AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

March 2010 - Posts

  • Disk Encryption: USB Stick With Sensitive Files On Foster Children Found

    Stoke-on-Trent City Council has found itself in the middle of a data breach after a passer-by turned in a USB flashdrive with sensitive information to The Sentinel, a UK periodical.  The USB drive was not protected with disk encryption software like AlertBoot.

    USB Memory Stick Found By IT Consultant

    The USB stick was found on the pavement by an IT consultant.  Upon connecting it to his computer, the consultant found dozens of files with sensitive information related to foster children.  He promptly went to The Sentinel and handed over the flashdrive; the newspaper, in turn, turned over the device to the city council.

    An investigation has been promised by the council, which has noted that it's against policy to store such information on an unencrypted flashdrive.

    What's New?  How About Forced Encryption? (With Care, Of Course)

    Stories like these are a dime a dozen. With the cheap prices that USB flashdrives command, it's hard to envision a situation where sensitive data doesn't end up on a USB memory stick that subsequently gets lost or stolen.

    Among the solutions that are suggested is the use of officially sanctioned, pre-encrypted USB drives.  I can only laugh at such a suggestion.  The problem is not the lack of encryption on USB sticks.  The problem is what management has found to be problematic for decades: employees who don't follow policies.

    I mean, the person who lost the USB drive didn't follow the original policy of not carrying unencrypted data.  Who's to say that person would have followed another policy of only using encrypted USB drives?  Or perhaps a policy that prohibits one from using a non-sanctioned USB flashdrive?

    This doesn't mean that encryption software is not necessary, or that it cannot contribute towards better data security.  Instead, I'm pointing out that the approach is somewhat off.

    I'd say that a somewhat better option would be to force the encryption of any external data storage devices (an option in AlertBoot's managed endpoint security software): this way, when any (personal or corporate) USB drive is connected to a computer, the device is also encrypted and usable within an assigned group of computers.

    (Care must be taken with such an approach, though, because it encrypts all such data storage devices.  We're talking iPods, iPhones, and anything that shows up as an external memory device when connected to a computer.  Of course, being burned by such an experience, people learn not to stick any random USB device into work computers, but sometimes at great personal expense.)

    Another effective approach may be port control, where an administrator presets a set of executable policies that determine which hardware can connect to a USB connector port.  For example, such a policy may allow mice and printers to be connected to a computer, but would disallow it for any foreign objects (like unsanctioned memory drives).


    Related Articles and Sites:
    http://www.infosecurity-magazine.com/view/8396/confidential-social-services-data-found-on-usb-stick-in-stokeontrent/
    http://www.scmagazineuk.com/usb-stick-containing-social-services-information-found-on-a-pavement/article/166783/

     
  • Data Encryption Software: Used In ECMC Data Breach Affecting 3.3 Million People? Would It Matter?

    The big news over the weekend was the theft of a "portable device" from ECMC, a non-profit company that guarantees federal student loans.  What's known so far is that there was a data breach involving 3.3 million people.  There are hints that data encryption like AlertBoot would have helped in this situation; however, the facts are not as forthcoming.

    "Old-Fashioned Theft"

    According to various media, a spokesman for ECMC (Educational Credit Management Corporation) has announced that the data breach of 3.3 million people included names, addresses, dates of birth, and Social Security numbers.  Other information, such as financial and bank account data, was not included.

    The breach occurred when a "portable media device" was stolen from the company's headquarters in Oakdale, MN, and has been described as an "old-fashioned theft...not a hacker incident."

    What this seems to imply is that the company experienced a regular burglary.  And, my guess is that the information was in digital format.  Why such a conclusion?  First, there's the term "portable media device."  Second, the clarification of hacking vs. "traditional"; no need to make such a clarification if a bunch of documents were stolen.

