Indifference and cluelessness:
http://milibanddumbass.blogspot.com/
The latest data giveaway by the UK's Ministry of Defence shows that not even the most basic IT policies are being followed. There are various ways to ensure laptops do not go astray when loaded up with sensitive information. The most basic is that such information should not be on any machine unless absolutely necessary. The …
Yes maybe if someone invented some sort of cable that at one end had a loop and the other end some sort of lock. Then the cable lock end could pass through or around something, say the seat hinge or spare wheel, through the cable loop and connect to the laptop, thus stopping any smash and grabs.
I just can't think of why no one has thought of this simple idea before....
It always amazes me when I read these stories, why it is that all this personal data is on a decentralised laptop.
I work for a very small SME and even we can afford to use NetSuite (not cheap by any means) to store our customer's data on.
This means I can take my laptop around and access our customer data from anywhere, but it isn't stored on the laptop at all.
This Government has spent (wasted) millions on umpteen computer projects, so why they can't spend some money on a centralised database to which their users can gain access from anywhere, like we in the real world do, is beyond me.
Regards
Neil
We as a society have become so apathetic towards this kind of thing that they simply don't fear us anymore. We are not the empowered and informed members of society we should be. We are the impotent and weak being flogged to death slowly while being forced to watch through a rose-tinted lens.
To paraphrase a very wise man "Go back to sleep, England. Here's 27 channels of Britney Spears being a drunken idiot. Go back to sleep, England."
"why they can't spend some money on a centralised database to which their users can gain access from anywhere, like we in the real world do, is beyond me."
Prime your irony glands.
Having spent a number of years around central government IT, I imagine it's because any IT project which involves accessing sensitive data from the big, scary internet (regardless of VPNs etc) becomes so tied up in security accreditation and arse-covering that it never gets anywhere.
So people work around the bureaucracy by copying data to laptops.
One reason I permit more freedom to access the Internet from our network (~1000 users) than most is that one of my private nightmares is a user, thinking that they are helpfully bypassing needless security in order to work more efficiently, hooking their laptop to the raw internet via dialup. That's the problem: plenty of staff think that the company will thank them for "getting things done" by ignoring the petty rules of the autistic fusspots in the IT department. And sometimes they're right: management commitment to an ISMS is a variable beast.
That any of the lost data has found its way into the hands of the criminal fraternity.
(But they are working on it.)
Just out of interest, why are these people taking laptops full of private data home with them, not enough hours in the working day?
You can have all the security in the world to protect your millions of customers, password protected and encrypted. As soon as it leaves the premises in the hands of a junior office worker, all that security means nothing and the government have to rely on that employee not making copies, sharing it with others (for profit or just to impress his latest girlfriend), unlocking the PC and walking away etc. etc.
Taking a laptop out of the protected, CCTV'd, passcard entry, firewalled office is the same as not bothering with that security in the first place.
You'd never see a bank allowing a cashier to take home a bundle of notes to count at home, so why is this data leaving the premises?
Neil Briscoe said it very clearly. Centralised DBs are the way to go, not decentralised data!
Getting my coat and checking my wallet!
This is shocking given the requirements the MoD expects everyone else to meet. I used to work for an aerospace company that did work for the UK MoD (not BAE Systems!), mainly for the RAF, mainly on the transport aircraft, and getting access to classified data was a real pain, you had to sign the Official Secrets Act, undergo security checks, background check, criminal record check, references, etc.
Even once that was done and MoD was happy you weren't a spy or a thief the computers used to access the data had to be in a separate room with the windows 'frosted' so people couldn't look in and see what you were doing, were not allowed to have any connections to the company networks (or the internet) and the hard drive was encrypted and had to be in a removable caddy. When you finished working on the classified data, it was encrypted, you shut down the machine and removed the hard drive caddy. This was then locked away in a big f**king safe, just to make sure someone couldn't wander along and pick it up.
And now I get to hear the geniuses at the MoD happily wander around with reams of personal data they don't really need completely unsecured. Alright, the measures above are pretty extreme, but how can a Ministry that requires them be so cavalier with personal data?
Security Guard at MoD: Oi! That laptop sir, does it have any sensitive data on it? You know, blueprints for the latest Astute submarine, access codes to GCHQ, that sort of thing?
MoD Bod: Nah, just the bank account details for some blokes who considered joining the Royal Marines a couple of years ago...
Security Guard: Oh, no problem. Here, let me help you with the door.....
Over there, the CIA say security on SCADA networks is a possible issue and a roomful of brainless Sun-reading MS-worshipping PC know-it-alls say it isn't.
Someone says (paraphrased) "an externally owned visiting laptop connected to the SCADA network to 'help out' is a classic attack vector".
