Housing Technology interviewed Toby Reynolds, a security consultant and penetration tester for Insomnia Security, about what housing providers should be considering in the context of cyber-security and data protection.
What are the cyber-security and data protection aspects specific to social housing?
There are lots of similarities between social housing and other companies. This can be seen through the use of corporate laptops, tablets, remote working and so on.
The important part is looking at ‘personally identifiable information’. This takes the form of date of birth and names as well as associated information. Many other types of companies also hold this type of information, but social housing has many vulnerable people so it’s even more important to protect their information.
What does the ideal CS/DP set up look like?
There are different parts that need to be looked at for this question, but in general all computer systems should be tested regularly, by a third party security testing firm that specialises in penetration testing.
- Mobile working: Everything mobile should be encrypted. This will help to protect data at rest (not in use). People with mobile devices shouldn’t use public wi-fi; this will open them up to attacks. The best approach is to use VPN connections to form secure channels between staff’s devices and the organisation’s servers.
- Internet/online: Regular penetration testing of common attacks using a security company will help to identify vulnerabilities. For example, SQL injection is a common, high-severity vulnerability issue, which can lead to the disclosure of vast amounts of information, stored within the web application’s database. This could provide the attacker with access to internal staff-only material as well as personally identifiable information.
- Payments: There are vast amounts of security-related regulations which apply to the handling of credit-card data, such as PCI compliance. Adhering to these standards could involve a lot of changes to the way an organisation operates; however, services such as PayPal have these already set up, but there are extra security rules and regulations that need to be followed.
- Passwords: I don’t actually recommend having passwords, at least not passwords which you have to remember. Personally, I use a password manager, called KeePass, which generates and saves secure passwords for me, which can be considered secure when compared with most of today’s password management policies.
- Phishing: With the rise of ransomware, it’s more important than ever to separate your different computing environments, alongside adequate user-awareness training. Something as simple as disabling macros within untested Microsoft Office documents should be standard, as should not opening unexpected email attachments.
What percentage of housing providers’ IT budgets should be spent on CS/DP?
From a consultant’s perspective, as much as possible! It is important to invest heavily in general staff awareness training. This should cover points such as why you should regularly change your password and why you shouldn’t click on email links you’re not sure of.
In the context of cloud and hosted services, can you outsource your CS/DP too?
You can, but I recommend that you only do this in part. Cloud storage facilities should have lots of security and multiple layers of authorisation in place, but from a DPA angle, you should identify personally identifiable information and protect this yourself. Nothing really compares to knowing exactly how secure your data is when you consider self-hosted, but there is the data management perspective you need to be aware of.
How can you protect against deliberate or accidental internal data breaches?
Everyone should have the minimum permissions to do their job, meaning everything should be denied by default. You should use a whitelist instead of a blacklist.
Everything should be encrypted with comprehensive audit trails and data retention available. Just because something is printed, doesn’t mean it can be traced back to the originator, and the recent NSA leaks proved this.
In the event of a data breach, turn everything offline. Take a clone or a snapshot of your systems and possibly ask a professional third party to investigate the breach. They will be looking through the log files to build up information.
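As an added example (not part of the interview or of Insomnia Security's work), the following Python contrasts a blocklist policy with the deny-by-default allowlist recommended above, recording every decision in an audit trail; the role names, action names and record id are constructed for illustration.

```python
"""Deny-by-default (allowlist) authorisation with an audit trail.

Added example, not from the interview. When a new action appears
("export_all"), the blocklist silently permits it, while the allowlist
denies it until someone deliberately grants it. Names are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AuditEvent:
    when: str
    user: str
    role: str
    action: str
    record_id: str
    allowed: bool
    policy: str


@dataclass
class Policy:
    name: str
    default_allow: bool                        # False => deny by default
    rules: dict = field(default_factory=dict)  # role -> set of listed actions
    audit_log: list = field(default_factory=list)

    def authorise(self, user: str, role: str, action: str, record_id: str) -> bool:
        listed = action in self.rules.get(role, set())
        # Blocklist: listed actions are forbidden, everything else allowed.
        # Allowlist: listed actions are permitted, everything else denied.
        allowed = (not listed) if self.default_allow else listed
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role, action,
            record_id, allowed, self.name))
        return allowed


# Constructed policies for a housing-officer role handling tenant records.
BLOCKLIST = Policy("blocklist", default_allow=True,
                   rules={"housing_officer": {"delete_record", "change_bank_details"}})
ALLOWLIST = Policy("allowlist", default_allow=False,
                   rules={"housing_officer": {"read_contact", "update_contact"}})


def compare(action: str, user="officer1", role="housing_officer", record="T-0001"):
    """Return (blocklist_decision, allowlist_decision) for one request."""
    return (BLOCKLIST.authorise(user, role, action, record),
            ALLOWLIST.authorise(user, role, action, record))
```

An unknown role (for example a contractor account) is also denied under the allowlist but waved through by the blocklist, and both outcomes appear in `audit_log` so the denied attempts can be reviewed later.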
What is the balance between technology and internal training to enforce CS/DP?
Phishing is a people-led breach. This kind of attack requires lots of training for people to understand exactly how modern-day attackers operate. There have been cases of hackers/testers dropping USB sticks containing malicious programs onto a company’s premises; there is then the potential that these devices could be plugged into a corporate machine (if there is something like an enticing file called ‘salary info’, people will most likely attempt to see the information). From an attacker’s perspective, merely placing a malicious file on external media generally only yields unfortunate results for the affected company.
That is why external storage shouldn’t be used, and again denied by a company default policy.
Generally, security professionals say 70 per cent technology and 30 per cent people, but what I recommend is actually 60 per cent people and 40 per cent technology. People are unaware of how much of a risk they pose to an organisation, even when they only have good intentions.
How does the growth of the internet of things in housing affect CS/DP?
The internet of things has a very bad reputation within the security community because the devices are aimed purely at convenience and often security is not built into the product’s development. As a result, many of these IoT devices are vulnerable to attack, especially when first powered on.
Simple things like changing the device’s password on the first setup are not enforced. The Mirai IoT botnet used these default usernames and passwords to launch attacks, such as DDoS.
Toby Reynolds is a security consultant for Insomnia Security.