Page 54 - the SyI Quarterly 15
Cyber Updates
Even worse is youngsters revealing too much personal information and becoming victims
of cyber bullying or worse. Such information as being part of a minority group or religion
can open someone up to abusive online bullying or even being targeted in the real world.
The first thing is to recognise where information is being aggregated. This can apply to
one database or dataset, but it is also important to look at that dataset in the context of
related datasets. By itself, a database of customer details in a CRM system may not seem
that sensitive, but when related to other databases it may be possible to extrapolate
additional information such as someone with an addiction or fetish.
Having decided that a dataset aggregates to something more sensitive than the sum of
the individual datasets, additional controls need to be added to address the aggregation.
Information may be classed as personal if it’s one entry or one million. But losing a copy of
one entry would normally have a much lower impact than losing a copy of a million entries,
especially if it includes credit card information or other sensitive personal data.
Even from a basic business impact perspective, having to send a letter to one customer
to say their credit card has been compromised may cost £1; letters to a million or more
customers, on the other hand... When TNT lost two discs of personal information from Her Majesty's
Revenue and Customs (HMRC), not only did HMRC get the blame, it cost them £23 million
just to send out the letters informing people.
Access control should ensure only authorised people have access to the data, but
consider: do staff need access to all the data to do their job, or just some of it? If they only
need regional data, or access to single entries at a time, then the authorisation should
be configured to enforce this policy and not allow data mining or bulk extracts. More
importantly, the accounting of users' actions should be of sufficient quality that it can be
used as evidence in a court, should legal enforcement be required.
Accounting is very important in dissuading people from overstepping their remit. Just
because someone can do something, it does not mean they should. The ability to look at
all records in a database does not mean a member of staff should start looking at details
about their neighbours, managers or famous people. It should be possible to trace an
action to the responsible individual.
There may be some records in a database that you want to add a flag to. Well-known
people are obvious examples, but also company directors may be deemed sensitive and
could be flagged. By this I mean using a host-based intrusion detection system or other
method to alert security if someone looks at a particular record. SOC staff would have a
list of those authorised to do so and would send someone to pay a visit to anyone who
was not.
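The two controls just described, an audit trail good enough to attribute every action to an individual and an alert when someone outside an authorised list looks at a flagged record, can be illustrated with a small piece of code. The following is an added example, not code from the article or from any product it mentions; the record ids, user names and the authorised lists are made up. Each log entry is chained to the previous one with a hash so that a later change to any entry is detectable, which is the property an evidential log needs.

```python
"""Attributed, tamper-evident audit log with flagged-record alerting.

Constructed example (not from the SyI Quarterly article). Every record
view is appended to a hash-chained log under the user's name; a view of a
flagged record by someone not on its authorised list returns an alert for
the SOC to act on.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry

# Constructed: record id -> users authorised to view that record.
FLAGGED_RECORDS = {
    "cust-1001": {"vip.team.lead", "fraud.analyst"},  # a well-known customer
    "cust-2042": {"company.secretary"},               # a company director
}


def _digest(fields):
    """SHA-256 over a canonical JSON encoding of the entry's fields."""
    canonical = json.dumps(fields, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    def __init__(self, flagged=FLAGGED_RECORDS):
        self.entries = []
        self.last_hash = GENESIS
        self._flagged = flagged

    def record_view(self, user, record_id, source_ip, when=None):
        """Log that `user` viewed `record_id`; return an alert dict or None."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "ts": when.isoformat(),
            "user": user,          # the individual the action is attributed to
            "record": record_id,
            "src": source_ip,
            "prev": self.last_hash,  # links this entry to the one before it
        }
        entry["hash"] = _digest(entry)  # computed before the key is added
        self.entries.append(entry)
        self.last_hash = entry["hash"]
        return self._check_flag(entry)

    def _check_flag(self, entry):
        """Alert when a flagged record is viewed by someone not authorised."""
        authorised = self._flagged.get(entry["record"])
        if authorised is None or entry["user"] in authorised:
            return None
        return {
            "severity": "high",
            "reason": "flagged record viewed by unauthorised user",
            "user": entry["user"],
            "record": entry["record"],
            "src": entry["src"],
            "ts": entry["ts"],
        }

    def actions_by(self, user):
        """Every logged action attributable to one individual, in order."""
        return [e for e in self.entries if e["user"] == user]

    def verify_chain(self):
        """True if no entry has been altered, removed or reordered."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "hash"}
            if _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    log = AuditLog()
    print(log.record_view("fraud.analyst", "cust-1001", "10.0.0.5"))  # None
    print(log.record_view("j.bloggs", "cust-1001", "10.0.0.9"))       # alert
    print("chain intact:", log.verify_chain())
```

In a real deployment the alert would be forwarded to the SOC's ticketing or SIEM system and the log written to append-only storage; the hash chain only shows that an entry was changed, it cannot stop the change.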
If databases have search functions there are also controls that can be put in place to
reduce or prevent data mining. Putting a specific type of proxy in front of the database
that prevents more than a set number of searches or only allows a small number of
records to be returned at a time can help. If people only need to see single records to do
their job, why would you permit multiple records to be returned?
Controls could also prevent wildcard searches on the database or limit the search keys.
Banks do this very well. When a person contacts the bank via a call centre, the advisor will
look up the record for the person based on, for example, postcode and surname. They will
then be prompted for information that only the caller would know. Without this the record
cannot be seen by the staff member.
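The preceding paragraphs describe a set of controls that together resemble a gateway in front of the database: results scoped to what the user's job needs (regional data, single entries), a cap on searches and on records returned, no wildcard searches, a restricted set of search keys, and a prompt for details only the caller would know before the record is shown. The following is an added example of such a gateway and is not code from the article or from any bank; the users, regions, customer records and verification fields are all constructed for illustration.

```python
"""Query gateway placed in front of a customer database.

Constructed example (not from the SyI Quarterly article). The gateway
enforces: approved search keys only, no wildcards, a per-user search
limit per time window, results scoped to the user's region, at most one
record per search, and a knowledge-based check before details are released.
"""
import hmac
import time
from collections import defaultdict

ALLOWED_KEYS = {"postcode", "surname"}    # the only fields staff may search on
WILDCARDS = set("*%_?")
MAX_RESULTS = 1                           # staff handle one customer at a time
MAX_SEARCHES = 20                         # per user per window
WINDOW_SECONDS = 600
KNOWLEDGE_FIELDS = ("dob", "card_last4")  # details only the caller should know
HIDDEN_FIELDS = {"dob", "card_last4", "region"}  # never echoed back to staff

# Constructed sample data.
RECORDS = [
    {"id": "c1", "surname": "Smith", "postcode": "SW1A 1AA", "region": "london",
     "dob": "1980-01-02", "card_last4": "4242", "balance": "120.00"},
    {"id": "c2", "surname": "Smith", "postcode": "M1 1AE", "region": "north",
     "dob": "1975-05-06", "card_last4": "1111", "balance": "15.50"},
    {"id": "c3", "surname": "Jones", "postcode": "SW1A 1AA", "region": "london",
     "dob": "1990-09-10", "card_last4": "9876", "balance": "0.00"},
    {"id": "c4", "surname": "Smith", "postcode": "E1 6AN", "region": "london",
     "dob": "1966-03-04", "card_last4": "5555", "balance": "300.00"},
]
USERS = {"alice": {"region": "london"}, "bob": {"region": "north"}}


class GatewayError(Exception):
    """Raised when a request breaches one of the gateway's controls."""


class QueryGateway:
    def __init__(self, records=RECORDS, users=USERS, clock=time.monotonic):
        self._records = records
        self._users = users
        self._clock = clock                 # injectable so the limit can be tested
        self._searches = defaultdict(list)  # user -> timestamps of recent searches

    def search(self, user, **criteria):
        """Return the ids (not the contents) of records matching the criteria."""
        if user not in self._users:
            raise GatewayError("unknown user")
        if not criteria:
            raise GatewayError("at least one search key is required")
        disallowed = set(criteria) - ALLOWED_KEYS
        if disallowed:
            raise GatewayError(f"search key not permitted: {sorted(disallowed)}")
        if any(WILDCARDS & set(value) for value in criteria.values()):
            raise GatewayError("wildcard searches are not permitted")
        self._count_search(user)
        region = self._users[user]["region"]
        hits = [
            r for r in self._records
            if r["region"] == region
            and all(r[k].casefold() == v.casefold() for k, v in criteria.items())
        ]
        if len(hits) > MAX_RESULTS:
            raise GatewayError(f"{len(hits)} matches; refine the search to one record")
        return [r["id"] for r in hits]

    def open_record(self, user, record_id, answers):
        """Release a redacted record only once the caller's answers match."""
        record = next((r for r in self._records if r["id"] == record_id), None)
        if record is None or record["region"] != self._users[user]["region"]:
            raise GatewayError("record not available to this user")
        for field in KNOWLEDGE_FIELDS:
            given = str(answers.get(field, "")).encode()
            if not hmac.compare_digest(given, record[field].encode()):
                raise GatewayError("caller verification failed")
        return {k: v for k, v in record.items() if k not in HIDDEN_FIELDS}

    def _count_search(self, user):
        """Enforce the per-user search limit over a sliding window."""
        now = self._clock()
        recent = [t for t in self._searches[user] if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_SEARCHES:
            raise GatewayError("search limit reached; contact security to raise it")
        recent.append(now)
        self._searches[user] = recent


def attempt(call, *args, **kwargs):
    """Run a gateway call and report ("ok", result) or ("denied", reason)."""
    try:
        return "ok", call(*args, **kwargs)
    except GatewayError as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    gw = QueryGateway()
    print(attempt(gw.search, "alice", surname="Smith", postcode="SW1A 1AA"))
    print(attempt(gw.search, "alice", surname="Sm*"))
    print(attempt(gw.open_record, "alice", "c1", {"dob": "1980-01-02", "card_last4": "4242"}))
```

Note that a search that matches several records is refused rather than trimmed, so a member of staff cannot page through a region's customers surname by surname, and that the search only ever returns locators; the record's contents are released by `open_record`, and only after the caller has answered correctly. Denied requests are a useful signal in their own right and would be written to the audit trail in practice.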