Seems Ian here has a bit of sense too: "a user ... helpfully ... hooking their laptop to the raw internet via dialup". In addition to the DSL line, the laptop might also be using a 3G phone (possibly invisibly connected via Bluetooth). It might be a visiting laptop allowed on to the "corporate" LAN - could even be an employee's laptop, with inappropriate networking settings "accidentally" left on. Can't be a security issue there, surely, 'cos you can't see anything wrong? Not till it's too late, anyway.
This is not intended as a smack on the MoD, and it probably is a norm in the whole public sector in general (at least here in the UK).
The premise is that people entrusted with responsibilities probably are very low skilled and much in denial of that, but rank or authority means that what is done is done. In other words one may have authority to do so even though there is an obvious lack of skills to support the basis to grant one to do so.
In short: the public deserves better, should have better, and lots of public money (in the UK) is probably squandered as these events are indicators of the skills levels and practices within the sector proper. The security issue really is, in my opinion, a manifestation of mistakes that probably extend far, far wider.
In short: I am surprised that anyone is surprised.
Interim conclusion:
It is a manifestation of the Policy-Practice divide. Ideally Policy should drive practice should drive policy should drive .... but in effect for many organizations it is far more expedient to allow policy makers to do what they have to do in order to attract funding or pull down funding streams. Once that funding is there then the Practice part of the organization can do what it wants without consideration or support of the policy part. I call that the Policy-Practice divide and it is the nightmare scenario of a Policy-Practice synergy.
Personal conclusion:
Organizations that demonstrate Policy-Practice divide should be stripped of opportunity to call down or pull down public funds full stop.
"There are various ways to ensure laptops do not go astray when loaded up with sensitive information. The most basic is that such information should not be on any machine unless absolutely necessary. The second policy would be to take some action to ensure the laptop was kept physically safe - so leaving such a laptop in an empty car overnight is probably not a good idea.
Assuming one or both of these steps were followed, the MoD could then use various types of technology to ensure the data was safe if the worst did happen and the machine was stolen - it could password protect the machine and it could encrypt the data."
So you're saying that if /neither/ of those steps were followed, the MoD could *not* then use encryption or set a password? Damn, that's just when I would have thought it would matter the *most*.
Did these paragraphs get mangled in some kind of hideous subediting accident, or do you really mean that it's only possible to set a password and use encryption on a laptop if it doesn't have any sensitive information on it and if it's not being left in a car overnight? As far as I can see, those various measures are basically independent and orthogonal:
- you can encrypt your laptop regardless of whether there is any sensitive data on it that matters if it gets stolen or not
- you can encrypt your laptop regardless of whether or not you take good care of it or leave it in a car overnight
and likewise for setting a password. I can't even make sense of that as saying "There's no point encrypting and setting a password unless you've taken more basic measures first", since in the lack of those first two steps, using encryption would have saved the day.
A little clarification needed here, perhaps?
amanfromMars icon, because the claim seems pretty ga-ga to me.
Presumably these incidents occur because the custodians of the laptops can't be bothered/forget to take the laptop out of the car, rather than actually wanting to leave them there.
So...take the storage out of the laptop permanently and incorporate it into something the custodians would be less likely to forget/be lazy enough to leave behind.
How about incorporating a SSD into a wireless enabled mobile phone? Chances are the custodian won't leave their phone in the car. Then set the laptop up to boot from the network, and serve the OS over the WiFi connection from the phone.
The point being, that the theft of the large (can't be bothered) laptop is not the problem, the problem is the theft of the small (easily portable) storage device contained within.
As a bonus, the custodian's home desktop could then also be set to boot from the same Wi-NAS, and the office desktop.
Who leaves a bloody laptop sitting in a car overnight???
"Oh, sorry boss, that new laptop you gave me with all those bank account details on it, well it got stolen last night. Yeah, my car got broken into and I'd left it sitting on the front seat. Well, I thought it would be safe seeing as it's outside my house and all."
Is someone looking into this "junior officers" bank account. Notice any large unaccounted for transfers yet? And even if he is clean, anyone that stupid deserves to be taken out back and shot - rid the world of one more imbecile!
"With preparations like this, we should all be more than ready to hand over our personal data to the proposed national ID scheme - after all, the data can't be that personal if the government has already given it away."
Or we could just not give them any data whatsoever, and just say we already did and they must have lost it.
From memory the entire hard disk is encrypted up the wazoo. That way even if someone loses one nobody can get at anything. If this lot weren't doing that then they were breaking the security rules for laptops, independent of information classification.
Physical security on laptops is a bit of a nonstarter.
"Who leaves a bloody laptop sitting in a car overnight???
"Oh, sorry boss, that new laptop you gave me with all those bank account details on it, well it got stolen last night. Yeah, my car got broken into and I'd left it sitting on the front seat. Well, I thought it would be safe seeing as it's outside my house and all."
