AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security


March 2009 - Posts

  • Data Encryption At Schools? Locked Doors And File Cabinets Probably Even More Important

    Many may be familiar with the stories of lost laptops and stolen computers at universities.  And, once in a while, I'll read stories where elementary schools were broken into and computers stolen.  Usually, such computers are not protected via hard disk encryption like AlertBoot, but damage is generally negligible (but not all the time.  Children's Social Security numbers sometimes are stored on said computers).

    Now, most schools will make a statement that they believe the computer was stolen not for the information, but because of the computer's inherent value.  Usually, I'd dismiss such remarks as ill-conceived words of reassurance.  But not when it comes to schools.

    Chances Are Your Elementary School Has Your Birth Certificate

    There are several things required by most states when a child enrolls into school.  Generally, a certified birth certificate (photocopies will not do) and proof of immunization is required, among other things.

    I haven't been able to find out why a birth certificate is necessary (and we don't have a lawyer on retainer for finding such stuff out), but it seems to revolve around these two requirements: proof of age or proof of identity or both.  Other documents can be provided if they meet the necessary requirements.  But let's face it, children don't generally have any form of ID.  A birth certificate is as close as it gets.

    As far as I can tell, these certificates become part of the school's permanent records.

    Birth Certificates Vs. School Computers

    If you were an identity thief, would you target a computer that could possibly harbor sensitive information like students' SSNs?  Or would you make a beeline for the school's archives where each folder would hold a birth certificate?  A certified birth certificate?

    For some criminals, it's the latter.  And why not?  You can change a SSN (it's very hard to do so, but not impossible), but a birth certificate is forever: there's no way to "cancel" a birth certificate.  Plus, there are systems in place for raising red flags when a particular SSN is used--there's no such thing for birth certificates, as far as I know.

    School Records Are Permanent - That Means For Life

    If you followed the above link, you'll see how the records of 7,000 to 10,000 Puerto Rican students--going all the way back to the 1980s--have been stolen by an identity theft ring.  Thankfully, they were arrested.

    Of course, the number of people affected by this crime caper is a result of permanently archiving information.  But, a school does not have the option of shredding documents once a student has graduated.

    Different Entities Have Different Security Needs

    Encryption software is powerful and, depending on the settings, would require all the computers in the world to chug along for decades, perhaps centuries, to break into a computer's contents.

    And due to this fact alone, many see encryption programs like some kind of panacea for all data-related breaches.  However, as you can see from above, this is not necessarily the case.

    Depending on what type of data your company or organization has, you may find that thick walls and a good lock are of more value than an algorithm that the NSA has trouble breaking.

    Remember, the first rule of data security is "know what it is you're trying to secure."  Otherwise, you may find you have a formidable (and expensive) security product that doesn't do anything but drain your bank account.

     
  • Cost Of Massachusetts Encryption Law Compliance

    According to OCABR, you can expect to spend an upfront $3,000 and $500 per month to comply with 201 CMR 17.00.

    The Office of Consumer Affairs and Business Regulation (OCABR) has published a hypothetical cost for complying with their MA encryption law, 201 CMR 17.00.  A lot of it seems to center around encryption:

    These notifications demonstrate, among other things, that wireless transmissions of personal information must to be encrypted in order to insure its security; and we have learned from the proliferation of laptop thefts that personal information stored thereon, and on other portable devices, must be encrypted to have meaningful protection. [My emphasis]

    They do note that other tools besides data encryption software are necessary as well (locking file cabinets, for example).  The assumption is that such tools have been figured into OCABR's calculations.  In order to make these calculations, they had to set up some assumptions:

    • 10-employee business
    • 3 laptops
    • 1 network server, serving 7 desktops
    • Network consultant already employed (having such a mix of computers usually means there is one being employed by the business)

    With the above configuration, a business should expect to spend no more than $3,000 in upfront costs, according to the OCABR, "with ongoing technical oversight, monitoring and maintenance that would likely be absorbed within any currently existing technical support program."  You can expect to add $500 per month if a tech support program is not in place already.

    Of the $3,000, the initial setup cost would be approximately $2,000, with a computer consultant taking 2 days to set up the appropriate protection (and charging $125 per hour!)

    OCABR also notes that this is a maximum limit.  I'd have to agree.  I don't know about other aspects of data security, but AlertBoot's hard disk encryption and file encryption would cost much less and finish the job in 1 day, on average.

    Related Articles:
    http://www.mass.gov/?pageID=ocaterminal&L=3&L0=Home&L1=Business&L2=Identity+Theft&sid=Eoca&b=terminalcontent&f=idtheft_sbimpact&csid=Eoca

     
  • Laptop Encryption Software Not Used In Pacific University Computer - Could Lead To Data Breach

    Pacific University in Oregon is alerting students, faculty, and staff that a laptop computer was stolen from the home of a staff member.  It looks like laptop encryption software like AlertBoot was not used, although password-protection was in place.  Of course, once you know how little protection password-protection affords a person, you may rest a little less easy.

