AlertBoot Endpoint Security : full disk encryption

UK BYOD Security: 82% Of Biz Unaware Of Existing Data Protection Expenditures

sang_lee — Wed, 15 May 2013 12:24:00 GMT

The UK Information Commissioner's Office (ICO) ordered a report to find the extent of English businesses' knowledge on the European Commission's data protection reforms. Among other things, the updates to the privacy laws further encourage (indirectly) the use of data protection software, like AlertBoot's Mobile Security for smartphones and tablets, as well as introducing novel ideas such as the "right to be forgotten."

Bad News

The survey's results are not very encouraging. For example, it turns out that 82% of businesses did not know how much they spend on data protection. Observed information-age.com,
it is not surprising, then, that 87% could not estimate what the impact of the reforms would be.

Respondents were asked to describe the reforms as they understand them. Four out of ten had an inaccurate understanding of all ten reforms, and not one fully understands every one.

An Easier Way? A Totally Transparent Cost Structure

I don't know about "the inaccurate understanding of all ten reforms," but I can understand why most businesses don't have a good idea on their data protection budget. The answer is that it's not easy figuring out what it actually costs.

Consider just one example of data security: laptop computer encryption and mobile device security for smartphones and tablets. Under the traditional model you have:

License purchases. Depending on the approach, a company may have to purchase the licenses in pre-arranged blocks, say at least 100 licenses, and 50 additional license blocks after that. If you need 105 licenses, you have to purchase 150. The remaining 45 are sometimes called "shelfware" because that's where they end up; maybe you'll them all, maybe you won't.

Because computers are tracked (e.g., to install updates or new software), you have a good idea of how many machines are on your network. But the cost of the data security is actually greater than that because of shelfware as well as computers than are not plugged to the network. Unless you have meticulous records, chances are your estimates will be lower than reality.

Bring Your Own Management Server. In other words, you have to provide the infrastructure for managing, deploying, and installing the licenses you just purchased. Of course, you could do it without central management. But if you have more than, say, 50 computers to manage (again, to install updates or new software or whatever), a management server saves time and money. But only if you plunk down money. The problem is that you may add, retire, or repurpose servers as necessary or as opportunity permits.

And, by doing so, you also change the equations for what you're spending in terms of electricity, peripherals (like LAN cables and whatnot), etc. In the end, these add up to a substantial figure. But, with things moving in and out, you're never quite sure what the figure is. For example, a management server for full disk encryption is repurposed as a printer server...did you update your accounting spreadsheets as well?

Data Center. Many companies make use of data centers to ensure reliability and uptime of core operations. The data security portion probably holds a fraction of the space allocated in a data center. So what are its costs, exactly? You know you're paying saying, $5,000 per month, but how much of that is assigned to the data protection portion? Good luck finding out.

Employees. Maybe the company has an IT department. And maybe the IT department's personnel are doing double (or triple) duty as coders, troubleshooters, software installers, hardware installers, and who knows what else. How much of their time is spent on data security stuff? Or maybe they've got people dedicated to doing password resets for people who forgot their passwords and are locked out of their computers.

As you can see, trying to figure out how much data security costs is fraught with blind spots.

Of course, it doesn't necessarily have to be this way. AlertBoot's security suite for endpoints – AlertBoot Mobile Security for BYOD and AlertBoot Full Disk Encryption for laptop hard drives – are a model of cost transparency: a flat annual price without any predefined license purchases: you can obtain as many (or as little) licenses as you need.

This is possible because the solution is cloud-based, hosted on AlertBoot's data centers. This means any hardware and software issues are left up to AlertBoot. Furthermore, the company provides support and password recovery services 24/7, ensuring that the IT department is focused on more important matters.

Because all of this is included in AlertBoot's offerings, calculating data security costs are also very easy.

Data Backup Encryption: Kmart (Inadvertently) Suffers Data Breach At Gun Point

sang_lee — Mon, 29 Apr 2013 13:31:00 GMT

Do you backup your data? Excellent! Do you use encryption software to protect its contents? Not doing so means that you've joined the "Data Breach Club," where the chances of a data breach are not an "if" but "when." Take Kmart as an example, which had a data breach because a thief robbed one of its store at gunpoint.