Is someone looking into this "junior officers" bank account. Notice any large unaccounted for transfers yet? And even if he is clean, anyone that stupid deserves to be taken out back and shot - rid the world of one more imbecile!
Or not.. "
You think that's bad? There have been a few high profile incidents of FBI agents leaving fully automatic weapons in their car, driving the car home, and said car gets stolen or the guns get ripped off from the trunk.
I know plenty of people in the Home Office - nope, it's not encrypted most of the time when they move data around, and neither do the other companies mentioned in the press over the last year.
How about WE, the people, start to prosecute THEM, the Government, for their incompetence. After all they actually work for us, not the other way around, which seems to have been completely forgotten.
I know what's happening to our CDs they are being used by George Bush and co to hide all their secrets.
Why else would so many CDs disappear without trace? Either that or there is a mountain of them secreted about the EU.
Yet more go astray. And that is only from mid December:
http://news.bbc.co.uk/1/hi/uk_politics/7204399.stm
The government today announced that it is on course to meet one of its most important targets – to lose the personal details of the entire UK population by the time of the next election.
Following the loss last week of a laptop containing the national insurance, address and bank account details of 600,000 potential army recruits David Miliband, the Secretary of State for Defence, said last night:
“We know this is only a small beginning. Other departments are far ahead of us on this matter – we congratulate, for example, the Department for Work and Pensions for their sterling work in losing the details of 24 million child benefit recipients. But on this matter we are determined to pull our weight, and nobody should be in any doubt that here at the MoD we will be ramping up our efforts during 2008 and beyond to show that we can lose just as many personal details as anyone else.”
Not to be outdone, the Home Secretary Jacqui Smith announced that her department would shortly be launching a new publicly-accessible web site, “Rip Off the UK”, which would contain the electoral roll, address, banking, medical and benefit details for every man, woman and child in the country. Smith said “We are irrevocably committed to our policy of ‘total transparency’ when it comes to the personal data of UK citizens. The huge rise of identity theft in recent years shows that our policy is working.”
British Airways has this morning announced record numbers of people booking one-way flights to leave the UK. The most popular destination so far has been ‘Anywhere else’.
"but the ICO is still negotiating exactly how this would work"
Government ends its exemption, or rather cop-out, from the DPA and funds the ICO properly. Then ICO investigates these losses and prosecutes the government/body/minister responsible - someone (senior, not a junior scapegoat) goes to jail and the rest wake up to reality.
Of course the government will do neither of these actions - because, to paraphrase, it's got a lot to hide !
The repetitive data losses by UK guvmint is like an insane G&S operetta. At the top you have a bunch of utterly clueless pols who parrot whatever is the fashionable tagline of the minute, and who appear to occupy positions of authority because it's PC to put them there, not because they know what the hell the job entails.
At the bottom, you have underpaid, demoralized grunts -- as someone said in a comment on another story, "pay peanuts, get <something>".
In the middle you have all those lovely senior managers hired in from the business sector; in my opinion, that's where the real rot starts.
The business world has managed to widely propagate the meme "business is everything, and someone successful in business is blessed by God." 'Tain't so. Success in the business world is generally due to luck and possession of a certain low animal cunning and in no way implies intelligence or skill.
That meme has a variant: "run the public sector like a business." What nonsense! The public sector is not a business: its "customers" are captive, and it has no competition, unless it's false competition fostered by the idiots described earlier. Everyone seems to have forgotten that the original of this tagline/meme was "run the public sector in a business-like way", which is a horse of an entirely different color.
What was asked for was often nothing more than keeping proper accounts for the individual departments so you could get some sense where the money was coming from and where it was going. But this need was often dealt with by setting up Crown corporations (quangos in UK-speak), contracting out, and assorted other mistaken actions.
What's to be done? Nothing. If you don't like it, emigrate. The stranglehold that business has on life is irrevocable. Me, I'm going to hang out in my bomb shelter the rest of the day.
See, in the commercial, free sector an organization is accountable and that accountability has consequence.
When annual or periodic reports are published the free sector pitches in to buy or sell shares and the "worth" of an organization and its governance tends to be (in broadest generalities) demonstrated in its share prices.
They go up (peer group supporting good and robust governance) or they go down (peer group supporting poor or shoddy governance). It may be different across the pond due to non-standard accountancy practices much frowned upon over recent years.
As far as the UK goes that does not happen with publicly funded bodies.
Should your local school be in best management it will secure funding for next year.
Should that same UK school be in poorest management it will also secure funding for next year.
So, in real terms: why bother?
The budget will be the same, employees will be the same and there is no real difference between squandering or good use of public funds to many an organization.