AlertBoot Endpoint Security : data theft prevention

BYOD Security: Complying With Australian Privacy Principle 11

sang_lee — Thu, 09 May 2013 08:07:00 GMT

Last week (28 April to 4 May 2013) was "Privacy Awareness Week" in the Asia Pacific region. Australia is one of the entities that participates in PAW (the others are, in alphabetical order, Canada, Hong Kong, Korea, Macau, Mexico, New Zealand, and the USA).

As part of the awareness campaign, the Office of the Australian Information Commissioner (OAIC) released their "Guide to Information Security: 'reasonable steps' to protect personal information." There is much information, and an entire subsection is dedicated to the use of encryption. That doesn't come as a surprise, seeing how cryptography is a key aspect of effective IT security; it could very well end up being the only information security measure that is (indirectly) listed as a requirement in complying with the Australian Privacy Principles.

BYOD and Australian Privacy Principle 11

According to the Parliament of Australia:

Australian Privacy Principle 11 (APP 11) protects personal information by imposing specific obligations on both agencies and organisations which hold that information. The principle also provides that entities take reasonable steps to destroy or de-identify the personal information once it is no longer needed... these obligations are in line with international best practice on privacy protection.
What are these "specific obligations" that are "in line with international best practice on privacy protection"? The answer to this question is quite complex, but when it comes to BYOD, mobile devices like smartphones and tablets, and laptop computers and their storage accessories, using encryption software to protect the data is probably up there on the do-list.

Consider the following:

Best practices vary from country to country, but most include a provision for data encryption, and provide safe harbor from legal and other penalties if used.

Encryption is used extensively for destroying or de-identifying information. For example, remote wiping of smartphones is based on deleting the encryption key (Note: Best practices still require physical destruction of information – including shredding, grinding, melting, etc., but only when it is possible to do so. If a device is lost or missing, encryption is the last, and best, resort).

Encryption is at the heart of all e-commerce, including on-line banking and credit card processing.

Where such data is made available – such as the USA's HIPAA (Health Insurance Portability and Accountability) "Wall of Shame" – the loss of devices accounts for more than 50% of data breaches (in the case of HIPAA, those affecting 500 or more people).

Encryption is a time-tested, bona fide solution for the many risks that accompany the use of devices that store sensitive data. Australian law, however, will probably follow in the footsteps of established legislation around the globe and not make its use a requirement.

Instead, indirect incentives for its use, such as the extension of safe harbor for encrypted data, which was already mentioned before, or monetary fines and penalties for data breaches where encryption is not used, are much more likely (and the accepted model in other countries).

Indeed, it was revealed only one week ago that financial penalties will be assess under the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013:
Repeat and serious offenders face financial penalties of up to $340,000 for individuals or $1.7 million for organisations - a maximum penalty which was last month increased from $220,000 and $1.1 million respectively.

Small-scale offenders could be taken to court and fined up to $34,000 for individuals, and $170,000 for organisations.

Making It Easy to Install, Deploy, and Manage BYOD Encryption

Of course, there will be other ways to comply with APP 11, depending on the circumstances. However, it wouldn't be a reach to say that none of these other solutions offer the dynamism, robustness, facility, or peace of mind that encryption offers.

Just because encryption is a proven technology and easy to use, however, it doesn't mean that it's easy to set up or maintain. An individual user must, among other things:

Ensure that the machine is ready for successful installation,

Ensure that the encryption key or keys are backed up (just in case. Otherwise, it will prove impossible to recover the protected data if something were to go awry, like a disk becoming corrupted),

Ensure that there is a way to regain access to the information if one forgets one's password,

Etc.

Try doing the above for more than one computer, and soon you're running into logistical problems. Indeed, effective encryption key management is seen as the top challenge for organizations that use encryption to secure their data.

The use of an encryption management server, if one's available for the particular cryptographic software you're using, resolves these issues but introduces another problem. Namely, that you've got to maintain the server, which requires its own resources: employee time; additional costs for said time, underlying software, hardware, server space, etc.; and concerns about scalability and reliability. (On a personal note, I've seen encryption management servers slow down once they start reaching around 2,000 users, a stark contrast to its zippy past when there were only a couple of hundred endpoints listed.)

Avoiding such problems is what makes AlertBoot Mobile Security such an effective service. The cloud-based solution makes keeping track of encryption keys very simple, and installation can be started in minutes, not days (or weeks, or months!) from anywhere with an internet connection. And, the 24/7 password recovery (via phone or web-based self-service) ensures that users will have a verified method for regaining access to their machines.