Nobody Expects their Data Backup to be Stolen

When I first heard that Kmart had to publicize a data breach because of HIPAA regulations, it hit me like a bag of surrealistic bricks (Kmart and HIPAA/HITECH?). But, I remembered that many Kmart locations also include a pharmacy. The story, as storefrontbacktalk.com describes it, is as follows:

On March 17, an armed robbery took place at a Little Rock, Arkansas Kmart. The assault took about an hour after closing time, and the perpetrator pointed a gun to the assistant store manager and forced him to open the store safe. The thief wiped it clean, which included $6,000 in cash and a backup disk.

The backup disk contained "full names, addresses, dates of birth, prescription numbers, prescribers, insurance cardholder IDs and drug names for some 788 customers" and, in certain cases, SSNs as well (well, more than a few. The spokesperson noted it was a "few hundred customers."

It was expressly pointed out that disk encryption was not used, nor its enfeebled cousin, password-protection.

Aside from the obvious mistakes, the spokesperson made two additional observations: (1) that accessing the customers' information "is slim to none, because you would need to know what software package" was used, and (2) that they were quick in contacting customers because they did so in about a month, as opposed to the 60 days that they're given.

Data Breach Possibility, Slim to None: Only If You Used Encryption

The observation that accessing customers' information is slim to none is debatable at best. It is slim to none because chances are the thief is not going to look. Generally, when a laptop gets stolen, it's wiped and reformatted for sale (at least, that's the reigning consensus). One assumes the same would hold for disk drives used as backups.

Then again, we must remember that this disk drive was inside a safe. That already suggests that something valuable is stored in it. Under the circumstances, what are the chances that the thief will ignore the suggestion that it's worth his while to see what's in it?

And, if he does, then the odds of a data breach are not really slim to none: freely available software from the internet can be used to scan a disks contents for particular information, like Social Security numbers (either as a pattern of 000-00-0000 or as a string of 9 numbers).

Only in the event that encryption is used can one confidently declare that particular breach is nearly riskless.

HIPAA Data Breaches and Unreasonable Delays: You (Don't Really) Have 60 Days to Report It

One of the more misinformed statements I've read is the following:
Asked why the delay [a little over one month], Sears spokesperson Shannelle Armstrong-Fowler pointed out that the chain moved much more quickly than the law requires. "Under HIPAA guidelines, 60 days are available for a health care entity to investigate and report on a potential breach. We completed our investigation and notified customers in approximately thirty days," she said.
This is entirely correct as well as partially true (what, you say? That sounds like a contradiction? Read on). As the Department of Health and Human Services (HHS) has pointed out in various publications, a breached entity must contact affected patients within 60 calendar days. However, it has noted that the HIPAA covered-entity must also contact patients as soon as possible. In a previous post (Does HIPAA / HITCH Really Give You 60 Days For Patient Notification?), I wrote the following:
It behooves administrators for a HIPAA-covered entity to take a good look at the HHS's opinions on the matter of data breaches and notifications. The 60-day limit is an "upper limit" and covered entities are expected to contact patients ASAP.
and supported the argument by noting the following passages from the Federal Register:
"...if a covered entity learns of an impermissible use or disclosure but unreasonably allows the investigation to lag for 30 days, this would constitute an unreasonable delay."

"...if a covered entity has compiled the information necessary to provide notification to individuals on day 10 but waits until day 60 to send the notifications, it would constitute an unreasonable delay despite the fact that the covered entity has provided notification within 60 days."
If the HHS Office of Civil Rights (OCR) were to conduct an audit and were to find that Kmart had unnecessary delayed contacting patients, it could mean severe legal repercussions for the wholesaler. Under HIPAA, 60 days is not really 60 days.

I'm no PR expert, but it seems to me that the spokeswoman should have focused on stating that they had to conduct an investigation, couldn't finish it any sooner, and notified its customers as soon as possible.

Of course, when you consider that the stolen disk affected 788 Kmart customers, one wonders whether they couldn't have been notified any sooner, and whether 30 days was really necessary. I've certainly seen situations where even more people were affected and notification letters were sent in a couple of weeks.

On the other hand, I've seen the inverse as well. The trick, it seems, is to design your systems with the possibility that a data breach will occur. By doing so, processes for a quick recovery are implemented.

