AlertBoot Endpoint Security : endpoint security breach

Apple BYOD Protection: Pentagon Clears Apple Devices for Use In DOD Network

sang_lee — Mon, 20 May 2013 12:00:00 GMT

Many media outlets are reporting that the US Department of Defense (DOD) has finally approved the use of Apple devices on its network. I see plenty of comments like, "Great, prepare for malware to spread in our country's military networks because some government worker decided to download the wrong game" or some nonsense.

Yeah, BYOD, or Bring Your Own Device, introduces risks. That's why you need to have the appropriate infrastructure to support BYOD, including the use of MDM (mobile device management) solutions for smartphones and tablets like AlertBoot Mobile Security.

It also helps if your BYOD project is not actually a BYOD project.

Apple Devices are STIG-tastic

Defense.gov reports that:
The release of the Apple iOS 6 STIG is a major stride in building a multivendor environment, supporting a diverse selection of devices and operating systems, DISA officials said. This STIG and the recently approved STIGs for the BlackBerry and Samsung Knox operating systems demonstrate DISA's commitment to validate a range of devices that meet DOD security standards so the best technology is available to achieve mission requirements, they added.
The STIG, or Security Technical Implementation Guide, is documentation designed to standardize security in the installation and maintenance of computer hardware and software, according to Wikipedia.

It Ain't BYOD If You Don't Bring It

What this all means is that Apple can now sell their devices to the military. This does not mean that people can bring their own iPhones and connect them to the government network. Also from defense.gov (my emphasis):
government-issued iOS6 mobile devices are approved for use when connecting to Defense Department networks within current mobility pilots or the future mobile device management framework
See how it says government-issued? A further explanation by the same site (my emphasis):
Officials said the STIG does not allow personally acquired mobile devices to connect to DOD networks.
In other words, they'll give employees an iPhone. Or an Android phone (as long as it's a Samsung, I guess, or running KNOX). Or perhaps even a Blackberry. Basically, the DOD, which is already leveraging Blackberry devices for better productivity and communications, is now widening their options in terms of hardware (and possibly software).

No BYOD here. More like CYOD, Choose Your Own Device.

Fool Me Twice, Shame on Me

The capriciousness of the "here come the data breaches" comments are a little annoying. Granted, the military once had a huge problem in their hands due to USB memory sticks, and ended banning all removable media devices on DOD machines. However, I like to think that much has changed since 2008. It seems quite obvious to me that the DOD would have learned something from the experience; they're most probably not approving Apple and Samsung devices without a good idea of what they're doing.

Getting Philosophical

Now, you might say, "hey, it's a matter of when, not if. That's the nature of data breaches. You can't really escape it; you can only be lucky enough not to be there anymore when it happens." In other words, MDM, passwords, encryption, location tracking, etc. are all for naught; attempting to provide security is useless when you know it's going to eventually happen.

Well, that's also true when it comes to death. The probability of you meeting your maker is 100% (in a manner of speaking), but mass suicides are severely lacking among the logical crowd. Often times, engaging in the "impossible" is still worth doing regardless of the odds.

UK BYOD Security: 82% Of Biz Unaware Of Existing Data Protection Expenditures

sang_lee — Wed, 15 May 2013 12:24:00 GMT

The UK Information Commissioner's Office (ICO) ordered a report to find the extent of English businesses' knowledge on the European Commission's data protection reforms. Among other things, the updates to the privacy laws further encourage (indirectly) the use of data protection software, like AlertBoot's Mobile Security for smartphones and tablets, as well as introducing novel ideas such as the "right to be forgotten."

Bad News

The survey's results are not very encouraging. For example, it turns out that 82% of businesses did not know how much they spend on data protection. Observed information-age.com,
it is not surprising, then, that 87% could not estimate what the impact of the reforms would be.

Respondents were asked to describe the reforms as they understand them. Four out of ten had an inaccurate understanding of all ten reforms, and not one fully understands every one.

An Easier Way? A Totally Transparent Cost Structure

I don't know about "the inaccurate understanding of all ten reforms," but I can understand why most businesses don't have a good idea on their data protection budget. The answer is that it's not easy figuring out what it actually costs.

