AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

October 2008 - Posts

  • US-Style Data Breach Notifications Not The Model For UK: Data Breach, Data At Risk, And Overall Confusion

    SC Magazine reports that the UK Information Commissioner has stated that the US laws requiring notification of the public in the event of a data breach are not a viable model for the island nation.  I have argued before that a blanket approach to notifications is counterproductive when companies affected by a breach have used data protection measures like hard disk encryption or file protection, so I can empathize with him.

    Let’s lay some groundwork.  The term “data breach” actually carries at least two meanings: data at risk and an actual data breach, where the latter is narrower than the blanket term “data breach” I used above.  Confused yet?

    I wouldn’t be surprised if you were.  The reason why there is a lot of confusion with the general populace when it comes to data breaches, I think, is the use of the term data breach to mean two different, but related, events.  Let’s see if I can clarify this.

    An unauthorized person downloading a spreadsheet full of names, Social Security numbers, addresses, and other data is an actual data breach, since we know sensitive data is in the hands of someone who shouldn’t have that data.  I mean, someone had to initiate that download, so we know a person is behind it.  It’s clearly a data breach.  No confusion there.

    However, data at risk events, like the loss of a laptop containing sensitive information, are also regarded as data breaches.  Note that we don’t actually know what happened to the data on the laptop.  Someone could have accessed it to commit fraud, or someone could have wiped the contents without taking a second look in order to use the computer.  The laptop could have been used, along with other laptops, to build a fort on permanent exhibition at, I don’t know, Lego Land -- who knows?  However, common sense tells us that we have to treat this incident as if it were a data breach, and proceed from there.  Hence the notification letters when disks, laptops, and other devices go missing.

    In summary, an event where there was an actual data breach is a data breach.  An event where data is at risk, but we don’t know whether data was actually breached, is also a data breach.  Makes sense, right?  The problem, and this is my opinion, is that some laws in the US regard “data at risk” incidents as a data breach regardless of whether data security tools like laptop encryption software were used.

    I personally think that the loss of a laptop that uses encryption to protect its contents is not a data breach.  Heck, I’m not sure I would even label it “data at risk” unless it was noted that the “risk” is smaller than the chances of finding El Dorado (the mythic city, not the movie in the bargain bin at Blockbuster.  Speaking of which, James Caan rocks).  The risk of a lost but encrypted laptop turning into an actual data breach is minuscule.  In fact, I’d say it’s even better protected than data residing on a physically-guarded, but not encrypted, server.

    Should people be notified in the event an encrypted computer is lost?  Or when an encrypted USB memory stick is lost?  I don’t think that is any more necessary than alerting the world I had my wisdom teeth removed.  The loss of encrypted data is not news, and it certainly is not reason for concern.  It is also not a reason to alert thousands of people that, essentially, nothing happened.  The loss of an encrypted laptop is pretty much the same as the loss of a new laptop straight out of the box when it comes to data breaches: you don’t have one.  Likewise for CDs, smartphones, memory sticks, and other electronic data repositories that were encrypted.

    There are caveats, of course.  A company using weak encryption should not only notify customers but get a beating with the idiot stick.  Likewise when usernames and passwords for decrypting information are found stuck to a computer.  But if the data cannot realistically be breached…well, let’s put it this way: my impacted third molars would provide more conversation than a lost, encrypted computer.


    Related Sites:
    http://www.scmagazineuk.com/Watchdog-No-to-US-style-data-laws/article/120107

     
  • Insufficient Postage Results In Data Breach, No Word On Disk Encryption Use

    Medical Mutual of Ohio, a health insurer, has announced the loss of eleven computer disks that may affect 36,000 retired Ohio employees.  A preliminary investigation has laid the blame on insufficient postage.  Medical Mutual hasn’t revealed whether the contents on those disks were encrypted, although one hopes something like hard drive encryption or file encryption was used to protect the information of those retirees.

    Insufficient postage.  Man, this is a new low.  I’m pretty familiar with instances where CDs and other digital storage media went missing en route via mail or courier services.  And, honestly, such losses are expected.  Packages and mail go missing all the time; the fact that you sent sensitive data does not preclude it from disappearing during delivery.  However, sensitive data being circulated in the US Postal System because of insufficient postage?  Sheesh.  It’s like something out of Seinfeld.

    Five retiree groups are affected by this latest data breach, including the School Employee Retirement System (SERS), the State Teachers Retirement System (STRS), the Ohio Police and Fire Fund, and the Ohio Highway Patrol Retirement System.

