AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

August 2012 - Posts

  • BYOD Security: 1 In 4 Mobile Workers Bypass Corporate IT Controls (On Purpose)

    Plus ça change, plus c'est la même chose.  Or, if you prefer, the more things change, the more they stay the same.  Truer words could not have been spoken when it comes to BYOD protection, apparently.  The tech news site zdnet.com reports that nearly one in four BYOD mobile workers try (and succeed) in bypassing IT controls meant to protect and control corporate data.

    25% for Smartphones, 12% for Tablets

    According to a report, nearly 25% of the mobile workforce has admitted to employing a workaround on their smartphones, with the intent of bypassing a company's IT controls, while 12% of tablet users admitted to the same.

    Ironically enough, the same people pay extra attention to securing their own data: 75% lock their smartphones with passcodes while 40% of tablet users do so.  At least, it's being pointed out as ironic.

    Personally, I feel that these adoption rates may reflect the influence of the IT department.  Statistics that I've encountered in the recent past, such as by Javelin, show that 62% of smartphone users don't set up a password -- meaning that 38% do set a password.

    38% vs. 75%.  Over twice the adoption rate.  Either the results prove that these surveys are not worth a spit, or they show that IT departments and corporate policies do have an enormous effect in securing data.  Of course, such rates can only be held up with audits and monitoring -- if people are willing to bypass corporate IT controls, they probably wouldn't think twice about disabling passcodes (and hence the need for mobile device management (MDM) that can follow up on such actions).

    Other Stats of Note

    There are other statistics that zdnet.com has highlighted:

    • 55% of smartphone users and 30% of tablet users say that their IT departments require remote wipe capability to be enabled.
    • 19% of smartphone users say that their IT departments do not require remote wipe capability to be enabled (which brings up the question, what about the remaining 26%?)
    • 10% of tablet users say that they don't use remote wipe
    • 74% of companies require some form of protection on smartphones, 24% on tablets.
    • Of those who admitted to bypassing controls, 21% could not wait for IT to do something for them; 16% said that IT is slow in responding; 10% cited strict IT policies; and 9% said they didn't want to deal with the IT department.

    Of particular interest was the following:

    The survey concluded that the sense of ownership that accompanies BYOD may be encouraging mobile workers to bend IT rules and take the attitude of 'my device, my rules.' [zdnet.com]

    I don't doubt that this is the case.  After all, one of the reasons why BYOD is viewed favorably is that the "sense of ownership" leads to better care of the equipment on the part of the employees (the equipment is theirs, after all).  When you think about it, it makes no sense that this is a reason for advocating BYOD.  My employer doesn't care what I decide to do with, say, my refrigerator, nor should he.  Why would it be different for a phone?


    Related Articles and Sites:
    http://www.zdnet.com/byod-mobile-workers-thumbing-nose-at-it-security-7000003519/

  • Laptop Encryption Software: BMO Harris Bank Notifies Clients Of Laptop Theft

    BMO Harris Bank has announced today that customers' names, addresses, and dates of birth were breached when a laptop computer was stolen from a vendor.  Per the article at jsonline.com, it appears that drive encryption software like AlertBoot was not used.

    On the one hand, the information on the stolen laptop is not traditionally considered sensitive, so it shouldn't be a big deal.  If one is imaginative enough, though, it could mean problems down the road.

    BMO Offers Credit Monitoring

    BMO Harris was alerted of the breach on June 20, 2012.  The computer belonged to an employee of a BMO vendor that was performing "routine review of information on loan applications," per jsonline.com.  Due to the data breach, BMO Harris is offering 12 months of free credit monitoring and ID theft protection.

    Seeing how SSNs are traditionally submitted when making a loan application (Social Security numbers are collected to run credit checks) but were not part of the stolen data -- the bank claims that SSNs, driver's license numbers, and account numbers were not involved -- it sounds like BMO was restricting access to data, one of the key aspects of good data security management.

    But, the bank doesn't mention the use of encryption software.  Rather, it notes that "the laptop was stolen in a random theft, and that the password for the computer was protected."  On the one hand, having password-protection is better than not; however, circumventing it is so easy and unimaginative that one wonders whether it's any protection at all.  For example, would you consider your unattended home protected if you live in a bad neighborhood, and the only security you have is locked doors and windows?  A brick is all you need to overcome "security."

    Likewise for password-protection.  Truth be told, the computer ought to have been encrypted.

    This poses a problem for BMO, though, because the laptop was not under its control.  The employee worked for a vendor (weakness in the chain #1), and my understanding of the jsonline.com article is that the laptop was the employee's own (weakness in the chain #2), meaning neither the vendor nor the bank can mandate the use of data protection tools on it.

