AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

August 2010 - Posts

  • Connecticut Insurance Data Breach Notification Rules: No Safe Harbor For Data Encryption (Update)

    The Connecticut Insurance Commissioner issued Bulletin IC-25 earlier this month, officially instructing all Department of Insurance Regulated Entities to "notify the Department of any information security incident[s]."  The use of data encryption won't be grounds for granting safe harbor, a departure from the State's own personal information breach disclosure laws.

    The order to inform the Department extends to the breach of paper records as well--not just digital data found in computers, external drives, etc.--and entities will have to give notification within five calendar days after the breach is found.  Notification has to be in writing: first class mail, overnight delivery, and e-mail are given as options.

    The bulletin is quick to point out that it knows that maintaining good information security is overwhelming for any business.  In fact, it even "expects" it to be so, which means, I guess, the Department is aware that information security breaches are something it will have to live with (but, of course, continuously work to eliminate).  The latest mandate is not meant as a punitive measure:

    The Department's concern is to make certain that in addition to minimizing these incidents, licensees and registrants react quickly and affirmatively to let affected Connecticut consumers know that they may be at risk and what is being done to protect sensitive and confidential information. The Department also wants to make sure that there is an opportunity for the Department to actively monitor the situation and guarantee those consumer protections throughout the process.

    On the other hand, the Insurance Commissioner also notes:

    Each incident will be evaluated on its own merits and depending on the circumstances, some situations may warrant imposition of administrative penalties by the Department. To minimize that potential, licensees and registrants are urged to follow these procedures.

    I'm sure that penalties will be assessed in only the most egregious circumstances.

    The bulletin itself is a short read, only 4 pages long, and also contains:

    • Definitions on what comprises an information security incident
    • What must be included in the content of the notification letter
    • Where the Department gains its authority to mandate notification
    • A list of Regulated Entities that needs to

    In closing, I should point out that the now-mandatory notification under Bulletin IC-25 is to the Department only.  As far as I can tell, it's up to the breached companies to figure out whether their clients should be notified of the breach as well.

    I guess that makes sense, and it also helps explain why the use of encryption software is not grounds for safe harbor, at least not for reporting to the Department itself.

    If sensitive information is breached but clients are not at risk because encryption is used...well, the clients don't really need to be alerted to the fact that "you're still safe."  However, not being informed of a breach doesn't really help the Department figure out the overall picture, and that's what it really seems to want.

    Update (14 SEP 2010): phiprivacy.net asked the Department whether there is a contradiction in the rules (all breaches of personal info must be reported vs. the clause "the loss of which could compromise or put at risk....").  The Department has answered that "all incidents have to be reported."  There are no exceptions where personal information is breached.  Follow the above link for more.


    Related Articles and Sites:
    http://www.ct.gov/cid/lib/cid/Bulletin_IC_25_Data_Breach_Notification.pdf

     
  • Drive Encryption Software: PK Yonge School of U. Florida Loses Laptop With Personal Info

    The P.K. Yonge Development Research School at the University of Florida has announced a data breach affecting students and employees.  A laptop computer was stolen from a car, and it looks like hard drive encryption was not used to secure the data (although that won't be true for long).

    8,300 People Affected

    According to the University of Florida, "P.K. Yonge is a kindergarten-through-grade-12 laboratory school affiliated with University of Florida’s College of Education."  The stolen laptop appears to have been used by an administrator, since the information includes not only student information but employee information as well, such as payroll and parking permit information.

    The information goes all the way back to 2000, and also includes names, SSNs, and driver's license numbers.  Academic and medical records for students were not stored on the computer.

    Password-protection was used to protect the data, but it appears that encryption software was not.  Which begs the question, why not?

    The theft took place in San Francisco when someone broke into a rental vehicle.  In other words, the laptop traveled all the way from Florida to California.  It would also have had to travel back, had it not been stolen.  I think it's pretty safe to say that the laptop--which, I remind you, contained restricted information--was outside a secure area for a good while.  Plus, one of the more common places where laptops get lost or stolen is at the airport.

    So, you've got a laptop that's full of sensitive information.  It's not only on the move, which means there's already a heightened risk of a data breach; it's heading towards a high-risk area when it comes to laptop thefts.

    (Granted, the laptop was not stolen at the airport; however, you don't come out of a battlefield unscarred and say, "well, putting on my bulletproof vest was useless."  Protection requires looking at the situation beforehand and evaluating your risk profile, not evaluating your specific outcome after the fact.)

    It's quite obvious that laptop encryption like AlertBoot ought to have been used on the laptop.  In fact, I would have recommended it regardless of the travel plans, since it contained SSNs and other sensitive information, and was probably kept in a low-security area: in my experience, most college administrative offices tend to have poor physical protection due to the relative safety of campuses.

    Update:  Ah, I forgot.  The university for its part has stated that it has started encryption on their laptops, I assume on account of this latest data breach.


    Related Articles and Sites:
    http://news.ufl.edu/2010/08/31/yonge-privacy/
    http://privacy.ufl.edu/incidents/2010/pkyonge/
    http://www.gainesville.com/article/20100831/ARTICLES/100839928/-1/news?Title=Stolen-P-K-Yonge-laptop-had-8-300-student-employee-records&tc=ar

     
  • Laptop Encryption Software: What Exactly Are You Protecting Against? Applying Some Thought

    Sometimes I read stories like the one below, and can only click my tongue tsk, tsk.  While data security doesn't require a graduate degree, it does require some thought.  I often mention this when blogging about data encryption software, but sometimes it extends to security practices beyond encryption.

    Grad Student's Life in Ruins

    A graduate student at the University of Calgary is living the post-graduate student's nightmare after someone broke into his car and stole his laptop and backup external hard drive which contained his research, notes, and partially completed thesis:

    Boldt has said that if he isn't able to recover his work, he may have to drop out of school and is offering a cash reward for the return of his laptop. He told CTV.ca, "The computer can be replaced. It's what's on it that can't. Even if they want to save everything on a hard drive and give me that, that's fantastic."

    As a former grad student, I cannot help but sympathize.  I mean, losing all of your research?  In theory, it can be replicated.  In practice, it's generally impossible: your research is not only what you've collected so far, but also what you have discarded.  Trying to remember all the different avenues that you took to establish your final resources would be extremely time-consuming.

    Furthermore, if the student was not in the liberal arts, it means results from experiments are also gone.  Certainly, these can be run again.  However, whether he'll obtain the same or similar results?  Impossible to say.  And, a thesis would have to be based on the new results, which could mean even more research branching into an entirely different direction.

    At least when I was getting my graduate degree, a lot of it involved photocopied pages and data printouts, which tend not to be stolen.  Nowadays, chances are something would be "photocopied" to a digital file.

    Backups: What are They For?

    The only remedy to losing information, if you need to have it around?  Backups.  Prior to the internet and computer revolution, this meant lots of printed pages, written notes, manila folders, etc.  During the initial stages of the revolution, it meant an amalgam of both the above and backups to electronic media.  Today, post-revolution?

    I'm not sure, since it's been a while since academia, but based on my own work patterns, something tells me there's very little tree pulp involved.  Hence the external backup drive our grad student was using to save his data.

    Of course, it didn't help him...but that's only because he failed to consider all the ways his data was at risk.  Besides the risk of hard drive failures, these are the risks that I considered when I went into writing up my own thesis and conducting my research:

    • Natural disasters: floods, fires, etc.
    • Break-ins, muggings, and other forms of theft
    • General, unintended loss: leaving things behind in the bus, etc.

    I also considered stuff such as EMP attacks (thanks, Golden Eye, for planting that idea in my head), but figured I'd have other things to worry about if such an event came to fruition.

    After taking a hard look at what was probable and what was possible (or barely possible), I decided that I would have two backups.  One stayed in a locked drawer at the lab; the other I would leave at home.  The latest updates on the laptop would be used to synchronize the data.  I considered mailing something out of state, but figured that was overkill.

    Thankfully, nothing ever got stolen, so my backup measures were not necessary in hindsight.  In the event something did happen, though, I was pretty well covered.

    How Does This Relate to Laptop Encryption?

    Protection from data breaches also requires some forethought.  Granted, the use of encryption software will cut down on your data breach risk.  However, you also need to consider how the technology protects your data.  Otherwise, you might believe your protection covers more ground than it actually does.

    For example, laptop encryption usually comes in the form of hard disk encryption.  In other words, the entire content of a hard drive is encrypted.  However, this protection does not extend to data copied off of the laptop.

    If you copy files off an encrypted laptop to a USB flash drive or e-mail an attachment with confidential information, chances are those files are not encrypted the moment they're copied off the laptop.  If you assumed otherwise, you're running into the same error in assumption our grad student made above: you're not as well covered as you thought you were.

    E-mail encryption or file encryption would be necessary to ensure continued data protection.


    Related Articles and Sites:
    http://www.onenewspage.com/news/Technology/20100830/14539163/Thorough-Thieves-Steal-Canadian-Student-Thesis-Backup.htm

     
  • Encryption For E-Mail: Electronic Mail Is Leading Cause For Enterprise Data Loss

    Informationweek.com points out that electronic mail is still the leading cause of data breaches at companies, despite its use being "on the wane" due to inroads by new social media.  The same technology--such as laptop encryption software from AlertBoot--that guards data stored on computers can also be applied successfully to protect outgoing e-mails.

    Some Stats

    According to informationweek.com:

    • 35% of large enterprises launched investigations into data leaks via e-mail in 2009
    • 72% are worried about personal and financial information breaches via outbound e-mail
    • 71% are also concerned about ex-workers e-mailing trade secrets and other corporate secrets via e-mail
    • 48% perform audits of outbound e-mail
    • 37% have employees monitoring the contents of outbound e-mail (33% have people whose jobs are exclusively reading and analyzing such e-mail)

    Readers will readily note that some of the practices listed above are not exactly preventative, nor do they come close to being preventative.  For example, audits of outbound e-mail, while necessary in order to get a grip on whether current security is adequate, cannot do much to secure information that has already been sent out to an outside party.  Even if the audit were to catch it relatively quickly, there's no way to prevent the receiving party from reading it.

    Another example is a situation where an e-mail is sent with an attachment that contains sensitive information.  The correct person received it; however, the e-mail should have been encrypted due to the sensitive nature of the attachment.  An auditor runs across the situation, but if the company does business in Sin City, it's already afoul of Nevada's data breach law, which was amended one year later: e-mails that contain personal information, such as SSNs, must be encrypted.

    Email Encryption, Automated

    Human monitoring and auditing are needed, and this fact won't change for the foreseeable future.  However, a company can make inroads into securing its e-mails.

    DLP (Data Loss Prevention) solutions exist that will actively encrypt any e-mails that contain sensitive information, or prevent them from leaving a company's servers.  They work based on filters that are set to recognize key words and number patterns.  For example, a mortgage company might want to prevent any unencrypted e-mails with numbers in the xxx-xx-xxxx pattern from being sent: these are probably Social Security numbers.

    Likewise, a filter would be set up for Social Security, SSN, SSNs, and other key words that indicate such a number is contained within e-mails.
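    As an added example (not AlertBoot's product code, nor any real DLP vendor's rule set), the following Python sketch shows the kind of outbound e-mail filter the two paragraphs above describe: it looks for the xxx-xx-xxxx number pattern and the listed keywords and tells the mail gateway whether a message has to be encrypted before it leaves.  The structural plausibility check on the number and the sample messages are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Matches the xxx-xx-xxxx pattern on word boundaries, so a longer digit run
# (e.g. a tracking number) is not chopped into a false SSN.
SSN_PATTERN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Keywords from the post, matched case-insensitively on word boundaries.
KEYWORDS = ("social security", "ssn", "ssns")
KEYWORD_PATTERN = re.compile(
    r"\b(" + "|".join(re.escape(k) for k in KEYWORDS) + r")\b", re.IGNORECASE
)


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural check (an assumption of this example, not from the post).

    Area 000, 666 and 900-999, group 00 and serial 0000 are never issued, so
    such numbers are dropped to reduce false positives. This cannot tell a
    real SSN from an invented one; it only filters impossible shapes.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


@dataclass
class Verdict:
    action: str                                   # "encrypt" or "send"
    ssns: list = field(default_factory=list)      # masked SSN-shaped hits
    keywords: list = field(default_factory=list)  # keyword hits, lower-cased


def mask(ssn: str) -> str:
    """Keep only the last four digits so the filter's own log does not leak."""
    return "***-**-" + ssn[-4:]


def inspect_message(subject: str, body: str) -> Verdict:
    """Decide whether an outbound message must be routed to encryption."""
    text = subject + "\n" + body
    ssns = [
        mask(m.group(0))
        for m in SSN_PATTERN.finditer(text)
        if plausible_ssn(m.group(1), m.group(2), m.group(3))
    ]
    keywords = sorted({m.group(1).lower() for m in KEYWORD_PATTERN.finditer(text)})
    action = "encrypt" if (ssns or keywords) else "send"
    return Verdict(action, ssns, keywords)


# Constructed sample messages (not real mail), keyed by a short name.
SAMPLES = {
    "loan_docs": ("Closing documents", "Borrower SSN 123-45-6789 attached.\nPlease sign."),
    "newsletter": ("August rates", "Rates dropped to 4.25% this week. Call us!"),
    "policy_ref": ("Policy update", "Customers may not email social security details."),
    "order": ("Shipment", "Order 000-12-3456 shipped; tracking 1234-56-789012."),
}


def run_samples() -> dict:
    """Return the gateway action for every sample message."""
    return {name: inspect_message(*msg).action for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:<11} -> {action}")
```

    Note that the "order" sample carries a number in the xxx-xx-xxxx shape that the plausibility check rejects and a longer digit run that the word-boundary anchors leave alone, which is why it is allowed through; a real deployment would tune both lists against its own false-positive rate.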

    Combining the above with disk encryption software will ensure a broader degree of company data security.  Of course, it will never be total security, which is why you also need access control (via physical locks and authorization levels), employee training in good data security practices, monitoring and auditing, etc.

    However, it will go a long way in terms of reducing your company data risk profile.


    Related Articles and Sites:
    http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=227101707

     
  • Drive Encryption Software Or Laptop Insurance For Protection?

    A UK company called Protect your bubble is offering laptop insurance for £3.99 a month (about US$6.00).  While such protection products are to be welcomed, one must remember that we're talking about asset protection, not data protection, which is only possible via tools like hard disk encryption such as AlertBoot.

    It's a Good Idea to Get It Insured--Just In Case.  Really?

    Protect your bubble states the following:

    When your laptop has so many precious items on it, like all your photos, bookmarks and documents, it’s a good idea to get it insured – just in case. Plus the cost of replacing your laptop is another important reason to make sure you’re covered.

    I couldn't agree--and disagree--more.  Certainly, a laptop computer can be a tremendous investment, and one may want to consider insuring it.  After all, these devices probably have a higher theft rate than cars, and pretty much everyone has auto theft insurance for the latter in one form or another (although, you really should check if you actually do).

    Of course, vehicles tend to be much more expensive than laptops; but, the price of insurance is relative to the asset being protected.  Let me pose this question, though: how is insurance going to bring back your photos, bookmarks, and documents?  It's not.

    "Risk" is a Catchall Word

    When dealing with risk involving laptops, you have to pay attention to what you mean.  Risk is a catchall term.  If you want to get down to the nitty-gritty, you'd see that there are many different kinds of risks when dealing with a lost or stolen laptop computer.

    • Asset risk
    • Data breach risk
    • Data loss risk
    • Lost opportunity risk

    Risk is not confined to the above, but these four are the ones that popped into my head.

    Asset risk is the loss of the laptop, of course.  If you're out a computer, you'll have to get a new one that at least has the same functions and capabilities as the one you just lost.  Essentially, if you're out a laptop, you'll probably have to get a new one.  Insurance is about the only way to mitigate this risk unless you're willing to engage in some unorthodox asset risk mitigation practices, such as stealing the same exact model to replace your old one.  Such mitigation carries additional risks, such as jail time.

    Data breach risk is the danger of having your--or others'--sensitive and private data exposed, such as SSNs, passwords and access to on-line bank accounts, tax returns, or other information.  The only way to mitigate this risk is to use data protection tools.  When security experts are asked, most will agree that encryption software is about the only tool that truly effectively minimizes data breach risks.

    Data loss risk is the danger of losing your data permanently.  Be it a list of customer SSNs that are encrypted, your college honors thesis, or a folder full of family pictures, this data is lost if your laptop is lost.  No amount of insurance will bring back this stuff.  The only way to mitigate this particular risk is to back up data.

    Finally, the risk of lost opportunities is the "risk" you face while you wait around for your company to pay up for a new laptop.  While you're waiting, you're out a laptop.  The only way to mitigate this risk is to have a second computer available, just in case.  Or, you could borrow a friend's or use a public computer, but you'd be hampered, and this leads to lost opportunities. 

    I'm nitpicking, but Protect your bubble should rewrite the above quote so that it puts the cost of replacing a laptop front and center.  Otherwise, people might think that the offered financial product covers more than it actually does.


    Related Articles and Sites:
    http://www.protectyourbubble.com/li-laptop-insurance.html

     
  • Data Security: Guy Shoots $100,000 Server With Gun While Drunk Off His A** (Rhymes With Pass)

    Sometimes, there is such a thing as too much security.  For example, instead of drive encryption software like AlertBoot, you've got a .45-caliber automatic to defend your server.  Or, instead of using a magnetic degausser, you decide to empty rounds into your server using a .45-caliber automatic.

    I mean, that's why you'd bring a gun into a server room, right?  Right?

    Guy Gets Drunk, Shoots Server, Concocts Story

    Not if you happen to be Joshua Lee Campbell, 23, working at RANlife Home Loans, a mortgage company in Utah.  After spending a night of drinking, he went to work, shot a $100,000 server then called the police to report the crime (and pinned it on some unknown assailant).

    Of course, besides being a ludicrous story (who the heck assaults a person and then proceeds to shoot out a server?), there were signs that Mr. Campbell might have been telling a tall one:

    • Police "could smell alcohol and urine on him" when they arrived on the scene [deseretnews.com]
    • Only one computer server was shot.  Nothing else happened, apparently: no other equipment was destroyed, nothing was stolen, nada [various sources]
    • A coworker found Campbell passed out with his pistol next to him [deseretnews.com]
    • An acquaintance let police know that Campbell had threatened to empty rounds into a server and save the last bullet for himself [various sources]

    If I had read this story on Variety or some other Hollywood publication, I would've assumed that this was Mike Judge's follow up to Office Space.  I can totally imagine the pitch: "It's like Office Space meets The Fugitive.  The red stapler will have a cameo, of course.  Instead of a bat to the printer, it'll be a Colt semi-automatic to a server: We've got to keep up with the times.  We'll use Rick Astley's 'Never Gonna Give You Up' for irony, instead of the gangster song...."

    Stuff Happens

    Although I cannot imagine anyone being prepared for something like the above, the truth is that this is not the first time a company has had problems with an employee.  From memory, I can think of instances where an employee planted a logic bomb; stole hardware; stole data; hacked into company servers after being fired; and deleted files and databases.

    These are real concerns, and companies have to be prepared for such scenarios, which is why data security runs the gamut of:

    • Limiting physical access, such as locked doors and cabinets
    • Limiting software access, such as securing USB ports and using encryption software with personal passwords
    • Regularly backing up data and storing the backups in safe locations
    • Having contingency plans

    Some even claim that employees must be forced into week-long vacations once a year, just to see if anything breaks down and instances of fraud show up (something that won't happen if the person is around to manage the crisis).  Man, what I'd give to have that enforced....

    The point of all this rambling: data security is not just about securing data, such as using laptop encryption.  You must also ensure that you can recover any necessary data for when things go wrong.  Don't forget to back up information (and perhaps have that encrypted as well).  The more critical the data is, and the more often it is updated, the more you need to back it up.


    Related Articles and Sites:
    http://www.deseretnews.com/article/700059568/Mortgage-employee-accused-of-making-up-suspect-to-avoid-blame-for-shooting-computer-after-Twilight-Concert.html
    http://www.sltrib.com/sltrib/home/50159264-76/campbell-computer-police-server.html.csp
    http://www.datacenterknowledge.com/archives/2010/08/26/drunken-employee-shoots-up-a-server/
    http://www.geek.com/articles/geek-cetera/drunk-worker-shoots-company-server-with-45-caliber-automatic-20100826/
    http://www.theregister.co.uk/2010/08/26/server_shooting/

     