    According to spokesman Ed Byers at Medical Mutual, they now see that the disks should, ideally, have been hand-delivered.  And, according to some accounts, the disks were hand-delivered in the past.  There is no information on why the disks were mailed in this particular instance, although that would explain the odd cause of this data breach: there was insufficient postage because these disks had never been mailed out before.  One’s bound to have problems the first time something is attempted, although this particular one is laughably egregious.

    Efforts to recover the disks are underway.  The mail recovery center in Atlanta (which is a long way from Ohio) has been searched, but the missing disks did not turn up.  If the disks ultimately don’t show up, the health insurer has plans to provide credit protection to all who are affected.

    Medical Mutual had the right idea regarding data security when they decided to hand-deliver those disks in the past.  I have no doubt their investigations will show that someone wasn’t following company policies when these disks were mailed out.  However, I’d say they’re a little short when it comes to data security practices.  Where is the guarantee that the people delivering the disks won’t be robbed?  Or that they won't inadvertently lose the disks?

    Or that someone will mail that stuff out by accident?  That’s right, there are no guarantees.  The chances of such a breach happening may seem minuscule, but history has shown that it happens, and that it happens often.  Unfortunately, there is no way to eliminate the chances all the way down to zero -- it’s a mathematical impossibility.  What one can do, though, is lower the chances of a data leak all the way down to a number that’s relatively close to zero.  We’re talking about a number so small you’d say a trail of snail slime is the Yangtze River in comparison.  There are plenty of products out in the market that will allow one to do this, including AlertBoot data security solutions.  It’s called encryption, and it allows you to stack the odds on your side in the event something goes *poof*.

    Related Articles:
    http://www.bizjournals.com/columbus/stories/2008/10/20/daily37.html
    http://www.dispatchpolitics.com/live/content/local_news/stories/2008/10/24/copy/Lost.ART_ART_10-24-08_B1_VJBMI5R.html?adsec=politics&sid=101
    http://www.nbc4i.com/midwest/cmh/news.apx.-content-articles-CMH-2008-10-24-0012.html
    http://www.marketwatch.com/news/story/Ohio-Health-Insurer-Investigates-Missing/story.aspx?guid={1986D81E-510B-45F6-BAC0-1B1299A3C4E2}
    http://www.cleveland.com/news/plaindealer/index.ssf?/base/news/122483722188720.xml&coll=2

     
  • Backup Tape Encryption Not As Prevalent At Companies, Leaves Large Data Security Hole

    According to Thales, the French aerospace, defense, and security company, more than thirty percent of companies surveyed do not know whether they will protect their backup tapes with encryption.  Plus, it was found that backup tape encryption pretty much came in last when it comes to data encryption -- much further behind than data protection solutions like full disk encryption and file encryption.

    The survey found, in fact, that mobile device and USB device encryption is deployed more often than backup tape encryption.  This is surprising…and yet, not so much.

    It’s surprising because encryption software is generally used to protect data, and the more data you have, the greater the need for protection.  Generally, a single backup tape will contain much more data than what you can find on your average USB device.  Many, many times more data.  And, because people tend to back up important files only, a disproportionate amount of sensitive information is concentrated on a backup tape.  In other words, megabyte for megabyte, chances are the loss of a backup tape is a much more serious data breach than the loss of a USB drive.  Why would companies not use data protection for tapes, then?

    This is where the unsurprising aspect of the story kicks in.  Most people don’t deal with backup tapes.  The guys in IT tend to deal with them, the same guys you imagine are careful when it comes to data handling.  So, when you have a budget for encryption and you have to maximize the value of those dollars, do you…

    1) Protect the backup tapes that contain lots of data but have a low probability of getting lost or stolen, since people who know their stuff are dealing with it; or
    2) Protect all those little devices that contain some sensitive data, but have a higher probability of getting lost or stolen because they’re being used by…everybody?

    The correct answer is to increase your budget so both can be covered.  Thinking that this is an either-or situation is a fallacy of the biggest order.  I mean, it’s tantamount to trying to make a decision on whether an internet-based company should pay their internet bills or their electricity bills (hint: they're both critical).  There is no real choice there.  If your company deals with sensitive information so that employees need to use laptop encryption like AlertBoot hard drive encryption, then it only makes sense to employ file encryption on backup tapes as well.

