Low Tech Data Leakage Protection

Analysis and Commentary, Broadcast


1 Comment 31 May 2011

Simple Ideas For Protecting Against Data Leakage

On the last (ISC)2 ThinkT@nk Roundtable webcast (link to the archive is below), I had the good fortune to moderate a very interesting panel about low tech methods for securing your data. Our panelists ranged from the academic to the pragmatist.

What I found most exciting about the event was the sheer number of ideas being offered by the audience members. While I usually have little trouble keeping up with audience questions during these types of events, we had over 400 people in attendance and the ideas were coming at me so fast that we ran out of time before getting to all of them. I want to take a minute to share more of what was going on “behind the scenes” and see if this sort of recap is useful to you. Let’s keep the discussion going. Just add your own ideas and thoughts on the roundtable in the comments section below.

  1. Since 3M is a supporter of the (ISC)2 Security Leadership Program and the sponsor of this event, it was no surprise that 3M’s privacy filters were discussed as a means of guarding against “shoulder surfing”. These filters are now available for just about every mobile device on the market and seem like a good starting point.
  2. Within just a few minutes of the call, Robert Curee from Rite-Solutions, Inc. brought up another obvious choice: laptop cable locks. I can’t even count the number of times someone at a coffee shop has asked me to keep an eye on their new MacBook while they scurried off to the bathroom. This just seems like a no-brainer for the mobile worker.
  3. Martin Linda, from Siemens, then quickly added that they issue laptop bags that don’t look so much like laptop bags. Being able to hide the fact that you are even carrying a mobile device makes you less likely to be targeted. He went on to add that at Siemens, they issue backpacks and other alternatives to traditional laptop bags with each new laptop going out.
  4. Just a couple of minutes later, Joseph Valinotti of Valador piped up that he encourages larger bags for travelers so that they put their personal effects in with their laptops. His theory is that this helps raise awareness because the user is also thinking about their own “stuff”, not just company assets.
  5. In a spark of creativity, David Nelson from the FDIC started attaching a small cat bell to his own laptop bag. This simple idea lets him know when his bag is being tampered with, even when it is out of sight, such as when going through airport security.

These first few items seem like an easy way to mitigate data theft, but the questions soon shifted toward how to implement these and other controls. Here are some of the key items we captured on the discussion.

  • For physical security controls, such as cable locks and laptop bags, integrate with the purchasing department to ensure that every new mobile device getting released to the field comes with these basic protections.
  • Train your users on the proper use of these tools and direct them to your company policy regarding their responsibility for protecting company assets, both physical and ephemeral.
  • Not only should you reach out to purchasing, but while we were on the topic of policies, Larry Chu from RS Investments reminded us of the need to include HR in policy-making decisions, especially if you use language around penalties the user could face, such as termination.
  • While we are on the topic of HR enforcement of policies, Petr McAllister mentioned a policy of “lose your laptop, lose your job” that he recalled from the CSO of Visa who imparted these words of wisdom at RSA back in 2007 or 2008 (if anyone has a link to the presentation, please send it along).

Keep the ideas coming; we had a great discussion, and some of the comments during the live event were very encouraging.

Very interesting discussion with a variety of relevant viewpoints

Learned a lot of new ideas to help me in preventing mobile data breaches.

Good presentation. Covered a wide range of issues and potential solutions.

Jam-packed with practical real-world tips, this was an excellent presentation!

In case you wanted to watch it again, or pass it along to your colleagues, the archived event is below.


(ISC)2 Secure Metro New York

Analysis and Commentary, Field Notes and Research, Newsflashes


No Comments 04 May 2011

The CISO/CPO Partnership: Addressing Online Risks

Brightfly is pleased to announce that Managing Director of Research, Brandon Dunlap will be presenting at this exciting event brought to you jointly by (ISC)² and the International Association of Privacy Professionals (IAPP) on May 10th, 2011.

This event promises to be a day packed full of discussions on common threats and risks to online security and privacy.

In addition to Brightfly’s perspective on building “Guardrails on the Road to the Cloud”, you’ll also hear from leading members of the security community as they address recent developments across a number of areas that include mobile communications and social media with a focus on effective techniques for ensuring online security and privacy.