Consider just one example of data security: laptop computer encryption and mobile device security for smartphones and tablets. Under the traditional model you have:

License purchases. Depending on the approach, a company may have to purchase the licenses in pre-arranged blocks, say at least 100 licenses, and 50 additional license blocks after that. If you need 105 licenses, you have to purchase 150. The remaining 45 are sometimes called "shelfware" because that's where they end up; maybe you'll them all, maybe you won't.

Because computers are tracked (e.g., to install updates or new software), you have a good idea of how many machines are on your network. But the cost of the data security is actually greater than that because of shelfware as well as computers than are not plugged to the network. Unless you have meticulous records, chances are your estimates will be lower than reality.

Bring Your Own Management Server. In other words, you have to provide the infrastructure for managing, deploying, and installing the licenses you just purchased. Of course, you could do it without central management. But if you have more than, say, 50 computers to manage (again, to install updates or new software or whatever), a management server saves time and money. But only if you plunk down money. The problem is that you may add, retire, or repurpose servers as necessary or as opportunity permits.

And, by doing so, you also change the equations for what you're spending in terms of electricity, peripherals (like LAN cables and whatnot), etc. In the end, these add up to a substantial figure. But, with things moving in and out, you're never quite sure what the figure is. For example, a management server for full disk encryption is repurposed as a printer server...did you update your accounting spreadsheets as well?

Data Center. Many companies make use of data centers to ensure reliability and uptime of core operations. The data security portion probably holds a fraction of the space allocated in a data center. So what are its costs, exactly? You know you're paying saying, $5,000 per month, but how much of that is assigned to the data protection portion? Good luck finding out.

Employees. Maybe the company has an IT department. And maybe the IT department's personnel are doing double (or triple) duty as coders, troubleshooters, software installers, hardware installers, and who knows what else. How much of their time is spent on data security stuff? Or maybe they've got people dedicated to doing password resets for people who forgot their passwords and are locked out of their computers.

As you can see, trying to figure out how much data security costs is fraught with blind spots.

Of course, it doesn't necessarily have to be this way. AlertBoot's security suite for endpoints – AlertBoot Mobile Security for BYOD and AlertBoot Full Disk Encryption for laptop hard drives – are a model of cost transparency: a flat annual price without any predefined license purchases: you can obtain as many (or as little) licenses as you need.

This is possible because the solution is cloud-based, hosted on AlertBoot's data centers. This means any hardware and software issues are left up to AlertBoot. Furthermore, the company provides support and password recovery services 24/7, ensuring that the IT department is focused on more important matters.

Because all of this is included in AlertBoot's offerings, calculating data security costs are also very easy.

Data Backup Encryption: Kmart (Inadvertently) Suffers Data Breach At Gun Point

sang_lee — Mon, 29 Apr 2013 13:31:00 GMT

Do you backup your data? Excellent! Do you use encryption software to protect its contents? Not doing so means that you've joined the "Data Breach Club," where the chances of a data breach are not an "if" but "when." Take Kmart as an example, which had a data breach because a thief robbed one of its store at gunpoint.

Nobody Expects their Data Backup to be Stolen

When I first heard that Kmart had to publicize a data breach because of HIPAA regulations, it hit me like a bag of surrealistic bricks (Kmart and HIPAA/HITECH?). But, I remembered that many Kmart locations also include a pharmacy. The story, as storefrontbacktalk.com describes it, is as follows:

On March 17, an armed robbery took place at a Little Rock, Arkansas Kmart. The assault took about an hour after closing time, and the perpetrator pointed a gun to the assistant store manager and forced him to open the store safe. The thief wiped it clean, which included $6,000 in cash and a backup disk.

The backup disk contained "full names, addresses, dates of birth, prescription numbers, prescribers, insurance cardholder IDs and drug names for some 788 customers" and, in certain cases, SSNs as well (well, more than a few. The spokesperson noted it was a "few hundred customers."

It was expressly pointed out that disk encryption was not used, nor its enfeebled cousin, password-protection.

Aside from the obvious mistakes, the spokesperson made two additional observations: (1) that accessing the customers' information "is slim to none, because you would need to know what software package" was used, and (2) that they were quick in contacting customers because they did so in about a month, as opposed to the 60 days that they're given.

Data Breach Possibility, Slim to None: Only If You Used Encryption

The observation that accessing customers' information is slim to none is debatable at best. It is slim to none because chances are the thief is not going to look. Generally, when a laptop gets stolen, it's wiped and reformatted for sale (at least, that's the reigning consensus). One assumes the same would hold for disk drives used as backups.