    Related Sites:
    http://www.marketwatch.com/news/story/thales-survey-shows-unencrypted-backup/story.aspx?guid={2190D8F4-0DB2-4743-AE82-245A0A142CEB}&dist=hppr
    http://www.itpro.co.uk/607644/survey-encryption-challenges-remain
    http://www.mcsolutions.co.uk/article/15755/Unencrypted-backup-tapes-leave-gaping-hole-in-data-protection.aspx
    http://www.techworld.com/security/news/index.cfm?newsID=106177&pagtype=all

     
  • Indian Firms Are Engaging Data Encryption At Faster Rates, Surpass US

    Such is the conclusion arrived at in the State of Information Security Survey 2008, conducted by PricewaterhouseCoopers, CIO, and CSO magazines, according to techtree.com.  The survey polled 7,000 IT executives in 119 countries.  According to the breakdown by TechTree, 55 percent of Asian firms are encrypting databases, 50 percent are adopting laptop encryption, and 47 percent are protecting backup tapes and other media -- I imagine portable drives and flash memory sticks.

    Indeed, if one visits the PwC site, links below, they note the following:

    “Asian companies no longer lag behind North American ones in establishing leading practices in security. Boosted by the widespread advances made by companies principally in India and, to a lesser extent, Singapore and Hong Kong, Asian security (if not privacy) practices are now on a par with those in North America—and in some cases exceed them.”

    This is, no doubt, on top of any improvements the North American region has made since the last survey, when Europe and North America were found to have similar levels of information security in place (which is no longer the case: the same survey finds that Europe has ceded information security leadership to North America).

    However, it behooves people to know that information security cannot rely on technology alone.  While investing in file encryption to protect the contents of digital documents won’t negatively affect information security, as long as people are not aware of the need for this and other data protection measures, such spending will be the ultimate case of throwing money at the problem.

    Earlier this year, Société Générale showed how technologically advanced information security systems are useless if people are not security conscious.  Supposedly, a junior trader was able to rack up an astonishing 4.9 billion euro loss.  There were controls in place, but by using computer usernames and passwords assigned to his colleagues, the trader was able to bypass security meant to stop his actions.  How did he get those authentication factors?  He alleged, if I recollect correctly, that they were given to him to expedite work (people being out of the office when access was needed to a particular file, etc.), although now I’m reading that he had access to them when he was working in the back office, and decided to keep them once he got promoted to the front.

    Remember, encryption software like the AlertBoot encryption solution is ultimately a tool.  If you decide to ignore warnings and instructions, it can work against you.  Making sure employees, contractors, consultants, etc. understand the importance of data security is as important as ensuring the tool is available.


    Related Sites:
    http://www.pwc.com/extweb/insights.nsf/docid/B1CCF4C56D397639852574DB005CF7F5
    http://www.asiaone.com/News/Latest%2BNews/Tech/Story/A1Story20081016-94130.html
    http://www.ukmediacentre.pwc.com/Content/Detail.asp?ReleaseID=2917&NewsAreaID=2
    http://www.techtree.com/India/Techtree_Notes/Indian_firms_outdo_US_in_information_security/551-94506-889.html

     
  • 15% Of Data Breaches Are Physical In Nature. How Much Of Your Data Security Budget Is For Full Disk Encryption?

    I was reading through some articles today, when I happened on one that referenced the Verizon data breach report from June.  What jumped out at me was that the article noted “physical threats” accounted for 15% of all breaches.  When I read that, the first thing that came to mind was a physical attack: your laptop or your life.

    And it’s not unheard of.  I noted the importance of full disk encryption solutions like AlertBoot when covering a case where a New Yorker was mugged and his laptop computer was stolen.  The laptop contained the personal information of 175,000 people who had donated blood in Ireland, but the man, who was a database consultant, used disk encryption to secure the contents, so no big deal.  However, 15% of all data breaches happening this way?  The number sounded too high.

    So, I pulled the Verizon report from the internet.  Turns out “physical threat” means more than what I had initially assumed.  The fifteen percent broke down like this:

    • 39% On-site theft (company-controlled premises)
    • 27% System access or tampering (via keyboard or console; probably on-site as well, when no one’s looking)
    • 16% Wiretapping or sniffing
    • 6% Loss or misplacement
    • 6% Observation (shoulder-surfing)
    • 4% Off-site theft
    • 2% Assault or threat

    So, face-to-face altercations were actually 3 out of every 1000 breaches (2% of 15%), a very low rate.  At the same time, only 15% of all breaches being accounted for by the above factors sounds low.  I mean, 4% off-site theft vs. 39% on-site theft?  One would imagine the numbers would be reversed at least, since so many laptops are stolen out of car trunks, homes, coffee shops, etc.  The answer to this anomaly presented itself in the introductory part of the report.