    This is a classic case where data security breaks down due to the porous nature of data.

    BYOD - Required Even If You're Not "Bringing" Anything

    In a roundabout way, the above shows why BYOD security solutions are necessary.  Your company is probably engaged in BYOD practices whether you know it or not.  The grandfather of all BYOD trends, one could argue, is the lowly and ubiquitous USB memory stick.

    (To expand: CDs and DVDs are not devices.  Neither are email or ftp servers.  External hard disk drives and personal laptops made some inroads into corporate space, but it's hard to argue that everyone brought one of these to work, even if the use of "everyone" is hyperbole...but only slightly).

    BYOD security solutions promise to curtail (and do we dare hope, eliminate?) instances like the above, but what to do when it comes to personal devices that stay at home?  One AlertBoot client has found a partial solution.  It requires all employees to encrypt any personal devices that hold corporate data, regardless of where they are.  So, for example, a desktop computer that stays at home needs to be encrypted despite the fact that it's not mobile and isn't going anywhere.

    Is this the ideal solution?  Not really.  As the world becomes ever more interconnected, it's quite obvious that a solution that concentrates on protecting the data directly -- like file encryption does -- might be a better approach.  However, this, too, has its drawbacks.  After all, it's the reason why most opt for disk encryption over file encryption.

    One thing is for certain: the answer lies in more protection, not less, and educating people about the realities regarding data security.


    Related Articles and Sites:
    http://www.jsonline.com/business/bmo-harris-warns-customers-after-laptop-stolen-g96md8b-168043466.html

  • Data Encryption Software: Stolen Cancer Care Group Laptop Contained Backup Media

    Patients and oncologists at the Cancer Care Group (CCG, a private physician practice based out of Indianapolis, Indiana) are being informed that the theft of a company laptop has resulted in a data breach.  It is the fourth largest data breach of 2012, and it could have been prevented with the judicious use of data encryption like AlertBoot.

    Locked Car at the Center of Breach

    According to various sources, the breach occurred on July 19, when a laptop computer was stolen from an employee's car.  The breach was not instigated by the theft of the laptop per se; rather, it was the "computer server backup media" that was in the laptop that held the data.

    I have no idea what "computer server backup media" means, but I'm assuming that -- based on the current state of technology and the fact that it was a laptop -- either a DVD or a USB thumb drive with data is at the heart of this latest patient health information security breach.

    The breach affects nearly 55,000 individuals, including Cancer Care Group's own employees.  Compromised information includes "names, addresses, dates of birth, and Social Security numbers for both parties as well as medical and insurance information for patients and beneficiary, employment, or financial information for employees," according to ehrintelligence.com.

    Over at healthcareitnews.com, it is being pointed out that this breach is the fourth largest of 2012:

    It stands behind similar incidents at Utah Department of Health, involving the PHI of 780,000 individuals; Emory Healthcare, involving the PHI of an estimated 315,000 individuals; and South Carolina Department of Health, involving PHI of 228,000 individuals.

    Cancer Care Group's own data mismanagement looks pale and paltry in comparison.  On the other hand, it's 55,000 people.  Nothing paltry about that.  Especially if you consider that the US Department of Health and Human Services requires that cases involving more than 500 patients be publicized in their "Wall of Shame."

    Reviewing Security Measures, Some Already in Progress

    A statement by CCG notes that,

    "Cancer Care Group is encrypting all mobile media, updating policies and procedures, upgrading data storage technology, and re-educating our workforce on safety with mobile media," notes spokesman Clyde Lee, "Some of these steps already were underway at the time this incident occurred." [ehrintelligence.com]

    and that,

    There is no evidence to believe that the backup media were the target of the theft or that any of the information on the media has been accessed or used for fraudulent purposes. [fiercehealthit.com]

    As usual, I have problems with such statements.  The fact that there is no evidence that the backup media was targeted doesn't mean that it didn't or won't happen.  The example I give: if a thief's target is a handbag (in the fashion world, some of them can fetch unheard-of prices), does it mean that he won't look inside it?  Maybe take the credit cards and wad of cash found in it?

    Why would it be different for computers and other digital media?  Heck, a test by Symantec showed that 89% of people snooped on the contents of a found smartphone.  Are we supposed to believe that it would be otherwise for a laptop computer?

    Of course, you can't blame CCG too harshly; they claim that they were already in the process of securing data when the incident took place.  And, chances are that such problems will still occur once in a blue moon after their project is finished.

    The above case not only illustrates the need to use proper data security tools, but that they be easy and fast to deploy.  If a solution takes, say, one year from purchase to 100% implementation, you probably have the wrong solution, especially if analogous solutions offering the same functionality can complete the job in less than half that time.