Then again, we must remember that this disk drive was inside a safe. That already suggests that something valuable is stored in it. Under the circumstances, what are the chances that the thief will ignore the suggestion that it's worth his while to see what's in it?

And, if he does, then the odds of a data breach are not really slim to none: freely available software from the internet can be used to scan a disks contents for particular information, like Social Security numbers (either as a pattern of 000-00-0000 or as a string of 9 numbers).

Only in the event that encryption is used can one confidently declare that particular breach is nearly riskless.

HIPAA Data Breaches and Unreasonable Delays: You (Don't Really) Have 60 Days to Report It

One of the more misinformed statements I've read is the following:
Asked why the delay [a little over one month], Sears spokesperson Shannelle Armstrong-Fowler pointed out that the chain moved much more quickly than the law requires. "Under HIPAA guidelines, 60 days are available for a health care entity to investigate and report on a potential breach. We completed our investigation and notified customers in approximately thirty days," she said.
This is entirely correct as well as partially true (what, you say? That sounds like a contradiction? Read on). As the Department of Health and Human Services (HHS) has pointed out in various publications, a breached entity must contact affected patients within 60 calendar days. However, it has noted that the HIPAA covered-entity must also contact patients as soon as possible. In a previous post (Does HIPAA / HITCH Really Give You 60 Days For Patient Notification?), I wrote the following:
It behooves administrators for a HIPAA-covered entity to take a good look at the HHS's opinions on the matter of data breaches and notifications. The 60-day limit is an "upper limit" and covered entities are expected to contact patients ASAP.
and supported the argument by noting the following passages from the Federal Register:
"...if a covered entity learns of an impermissible use or disclosure but unreasonably allows the investigation to lag for 30 days, this would constitute an unreasonable delay."

"...if a covered entity has compiled the information necessary to provide notification to individuals on day 10 but waits until day 60 to send the notifications, it would constitute an unreasonable delay despite the fact that the covered entity has provided notification within 60 days."
If the HHS Office of Civil Rights (OCR) were to conduct an audit and were to find that Kmart had unnecessary delayed contacting patients, it could mean severe legal repercussions for the wholesaler. Under HIPAA, 60 days is not really 60 days.

I'm no PR expert, but it seems to me that the spokeswoman should have focused on stating that they had to conduct an investigation, couldn't finish it any sooner, and notified its customers as soon as possible.

Of course, when you consider that the stolen disk affected 788 Kmart customers, one wonders whether they couldn't have been notified any sooner, and whether 30 days was really necessary. I've certainly seen situations where even more people were affected and notification letters were sent in a couple of weeks.

On the other hand, I've seen the inverse as well. The trick, it seems, is to design your systems with the possibility that a data breach will occur. By doing so, processes for a quick recovery are implemented.

For example, the reporting engine in AlertBoot Mobile Security allows one to easily generate mobile security audit and incident reports. It's used by many of our clients to prove compliance with laws and regulations in the event a mobile device (like a smartphone or a tablet) or a laptop computer is lost or stolen.

Canada Data Breaches: 3,000+ Cases Over 10 Years, Affects 725K

sang_lee — Wed, 24 Apr 2013 13:41:00 GMT

Organizations around the world, both in the private and public sectors, are leveraging the use of technology to their advantage. Take BYOD as an example: "bring your own device" initiatives are meant to reduce costs while increasing job satisfaction and worker efficiency. There is a darker side to BYOD, however: losing sensitive and private data, which doesn't sound like a big whoop until something goes terribly wrong. Because of the potential for data breaches, BYOD data security solutions and services like AlertBoot Mobile Security are not only a good idea, but can be a compliance requirement.

The key word there is "can," though. When you consider the value of personal data in the black market, or even to legitimate data brokers, one can only wonder why there aren't stricter laws addressing the issue of personal data security. It's a complex situation and a simple answer isn't readily available. However, a significant part of the answer could be that people have no idea how bad the situation is because it doesn't get reported. Take into consideration the Canadian government's recent revelation.

Over 725,000 Affected Over the Past 10 Years

According to a document that was presented in Canada's Parliament, there were more than 3,000 data breaches in the past 10 years. More than 725,000 Canadians were affected.

