in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

October 2007 - Posts

  • Workplace Education As Important As Data Encryption When It Comes To Endpoint Security: A Calculation

    According to a national survey conducted by ISACA, thirty-five percent of US workers have violated their company’s IT policies.  Sixteen percent have also used peer-to-peer filesharing programs at work.  When put in this context, I guess, it’s not surprising that major companies such as Pfizer and Citigroup had a major data breaches in the past six months.  The survey was conducted via phone and geared to white-collar workers, so depending on the definition of “white collar” the problem might add a couple of more points to the above stats. 

    What’s even more eye-popping is that they found that “on average, at a company of 1,000 white-collar employees, up to 70 employees are likely using peer-to-peer file sharing at work often or very often.”

     

    Let’s do some calculations, shall we?  What are the chances that there will be a data breach due to P2P filesharing applications?  First, we must make an assumption.  The assumption is that most people know how to setup P2P programs so that sensitive files are not exposed to outsiders, including accidental mishaps.  I’ll be generous and say that there’s a 1% chance that someone (anyone) might mess up.  I’ll make a second assumption that in the one instance where someone messes up, the corporate network is compromised.  Of course, this doesn’t mean that if two people mess up, the damages are double.  Regardless of one or seventy breaches, the damages are the same (and out of the scope for this exercise).

     

    If you’ve taken some basic statistics classes (and understood what was going on…I can’t claim that I did, not all the time), you know that there are multiple ways to accommodate the breach.  One person made an error.  Two people made an error.  Three… ad nauseam.  So, the chances of a data breach are actually quite high, and almost impossible to calculate one by one, then sum them up.  In such instances, what people do is calculate the opposite: what are the chances that no one will make a mistake, then subtract it from 1 (i.e, 100%).  For example, the chances of throwing a 1 when rolling a die are 1/6.  The chances of not rolling a 1 must be 5/6 (or, 1 – 1/6).  In our P2P case, the difference is the total chances of a mess-up scenario.  (The total, since it doesn’t matter if one person messes up or all seventy mess up, and all scenarios contribute towards the network breach.) 

     

    Well, the chances of no one making a mistake is (0.99) * (0.99) * (0.99) * and so on, seventy times, or (0.99)^70, since we’re dealing with seventy people, and there’s a 1% chance of someone messing up (meaning that there’s a 99% chance of someone not messing up).

     

    1-(0.99)^70  =  0.505 or 50.5%

     

    In other words, there’s a slightly better than a 50% chance that you will have a network breach.  If you run the above exercise with all 1000 employees, you get a 99.996% probability of a breach.  (It will never reach 100%, since there’s the slightly probability that all 1000 employees setup their P2P software correctly.)  Remember, this is assuming that people know what they’re doing 99% of the time.   

     

    Of course, the assumption is generous.  I know people who know what they’re doing 0% of the time, and when you consider all the horror stories you hear from the guys (and gals) manning the support desks, I’m pretty sure the zero-percenters can be found in all businesses.  The chances of a breach shrink to approximately 10% when 11 people, not 70, run P2P software.  Notice the disparity, the effect a small number of users can have?  Out of 1000 employees, 1.1% of the people account for a 1-in-10 chance of breach.  And 70 people (7% of the employees) account for over a 50% chance of a breach.

     

    In our original calculation, if the breach ends up costing $1 million, you can expect to pay that amount due to a security breach sooner than later.  I can assure readers of this post that solutions for minimizing risk can be had for much less than that one hundred grand.

     

    Some will point out that the above is not realistic, it’s too simple.  I agree.  As anyone knows, real life is more complicated.  Which implies more points of failure, in addition to the need to lower the generous 99% "people-know-what-they're-doing" rate I gave in the above example.  If anything, not having the correct safeguards shoot the chances of a breach to well over 50%.

     

    What can an IT guy do?  Well, a little education goes a long way.  Some people are not aware of how Trojans and viruses work, how easy it is to allow malware to get embedded into computers.  Others are not aware how the action of a few can have such debilitating repercussions.  A simple calculation like the one above can illuminate the reasons why computer policies are in place.  Also, when all else fails, he or she might consider setting up white lists for which applications can run on the computer in the network.  This way, employees can attempt to ignore company security policies, but they won’t be able to install any software that is not approved by the IT department to begin with.

     

    With a service such as AlertBoot, application control can be easily set up and deployed across a network.  Plus, you can get whole disk encryption for minimizing the chances of a data breach if computers and laptops are stolen, and control which devices can be hooked up to a computer (mouse to a USB port?  OK.  USB drive to a USB port?  Not OK) based on the user.