    I only point this out because I've read commentary that a binder is also a "portable media device," and could be what was stolen.  My response?  Hardly possible.  Chances are, each name covers one line, at least.  With 3.3 million names, printed on letter-sized pages with 10-point font and single-spaced, a printout would run well over 50,000 pages.  The full set of the Encyclopedia Britannica runs 32,640 pages, per amazon.com's product details.  'Nuff said.

    Plus, there are media sources that are claiming that discs were stolen.  Another claims it was a "removable media device"; regardless, according to darkreading.com, the information was not supposed to have been copied and stored in such a way and was a "very clear violation of our company policies and protocols."

    Would Company-Wide Encryption Have Helped?

    No, I don't think so.  Yes, blasphemous words for a disk encryption software company's blog.  However, we must face up to the fact that, in this case, what we have is an "insider" situation.

    Even if the company decided to have all of their information encrypted (and who's to say it hasn't and wasn't?), if an employee decides to bring their own portable device--say, a USB thumbdrive or a portable hard disk--and copy data to it...

    Well, I guess file encryption could have helped, as well as USB port control applications, the latter by preventing unauthorized external devices from connecting to PCs (and both of which are available with AlertBoot); however, disk encryption wouldn't.  The moment information is copied off of an encrypted device, that information is not secure anymore.

    Of course, this is not to say that ECMC wouldn't find disk encryption valuable, or that it is unnecessary.  Rather, I'm just pointing out that data security consists of many different approaches.


    Related Articles and Sites:
    http://www.washingtonpost.com/wp-dyn/content/article/2010/03/26/AR2010032605475.html
    http://blogs.computerworld.com/15836/second_guessing_the_data_theft_at_ecmc

     
  • Laptop Encryption Software: St. Albans Admits Laptop Loss, Signs Undertaking

    St. Albans City and District Council has signed an Undertaking regarding the theft of four laptop computers.  While hard drive encryption software like AlertBoot was not present to protect the contents of those laptops, there were plenty of ways existing security policies could have prevented a data breach.

    An Unfortunate Series of Events

    St. Albans had collected "a large number of postal voters records" which were supposed to be deleted once an election was over.  During the election, the information was stored on a laptop computer with password-protection in place.  This met IT security policies in place at the time (my guess is that, today, data encryption in one form or other would be required).

    Once the election was over, the laptop was stored in a locked safe (good) but the data was not deleted (bad).  On June 15, 2009, the laptop was taken by contractors and not locked down (bad).  Furthermore, it was left in an open space for several weeks (bad) until someone requested that the laptop be secured (good) on September 22.

    The device was moved to another place (good) but not secured (bad).  On October 13, three other laptops were found missing (bad).  On November 5, the laptop with the voter records was also found missing (bad).

    It's not known whether the laptop was stolen at around the same time as the other three laptops and was found missing later on, or just stolen at a later date.

    Policies in Place?

    I'm sure policies for sensitive data and computer usage were in place at St. Albans.  I mean, they had that "password protection" in place and they also had someone request that the laptop be secured at one point.

    But, as the list of "bads" shows, not everyone follows these policies.  The voter data was not deleted, as required.  The policy of locking the computers was followed haphazardly.

    This reminds me of an article at businessweek.com that left a bad taste in my mouth (link below).  The author of the opinion piece made an argument that data security products are not necessary because "we all work with adults"--or at least, he does--and if these adults follow the correct practices, one couldn't have a breach.  He was a CPA, though.

    All correct, in theory.  But, for those who have to live in the non-theoretical world, the truth is that "adults" don't always follow what they're supposed to do: maybe because they don't feel like it; maybe because they don't know better; maybe because they don't have time; etc.  Cases like the St. Albans situation above offer proof.


    Related Articles and Sites:
    http://www.ico.gov.uk/upload/documents/library/data_protection/notices/st_albans_undertaking_170210.pdf
    http://www.businessweek.com/technology/content/mar2010/tc2010038_678497.htm

     
  • Disk Encryption: U Of South Carolina Beaufort Alerts Alumni Of Stolen Laptop

    The University of South Carolina Beaufort (USCB) has alerted alumni that their personal information may have been compromised when a laptop computer was stolen.  The use of drive encryption software like AlertBoot was not mentioned.