For example, the reporting engine in AlertBoot Mobile Security allows one to easily generate mobile security audit and incident reports. It's used by many of our clients to prove compliance with laws and regulations in the event a mobile device (like a smartphone or a tablet) or a laptop computer is lost or stolen.

Personal Data Breach: Consumer Churn Rate Directly Tied To Infosec Events Is Significant

sang_lee — Mon, 22 Apr 2013 08:46:00 GMT

A global study has revealed that personal data breaches lead to sizable numbers of customers to turn their back on companies. This might not be news, but perhaps the figures are: 23% of the respondents affirmatively answered that they have stopped doing business companies that failed to properly safeguard their data. All the more reason why a company should up the security ante by using some kind of data protection solution like AlertBoot (especially in this age of BYOD).

We Will vs. We Have

News of this study comes courtesy of databreaches.net. As the author at the site noted, there is a tremendous difference between what people claim they will do vs. what they actually end up doing. To account for this discrepancy, the authors of a study by the Economist Intelligence Unit asked the following (my own paraphrase):

Would you stop doing business with an organization that breached your data?

Have you actually suffered from a data breach, and if so, did you stop doing business with the company that experienced the data breach?

To the former, 32% of the respondents answered in the affirmative. To the latter, 38% answered in the affirmative.

This is a very curious outcome. Generally speaking, the latter tends to be lower than the former. That is, there are always more people that say they will do something, in contrast to those who actually do something. Hark back to New Year resolutions, for example: you'll always have more people who promise to lose weight, or to read more, or to procrastinate less; how many keep that promise, though?

What does this unexpected finding mean? Off the top of my head, it seems to indicate that it's only after they've become victims of a data breach that people realize the severity of the situation.

Spillover Effect

Not only that, it turns out that there are further ramifications:
the EIU research also found that 46% of respondents that had suffered a data breach had advised friends and family to be careful of sharing data with the organization.
Many companies look to get their products to "go viral" or make it spread via word of mouth, knowing that recommendations from friends, family, and acquaintances carry more weight than any marketing campaign some guys in an office can create.

Imagine, then, the disastrous effects the above could have on a company.

Nip It in the Bud because It's a Drop in the Bucket

An ounce of prevention is worth a pound of cure; so goes the old saying. Nowadays, I'm under the impression that the value of the cure is much, much higher.

Consider all the things that could go wrong by not employing, say, a BYOD security solution like AlertBoot Mobile Security. Assume that you can get the service for $100 per year, per device (it's actually much more cost effective, but I like easy numbers to work with).

Also, assume you've got 100 employees who opt to bring in their smartphones and tablets to use at work. This means you'd be spending $100,000 per year on what appears to be a bottomless pit. After all, it's not as if security threats are going away any time soon. One hundred large ones sound like a big number.

But what about the flipside of the coin?

There's the approximate one-third of your customers that will not be doing business with you in the foreseeable future. What does that translate to in lost revenue?

Your marketing will see a drop in ROI as you work harder to bring in new clients to replace the ones you've lost. That's money you didn't need to spend if you had proper security, on an activity whose efficiency is debatable.

Depending on which sector your business is in (finance, healthcare, e.g.), you might have to incur the costs of an audit, internal as well as external (by the government, such as an audit by HIPAA/OCR). These easily run into the five figures, at least.

Reaching out to "breachees". Most state and federal laws that oversee personal data laws require that first-class mail (or equivalent) be used. If the breach involves 200,000 people and you can mail each letter for $0.25, that's $50,000 you're spending to shoot yourself in the foot. That cost doesn't include the loss of productivity as your employees are working to help you shoot yourself in the foot.

Why do I keep writing that "you're shooting yourself in the foot"? Because around 33% of the people you're reaching out to will probably turn their backs on you, per the survey.

Lawsuits. 'Nough said.

No doubt there is more to the flipside of the coin; I've just run out of time to list them all. What would all of this cost? Depends on the size of the breach, but it could very well be in the millions of dollars.

For example, BCBS of Tennessee saw its data breach costs soar to $7 million when 220,000 patients were affected by a data breach. By the end of the whole ordeal, they had spent nearly $10 million for contacting members affected, investigating the theft, and offering free credit protection".

