Discussion in 'Current Affairs' started by seafarer1939, Aug 26, 2008.

  1. As it is confirmed that about 3200 laptops have been nicked from the MOD I have a couple of questions;
    1. The FBI and CIA do not allow USB or CD recording devices in their buildings and none of their PCs can record data, why do we?
    2. As it is impossible [nearly] to remove any electrical item [or clothes] from a shop without an alarm sounding off at the door, why don't laptops have something like this? A secured alarmed tag that cannot be removed. Too easy?
    As a last resort, put an electronic lead on all laptops and secure to desk. Knobheads!
  2. wave_dodger War Hero Book Reviewer

    Well the latter of those two agencies definitely do have laptops that use USB and have DVDs that work, I fixed one in Iraq two years ago when their resident tech ran out of bits and my techs had some to hand.

    Anyway the real issue isn't the physical laptops, they are just a tool for work, the real issue is our incredibly bad data handling and IM practices. We use laptops in an amazing variety of places for an equally amazing variety of purposes. The real snag is making sure that an appropriately secured device is used for the right level of information it's processing. Here we are pi** poor, because people automatically downgrade the data classification in their own minds and accept the risk.

    You could easily perform a knee jerk and say prevent all laptops moving, ban USB memory sticks being carried about and call for encryption of all magnetic media but that's just foolish and impractical. Will MGS search everyone and check to see if your CD is encrypted? How would they ever know, would we install people with laptops to check at all exits? Course not, never happen, too inflexible, too expensive and too error prone.

    Instead we need to make sure data owners understand what they have and its value and give them the proper tools to protect it. Then everyone else can go back to using computers in an appropriate manner as they should be.

  3. Yeah! It was a knee jerk reaction from the article I read. Considering I received 14 days nines for losing a paybook at Whale Island I get annoyed when secure data goes AWOL and nothing happens as in the case of Admiral West.
    The report of no recorded data allowed in the FBI/CIA came on the CNN news [I watch it more than our news reports], whether it came in recently I don't know but it was stressed by them as a tool against terror.
    Makes sense to me to have laptops fitted with tags that activate alarms when moved from the building.
  4. any chance of a link to it so that we can all see?

    I agree with WD on this one, CNN are wrong. Thin client laptops need a USB stick to save documents on when they're not connected to their Citrix farm, and if you want to avoid that then you're stuck with a thick client device which does save the data onboard. Both those agencies use laptops, however I do agree that their fixed infrastructure is thin client technology, that doesn't save data to the desktop device.

    Unfortunately for CNN the world they both operate in isn't as simple as all that.

    The point of a laptop is that it's portable, even if you put in process around getting it in and out you don't really reduce the risk of any data held on-board being compromised if the device is lost. WD has the right answer here, we need to be better about managing our data, including improving the mechanisms to protect it where required. Enhanced grade encryption for devices up to CONF, High grade above that.

    The reality is that the controls put in will be compromised by people developing short cuts and workarounds.
  5. I take it you haven't seen the latest version of JSP440 then! :crash:
  6. chieftiff War Hero Moderator

    The weakness is people to be honest. You know who I work for mate and can probably guess the personal data I deal with (it's nothing that special or near to what could be described as secret). Nevertheless my laptop is encrypted and encrypted USB devices are available for any data defined as personal: NI numbers, addresses etc. Yet there is nothing physically restricting me from copying data to an unencrypted USB device or burning it to CD. I wouldn't, obviously - it really is more than my job's worth, the rules strictly forbid it. The fact is though it's possible and if it's possible it could happen!

    Surely there is some sort of system available that will only allow data to be copied as encrypted and retain it as encrypted unless it's in a certain system?
  7. There are a number of different technical controls that can be applied, but as you say, the weakness is always people. Change is painful, and people don't like either change or technical controls that restrict their ability to do business. I was in a training session yesterday, my clients are rolling out a new infrastructure and the first users, including yours truly, went onto it yesterday. In the coffee break halfway through we already had people on the phone to colleagues trying to work around the new security restrictions. I ended up having words with the trainer afterwards about how they communicate these things, didn't even charge for the advice either :D

    My company is similar to yours, our laptops are encrypted with commercial algorithms and keymat at Enhanced grade. If we wanted to invest the money we could quite easily get list X status, but we don't need it.

    One of the snags in government is that few departments are on the same system, so any secured data has to go through an unprotected point in time when you're crossing organisational boundaries. There are moves afoot to reconcile that, but with government not being a single entity, rather a loosely federated collection of entities with occasionally aligned objectives, it'll be an uphill struggle. When I was in the service we couldn't even get the whole RN on a single system, never mind the whole of MOD, DII Programme was supposed to improve that, but last week I heard about an initiative in one area which is kicking off because DII doesn't meet their needs, although from what I know of the requirement that's bollocks and it sounds like weak leadership higher up the food chain and a bit of good old fashioned empire building.
  8. I suspect the real problem for govt departments and agencies is security measures cost money and meeting financial targets has been seen as more important than data security, hence not all security measures that could be taken are taken to save money. After all lost data does not generally cost the govt dept or agency anything.
  9. The report re. 3200 laptops stolen from MOD was in the Express/Mail Tuesday I think, certainly this week early, along with the fact MOD mob. phones, too numerous to count, were also stolen.
    The CNN report was about three weeks ago on a report of leakages from State dept. buildings.
    I only picked up on it thinking it was superior to our lacklustre efforts protecting data.
    I think the last few months of lost data in this country is treated with indifference, on the face of it, by those in charge.
    Heard of any heads being rolled for any of these cockups? Because I have not, probably shunted aside to another Dept.
    It just doesn't give me confidence in ID cards, not when we outsource everything to whoever and from any country who gives a good bid.
    The Russians don't need spies anymore, they just need to set up a data storing company then they will have the lot.
    It's life I know, but it's a shambles, and does not get any better.
  10. wave_dodger War Hero Book Reviewer

    Yes Ch37 - had discussions with DSSO and DDefSyPol too because of the implications it had for a service my (latter) team provided. There are ways to dance around it though and herein is the issue: people are the problem, they will develop workarounds and new procedures to circumvent security requirements which they perceive to be merely hindering them.

    As Karma has alluded, there are a myriad of software and hardware tools for data security/integrity but these all cost and will inhibit streamlined working practice.
  11. It hasn't been, there has been a lot of investment in improving things. You still can't mitigate for people circumventing the technical and procedural measures put in place.

    Fundamentally, until government gets more joined up, there are always going to be gaps where the data is vulnerable. The way to mitigate for that is to use representative, rather than real, data where possible; only move around that which needs to be moved around; put audit measures in place to identify where breaches have occurred; encrypt where possible and minimise the numbers with access to the data where possible.

    There are a number of factors which prevent that happening, partly the demand from users of government service and part from human nature looking for the path of least resistance.

    Yes, but it's not considered newsworthy. It's also not particularly public domain.

    I think that's a whole different issue, the threats are significant and we could do without the political filth trying to suggest that it's a panacea.