    Laptop Stolen In Atlanta

    The laptop was stolen when a staff member for the Office of Housing and Residence Life experienced a break-in at a relative's home in Atlanta.  As a result 488 former students enrolled between 2005 and 2006 had their names and SSNs breached.

    This figure, however, is actually a guess, since the IT team at USCB had to reconstitute what "could have been" on the laptop at the time of the theft.  The figures could easily be higher...or even lower.  The only way to really know would have been the analysis of a recent, full disk backup.  Apparently, such a backup is not available in this case.

    Office of Housing and Residence Life?

    While I know what the housing office is in charge of, I've got to admit that I have no idea of what they actually do.

    For example, why do they need SSNs?  I can see why a property management company would need them (credit checks to see whether an applicant is desirable as a tenant).  But a university department in charge of dorms and the like?  Why would they need SSNs?  My guess is that SSNs were used as a student identifier.

    Also, why is a laptop with the housing office at a relative's house?  This is probably the more pertinent question.  Was the staff member authorized to take this laptop?  And if so, why weren't the proper security programs in place?

    The use of full disk encryption would have been warranted, considering that the housing office deals with Social Security numbers.  Plus, other security tools would have been necessary as well, such as firewalls; I'm assuming the network within USCB is protected, providing a safe computing environment, whereas the same controls are not present at the relative's home.


    Related Articles and Sites:
    http://www.islandpacket.com/2010/03/24/1183832/uscb-warns-alumni-that-their-personal.html

     
  • Laptop Encryption Software: Data Protection Increases Brand Or Marketplace Image? Yes (A Continuation)

    Yesterday I was griping on how I didn't agree with the belief that "the purpose of data protection programs is to increase brand or marketplace image," a response shared by 51% of the C-level execs surveyed by IBM and the Ponemon Institute.  I had noted that data encryption--any data protection tool, really--was "serious" stuff, and that it being associated with marketing was a travesty.

    Well, I didn't actually write that, but I did imply it.  I also seemed to have implied that data security products can't, or don't, work to increase brand or marketplace image (and I meant it, too, although I'm about to do an about-face).  And, it also looks like I just stopped writing at some point, without a conclusion or anything.

    Nyquil and B2B

    There are a couple of things I learned since yesterday's post.  First: never take Nyquil or its equivalent if you need to work.  The warning message on drowsiness and incapacitated states is there for a reason, and it's not just geared towards people handling heavy machinery. (Actually, this was a lesson I learned some time ago; apparently, I needed a refresher course).

    Second, and the more important lesson, data security tools can increase your company's brand or marketplace image.  How so?  As someone pointed out to me, data security makes a difference in the B2B, business-to-business, arena.

    When companies are looking for outsourced solutions, vendors, partnerships, etc., they place a great degree of significance on information security.  After all, there are all sorts of confidential information being exchanged and transferred: customer information, proprietary controls and processes, schematics, designs, etc.

    Many companies will ask what type of security is in place.  And, being able to prove that you're already working in a secure environment goes a long way in securing that deal.

    Proving Encryption Is Being Used

    Mind you, that's proving, not just stating, that you're using (or going to use) data security tools.  For example, take our own solution, AlertBoot.  The integrated encryption report and audit tools let an administrator quickly analyze which machines are encrypted, allowing the admin to focus on the ones that aren't.

    The same report could be generated on the spot during a business meeting (AlertBoot is a managed encryption service, so it's available where an internet connection is present), to prove that your company does, in fact, use encryption on production computers (and non-production computers as well, if necessary).  Proving security exists gives you an edge, especially when you consider instances like what The Gap had to go through.

    If you'll recall, the theft of a laptop belonging to a third party contractor caused GAP, Inc. to mail 800,000 job applicants a letter of apology and an offer for free credit monitoring to any victims.  While the contractor was contractually obligated to use encryption software on their laptops, it didn't (hence the letters of apology).  Similar instances have popped up often enough that you know this is something that's weighing on decision-makers' minds.