     
  • Khaki Bandit: Extreme Social Engineering (or, An Extreme Reason For Greenlighting Laptop Encryption)

    The Khaki Bandit.  That’s how Eric Almly was known in Milwaukee when they didn’t have a name to match up with the burglaries.  He’s been connected to computer thefts in Minnesota, California, Arizona, and Florida.

     

    Supposedly, Almly’s modus operandi was to walk into corporate offices and lift laptops found in the office.  He wouldn’t walk in willy-nilly.  He’d stake out the soon-to-be crime scene, studying the place.  He would dress the part to better match the surroundings (I guess corporate America is really into khakis).  He would enter the offices close to the end of business day—when things were winding down, people were leaving work, but prior to the nighttime security staff arriving—and just hang around until people left.  Hey, he looked like he belonged.  On the rare times when he was confronted, he would lie.  Hey, he sounded and looked like he belonged.

     

    He’d go around the deserted office, pick up the laptops, and saunter out.  Because he looked like the part, it was rare that anyone would stop him.  And if he was stopped, he’d just lie his way through.  The purloined laptops would be wiped of their information and sold on eBay, where he garnered a 99.4% satisfaction rate.

     

    Companies affected by Almly include FedEx, Outback Steakhouse, and Burger King.

     

    Most articles covering this case indicate that Almly was not interested in the information contained and just wanted to turn a quick profit.  As pointed out, the smaller size of laptops makes it easier for one to steal multiple machines in one go, and easier (and cheaper) to ship.  So, in a sense, the companies got lucky the security breach was relegated to hardware theft.

     

    While I would imagine situations like the above are atypical, this is what social engineering is about: get the trust of people so you can perpetrate the crime.  The above is as much phishing scam as it is “Catch Me If You Can,” and I guess if you got strip the veneer of jargon, social engineering really means “conning someone.”

     

    Situations like the above are unpredictable events.  While, technically, there was no data breach in the end (at least, there are no signs there were any), the above companies probably know that it was a matter of luck.  The situation could have easily deteriorated into a nightmare.  While it may not seem to make sense to install encryption in all computers at a company, especially without a specific threat looming in the horizon, the truth is that companies need to seriously consider such a scenario and figure out ways to minimize risk.  Not scenarios where a khaki-clad thirty year old comes to swipe laptops, but this scenario: what are the odds that someone will be able to make off with company equipment on which sensitive data resides?

     

    Rogue guards, janitors, employees, temps, etc.  I’ll bet that the probability is much higher than people think or are willing to admit.  And if that is case, what would be the ramifications of someone successfully making off with the equipment?  Would the impact be the price of the laptop?  Or is there the potential for a $900 laptop to ensue in a $100 million incident?  The theft or loss a laptop can be written off; a $100 million incident is a different story.

     

    This is why computers with sensitive data must be encrypted, laptop or otherwise, using strong encryption provided by companies such as AlertBoot.  It will ensure that equipment theft is relegated to the price of the equipment, and won’t balloon into a national incident involving negative press, fines, and lawsuits.

     

    When you think about it, laptop encryption cures many ills: it mitigates the effects of theft, to begin with.  It might also mitiage theft itelf, since there will be people interested in stealing laptops for the data, not the hardware per se.  Plus, there will be no need for the IT department to ensure that the data is wiped correctly before discarding it due to age.  They can just toss the harddrive in its encrypted state, and leave your IT department to do something more productive.

     
  • There’s That Word Again: Hope, And The Data Security Blues

     

    "Saving money and being PCI-compliant is important to us, but equally important is protecting ourselves against intruders. Even though we have some breathing room with PCI, we are still vulnerable with WEP as our security key. It must be a risk we are willing to take for the sake of saving money and hoping [emphasis added] we do not get compromised."

     

    This is a quote attributed to a member of the IT staff at TJX.  (The only source seems to be eWeek.  I’ve tried finding the original court filings but was unable to dig them up, and I cannot find anyone else making mention of it.)