    Related Articles and Sites:
    http://ehrintelligence.com/2012/08/28/stolen-backup-media-causes-health-data-breach-at-cancer-care-group/
    http://www.healthcareitnews.com/news/cancer-care-data-breach-affects-55000
    http://www.fiercehealthit.com/story/laptop-data-more-55000-patients-stolen/2012-08-29

  • Data Breach Law Heat Map Verdict: Pretty

    Among the many reasons that our clients sign up to use AlertBoot mobile data security solutions for smartphones, tablets, and laptops lie the various data breach notification and data security laws and regulations.

    Each has its own requirements: how soon notification letters must be sent, if they need to be sent at all; whether the use of encryption software is grounds for safe harbor from doing so; financial penalties; etc.  To put it shortly, it's a giant mess, especially if a company is doing business at a national level.

    The folks over at imation.com have created a handy heat map on US data breach laws.  At first glance, it looks quite helpful.  For example, you can tell that only four states don't have breach notification laws as of July 2012: New Mexico, South Dakota, Alabama, and Kentucky.

    The remaining US states as well as the US Virgin Islands and Puerto Rico do have laws with varying degrees of "strictness" which are represented via a color-coded scale.

    Not Meant to Be Useful?

    As pretty as it is, the heat map is less than useful if you're looking for more information.  The biggest shortcoming is the fact that we have no idea how "strictness" was scored or scaled.

    For example, Virginia is listed as the state with the strictest data breach notification law, followed by NY, MI, and MA.  This is news to me because the last time I checked, MA's data protection laws were the strictest in the country, with NV's and TX's keeping it company.  The latter two, per Imation, are in the middle of the pack.

    Heather Clancy at smartplanet.com notes that VA's position makes sense, and "isn't really surprising given that the state is a hub for federal contracting and consulting."  I guess that does make sense.  On the other hand, I've seen plenty about these laws that don't make sense:

    • Allowing "encryption" to be defined so loosely that password-protection could also be considered to be encryption
    • The breach of Social Security numbers only (without first and last names) is actually not considered a data breach

    So, "making sense" is not necessarily a condition for these laws.  One thing's for sure: data breach notification laws are quite fractured, and it's no wonder that companies claim they'd welcome the passage of a federal data breach notification law.


    Related Articles and Sites:
    http://www.smartplanet.com/blog/business-brains/where-are-us-data-breach-laws-toughest-check-this-map/25975
    http://www.imation.com/en-US/Mobile-Security/Mobile-Security-Products/Secure-Data/-Resources-/Compliance-Heat-Map/

  • BYOD Security: Because Insurers Might Have Second Thoughts On Paying Up

    Good news for DSW Shoe Warehouse, Inc.: a federal appellate court has found that the company is entitled to insurance coverage of nearly $7 million in connection with a 2005 computer data breach.  The real point of the story, though: make sure you've got adequate data security software like AlertBoot protecting your information assets.

    Lower and Appellate Courts in Agreement

    When DSW Shoe Warehouse experienced a data breach involving the loss of 1.4 million credit cards, their insurer -- National Union Fire Insurance -- claimed that it didn't need to pony up because

    DSW "had not sustained loss 'resulting directly from' the theft of customer information," and that it was an uncovered "indirect loss" [businessinsurance.com]

    This, despite the fact that National Union had offered a "blanket crime policy" for computer fraud.  The lower courts disagreed with the insurer, and now the 6th U.S. Circuit Court of Appeals has upheld the lower courts' ruling:

    "Without ignoring that this is a commercial crime policy directed at the insured's loss and not a commercial liability policy, our task is to determine the intention of the parties from the plain and ordinary meaning of the specific language used," said the three-judge panel's unanimous ruling.

    "Despite defendant's arguments to the contrary, we find that the phrase 'resulting directly from' does not unambiguously limit coverage to loss resulting 'solely' or 'immediately' from the theft itself," said the ruling.

    "In fact," said the ruling, a policy endorsement "provided coverage for loss that the insured sustained 'resulting from' the 'theft of any insured property by computer fraud' which includes the 'wrongful conversion of assets under the direct or indirect control of a computer system by means of … fraudulent accessing of such computer system.'" [businessinsurance.com]

    This is great news for DSW.  After seven years, it has finally managed to get what it's due.  But, the situation raises questions and observations:

    1. The insurance companies will change their language.  I watched a rerun of The Rainmaker on TV last night, and maybe I'm being affected by it, but isn't "not paying" one of the ways insurance companies ensure policy holders' money stays with the company?  Nothing as sinister as in the movie starring Matt Damon, but the introduction of legalese and other legal vehicles is certainly used.  You can bet insurers will be reflecting on the above and make changes to contractual language so they don't get caught flatfooted the next time around (and with computer hacking, there's always a next time).