And this is before the fine that OCR levied on them for breaching HIPAA (technically, BCBS settled for $1.5 million, which is the maximum penalty that OCR can assess), or the reputational damage they took.

Or the security solutions they ended up adding into their risk prevention portfolio.

Smartphone And Tablet BYOD Security: Because Physical Attacks Cannot Be Discounted

sang_lee — Fri, 12 Apr 2013 12:47:00 GMT

Many websites reported earlier in the week that Vudu, a video-streaming company that's owned by Walmart, reported a data breach. Furthermore, Vudu recommended that users of the service reset their passwords, especially if their passwords are reused on other online sites. These are usually the words of a company that was hacked online, such as with a SQL injection attack.

With Vudu, however, it's different: burglars broke into the Santa Clara, California-based company on March 24, 2013 and stole computer hard drives. The data breach was limited by practicing adequate security, although the hard drives were not protected with the likes of full disk encryption such as AlertBoot. This goes to show the need for proper data security on all devices, including smartphones, tablets, and laptops. The threat is not just virtual.

Customer Data Compromised

Vudu revealed that the stolen drives contained the following information: customer names, email addresses, physical mailing addresses, Vudu account activity, dates of birth, the last four digits of credit cards, and "encrypted passwords."

Despite all the things that Vudu did correctly, it fell flat in one area: it didn't notify clients until two weeks after the break-in. In their FAQ, Vudu clarifies that they needed to "reconstruct the information" and that "law enforcement requested that [Vudu] delay notification."

I include quotes for "encrypted passwords" because they're probably not encrypted as much as they are hashed.

What's the difference, you may ask?

Encrypted Passwords Generally Not Encrypted

Generally, "encrypted passwords" are not really encrypted. If they were, they wouldn't be easy to guess or figure out. Indeed, it's the reason why devices like iPhones, iPads, and Android smartphones all use disk encryption. The use of encryption makes it virtually impossible to gain unauthorized access to the data in the devices (and, thus, is one of the core aspects of AlertBoot's mobile device management and security solution, although users of AlertBoot can manage many different aspects associated with mobile security to suit their needs).

Whereas the implication here, with Vudu strongly urging password changes, is that the passwords could be guessed, meaning that the passwords were hashed. A "hash" is when a password is passed through an algorithm and comes out looking nothing like its input. Sounds like encryption, except for two things:

You can't convert a hash back to its original input (with encryption, you can).

There's a 1-to-1 correlation between the input and the hashed output. So, if the password is "blue" and the hashed output is "920jf3no23nfoiwjfc9sjvasjd293r2," then the hashed output will always be "920jf3no23nfoiwjfc9sjvasjd293r2" for "blue" with no exceptions.

You don't need a ridiculous amount of foresight to see how this could be an Achilles heel: all you need to crack the security is to prepare a list of inputs and outputs, and compare hashed passwords to this list. This is why if you're hashing passwords you also need salt them: include random characters so that the output becomes different.

For example, "blue," "blue1," and "blue11" will all lead to extremely different outputs. Make your salt unique and keep it a secret and, the theory goes, your passwords will be safe. Not a bad theory, but the real world has a way of throwing a wrench in the works.

The problem is that different users often use the same password. You've seen the lists of words that shouldn't be employed as passwords because they're so commonly used: "password," "God," "12345," and "love", among others. Not only can you count on these popular passwords to show up on hashed password lists, if you total them up, they tend to be in the top 20.

For example, let's say that you're trying to identify two hashed passwords, 8nuv89ybt7rc32rp9824 and AF23o9fasDSf0sjwfe. You know one of them is "love" and the other is "theQu1ck8" but you don't know which one is which. But, 8nuv89ybt7rc32rp9824 shows up 500 times and AF23o9fasDSf0sjwfe shows up once. Obviously the former corresponds to "love."

Encryption: Nothing Compares

Unlike hashes, encryption uses unique "encryption keys" to convert data. What are the odds of two encryption keys being identical? Lower than the odds of your body spontaneously combusting right now. The only way to "guess" an encryption key is brute force it; that is, go through every single one of them until you find it. According to some calculations, the universe will be a cold, homogeneous mush devoid of entropy before that happens.

