Monday, July 22, 2013

Email hacking: Could you be next?

Neil Larkins
Chief Operating Officer
Egress Software Technologies Ltd.
As a self-proclaimed technologist (or maybe just an IT geek), I'm always intrigued to see how the IT security industry is evolving. Often when I’m visiting both existing and potential customers, questions come up about the future of email: Will it continue to dominate business processes? Or will it be replaced? Are the security concerns around email really as big as many industry analysts claim?

Without question, any email user is aware of, and has probably experienced, issues caused by spam and malware. No matter how good your protection is, some of these inbound emails will still get through the net. It is a real and present problem, and a massive inconvenience for those targeted.

However, what about the security of outbound emails? I think it’s fair to say that the majority of people aren’t really aware of threats to the emails they send.

I’ve understood the risks posed to unsecured outbound email for a long time, with analogies like ‘plain text email is as secure as a postcard’ often bandied about. Until now, however, I hadn’t heard a first-hand account of real-world threats.

A close encounter

A good friend of mine, a partner in a prestigious City law firm, called last week to ask for advice. Working in the firm’s property division, he deals with many high net worth clients on regular property purchases and sales. On this occasion, he was finalising the purchase of an apartment for a particularly important client, and using mainly email correspondence, they were on the verge of completing the transaction.

My friend then went on holiday for a couple of weeks, and on returning to the office, received a rather irate and mystifying phone call from his client, demanding to know what the urgency was for the deposit for the flat to be made. Needless to say, my friend had no idea what his client was talking about – but in getting to the bottom of the situation, he unravelled an alarming tale of attempted deception.

Shortly after my friend had gone on vacation, the email trail between him and the client had been hacked. Understanding that a large purchase transaction was imminent, the hacker was then able to impersonate my friend, jumping into the existing email chain and replying without drawing attention to himself.

The target was the large sum of money that the client would be transferring as a deposit for the property. So the hacker constructed an intricate plan to convince him that there was some urgency to have the deposit transferred to the firm’s bank account. However, the hacker supplied new details, insisting that the usual account was currently unusable as it was under investigation following suspicious activity.

The hacker continued to pressure the client to transfer the funds ASAP. Although the client thought this strange, to all intents and purposes the correspondence appeared genuine: the hacker understood the intricate details of the transaction in question, and the emails were written in a similar style. Thus the client set the wheels in motion to transfer the money; however, when informed that the process would take a couple of days, the hacker replied to stress again that it be made immediately.

It was at this point that the client smelt a rat and called my friend to enquire why the funds needed to be transferred so urgently, which is when the whole story started to unfold. Luckily in this instance, disaster was narrowly avoided and the client’s email address was immediately taken offline.

An ongoing threat

So, why do I find this story so fascinating? Well, this is the first time that I have personally witnessed a clever and targeted attack for large financial gain through email hacking.

We’ve all seen phishing emails in which individuals claiming to be related to ‘your Great Uncle Percy’ advise you to immediately transfer a few thousand pounds to release your rightful inheritance; however, until now I had never seen an example of anyone intercepting and joining an existing email correspondence. Having read the emails, there are a few suspicious signs, but on the whole they were very cleverly crafted – and the plan only fell apart due to the hacker’s impatience.
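The ‘suspicious signs’ in a hijacked thread tend to be of two kinds: header oddities (a Reply-To or Message-ID that points somewhere other than the purported sender’s domain, or a sender address that never appeared earlier in the thread) and content oddities (new bank details arriving together with pressure to pay immediately). As an added example that is not part of the original post, the script below runs those checks over a constructed three-message conveyancing thread. All names, domains, sort codes and account numbers in it are invented, and the thresholds and keyword lists are illustrative assumptions rather than anything the post describes.

```python
"""Flag thread-hijack indicators in an email chain (added example, not from the post).

The thread below is constructed: every address, domain and account detail is
invented. The first `baseline` messages are assumed to be genuine and are used
only to learn who the legitimate participants are.
"""
import email
import re
from email import policy
from email.utils import parseaddr

THREAD = [
"""From: Alex Partner <alex@example-law.co.uk>
To: client@example-client.com
Subject: Re: Purchase of Flat 4 - completion
Message-ID: <1@example-law.co.uk>

Completion is set for the 29th. The deposit goes to the firm's client
account as per the details in my letter of the 3rd.
""",
"""From: client@example-client.com
To: Alex Partner <alex@example-law.co.uk>
Subject: Re: Purchase of Flat 4 - completion
Message-ID: <2@example-client.com>
In-Reply-To: <1@example-law.co.uk>

Understood, I will arrange the transfer next week.
""",
# The interloper: same From, same subject, but Reply-To and Message-ID point
# elsewhere, and the body swaps the bank details and demands immediate payment.
"""From: Alex Partner <alex@example-law.co.uk>
Reply-To: alex.partner@example-law-co.uk.mailhost.example.net
To: client@example-client.com
Subject: Re: Purchase of Flat 4 - completion
Message-ID: <3@mailhost.example.net>
In-Reply-To: <2@example-client.com>

Our usual client account is currently unusable as it is under
investigation following suspicious activity. Please transfer the deposit
immediately to the new account below; this must be done today.
Sort code 00-00-00, account number 00000000.
""",
]

# Illustrative keyword lists (assumptions, not a vetted detection ruleset).
URGENCY = re.compile(r"\b(immediately|urgent(?:ly)?|today|asap)\b", re.I)
PAYMENT_DETAILS = re.compile(
    r"\b(?:new|different|alternative) (?:bank )?account\b|"
    r"\b(?:sort code|account number|iban)\b", re.I)


def addr_of(header):
    """Bare addr-spec (lower-cased) from a From/Reply-To/Message-ID header."""
    return parseaddr(str(header))[1].lower()


def domain_of(header):
    return addr_of(header).rsplit("@", 1)[-1]


def analyse_thread(raw_messages, baseline=2):
    """Return [(index, [reason, ...])] for messages after the baseline that
    show hijack indicators. Indices refer to raw_messages."""
    msgs = [email.message_from_string(m, policy=policy.default) for m in raw_messages]
    known_senders = {addr_of(m["From"]) for m in msgs[:baseline]}
    known_domains = {domain_of(m["From"]) for m in msgs[:baseline]}

    findings = []
    for idx, msg in enumerate(msgs[baseline:], start=baseline):
        reasons = []
        sender = addr_of(msg["From"])
        if sender not in known_senders:
            # Covers a lookalike domain joining the chain mid-way.
            reasons.append("sender-not-in-thread")
        if domain_of(msg["From"]) not in known_domains:
            reasons.append("sender-domain-not-in-thread")
        if msg["Reply-To"] and domain_of(msg["Reply-To"]) != domain_of(msg["From"]):
            # Replies silently diverted away from the real mailbox.
            reasons.append("reply-to-mismatch")
        if msg["Message-ID"] and domain_of(msg["Message-ID"]) != domain_of(msg["From"]):
            # Heuristic only: some legitimate relays also do this.
            reasons.append("message-id-domain-mismatch")
        body = msg.get_body(preferencelist=("plain",)).get_content()
        if PAYMENT_DETAILS.search(body) and URGENCY.search(body):
            reasons.append("new-payment-details-with-urgency")
        if reasons:
            findings.append((idx, reasons))
    return findings


if __name__ == "__main__":
    for idx, reasons in analyse_thread(THREAD):
        print(f"message {idx}: {', '.join(reasons)}")
```

Run stand-alone it reports only the third message, for the Reply-To and Message-ID mismatches and the payment-details-plus-urgency pattern. None of these checks is proof of compromise on its own (a busy relay can legitimately set a foreign Message-ID domain), which is why the function returns the reasons rather than a verdict: the point is to give the recipient, or a mail gateway, something concrete to query out-of-band before any money moves.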

This is obviously quite worrying for anyone using plain text emails to share confidential information – and hackers like these are surely only going to improve on where they went wrong last time.

I guess the real question is: Are you confident that your email correspondence is protected from prying eyes? If not, could you be next?

Wednesday, July 10, 2013

Unravelling the myths, misunderstandings and misinterpretations that surround the process of sharing IL3 (RESTRICTED) data with external third parties

Caroline Howard
Business Development Manager
Egress Software Technologies Ltd.
From the outside, much of what Egress Software Technologies does can appear a little mysterious. The very phrase ‘data encryption’ tends to conjure up thoughts of Mission Impossible and James Bond, rather than of your stereotypical office worker sharing confidential data securely as part of their job.
However, data security is a very real and serious issue that affects every organisation – large or small, public or private.

The challenge for government organisations

As transparency and cost-cutting measures continue to bite, there is an increasing demand for UK government to collaborate more effectively in order to improve efficiency and cost effectiveness. As more services are outsourced to external third parties, the amount of highly sensitive data leaving accredited government networks will only increase.

Despite this demand to share information more effectively, there remain many myths and misunderstandings about what information can be shared, and how this can be done. This isn’t down to a lack of either the technology that enables secure data exchange or the policies and procedures that underpin data security, but to a fundamental misinterpretation of how this process should be handled.

When talking about these misunderstandings, I must bring attention to the Government Protective Marking Scheme (GPMS), which requires that broad classes of government-generated information (including email) be given an appropriate protective marking, with a corresponding Impact Level (IL0 to IL6), and handled accordingly. These Impact Levels are used to protect information from intentional or inadvertent release to unauthorised recipients.

However, I believe that, inadvertently, Impact Levels have become the source of much of the confusion regarding information sharing in government – particularly when it comes to sharing IL2, IL3 (RESTRICTED) and IL4 data, which make up over 95% of government data.

It's not about 'playing' with Impact Levels

There is an apparent contradiction between Impact Levels, the procedural policies organisations put in place and the real-life scenarios that individuals face when sharing information with third parties. Too many government organisations are either preventing data sharing because it is ‘too sensitive’ or re-grading IL3 information to justify its release through an IL2 mechanism.

This, however, either hinders business processes or places confidential data at unnecessary risk.

At the heart of the matter lies the misconception that because a third party is not on an accredited IL3 network, information cannot be shared with them. Instead, government organisations should be encouraged to take a ‘Risk Managed Approach’, rather than ‘playing with Impact Levels’ and adjusting them to suit their needs.

What is a Risk Managed Approach?

CESG are clear that organisations should not expose sensitive information to unnecessary risk, but instead examine ‘the appropriate procedures and technologies in place so that they can be used to protect the information to the best of an organisation’s ability and at all points where they are responsible for that information’. However, CESG also acknowledge that ‘too many automatically associate IL3 assets with something that ‘can’t be released’, as opposed to something that needs to be released, a massive misinterpretation of how impact levels are supposed to work.’

So, how can IL3 data be shared securely?

The answer lies in taking a Risk Managed Approach to secure data sharing, regardless of whether the data is marked IL2, 3 or 4. Working closely with their lead accreditor and SIRO, organisations need to identify the associated risks of sharing data, set out the policies to manage this risk, and ensure that the chosen technology solution has been evaluated and tested against these risks and policies. This doesn’t lower or re-grade the Impact Level, but rather uses it appropriately to gauge the sensitivity of the data being shared and any risks posed to it. In doing so, the organisation can complete necessary business transactions and ensure that the data is protected ‘to the best of their ability’ while they are responsible for it.

Finding the balance

Currently, there are too many myths and misinterpretations around the way sensitive information can be shared outside government, with many hiding behind Impact Levels. As a security community, we must work together to encourage best practice data sharing outside of government secure networks. Ultimately, we must remain cognisant of the risks that this poses, focusing on ensuring confidentiality and integrity.

Thus we must find the proper balance between affording information the right level of protection at all times and facilitating the growing need to share data with the third sector. By applying a sensible risk assessment and using CESG’s recommendations, organisations must rid themselves of the misunderstandings and misinterpretations that result in data either not being shared at all or being shared insecurely.

Through a combination of the correct technology and risk assessment procedures, data can flow securely between organisations, with Impact Levels existing to complement and protect, rather than hinder, this process.

Monday, July 1, 2013

Is Pandora’s Box finally open?

Tony Pepper
Chief Executive Officer and Co-Founder
Egress Software Technologies Ltd.
A couple of days ago I was waiting in an airport departure lounge about to board a plane to Oslo. While sipping a coffee and watching the clock count down, I noticed out of the corner of my eye that one of the TV screens was playing a BBC update on the GCHQ data hacking story. I found myself listening to so-called ‘data security experts’ offering advice and guidelines surrounding best practice information security designed to help protect organisations and individuals from unauthorised personnel (including Government bodies) accessing sensitive information.

Suddenly, a thought came over me: Is this the story that will provide the catalyst for finally opening the lid on the public’s perception of data security? Will this story contribute towards long-term change in traditional data sharing habits and trends – in particular how cavalier businesses can often be when handling sensitive data?

From my perspective, I think there are two issues here.

Firstly, I'm amazed that organisations and individuals are so surprised by this recent ‘revelation’. If you’re happy to place personal data in the Cloud without any assurance from your Cloud Provider as to the physical location of that data and what legal jurisdiction/laws it subsequently falls under, are you really that shocked when governments collaborate to access your crown jewels?

Secondly, are businesses and individuals outraged by this news because they feel their privacy has been violated by the global brands they have come to trust, or is there a deeper-seated issue here? Do organisations and individuals want their basic human right to data privacy irrespective of ‘greater good’ intentions from governments claiming national security waivers?

I wonder if this story has brought into question the very foundations on which democratic society has been built by placing the spotlight on the age-old balance between individual privacy rights and the utilitarian approach to managing national security – the paradoxical struggle between security services and human rights activists that has existed since the beginning of time.

As Chief Executive of a company that develops encryption software designed to provide customers with assurances around precisely who is accessing their data and where it is being accessed, I feel we definitively address one aspect of this debate but remain somewhat philosophical about the broader subject of an open and transparent society, questioning whether this is something we should collectively endorse or not. However in either instance, I’m pleased to see this debate raised at national and international levels and watch in anticipation to see how this plays out over the coming months and years.