Of course, encryption is not the be-all, end-all: seeing how APP 11 is the eleventh privacy principle, logic dictates that there must be at least ten more of these (there are thirteen in all), and their compliance bring their own unique challenges.

However, encryption is bound to be one of the core solutions for compliance, and AlertBoot is one of the easiest and cost-effective methods to do so. If you'd like more information, you can start by visiting us here or here, if you're looking to become a partner.

Android Security: Pattern Lock Is Stronger Than You Think

sang_lee — Fri, 03 May 2013 08:15:00 GMT

How secure is the pattern lock found on Google Android devices? Apparently, quite a bit. Of course, it can be made very easy to crack. For example, if the so-called pattern is a straight line, that's not much security, is it? That's the equivalent of using "password" as a password, and defeats BYOD smartphone security, even if something like AlertBoot's Mobile Security is used to enhance their protection.

But, if you're not into hamstringing yourself, it turns out that the pattern lock can be very secure. So secure, in fact, that the FBI had to issue a warrant to Google to get the device unlocked.

Or so the headlines would lead you to believe....

FBI Wants Access to Pimp's Phone

"FBI, stumped by pimp's Android pattern lock, serves warrant on Google" is the headline at arstechnica.com (14 March 2013). A similar observation is made by wired.com.

The story: a pimp with a criminal history is found to be using an Android phone to coordinate his business activities in the sex trade. The FBI gets a warrant to search his house and belongings, which includes the phone. Pimp won't cooperate. So, the FBI sends the phone to its technicians, who eventually end up triggering a device lock-out after too many erroneous attempts. Once that happens, the FBI applies for a second warrant so that Google will unlock the phone.

So, what happened? As the arstechnica.com article notes, studies have shown that smudges on the phones can defeat the pattern lock. It's a guessing game, and under "ideal conditions" researchers were able to gain access to a phone 90% of the time.

But then, those are under ideal conditions. Make the pattern long enough and complex enough, and the odds of successfully breaking into a smartphone plummet. Especially if you attempt it more than 20 times. After the twentieth entry, the phone will lock you out, as noted earlier, and the only way to regain access is to provide the Google email address and password.

Mobile Security: MDM Controls Maximum Number of Failed Attempts

One of the features in AlertBoot Mobile Security is setting a policy for the number of failed passcode attempts before data on a device is wiped. This is a powerful way of ensuring data security for two reasons:

Chances are that, if the passcode is entered incorrectly too many times, it's not the device owner who's trying to gain access. (Of course, you need to find a balance. One wrong attempt is too little, but more than 15 wrong attempts is too much, never mind 20!)

Remote wiping sometimes doesn't work because the device is not connected to a network. Why not establish a self-destruction mechanism independent of internet or cellular network connectivity?

The real star of the FBI story is not really the pattern lock – which can work wonders, obviously – but the fact that you (or, rather, someone other than you) will get locked out after too many incorrect attempts.

If there was no limit, who's to say what would have happened?

BYOD Australia: Data Breach Notification Laws Coming Sooner Than You Think (Updated)

sang_lee — Wed, 01 May 2013 11:41:00 GMT

It looks like Australia may finally join the rest of the world and push forward a data breach notification law. According to itnews.com.au, Attorney-General Mark Dreyfus is helming the introduction of a law mandating notifications when Australians' personal information end up exposed. This time, it looks real (I blogged in 2009 that such laws were coming real soon. I guess I'm not quitting my day job for fortunetelling).

Update (02 MAY 2013): Well, well...perhaps I shouldn't give up so fast on the fortunetelling. According to SC Magazine, drafts of the data breach notification law have been leaked (at least, "leaked" seems like the correct word, since they were stamped "confidential.")

Among other things, this means more Australian companies will have to start considering the use of data security software and services, such as AlertBoot's mobile device management security suite, or face the consequences when a data breach takes place.

Growing Number of Breaches Shows Need for Mandatory Notification

The road for mandatory reporting of data breaches is a long one. In 2008, the Australian Law Reform Commission (ALRC) published a report on privacy. This three-volume report also included recommendations on data breach notifications for Australia. When you take into consideration that the report is the culmination of a 28-month effort, you can see that the issue of data breach notifications could have been discussed as early as 2006. (The very first such law, California SB 1386, went into effect in 2002).

In 2009, it was rumored that Australia would be passing a mandatory data breach notification law "real soon". Four years later, we're still hearing the same story.

It's Different this Time...?

