channels mentioned here. Key loggers transmit every keystroke typed into the computer to its master. Passwords, websites, bank account numbers and credit cards are examples of the type of information being sought. On the other hand, bots lie dormant until their master sends them an instruction. Upon receiving the instruction these electronic zombies execute what they have been instructed to do.
Is this a dooms day scenario necessary or is it simply ink on paper? If the computer holds data and therefore individuals stand to loose or suffer if a computer is compromised than it is the responsibility of the data holder to ensure that the data is safeguarded and is not available to unauthorised third parties. The examples listed here are a few of the reported cases in which conjecture became fact. And what about the multitude of unreported cases in which the theft is nor reported and the data owners are never made aware of the event?
Richard Thomas, the British Information Commissioner, wants to pass legislation that would make doctors and hospital employees liable if they leave a laptop containing patients� records in their car and the laptop is stolen. He claimed that "it is hard to see that is anything but gross negligence" and that is should attract criminal penalties. Currently there is no element of punishment for wrong doing. If the new legislation were to pass, offenders could be fined up to £5,000 in a magistrates' court or unlimited sums in the Crown Court. Cases in which individuals or groups have sued companies over data leaks are common.
And don't leave your laptop in your unattended vehicle.
Alan is the managing director of onNeutral Ltd an ICT firm specializing in security, data retrieval and crime investigation services. onNeutral Ltd's web site is at http://www.onNeutral.com.
Your comments are welcome.
This work is licensed under a
Creative Commons Attribution-Noncommercial-Share Alike 2.5 Malta License.