    “…the data set is dependent upon cases which Verizon Business was engaged to investigate…. For instance, it is simply more likely that an organization will desire a forensic examination following a network intrusion than a lost laptop. Similarly, the evolution of disclosure and notification laws influences an organization’s decision to pursue investigation.”

    In other words, cases like lost or stolen laptops would have less weight in this report because Verizon usually doesn’t handle that stuff; nobody calls consultants to probe why a laptop was stolen at a coffee shop.  If a company were to combine all those data breaches where it’s obvious how it happened with those cases where outside consultants like Verizon need to be called, chances are the “physical threat” component would account for a higher percentage.

    Nevertheless, let’s assume 15% of all breaches is as bad as it gets.  This means actual cases where your IT department can’t protect data via firewalls, patches, software updates and the like account for 3 out of 20 breaches.  Mind you, this statistic in and of itself does not show you how bad the breach is going to be.  The laptop could have 20 sensitive records or 20 million records.

    And of that 15%, slightly over half can barely be controlled at all (theft, losses, and assault), which accounts for over 7% of the total.  Again, chances are this figure is slightly depressed from reality due to how Verizon compiled its data.

    The only way to stem these breaches is physical security - locks, doors, bodyguards, bouncers, locked car trunks, what have you.  And chances are, these methods are already being used.  Is preventing data breaches in such cases a lost cause?  Not really.

    One way of preventing them would be ensuring that sensitive data is not stored on machines that have weak physical security (a computer in the office) as opposed to strong physical security (a computer in the boss’s office at the Federal Reserve Bank.  I heard they have guards with machine guns hidden behind one-way mirrors.  Now that’s security).  But as the report itself has noted, there is the problem of “unknown unknowns.”  That is, nobody has a complete idea what type of data is stored on each computer being used; no amount of control over data retention, it seems, will lead to complete data security.

    So, in the name of being pragmatic (and smart), I would recommend that people use encryption software.  Encryption is not sexy or flashy.  Most people show mild to vehement irritation at having to provide two-factor authentication (generally, a username and password) when turning on their computer.  But encryption works.  It works so well that the NSA, the only US government body that is supposedly unaccountable to anyone, is dedicated to doing nothing but trying to (and one imagines, being successful at) cracking encrypted data.

    Some might say, if someone’s able to crack it, that means encryption is not truly secure.  I agree...if you have carte blanche backed by the US government.  How many two-bit criminals who steal your laptop have such a blank check?

    Related Sites:
    http://www.verizonbusiness.com/resources/security/databreachreport.pdf

     
  • Encrypt Hard Drive? Not Encrypt Hard Drive? It Doesn’t Matter If You’re Cavalier

    A newspaper in the UK was able to find, via a Freedom of Information request, that Devon council workers have experienced fifteen computer thefts over the past three years.  It makes one wonder why it took the council such a long time to decide to encrypt hard drives.  It certainly couldn’t have been rarity (encryption has been available since the seventies) or cost (AlertBoot, for example, makes it easy and affordable to protect the contents of computers across an entire organization).

    Perhaps the answer lies in what someone interviewed for the article called a “cavalier attitude” by the council.  Harsh words, perhaps; after all, there’s no way of knowing what the council is doing, or has done, to stem data breaches.  They could be facing impediments at a higher level in the form of budget approvals (or lack of approvals), for example.

    On the other hand, if an organization accused of being cavalier with sensitive data tries to defend itself by pointing out that “in these cases [the theft of computers], the devices were stolen from officers, not casually lost”…well, that’s not a winning or an endearing argument.  I mean, can you imagine the reaction of the public if someone said that regarding the loss of a nuclear warhead?  Or maybe of children from a nursing facility?  So why make the statement regarding personal information?  I guess they don’t think the loss of data warrants the same or similar level of concern -- which would seemingly be a cavalier attitude when viewed by those directly affected by a data breach.

    The good news is that the Devon County Council has wised up, and has already rolled out a program “to install encryption software on all laptops and other portable devices across the whole organisation.”  The statement goes on to point out that “this will make it impossible for unauthorised people to access the data.”

    Yes and no.  The use of encryption will certainly protect the contents of those digital devices.  However, a cavalier attitude regarding the secrecy of passwords will hamstring data security.  I imagine that people who avoid blame by saying things were stolen, not lost, wouldn’t be willing to face blame when a laptop computer gets stolen, not lost…with the password stuck to the underside of the computer.


    Related Articles:
    http://www.thisisplymouth.co.uk/news/Devon-loses-confidential-children-s-data/article-420908-detail/article.html
    http://www.pogowasright.org/article.php?story=20081023060304159

     