    On the other hand, it looks like the potential for damage may be limited.  Although the university's announcement stated that the laptop "contained names and some personal information," it also pointed out that SSNs were not stored, as far as they can tell.

    I've noted before that personal information plus some particulars are enough to run an effective scam, phishing or otherwise.  However, the lack of SSNs means that damage can be controlled, if the affected are on the lookout.  Whereas if Social Security numbers were also on the missing laptop...well, there's a lot of damage that can be done with SSNs alone.

    Full Disk Encryption on Laptops

    A key thing to note is that it's believed that SSNs are not involved in the theft.  It's a fair assumption to make if the staff member never dealt with SSNs at all.  However, belief and knowing are two different beasts.  After all, sensitive information gets passed around all the time, and all it takes is one person to make a mistake.

    For example, I remember receiving an Excel spreadsheet from a client once.  He had wanted to send me some information, which I did receive...plus more.  He never checked to see what was on the second sheet of that file, and it was stuff I was never meant to see (Excel has three sheets on each file, by default).  Things like this happen frequently.

    When you consider scenarios like the above, it's just natural that the university and the staff member can't be exactly sure of what may have been on the laptop.

    A true data security solution like full disk encryption would have been tremendously helpful in this case since it would have protected the entire contents found on the whole disk.


    Related Articles and Sites:
    http://www.pacificu.edu/alerts/identity.cfm
    http://www.oregonlive.com/news/index.ssf/2009/03/missing_laptop_could_mean_secu.html
    http://www.kptv.com/education/19035439/detail.htm

     
  • Data Breach Costs: USB vs. Laptop Computer vs. CD

    Once in a while, I'll see someone searching for "USB data breach cost" or "cost of laptop data breach."  Let's think about this for a moment.  Does it really matter how the breach took place?

    The answer is "yes, it does matter."  But, not when it comes to data breach costs.  You see, figuring out how a breach occurred allows one to prevent it in the future (hopefully).

    For example, if you know that certain managers have to carry around sensitive data in their laptops; and these managers are a significant percentage of your workforce (say, 10%); and they travel a lot for business...it's a no-brainer: they need a hard drive encryption solution.  This way, a full-blown data breach can be prevented if any laptops are lost or stolen (airports, hotel  lobbies, taxis, random muggings,...).

    Too Many Ways Of Getting A Data Breach

    But, the world of information has too many vectors for generating information security breaches: laptops, USB flash drives, CDs, floppy disks (yes, the 3.5" kind), zip disks, mobile phones, etc.  Basically, any digital data receptacle can lead to a data breach once it goes missing.

    And with digital storage capacities growing on an exponential curve (or if you prefer, their size shrinking on an exponential curve), the loss of a laptop computer could cost as much as the loss of a USB memory disk the size of your pinky fingernail.

    So, what people should really be interested in is "what is the cost of a data breach?"

    The Cost Of Data Breaches In 2008

    The average cost of data breaches in 2008 was $202 per record, according to certain surveys.  That is, each name will cost about two-hundred dollars when a company considers the costs of mailed notifications, defense against lawsuits, setting up call-centers to handle inquiries, PR and reputation management, lost business, etc.

    Protecting Your Data - The Only Way To Bring Costs Down

    It's indisputable: there is a systemic risk of losing something if that thing can be moved.  Size doesn't matter as much as "movability:" if you didn't need a team of elephants to drag it into place, it's losable, "missable," "stealable."  In other words, it's easier to steal an armored truck than it is to steal 800 lbs of cotton--the former is designed for mobility, the latter is not.

    What this means is that, in the modern information-centric workplace, with all of its gadgets and productivity-enhancement products, you can never fully prevent a breach from occurring: the best you can do is minimize the overall risks of an actual data breach.

    How do you minimize it?  First, accept the fact that data is shapeless, formless...as flowing as water.  In other words, you need to secure all types of data, not just digital but your paper documents as well.

    Second, you need the traditional type of protection--physical protection, that is.  Things like locked cabinets, doors, and the like.  Basically, prevent unauthorized personnel from accessing anything that may contain sensitive data, be they tomorrow's presentation printout or a computer containing sensitive files.

    Third, you need technological protection.  Things like biometric security, for example, are technological, but, in most cases, they tend to supplement physical protection, such as access to a room.  It's not real "protection" because what the biometrics has done is take the place of a key.  Security is still provided in the form of a locked room.

    Instead, you want products that will enhance security, not convenience.  Things like laptop encryption or file encryption software, firewalls, antivirus software, etc.--things that don't have a physical protection counterpart.

    Sure, they cost money.  But, a company tends to have more customers than employees (otherwise, you may want to bail out on your current job).  If you do the calculations, more often than not you'll find that investing in security products is cheaper than dealing with a data breach.

     
  • Data Protection: KPMG Finds Data Fraud Tripled Since 2007?

    It looks like the services of centrally-managed hard disk encryption tools like AlertBoot may be of even more importance to companies.  An article at infoworld.com cites a new KPMG survey that was released at the E-Crime Congress in London.  According to this survey, fraud committed by managers, employees, and customers increased threefold since 2007, when the recession first hit.

    Sixty-six percent of those surveyed also felt that fired IT workers would be tempted to join criminal activities.  It has been pointed out--and I'm inclined to agree--that it's just wishful thinking (not that I believe anyone wishes it to actually happen).

    However, when you take into consideration that similar surveys have shown approximately 80% of workers would steal corporate data, such as client lists, if they knew they were about to be canned...well, I'd say about 14% see the glass as half-full.  I mean, stealing data would make one a criminal; if 80% would actually do so, and only 66% feel like it would happen...

    But, the finding that is of true importance is the threefold increase.  The recession seems to be affecting people's moral and ethical compasses.

    Time Is Of Essence When Curtailing Data Breaches

    Of course, this finding is not new.  Fraud and crime have always increased when the economy goes south.  What's new may be that people are looking to steal data--the currency of the new century.

    It's no secret that data can be protected from outsiders.  Programs like hard drive encryption software make it nearly impossible for unauthorized people to access a computer, for example.

    But can you do the same for insiders?  After all, they have the passwords to gain entry--they need them (or needed them) for their job.

    The answer is, it depends.  A centrally-managed encryption program like AlertBoot allows an administrator to lock out an enduser.  This can be done by dropping the now-terminated employee from a list of authorized users.  Once this is done, the employee's username and password won't decrypt the information anymore.  Data-wise, he's an outsider.

    But, this needs to be done ASAP.  If you have the ability to restrict access, but wait one week after the termination notice to prevent a fired employee from accessing corporate data, who's to say how much damage the company suffered?

    Related Articles:
    http://www.infoworld.com/article/09/03/24/In_poor_economy_more_IT_pros_turning_to_ecrime_1.html
    http://www.computerweekly.com/Articles/2009/03/25/235402/e-crime-congress-2009-enterprises-vulnerable-to-cyberattack-says.htm
    http://www.vnunet.com/vnunet/news/2239085/experts-warn-global-commerce

     
  • File Data Encryption Software Being Used To Hold People To Ransom

    A new type of scareware is making the rounds.  In fact, it does more than scare; it essentially asks for ransom: either pay up $50, or kiss your data good-bye.  At the heart of this scam, if you can call it that, is the same thing that powers AlertBoot's disk encryption software: tools that will protect your digital files.  In this case, protect them from you, the rightful owner.

    How the scam works

    A Trojan tricks users into running a program.  Since this is a Trojan, it's going to look like reputable software.  But, once activated, it starts by encrypting files: Microsoft Word documents, PDF files, etc.  Apparently, it also encrypts the "My Documents" folder.

    When a user tries to open the encrypted files, a message says that "FileFix Pro 2009" will unscramble the data.  The program will decrypt one file, and then demand $50.  I guess someone took inspiration from the drug-dealer model: the first one is free to try, to see that it works.  After that, it's gonna cost ya.

    According to networkworld.com, there are fixes for FileFix Pro 2009 at Bleeping Computer and FireEye.  FireEye also has a write-up of the new scareware program.

    Thankfully, it looks like the encryption used was either weak or flawed, and figuring out how to decrypt the encryption was relatively easy.  If the criminal minds behind this ransomware had used something more powerful (or publicly vetted), like the offerings from AlertBoot, chances are there would be no fix but to pay up.

    Ransomware: Not New, Not Scareware

    Encrypting files and holding them hostage is not new.  It's happened before.  The twist on this case is that it goes out of its way to appear as something other than asking for ransom: FileFix Pro 2009 is labeled as a "winning software which help [sic] you recover corrupted files."

    Also, I have a problem with calling the above scareware, a term that's being bandied about in connection to this story.  Scareware works by scaring people into paying up, so if you're not scared, you can ignore the situation...and not pay.  And if you don't pay, there is no fraud, so problem solved.

    The FileFix Trojan, though, is more than scare tactics.  You can't just ignore it.

    File Encryption Also Available For Forces Of Good

    The ability to encrypt all files associated with a particular file extension (*.mp3, *.jpg, *.doc, etc.) is a legitimate tool.  There are different types of encryption methods out there.  A very useful one is whole disk encryption, where all the contents of your hard drive are protected.

    However, some like to use document encryption software where select files are protected.  Like spreadsheets only, for example (what's the use of encrypting Solitaire and Internet Explorer? is one rhetorical question I've heard).

    Encrypting spreadsheets one-by-one, however, is just asking for someone to stop encrypting files at some point, due to annoyance; the mistaken belief that "nothing will happen;" or just plain forgetfulness.

    To counter this, there is an option to automatically encrypt all documents of a specific format.  It looks like this helpful feature has been misappropriated in the above case.  I'd like to take it as an indication that encryption works (or rather, it works when implemented correctly.  No way encryption should be so easily broken.)

    Related Articles:
    http://www.pcworld.com/article/162009/new_trojan.html?tk=rss_news

     