     

    Supposedly, this was in response to several money-saving options that the CIO had suggested for keeping their budget in check:

     

    “I think we have an opportunity to defer some spending from FY'07's budget by removing the money for the WPA upgrade, but would want us all to agree that the risks are small or negligible.” (Also from eWeek)

     

    In this light, of course, the quote at the beginning of the post sounds less egregious.  The implication is, of course, that if the IT staff had not agreed on the security risk being low, the better encryption would have been implemented.  But one wonders, since when is hope an integral part of security?  Perhaps the IT staff was browbeaten into submission?  Wouldn’t be the first time, if true.  Business and organizational research has been studying such issues forever.  Some of them are even classics on what not to do, such as the ever-insidious cases of the Columbia and Challenger space shuttle disasters.

     

    I’ve already commented before that consumers were not turned off from shopping at TJX due to the security breach.  While I’ve wondered why this might have been—some suggest it was because the credit companies, not the customers, footed the bill, so customers haven’t felt the pain, except for the ID theft that may never occur—now I wonder if consumers will rethink their position once such details come to light in the popular media (I love eWeek, but most people don’t read this particular publication).  After all, it’s one thing to forgive somebody who was caught with his pants down, and another to forgive someone who intentionally decides to flash you, in keeping with the expression.   Fact is, TJX actively decided not to go with stronger encryption and “hoping not to get compromised,” which is a breach of another kind: a breach of customer trust.  If something like this had happened in Korea or Japan, the general populace would be regaled with shots of the CEO trotting out and offering his apologies in front of the cameras, lest a tacit boycott be underway.

     

    The silver lining on this particular cloud is that the TJX case will definitely provide IT department heads everywhere with the potential impacts of security breaches on the bottom line.  Projections will be possible; discounted cash flows will calculated; risk scenarios will be assessed with “concrete” numbers; etc.  This will in turn give the IT departments resources to use best-of-breed security measures, such as encryption services provided by AlertBoot.

     

    Whether your company is an SMB or regularly covered by Fortune magazine, security and data protection will grow to be one of the most pressing issues, if it isn’t already.  AlertBoot can be used for securing entire hard disks with advanced encryption.  Setup and deployment is easy, with minimal involvement by your company’s IT staff, allowing them to concentrate on more valuable tasks.  No company needs to trace TJX’s steps to figure out that hope is not a shield when it comes to data protection.

     
  • Continuing TJX Legal Saga Further Highlights Need For Data Protection And Encryption

    TJX is back in the news, and in a big way.  The reason for the brouhaha is the new estimated number of credit card accounts compromised when TJX security was breached last year.  The new number is 94 million, double the original TJX estimates of 46 million, as reported in a court filing.  The new estimate was provided by the bank group that is suing TJX in order to recoup costs involving the notification and issuance of new credit cards for affected customers.

     

    In light of the above, obviously a lot of people are asking if the new estimate is real, or if it has been inflated in order to induce a bigger, and faster, settlement.  I guess there is an incentive to inflate it, but at the same time people have multiple credit card numbers.  Perhaps TJX is consolidating some of their findings based on the number of people affected, whereas the Bank group is reporting a pure number of accounts affected?  Anyway, most commentators don’t seem to know what to make of the new number.

     

    There are some other salient points about the court filing.  To begin with, TJX failed nine of the twelve PCI compliance requirements, including the keeping of Track 2 information, which is explicitly banned under PCI.  Supposedly the company knew it was a violation, but continued to do so anyway—perhaps the forensic analysts that were hired had access to C-level e-mails?

     

    Of course, the entire thing started when hackers were able to steal customer data due to weak, and outdated, encryption practices that TJX was employing at the time (which, apparently, management was aware of).  Based on certain reports, supposedly more than 80 GB of cardholder data was stolen.  However, it looks like administrators wouldn’t have known about it—and clearly did not know about it, as subsequent events revealed—because they had minimal monitoring and capturing of transaction logs, according to the analysts that were hired to review the matter.

     

    How could the company had been so brazen?  Opinions in the blogosphere abound from “there are too many critical legacy applications that cannot comply with PCI requirements” (not brazen) to “why the heck not?  Everybody does the same thing, TJX only happened to get caught” (extremely brazen).  I think, in many ways, all of the opinions are valid.

     

    The truth is that TJX will be made an example of for future reference, just like WorldCom and Enron (don’t defraud investors with off-balance sheet transactions, for the latter).  I think with TJX we have entered the perfect storm where retailers, customers, and credit card companies will try to hash out their respective roles in preventing—more realistically, minimizing—what we saw with TJX.  It would be easy to point fingers at TJX, but complete culpability cannot lie with the retailer alone. 

