March winds and April Showers bring forth …
The Spring of 2014 has seen a raft of news about online document security – both good and bad. The year was ushered in by guidance from regulatory bodies and professional organisations, including the Solicitors Regulation Authority (SRA) on cloud-based document security and the Institute of Chartered Accountants in England and Wales with the ICAEW guide to cyber security in corporate finance.
As if this was a challenge, the barometric pressure around some key security vulnerabilities was building up as Spring started and the March winds began to blow. April came, not just with rain, but with security showers and dire warnings about the need to protect your valuable information. Three significant events caused us all to check that our security raincoats were actually keeping the rain out:
Heartbleed
First, the Heartbleed vulnerability hit the headlines. This was possibly one of the most significant security vulnerabilities of recent years, and two characteristics made it a real problem:
- The vulnerability exposed the encryption keys used to secure information sent between your browser and many websites. Once someone has the encryption keys, it is possible to read all of the information exchanged. This could include passwords, credit card details, commercially or legally sensitive documents and other personal information.
- The nature of the vulnerability also made it impossible to know whether encryption keys, or any other information exchanged, had been intercepted. In light of this, everyone who has been operating the vulnerable versions of the software needs to assume they have been compromised.
Unfortunately there was also a shower of poor advice about how to deal with Heartbleed. The most significant misdirection was the advice to immediately update your passwords in the belief that this would protect your information – it wouldn’t necessarily, because a new password sent to a server that had not yet been patched could be exposed in exactly the same way. For this reason alone, it is worth reviewing what action was taken and whether it worked.
Did you deal effectively with Heartbleed?
If you are a user of a web site, the main imperative was to check with the provider of the services that you use that they had patched the Heartbleed vulnerability before you updated your passwords. If they had not, you may still be at risk.
Reputable providers of web services have been very open about the status of their systems, whether they were affected, and what steps they have taken. Look for emails from the providers, or blogs on their websites. For example, we at Safe4 had a strong enough architecture and controls that our users were not at risk, and we confirmed this with messages at system log-in and with blog information on our website.
If you are uncertain about any of this, it is very easy to check whether the site you use is still vulnerable. Go to the free Qualys SSL Labs online test and put in the site URL. The result will tell you whether Heartbleed is still an issue with the site. Then check directly with the site when they were “clean”, i.e. when the vulnerability was patched. If that was before your last password update, you should be safe. However, as it is good security practice to change your password periodically, you might want to play absolutely safe and update it again anyway.
Windows XP and Internet Explorer 8
There was also a significant date during the month for those people who are still using Windows XP. On the 8th April Microsoft discontinued support for XP.
There may be no obvious immediate implications, since the software will continue to run as before. However, Microsoft will not be issuing any further security updates to XP, so as time goes by this operating system will become increasingly vulnerable.
Windows XP already lacks support for a number of the modern information security protocols which have been developed to improve security.
Many companies, including Safe4, that have undertaken detailed reviews of their information security strategies have decided to disable support for older security protocols – which unfortunately are the only ones Internet Explorer 8 on Windows XP can use. Disabling these older protocols, and with them Internet Explorer 8 on Windows XP, has enabled these companies to attain the highest possible ratings for security in independent analysis.
Safe4 therefore strongly recommends that companies and all users of secure online services look to upgrade from Windows XP to Windows 8 as soon as possible. In the meantime, if upgrading from XP is not an option, we would suggest using an alternative browser such as Google Chrome, which will take advantage of the latest security protocols.
Dropbox and Box weblinks
As April gave way to May, news emerged that these two widely used free file sharing services were vulnerable to a web-linking loophole exposing files to unauthorised access. The vulnerability, described by independent security analyst Graham Cluley, laid bare sensitive information including tax returns, mortgage applications and corporate information, including a business plan.
The problem appears to be that Dropbox and Box did not always require users accessing a shared link to authenticate themselves.
Safe4 always requires valid authentication from a user and checks that the user has permission to access the particular file linked to. Safe4 Technical Director Alistair Stubbs commented: “Proper user authentication has always been a foundation of the Safe4 architecture, specifically to guard against potential problems such as this.”
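To make the difference concrete, here is an added illustration (not Safe4’s, Dropbox’s or Box’s code; the file, user and link data are constructed) of a share-link handler that grants access on possession of the link alone, beside a version that applies the two checks described above: the caller must be signed in, and must have permission on the linked file.

```python
"""Share-link handling: link-only access beside authenticated, permission-checked access.
Added example with constructed data; not taken from any of the services discussed."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: stored files, an explicit per-file access list,
# and the mapping from share-link tokens (as they appear in a URL) to files.
FILES = {"f1": {"owner": "alice", "content": b"2013 tax return"}}
ACL = {"f1": {"alice", "bob"}}          # users allowed to read each file
SHARE_LINKS = {"k7Qx9": "f1"}           # link token -> file id


@dataclass
class Request:
    token: str                      # share-link token taken from the URL
    user: Optional[str] = None      # authenticated user, or None if anonymous


class AccessDenied(Exception):
    pass


def serve_link_weak(req: Request) -> bytes:
    """Weak form: whoever holds the link gets the file. Anyone the URL reaches
    (forwarded mail, a leaked browser history, a logged referrer) can read it."""
    file_id = SHARE_LINKS.get(req.token)
    if file_id is None:
        raise AccessDenied("unknown link")
    return FILES[file_id]["content"]


def serve_link_hardened(req: Request) -> bytes:
    """Hardened form: the link only identifies the file; the caller must be
    authenticated AND listed on that file's access list."""
    file_id = SHARE_LINKS.get(req.token)
    if file_id is None:
        raise AccessDenied("unknown link")
    if req.user is None:                          # authentication check
        raise AccessDenied("sign-in required")
    if req.user not in ACL.get(file_id, set()):   # authorisation check
        raise AccessDenied("no permission for this file")
    return FILES[file_id]["content"]


def check(handler: Callable[[Request], bytes], req: Request) -> str:
    """Run a handler and report the outcome as a short string (for logging/tests)."""
    try:
        handler(req)
        return "granted"
    except AccessDenied as exc:
        return f"denied: {exc}"
```

With the weak handler an anonymous request carrying a valid token is granted; the hardened handler refuses it until the requester signs in as a user on the file’s access list.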
What next for May?
Even a quick review of history will show that wars have been won and lost, and empires have fallen, because of intercepted information.
We assume that you have used the information above to review the current security of your documents and information. For the future, and without being overwhelmed by a further downpour of technical information, how do you handle the commercial implications of staying secure through the summer and beyond?
A simple risk-based approach, which can provide a framework to help an organisation review its commercial exposure and take the most appropriate mitigating actions, is explored further in another blog post by Safe4 Technical Director Alistair Stubbs.
Safe4 will continue to provide a top level of security for all confidential documents stored by its customers. We hope this summary has been useful and will enable you to use the March Winds and April Showers of the recent security scares to bring forth a May flowering of a robust security environment for your documents.
Posted by: Alistair Stubbs, Safe4 Information Management Technical Director