Daily Archives: 08/09/2014

Repeated security failings lead to £180,000 fine for Ministry of Justice

The Information Commissioner’s Office (ICO) has served a £180,000 penalty on the Ministry of Justice over serious failings in the way prisons in England and Wales have been handling people’s information.

The penalty follows the loss of a back-up hard drive at HMP Erlestoke Prison, Wiltshire in May 2013. The hard drive contained sensitive and confidential information about 2,935 prisoners, including details of links to organised crime, health information, histories of drug misuse and material about victims and visitors. The device was not encrypted.

The incident followed a similar case in October 2011 when the ICO was alerted to the loss of another unencrypted hard drive containing the details of 16,000 prisoners serving time at HMP High Down Prison in Surrey.

In response to the first incident, in May 2012 the prison service provided new hard drives to all of the 75 prisons across England and Wales still using back-up hard drives in this way. These devices were able to encrypt the information stored on them. However, the ICO’s investigation into this latest incident found that the prison service didn’t realise that the encryption option on the new hard drives needed to be turned on to work correctly.
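The failure described here is that encryption-capable equipment was deployed without anyone confirming the encryption was actually switched on. A backup job can enforce that itself by refusing to write to a target that is not demonstrably an encrypted container. The following is an added example, not code from the ICO, the Ministry of Justice or the prison service, and it assumes a software-encrypted LUKS volume (it inspects the LUKS on-disk header magic and version) rather than the specific hardware drives in the story; the file paths and sample images are constructed for the demonstration.

```python
"""Pre-backup guard: only permit a backup target that is an encrypted (LUKS) container.

Added example. It checks the first 8 bytes of a block device or image file for the
LUKS header: 6 magic bytes b"LUKS\\xba\\xbe" followed by a big-endian 16-bit version.
A blank or plaintext device fails the check, so "the drive supports encryption" is
never mistaken for "the drive is encrypted".
"""
import os
import struct
import tempfile

LUKS_MAGIC = b"LUKS\xba\xbe"      # primary header magic shared by LUKS1 and LUKS2
SUPPORTED_VERSIONS = {1, 2}


def luks_version(header: bytes):
    """Return the LUKS version (1 or 2) if `header` starts a valid LUKS header, else None."""
    if len(header) < 8 or header[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack(">H", header[6:8])
    return version if version in SUPPORTED_VERSIONS else None


def is_encrypted_volume(path: str) -> bool:
    """Read the start of a device or image file and decide whether it is a LUKS container."""
    with open(path, "rb") as fh:
        return luks_version(fh.read(8)) is not None


def backup_allowed(path: str) -> bool:
    """Policy used by the backup job: an unencrypted target is refused, not silently used."""
    return is_encrypted_volume(path)


def demo() -> dict:
    """Build two constructed sample images (one LUKS2-labelled, one blank) and test them."""
    tmpdir = tempfile.mkdtemp()
    encrypted = os.path.join(tmpdir, "encrypted.img")   # constructed sample path
    plain = os.path.join(tmpdir, "plain.img")           # constructed sample path
    with open(encrypted, "wb") as fh:
        fh.write(LUKS_MAGIC + struct.pack(">H", 2) + b"\x00" * 504)
    with open(plain, "wb") as fh:
        fh.write(b"\x00" * 512)
    return {"encrypted": backup_allowed(encrypted), "plain": backup_allowed(plain)}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: backup {'allowed' if allowed else 'REFUSED (not encrypted)'}")
```

The check only proves the target carries a LUKS header; it says nothing about the strength of the passphrase or key protecting it, so it belongs alongside, not instead of, a written procedure that tells each site how to enable and verify encryption before the first backup is taken.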


The end result was that highly sensitive information was insecurely handled by prisons across England and Wales for over a year, in turn leading to the latest data loss at HMP Erlestoke. If the hard drives in both of these cases had been encrypted then the information would have remained secure despite their loss.

Highly sensitive information insecurely handled

ICO head of enforcement Stephen Eckersley commented: “The fact that a Government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them how to use it beggars belief. The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally set up correctly.”

Eckersley continued: “This is simply not good enough. We expect Government departments to be an example of Best Practice when it comes to looking after people’s information. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must also understand how to use it.”

Working with the National Offender Management Service, the Ministry of Justice has now taken action to ensure all of the hard drives being used by prisons are securely encrypted.


Filed under Risk UK News

UK civilians and military personnel learn to defend against online attacks at cyber training camp

After two days of intense hands-on training and development, a new potential generation of UK cyber security defenders (including members of the public and military personnel) have been tested to see if they have what it takes to protect their country from online attacks.

Held at the Defence Academy in Shrivenham, the Cyber Security Challenge UK’s new cyber camp was delivered by a number of the UK’s most prestigious cyber defence companies to help attendees gain foundation skills and confidence to take their first steps into the cyber security profession.

The assessment on Friday 29 August was devised by cyber security operatives from GCHQ and witnessed brave candidates assemble a cyber team battling to overcome the threat of a cyber terrorist group, the Flag Day Associates, who have been staging a number of attacks in the UK over recent months.

The latest incident was reported by the central security team at Parliament Square, a large central London meeting and conferencing space known to host classified gatherings characterised by high secrecy and sensitivity. The team confirmed that the web-based application that controls their intelligent building management software had been targeted and successfully compromised.

The cyber students in action


Under the guidance of mentors from GCHQ and other industry experts, as well as previous Challenge candidates, the cyber camp recruits were assessed on their ability to run penetration testing as part of a full security assessment of the web application in order to identify the vulnerabilities that may have been exploited by the attackers.

To prepare them for this test, the cyber camp recruits were taken through two days of training administered by some of the country’s leading cyber security experts.

Content details of the cyber camp

The cyber camp programme was put together by the Challenge with the support of C3IA Solutions (who provide information risk management training and cyber security services for the MoD, the Government and industry) and included:

• Defence, aerospace and security expert QinetiQ introducing cyber camp attendees to the principles of risk assessment and management
• Forensic technology teams at PricewaterhouseCoopers running lessons on digital forensic analysis
• Introductions to business continuity management and security architecture provided by worldwide information security training and education company Infosec Skills (two further modules were completed online ahead of the cyber camp)
• Web application security testing instruction courtesy of cyber security services and solutions specialist IRM
• A module on vulnerability research from Raytheon, the technology and innovation leader specialising in defence and national security
• An interactive session on legal and ethical practice within cyber security delivered by the National Crime Agency

The final stage of the cyber camp witnessed candidates sitting their first professional qualification – the Certificate in Information Assurance Awareness (CIAA) – free of charge. This came courtesy of InfoSec Skills and its examination provider, the Global Certification Institute (GCI).

Cyber camp attendees who performed particularly well were granted places on the new CESG-accredited Cyber Scheme Team Member course.

Growing skills gap in cyber security

The Cyber Security Challenge UK began in 2010 as three competitions run by a small group of supporters from industry, Government and academia designed to address the growing skills gap in the UK cyber security profession.

Now in its fifth year, the Challenge has grown its range of competitions to better represent the variety of skills currently demanded within the profession and is backed by over 75 sponsors from across UK Government (including through its National Cyber Security Programme) as well as major names from industry and academia.

Challenging cyber attackers in among the tanks at Shrivenham


The cyber camps are a more recent addition to the Challenge competition programme. They sit alongside a variety of exciting virtual competitions and provide a first opportunity for candidates to begin crafting their skills.

Stephanie Daman, CEO of the Cyber Security Challenge UK, commented: “Last year’s inaugural cyber camps showed the demand from amateurs to be given the opportunity to break into this field. The camps afford everyday civilians the chance to see what it’s really like to work as a professional in this sector, and what’s involved in defending the UK from ever-growing cyber attacks.”

Daman added: “Talented individuals learn from the best in the industry and, by dint of receiving a qualification for their efforts, they’re provided with a genuine career-enhancing experience. This sector needs more people with talent and skills and all of those involved in this cyber camp will have enjoyed a truly unforgettable experience.”

Kevin Williams, head of partnerships at the National Crime Agency’s National Cyber Crime Unit, stated: “We are proud to be part of this year’s cyber security camp and help to inspire the next generation of specialists to think about a career in cyber security. Our officers tested the skills, technical ability, knowledge and understanding of the candidates to see whether they have what it takes to defend the UK and its citizens from cyber-related attacks. We look forward to continuing our support for the Cyber Security Challenge UK over the coming months.”

Virtual competitions and foundation modules

Terry Neal, CEO at InfoSec Skills, explained: “We’re delighted to support the Challenge through our virtual competitions and foundation modules in IA Governance and IA Architecture delivered during the cyber camp. We hope to inspire the next generation of cyber specialists and help to get them started on their career paths in Information Assurance.”

Charles White, CEO of IRM, said: “Watching the cyber camp recruits learn and compete while surrounded by the physical history of the British Armed Forces illustrates the extent to which the Internet has transformed our lives and how, as a society, we must respond to that change. Where once we had tanks and large armies to defend our nation, we now have skilled and tenacious individuals who thrive on a technical challenge – the UK’s Armed Forces for a Digital Age, if you like.”

On an equally serious note, White also commented: “At this time there is a severe deficit of qualified individuals who are capable of assessing and improving our cyber security defences. If our citizens, Government and businesses want to stay safe in cyber space while also continuing to reap the economic and social benefits it brings then more effort has to be invested in nurturing cyber security talent.”


Filed under Risk UK News

Home Secretary announces intention to merge blue light services

The need for further public sector spending cuts by the Government will mean integrating the police, fire and ambulance services such that the ‘still large fiscal deficit’ can be reduced, Home Secretary Theresa May has announced.

In a speech made at the think tank Reform on 3 September, the Home Secretary stated: “With a still large deficit and a record stock of debt, there will need to be further spending cuts. In the policing landscape of the future, I believe we will need to work towards the integration of the three emergency services.”

May said that the next and “even tougher” challenge is “how we can reduce demand for public services through smarter policy. The need to go on reforming will not end with this Parliament.”

It’s thought that, while front line services may not change, there could be ways of sharing back office functions and co-locating the services on the same site.

Some localities have already started to merge services. Theresa May referred to Northamptonshire, where Police and Crime Commissioner Adam Simmonds has launched joint operations planning teams involving both the police and fire services. Indeed, Simmonds has been a great supporter of integration and has spoken about the future possibility of sending just one emergency vehicle to the scene of an accident which would be equipped to deal with a variety of situations.

Earlier this year, (then) fire minister Brandon Lewis outlined some examples of where plans to share blue light services have been put in place in order to save money. These included a predicted saving of £4 million in Hampshire where the police service, fire service and Hampshire County Council are sharing offices and a potential £3.5 million saving in Merseyside, where the fire and police services are planning to share a Control Room.

Home Secretary Theresa May MP


Cautious but firm approach needed

In an editorial following the Home Secretary’s announcement, The Guardian reported: “Although there are many successful examples of local collaboration – fire officers administering emergency First Aid, or police travelling in the same vehicle as firemen – the prospect of real integration sheds a cold light on existing management structures. The ambulance service has been (painfully) consolidated into ten regional trusts which would not lightly be levered out of the NHS in the name of integration. However, there are still 43 resolutely unconsolidated police services and 46 fire and rescue services, with 46 different governance, organisational and operational structures. While deaths from fire in the home are, happily, at a record low, the number of fire-fighters and the cost of running the fire service remains the same.”

Graham Ellicott, CEO of the Fire Industry Association (FIA), commented: “Any integration or consolidation of the blue light services will undoubtedly be difficult and a cautious but firm approach will likely be needed. However, before any approach is attempted the FIA believes that it would be prudent to try and bring more consistency to the operation of English Fire and Rescue Services.”

Graham Ellicott: CEO at the FIA


Elaborating on this last point, Ellicott explained: “For example, each of the 46 services operates a different attendance policy when it comes to automatic fire alarm systems. Surely in the 21st Century there could be more consistency brought to this situation, particularly so given that Primary Authority Schemes have now been extended to fire. Such schemes offer assured advice from one Fire and Rescue Authority to a business that operates across more than one local authority area.”


Filed under Risk UK News

“Victims must not be left to investigate crimes” states Victim Support

Her Majesty’s Inspectorate of Constabulary’s (HMIC) latest report (entitled ‘Core Business: An Inspection into Crime Prevention, Police Attendance and the Use of Police Time’) reveals that victims of criminality receive a different response from the police for the same kind of incident depending on where they live.

The report – dubbed the ‘Policing Postcode Lottery’ – examines all 43 police forces in England and Wales. It looks at three principal aspects of day-to-day policing: the prevention of crime, how crime is investigated (and offenders brought to justice) and freeing up and using police time more efficiently (which includes the use of modern technology). The report merges three complementary inspections into a single assessment.

The document states that criminal damage and car crime are on the verge of being decriminalised because some forces have given up on investigating them. In some cases, victims were asked to check for CCTV or fingerprints themselves.

It also notes that partnerships are crucial for supporting crime victims and preventing further offences, highlighting the work that Victim Support pursues with victims and witnesses of crime in England and Wales.

‘Policing postcode lottery’ must stop

HMI Roger Baker, who led the inspection, said: “Police forces have done a good job in tackling crime and anti-social behaviour, in turn leading to long-term reductions over the last ten years. However, we were concerned to find that a member of the public will receive a different response from the police for the same type of crime or incident, depending on where they live. This sort of ‘postcode lottery’ has to stop and a consistent approach applied across England and Wales.”

Baker added: “It’s only by fully understanding how they use their staff that police forces can ensure they’re both efficient and responsive. We found that this vital element of evaluation and analysis is still lacking in the majority of forces, with fewer than a quarter investigating demand in order to prioritise and organise their workforce. In this age of austerity, it’s more important than ever that forces understand how to prioritise their resources.”

Tom Winsor: HM Chief Inspector of Constabulary


HM Chief Inspector of Constabulary Thomas Winsor commented: “The oxygen of effective policing is intelligence. Information is useless if it cannot be found and used at the time and in the circumstances in which it is needed. In policing, if it’s inaccessible to those who need it, great harm may occur which could and should have been prevented. Despite this, in too many respects police forces have failed to embrace and exploit the capacities of modern technology. They’ve established information systems which, even now, lack necessary standards of interoperability. Steps are now being taken in this respect – and they are to be welcomed – but progress until now has been too slow, insular and isolationist. This must change urgently. As long as these material shortcomings persist then lives are at risk.”

Winsor also stated: “England and Wales has 43 police forces. There are not, and never have been, 43 best ways of doing something. While the roots and much of the practice of policing are local, and will remain so, police forces must collectively recognise that it’s in the public interest that every force must understand and adopt Best Practice to be applied in the most efficient and effective way in each police force area.”

Placing victims at risk of further harm

Responding to the report, Adam Pemberton (assistant CEO of Victim Support) explained: “As a charity that has supported millions of crime victims, we know how important it is that they get the help they need from the police. It’s critical that victims can trust officers to investigate their case thoroughly and keep them informed of progress and the outcome. It is totally unacceptable for victims to have to investigate their own case as it could put them at risk of further harm and they may miss vital evidence which could allow offenders to evade justice.”

Victim Support believes that it’s unacceptable for victims to investigate crimes themselves

Pemberton added: “We know from supporting children and young people, victims of domestic and sexual violence and those with mental health problems how devastating crime can be for their well-being and sense of security. They are also some of the people most likely to suffer repeated crimes.”

In conclusion, Pemberton said: “These are not the standards we should expect from the police and improvements must be made. We will make sure crime victims and witnesses receive the support they need and the respect they deserve.”

*Read the HMIC Report in full


Filed under Risk UK News

Tavcom expands range of online training courses

Tavcom Training’s ongoing commitment to provide students who work within the electronic security sector with the flexibility to choose the best way for them to take on board essential industry knowledge has been underscored by the introduction of two brand new online e-learning courses.

Tavcom’s Access Control and Intruder and Perimeter Alarms online courses are designed to provide consultants and specifiers – as well as anyone who’s embarking on a career within the security industry – with the knowledge and understanding of how to design cost-effective systems which are fit for purpose and conform to relevant national and international regulations. 

Both courses are BTEC Level 3 certificated, with each course broken down into eight individual training modules to make it easy for students to learn at their own pace and in their own time. Collectively, the courses cover all the important aspects of either access control or intruder and perimeter alarm systems.

Tavcom is now offering online training courses in access control and intruder/perimeter alarms


The Tavcom online e-learning courses are intended to offer a practical alternative to traditional classroom-style courses, allowing students to acquire new skill sets without having to ‘leave the road’.

“We understand that, in a competitive world, people need to manage their time very carefully,” said Paul Tennent, managing director of Tavcom Training. “That’s why we are determined to provide our clients with maximum choice as to how they may wish to learn new skills.”

Tennent concluded: “The development of these two new tutor-supported courses is a further demonstration of how we are delivering against that commitment by providing an effective, alternative option to our traditional classroom-style training courses.”

Tavcom is a leading supplier of security systems training courses for installers, operators, managers and designers of CCTV, network IP, intruder alarm, access control, fire alarm and all other types of electronic security systems. A wide range of technical and non-technical courses cover all security systems-related fields, among them security management, Control Room operations, system planning and project management, structured cabling, disaster recovery, counter-eavesdropping, PAT testing and covert CCTV.


Filed under Risk UK News

Office of Surveillance Commissioners issues warning over social media snooping

The Office of Surveillance Commissioners (OSC), led by Chief Surveillance Commissioner The Rt Hon Sir Christopher Rose, has published its Annual Report for 2013-2014. Emma Carr (director of Big Brother Watch) highlights some of the main points.

*Intrusive surveillance authorisations have increased from 362 to 392
*Directed surveillance by law enforcement agencies (LEAs) has increased from 9,515 to 9,664
*Directed surveillance by public authorities (PAs) has decreased from 5,827 to 4,412
*Active LEA covert human intelligence sources: 4,377 were authorised, 3,025 remain authorised
*Active covert human intelligence sources (non-LEA): 53 were authorised

The Commissioner notes that the information included in the 2013-2014 Annual Report is for 100% of LEAs and 96.6% of all other PAs. However, Sir Christopher Rose notes: “I am once again slightly disappointed that a few public authorities appear to treat my request for statistical returns as an option” and that: “I have therefore decided that, as from next year, those public authorities which have failed to respond within the set deadline will be named in my Annual Report.”

The Commissioner also raises the fact that there have been a number of occasions where senior officers have failed to meet with inspectors. These comments indicate that, among some LEAs and PAs, there’s a potential problem of the OSC not being taken seriously.

The Commissioner also notes that, since the Protection of Freedoms Act 2012 was introduced, there has been a “downward trend” in the number of applications made and authorisations granted which “may or may not be attributable to this enactment.”

Emma Carr: director of Big Brother Watch


The Commissioner raises concerns about the lack of a common approach from councils towards the authorising process now that it’s controlled by magistrates. He goes on to warn that “the knowledge and understanding of RIPA among magistrates and their staff varies widely.” The Commissioner notes that there’s certainly a need for “adequate training for magistrates” and their colleagues.

Worryingly, the Commissioner cites two examples of inappropriate authorisations: one having granted approval for activity retrospectively, and another having signed a formal notice despite it having been erroneously completed by the applicant with details of a different case altogether.

Social media and covert investigations

One of the most interesting sections of the report relates to the use of social media for covert investigations by PAs. The Commissioner states that he “strongly” advises all public bodies to put in place proper policies designed to deal with social media investigations due to a lack of demonstrable understanding of the law from some workers involved in investigations.

The report states that: “In cash-strapped public authorities, it might be tempting to conduct online investigations from a desktop as this saves time and money and often provides far more detail about someone’s personal lifestyle, employment and associates, etc, but just because one can does not mean one should.”

While long overdue, the Commissioner is absolutely right to acknowledge that many PAs around the country may well be covertly gathering intelligence from social media sites on an illegal basis.

RIPA 2000 was created while Google was still in its infancy and social media sites like Facebook and Twitter didn’t exist. It would therefore be ridiculous to expect that the legislation would allow the use of the Internet to proportionately investigate crimes while ensuring that safeguards are in place to protect the public’s privacy.

A far more open discussion about what data should be monitored – as well as whether the legal framework is truly fit for the digital age – is now required.


Filed under Risk UK News