However, less than 13% of data breaches were reported (the implication, I guess, is that they were supposed to be reported to the Canadian Privacy Commissioner). Furthermore, there is a good chance that the 13% figure is inflated. According to the same report, the government's list cannot possibly include all data breaches. Hence, the 13% figure would actually be lower:
For instance, the Canada Revenue Agency didn’t provide any numbers, saying that a search of the hard copy records of breaches would be too cumbersome to be completed.
And those are instances of "known unknowns." Imagine what the picture would look like if the veil of "unknown unknowns" were lifted as well.

GIGO: Garbage In, Garbage Out

If you were in charge of coming up with a policy and found that there were only 300 or so breaches over the past 10 years (as opposed to 3,000), would if affect how you approached the project? Would it affect your conclusions on what needs to be done? Would your calculations show that the use of certain information security solutions were not "cost effective"?

My guess is that the answers to all of the above would be in the affirmative.

The last question is especially interesting. In this day and age, the bottom line tends to be the arbiter of whether something gets implemented. Hence, many IT departments have attempted to calculate a ROI (return on investment) for data security products and services, including mobile device management and security services for securing devices that are used in BYOD programs.

I should mention that such a calculation is an exercise in foolishness: information security is not an investment in the financial sense. It will not produce money or any other type of financial asset; and, of course, just because it doesn't generate income doesn't mean it isn't worthwhile.

For example, what's the ROI of a toilet? None (unless you're a company that sells porcelain bowls). Would your company be better off without toilets in the workplace? Probably not. While there isn't a return on investment, there certainly is a return in some kind of value.

All of this being said, if one is going to do some calculations, it still behooves them to use data that is as accurate and as precise as possible. If one finds that a BYOD security program will cost the company $10,000, it might cause him to balk if he's looking to prevent 300 data breaches vs. 3,000 of them.

The report to Canada's Parliament could very well explain why there isn't more being done to protect sensitive data at the federal level, and why Canada's been experiencing increasingly bigger data breaches.

Personal Data Breach: Consumer Churn Rate Directly Tied To Infosec Events Is Significant

sang_lee — Mon, 22 Apr 2013 08:46:00 GMT

A global study has revealed that personal data breaches lead to sizable numbers of customers to turn their back on companies. This might not be news, but perhaps the figures are: 23% of the respondents affirmatively answered that they have stopped doing business companies that failed to properly safeguard their data. All the more reason why a company should up the security ante by using some kind of data protection solution like AlertBoot (especially in this age of BYOD).

We Will vs. We Have

News of this study comes courtesy of databreaches.net. As the author at the site noted, there is a tremendous difference between what people claim they will do vs. what they actually end up doing. To account for this discrepancy, the authors of a study by the Economist Intelligence Unit asked the following (my own paraphrase):

Would you stop doing business with an organization that breached your data?

Have you actually suffered from a data breach, and if so, did you stop doing business with the company that experienced the data breach?

To the former, 32% of the respondents answered in the affirmative. To the latter, 38% answered in the affirmative.

This is a very curious outcome. Generally speaking, the latter tends to be lower than the former. That is, there are always more people that say they will do something, in contrast to those who actually do something. Hark back to New Year resolutions, for example: you'll always have more people who promise to lose weight, or to read more, or to procrastinate less; how many keep that promise, though?

What does this unexpected finding mean? Off the top of my head, it seems to indicate that it's only after they've become victims of a data breach that people realize the severity of the situation.

Spillover Effect

Not only that, it turns out that there are further ramifications:
the EIU research also found that 46% of respondents that had suffered a data breach had advised friends and family to be careful of sharing data with the organization.
Many companies look to get their products to "go viral" or make it spread via word of mouth, knowing that recommendations from friends, family, and acquaintances carry more weight than any marketing campaign some guys in an office can create.

Imagine, then, the disastrous effects the above could have on a company.

Nip It in the Bud because It's a Drop in the Bucket

An ounce of prevention is worth a pound of cure; so goes the old saying. Nowadays, I'm under the impression that the value of the cure is much, much higher.

Consider all the things that could go wrong by not employing, say, a BYOD security solution like AlertBoot Mobile Security. Assume that you can get the service for $100 per year, per device (it's actually much more cost effective, but I like easy numbers to work with).

Also, assume you've got 100 employees who opt to bring in their smartphones and tablets to use at work. This means you'd be spending $100,000 per year on what appears to be a bottomless pit. After all, it's not as if security threats are going away any time soon. One hundred large ones sound like a big number.