That's some pretty powerful stuff. You don't want to be caught without backing up individual encryption keys, then, or finding out that you can't find the right one to unlock a device. Encryption key management is one of the most harrowing aspects of ensuring good data security, (and is infinitely made easier via the use of AlertBoot).

BYOD, US Borders, Laptops, and Smartphones: Fourth Amendment Rights Coming Back Home At US Borders

sang_lee — Mon, 11 Mar 2013 12:26:00 GMT

We live in an era where BYOD – Bring Your Own Device – is transitioning from niche technical jargon to everyday reality, and people are beginning to use MDM and other mobile security solutions to counter the pitfalls of BYOD. But there are places where mobile security is not welcome. For example, the use of data security tools like encryption software is enough to raise suspicion and delay you (or stop you) at the US border. The implication is that you're a suspicious individual because a password is necessary to access your device. What are you hiding there buddy, hm? appears to be the central question by the Department of Homeland Security.

From now on, the answer could very well be "that's none of your business... unless you have reasonable suspicion" thanks to a watershed decision by the 9th U.S. Circuit Court of Appeals in San Francisco, California. This is the end of the border search exception doctrine, that there are exceptions to the Fourth Amendment at US borders, as we've known it for the last ten years. From now on, US Customs and Border Protection (CBP) agents can't dig too deep into your digital possessions without a reasonable cause.

Kiddie Porn at the Center of the Case

Last Friday, the 9th U.S. Circuit Court of Appeals ruled, according to wired.com, "that U.S. border agents do not have carte blanche authority to search the cellphones, tablets and laptops of travelers entering the country." The key word there is "carte blanche." US border agents can still go through your laptop. If they want to do more than do a cursory examination, however, they must have a tenable reason.

The ruling was divided, although not controversially so: of the 11 judges, 3 dissented from the majority opinion (which is 82 pages long. Happy reading).

The ruling was a result of an arrest at the US-Mexico border. In a nutshell, a man by the name of Cotterman was singled out for inspection based on a "fifteen-year-old conviction for child molestation." Although there was nothing incriminating on his, and his family's, two laptop computers and three digital cameras (and presumably their non-digital belongings), CBP sent the laptop to a forensic examination facility. Deleted child pornography in a variety of media was discovered, including 23 password-protected files that were cracked open to reveal images of Cotterman molesting a girl. The court ruled that this in-depth digital examination requires probable cause, and that it was met in Cotterman (the dissenting opinion, in my opinion, makes a pretty strong case that probable cause was not met).

Password-Protection and Encryption is NOT Grounds for Suspicion

In the summary to US v. Cotterman, the court noted the following (my emphasis):
The en banc court wrote that password protection of files, which is ubiquitous among many law-abiding citizens, will not in isolation give rise to reasonable suspicion, but that password protection may be considered in the totality of the circumstances where, as here, there are other indicia of criminal activity. The en banc court wrote that the existence of password-protected files is also relevant to assessing the reasonableness of the scope and duration of the search of the defendant's computer.
Within the body itself, it was commented on the presence of password-protection as a suspicious factor:
the government adds another [reasonable suspicion] – the existence of password-protected files on Cotterman's computer. We are reluctant to place much weight on this factor because it is commonplace for business travelers, casual computer users, students and others to password protect their files. Law enforcement "cannot rely solely on factors that would apply to many law-abiding citizens," Berber-Tinoco, 510 F.3d at 1087, and password protection is ubiquitous. National standards require that users of mobile electronic devices password protect their files.... Computer users are routinely advised – and in some cases, required by employers – to protect their files when traveling overseas.
The majority opinion goes on to note that password protection alone, in isolation, "will not give rise to reasonable suspicion" and that "to contribute to reasonable suspicion, encryption or password protection of files must have some relationship to the suspected criminal activity."

The court also made a comment on full disk encryption:
We do not suggest that password protecting an entire device – as opposed to files within a device – can be a factor supporting a reasonable suspicion determination. Using a password on a device is a basic means of ensuring that the device cannot be accessed by another in the event it is lost or stolen.
Well, technically, it appears to be a comment on password-protection, but let's face it, if you're looking for a means that ensures that a device remains inaccessible when lost or stolen, it's encryption that you want, not password protection.