    2. Can you afford a seven-year lawsuit?  DSW may have won, but it took them seven years.  DSW is also a company with a $2.89 billion market capitalization and ranked as a Fortune 1000 enterprise that can afford such a protracted fight.  How many companies out there have signed up for a policy without DSW's financial resources, expecting to get remunerated?

    3. Is this the best way to use your resources?  Getting computer and cyber insurance is probably a good idea in this day and age.  However, the best policy is still to either eliminate (easier said than done) or minimize (definitely more manageable) the risks of being victimized.  Would it make sense to (1) use your financial resources to invest in data protection tools like mobile security software [http://www.alertboot.com/disk_encryption/disk_encryption_product_tour.aspx ; BYOD device protection] for devices and significantly reduce the risks of a breach or (2) have to hire lawyers to go after an insurer that won't pay because it thinks it doesn't have to due to a technicality, and wait seven years for that payout?

    Not the First Time

    Regarding point #1 above, I'm not necessarily convinced that I'm feeling a temporary Rainmaker-induced sense of indignity regarding insurance companies.  There is precedent.  For example, this one where Sony got caught with their proverbial pants down when Anonymous attacked last year.

    And, again, it's a company with vast financial resources.

    What about smaller companies that can't afford to lose their customers due to the negative PR that the breach has created and can't afford to match an insurance company's wherewithal in the court room?


    Related Articles and Sites:
    http://www.businessinsurance.com/article/20120823/NEWS07/120829934?tags=%7C299%7C75%7C83%7C302%7C303

  • Data Encryption: MacGyver Can Do All With His Trusty Swiss Army Knife But Secure Data

    According to some sources, Victorinox, the official makers of the official Swiss Army knife, has decided to discontinue support for secure data protection on their line of USB-drive-embedded SAKs.  When introduced, it was a fun (and expensive) USB flash drive with serious security.  In fact, it was like they had combined a regular Swiss Army knife, a flash drive, and AlertBoot encryption software in one package.

    But, Victorinox has apparently found out the hard way that software ought to be left to software makers.

    Announcement Posted Only on Facebook

    Not that I'm a SAK fanboy, but I did cover the knives' news before here and here.

    The weird aspect of the story is not the fact that Victorinox is "abandoning" a product line (or, at least, hampering it.  On the other hand, would a SAK be a SAK if it didn't offer the white toothpick thingy?  I think not).  It's the fact that the announcement was made in one place, and one place only: their Facebook page.

    Swiss army knife maker Victorinox has decided to take the sting out of ditching support for the security software in its range of USB-knife drives by offering customers a full refund.

    In a message posted to Facebook but not apparently anywhere else, the company said customers unhappy with the ending of the security features on the company's combined penknife/flash memory drives could send them back for a refund.

    "Ultimately, if you simply aren't happy with the product based on this development and would like to return it, we understand," read the announcement. [techworld.com]

    That was actually their second post, preceded by another Facebook post announcing the company's intentions to end support for software:

    As an economic company, we are required to provide the necessary expenditures in reasonable proportion to the possible yield. For this reason we have decided to offer only pure knife products with appropriate hardware. [facebook.com, Victorinox Secure]

    Because the software certificate for the security side of things expires on September 15 (less than one month away), Victorinox is strongly urging customers to create a backup of their data, stat!  After that date, any information in the encrypted zone will not be accessible.

    Ironically, Victorinox's Facebook page cover photo still boasts one of the knife's security features: biometric fingerprint scanning.

    Leave Software to the Software Experts?

    It's anyone's guess why the company has decided to discontinue supporting the security side of things.  I would imagine, however, that it has something to do with the reason why all software companies find dealing with software difficult: updates, upgrades, legacy support, general support, bug fixes, etc.

    For a hardware company, it's probably a little too much to handle.  And, even if the work was outsourced to a software company (most probably the case), Victorinox may have been surprised at the amount of ongoing work that was required.

    Incidentally, that's one of AlertBoot's selling points: clients really don't need to do any such upkeep.  Certainly, they need to engage in regular audits (made easy with our integrated security reporting engine) and the like, but because the AlertBoot data security solution is hosted in the cloud, ensuring server uptime, installing software updates and upgrades, applying patches and fixes, etc. are out of the equation, leading to a better overall value and lower total cost of ownership.


    Related Articles and Sites:
    http://news.techworld.com/security/3377751/victorinox-offers-refunds-after-usb-swiss-army-drives-lose-security/