     

    For example, to a degree I blame the customers who shop at TJX.  Despite the security breach, customers keep shopping there, and if TJX’s 10Q is to be believed, they’re shopping there more than ever.  I can tell you right now that this will not incentivize TJX to pay attention to security practices.  Indeed, they used that fact as an argument in rationalizing their settlement with lawyers representing customers: our customers still shop with us, so it doesn’t look like they were severely affected by the data breach, so we’re going to offer thirty dollars worth of coupons to potentially affected customers.  Meanwhile, one of the customers might have had a second mortgage in the six figures opened under his name.

     

    Credit card companies, supposedly, require merchants to keep a copy of credit card numbers for up to 18 months, which is to be used in case a customer decides to contest charges; apparently there is enough of an onus that earlier this month the National Retail Federation issued an open letter to credit card companies stating that merchants shouldn’t be in charge of storing sensitive account data.  The NRF’s message to credit card companies was essentially, “it’s your data.  We don't want it.  You protect it.”

     

    While this thing is being settled in court (or possibly out of court), I think any business can appreciate the need for safeguarding data.  As pointed out numerous times by numerous professionals, make sure that you have the correct level of encryption.  Also, it seems pretty obvious that there’s a need to monitor the situation.  With services such as AlertBoot, you can easily encrypt your computers or your data or both, and combine it with powerful, easy-to-use reporting.  Plus, there are a myriad of security options that you can explore to ensure that your company is protected.

     
  • The Heart Wants, And The Mind Says Yes To Mobile Encryption…But The Body Doesn’t Follow?

    There were reports last week that a laptop containing personal information on over 160,000 people was stolen from Administaff, Inc., a Houston-based company.  Administaff is a company that engages in outsourcing personnel management services, such as payroll administration.  As such, it’s not surprising that Administaff deals with a lot of personal information, or that the stolen laptop contained Social Security numbers, names, and addresses.

     

    How did the laptop get stolen?  From the backseat of an employee’s car.  Apparently, the employee stopped at a grocery store.  I cannot fault the employee in this case.  People have to eat at some point, and grocery shopping right after work is a natural thing to do.  And let’s face it, not too many people decide to put their laptops in the trunk.  To begin with, everybody knows that there is no cushioning in there—what if you drive over a rough patch and you bust your laptop?  I’m less understanding of the fact that the laptop, nor the files with sensitive information, were encrypted.

     

    According to an article in the Houston Chronicle, the computer was “password-protected.” I think it’s safe to assume that the only thing protecting this particular machine is the Windows logon prompt, which is not as secure as people think it might be.  According to Administaff, not having the file encrypted is in violation of company policy.  You’ll notice that this is what the Gap press release said when they had their security debacle earlier in the month.

     

    My guess is that Administaff figured a long time ago that they might run into the problem they are having now and decided that encryption was necessary in the workplace.  While encrypting files with sensitive data is a phenomenal method of protecting information, the problem with such a policy is that the onus falls upon the employees to secure the data: somebody copies some data to a spreadsheet temporarily and forgets to encrypt the file because he had to answer the phone and forgot about it; Murphy’s Law promptly kicks in and the laptop is stolen that same day.  More importantly, if the encryption is done at the file-level, it’s kind of hard to audit the adherence of security policies.

     

    A better method, or a complement to file encryption, might have been to encrypt the entire laptop at the hard drive level.  This way, if theft is the reason for the security breach, the company can rest assured that the criminal can not access the contents of the laptop, regardless of whether the correct files are encrypted or not.  Plus, services such as AlertBoot, which offer full disk encryption, come with robust reports for auditing the state of encryption on each machine for which AlertBoot was deployed.  This way, management can ensure that no computer slipped through the cracks when it comes to protection.  It’s obvious that companies know and want to protect their data, and their customer and worker data.  It’s just a matter of how best to enforce that protection (minimal human interference would be the best) and ensure it’s being maintained.

     
  • Data Encryption And SMBs - The Smaller You Are, The Greater The On-Line Threat

    Many of the stories covered in the media regarding data and security breaches involves companies that are large, usually Fortune 500, maybe Fortune 1000.  We must not forget, however, that any business needs to practice proper security when it comes to customer data.

     

    For example, the Boston Globe covers today the theft of customers’ credit card data at Not Your Average Joe’s, a restaurant chain based out of Dartmouth, Massachusetts.  This chain is small by most measures, with 13 restaurants in Massachusetts and one in Virginia.  Based on an ongoing investigation, about 3500 customers were affected, most of them patrons at their Hyannis restaurant.  This is despite Not Your Average Joe’s having proper security measures in place.  The Secret Service has gotten involved, and they think that there was an internal security breach, although restaurant management believes that none of their regular personnel were involved.  They have hired a forensic expert to dig deeper into the issue.

