In total, the ICO’s report identified 8 common security failures that will be very familiar to any seasoned security professional. Specifically, these were:
- Failure to install software updates across all IT assets;
- SQL injection attacks (easily detectable through regular penetration testing);
- Using unnecessary services, permitting excessive and insufficiently controlled access to data assets;
- Failure to properly decommission no longer needed software or services, resulting in ongoing access to data and security risk;
- Insecure password storage;
- Failure to use or improper configuration of online encryption, like SSL and TLS;
- Inappropriate data processing locations, including failure to segregate data environments; and
- Failure to change default username / password credentials supplied with software components.
While the report is specifically directed at online businesses, the ICO notes that “[t]his in no way reduces the need to consider other security issues such as the importance of encrypting laptop and mobile for instance.”

In relation to the risks of using unnecessary services, the ICO actively discourages use of services like telnet and plain FTP “because information, including usernames and passwords, is sent unencrypted.” When accessing remote services, the ICO recommends that access should be “via an encrypted method” and that “[a] more general solution … would be to use a Virtual Private Network (VPN), which would allow remote users to be authenticated and also ensure that data is encrypted in transit.”

In relation to the risks of insecure password storage, the ICO “rules out the storage of passwords in plain text because these are immediately readable by a system administrator or casual observer” before recommending the use of one-way hashing and salting algorithms, noting that “if done appropriately, hashing makes password cracking attacks extremely time-consuming and therefore impractical”.

Finally, in relation to the risks of failing to use or improperly configuring online encryption, the ICO advises businesses that “You should have a clear concept of which information needs to be encrypted and which does not, and apply the use of SSL or TLS as appropriate. To reduce complexity, you may also wish to consider using SSL or TLS throughout your entire domain.”
But we’ll let the ICO have the final word on this. As Simon Rice, Group Manager, Technology at the ICO notes in his blog “Why encryption is important to data security”: “the time and cost of proper encryption is put into sharp perspective by a quick glance over the penalties issued in three recent cases where encryption wasn’t used (£700,000 in total). The price of getting it wrong could therefore extend well beyond upsetting people…”
That was in August 2013, by the way, and there’s been in excess of another £400,000 of fines since then relating to encryption failures in the UK alone!