Data Safety and Security: What Is the Test and How Can I Meet It?

A guide to understanding data security issues, and what counsel can do about them.

Constantine Karbaliotis, LL.B., CIPP[1]

[1] Canadian Senior Compliance Business Specialist, Symantec (Canada) Corporation

Introduction

In the Internet age, a degree of familiarity with technology is assumed, simply because of the pervasiveness of technology. What professional today does not have a cell phone capable of taking pictures, receiving e-mails or text messages? What lawyer does not have a computer at home from which to do work, connect to the office, and do research? Unfortunately, technology has become commonplace without a corresponding education for technology users on how to secure data. Anyone in doubt of this can simply consider some interesting statistics about home users: of those having broadband (high speed) connections, fully two-thirds are without an effective firewall, software or hardware which helps to insulate their computer from invasive scanning from the Internet. Fully two-thirds are still without up-to-date antivirus protection, and one in seven has no anti-virus at all, leaving their computers open to infection by destructive viruses and worms. Four in five users have spyware or adware programs on their computers, but most are unaware of this[2]. Home users are more likely to be ‘taken over’ and turned into ‘zombies’ which are then used to launch secondary attacks on other computer systems; it is estimated that over 4 million computers connected to the Internet have been turned into ‘zombies.’[3]

[2] “Largest In-Home Study of Home Computer Users shows Major Online Threats, Perception Gap”, Joint AOL/NCSA Online Study (2004).
[3] Symantec Internet Security Threat Report, Vol. X, September 2006, p. 18 (hereafter “ISTRX”). The Symantec Internet Security Threat Report is available on-line for download, is updated on a regular basis, and is a valuable resource for understanding where current threats exist in the online world.

While this illustrates the gap in knowledge most computer users have about data security fundamentals, the reality is that many enterprises, of all sizes, suffer a similar inability to control their computing environment. In many cases, such as with small and medium businesses, the issue simply is that they do not have dedicated information technology (IT) staff with knowledge of the environmental risks. But in many cases, even in large enterprises and even when IT staff are fully aware and have advised management of the risks, management has failed to make the appropriate investment to adequately safeguard the environment.

This paper is directed towards lawyers advising organizations, to provide some guidance about the types of risks which clients are facing, the test against which organizations will be measured under applicable privacy legislation, and some strategies for counsel to help their clients move to a better security posture and thus mitigate potential liability through the use of security standards.

Positions affecting Data Security

Lack of understanding of the connected world that we now live in is a key risk in the area of data security. Seeking counsel, whether as to the law or as to technology, is the only remedy to this situation, as it is difficult for most people to become educated about the risks affecting their business.

©Symantec (Canada) Corp.
Security, unfortunately, is not as ‘sexy’ as on-line shopping sites for consumers, or business-to-business portals, which increase revenue for the organization. Security is typically seen simply as a cost, and therefore minimized. Particularly in the privacy arena, where most privacy breaches arise from security breaches, there are three thought-processes justifying this stance:

1. “We haven’t had an issue yet.”
2. “Let’s take a wait-and-see approach.”
3. “The consequences are not serious enough to justify the investment.”

These thought processes are based on two faulty assumptions: that the past will provide a good guide to the future, and that the enterprise has had no security issues.

The past is not a good guide to the future. The Internet is evidence that not only are threats evolving, they are evolving more rapidly than most organizations can handle if they rely on traditional tools to respond. Whereas in the early days of the Internet, attacks were primarily made by those seeking a reputation for infecting the largest number of machines possible, today attacks are profit-oriented, with organized crime often behind the attacks[4]. Both the purpose and mechanism of attacks change on “Internet time,” which is to say rapidly. The ‘zero-day exploit’ – the attack which occurs on or before the day that a vulnerability is identified, and before software makers can issue patches to remedy the vulnerability – is a further example of why the past is not a good guide to the future. The targets of attacks have changed: rather than being ‘everyone,’ attacks are increasingly very targeted. In the past, viruses have been created with a view to creating reputation – by infecting as many machines as possible, causing embarrassment or actual destruction of data. Anti-virus software makers have responded, and reduced the opportunities for such massive waves of destruction. Now, ‘malware’ authors are targeting customers of specific enterprises, such as banks, in order to obtain personal information such as credit card data, with the ultimate goal of committing fraud or identity theft[5].

[4] ISTRX, page 4
[5] ISTRX, page 9

The second fallacy, “We have been okay up to now,” has often been the response to IT staff seeking better security. Most organizations which have inadequate security safeguards also have no capacity to know if they have had a security breach. The risk here is that losses of personal information have taken place without the organization knowing for sure – or worse, that it may still be happening. Technologies exist which provide for intrusion detection and monitoring, and which audit systems’ compliance with security and privacy policies: examples include testing whether passwords are long enough, whether the latest operating system patches have been applied, or whether each system has up-to-date antivirus protection. These systems provide auditable evidence of compliance. Not enough organizations in Canada have made the investment in these technologies, which is increasingly less defensible given the number of areas in addition to privacy where organizations are obliged to provide evidence of compliance with security standards – SOX/Bill 198, PCI, and critical infrastructure protection requirements, to name a few.

It is only when a breach occurs, and some exposure, whether through publicity, law suits or regulators, that money is made available to address security and privacy concerns. This becomes a rushed expenditure that rarely is well spent – reacting to the immediate problem rather than putting in place a security and privacy solution that fits into the overall business. ‘Firefighting’ highlights yet another risk associated with not having determined a data security strategy in calmer moments.

Finally, as to the third fallacy, the risk of consequences is indeed changing. The Privacy Commissioner of Canada has announced that her office will be conducting audits where there are reasonable grounds to be concerned about the privacy practices of an organization. Public issuers in Canada subject to Sarbanes-Oxley and Bill 198 are subject to an increased level of audits concerning their information management – and in turn are also conducting audits known as CICA 5970 audits to review the information practices of their sub-contractors and outsourcing partners, to ensure that they are handling information in an appropriate manner, since the public issuer remains liable for any problems associated with the safeguarding of the information being processed by the subcontractor or outsourcer. Finally, the Payment Card Industry Security Standards provide for serious consequences for companies which fail to adhere to the standards, including fines by the credit card issuers, or termination of their contract to process credit cards. (Attached as Appendix A is the PCI Security Standard.)

Compliance is increasingly a corporate topic inclusive of privacy, as well as a host of other regulatory and contractual requirements. A weakness in security affects compliance in all arenas. Apart from regulatory sanctions or law suits, it is increasingly obvious, both within Canada and in the US, that security breach stories are never good for the reputation of the organization. Finally, while there are not yet many cases in Canada arising from security breaches, it would be expected that lawyers would consider not only regulatory action, but the likelihood that civil damage claims would ultimately be made in an appropriate case.
Because such security breaches often involve databases, and thus the exposure of the personal and financial information of large numbers of individuals, these types of claims are ideally suited to become class proceedings.

Threats and Attacks

This is not intended to be exhaustive, but to supply some basic knowledge about current threats and attacks, as much as the language relating to them, and how they operate to threaten an enterprise[6].

[6] The definitions are taken from a variety of Symantec sources; see Symantec’s on-line resources for enterprise-related information, and for home and home office-related information.

Malicious code refers to the variety of types of software that have evil intent – regardless of the mechanism by which they spread or operate. Viruses were the first of this type, but the category now also includes worms, trojans, bots, and adware or spyware. Malicious code has one thing in common – it involves installation of software which causes harm, either without the consent of the computer user, or by deception. Risks from these types of programs are increasing in response to the improved defences supplied by anti-virus technologies; malicious software is now often modular, downloading other software after the initial infection, and is thus able to update itself with new, potentially more damaging code.

A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply to replicate themselves and make their
presence known by presenting text, video, and audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behaviour and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss. Polymorphic viruses are becoming more prevalent: these alter their own code during replication to avoid detection by traditional antivirus software.

Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm.

Trojan horses are impostors—files that claim to be something desirable but, in fact, are malicious. A very important distinction between Trojan horse programs and true viruses is that they do not replicate themselves. Trojan horses contain malicious code that, when triggered, causes loss, or even theft, of data. For a Trojan horse to spread, you must invite these programs onto your computers; for example, by opening an email attachment or downloading and running a file from the Internet.

Bots (short for “robots”) are programs that are covertly installed on a targeted system. They allow an unauthorized user to remotely control the compromised computer for a wide variety of malicious purposes. Attackers often coordinate large groups of bot-controlled systems known as bot networks. These networks can be used to perform distributed attacks, including denial-of-service (DoS) attacks, against organizations’ systems.
A rootkit is a collection of trojan horses that replace system binaries in an attempt to allow attackers to retain access to systems while hiding their activity. Often, the script used to install the rootkit will remove evidence of the compromise and rootkit installation to further cloak the intrusion.

Spam has been a pervasive problem over the past few years; enterprises have had to invest significant efforts and money in technologies to prevent the onslaught of invitations to invest, expand various parts of the human anatomy, buy drugs, or participate in get-rich-quick schemes. Spam now makes up 54% of all monitored e-mail traffic. As instances of spam climb, so does the complexity of the techniques used. Over the past couple of years, “phishing” has become a common phenomenon. Phishing generally employs clever fakes designed to lure the unwitting into revealing confidential information such as passwords, account information, and other forms of sensitive personal information. Spam is also becoming a conduit for malicious code, such as Trojans, which may be used to turn recipients’ computers into ‘zombies’ that can be remotely controlled by hackers to attack Web servers, collect personal information, or send spam emails. On average, 172,000 users lose control of their machines each day, and zombie networks account for about 50 to 80% of all spam according to various industry reports[7].

[7] Getting Tough on the Growing Spam Problem (June 21, 2005), Symantec Enterprise Library

Adware and spyware are also becoming a prevalent source of problems[8]. Adware and spyware are software which has been installed, often deliberately by a user of the home computer, but was ‘hidden’ in an otherwise innocent-looking download of a browser toolbar, utility, game or screensaver. Spyware or adware is often included in apparently desirable or useful software downloaded from the Internet, and may even be mentioned in the licence agreement that most users simply click to accept. Spyware can include software which searches for and sends sensitive data, records the user entering passwords or credit card information, and sends it surreptitiously to the creator’s web site. Adware often installs other, pernicious software which redirects the user to web sites to drive up usage statistics, on which web sites are often paid by advertisers, or imposes advertising on the home user. Often, the content of these sites or advertising can be uncomfortable or embarrassing for adult users, and is inappropriate and harmful to children. Adware typically also monitors the user’s patterns of usage and behaviour on the Internet and provides this valuable ‘meta-data’ to the authors, who resell it – whether or not the meta-data is anonymous – to others for directed and further intrusive unsolicited advertising.

[8] Spyware: How can it be removed? (June 15, 2005), Symantec Home and Home Office

A Sampling of Data Security Issues and Mitigations

Data security breaches can occur in a number of ways, and can impact many different types of information in the organization. While loss of business confidential information can also be devastating to an organization, the focus here will be the likely ways in which the personal information in the custody of the organization can go astray. This is not intended to be an exhaustive list of potential data security risks, but ones that focus on the ways in which lawyers work on a day-to-day basis, and are applicable to the law firm environment.
1. Portable information

Information is increasingly portable – and given that most people seem to work more than forty hours in a week, often from the road or at home, this is a tremendous convenience. It is fairly common to use these devices to copy information from the corporate network, and take it home to work on. Laptops and other portable devices that can carry tremendous amounts of data, such as USB drives or iPods, are pervasive, useful and commonly used by professionals and organizations’ executives and staff. But there are many public examples of the loss of this portable information; the ones that have recently received considerable attention are losses of laptops.

One strategy is to encrypt the data on the device. However, few organizations make the effort to ensure that the information on these devices is encrypted so as to mitigate the risk of the loss of the device. This is often due to the administrative difficulty in managing the keys required to encrypt data – this requires some central management, and thus effort and labour, simply to ensure that the data can be recovered when (inevitably) the user forgets their password.

Another strategy is to not allow personal information to get onto the laptop or device in the first place. With web-enabled applications, most information can be offered remotely to users, and securely – and loss of the laptop means little if there is no information actually stored there. This requires, however, an investment in web-based security and in making the information needed to do one’s work available remotely.
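The key-management difficulty described above (data must stay recoverable when the user forgets their password) is usually solved by envelope encryption: the file is sealed under a random data key, and that data key is wrapped separately under a passphrase-derived key and under a recovery key held by the organization. The following Go program is an added example written for this page; it is not code from the paper or from Symantec. It assumes AES-256-GCM for sealing, an iterated SHA-256 stand-in where a production system would use a proper password KDF such as PBKDF2 or scrypt, and a 32-byte recovery key (orgKey) that is constructed here but would live in central key management.

```go
// Added example (not code from the paper or from Symantec): envelope encryption
// for a file carried on a laptop or USB drive. A fresh data key seals the file, and
// that key is wrapped under a passphrase-derived key and under a recovery key.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Container is what is actually written to the portable device.
type Container struct {
	Salt          []byte // salt for the passphrase-derived key
	WrappedByUser []byte // data key sealed under the passphrase-derived key
	WrappedByOrg  []byte // data key sealed under the recovery key (kept centrally)
	Ciphertext    []byte // the file itself, sealed under the data key
}

// deriveKey stretches a passphrase into a 32-byte key. Iterated SHA-256 is a
// stand-in (assumption) for a real password KDF such as PBKDF2 or scrypt.
func deriveKey(passphrase string, salt []byte) []byte {
	key := sha256.Sum256(append([]byte(passphrase), salt...))
	for i := 0; i < 100000; i++ {
		key = sha256.Sum256(append(key[:], salt...))
	}
	return key[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM's tag makes a wrong key or a tampered container fail.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt builds the container. orgKey is the organisation's 32-byte recovery
// key, which never travels with the device.
func Encrypt(file []byte, passphrase string, orgKey []byte) (*Container, error) {
	buf := make([]byte, 48) // 32 bytes of data key followed by 16 bytes of salt
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dataKey, salt := buf[:32], buf[32:]
	ct, err := seal(dataKey, file)
	if err != nil {
		return nil, err
	}
	byUser, err := seal(deriveKey(passphrase, salt), dataKey)
	if err != nil {
		return nil, err
	}
	byOrg, err := seal(orgKey, dataKey)
	if err != nil {
		return nil, err
	}
	return &Container{Salt: salt, WrappedByUser: byUser, WrappedByOrg: byOrg, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with either wrapping key, then opens the file: the user
// passes deriveKey(passphrase, c.Salt) with c.WrappedByUser; the help desk passes orgKey
// with c.WrappedByOrg when the passphrase has been forgotten.
func Decrypt(c *Container, kek, wrapped []byte) ([]byte, error) {
	dataKey, err := open(kek, wrapped)
	if err != nil {
		return nil, errors.New("wrong key or damaged container")
	}
	return open(dataKey, c.Ciphertext)
}

func main() {
	orgKey := make([]byte, 32) // constructed; a real key lives in central key management
	rand.Read(orgKey)
	c, _ := Encrypt([]byte("constructed sample: client contact list"), "pass-phrase", orgKey)
	rec, _ := Decrypt(c, orgKey, c.WrappedByOrg) // the recovery path
	println(string(rec))
}
```

The point of the design is that the recovery key never has to be on the device and the user's passphrase never has to be escrowed: the help desk recovers the data key, not the passphrase, and rotating the organization's recovery key only requires re-wrapping the data keys, not re-encrypting every file.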
2. Endpoint Security: Working from home and the web cafe

Many knowledge workers work from home – after all, with high-speed access, and the never-ending work week, this is quite practical. But there are, as noted above, few homes that have adequate security around their home networks and computers, and this is ultimately the organization’s problem. Home users are the most highly targeted group of users for targeted attacks – 86% according to the latest Symantec Internet Security Threat Report[9]. This is likely because they remain a fertile source of personal information, in combination with inadequate measures to secure home computing resources.

[9] ISTRX, page 9

The risks that home working creates arise in part from the lack of even basic protections on home computers that are nonetheless used to connect to corporate networks. To address this, many companies are making anti-virus software available to their employees, specifically for their home computers, as well as firewall software. Another common approach is to create a ‘virtual private network’ (VPN) that allows home users to communicate through a secure, encrypted ‘tunnel’ directly to the corporate environment, ensuring that the content of the communications cannot be intercepted. As well, secure web applications can be utilized to encrypt the connection between the remote user and the web application. The problem with both these approaches is that they assume that there is protection against malicious code at the endpoint – the user’s computer.
Web ‘cafés’, where there are public terminals available for use and paid for by the hour, as well as wireless connections for those using their own laptops, present another set of challenges. These web café computers may be infected with malware or viruses, through the usual mechanism of people visiting sites and downloading software, or by deliberate actions on the part of those seeking to harvest personal information.

Web cafés, as well as home users, often utilize the convenience of wireless connections. These present their own challenges, simply because they are so convenient and commonplace, yet so typically inadequately protected. An estimated 75% of wireless networks are either insecure (not utilizing encryption) or are configured with ‘default’ administrator passwords and setup, well known and available by simply downloading user manuals from the Internet. (Typically, they are set up for user ‘admin’ with password ‘admin’.) Because of their convenience and ease of set-up, corporate IT administrators have to be on the look-out for users who have simply connected a wireless access point to the corporate network. This poses a tremendous risk, because users typically fail to turn on even rudimentary security; such a connection opens the whole network up to exposure, defeating the often tremendous investment in setting up firewalls and other security at the corporate network’s connection to the Internet.

An additional area of concern lies in the monitoring of communications between users and the corporate LAN over unencrypted connections, ‘eavesdropping’ on the transfer of confidential information. Often this can happen quite accidentally – many laptops come with wireless networking built in, which users turn on so they can connect at home, but fail to turn off when returning to work. While connected to the wired corporate network, the wireless connection provides an access point into the network to anyone in the vicinity[10]. “Wardriving” refers to the hobby of locating and accessing such available access points. Below is a map from 2004 indicating, in green, insecure access points in downtown Toronto; blue indicates ‘default’ set-ups, and red, those utilizing WEP (wireless encryption protocol) for security. Even WEP has been demonstrated to be easily cracked, and new, more defensible standards such as WPA have evolved; however, it may be that the only way to secure wireless connections carrying confidential or personal information effectively is to use a VPN and encrypt the communications[11].

[10] ISTRX, page 34
[11] ISTRX, page 36

[Figure: map of wireless access points in downtown Toronto, 2004 (green: insecure; blue: default set-up; red: WEP)[12]]

[12] Source: (not preserved)

In a 2003 story in Toronto, police arrested a man driving the wrong way down a one-way street, and found him half-naked with a laptop utilizing an insecure wireless connection from a home network to download child pornography. This highlights the risk to individuals and businesses, who might be called upon to explain why their IP address was being used to access inappropriate materials.
3. Malicious Code Protection

What can be done about malicious code? It is now an expectation that organizations will have up-to-date antivirus software installed on computers, and will scan e-mail attachments as well as most other forms of electronic communication – instant messaging being the latest battleground – to ensure malicious code does not enter the organization. Organizations which do not have this must be viewed as falling below an acceptable standard of care.

But it goes beyond this. One of the greatest problems in this area is of course the ‘unmanaged device’, such as the home computer, the USB drive, or even the old floppy, which requires the enterprise to actively monitor and defend itself from the risks associated with malicious code entering through the day-to-day activities of users accessing the corporate network. Technology to support remote users on a variety of platforms exists; so do technologies which monitor or disable USB devices that are not approved, or simply automatically run scans and isolate devices which do not meet corporate security standards; as does access control technology that ensures that only permitted devices are able to access information over the corporate network. These are all available, and must be viewed as essential elements in the toolkit to meet the obligations of the corporation’s stewardship over personal information.

Education is also critical to help prevent infection; users must be taught not to open attachments that are not from trusted sources, or that they are not expecting. Most successful malicious code attacks are in combination with ‘social engineering’ techniques, which require the user to be fooled into opening an attachment or running a program. Given that outbreaks can often be attributed to poor information security practices on the part of users, a security awareness program should be considered not a best practice, but a minimum requirement. Considering the consequences of a virulent outbreak, the organization must devote an appropriate amount of resources to deal with the consequences of a potential exposure of confidential and personal information to those seeking to use it for fraudulent purposes, which includes considering it from the perspective of business continuity planning (such as use of archiving and retrieval technologies).

Best Practice = Best Defence?

It is against the standard of reasonableness that most actions are measured, including data security. The tendency is to confuse this with ‘what everyone else is doing.’ This is not a helpful way to determine an appropriate course of action with regard to data safety and security, and represents the fourth and final fallacy: what everyone is doing may be wrong. Best practices are identified by practitioners in the information security field, and it is against these that organizations will be measured, in terms of how far or how closely the organization’s practices measure against them. With this in mind, the following enterprise best practices[13] are suggested as being ‘the test’ for data security and safeguarding in the privacy arena:

[13] ISTRX, page 99

1. Enterprises should first of all have a security strategy and policy, which involves multiple, overlapping, and mutually supportive systems to guard against a single point of failure in any specific technology or protection method. This should include the deployment of regularly updated antivirus, firewalls, intrusion detection, and intrusion protection systems on client systems.
2. Enterprises should assess their systems against their enterprise security policy, and turn off and remove services that are not needed.
3. If malicious code or some other threat exploits one or more network services, the enterprise must have the capacity to disable or block access to those services until a patch is applied.
4. The enterprise must always keep patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as web, file transfer, mail, and directory or domain services.
5. Enterprises should implement network compliance solutions that will help keep infected mobile users out of the network (and clean them up before entering).
6. Enterprises must enforce an effective password policy. Ensure that passwords are a mix of letters and numbers. Do not use dictionary words. Change passwords often.
7. Enterprises should configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses.
8. Enterprises must have the capacity to isolate infected computers quickly to prevent the risk of further infection within the organization, and thereafter perform a forensic analysis and restore the computers using trusted media.
9. Employees should be trained not to open attachments unless they are expected and come from a known and trusted source, and not to execute software that is downloaded from the Internet unless it has been scanned for viruses.
10. Enterprises must ensure that emergency response procedures are in place. This includes having a backup-and-restore solution in place in order to restore lost or compromised data in the event of a successful attack or catastrophic data loss.
11. Enterprises must educate management on security budgeting needs.
12. Enterprises should regularly and routinely test security to ensure that adequate controls are in place – and document the results.
13. Enterprises should ensure that only applications approved by the organization are deployed on desktops and laptops, to prevent loss of information through malicious code.

Conclusion

This can only be a brief introduction for counsel wishing to understand the risks associated with data security, and to begin the conversation needed with IT staff in client organizations. Mature organizations understand that there must be an ongoing conversation between counsel and IT staff, in order to ensure that the legal obligations of the organization in respect of compliance, including data security, are met. The facilitator and implementer of that effort, and of the tools appropriate to the task, is the IT department; it is only with the assistance of the IT department that the goals of the enterprise in data security can be met. However, the requirements for data security, as well as a full assessment of the risks to the business and the potential for harm, must involve the business side, and of course, legal counsel.
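Page 4 describes technologies that audit systems’ compliance with policy (password length, patch currency, antivirus currency) and produce auditable evidence, and the best practices above add the specifics: patch levels kept current, especially on hosts reachable through the firewall (practice 4), passwords that mix letters and numbers, avoid dictionary words and change often (practice 6), and the factory ‘admin’/‘admin’ credentials called out on page 12 (Appendix A, Requirement 2). The following Go program is an added example written for this page, not the paper's or Symantec's code; it runs those checks over a constructed inventory record. The thresholds, the word list and the default-credential list are assumptions chosen for the demonstration, and storing an administrator password in an inventory record is done only so the default-credential check can be shown; a real audit would test the credential, not record it.

```go
// Added example, not the paper's or Symantec's code: a compliance audit of the
// kind page 4 describes, checking best practices 1, 4 and 6 and the vendor-default
// problem from page 12 against a constructed inventory. Thresholds are assumed.
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy holds the thresholds the audit enforces (all values assumed).
type Policy struct {
	MinPasswordLen int
	MaxPasswordAge int // days before an administrator password must change
	MaxPatchAge    int // days since last patch, ordinary hosts
	MaxPublicPatch int // days since last patch, hosts reachable through the firewall
	MaxAVAge       int // days since antivirus definitions were updated
}

var DefaultPolicy = Policy{MinPasswordLen: 8, MaxPasswordAge: 90, MaxPatchAge: 30, MaxPublicPatch: 7, MaxAVAge: 2}

// dictionary stands in for a full word list; vendorDefaults for a factory-credential list.
var dictionary = map[string]bool{"password": true, "welcome": true, "summer": true, "toronto": true}
var vendorDefaults = map[string]string{"admin": "admin", "root": "root"}

// CheckPassword applies best practice 6 when a password is set: a mix of letters
// and numbers, no dictionary words, and a minimum length. It returns the reasons
// the candidate fails, or nil if it passes.
func CheckPassword(pw string, p Policy) []string {
	var reasons []string
	hasLetter, hasDigit := false, false
	for _, r := range pw {
		hasLetter = hasLetter || unicode.IsLetter(r)
		hasDigit = hasDigit || unicode.IsDigit(r)
	}
	if len(pw) < p.MinPasswordLen {
		reasons = append(reasons, fmt.Sprintf("shorter than %d characters", p.MinPasswordLen))
	}
	if !hasLetter || !hasDigit {
		reasons = append(reasons, "not a mix of letters and numbers")
	}
	// Trailing digits are stripped first so that "summer1" is still caught.
	if dictionary[strings.ToLower(strings.TrimRight(pw, "0123456789"))] {
		reasons = append(reasons, "based on a dictionary word")
	}
	return reasons
}

// Endpoint is one inventory record as a compliance agent might report it.
type Endpoint struct {
	Name           string
	PublicFacing   bool
	DaysSincePatch int
	DaysSinceAV    int
	PasswordAge    int
	AdminUser      string
	AdminPassword  string // kept only so the example can test for factory defaults
	Wireless       string // "" for wired, otherwise "none", "WEP" or "WPA"
}

// Finding is one line of the auditable evidence page 4 calls for.
type Finding struct{ Host, Control, Evidence string }

// AuditEndpoint compares a record with the policy and returns every gap found.
func AuditEndpoint(e Endpoint, p Policy) []Finding {
	var found []Finding
	limit := p.MaxPatchAge
	if e.PublicFacing {
		limit = p.MaxPublicPatch // best practice 4: hosts reachable through the firewall
	}
	if e.DaysSincePatch > limit {
		found = append(found, Finding{e.Name, "patch level", fmt.Sprintf("last patched %d days ago (limit %d)", e.DaysSincePatch, limit)})
	}
	if e.DaysSinceAV > p.MaxAVAge {
		found = append(found, Finding{e.Name, "antivirus", fmt.Sprintf("definitions %d days old (limit %d)", e.DaysSinceAV, p.MaxAVAge)})
	}
	if e.PasswordAge > p.MaxPasswordAge {
		found = append(found, Finding{e.Name, "password age", fmt.Sprintf("administrator password unchanged for %d days", e.PasswordAge)})
	}
	if def, ok := vendorDefaults[e.AdminUser]; ok && def == e.AdminPassword {
		found = append(found, Finding{e.Name, "vendor defaults", "administrator account still uses the factory password"})
	}
	switch e.Wireless {
	case "none":
		found = append(found, Finding{e.Name, "wireless", "access point without encryption"})
	case "WEP":
		found = append(found, Finding{e.Name, "wireless", "access point relies on WEP"})
	}
	return found
}

func main() {
	web := Endpoint{Name: "web-1", PublicFacing: true, DaysSincePatch: 10, DaysSinceAV: 1, AdminUser: "admin", AdminPassword: "admin"} // constructed
	for _, f := range AuditEndpoint(web, DefaultPolicy) {
		fmt.Printf("%s\t%s\t%s\n", f.Host, f.Control, f.Evidence)
	}
}
```

Each Finding carries the host, the control it maps to and the measured evidence, which is what makes the output usable as the documented test results practice 12 asks for; the same records can be re-run after remediation to show the gap closed.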
Appendix A: The PCI Security Standard

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security