But, this time, it's different. In October of 2012, feedback was sought on a mandatory Australian data breach law. And, the Attorney-General commented that,
...the growing amount of breaches reported in the media continued to raise community concerns about the need for a mandatory scheme.

"If there continues to be under reporting of data breaches, or we continue to find out about them only through media reports, some would argue there is a strong case to move to a mandatory scheme," he said.
Between 2011 and 2012, there was an 11% increase in privacy complaints. Plus, many surveys are showing that Australians support the idea of mandatory data breach notifications. The Privacy Commissioner has called for such a law as well.

Guide to Information Security Published

Another indication that Australians will see such a law sooner than later? The Office of the Australian Information Commissioner (OAIC) has released the final draft of the "Guide to Information Security: 'Reasonable Steps' to Protect Personal Information".

While the guideline is not binding, the Commissioner has noted that "its recommendations provides [sic] the best insurance against data breaches" and that "[the OAIC] intend to refer to it when assessing compliance with the data security obligations under the Privacy Act."

It looks like a number of different parameters are beginning to converge, and the writing is on the wall. If your company is based in Australia, this may be a good time to check out AlertBoot's data security offerings: mobile security for BYOD (tablet and smartphone protection) and full disk encryption for laptops.

Data Backup Encryption: Kmart (Inadvertently) Suffers Data Breach At Gun Point

sang_lee — Mon, 29 Apr 2013 13:31:00 GMT

Do you backup your data? Excellent! Do you use encryption software to protect its contents? Not doing so means that you've joined the "Data Breach Club," where the chances of a data breach are not an "if" but "when." Take Kmart as an example, which had a data breach because a thief robbed one of its store at gunpoint.

Nobody Expects their Data Backup to be Stolen

When I first heard that Kmart had to publicize a data breach because of HIPAA regulations, it hit me like a bag of surrealistic bricks (Kmart and HIPAA/HITECH?). But, I remembered that many Kmart locations also include a pharmacy. The story, as storefrontbacktalk.com describes it, is as follows:

On March 17, an armed robbery took place at a Little Rock, Arkansas Kmart. The assault took about an hour after closing time, and the perpetrator pointed a gun to the assistant store manager and forced him to open the store safe. The thief wiped it clean, which included $6,000 in cash and a backup disk.

The backup disk contained "full names, addresses, dates of birth, prescription numbers, prescribers, insurance cardholder IDs and drug names for some 788 customers" and, in certain cases, SSNs as well (well, more than a few. The spokesperson noted it was a "few hundred customers."

It was expressly pointed out that disk encryption was not used, nor its enfeebled cousin, password-protection.

Aside from the obvious mistakes, the spokesperson made two additional observations: (1) that accessing the customers' information "is slim to none, because you would need to know what software package" was used, and (2) that they were quick in contacting customers because they did so in about a month, as opposed to the 60 days that they're given.

Data Breach Possibility, Slim to None: Only If You Used Encryption

The observation that accessing customers' information is slim to none is debatable at best. It is slim to none because chances are the thief is not going to look. Generally, when a laptop gets stolen, it's wiped and reformatted for sale (at least, that's the reigning consensus). One assumes the same would hold for disk drives used as backups.

Then again, we must remember that this disk drive was inside a safe. That already suggests that something valuable is stored in it. Under the circumstances, what are the chances that the thief will ignore the suggestion that it's worth his while to see what's in it?

And, if he does, then the odds of a data breach are not really slim to none: freely available software from the internet can be used to scan a disks contents for particular information, like Social Security numbers (either as a pattern of 000-00-0000 or as a string of 9 numbers).

Only in the event that encryption is used can one confidently declare that particular breach is nearly riskless.

HIPAA Data Breaches and Unreasonable Delays: You (Don't Really) Have 60 Days to Report It

One of the more misinformed statements I've read is the following:
Asked why the delay [a little over one month], Sears spokesperson Shannelle Armstrong-Fowler pointed out that the chain moved much more quickly than the law requires. "Under HIPAA guidelines, 60 days are available for a health care entity to investigate and report on a potential breach. We completed our investigation and notified customers in approximately thirty days," she said.
This is entirely correct as well as partially true (what, you say? That sounds like a contradiction? Read on). As the Department of Health and Human Services (HHS) has pointed out in various publications, a breached entity must contact affected patients within 60 calendar days. However, it has noted that the HIPAA covered-entity must also contact patients as soon as possible. In a previous post (Does HIPAA / HITCH Really Give You 60 Days For Patient Notification?), I wrote the following:
It behooves administrators for a HIPAA-covered entity to take a good look at the HHS's opinions on the matter of data breaches and notifications. The 60-day limit is an "upper limit" and covered entities are expected to contact patients ASAP.
and supported the argument by noting the following passages from the Federal Register:
"...if a covered entity learns of an impermissible use or disclosure but unreasonably allows the investigation to lag for 30 days, this would constitute an unreasonable delay."

