Tuesday, October 29, 2013

What is the government doing to protect my data? Recent ICO fine is a wake-up call for us all

Daniel Hoy
UK Marketing Manager
Egress Software Technologies Ltd.
Last week, the latest Information Commissioner’s Office (ICO) fine hit the headlines – and for those of you who don’t follow the data security news as closely as I do, it was a big one! The Ministry of Justice, no less, was fined £140,000 due to a serious data breach that saw the details of prisoners at Cardiff Prison (all 1,182 of them) emailed incorrectly to three of the inmates’ families. The details included names, ethnicity, addresses and release dates – and as an internal investigation discovered, the same mistake had been made twice previously.

So concerned was the prison, they sent a member of staff accompanied by the police to the homes of each recipient to ensure the information had been properly deleted.

In isolation this story is worrying enough, but when you visit the ICO news pages you realise that this is just one of many similar incidents across the Public Sector, involving everyone from NHS trusts all the way to local authorities. This raises the following questions:

  1. What steps are being taken to protect data shared outside of government networks in order to prevent these breaches?  
  2. Is the government really protecting me and my data?

Facilitating the information security debate

Egress Software Technologies recently hosted an IL3 Certification Briefing in the Tower of London, partly to raise awareness of our status as the only UK Government CPA Foundation Grade certified email encryption product, but also to facilitate debate between government departments on the topic of secure data exchange.

Having attended the event, there is no doubting the appetite from within government to resolve the issue of how to share sensitive information with third parties that sit outside existing accredited networks, such as GCSX, NHSmail and CJSM.

Egress Switch offers part of the solution, as a spokesperson from CESG explained: “Egress’ innovative technology and commitment to demonstrating that it meets CESG’s standards means that the end-user has confidence that they are selecting an email encryption product that has been approved by CESG and is capable of protecting their organisation and the data they share from external threats.”

No easy answer

But the debate runs deeper than simply which email encryption solution to invest in. What became apparent when CESG representatives Geoff Eden (Deputy Technical Director) and Jon Lawrence (Technical Director) presented on the new Cabinet Office Classification Scheme and the CPA landscape, was the confusion and misunderstanding that seems to exist amongst the audience when it comes to sharing information outside of government. My colleague Tony Pepper presented on this topic at Infosecurity Europe 2013 in April, and again the feedback and questions posed were very similar.

Education, therefore, clearly has a part to play in this debate. Only when you combine effective technology solutions with end-user understanding of the steps that are needed to protect sensitive information, can you truly ensure you have a comprehensive data protection policy in place.

At Egress, we feel our technology offers this platform; working alongside CESG and other government bodies, the educational piece now needs to follow!

Monday, October 21, 2013

Will going paperless improve data security?

Natalie-Kym Vinnicombe
Business Development Manager
Egress Software Technologies Ltd.
Since as early as the 2nd century AD, paper has been used as the transport mechanism for information; but in today’s digital world, are the days of paper numbered?

The notion of ‘going paperless’ has hit the headlines through Health Secretary Jeremy Hunt’s ambitions for a ‘paperless NHS’ by 2018. This has got me thinking about the positives this approach could bring – although there are plenty of critics of his plans as well. Aside from the environmental benefits of going paperless (in the US and Canada alone, pulp mills are the third largest industrial polluter), there is a strong business case behind it.

What’s the value of going paperless?

When sending a document, there are several elements to consider:
  • Operational costs – such as the physical costs of paper, envelopes, printing, etc, as well as transport costs like stamps and couriers
  • Efficiency costs – how long will it take to get data from one place to another? Will this slow down operations and processes already in place? Would minimising this timescale make a business more efficient and therefore more profitable?
  • Security – once the data has left your control, you have minimal influence over whether it will reach the intended recipient in one piece and unread, or what the recipient will do with it in terms of sharing it with other people or losing it

Being an IT security company, this final element is where Egress’ main interests lie (although, obviously, we’re keen to improve efficiency and reduce costs for our customers as well). And when looking at paper as a way of sharing confidential data, there are many security concerns that can be raised.

What about data security?

The truth of the matter is, as soon as it’s in the post, there isn’t really any way of securing or controlling that data any longer, and you have no visibility of it either.

So, let’s take a closer look at this.

An admin assistant in Office A needs to send a sensitive document to a specific person at Office B. They either arrange a courier or send the package via post, and it is then delivered to Person B, who takes a read.

While this might seem like a simple scenario, there are endless possibilities that can put that data at risk, including:
  • Admin errors – the wrong address could have been supplied or it was accidentally written down incorrectly. Or the admin assistant could have spilt their morning coffee over it, and a letter intended for Newcastle-under-Lyme is suddenly heading towards Newcastle-upon-Tyne
  • Physical security – my first concern is: How safe is an envelope? Certainly not as safe as a padlock or AES 256-bit encryption. You simply use opposable thumbs and – voila! – the document is open. Does it fill you with confidence to know even a monkey can manage that? (I know some clever clogs will be thinking monkeys can’t read, but…) Further, while sending documents via registered post increases physical security slightly, it is costly and inefficient to do so.
  • The recipient’s behaviour – so, accepting that everything thus far has gone well (the document has been delivered, unopened, to the recipient), what happens next? Well, the truth of the matter is, I don’t know – and neither will you! You have to hope that your local MP doesn’t dump it in a bin or it doesn’t fall out of a police vehicle. You have to hope that no-one leaves it on a train or in a café, that it isn’t stolen, sold or sent on to everyone in the local area… The list is endless!

Data loss and breaches can damage business reputation, as well as cause untold stress to the individuals involved. That being the case, my question is: How can you choose to share sensitive information by essentially crossing your fingers and relying on a bit of luck that it will not only reach the intended recipient, but that their behaviour isn’t going to land you with a fine from the Information Commissioner’s Office of up to £500K? It seems like a lot of responsibility to hand over to every third party you do business with on a daily basis, but this is how many organisations still behave. We may have developed the technological resources to support electronic communication, but many still live in a world of paper.

I don’t think we can be blamed for wanting to hold on to what we know – and we’ve relied on paper for almost 2,000 years! As a secret sci-fi geek, I was mortified by the fact that Captain Jean-Luc Picard read classic books on a mechanism that looked surprisingly like a Tablet device (although once someone buys you an eReader for Christmas, you finally realise it makes sense). However, the benefits of going paperless can’t be denied – with the appropriate mechanisms in place, not only will security be improved, but financial overheads will be reduced and efficiency increased. 

Friday, October 4, 2013

Encryption 101: The Playfair Cypher

Jack Hammond
Junior Developer
Egress Software Technologies Ltd.
Films such as Disney’s National Treasure would have us believe that encryption is confined to professors and academics, or that it is the stomping ground of computer whizzes who sit staring at a screen, watching line upon line of code stream past them until a big message flashes up saying that they have ‘cracked the code’.

In reality, encryption is a fascinating art that spans thousands of years and has the addictive property that the more you learn, the more you want to apply it.

Given that I opened this post mentioning the film National Treasure, I think it’s only apt that we start with the cipher that was made famous in the film: the Playfair Cipher, which was created by Charles Wheatstone in approximately 1854.


Grasping the encryption basics

The fundamentals of the Playfair cipher are fairly straightforward:

  • Pick a keyword that does not have any repeated letters
  • Draw a 5x5 square
  • Write the keyword along the top, moving on to the second line if you need to
  • With that done, add in the rest of the alphabet, skipping the letters that are already in the keyword, and putting I and J in the same cell (since there are 25 cells but 26 letters, it is common practice to place these two letters together)

So for example, if I set the keyword as ‘KEYWORD’, then my completed square would look like this:


With our square laid out, now we can begin the fun part of encrypting a message of our choosing. Just as with constructing our square, there are a few steps that need to be taken to prepare the string of text for encryption. For the purpose of this exercise, I’ll be using the following phrase:
‘The lazy hippo likes to burp’

  • Divide the phrase up into pairs of letters;
    • Th el az yh ip po li ke st ob ur px
    • As you can see here, I’ve added an ‘x’ to the end of the phrase, which is done if there’s an odd number of letters or the same letter forming one pair (so ‘tree’ would become ‘tr ex ex’)
  • Next we take each pair in turn, and depending on the location of the letters in the square, we do one of several things: (original letters are highlighted in purple, and blue ones are encrypted letters)
    • If the letters are in the same column: Take the letter immediately below the source letter. If the letter is on the very bottom row, just wrap round and continue down from the top row

'YH' is encrypted to 'AP'

    • If they are in the same row: Take the letter immediately to the right of the source letter. If the letter is in the very right-hand column, just wrap round and continue on from the left-hand column.

'IL' is encrypted to 'LF'

    • If they are in different columns and rows: Draw a rectangle round the two letters, then for each letter take the one in the opposite corner that is still on the same row as the original letter

'TH' is encrypted to 'VF'
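
The steps above as a runnable sketch, added here as an illustration and not code from the original post. The function names are my own, and using Q as the filler when the letter being padded is itself X is an assumption the post does not cover; the sketch also goes slightly beyond the text by decrypting, which moves left/up instead of right/down.

```python
import string

def build_square(keyword):
    """Return the 25-letter square as one string, read row by row."""
    seen = []
    for ch in keyword.upper().replace("J", "I") + string.ascii_uppercase:
        if ch in string.ascii_uppercase and ch != "J" and ch not in seen:
            seen.append(ch)
    return "".join(seen)

def to_pairs(text):
    """Split text into letter pairs, padding doubled letters and odd lengths."""
    letters = [c for c in text.upper().replace("J", "I") if c in string.ascii_uppercase]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        pad = "Q" if a == "X" else "X"   # assumption: Q pads when the letter is X
        b = letters[i + 1] if i + 1 < len(letters) else pad
        if a == b:                       # doubled letter: pad, reuse the second one
            pairs.append(a + pad)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs

def transform(pairs, keyword, step):     # step=+1 encrypts, step=-1 decrypts
    sq = build_square(keyword)
    out = []
    for a, b in pairs:
        ra, ca = divmod(sq.index(a), 5)
        rb, cb = divmod(sq.index(b), 5)
        if ca == cb:                     # same column: move vertically, wrapping
            out.append(sq[(ra + step) % 5 * 5 + ca] + sq[(rb + step) % 5 * 5 + cb])
        elif ra == rb:                   # same row: move horizontally, wrapping
            out.append(sq[ra * 5 + (ca + step) % 5] + sq[rb * 5 + (cb + step) % 5])
        else:                            # rectangle: keep the row, swap the columns
            out.append(sq[ra * 5 + cb] + sq[rb * 5 + ca])
    return out

def encrypt(text, keyword):
    return " ".join(transform(to_pairs(text), keyword, +1))

def decrypt(cipher, keyword):
    return " ".join(transform(cipher.upper().split(), keyword, -1))

if __name__ == "__main__":
    sq = build_square("KEYWORD")
    print("\n".join(" ".join(sq[r:r + 5]) for r in range(0, 25, 5)))
    print(encrypt("The lazy hippo likes to burp", "KEYWORD"))
```

Run directly, it prints the 5x5 square for ‘KEYWORD’ followed by the encrypted pairs for the example phrase.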

Putting this together

So now that we know the basics of the Playfair cipher, we should be able to encrypt our original secret message to:

VF OG CV AP HQ SY FL EY MZ WC TD QV

As you can see, the encrypted text hides our original message quite well; however, there are numerous drawbacks to the Playfair cipher, mainly to do with repeated letters. The fact that the keyword can’t contain repeated letters drastically shrinks the size of the key pool that can be used with this cipher, which of course affects how long it would take a computer to crack this code (by today’s standards, this is usually several seconds up to a few minutes).

All in all, however, the Playfair cipher remains an early testament to the importance of encrypting sensitive information.

Your turn to crack the code (try these at your desk!)

  1. Using the keyword of ‘software’, encrypt the phrase below:
    • The City of London
    • (Answer: fi ba pb vt sn fm gs xf)
  2. Using the keyword of ‘horse’, encrypt the phrase below:
    • They’re coming from the east
    • (Answer: Ns sz sh br gk vn ce ei ns rz hf dy)
  3. Using the keyword ‘encrypt’, decrypt the secret code below:
    • Ao bc up oz fc ba md mc ru
    • (Answer: Charles Wheatstone)