But what about the flipside of the coin?

There's the approximate one-third of your customers that will not be doing business with you in the foreseeable future. What does that translate to in lost revenue?

Your marketing will see a drop in ROI as you work harder to bring in new clients to replace the ones you've lost. That's money you didn't need to spend if you had proper security, on an activity whose efficiency is debatable.

Depending on which sector your business is in (finance, healthcare, e.g.), you might have to incur the costs of an audit, internal as well as external (by the government, such as an audit by HIPAA/OCR). These easily run into the five figures, at least.

Reaching out to "breachees". Most state and federal laws that oversee personal data laws require that first-class mail (or equivalent) be used. If the breach involves 200,000 people and you can mail each letter for $0.25, that's $50,000 you're spending to shoot yourself in the foot. That cost doesn't include the loss of productivity as your employees are working to help you shoot yourself in the foot.

Why do I keep writing that "you're shooting yourself in the foot"? Because around 33% of the people you're reaching out to will probably turn their backs on you, per the survey.

Lawsuits. 'Nough said.

No doubt there is more to the flipside of the coin; I've just run out of time to list them all. What would all of this cost? Depends on the size of the breach, but it could very well be in the millions of dollars.

For example, BCBS of Tennessee saw its data breach costs soar to $7 million when 220,000 patients were affected by a data breach. By the end of the whole ordeal, they had spent nearly $10 million for contacting members affected, investigating the theft, and offering free credit protection".

And this is before the fine that OCR levied on them for breaching HIPAA (technically, BCBS settled for $1.5 million, which is the maximum penalty that OCR can assess), or the reputational damage they took.

Or the security solutions they ended up adding into their risk prevention portfolio.

Financial Data BYOD: Investment Industry Regulatory Organization of Canada Loses Info On 50K

sang_lee — Wed, 17 Apr 2013 08:22:00 GMT

According to Canadian media, the Investment Industry Regulatory Organization of Canada (IIROC) has lost a "portable device" that contained information on over 50,000 people. The IIROC has not been very responsive regarding the details, including whether the device was protected with a mobile data management software like AlertBoot. However, we know this much: they're "very sorry."

52,000 Clients of 32 Brokerage Firms Affected

According to theglobeandmail.com, among other media outlets, the IIROC has blamed itself for the "unfortunate but isolated incident" and has promised to strengthen their internal controls so that the situation does not present itself in the future.

The regulator's spokeswoman noted that the IIROC does not want to make public details about the case (and make things worse):
"We are concerned that disclosing details of the incident may put clients' information at greater risk of being targeted for unauthorized use," she said. "We have communicated with all affected firms and are notifying their clients whose information was on the device."
Maybe it's just me, but this does not sound like the words of a confident organization that knows their data is secure, despite not exactly knowing its current whereabouts. Could this be indicative of a situation where this lost device has not been encrypted?

This would not be the first (or last) time that something like this has happened. The loss of USB drives and external hard drives have accounted for hundreds of public data breaches around the world. You can bet that many more go unreported.

The combination of "extremely portable" and "high capacity," compounded with people's inability to delete data – it's always easier to keep it around if you've got lots of storage space left, which is why my web-browser bookmarks point to YouTube clips that don't exist anymore – creates a potent and poisonous mix that will lead to a data breach, sooner or later.

Our Recommendation: Control and Encrypt

The best way to ensure that a portable device doesn't turn into a data breach is to not use one. Now, you might think this is easier said than done, but it isn't, in a way. There are companies out there in the world where they prevent the use of USB flash drives and such by taking a penny and gluing it to USB ports (my guess is that they're big into Bluetooth keyboards and mice).

Most companies, however, will benefit from the use of their USB ports. But, keeping them open and accessible also means that an employee could use their own USB sticks to copy data. What to do? At AlertBoot, we recommend controlling where the USB device can be used, and making sure that it's encrypted.

First, the use of encryption software will ensure that there is no unauthorized access when and if the device goes missing. Second, you can control where and how the device can be used by ensuring it doesn't work on unauthorized computers. Under the AlertBoot solution for full disk encryption, a USB storage device can only be shared with computers that are part of a trusted group.

So, for example, a USB device will work among computers lined at the front of the room, but not with those at the back of the same room (the device would show as unformatted thanks to encryption). It's just a matter of how you group the computers: by department, by team, by floor, etc.