Risky Business: Using Production Data for Test Purposes

July 4th, 2006

Today some stories ran in multiple UK publications, such as Techworld’s "Firms play Data Protection roulette," discussing the use of production data for test purposes.  It contained some interesting, but unsurprising, statistics.

  • "Nearly half (44 percent) of companies use live data in test environments – something the 1998 Data Protection Act warns against explicitly, according to a recent survey of IT directors by Compuware.
  • Half the directors (48 percent) were only ‘vaguely familiar’ with the Act itself, according to the research, which highlights the importance of understanding the demands and keeping track of how customer data is treated.
  • A further "83 percent used only minimal measures such as using non disclosure agreements (NDA) to control data when outsourcing.""

These statistics come from UK organizations, and actually sound a little low.  Based upon the many business partner and vendor security program reviews I’ve performed, I think the number of organizations using live data would probably be at least in the 75%–90% range…admittedly a very unscientific estimate.

The article provides some discussion of the UK’s Data Protection Act and a few high-level recommendations.  It also reminds the reader of the risks of outsourcing, and that precautions such as NDAs will still not stop the insider threat to data, as in the case of the outsourcer employee I blogged about a few days ago who committed fraud using the information he used to perform his job.

There are many, many more issues involved.  There are also many other laws and regulations that prohibit the use of live data for test, pilot and quality assurance purposes…basically any use that is not production.

I wrote about this important topic in the December 2005 issue of the Computer Security Institute Alert newsletter, "Is There Privacy When Testing?"  I plan to update the article and post it in the reading room of my Realtime IT Compliance website sometime in the near future.

In the meantime, here are some paraphrased or abbreviated points from my article, listing some of the key issues organizations need to address when testing, particularly how to de-identify production data so that it can then be used for test purposes:

  • Test and development teams need to work with databases that are structurally correct functional copies of the live environments. However, they often do not necessarily need to be able to view real confidential personal information. For test and development purposes, as long as the data looks real, the actual record content is usually irrelevant.
  • De-identifying data is considered a leading practice, and is also required by regulations such as HIPAA.  Basically, de-identification covers, removes or alters real (production) data so that the data elements cannot be linked to a specific individual.  Data that has been de-identified is generally considered acceptable to use in the test environment.

De-identifying Data
There are several options for de-identifying data, both operational and automated.  I go into more detail within the article, but here is the bare-bones listing to start your thinking around this topic:

  1. Data deletion
  2. Data NULLing
  3. Data Mixing
  4. Data replacement
  5. Data Substitution
  6. Encryption
  7. Interjecting Unrelated Text
  8. Modifying Numerical Data
  9. Using an Isolated Testing Environment

Whatever de-identification method you use, you need to make sure the results are appropriate for the context of the application being tested, and that they still make sense to the person reviewing the test results.

Because testing activities occur throughout the application lifecycle, organizations must consistently follow documented procedures to thoroughly test applications while at the same time staying in compliance with privacy-related laws, regulations and contracts.  And yes, de-identifying data will be challenging, but still achievable, when the application uses relational databases. 
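As an added example (not code from the original article or from any of the vendors it mentions), here is a Python script that applies several of the options listed above to a constructed two-table extract: deletion of free text, NULLing, mixing (shuffling) postcodes, replacement of names, substitution of e-mail addresses, keyed one-way tokenization standing in for encryption, and deterministic modification of numerical data. Because the same keyed token is derived for a customer identifier in both tables, the link between customers and accounts survives, which is the "structurally correct functional copy" the test team needs. It finishes with the check a reviewer would want before the copy leaves production: no original direct identifier appears anywhere in the result, the free-text column is gone, and every account still resolves to a customer. The table layout, field names, sample records and secret are all assumptions made for the example.

```python
import hmac
import hashlib
import random
from copy import deepcopy

# Constructed sample data (not real people), shaped like a production copy:
# a customers table and an accounts table linked by customer_id.
CUSTOMERS = [
    {"customer_id": 101, "name": "Alice Example", "email": "alice@corp.example",
     "ssn": "123-45-6789", "phone": "555-0101", "postcode": "10001",
     "notes": "Called about a disputed charge on 2006-06-01"},
    {"customer_id": 102, "name": "Bob Sample", "email": "bob@corp.example",
     "ssn": "987-65-4321", "phone": "555-0102", "postcode": "94105",
     "notes": "Prefers paper statements"},
    {"customer_id": 103, "name": "Carol Test", "email": "carol@corp.example",
     "ssn": "111-22-3333", "phone": "555-0103", "postcode": "60601",
     "notes": ""},
]
ACCOUNTS = [
    {"account_id": 1, "customer_id": 101, "balance": 1523.40},
    {"account_id": 2, "customer_id": 102, "balance": -87.10},
    {"account_id": 3, "customer_id": 101, "balance": 20000.00},
]

# Columns that identify a person directly; none of their values may survive.
DIRECT_IDENTIFIERS = ("name", "email", "ssn", "phone")


def _token(secret: bytes, value: str, length: int = 10) -> str:
    """Keyed one-way token (HMAC-SHA256). The same input always yields the
    same output, so linkage between tables survives, but the original value
    cannot be recovered without the secret, which stays out of the test
    environment. This stands in for the 'Encryption' option above."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:length]


def deidentify(customers, accounts, secret: bytes, seed: int = 0):
    """Return de-identified copies of both tables; the originals are untouched."""
    rng = random.Random(seed)
    out_customers = deepcopy(customers)
    out_accounts = deepcopy(accounts)

    # Mixing: shuffle postcodes across rows so every row keeps a real-looking
    # value that no longer belongs to that individual.
    postcodes = [c["postcode"] for c in out_customers]
    rng.shuffle(postcodes)

    for c, pc in zip(out_customers, postcodes):
        key = str(c["customer_id"])
        c["name"] = "Customer " + _token(secret, "name:" + key, 6)              # Replacement
        c["email"] = "user" + _token(secret, "email:" + key, 8) + "@example.test"  # Substitution
        c["ssn"] = _token(secret, "ssn:" + c["ssn"])                             # Tokenization
        c["phone"] = None                                                        # NULLing
        c["postcode"] = pc                                                       # Mixing
        del c["notes"]                                                           # Deletion
        # Tokenize the key itself, consistently in both tables, so the
        # production identifier does not leak either.
        c["customer_id"] = _token(secret, "id:" + key, 8)

    for a in out_accounts:
        a["customer_id"] = _token(secret, "id:" + str(a["customer_id"]), 8)
        # Modifying numerical data: deterministic perturbation of up to +/-10%,
        # keeping sign and rough magnitude so reports still look plausible.
        nibble = int(_token(secret, "bal:" + str(a["account_id"]), 4), 16)
        a["balance"] = round(a["balance"] * (0.9 + 0.2 * nibble / 0xFFFF), 2)
    return out_customers, out_accounts


def verify(original_customers, original_accounts, customers, accounts) -> bool:
    """Release check: no original direct identifier survives, free text is
    gone, and referential integrity between the two tables still holds."""
    leaked = {str(c[f]) for c in original_customers for f in DIRECT_IDENTIFIERS}
    for c in customers:
        if "notes" in c:
            return False
        if any(v is not None and str(v) in leaked for v in c.values()):
            return False
    ids = {c["customer_id"] for c in customers}
    return all(a["customer_id"] in ids for a in accounts)


if __name__ == "__main__":
    secret = b"constructed-secret-kept-out-of-the-test-environment"
    cs, accs = deidentify(CUSTOMERS, ACCOUNTS, secret)
    print("release check passed:", verify(CUSTOMERS, ACCOUNTS, cs, accs))
    for row in cs + accs:
        print(row)
```

The secret is the important design choice: with a keyed token rather than a plain hash, someone holding the test copy cannot rebuild the mapping by hashing guessed names or SSNs, and rotating the secret for each refresh prevents copies from different dates being joined together.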

However, there are many data de-identification solutions and vendors out there, just a few of which include:

I am not endorsing any of these, but provide them to give you an idea of the wide range of automated products available. 

Technorati Tags

OMB Issues Recommendations for Laptop and “Sensitive Agency Information” Security

July 3rd, 2006

I’m just getting around to reading the memo issued largely in response to the VA laptop and hard drive incident by the Office of Management and Budget (OMB) on June 23, 2006, "Protection of Sensitive Agency Information."  This is a good document to serve as a model for other agencies and organizations for protecting personally identifiable information (PII) and other sensitive information.  The key to making this document effective will be good communication of the policies, procedures and requirements through ongoing awareness and training.

Let’s look at a few of the items within this memo, issued by Clay Johnson III, Deputy Director for Management:

"I am recommending all departments and agencies take the following actions:

  1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;
  2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;
  3. Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity; and
  4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required."

Why just make these recommendations?  Why not make them requirements?  The wording is weak and seems to allow agencies to skip these security measures at their discretion.

Hopefully the OMB has documented what constitutes sensitive and non-sensitive information.  Otherwise recommendation #1 is also subjective and a weak statement…open again to interpretation.  They should provide a documented definition of what is considered sensitive and non-sensitive information…perhaps this is in their data classification policy, if they have one.

Requiring two-factor authentication for remote access is a good security measure.  All organizations would be wise to implement it if they allow remote users access to confidential network information or PII, or if their remote computers hold PII and/or confidential information.

Requiring re-authentication after a short period of inactivity is a good idea for any computer with access to, or containing, your organization’s data.  Less than 30 minutes of inactivity would be better.

Logging data access is always a good idea also.

It will be good to see the agencies issue these recommendations, with stronger statements, as requirements within each of their agencies and offices.
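Recommendation #4 is the one most organizations have no tooling for: logging every computer-readable extract and then proving, 90 days later, that it was erased or is still required. As an added example (not code from the memo or from any agency), here is a small Python register that records extracts, erasure events and "still required" attestations, and reports which sensitive extracts have passed their window with neither. Treating an attestation as buying one more 90-day window, rather than a permanent exemption, is an assumption made for the example; the entries in the sample register are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# From the memo's wording: sensitive extracts must be verified erased, or
# still required, within 90 days.
ERASURE_DEADLINE = timedelta(days=90)


@dataclass
class Extract:
    extract_id: str
    source: str                       # database the data was pulled from
    requested_by: str                 # who performed the extract
    created: datetime
    contains_sensitive: bool
    erased_on: Optional[datetime] = None
    required_until: Optional[datetime] = None   # end of latest attestation window


class ExtractRegister:
    """Log of computer-readable extracts plus the follow-up events
    (erasure, 'still required' attestation) the memo asks agencies to verify."""

    def __init__(self) -> None:
        self._extracts: Dict[str, Extract] = {}

    def log_extract(self, extract_id: str, source: str, requested_by: str,
                    created: datetime, contains_sensitive: bool) -> Extract:
        if extract_id in self._extracts:
            raise ValueError(f"duplicate extract id {extract_id}")
        e = Extract(extract_id, source, requested_by, created, contains_sensitive)
        self._extracts[extract_id] = e
        return e

    def record_erasure(self, extract_id: str, when: datetime) -> None:
        self._extracts[extract_id].erased_on = when

    def attest_still_required(self, extract_id: str, when: datetime) -> None:
        """A reviewer confirms the extract is still needed; this assumption
        grants one more 90-day window, not an open-ended exemption."""
        self._extracts[extract_id].required_until = when + ERASURE_DEADLINE

    def overdue(self, now: datetime) -> List[str]:
        """Sensitive extracts that are neither erased nor covered by a current
        attestation once their window has passed, sorted by id."""
        result = []
        for e in self._extracts.values():
            if not e.contains_sensitive or e.erased_on is not None:
                continue
            deadline = e.created + ERASURE_DEADLINE
            if e.required_until is not None:
                deadline = max(deadline, e.required_until)
            if now > deadline:
                result.append(e.extract_id)
        return sorted(result)


def build_sample_register() -> ExtractRegister:
    """Constructed sample entries (not real extracts) for demonstration."""
    reg = ExtractRegister()
    reg.log_extract("EXT-001", "benefits_db", "analyst1", datetime(2006, 3, 1), True)
    reg.log_extract("EXT-002", "benefits_db", "analyst2", datetime(2006, 3, 15), True)
    reg.log_extract("EXT-003", "hr_db", "analyst3", datetime(2006, 5, 20), True)
    reg.log_extract("EXT-004", "public_stats", "analyst1", datetime(2006, 1, 10), False)
    reg.log_extract("EXT-005", "benefits_db", "analyst2", datetime(2006, 2, 1), True)
    reg.record_erasure("EXT-001", datetime(2006, 4, 30))         # erased inside its window
    reg.attest_still_required("EXT-002", datetime(2006, 6, 10))  # covered until 2006-09-08
    return reg


def sample_overdue_ids(year: int, month: int, day: int) -> List[str]:
    """Run the sample register's review as of the given date."""
    return build_sample_register().overdue(datetime(year, month, day))


if __name__ == "__main__":
    print("overdue on 2006-07-03:", sample_overdue_ids(2006, 7, 3))
    print("overdue on 2006-09-10:", sample_overdue_ids(2006, 9, 10))
```

Run as a scheduled review, the `overdue` list is the work queue for whoever owns the verification step, and a register like this is also what an auditor will ask for when checking that the 90-day requirement is actually being met.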

"Please ensure these safeguards have been reviewed and are in place within the next 45 days."

Well, this is a stronger statement…it sounds more like a requirement.  However, it’s likely the actual solutions (such as two-factor authentication and encryption) cannot realistically be implemented within 45 days…unless these initiatives are already in progress.  This is optimistic, though well intentioned, and probably stated this way to help address the backlash from recent incidents.  All agencies should be able to have an implementation plan in place fairly quickly, though, showing an implementation timeline for each of the requirements.

The National Institute of Standards and Technology (NIST) checklist for protection of remote information is attached to the memo.  Again, this really is a great model to use for your own remote information asset protection plan.  I really like that they included the flowchart showing the process; visually providing the flow of procedures always helps those responsible for implementing them better understand what is involved, and how to do it correctly.

There are many references to NIST documents within the memo attachment.  I encourage organizations to visit the NIST special publications site to take advantage of this great repository of information security guidance.

Red Cross Laptops Stolen: Finally, Laptops That Used Encryption!

July 2nd, 2006

Yesterday the Dallas Morning News reported "Three laptops, one of them containing personal information on thousands of blood donors – including Social Security numbers and medical histories – were stolen from a locked closet in the Farmers Branch office of the American Red Cross in May."

It is good to read that this data was encrypted.  The report indicates the information could be decrypted with a password, though, so hopefully they had a strong password in effect.  Effective and successful security all comes down to human decisions and actions, as do most information security issues. If the password was a good one, the data was probably safe…assuming it was not an insider with knowledge of the password who took the laptops.

BTW, the laptops were recovered. 

Encryption…”Maybe I will, GOSH!!”

July 2nd, 2006

I got a kick out of a story posted yesterday in the Phasetwo blog, "IBM using Napoleon Dynamite quote to encrypt data." I love this movie…and to think it has been incorporated into encryption…"sweet"!  🙂 

""Knock it off, Napoleon! Just make yourself a dang quesa-dilluh!". This phrase, from the movie Napoleon Dynamite, is the cipher key IBM are using to publish encrypted XML at this year’s Wimbledon grand slam. But is this a rather glaring lapse in security, or simply an anticipatory nod to curious hackers, many of whom surely rank amongst the fans of this quirky 2004 movie?"

Kinda looks like the IBM folks were experimenting with encryption in this case…it doesn’t sound like any confidential information was being protected with it.  It wasn’t even any critical IP they owned, was it?  I really can’t tell from my limited, okay, basically nonexistent, knowledge of this "font of live data."

It’s nice to know some companies enjoy using encryption, isn’t it?  Heck yes!

Demystifying Privacy Laws: What You Need to Know to Protect Your Business

June 30th, 2006

We are undergoing a data protection renaissance.  New laws have considerably expanded corporate obligations regarding security and privacy for information in all forms.  A significant obligation of the laws is applicable to basically all organizations; the duty to provide reasonable security for all corporate information.  Bottom line, generally all organizations have some legal obligation to establish effective information security programs.  It is important to realize that in most cases there are no hard and fast rules regarding which specific security measures a company should implement to satisfy its legal and privacy law obligations. In this podcast I discuss what you need to know to protect your business when trying to comply with the multitude of privacy laws, and I describe a unified, process oriented best practice approach organizations can use to address the requirements of such laws as HIPAA, GLBA, Canada’s PIPEDA, the EU Data Protection Directive, among many, many others.

MP3: Rebecca Herold – Demystifying Privacy Laws: What You Need to Know to Protect Your Business

Insider Threat Example: Bank Employee Gives Customer Data to Fraudsters Who Then Took Funds From Accounts

June 30th, 2006

Here is another example of an actual insider threat…how an employee with access to customer funds used this access to commit fraud.

"The Bangalore police have arrested one 24-year old Nadeem Kashmiri, on charges of having leaked confidential customer data from a BPO of HSBC, resulting in a loss of almost 233,000 pounds (Rs 1.95 crores) to the bank’s UK-based account holders.

HSBC says it takes its data protection responsibilities very seriously, and that hence it has initiated legal action against Kashmiri, who until earlier this month was an employee at HSBC’s Bangalore global service center.

Kashmiri was an employee of HSBC Electronic Data Processing India (HDPI), an offshore unit of the multinational bank. The bank approached the police on June 22, once it was convinced about his involvement. The police had been on the lookout for him since then.

Meanwhile, Kashmiri is accused of passing on confidential information pertaining to certain HSBC customers in the UK that was used to access the bank accounts of the victims through telephone banking services. Impersonating genuine account holders, the fraudsters extracted funds out of these accounts. They also carried out fraudulent transactions through the ATM and debit cards of the victims. It is reported that a gang of scamsters in the UK had paid Kashmiri for carrying out this fraud.

The fraud was uncovered by HSBC’s own security teams, when some customers complained to the bank about discrepancies in their accounts, ultimately leading to Nadeem Kashmiri’s suspension in April pending HSBC’s investigations.

HSBC, convinced that Nadeem Kashmiri had perpetrated the fraud, terminated his employment, and reported the crime to the Bangalore police. HSBC is assisting the Indian police in their investigations, and the bank intends to pursue Kashmiri’s conviction as vigorously as possible.

The Bangalore police will be in touch with their UK counterparts to solve the case; and HSBC is in touch with affected customers who have been assured of full reimbursement of losses."

This points out the need for good information security controls along with audit logs and the ability to monitor access to sensitive data.  There will always be personnel who will do bad things if they have the opportunity.  However, effective detective controls along with preventive controls will help to address the insider threat.

This is a good case study for an information security awareness or training exercise.

On Day Stolen VA Laptop and Disk Recovered, VA Announces They Also Lost a Backup Tape In A Different Location

June 30th, 2006

Well…Jim Nicholson, the VA Secretary, must be relieved the much publicized stolen laptop and disk were recovered (more on that later), but then he announced a backup tape "with more than 16,000 case records is missing from the Veterans Affairs regional office in Indianapolis."

Actually the backup tape was discovered missing on May 5, two days after the laptop and disk were stolen.  Why did they wait to announce this additional incident along with the news of the recovered laptop and disk?  Did the VA think that it would be just too overwhelming for the public to learn that the records of 26.5 million veterans and individuals in active service had been stolen AND that a backup tape was missing?  Likely they didn’t want to look even more sloppy with information security practices…with incidents occurring at virtually the same time in different locations.  I guess yesterday they saw a good opportunity for a "we have some good news, and bad news" moment.

Or, did they plan not to report the lost backup tape at all, but then decided it would lessen the impact of that incident if they announced it WITH the news that the laptop and disk were recovered?  Both took way too long to be reported to those whose personal information were stored on the devices.

And the statements downplaying the likelihood that the data on the recovered laptop and disk was accessed are meant to be positive spin, but c’mon!  In this day and age a significant portion of the population know that complete disks and files can be copied without leaving any evidence of such activity.  Regarding the recovered laptop and disk…

"The FBI, in a statement from its Baltimore field office, said a preliminary review of the equipment by its computer forensic teams “has determined that the (Maryland) data base remains intact and has not been accessed since it was stolen.” More tests were planned, however."

Who knows…or will ever know?  It’s very possible the data was not copied.  But it’s also possible it was.  Why can’t the agencies involved with investigations be upfront with their statements and just admit that there is no way they can determine whether or not the data was copied?

Organizations that have incidents, thefts and losses need to realize there are tens of thousands of information security professionals who know better than to believe their spin…they should not release such downplaying comfort statements to the public in the same way a parent talks to their preschool child.  Not only will info sec pros see right through the spin, but those with no info sec savvy will gullibly believe that they have nothing to worry about.  People need to realize there are many more bad things that can be done with personal information than just committing identity theft…and the bad things can occur for a very long time after the incident.

VA Secretary Reports Stolen VA Computer and Disk Found

June 29th, 2006

Computerworld just reported the stolen VA computer and disk have been recovered.

"A missing laptop and hard disk containing personal data on over 26.5 million veterans has been recovered, Department of Veterans Affairs (VA) Secretary Jim Nicholson announced this morning.

"The investigation continues to see whether or not this information has been compromised in any way," or whether copies of the data have been made, Nicholson said just before a scheduled hearing before the House Commitee on Veterans Affairs."

I did not see any press release about it on the official VA info website, however…hopefully they will post something soon.

More on this later…I want to see what the official VA press release says about this…and of course how the situation develops and impacts the credit monitoring promises…and what forensics will be done on the recovered computer and disk…etc…

Social Engineering Is Still An Effective Fraudster Method

June 28th, 2006

Technology continues to advance, security tools continue to emerge, but the good ol’ tried and true social engineering exploit is still as effective as it ever was.  I found an article published today, "Hook, line and sinker," very interesting.  It describes how computer-based attacks, such as phishing exploits, are being combined with social engineering.

The article contains some good stories that not only demonstrate the need for a comprehensive information security and privacy training and awareness program, one that includes information on identifying, and not falling victim to, social engineering attacks, but could also be used within your own training and awareness efforts.

ANSI and CBBB Announce Plans to Create Standards for ID Theft Prevention & ID Management

June 27th, 2006

Yesterday (6/26) a Market Wire news story reported ANSI was partnering with the Council of Better Business Bureaus (CBBB) to establish a new standards panel to address identity theft prevention and identity management standards. 

This is a good proactive move; if a comprehensive federal law cannot (or will not) be created to address data protection and privacy in a way that provides good guidance and data protection requirements for all types of businesses, then it makes sense that non-profit organizations step up to grab the bull by the horns and provide sound guidance…actionable standards for businesses to use to demonstrate due care while also protecting information using realistic means.  That is my hope for such standards, anyway.  (I’m optimistic)

This partnership was actually announced by ANSI on 6/23.  The following is an excerpt:

"The prospective panel would serve to identify existing published standards (and those in development) as they pertain to identity theft protection as well as identify areas of need where updated or newly developed standards would further minimize the threat of identity theft or enhance identity management.

Standards pertinent to the panel’s work may cover areas such as:

  • Protocols for managing sensitive customer data — Access, management, storage, and disposal;
  • Employment records management, storage, access and disposal;
  • Employee qualifications and training to handle sensitive data;
  • Criteria for selecting contractors who use or maintain organizational data;
  • Remedies to quickly recapture and restore the integrity of stolen identities or other personally-identifiable information;
  • The possible utility of universal identifiers as a tool to combat identity theft and fraud;
  • Protocols to anticipate new identity theft tactics as the marketplace continues to evolve."

Well, this list isn’t definitive; notice the news release indicated the "work may cover" these areas. 

Some of the items in the list are also noble, but lofty, goals…particularly the last three listed.  However, it is good that these issues will be addressed by organizations that will hopefully have people involved with the project who are knowledgeable in information security, privacy and realistic business practices.

I’ll monitor activity and see where the initiative goes…hopefully it will be a vast improvement!