"...if a covered entity has compiled the information necessary to provide notification to individuals on day 10 but waits until day 60 to send the notifications, it would constitute an unreasonable delay despite the fact that the covered entity has provided notification within 60 days."
If the HHS Office of Civil Rights (OCR) were to conduct an audit and were to find that Kmart had unnecessary delayed contacting patients, it could mean severe legal repercussions for the wholesaler. Under HIPAA, 60 days is not really 60 days.

I'm no PR expert, but it seems to me that the spokeswoman should have focused on stating that they had to conduct an investigation, couldn't finish it any sooner, and notified its customers as soon as possible.

Of course, when you consider that the stolen disk affected 788 Kmart customers, one wonders whether they couldn't have been notified any sooner, and whether 30 days was really necessary. I've certainly seen situations where even more people were affected and notification letters were sent in a couple of weeks.

On the other hand, I've seen the inverse as well. The trick, it seems, is to design your systems with the possibility that a data breach will occur. By doing so, processes for a quick recovery are implemented.

For example, the reporting engine in AlertBoot Mobile Security allows one to easily generate mobile security audit and incident reports. It's used by many of our clients to prove compliance with laws and regulations in the event a mobile device (like a smartphone or a tablet) or a laptop computer is lost or stolen.

Canada Data Breaches: 3,000+ Cases Over 10 Years, Affects 725K

sang_lee — Wed, 24 Apr 2013 13:41:00 GMT

Organizations around the world, both in the private and public sectors, are leveraging the use of technology to their advantage. Take BYOD as an example: "bring your own device" initiatives are meant to reduce costs while increasing job satisfaction and worker efficiency. There is a darker side to BYOD, however: losing sensitive and private data, which doesn't sound like a big whoop until something goes terribly wrong. Because of the potential for data breaches, BYOD data security solutions and services like AlertBoot Mobile Security are not only a good idea, but can be a compliance requirement.

The key word there is "can," though. When you consider the value of personal data in the black market, or even to legitimate data brokers, one can only wonder why there aren't stricter laws addressing the issue of personal data security. It's a complex situation and a simple answer isn't readily available. However, a significant part of the answer could be that people have no idea how bad the situation is because it doesn't get reported. Take into consideration the Canadian government's recent revelation.

Over 725,000 Affected Over the Past 10 Years

According to a document that was presented in Canada's Parliament, there were more than 3,000 data breaches in the past 10 years. More than 725,000 Canadians were affected.

However, less than 13% of data breaches were reported (the implication, I guess, is that they were supposed to be reported to the Canadian Privacy Commissioner). Furthermore, there is a good chance that the 13% figure is inflated. According to the same report, the government's list cannot possibly include all data breaches. Hence, the 13% figure would actually be lower:
For instance, the Canada Revenue Agency didn’t provide any numbers, saying that a search of the hard copy records of breaches would be too cumbersome to be completed.
And those are instances of "known unknowns." Imagine what the picture would look like if the veil of "unknown unknowns" were lifted as well.

GIGO: Garbage In, Garbage Out

If you were in charge of coming up with a policy and found that there were only 300 or so breaches over the past 10 years (as opposed to 3,000), would if affect how you approached the project? Would it affect your conclusions on what needs to be done? Would your calculations show that the use of certain information security solutions were not "cost effective"?

My guess is that the answers to all of the above would be in the affirmative.

The last question is especially interesting. In this day and age, the bottom line tends to be the arbiter of whether something gets implemented. Hence, many IT departments have attempted to calculate a ROI (return on investment) for data security products and services, including mobile device management and security services for securing devices that are used in BYOD programs.

I should mention that such a calculation is an exercise in foolishness: information security is not an investment in the financial sense. It will not produce money or any other type of financial asset; and, of course, just because it doesn't generate income doesn't mean it isn't worthwhile.

For example, what's the ROI of a toilet? None (unless you're a company that sells porcelain bowls). Would your company be better off without toilets in the workplace? Probably not. While there isn't a return on investment, there certainly is a return in some kind of value.

All of this being said, if one is going to do some calculations, it still behooves them to use data that is as accurate and as precise as possible. If one finds that a BYOD security program will cost the company $10,000, it might cause him to balk if he's looking to prevent 300 data breaches vs. 3,000 of them.

The report to Canada's Parliament could very well explain why there isn't more being done to protect sensitive data at the federal level, and why Canada's been experiencing increasingly bigger data breaches.

Personal Data Breach: Consumer Churn Rate Directly Tied To Infosec Events Is Significant

sang_lee — Mon, 22 Apr 2013 08:46:00 GMT

A global study has revealed that personal data breaches lead to sizable numbers of customers to turn their back on companies. This might not be news, but perhaps the figures are: 23% of the respondents affirmatively answered that they have stopped doing business companies that failed to properly safeguard their data. All the more reason why a company should up the security ante by using some kind of data protection solution like AlertBoot (especially in this age of BYOD).

We Will vs. We Have

News of this study comes courtesy of databreaches.net. As the author at the site noted, there is a tremendous difference between what people claim they will do vs. what they actually end up doing. To account for this discrepancy, the authors of a study by the Economist Intelligence Unit asked the following (my own paraphrase):

Would you stop doing business with an organization that breached your data?

Have you actually suffered from a data breach, and if so, did you stop doing business with the company that experienced the data breach?

To the former, 32% of the respondents answered in the affirmative. To the latter, 38% answered in the affirmative.

This is a very curious outcome. Generally speaking, the latter tends to be lower than the former. That is, there are always more people that say they will do something, in contrast to those who actually do something. Hark back to New Year resolutions, for example: you'll always have more people who promise to lose weight, or to read more, or to procrastinate less; how many keep that promise, though?

What does this unexpected finding mean? Off the top of my head, it seems to indicate that it's only after they've become victims of a data breach that people realize the severity of the situation.

Spillover Effect

Not only that, it turns out that there are further ramifications:
the EIU research also found that 46% of respondents that had suffered a data breach had advised friends and family to be careful of sharing data with the organization.
Many companies look to get their products to "go viral" or make it spread via word of mouth, knowing that recommendations from friends, family, and acquaintances carry more weight than any marketing campaign some guys in an office can create.

Imagine, then, the disastrous effects the above could have on a company.

Nip It in the Bud because It's a Drop in the Bucket

An ounce of prevention is worth a pound of cure; so goes the old saying. Nowadays, I'm under the impression that the value of the cure is much, much higher.

Consider all the things that could go wrong by not employing, say, a BYOD security solution like AlertBoot Mobile Security. Assume that you can get the service for $100 per year, per device (it's actually much more cost effective, but I like easy numbers to work with).

Also, assume you've got 100 employees who opt to bring in their smartphones and tablets to use at work. This means you'd be spending $100,000 per year on what appears to be a bottomless pit. After all, it's not as if security threats are going away any time soon. One hundred large ones sound like a big number.

But what about the flipside of the coin?

There's the approximate one-third of your customers that will not be doing business with you in the foreseeable future. What does that translate to in lost revenue?

Your marketing will see a drop in ROI as you work harder to bring in new clients to replace the ones you've lost. That's money you didn't need to spend if you had proper security, on an activity whose efficiency is debatable.

Depending on which sector your business is in (finance, healthcare, e.g.), you might have to incur the costs of an audit, internal as well as external (by the government, such as an audit by HIPAA/OCR). These easily run into the five figures, at least.

Reaching out to "breachees". Most state and federal laws that oversee personal data laws require that first-class mail (or equivalent) be used. If the breach involves 200,000 people and you can mail each letter for $0.25, that's $50,000 you're spending to shoot yourself in the foot. That cost doesn't include the loss of productivity as your employees are working to help you shoot yourself in the foot.

Why do I keep writing that "you're shooting yourself in the foot"? Because around 33% of the people you're reaching out to will probably turn their backs on you, per the survey.

Lawsuits. 'Nough said.

No doubt there is more to the flipside of the coin; I've just run out of time to list them all. What would all of this cost? Depends on the size of the breach, but it could very well be in the millions of dollars.

For example, BCBS of Tennessee saw its data breach costs soar to $7 million when 220,000 patients were affected by a data breach. By the end of the whole ordeal, they had spent nearly $10 million for contacting members affected, investigating the theft, and offering free credit protection".

And this is before the fine that OCR levied on them for breaching HIPAA (technically, BCBS settled for $1.5 million, which is the maximum penalty that OCR can assess), or the reputational damage they took.

Or the security solutions they ended up adding into their risk prevention portfolio.