* Posts by ShingleStreet

6 publicly visible posts • joined 18 Apr 2023

Northern Ireland cops count human cost of August data breach

ShingleStreet

I misread who had been tasked with the review…

I live in Northern Ireland, where we we have had no functioning government for a couple of years, a bunch of incompetents arguing with each other about whether they should go back to their desks in Stormont and continue arguing there and a collection of public services that would be on their knees if only they had any knees left to be on.

Having said all that, I thought we had plumbed a new low when I misread (and believed, sadly) that Pete Doherty had been tasked with this review.

Northern Ireland police may have endangered its own officers by posting details online in error

ShingleStreet

Lack of Controls

Sounds like the PSNI aren’t classifying their data (Public/Private/Confidential/Highly Confidential), either that or classifying it and not acting upon the classification.

Given, the nature of Northern Ireland, I would expect that a full list of mere names, roles and postings of PSNI staff would call for a higher data classification that if they worked outside the security forces.

So there seems to be inadequate oversight on data leaving the organisation - both in terms of human review but also in terms of technology - ie a single, controlled exit at the network perimeter with approximately designed controls to detect and prevent exfiltration of this sort of data.

I’d be alarmed also (but not surprised) that an Excel spreadsheet is really the “employee master” within the PSNI. Hopefully referring to it as the source data was just a figure of speech.

And then there’s the other PSNI data leak of staff details via stolen laptop etc that has subsequently surfaced….

Brit healthcare body rapped for WhatsApp chat sharing patient data

ShingleStreet

The reprimand is not about the technology

In my opinion, the issue here is about the lack of control over implementation and ongoing use of the technology, rather than about the technology itself.

If NHS had done a proper risk assessment, then with controls such as the following, they MAY have considered it appropriate to proceed with pre-nominated classifications of data.

Data in transit:

- analysis of the messaging service to ensure that encryption meets strength requirements, that keys are managed appropriately, that data remains encrypted between user endpoints and that encrypted blocks are not persisted along the way

Data at rest:

- configuration of Mobile Device Mgt infrastructure so that the app and its data reside in an encrypted image managed by the MDM client

- appropriate settings of the messaging app enforced by MDM to eliminate off-device, cloud backups etc

- configuration of the MDM to disable screenshotting

- audited human process to clear chats of data which is no longer current

- appropriately managed and audited MDM access control

- tightly controlled and audited human processes for provisioning access and re-attesting ongoing access to the chat group to the necessary staff only and only via MDM controlled devices

Once these sort of controls (and I’ve no doubt left out some really obvious ones) were possible and in place, then really the only data leak should come through loss or misuse (eg. taking a photo) of a legitimate device whilst in session and the NHS would need to decide as part of its pre-implementation risk assessment whether human-dependent policies and training were sufficient mitigation and the residual risk acceptable.

Missing Titan sub likely destroyed in implosion, no survivors

ShingleStreet

Echoes of the Challenger.

I can't help feeling there are strong parallels between this event and the Challenger space-shuttle disaster. In both cases strong advice from the techies was ignored.

In the case of Challenger it was the design of how o-rings interfaced to retain a seal and in the case of the Titan it was the how the pressure chamber should be properly evaluated for the effects of cyclic fatigue.

Why employ experts and then not listen to them? I've often felt that when certain management types feel threatened by some expert knowledge, they resort to a strategy of making their techie colleague look like the "classroom swot".

A dangerous management culture, and I can't see it changing.

ShingleStreet

Shoddy risk-management

An experimental hull design in 400 atmospheres of pressure.

A “preventative” control (deep analysis of the carbon fibre) was dismissed, along with its proposer.

A “detective” control (acoustic monitoring and alerting) was somehow thought to suffice.

What use is it to get an alert immediately before an implosion, when there is no way of doing anything about it?

Lost for words…

This event will be cited in risk management training for years to come.

My sympathies to those who have lost these friends and loved ones.

Pentagon super-leak suspect cuffed: 21-year-old Air National Guardsman

ShingleStreet
Facepalm

He's not the only idiot.

Bad enough that the leak wasn't prevented - but it wasn't detected either.

It's 2023 and we're all well-practised in applying security like the layers of an onion.

Assuming that this user did have legitimate access to the leaked data, there are quite a number of security controls which could have prevented, or at least detected this event:

- Physical checks of printouts, PCs and removable media leaving secure sites

- Lockdown of user PCs to a defined security posture which excludes use of removable media such as flash drives and not allowing users to administer their own machines

- Exfiltration prevention/detection systems at the network perimiter covering what should be a limited number of proxies which handle traffic to the outside

Other heads really need to roll too.