Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor

Overtis identifies security weaknesses in national children's database

Overtis Systems : 14 July, 2009  (Technical Article)
Government warned by data security experts to tighten security on ContactPoint, the national children's database before a serious breach occurs
Overtis Systems, a provider of insider threat management solutions, has highlighted a number of concerns around the security of the national children's database, ContactPoint. The database carrying the details of 11 million children in the UK will be accessible by 390,000 users making the system highly vulnerable at thousands of endpoints. Overtis warns that the system would benefit from tighter security management, citing biometric authentication, administrator monitoring, change management, and auditing as potential areas for improvement.

ContactPoint has been devised by the Department for Children, Schools and Families to help the government monitor and intervene in children's welfare. It houses the name, address, gender, birthday and ID code of each child, their carers, and contact details for local authority services such as schools and doctors. Access to the database is facilitated by the Employee Authentication Service (EAS) authentication system which went live on 8 June, allocating a token to around 800 pilot employees initially with national roll-out planned from October.

Access privileges ensure that staff can only view the details they require. However, the system has already been delayed three times following security concerns over shielding the privacy of 55,000 children whose whereabouts need to be protected.

Overtis Systems highlights a number of security weaknesses with regards to the ContactPoint system:

* Stronger authentication: Two-factor authentication is stronger than relying on a password alone and EAS is based firmly on best practice and solid technology, with timed SAML Assertion. However, it still doesn't address the issue of hijacking another user's session by using someone else's computer while they are away from their desk. Given the sensitivity of the data within ContactPoint, serious consideration should be given to the deployment of biometric devices, preferably using finger vein technology, certainly for high-level access.

* Administrator access: Across the user-base access is determined by role but there is little mention of how administrator access is monitored or managed. IT and database administrators will probably have system-wide access. This should also be secured, with administrator access subjected to the same security considerations as those lower down the chain.

* User Administration: The sheer number of users on the system means that user administration - particularly removing user access or downgrading their access to the most sensitive data when they leave a particular role - is going to require substantial management and it is not clear whether this has been considered.

* Monitoring and Audit: Logging and auditing a system of this size represents a significant challenge. Spotting suspicious or malicious activity or unusual patterns of use is likely to be highly problematic.

"Why the government has created this security headache in the first place, particularly when their track record on data handling raises serious questions, is something of a mystery. Risk Management would suggest a far safer approach is to only catalogue the details of children who have received services," said Richard Walters, Product Director, Overtis Systems. "Government spokespersons have stated that information from the database cannot be copied onto removable media but there has been no mention of endpoint security. The endpoint will almost inevitably turn out to be the weak link in the chain, with targeted malware a very real concern. Without comprehensive security at the endpoint, between the user and the data, it is relatively simple to copy data out of any application. In a Windows environment and with a little knowledge we'd even go so far as to say a child could do it".
Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo