in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

February 2010 - Posts

  • Virginia Personal Information Data Privacy Notification And Encryption Laws: Va. Code § 18.2-186.6

    The state of Virginia's data breach notification law went into effect on July 1, 2008.  It is similarly worded to other state legislation in that the use of data encryption software provides safe harbor from costly and embarrassing breach notifications.  (Are you looking for Virginia's medical information breach notification law?  Click here.) 

    It differs in one crucial aspect.  Unlike similar state laws, a provision for imposing financial penalties has been included.  (Note: I'm not a lawyer, and you should consult with your legal representatives if you experienced a data breach).

    Data Encryption Provides Safe Harbor From Breach Notification

    Virginia Code § 18.2-186.6 was designed, like many such state legislation, to encourage entities to improve their customers' data security measures.  As such, it provides safe harbor when encryption software is used to protect customer data:

    If unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes...[it] shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay [my emphasis]

    This is one of the few laws I've seen where the use of encryption provides a direct relief from going public with a data breach.  In most legislation I've seen, safe harbor seems to be provided by defining personal information as "unencrypted data."

    I think the reasoning might be, since encrypted personal information is not unecrypted data, by definition it's not personal information anymore--so, losing this encrypted information cannot be constituted as a data breach.  A confusing and roundabout way, certainly, but it gets the job done.

    It's also one of the few laws that also specifies that encryption is not enough:

    ...disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such a breach has caused or will cause identity theft...

    Most state laws have not gone as far as taking into the possibility of the encryption keys (or passwords) being compromised as well.  While it would be up to the courts to decide upon it, there are criticisms directed at the data breach laws because safe harbor is afforded regardless of whether the encryption in question really provides personal information security, unlike the above.

    What Is Considered A Personal Information Security Breach In Virginia?

    According to the law a "breach" is:

    "Breach of the security of the system" means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth.

    Note how the breach is relegated to computerized data only.  There are states that are updating their data breach notification laws to include the breach of data stemming from paper documents as well, and barring the passage of a federal law governing data breach notifications, we may very well see an update to account for its absence.

    "Personal information" follows the conventional definition found in most state laws.  It's the first name (or initial) and last name combined with:

    • Social security number
    • Driver's license information
    • Financial information, such as account numbers, credit card numbers, etc.

    What Needs to Be Included In The Customer Notification Letter?

    The law is pretty straightforward.  To quote it directly:

    Notice required by this section shall include a description of the following:

    (1) The incident in general terms;
    (2) The type of personal information that was subject to the unauthorized access and acquisition;
    (3) The general acts of the individual or entity to protect the personal information from further unauthorized access;
    (4) A telephone number that the person may call for further information and assistance, if one exists; and
    (5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.

    Also, if the breach involves more than 1,000 people, the Office of Attorney General must be alerted of the breach without unreasonable delay, as well as consumer reporting agencies.

    Notices can be via letter, telephone, "electronic" (meaning what?  There is no definition), or a substitute notice.  The last is only possible if the cost of notification exceeds $50,000; if more than 100,000 VA residents need to be notified; or if the company that experienced the breach doesn't have contact details for customers.

    Penalties

    Virginia has given its AG the express ability to impose fines as a penalty (a maximum of $150,000 per incident):

    The Office of the Attorney General may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation. Nothing in this section shall limit an individual from recovering direct economic damages from a violation of this section.

    The above law, and many others like it, may not require the use of encryption software like AlertBoot; however, they do seem to be pushing hard towards their adoption where sensitive information is concerned.

    Why?  Because encryption is probably one of the most cost-effective and effective ways of protecting sensitive information.

    However, as an entity that collects sensitive information, you must remember that encryption is not a cure-all for your data security needs.  Just like the body experiences many ailments--and you have different medication for them--you'll find that your company needs different security prescriptions depending on your company's IT infrastructure.


    Related Articles and Sites:
    http://leg1.state.va.us/000/cod/18.2-186.6.HTM
    http://law.onecle.com/virginia/crimes-and-offenses-generally/18.2-186.6.html
    http://www.gentrylocke.com/showalert.aspx?Show=1034

     
  • Full Disk Encryption And Other Considerations: Security Of Corporate Data On Laptops

    TechTarget has a list of considerations that midmarket IT managers should take into account when it comes to "securing corporate data for users on the go."  The use of disk encryption, such as Alertboot endpoint security, is included.  More important, though, it also includes recommendations (some of them non-technical issues) that also require implementation for successfully securing corporate data.

    The recommendations, in no particular order, are:

    • Education on the importance of laptop security and enforcement of policies
    • Using full disk encryption to secure laptop data
    • Impose login requirements
    • Ensure that machines automatically apply security patches
    • Be aware of non-compliant machines

    Interestingly enough, a number of these recommendations can be implemented by choosing the right encryption software.

    Take AlertBoot, for example.  It's a full disk encryption software that's easily deployed over the internet and is centrally managed.  An administrator can easily push policy updates, including login requirements such as password lengths; the inclusion of special characters, letters, and numbers in passwords; how often they should be changed, etc.

    Also, due to its integrated reporting, an administrator can easily see which computers have successfully installed the encryption package, and which ones have not.  It's also possible to see how many times incorrect login attempts were made.

    By selecting AlertBoot or other similar encryption software, three of the five recommendations are already fulfilled.  What's left?

    Applying security patches can be automated to an extent--just set your computer to apply any and all patches that are recommended by our OS.  (Personally, I don't do this because I turn off my computer at the end of the day, and I've been caught unawares when a computer restarts automatically after applying patches.  I religiously monitor for updates, though, and will apply them at the end of the day).

    Probably most important above all is educating employees about laptop security.  Regardless of which encryption product you decide to use, it will require the cooperation of employees: ensuring they don't stick up passwords on their computer screens; share passwords; etc.  Otherwise, the environment guarantees a data breach will eventually take place.


    Related Articles and Sites:
    http://searchcio-midmarket.techtarget.com/tip/0,289483,sid183_gci1389674,00.html

     
  • Data Security: UT Gas Pumps Carry Card Skimmers

    One of the difficulties I have face when speaking to people about the need for better data security is denial, "because we're too small, it won't happen to us."  "It" being a data breach.  In other words, we're too small to be targeted (usually followed by the proclamation, "that kind of stuff only happens at the movies, anyway.")

    With such attitudes, it's always a little challenging to convince people that they should be using full disk encryption for securing their sensitive data on their laptops.  But, as the following story shows, life imitates art.

    Fingernail-sized Device Attached to Gas Pumps To Steal Data

    Criminals attached credit-card skimming devices inside gas pumps across Utah, according to darkreading.com.  These devices were Bluetooth-enabled, meaning data could be collected from a distance, and was "the size of a cellular phone SIM card."

    If you're not aware, because you've been using, say, Verizon as you cellphone provider, a SIM card is about the size of a dime.  Put a sticker over it--say, a warning message: "Please don't remove"--and you probably wouldn't.  I mean, it's electronic, it's attached to the gas pump's internals...it's probably a doohickey of some sort; removing it might break the pump, or perhaps transport you to Middle Earth...

    Anyway, this way of pilfering data is not as uncommon as it appears: apparently, similar situations have cropped up across Europe, and California had its own situation.  The case in Utah involved some 180 pumps.  It's believed that the devices were in place for two months.  They were removed in January.

    It Only Happens In Movies?

    The thought that someone would go around not only installing stuff inside gas pumps (how do you even do this without the employees noticing?), but would take the time to buy 180 doodads, configure them, and install them (again, 180 times)...well, it's unheard of, right?

    The above sounds like something that would only happen in the movies (maybe it can be the script to Ocean's 14: Clooney & Co. Hits Bottom).  But no, it's being done by some real criminal organization (in Utah, of all places).

    And, the gas stations are not being targeted because they've got money, or happen to be big business:  my guess is that they've been targeted regardless of whether it's a franchisee or a corporate-owned one, whether the location is profitable or not (granted, you usually don't have too many of the latter when it comes to gas stations).

    What are the criminals after?  They saw an opportunity to make a buck (illegally) and took it.  Just because it doesn't happen often enough doesn't mean it doesn't happen, nor that it won't happen.  Credit card skimming has been around for a long time, and this latest one is just an advanced twist on what used to happen at ATM machines with skimmers that were much, much bigger in size.

    Likewise with laptops and other data storage devices.  People have this general feeling that their laptops will not be targeted for the data in them because they're not rich; or perhaps they do have money but they're not famous enough, so why would they be targeted; or whatever.  The reasons are myriad.

    I've even had a discussion with a person who never stores any sensitive info on a particular laptop, but does use it for on-line banking.  If the laptop gets stolen...well, so what?  Passwords are not stored, so it doesn't matter.

    Here's one scenario I can think of: thief takes a look at the computer and notices the guy does on-line banking.  He installs a keystroke logger and returns the laptop.  Owner checks his balance on-line using compromised computer.  On-line banking compromised.

    What are the chances of this happening?  What are the chances your credit card number got compromised at a gas pump on your road trip to Vegas?

    Now, if the laptop in my scenario had been protected with disk encryption, there would have been no way of knowing what the laptop contained, so any harm real or imagined would have been prevented.


    Related Articles and Sites:
    http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=223100233

     
  • Data Encryption Software: HHS Publishes List Of Breaches Affecting 500 Or More People

    The US Department of Health and Human Services (HHS) is charged, under the HITECH act, with collecting data breach notifications for any HIPAA-covered entities.  Under the act, these entities are required to immediately send an official letter of notification if the breach involved more than 500 people (breaches where 500 or less people affected are reported annually.  The use of data encryption like AlertBoot provides the equivalent of a safe harbor).

    36 Entities Reported - A Summary

    Thirty-six hospitals, clinics, private practices, and other medical facilities are listed in this first report.  In the six months between September 2009 and January 2010, over 1 million people were affected in total.

    Types of Breaches

    The types of breaches listed are pretty straightforward.

    Theft: 27
    Unauthorized Access: 7
    Loss: 3
    Phishing Scam: 1
    Hacking/IT Incident: 1
    Incorrect Mailing: 1
    Misdirected E-mail: 1

    The sum exceeds 36 because there are overlapping descriptions.

    Location of Breached Information

    Laptops: 9
    Desktops: 7
    Portable Electronic Devices/USB/Hard Drives: 6
    Network Servers/Computers: 3
    E-mail: 2
    Backup Tapes/CDs: 3
    Others (paper-based and such): 7

    The sum also exceeds 36 because of overlapping devices/documents.  I've also taken the liberty of combining certain categories together (e.g., portable electronic devices and portable USB devices).

    Breakdown and Analysis

    It doesn't take a genius to see that the thefts and losses of computers and similar devices (laptops, desktops, servers, USB devices, etc.) is the leading cause of data breaches--at least, where HIPAA-covered entities are involved.  In fact, it's more than the leading cause.  They compromise well over the majority of reported data breaches.  There's not much to analyze, actually.

    (Here's something to think about: are the thefts and losses of computers the real leading reason for data breaches, or are they just better reported?  I'd notice if a laptop were stolen at my office.  I'd probably never notice that a folder full of files was missing out of my file cabinet, which I haven't even peeked into in years.  Hmph; why do I still have that thing around?).

    A further breakdown and analysis is done at this site, waynerino.com.  The numbers over there are a little different from what I've reported, no doubt because I've taken the liberty of combining certain figures, but the conclusions are essentially the same.

    Something to note at waynerino.com is the breakdown by geographic location.  The state with the leading number of reported breaches is California, with 28%.  My guess is that this doesn't quite indicate that California is full of data thieves.  Rather, it probably indicates that California entities are better informed about the notifying the HHS.  This is the state that started the entire breach notification trend, after all.

    What I find most unfortunate about the above is that the use of encryption software would have prevented most of these breaches.  Not the actual theft of the devices, mind you; I mean that it would have eliminated the chances of the thieves also accessing the patient information.

    The use of disk encryption, for example, on desktops and laptops would essentially prevent access to the computer--in fact, with pre-boot authentication, the thief wouldn't even be able to start up the computer.

    As an alternative, file encryption could also have been used, and may even have been the only option for files saved to backup tapes and CDs.


    Related Articles and Sites:
    http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
    http://www.waynerino.com/wordpress/2010/02/statistics-hhs-hitech-breache/
    http://www.phiprivacy.net/?p=2038

     
  • Laptop Encryption Software: Laptop Tracking 75% Effective For Recovery?

    Anyone who's bothered to check any news sources over the weekend has probably heard of the situation at Lower Merion School District: the school was monitoring student activities at home.  But it was something else that caught my eye today as I was reading computerworld.com's write-up of the situation, and why full disk encryption like AlertBoot may still be around for a while.

    The Case at Lower Merion So Far...

    A student in the Lower Merion School District, Pennsylvania, was accused by a vice-principal of engaging in "improper activity" at the student's home, and produced a picture of him purportedly taking drugs.  Turns out that the "drugs" were Mike & Ike candy.  (Not familiar with it, so can't comment.  I mean, do you snort it or something?  Why did the school assume it was drugs?  I mean, Tic-Tacs look like pills, too.)

    When I first read of the situation I told myself that the school was in deep doo-doo, drugs or no drugs: you can't go around monitoring what students do outside school.  And if you're monitoring what they do at home, well...I was pretty sure that couldn't be legal.

    Also, besides the violations of privacy and wiretapping and whatnot, I was wondering "what if the kid was naked or something?"  All around a bad idea to be monitoring a kid in his room.

    The school claims, of course, that they don't monitor kids.  The cameras are only turned on when a laptop is reported lost or stolen, etc.  Seeing how the candy-popping student never reported the laptop stolen, though, the school's explanation falls flat.

    I woke up today to find that the feds are now involved, since there may be violations of wiretapping and privacy laws.  It was just a matter of time, really.

    What Caught My Eye

    I wasn't really going to comment on the issue, since it was bound to be covered by everyone.

    Besides, I had noted in the past that security needs to come in layers, so using encryption doesn't mean tracking software can't be used, which definitely has its uses.  For example, encryption software, while it can protect your data, cannot realistically do anything about recovering the stolen hardware (you could place a startup screen with your contact info and offer for its safe return...but how likely is it that someone will do so?)

    But then I found an article at computerworld.com that covered the story.  In the article, it was noted that "Absolute [providers of LoJack-like services for stolen laptops] claims that it recovers about 75% of all laptops reported stolen."

    I've been looking for some stats on recovery rates, and there you have it.  Seventy-five percent.  It is an excellent recovery rate.  I mean, without tracking software, recovery is like, what, 0.2%?  I don't think anybody knows, really.

    On the other hand, the same stat shows why there needs to be different layers to security for the same machine.  There's that 25% of the cases where your stolen computer can't be traced and recovered.

    Also, as I've noted in the past, you can't just rely on tracking software for your security needs even if the recovery rate is 100%: There is no guarantee that sensitive data will be stolen between the time your laptop disappears and the time it's recovered.


    Related Articles and Sites:
    http://www.computerworld.com/s/article/9160278/Software_maker_blasts_vigilantism_in_Pa._school_spying_case?taxonomyId=12&pageNumber=2
    http://www.philly.com/philly/news/homepage/84835492.html

     
  • Hard Disk Encryption: "Please Rob Me" Site Shows How Innocuous Information Is Not Trivial

    And now for something completely different...from what I usually blog about.  A Dutch group has created a site called pleaserobme.com (please rob me dot com) that essentially goes through twitter posts and plucks only those tweets that "check-in" using Foursquare.  Essentially, you can tell when someone's not home, and that's great information for would-be burglars.

    Foursquare

    I've got to say this is the first time I've heard of Foursquare.  According to Wikipedia, it's a "location-based social networking website, software for mobile devices, and game. Users "check-in" at venues using text messaging or a device specific application."

    I guess the idea is that, if you're at a particular bar or something, and a friend sees that he's also in the neighborhood, he can just kind of drop by and say hello.

    The problem, though, is that the act of checking in, and making the information public and easily available, also means that pretty much anyone can keep tabs on where you are.  And how much more public or far-reaching can you get than Twitter?

    What Does This Have To Do With Disk Encryption?

    Nothing, and yet, everything.  Obviously, it makes no sense to encrypt the above data: social media sites and services like Twitter and Foursquare are meant to be public.  Sharing information is a given.

    On the other hand, it plays into the observation I made in yesterday's post about the "hidden dimension": Just because the information seems innocuous at first glance doesn't mean it cannot be easily tweaked and used for nefarious deeds.

    Consider e-mail addresses.  No one really thinks of it as private, sensitive information.  You'd be crazy to do so; I mean, if you kept your e-mail address truly private, you'd probably never receive any e-mail.  However, consolidate 10,000 of the same, and suddenly there may be a way to use it for criminal purposes.

    Companies (OK, most companies) make it a policy to encrypt or hash client passwords, but don't extend the policy to other data such as e-mail addresses.  The idea is that, if their security perimeter is breached, passwords are sensitive information while e-mail addresses are not.

    But, as I pointed out in yesterday's post, plain-vanilla e-mail addresses can be used for carrying out scams as well.  It seems to me that anytime you've got a large enough database of any type of data identifying people, you should really take a look into securing it.


    Related Articles and Sites:
    http://www.csmonitor.com/Innovation/Horizons/2010/0217/Please-Rob-Me-and-the-problem-with-social-media
    http://news.bbc.co.uk/2/hi/technology/8521598.stm

     
More Posts Next page »