FEATURE

Computer Fraud & Security, August 2009, page 16

it will also enable parents to review their child’s performance by offering them access to both relevant documentation and academic staff over the internet.

The fourth trial is about providing children aged 12 to 16 with secure access to specially-created international chat-rooms and discussion groups that cannot be accessed by adults, while the final one will focus on authenticating citizens so that they can access government portals on a cross-border basis.

What happens next

A range of countries have already signed up to undertake the pilots and are in the process of finding recruits to take part. Once the tests have been completed, Stork consortium members will write a report based on the findings and submit it to the EC for review.

Although it is not clear how any implementation phase would be conducted at the moment, or whether it would be mandatory, the EC is already discussing such issues with its e-government group, which includes representation from all member states.

In order to fund the scheme, meanwhile, the Commission has so far contributed €10 million, as have each of the current Stork consortium members. But it also plans to add another €5 million to the pot next year, a sum that the six new members will be expected to match when they join.

“It is not clear how any implementation phase would be conducted at the moment, or whether it would be mandatory”

But the very fact that these new states are keen to be actively involved in the project is a positive sign, believes Sharmah. “People are showing interest as they realise that this is serious. It’s gone past the interesting project stage and looks like it’s got a good chance of fulfilling its mission,” he says.

Future challenges

That is not to say that there are not significant challenges ahead. The key ones, however, relate less to technology and more to the policy and legislative implications of such a move. “I suspect there will be quite a few legal issues,” says Leyman. “Different countries today have different legislation, but that doesn’t mean it can be used for cross-border communications.”

As a result, the Stork consortium has already asked the Commission’s legal advisors to establish what key legislation is missing at the moment and what needs to be done both nationally and at a Europe-wide level to create a binding legal framework.

To ensure that i2010-related work does not simply die a death when the programme runs out, however, the EC is also putting together the European Large Scale Action (ELSA) initiative, which is perceived as the next big step. ELSA will focus on devising a long-term vision for a digital Europe and projects such as Stork are expected to be rolled into it.

Stork is likewise anticipated to act as the e-identity foundation for other EC schemes such as the Pan-European Electronic Procurement OnLine (PEPPOL) and European Patient Smart Open Services (epSOS) e-health projects. PEPPOL is intended to develop a common means for enabling public and private sector organisations to electronically order, invoice and digitally sign for products and services sold online, while epSOS will make it easier for citizens to access healthcare services when abroad.

Although it is too early to say whether the initiative is likely to succeed or fail, it is nonetheless clear, as Leyman says, that “Stork is pretty strategic to the EC” if it is to deliver on its i2010 goals.

About the author

Cath Everett is a freelance writer who has been writing about business and technology issues since 1992. Special areas of focus include information security, management issues, skills and high-end software.

Out of office – and into trouble

Wendy Goucher, Security Empowerment Consultant, Idrach

So the warm spell is over, the rain comes down in buckets and thoughts turn once again to holidays and days when the alarm clock does not need to ring. I hate to be the little rain cloud threatening your BBQ but there are a few things that need to be considered if your sensitive business documents are to stay safe through the summer season.

The excitement builds

The usual protocol these days for when we are away from the office for more than a day is that we put an ‘out of office’ note on the email, phone and mobile phone.

There is a strong tendency lately for people to give out more information on these messages than is strictly necessary – not just the standard return date and another suggested contact, but also some details of where they’re going. Just in case anyone misses the message, you can sometimes find it echoed on Facebook and LinkedIn, followed by an hour-by-hour account of events on Twitter.

You can understand why people do it, especially when they are going somewhere out of the ordinary. But stop and think for just a moment. Would you take out a half-page advert in your local paper announcing your absence? Of course not: it would be inviting people to burgle your home while you’re sunning yourself on a distant beach. And yet with an unwise ‘out of office’ message you can tell everyone who knows your address that you are not there, and won’t be for two weeks.
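The mail-server side of this problem is easy to get right. The following is an added example, not part of the original article: it configures the same two-week absence twice in the Exchange Management Shell, first with a single chatty reply sent to anyone who writes in, then with a detailed message reserved for colleagues and a minimal one for outsiders. The mailbox name, the dates and the reply texts are constructed for illustration; the cmdlets and parameters are the standard Set-MailboxAutoReplyConfiguration and Get-MailboxAutoReplyConfiguration.

```powershell
# Added example (not from the article). Assumes an Exchange environment in which
# Set-MailboxAutoReplyConfiguration is available. The mailbox 'a.example' and
# the dates and message texts below are hypothetical.

$mailbox = 'a.example'             # hypothetical mailbox identity
$start   = Get-Date '2009-08-10'   # constructed holiday dates
$end     = Get-Date '2009-08-24'

# Weak setting: one message for everybody, sent to any external address.
# It tells a stranger who only knows the email address that the house and
# the desk will both be empty for two weeks.
Set-MailboxAutoReplyConfiguration -Identity $mailbox `
    -AutoReplyState Scheduled -StartTime $start -EndTime $end `
    -ExternalAudience All `
    -InternalMessage 'Off to the villa until 24 August - no laptop, no phone!' `
    -ExternalMessage 'Off to the villa until 24 August - no laptop, no phone!'

# Corrected setting: colleagues get the return date and a contact; outsiders
# get only a bare acknowledgement, and only if they are already in the
# user's contacts (ExternalAudience Known). ExternalAudience None would
# suppress the external reply altogether.
Set-MailboxAutoReplyConfiguration -Identity $mailbox `
    -AutoReplyState Scheduled -StartTime $start -EndTime $end `
    -ExternalAudience Known `
    -InternalMessage 'I am out of the office until 24 August. For urgent matters please contact the team mailbox.' `
    -ExternalMessage 'Thank you for your message. It will be dealt with on my return; for urgent matters please use the main office number.'

# Check what is actually in force before the holiday starts.
Get-MailboxAutoReplyConfiguration -Identity $mailbox |
    Select-Object AutoReplyState, StartTime, EndTime, ExternalAudience, ExternalMessage
```

The point of the check at the end is that users typically set these replies from the mail client, where the internal and external messages are two separate boxes that are easy to fill in identically; a scheduled reply with a scoped external audience is the one setting an administrator can verify and, if policy requires it, apply across mailboxes.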

Phantom sitter

It might sound over-cautious, but if you’re going away, you might want to think about inventing a house sitter and then tweet about them on your site too. Alternatively, get a trusted friend to post to your blog, Facebook page or Twitter stream on a regular basis, posing as a phantom sitter and making comments that suggest your home is being looked after while you’re away.

When I was a child, every couple of years our neighbours used to go on holiday to Hungary for six weeks. It was my job for the summer to open and close their curtains and windows every day, water the plants and move the mail. This is the modern-day equivalent. Of course if you can get your mates to nip in and feed the plants too, that would be a bonus.

How does all this translate to the corporate environment? The same caution that people need to exert over their own property applies equally to company assets. You might issue a new policy about what people say regarding their vacations on social networking sites, for instance. But a word of caution: explain the dangers so that your staff understand them, and then give them advice to help keep their property safe in their absence. This is likely to make them much more cautious in their messaging than if you issue bossy directives about social networking accounts that, after all, you can’t enforce.

Packing to go

So, your employee is getting ready to go on holiday. The problem now comes from the attractiveness and utility of the company laptop and the need to work right till the last moment. Obviously the ideal – that is to say, most secure – solution when staff are going away is that they leave their laptops and any other mobile computing devices at work. However, for many there is work to be done, things that need to be finished on the last day or over the last weekend. So the machine is taken away from the office and, once the work is done, it’s left in the employee’s home.

“Every day this summer, in airports around the world, thousands of business laptops will pass through on their way to vacation destinations”

Perhaps that seems safe enough, and yet it was just such a circumstance that led to the biggest security incident of its time in the UK. In November 2007, an employee of the Nationwide Building Society had his laptop, containing sensitive customer data, stolen from his house while he was on holiday.[1] The subsequent fines and compensation cost the building society around £8 million, and estimates of the resulting cost for the financial sector as a whole, in terms of security investment, are around £50 million. And yet this staff member did not take huge risks: he did not take the laptop with him and leave it on his towel on the beach while he took a swim. He simply left it ‘safely’ at home.

The journey

Employees taking their laptops away with them is an even bigger threat. But why would they do this, you might wonder, given that they’re supposed to be on holiday? Entertainment is the simple answer.

The trials of travelling, especially by air with the long waiting that results from the need to get through security checks, mean it can be very tempting to take the laptop to watch a film while you wait in the lounge. This is especially the case if you have young children – the alternative being you sitting between them to keep the peace while staring longingly at the bar in the corner.

Only the newer machines have battery lives that will allow you to watch a full film if there are no power points available. The family computer just won’t hack it, so instead, people take the nice, new highly specified work laptop.

The result is that every day this summer, in airports around the world, thousands of business laptops will pass through on their way to vacation destinations. And even though lessons learned from the Nationwide incident – and the increased pressure for safe accredited policies and procedures – mean it is more likely that the laptop is encrypted and key information has been backed up, there are still risks.

Travelling presents many dangers, including damage and loss. For instance, while laptops are sturdier than they were five years ago, they are still no match for a drop from a moving trolley, falling under the wheels of a taxi or having the keyboard flooded by a sugary drink.

There are also lots of ways to lose a laptop while travelling through an airport: one of the most common – again aggravated by the increased demands of airport security – is leaving the laptop at the security point. Although other security measures – such as the need to remove shoes and carry liquids in plastic bags – vary, the requirement to remove your laptop from your cabin luggage has become more widespread over the past couple of years.

When this has happened to me, generally I have been travelling on my own and know what to expect. But watching families arrive stressed and hassled at the receiving side of security you could see how a laptop could easily be overlooked. What is surprising is that this also happens to business people even with their fewer distractions, and that they don’t always reclaim their lost machines.

It is worth noting at this point that at many borders across the world, including US airports, laptops can be retained for inspection and it can be some time before they are returned. If at all.[2]

The holiday commences

Once at the destination, there is the ever-present chance of theft from your accommodation. Any theft is bad, but imagine having to interrupt your holiday to call the boss and break the bad news.

And if a touring holiday is more to your family’s taste, then bear in mind the fate of the employee of Colchester Hospital University NHS Foundation Trust who, in June 2008, had his laptop stolen from the back of his car in Edinburgh.[3] Someone simply broke the window and took it. A moment’s thoughtlessness and it made vulnerable the records of 20,000 patients – and cost the hapless tourist his job. So whether you carry the company laptop with you or leave it in the hotel room you are taking a risk.

Top tips for a safe holiday

So, after all that, what can be done to help make everyone’s summer breaks peaceful and restful?

For staff:

1. Leave your laptop and any other device that has secure business information stored on it locked away at work.

2. Make sure all your data from any mobile device, including your PDA, iPhone or mobile phone, is backed up.

3. Don’t give out specific information about your holiday arrangements anywhere that can be obtained by casual, unknown or unauthorised users.

4. Restrict viewers of your social network websites, including Twitter, to invited persons only. This is a good general rule in any case.

5. Get a cyber house-sitter.

For management:

6. Make sure all staff have an emergency number to call in the event that any business equipment goes missing.

7. Check the business insurance policies to see if the business is covered for damage or loss of equipment on holiday.

8. If staff are likely to need to renew or change passwords to gain necessary access while they are away, encourage them to change them early – before they leave.

9. Provide easily accessible information to help staff understand the risks and strategies associated with holidays.

10. Encourage staff to leave work behind when they go on holiday. Well-rested staff are more effective and less likely to make security mistakes.

References

1. Paul Wood, ‘There is no Patch for Stupidity’, lecture to the IISP, January 2008.

2. Bruce Schneier, ‘Taking your laptop into the US? Be sure to hide all your data first’, The Guardian. http://www.guardian.co.uk/technology/2008/may/15/computing.security

3. ‘NHS manager is suspended after losing computer’, The Herald. http://www.theherald.co.uk/news/news/display.var.2371758.0.NHS_manager_is_suspended_after_losing_computer.php

About the author

Wendy Goucher AInstISP MBCS has a background in psychology, management and economics. She works with organisations of all sizes and sectors to improve information security and security awareness from within the business. She can be contacted at [email protected].

The era of web tobacco

Dario Forte CFE CISM CGEIT, founder and CEO of Dflabs, Italy

The Italian Guardia di Finanza (Finance Police) recently completed a long-standing investigation of a criminal organisation that specialised in internet sales of tobacco products, using orders that are processed outside of Italy.

The investigation began in June 2006, when the agents in the mobile squad monitoring the sales of products via the internet discovered a number of forums containing enthusiastic exchanges about the possibility of buying, from websites not specifically named in the conversations, major brand cigarettes, including Marlboro, Merit, Philip Morris and West. These were being sold at cut-rate prices – as low as 50% of the normal price at Italian tobacconists.

The agents got word to the Office of the Prosecutor in Alba, the jurisdiction in which the first illicit buyers to be identified resided. A technologically sophisticated investigation was soon underway, which employed a variety of interception techniques. This investigation led to the identification of two websites – located in Switzerland and belonging to a Swiss