And, last but not least, the use of passwords has been described as a "basic privacy right," although I've got to wonder whether I'm quoting out of context. In the dissenting opinion (my emphasis):
Perhaps the most concerning aspect of the majority's opinion, especially given its stated stance on privacy rights at the border, is its readiness to strip former sex offenders and others convicted of past crimes (and who are, theoretically, entitled to be presumption of innocence) of even the most basic of privacy rights, such as the right to password-protect their electronic devices.... Indeed, as the majority acknowledges, making legal files difficult to access makes "perfect sense" for anyone.
Who'd have thunk it? Encryption is a type of basic right.

The case is interesting in many ways. You can find thoughtful, intelligent coverage at arstechnica.com, wired.com, and techdirt.com, among other online media.

Deleting Solid State Drives: Cleaning SSDs Almost Impossible, So Use Encryption

sang_lee — Tue, 19 Feb 2013 11:16:00 GMT

According to the National Association of Information Destruction (NAID), solid state drives (SSD) used in ultrabooks, tablets, smartphones, and other devices are proving to be a headache when it comes to end-of-life operations. Namely, the usual methods of deleting digital data – so that hardware may be discarded safely – are proving to be ineffective when it comes to flash-based storage media. This shouldn't be news, however, at least not to NAID.

The solution to the above difficulty is at least 2 years old: place laptop disk encryption at the heart of your data destruction strategy.

SSDs an Unknown Quantity

According to a NAID conference that was held in Sydney, Australia, NAID chief Bob Johnson noted that:
SSDs are an unknown quantity when it comes to being sterilised for disposal at the end of their working lives.

"There is currently work being done at the University of California, San Diego, about the best ways to make sure these solid state drives are clean before they're disposed of," he said. "Unfortunately the information out there at the moment is very squirrelly."
I'm not sure what information Johnson's referring to, but I've known for at least two years that the best way to ensure that information is properly wiped is to encrypt it and lose the encryption key:
The researchers propose an approach called SAFE (Scramble and Finally Erase) that sanitizes the stored key:

The technique, called Scramble and Finally Erase (SAFE), stores encrypted data in the drive and uses a two step process for sanitization. First, it destroys the key. Then, SAFE erases every physical page in the SSD. After this step, veriﬁcation is a simple matter of dismantling the drive and verifying that the flash chips are actually erased.

Encryption is at the heart of this technique, you'll notice, with attention given to the key's destruction.
The above is from a post I wrote in 2011 on why media sanitation requires encryption, and is based on research done by a team at the University of California, San Diego.

If that looks like déjà vu to you, it's because it's the same San Diego team that Johnson is referring to.

Encryption Sometimes CANNOT be the Solution for SSD

And now that I've revealed how encryption software is the only way to secure devices during their EOL, here's a kick to the head: under certain circumstances, encryption is not an option from a policy perspective. For example, under HIPAA.

HIPAA is a set of rules, overseen by the Department of Health and Human Services (HHS), that governs healthcare companies and their business associates. While the use of encryption is strongly encouraged to protect patient data (indeed, the director for the Office for Civil Rights at the HHS was quoted as saying "we love encryption, and those who use encryption love it, too"), there is one area where encryption is not to be used as a tool when it comes to medical data: when a device is being disposed of.

When a computer, external drive, flashdrive, or other data storage device that used to store health data is to be discarded – be it in a landfill or via a donation – the information on it has to be scrubbed. The usual methods include overwriting every sector of the storage device; degaussing it by placing the medium in a magnetic field; or physical destroying it, all of them procedures approved by NIST. Encryption, on the other hand, is not considered to be a reliable method of destroying data because it is designed to "recover" data when the correct key is applied.

This is problematic as organizations start to embrace BYOD, bring your own device. One wonders how the HHS will react as more and more devices that use SSDs – like smartphones and tablets – make their way into hospitals and other businesses that handle protected health information. Degaussing will not work, since SSDs don't store data in a magnetic medium. Overwriting does not work due to SSDs' internal workings. Destroying devices would work but is wasteful when they might still be useful to some.

Plus, I've got to assume that the owners of these devices would be quite against destroying their phones and tablets.

It seems that an exception will have to be made for flash-based devices, or that the use of encryption to "destroy" data will be accepted as a norm.