21/12/2014

Does your firewall have an open door? | Cactus

Chris James
Does your firewall have an open door?
First Published on SCL.org: 24/03/2010
Also published in Computers & Law magazine (June / July 2010 Edition)
Source: http://www.chrisjames.me.uk/posts/firewall_open_door.html
Google's January announcement that it has uncovered a sophisticated and
targeted attack on its infrastructure is a timely reminder that the threat
posed by hackers should not be minimised. This attack originated from China
and led to Google uncovering a systematic breach of the security of certain
Google user accounts linked to Chinese human rights activists. The attack on
Google and its implication of state surveillance may be seen as esoteric, but it
reveals a basic truth: any organisation which holds personal data on
individuals must be prepared for the fact that the data has value, and is
therefore worth stealing.
In fact data is commonly stolen with much more prosaic aims. The legitimate
collection of personal data for marketing purposes is an expensive and time-consuming exercise. Much more attractive, especially if one is already
breaking the law by selling pirated software, fake watches or regulated
medicines without a prescription, is simply to steal that personal data from a
legitimate organisation. Or, at least, purchase that stolen data from a
pseudonymous seller in a murky Internet back-alley. This creates a ready
market for hackers' ill-gotten gains.
The Data Protection Act 1998 requires organisations which process personal
data to take appropriate technical and organisational measures against
accidental loss or destruction of, or damage to, personal data.
This requirement is sometimes read as a requirement to have a firewall in
place. The risk with this interpretation is that responsibility for complying
with this aspect of data protection law can fall through the gaps between the
lawyers and the engineers. Lawyers think 'job done' when the server
engineers tell them they have installed a firewall. Those engineers
implement a firewall because they are told to do so by the lawyers. It is
entirely possible that no further thought goes into whether a firewall is the
most appropriate technical measure, let alone organisational measure, to
keep personal data safe.
Like its real-world namesake, a standard firewall is a relatively dumb device:
it maintains a barrier between the system and the outside world. Clearly, if
an organisation would like the public to use its web site and electronic
services, putting those services behind a barrier is not going to be very
helpful.
It is common practice to open a door in the firewall to allow external users to
access an organisation's web site. The firewall still prevents outsiders from
directly accessing your internal systems or administrative functions (eg the
web server's root console, used for systems maintenance), but allows public
users of the site to pass through that door. However, on that basis, the
firewall offers no protection to the web site. The organisation needs to be
confident that its web site is secure in its own right.
If your web site collects and keeps personal data in a database (eg mailing list
subscriptions and e-commerce order processing) it will contain software code
to process that data. This code often follows fairly standard and well
understood patterns. It does not take long for those in the know to
interrogate the site to discover the way it works and where its weaknesses
may be. Therefore your data security is only as strong as the site software's
ability to withstand such interrogation without revealing security
weaknesses. If that software is insecure then your compliance with the Act is
potentially compromised.
For example, last month a programmer in Birmingham discovered a way to
access the name, password, e-mail address, post code and other personal data
of over 400,000 users of a brand name e-commerce web site. This was not a
sophisticated cyber-attack against that company's firewall. This was data
that was already made available on the web site, in a downloadable XML file
via a software bug (possibly because of sloppy programming by the original
developer). No standard firewall would have prevented that mistake as the
file was made available on the web site to which the firewall had already
permitted access.
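The two layers the article contrasts (the packet filter with a "door" opened for the web site, and the web application behind that door that may hand out a data export on its own) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the article or from the e-commerce site it mentions; the port policy, the internal address range, the export path, the admin role table and the XML record are all constructed assumptions. It shows that the filter decides only on addresses and ports, so an export route that forgets its authorisation check is reachable by anyone, while the hardened handler refuses the same request.

```python
"""Constructed model of the 'open door' described above: a perimeter filter
that admits public web traffic but blocks administrative ports, and a web
handler behind it that serves a user-data export. None of this is the real
site's code; every value below is an assumption made for the illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# --- Perimeter ("firewall") policy, assumed for this example ---------------
PUBLIC_PORTS = {80, 443}               # the door opened for the public web site
ADMIN_PORTS = {22, 3306}               # SSH console and database: internal only
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range


def firewall_permits(src_ip: str, dst_port: int) -> bool:
    """Return True if the packet filter lets a connection through.

    Public ports are open to everyone, administrative ports only to the
    internal network, and everything else is dropped. The filter sees
    addresses and ports only; it never looks at what the request asks for.
    """
    src = ipaddress.ip_address(src_ip)
    if dst_port in PUBLIC_PORTS:
        return True
    if dst_port in ADMIN_PORTS and src in INTERNAL_NET:
        return True
    return False


# --- Application behind the door -------------------------------------------
@dataclass
class Request:
    path: str
    user: Optional[str] = None         # None means an anonymous visitor


# Constructed single-record export standing in for the article's 400,000 users.
USERS_XML = (
    "<users>"
    "<user><name>A. Example</name><email>a@example.test</email>"
    "<postcode>AB1 2CD</postcode></user>"
    "</users>"
)
ADMINS = {"ops-admin"}                 # constructed role table
EXPORT_PATH = "/export/users.xml"      # assumed route name

Handler = Callable[[Request], Tuple[int, str]]


def vulnerable_handler(req: Request) -> Tuple[int, str]:
    """Serves the export to anyone who requests the path: the kind of
    application bug the article describes, invisible to the firewall."""
    if req.path == EXPORT_PATH:
        return 200, USERS_XML
    return 404, ""


def hardened_handler(req: Request) -> Tuple[int, str]:
    """Same route, but the export is released only to an authenticated admin."""
    if req.path == EXPORT_PATH:
        if req.user is None or req.user not in ADMINS:
            return 403, ""
        return 200, USERS_XML
    return 404, ""


def handle(src_ip: str, dst_port: int, req: Request,
           handler: Handler) -> Optional[Tuple[int, str]]:
    """Run a connection through the perimeter, then the application.
    Returns None when the firewall drops the connection before the
    application ever sees the request."""
    if not firewall_permits(src_ip, dst_port):
        return None
    return handler(req)


if __name__ == "__main__":
    outsider = "203.0.113.9"           # documentation address for "the public"
    export = Request(EXPORT_PATH)      # anonymous visitor asking for the file
    print("SSH from outside:", handle(outsider, 22, export, vulnerable_handler))
    print("HTTPS, vulnerable site:", handle(outsider, 443, export, vulnerable_handler))
    print("HTTPS, hardened site:", handle(outsider, 443, export, hardened_handler))
```

The point of the model is the asymmetry: `firewall_permits` blocks the outsider's SSH attempt exactly as the article says a firewall should, yet the same outsider's HTTPS request reaches `vulnerable_handler` and receives the whole export, because port 443 is the door that was deliberately opened. Only the application-level check in `hardened_handler` closes that gap.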
The programmer who discovered this breach did not reveal the name of the
compromised web site; instead he has reported it to the company in question.
That company is fixing the problem, and may also be speaking to its solicitors
about whether it should notify the Information Commissioner of its breach of
the Act. Of course, a less scrupulous individual (a competitor, a disgruntled
customer or employee, or a spammer) could have used that file for nefarious
ends.
As well as the clear reputational risk this presents, it is now very likely that
significant fines will be levied by the ICO for serious breaches of data
protection legislation. This new regime will come into force on 6 April.
There are a number of steps that an organisation can take to mitigate these
risks:
Develop a comprehensive security policy, with managers, lawyers and
software engineers coming together to:
- set out the risks and identify weaknesses and pressure points in the
organisation's use of personal data;
- outline the procedures to audit software, hardware and business methods
to ensure that the risk of accidental disclosure of personal data is minimised;
- make sure that systems and processes are designed not to hold personal
data for longer than is necessary;
- identify any necessary additional precautions that need to be taken; and
- give ownership of information security to an individual or team of people
in the organisation who are in charge of ensuring that the policy is complied
with.
Invest in training:
- if an organisation's programmers and data centre engineers are not well
versed in information security issues they will be prone to make mistakes
which can have serious consequences;
- it should not be assumed that security is taught to or clearly understood by
programmers as part of university or college courses; often it is not;
- additional training can help programmers understand how to write
software that is effective and secure; and
- additionally, customer-facing areas of your business should be trained how
to react to and escalate reports of breaches of information security.
Obtain specialist technical and legal advice:
- all organisations should ensure that they are aware of their legal
responsibilities, if necessary by getting advice from data protection solicitors;
it is less than optimal to speak to them for the first time only once the Data
Protection Act is breached;
- specialist technology firms, and also some major professional services
firms, offer penetration testing services whereby they will act as a hacker to
identify and report upon weaknesses in your infrastructure; although often
expensive, this may be money well spent as it allows fixes on issues before
they become problems; and
- consider whether it is appropriate to adhere to a published set of security
standards (for example ISO 27001). This will provide a comprehensive
framework upon which to develop an organisation's information security
management system and processes.
It should also be remembered that any organisation that outsources its
technical development and operation is still acting as a data controller under
the Act, and is still legally and reputationally at risk from a breach. Your
provider should take these risks as seriously as you do, and likewise should
be taking steps to mitigate them. Whilst helpful protections can be won at
the contracting phase (do you know what your contract says on this issue?)
information security is an ongoing issue and it is entirely appropriate to raise
it with your provider at any time.
It is all too easy for lawyers and engineers to think the other is in charge of
information security. These issues should be dealt with by the engineers and
lawyers together. With regular examples of breaches and poor practice in
the news, and the likely move to beef up the Information Commissioner's
enforcement powers, it is time to check that this risk is being dealt with
effectively. There's no point building a firewall if you leave the door open.
Posted on Mar 24 2010
Written by Chris James