Going, going, gone
By Kim Powell
Even if an organisation’s internal computer network is as secure as Fort Knox, misplacing a simple USB key or PDA (personal digital assistant) containing confidential documents can have huge ramifications.
This will become an increasing concern as “more and more of us travel and get the chance to work even more hours with the mobile devices”, says Fredrik Borjesson, senior security engineer at Pointsec Australia.
“It’s always the latest and most up to date information that is residing on the mobile device because that is what the user is working with,” he says.
“So the challenge for government bodies nowadays is to make sure the information that is on the mobile device is as secure as if it was in the safe network that they have in their offices with their premises guarded by physical security like high fences and alarms, and to mimic that security when you are travelling overseas and interstate and back and forth to the office.”
He says the best way to do this is to encrypt the information and force people to “prove to the device” that they are an authorised user. Pointsec works with government clients in Australia and New Zealand, as well as the US Justice Department, providing encryption software for mobile applications like PDAs, laptops, smart phones and USB keys.
Last year, Pointsec purchased a hard drive on eBay that contained the current door access codes, security pass lists and employee details of the Australian subsidiary of a global finance group. The purchase, along with 13 other disks from online auction sites, was designed to test how easy it is to access highly sensitive information stored on lost laptops and hard disks. The information could be easily accessed on 12 of the 14 hard drives – all of which had supposedly been wiped clean.
Another hard disk apparently revealed customer agreements and corporate financial information which, if exposed publicly, could have serious legal ramifications due to the Privacy Act. Two other drives revealed 21,777 pictures from an internet dating site and a large number of files containing pornographic material.
“We were able to find lots of very sensitive information, so just imagine what kind of information can be found on devices that are currently being used,” Mr Borjesson says.
“Even when companies or individuals believe they have wiped the hard disk clean, it is blatantly clear how easy it is to retrieve sensitive information from it both during its current lifetime and beyond.”
It also illustrates how easy it is to purchase and access information stored on devices lost in transit – such as at airports, on public transport and in taxis – that, if left unclaimed for two months, are either auctioned or donated to charity.
Greg Stone, national technology officer for Microsoft Australia, says one of the biggest problems with a greater number of applications operating in a mobile context is the potential for malicious code to cause considerable damage.
“Malicious code [for mobiles] is going to become quite a significant problem,” Mr Stone says.
“In addressing that we need to work with governments [to ensure] when they connect that mobile device to their PC or the network, there is a policy that says that that mobile device needs to be checked out to make sure it’s got the latest patch on it or it’s free of bugs before it can connect.”
Mr Stone says the increasing use of mobile devices means governments and users are “really learning what it means to have data that can run over multiple channels” and managing this requires a two-pronged approach.
“I think that the two aspects of personal accountability for using policy and for corporations and governments actually instituting those policies are going to determine whether we can successfully use mobile channels without being compromised,” he says.
Mr Stone says in the old, paper-based days it was easy to control the movement of information, but digitisation has opened up a whole new paradigm.
“Once you get bits and bytes, the ability to move those about becomes increasingly easy but also potentially increasingly dangerous,” he says.
“When we think about security of information these days, it’s not just limited to some of the more obvious things like sending emails or taking of information from government out into the world, into the private sector where they’re unguarded. It’s also things like digital cameras or even phones that have cameras in them, being able to record information and that information then being essentially mobile and at some point likely to be connected by the internet to something else and therefore potentially compromised.
“So what we’re really seeing now is a race to comprehend what changes are occurring and what are the implications that they have for the way they do business.”
The most important thing when dealing with the public sector, Mr Stone says, is knowing what the policies are that surround the protection and use of information, and then disclosing this very clearly to users.
“Is it top secret, is it confidential, so that the user can make some assessment about how secure they need to keep that,” he says.
“It directly flows from a policy decision that is clearly articulated around a problem’s base, which is the need for disclosure or otherwise of information.”
Mr Stone says there are lots and lots of security technology tools that can be used to ensure information held on a device while in transit is protected, but the hard part is working out the policy behind the technology.
“We can make sure for example, that if that mobile device is left in the back of a taxi that someone doesn’t simply turn it on and access that information. It comes back every time to the question of what is the policy, therefore how do they want to implement that policy.”
[Wed 02/08/2006 02:39:44]