This event will be held at the Sheraton Newark Airport:

128 Frontage Road
Newark, NJ
07114 

Like all Security Leadership Series events, this is a free member benefit (only $99 for non-members) and is a fantastic opportunity to connect with your peers from the metro area. 

A special thanks goes out to all of the sponsors who make this valuable learning experience possible through their continued support and contributions.

Just click the button below to register for the event. Hurry, they fill up quickly!


Introducing the Energy Sector Security Consortium

Analysis and Commentary


1 Comment 18 February 2011

Recently, I had the opportunity to sit down with Patrick Miller and some of his colleagues from EnergySec to see where they are headed and what big plans they have in store for the coming months. This interview followed shortly after and gives some terrific insights into how his team is moving forward and bridging the gaps in knowledge and cooperation across the various silos in IT and Information Security.

[Brandon Dunlap] What is “EnergySec,” the Energy Sector Security Consortium, chartered to do?

[Patrick Miller] EnergySec spawned from a group of security professionals in the electric power business in the Pacific Northwest. The group met for professional lunches and shared security information with their trusted peers. No vendors and no regulators were allowed, it was strictly limited to utility personnel. Due to the interconnected nature of the power grid, more peers from further connected utilities began showing up until we outgrew the restaurant model and had to shift to quarterly meetings. This all-volunteer army of security practitioners (including folks from physical security, information security, disaster recovery, business continuity, audit, regulatory, operations, engineering, etc) ultimately grew into a nation-wide non-profit in late 2008. The mission never changed and it is still intact today: security information sharing between trusted peers in the energy sector.

[BD] How are EnergySec and “NESCO,” the National Electric Sector Cybersecurity Organization, working together?

[PM] EnergySec is the parent non-profit 501(c)(3) organization, and NESCO is a DOE funded program under the EnergySec umbrella. NESCO’s mission is to lead a broad-based, public-private partnership to improve electric sector energy systems cyber security; become the security voice of the electric industry. I think it is easy to see the natural fit for NESCO under EnergySec.

[BD] A lot of folks from the utility sector would disagree with you about the uniqueness of their security needs. How is EnergySec fostering this collaboration and helping to bring down some of the barriers that have plagued this industry historically?

[PM] I think many industries suffer from the “not invented here” syndrome, but the electric sector is notorious for this. SCADA is SCADA, whether it is power, water, oil, gas, manufacturing etc. Sure, there are uniquenesses to how you manage a live industrial control system (from the management application environments to the endpoint field devices) so that you minimize potential impacts to the always-up reliability expectations but this is not unique to the electric sector.

[BD] How can the broader information security community lend a hand to either or both of these two organizations?

[PM] Security isn’t unique to the energy sector. Great security ideas, architectures and approaches are happening every day. The cross-pollination and interdisciplinary discussions are really where the value is realized. We have much to share from our experience securing both business systems as well as industrial/process control systems (SCADA), and we are open to good security ideas from anyone.

If you are interested, then you can join Patrick on February 22nd to learn more about the NESCO project and what it means for the electric industry. In this informative webinar Patrick Miller, as both CEO of EnergySec and the Principal Investigator on the NESCO project, will discuss in depth:

  • what NESCO is
  • why NESCO was created
  • NESCO’s mission and goals
  • the differences between NESCO and EnergySec
  • and the supporting role of NESCOR, funding structure, the critical role of industry, our partnerships, outreach efforts and more.

Date and Time: February 22, 2011 10:00 am PST

Event number: 921 850 714

Event password: nesco

Event address for attendees: http://bit.ly/EnergySecWebinar

Call-in toll number (US/Canada): +1-408-600-3600

Access code: 921 850 714

Broadcast

Identity Aware Data Protection and Control

No Comments 31 January 2011

Abstract:

Enterprise data classification has always been a difficult task, but it has also not been enough to ensure data protection. Once classified, the appropriate controls must be in place to govern the appropriate access and use of that data. In this archived event, the last (ISC)2 ThinkT@nk Roundtable webcast of 2010, we explore the touchpoints between identity and access management with data protection and how to craft an identity aware data protection strategy.

Panel of Experts:

This roundtable, moderated by Brightfly Managing Director Research, Brandon Dunlap, plays host to the following security industry experts:

© 2011 Brightfly, Inc.