     

    The above situation, while unfortunate, is not unusual.  Based on a recent report, small and medium businesses (SMBs) are unprepared for cyber crime; indeed, the word “sitting duck” was used to describe their preparedness.  In most industrialized countries such as the United States, SMBs make up 97 to 99 percent of all companies.  Yet, because these companies are much smaller than Fortune 500 businesses, they cannot afford the full-fledged IT staff that large companies can.

     

    Before you start wondering whether SMBs would require an IT staff—of either one or more—you must take into consideration that a lot of companies now take and make payments over the Internet, which involves a computer (obviously).  This alone means that SMBs face the same threats at larger companies do.  Personally, I think the threat is higher, since SMBs usually deal with one customer at a time, and end up collecting more credit card numbers and customer information than companies such as Ford Motors would.  The latter is a bigger company, but in terms of checking accounts and credit card numbers to be protected, Ford probably numbers well below that of Not Your Average Joe’s.  For example, the Massachusetts restaurant chain served over 350,000 customers in August and September alone.  If half of them are return customers, it implies 175,000 new customers over two months, or nearly one million new customers every year.  Ford’s list of vendors and dealers is probably smaller than that combined.  Couple that huge amount of data with the little emphasis on data security, and you’ve got a potential nightmare on your hands.  Especially for small businesses.  Especially for a restaurant (great restaurants go under for fickler reasons.  Patrons who are victims of identity theft would have a valid reason for fishing out their Zagat surveys at lightning speed).

     

    The danger to SMBs doesn’t lie only on appeasing customers, however.  A court filing by Visa in the TJX credit card security breach case shows that credit card companies have gotten better at identifying instances of fraud, and the original source of the credit card breach.  In other words, the credit card companies can tell that their loss—issuing new cards and other costs—can be traced back to a particular business.  One has to wonder what will be the effect if fraud can be traced back to a security breach at a small business?  With potentially hundreds of thousands of credit card information and customer data, would the business survive if Visa or MasterCard decided to ask for reparations?

     

    What can SMBs do to minimize such threats?  To begin with, they must ensure that the computers they use for Internet transactions and recording other sensitive data remain secure.  The best thing to do is to set up firewalls and only visit those particular sites for transacting business only.  Sites such as Hotmail or Yahoo!Mail should be blocked as well, in case an employee tries to check his e-mail from the same computer and unleashes a storm of malware by mistake.

     

    Also, make sure that only people involved in making charges can access the computer.  This can be done by securing the computer with a password.  In order to make sure that the password does not get passed around, specify which users can access a computer and give those users the ability to change their own password.  Using a service such as AlertBoot, SMBs can easily create user profiles with the authority to access devices as necessary.  The users can also specify their own password, and these can be used successfully across all devices, meaning employees don’t need to remember multiple passwords for separate devices.  If the password is changed, it would be changed for all devices automatically as well—less administrative work for all involved.

     

    For computers with sensitive data, SMBs might also want to start using white lists to specify which programs are allowed to run on a computer (Internet explorer, with firewall, yes; pirated copy of Solitaire, no).  This way, if a Trojan horse or a virus, or some nefarious application running in the background, is deployed without your knowledge, it will fail to execute since it’s not part of the white list.  While legitimate business sites are safe for the most part, they are not completely failsafe, as revealed in the Monster.com security breach.

     

    Application control is different from running antivirus and anti-spyware software.  As everyone knows, such software is not preventative but reactive—the software does its job once the experts identify and determine that there is spyware and viruses to be blocked and destroyed; prior to that, the virus is free to roam your computer.  The use of application control with white lists is preventative in nature.  Since it severely limits the use of the computer, it’s great for controlling and maintaining the security of computer being used for financial transactions and legitimate business only.  With AlertBoot the hardware ports found on computers can be deactivated on a per user basis as well.  This way, the business owner can hook up a USB drive to the computer and copy files, whereas the accountants with limited rights cannot.

     

    Last but not least, any business owner with sensitive financial data, relating to the business itself or to customers, will probably want to have their computers encrypted.  After all, theft of electronic equipment happens all the time.  If somebody physically lifts your computer and takes it out of your business premises, just a simple password might not be enough to protect your data.

     
More Posts Next page »