Tuesday 15 February 2011

£63 million for the police to fight Cybercrime

So, the police are going to be allocated £63 million from the £650 million made available to 'beef up' Britain's cyber defences.

My question is: Is this an appropriate organisation to be tasked with this role? I suspect it is not. Now that the money has fallen into the police budget, it will offset other spending cuts applied by the government's austerity measures. In short, those police personnel who would have been made redundant may now find themselves assigned to cyber defence work, whether they are suitable or not.
I believe the full £650 million should have been assigned to a new organisation tasked with cyber security, with the sole purpose of blocking cyber attacks and, wherever possible, identification and prosecution of offenders. With the police having the funding assigned to them, there is an imperative to retain and retrain staff for the role rather than employing suitably trained and experienced personnel who are ready to commence the tasks required.

A full UK Cyber Defence Organisation could be provided with the authority and access to identify those organisations that are actively being exploited with a view to contacting them directly and perhaps even offering a commercial service to allow said organisations to employ them to secure their systems against such further attacks.
Naturally, such an organisation would require an unprecedented level of access to Internet traffic and there would be immediate privacy concerns over what is viewed by them but surely, it would be better for this to be in the hands of an independent service rather than the police who will have other issues to deal with and might want to leverage the access afforded to facilitate additional investigations, drawing further resources away from the primary objective.

It's not an easy task, and the levels of funding being suggested are appropriate to tackle the task at hand but in no way adequate to completely eradicate the threat - no level of funding could be.

I will watch closely how the remaining 90% of the £650 million will be distributed. I'm sure the MoD will be allocated a portion of the funding and the same issues will apply with regards to redeployment of staff, retraining and scope creep. I'm sure that CESG will receive a good dollop and, while I respect the ability of CESG and the issues of conflicting priorities will be lessened, there is the ever-present issue that CESG has an incredibly hard time retaining suitably cleared and experienced staff who, once they have attained the clearance and received the training that CESG provides, are tempted away to high-paying consultancy and contract positions, often returning to their previous job but costing CESG up to ten times as much. Many of the issues at CESG are down to their stringent vetting requirements but that is a post for another day!

Monday 7 February 2011

The tragic state of NHS information security.

Recently, I have taken some time to examine the state of information security within the NHS. What I have found is a culture which would shock most information security professionals and should dismay those responsible for ensuring the safety of what is deemed to be sensitive personal information, according to the Data Protection Act.

My sources of information vary from direct observation to anecdotal evidence, albeit evidence from trustworthy sources.

My interest in NHS information security stems from a chat I had with the chap who was (at the time, 4ish years ago) responsible for the security of the links between NHS trusts. My question to him was innocent enough - 'Who is responsible for the security of the endpoints?' I was surprised to discover the response 'They are.' Meaning, the local trusts, hospitals or even surgeries.

Following on from that chat, I have taken particular interest in the security of information whenever I am in an NHS environment. I have visited several hospitals, primarily when visiting friends or family. I have visited many surgeries and other NHS trust buildings when employed as a contractor for the NHS, and I have family working within the NHS who often ask my advice concerning the security of their systems.

In every - not most - every hospital I have visited, the mail is delivered around the hospital by trolley, and the trolley is left outside wards unattended while the post for each ward is delivered within. It would be trivially simple for an individual to take post from the trolley.

In one particular NHS trust, all laptops were fitted with whole disk encryption. The whole disk encryption installed onto the laptops had the SAME password across the entire estate, and the password was written on at least two of the laptops. I have no experience of other trusts' laptops, so I cannot state how widespread this problem is.

I have witnessed account sharing on many sites. This is particularly endemic within small user groups, medical centres and doctors' surgeries, although it is not limited to them. It should be noted that central medical records are protected via a secure session using two-factor authentication; however, many other sensitive client details and reports are recorded on the hosting computer, with little or no protection afforded to them.

Physical security within the NHS is abysmal. In every - not most - every hospital I have visited, I have noticed network equipment cabinets that members of the public could easily access, either to install an additional device or to cause major disruption by disconnecting cables.
The physical protection afforded to computer systems within treatment and consulting areas in medical centres, surgeries and hospitals is sadly lacking. Many areas are protected by five-button simplex locks, which take up to five minutes to brute-force, usually considerably less. Other areas are protected by 13-button locks, the codes for which can be trivially captured with a dry marker pen.

The NHS trust I was contracted to, when asked who was responsible for information security, replied 'I don't know - I think it's the IT director.' This was said to me by an IT manager.

I have received, by post, the medical details of an elderly woman who lives ten miles away from me, when appointment details were being sent through for my son.

In addition, I have discovered unpatched systems, unsupported operating systems and out-of-date anti-virus software.

These are only a few examples of the incredibly poor information security I have noticed when within NHS environments. I have many more examples that I could cite, but it would achieve little else. I suspect the results of audits (if any are carried out) would make for some pretty grim reading.

The overall information security measures within the NHS, in my experience, are catastrophically poor. Why this is not more widely reported is a mystery to me. Almost everyone in the country has medical information stored and processed by the NHS so this should be a concern to pretty much everyone. I doubt my observations are restricted to the absolute worst NHS trusts - they are not limited to one trust but several trusts. I am sure information security breaches within the NHS are not being reported and if they are, they must be being covered up. The Department of Health has guidelines for Information Security within the NHS but there are no hard and fast rules concerning the protection of OUR information.
I believe it would be in our interests for the NHS to be required to comply with a data security standard. I appreciate there will be a huge cost involved in this, at a time when the NHS cannot afford to spend additional resources. However, it is only a matter of time before a huge data loss is reported within the NHS, which will cause a knee-jerk reaction to providing adequate protection for NHS-held information, along with the associated 'quick-fix' costs such as those that have been endured by the MoD following the loss of the Navystar laptop and the Revenue and Benefits CDs.
It would be prudent for the NHS to commence investing in information security now, rather than being forced into action at a later date.