    And, even if your company is not selected in the end, you'll stand out among a pool of future potential contenders.  Especially if a "Gap situation" takes place.  What else can you call that but an increased brand or marketplace image?

    Furthermore, if you have the proper data security tools in place and still experience a breach, most companies are bound to understand: they, too, have the same concerns, if not the same experiences.  They, too, know it's impossible to guarantee 100% data security.  On the other hand, if it turns out that the proper controls weren't in place...well, that's a different story.

    Of course, I still don't think that "marketplace image" ought to be the reason for using data security tools.  But, it can definitely help and add towards increasing one's desirability as a business partner.

    Also, in a moment of practical enlightenment, my pragmatic side asks, "so what if a company is protecting their data because it increases their brand value?  Protected data is protected data; at the end of the day, what we really care about--and should care about--is the fact that sensitive information is protected."

     
  • Laptop Encryption Software: Data Protection Increases Brand Or Marketplace Image?

    According to a new survey by IBM and the Ponemon Institute, 100% of C-level executives interviewed in the UK have reported attacks targeting corporate data.  Seventy-five percent of them experienced a breach.  It looks like more and more people in charge are beginning to feel that investing in data security products, such as hard disk encryption from AlertBoot, is not a bad idea.

    What's really surprising to me, actually, is that according to a press release regarding the survey, 51% of them think that "the purpose of data protection programs is to increase brand or marketplace image."  That's an interesting conclusion.

    Data Security Products: Sunk Costs, Not Investments, But Definitely Worth It

    I've noted before that trying to figure out the ROI on data protection software is a practice in futility: an investment, by definition, requires the possibility of future returns.  This is just not possible with data security products, since they don't produce anything and hence cannot "return" anything.

    Think of it this way: with apple seeds planted in the soil, there is a chance of future returns in the form of an apple tree that will bear many more apples for many years.  However, what kind of return can you get from an outer wall protecting a castle?  The wall doesn't create more walls as time goes by; if anything, the wall will require repair and maintenance, meaning even more resources will be spent over the years once it's up.

    Of course, that doesn't mean the wall is "not worth it."  Everybody knows that the wall is definitely worth it.  It's just that you can't realistically calculate an ROI on the thing.

    And I guess that's my point: if you're deciding on whether to "invest" in data security, the numbers will always point towards "no."  But, again, like the castle walls, that doesn't mean that it's not worth it.  I can assure you, data security is definitely worth it (especially with all the laws regarding data privacy being passed around).

    Data Security to Increase Brand Marketing?  Interesting Idea

    I have to say I'm against this approach to data security, although I have to admit that there might be parallels between it and brand marketing.

    For one, calculating expected marketing ROI is generally a crapshoot; what you want to do is to calculate an ROI after a particular marketing campaign has taken place, and see how big an increase (or decrease) in sales was effected by said marketing.

     Likewise, if there were any ROI calculations to be made about data security software, such as encryption software, it would be after something happens, such as a laptop getting stolen: how much was saved as a result of having that protection in place?  (Yeah, it sounds weird; like I said, ROI can't be calculated for data protection.  But, this is as close as you can get to it).

    Or, the fact that there is a value to having data security in place as there is value in a brand...but how do you know what it is? Accounting-wise, the value of a brand is essentially the "goodwill" generated during an acquisition, but that doesn't really quite cover it.  While the same problem exists for data security, there is no pat answer (most probably because the issue wasn't forced).

    On the other hand, I see problems with binding data security to brand marketing.  For example, there is the perception, unfounded or not, that marketing is not "serious" or that it's "expendable."  I'd hate to see a scenario where a company, facing budget cuts, decides to cut their data security budget "because it's a marketing thing anyway."


    Related Articles and Sites:
    http://www-03.ibm.com/press/us/en/pressrelease/29743.wss

     