Finding The Hidden InfoSec Story

Ever Lost Your Phone?

Photo Credit: dmott9 via Compfight cc
Can’t find your phone?

Most of us have temporarily mislaid or lost a phone.  Perhaps, if very unlucky, you’ve had one stolen.

It’s a nightmare.

Initially it’s an utter pain to have no means to contact people while on the move and not to be contactable.

Then there are all your contacts, including numbers, addresses, email addresses and birthdays.

Not to mention that picture of your daughter taken on her first day of school, the video of her riding her bike for the first time or the snap taken of the whiteboard where you’d mapped out a revolutionary way to double profits, but hadn’t yet transcribed it onto your laptop.

There’s lots of bought content on there too, including movies, apps and music.

Then you think about all the websites with automatic logon enabled: Facebook, your webmail, your Amazon account, plus the odd password stored on there just in case cookies get deleted.  Oh dear, there are bank account details as well.  Account number, sort code and PIN.  Not something you’d usually do, but you’ve just changed banks and have struggled to memorise them.

I’m sure while reading this, you’re thinking it isn’t as bad as it sounds. Thinking there’s lots in place to keep potential fallout under control:

  • Insurance to get the handset replaced.
  • A quick way to get the phone barred.
  • A sync application so locally stored photos, videos and contacts are safely backed up to your laptop.
  • Some stuff that’s always been on the company network or personal cloud storage.
  • Records of purchases stored by media and app vendors so you can download things again without incurring additional costs.
  • A password safe on the phone with one very strong password to open it. One you haven’t put on your phone or written down.
  • Access from other devices to change your on-line passwords.
  • Two-factor authentication using a smart card for your bank and the means to quickly get your PIN changed.
  • Bluetooth and Wi-Fi disabled or securely configured.
  • The phone automatically locks and has a password to unlock it.
  • Encryption for data stored on the handset and on any extra storage bolted on, such as a memory card.
  • Knowing the risks and the controls that make sense to have on the phone and generally taking good care of it.  Never leaving it in the car, on the table in the pub when you nip to the bar, or on show in an easily accessible pocket or open bag.

Not so bad….right?

Now think about all the variables here.  Things that might not have been put in place, or done right, that up the likelihood the phone will be compromised:

  • Did you bother with a password safe or just try to hide passwords amongst your contacts?
  • Have you got your access token for your bank or has it gone missing with your phone?
  • Are Bluetooth and Wi-Fi always on?
  • Does the device automatically lock, is there a device password and if there is, how strong is it?
  • Did you enable storage encryption?
  • Were you aware of the implications of losing the phone?  Did you bother to find out about controls it’s good to have and do you always take care of it when out and about?

And what about the severity of the fallout? That also depends on a number of things:

  • Whether or not you took out that phone insurance.
  • What you stored on the device:
    • Things with personal, corporate or inherent financial value (photos, videos, emails, that profit generation plan).
    • Things providing access to things with personal, corporate or inherent financial value (bank details, passwords, URLs with stored logon details that give access to sites like Amazon, your company network or your cloud storage).
  • Security of the websites that are at risk e.g. automatic flags for suspicious activity.
  • What you have added to local phone storage since the last time you backed it up, if you backed it up at all.

Then you need to take into account situational factors that can increase the probability and/or impact of your phone being compromised:

  • Where it was lost – was it mislaid somewhere busy and public or somewhere private and relatively secure like a private residence or an office?
  • How quickly you realised it was gone and how quickly you notified the right people and changed vulnerable passwords and pins.
  • Who stole it or found it – someone malicious with the means to crack phone security or with easy access to others who can?

You also have to ask yourself whether others might be at risk.

  • Do the contents of your phone affect the privacy of your personal contacts and put them at risk of data or identity theft (names, addresses, dates of birth, something in texts or something in your email)?
  • Could it impact your employer’s physical, information or commercial security (that plan on the whiteboard, other documents stored, something in texts or something in your email)?

I’m tired already, don’t know about you.

Perhaps worth summarising the kind of fallout I’ve talked about:

1. Immediate availability impact – no phone, no contacts, no mobile internet access, no access to new or stored emails or any other locally stored data.

The data availability issue is mitigated by regular backups.  Hardware loss is a very short-lived, low impact problem, if you have insurance, or funds, to cover the replacement and you can communicate in other ways in the meantime.

2. Opportunistic compromise – Stuff that can be done without much effort e.g. using the phone, transferring unsecured locally stored data, exploiting unsecured passwords and sites with automatic logon enabled.

This is more likely, but less impactful, than a determined expert attempt to compromise the phone.   Risk largely mitigated by good standard security and prompt/thorough response to the loss.

3. Expert direct compromise – People who have the skills to defeat controls like the unlock password and storage encryption, or to exploit the phone’s Wi-Fi and Bluetooth interfaces, to get at local data.

4. Expert indirect compromise – When people have the motivation and means to use acquired access and data to perpetrate fraud or identity theft on either you or other people exposed by what’s on your phone.

Both of the latter are typically more impactful, but far less likely.  Prompt/thorough response to the loss becomes vital and even robust controls can only reduce the risk.

Ok, so it’s happened, but how much has it cost you?

How do you measure things that don’t have an obvious financial value?  It’s easy to cost a new handset, money missing from your bank account and fraudulent purchases on Amazon.   How do you slap a pounds and pence figure on the other stuff?

  • Things you couldn’t do because you didn’t have your phone.
  • Those unique pictures of your kids
  • That plan to turn the business around.
  • The damage to relationships with others because you had to tell them you lost their personal data and put them at risk.

Of course this isn’t the whole story.  You don’t have to lose your phone for it to be at risk.

Anyone with a family knows the accidental or intentional mischief your children can get up to if you let them.  Then there’s the increasing risk of malware infection or hacking via email, Bluetooth, wireless or the web.   Things that bring nice surprises like £200 spent on Facebook app add-ons, that video you never meant to share going viral on YouTube or infected mails getting sent to your contacts.

Many of the same control considerations still apply, but focus shifts to access control, malware protection and keeping an eagle eye out for anything suspicious.

So what does all that really mean?

The answer is not much.  It’s stuff you already do.  You take risks every day and instantly make good decisions.  This thought process is a back stop to make sure you haven’t missed something.

Just make sure you have a solid feel for the fallout that can happen if your phone goes walkies or gets messed with.  Think realistically about how likely that is to happen.  Take into account how careful you are and the kind of security you already have in place.  Then make a reasonable judgement call about insurance and locking it down more.

Things like strong passwords to unlock your phone can be inconvenient, but how does that stack up to the consequences of not doing it?

That’s sorted then…

…kind of.

Now imagine you’re responsible for all phones belonging to your friends and extended family.  In fact, just for fun, imagine having responsibility to assess risks and secure phones for everyone you’ve ever met, no matter where they are in the world.

You are on the hook to gather the kind of info I’ve talked about here for each one, looking at all factors impacting the level of risk, educating owners and advising on the right type and level of control.

All the work involved in monitoring for problems and quickly responding to unauthorised access, loss or theft.  Assessing how bad it is, minimising impact, finding out what happened and working out how to reduce the risk of it happening again.  Keeping everyone potentially impacted informed to reduce damage to relationships.

Welcome to the life of a corporate information security team.

Replace the word ‘phone’ with the words ‘data store’ or ‘data transfer mechanism’.  Wrappers around information assets.  Pots of more or less confidential data the company has responsibility to protect.  Data giving people the means to cause the business, partner companies, shareholders and/or customers financial, strategic, regulatory, operational or reputational pain.  Data on end user devices, data on removable storage devices, data on servers, data on paper, data in transit and data with third parties.

Start to grasp the challenge?

Whether assessing future risks or picking the bits out of an information security incident, it’s a universal headache to do it robustly and consistently. Especially the fun and games trying to quantify non-financial impact and cross reference lots of low level contributory risks to risks at a level the board understands and finds useful. You have to have enough expertise, budget and backing to get something worthwhile in place and maintain value-add over time.

It’s not impossible and there are great resources out there to help: the ISO 2700x standards, solid methodologies like FAIR and ISACA’s Risk IT, excellent insights from people like Douglas Hubbard in his book “How to Measure Anything” and good risk management tools to tame mountains of risk data.
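To show what those methods actually do with the phone scenario, here is an added example in Python; it is not code from the original post. FAIR splits each risk into loss event frequency and loss magnitude and runs them through a Monte Carlo simulation, and Hubbard’s approach feeds it calibrated 90% confidence intervals rather than single guesses. The three scenarios mirror the fallout categories above (availability, opportunistic compromise, expert compromise); their intervals are constructed for illustration, not measured data, and would in practice come from incident records or calibrated estimators. The output is the kind of figure a board can use: expected annual loss and the loss in a bad (95th percentile) year, per scenario and in total.

```python
"""FAIR-style Monte Carlo estimate of annual loss from lost or compromised phones.

Added example, not from the original post. Scenario intervals are constructed
for illustration only.
"""
import math
import random
import statistics

Z90 = 1.6448536269514722  # z-score bounding a two-sided 90% interval


def lognormal_from_ci(low, high):
    """Turn a calibrated 90% confidence interval into lognormal (mu, sigma).

    Lognormal suits loss data: strictly positive and right-skewed, so the
    rare expensive event is not averaged away by the many cheap ones.
    """
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    ln_low, ln_high = math.log(low), math.log(high)
    mu = (ln_low + ln_high) / 2
    sigma = (ln_high - ln_low) / (2 * Z90)
    return mu, sigma


def lognormal_mean(mu, sigma):
    """Analytic mean of a lognormal variable."""
    return math.exp(mu + sigma ** 2 / 2)


def poisson(rng, lam):
    """Knuth's sampler for a Poisson count; adequate for the rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


# Constructed scenarios, one per fallout category in the post:
# (name, 90% CI for loss events per year, 90% CI for loss per event in GBP)
SCENARIOS = [
    ("availability: handset lost, replaced, time wasted", (20, 60), (150, 800)),
    ("opportunistic compromise: stored passwords, auto-logon", (2, 10), (500, 8000)),
    ("expert compromise: fraud or identity theft", (0.05, 0.5), (20000, 400000)),
]


def analytic_expected_loss(scenarios):
    """E[annual loss] = sum over scenarios of E[events per year] * E[loss per event]."""
    total = 0.0
    for _, freq_ci, mag_ci in scenarios:
        total += lognormal_mean(*lognormal_from_ci(*freq_ci)) * lognormal_mean(*lognormal_from_ci(*mag_ci))
    return total


def simulate(scenarios, trials=10000, seed=7):
    """Simulate `trials` years; return (per-scenario annual losses, total annual losses)."""
    rng = random.Random(seed)
    params = [(name, lognormal_from_ci(*f), lognormal_from_ci(*m)) for name, f, m in scenarios]
    per_scenario = {name: [] for name, _, _ in scenarios}
    totals = []
    for _ in range(trials):
        year_total = 0.0
        for name, (f_mu, f_sigma), (m_mu, m_sigma) in params:
            # Uncertain event rate for this year, a Poisson count of events at
            # that rate, and an independently sampled magnitude for each event.
            events = poisson(rng, rng.lognormvariate(f_mu, f_sigma))
            loss = sum(rng.lognormvariate(m_mu, m_sigma) for _ in range(events))
            per_scenario[name].append(loss)
            year_total += loss
        totals.append(year_total)
    return per_scenario, totals


def summarise(losses):
    """Mean plus the percentiles a board will ask about ('what does a bad year cost?')."""
    xs = sorted(losses)
    n = len(xs)

    def pct(q):
        return xs[min(n - 1, int(q * n))]

    return {"mean": statistics.fmean(xs), "p50": pct(0.50), "p90": pct(0.90), "p95": pct(0.95)}


if __name__ == "__main__":
    per_scenario, totals = simulate(SCENARIOS)
    for name, losses in per_scenario.items():
        s = summarise(losses)
        print(f"{name:55s} mean £{s['mean']:>10,.0f}  p95 £{s['p95']:>10,.0f}")
    s = summarise(totals)
    print(f"{'all phone scenarios':55s} mean £{s['mean']:>10,.0f}  p95 £{s['p95']:>10,.0f}")
    print(f"analytic expected annual loss: £{analytic_expected_loss(SCENARIOS):,.0f}")
```

Two things the numbers make visible that the prose cannot: the rare expert compromise dominates expected loss even though it almost never happens, and the 95th percentile year is several times the mean, which is the figure that decides whether a control is worth its cost. The same structure scales from one phone to every data store in the company, which is the cross-referencing of low-level risks to board-level figures described above.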

Yes, I know investment in risk management technology can be extremely costly. An interim solution, underpinned by a database, might serve your purpose.  But, as a general rule of thumb, if you can’t produce a good risk assessment and useful, board-friendly risk reports using spreadsheets, don’t think a tool will make a difference.

If risk and incident management hasn’t worked well for a while, things have probably become reactive.  Who can blame senior management for having knee-jerk reactions to problems if they weren’t aware of risks or risk information was poor?  InfoSec staff can be diverted from business-as-usual (BAU) tasks for weeks following an incident: shoring up existing risk information, explaining what existing controls do, explaining what failed and pitching (often unsuccessfully) for investment to plug gaps and get the risk management effort back on track.

It will take time and effort to improve InfoSec awareness, rebuild credibility and garner support from key stakeholders to make a change, but perhaps less now than in the past. Board members are painfully aware of the fact that corporate InfoSec incidents are no longer relegated to the technology pages of the mainstream press, regulators are growing bigger teeth and the threat of organised cyber-crime is a here-and-now reality.

So, that’s my entirely personal perspective on some key InfoSec incident and risk management challenges, including one last thought:

No risk management effort is going to work unless all stakeholders open their minds to one vital fact:  No-one can prevent all incidents, just like no-one can guarantee staff will stop losing phones.

Circling back to the analogy…

…yes, loss, theft or misuse of your phone is likely to ruin your day.  But, if you have the right protection, spot problems quickly, call who you should and close down opportunities for bad people to do harm (if they can get at phone contents), it’s not going to ruin your whole week.

That’s the kind of peace of mind all information security teams want the means to provide to their stakeholders.

Author: Sarah Clarke
