AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

October 2007 - Posts

  • Data Protection: Need, Right, And Time Should Be Extended To Mobile Devices Such As Laptops For Better Security

    In a Government Technology article, an argument is made that access to data should be granted on a need, right, and time basis.  Now, this is not a new argument, and it was directed to securing databases and their contents.

     

    The argument is that not everyone needs to have access to information on a database or databases.  Obviously, depending on one’s seniority and ranking within an organization as well as type of job one holds, the type of information that one should have access to will differ; the higher in the hierarchy, the more information one needs to access.  Along with the need, the right to access information is to be considered as well.  In fact, some would argue that the need and the right to access information are intertwined, and are not to be considered on a separate basis.

     

    The third criterion, time, is meant to curtail access to the data as necessary.  If an employee always works from nine to five, there is no reason why he should be able to access the data outside of these hours.  One added benefit of curtailing access based on hours is that, if an employee’s username and password are compromised by an outsider, the potential perpetrator won’t be able to access the data outside of business hours.  This is, apparently, an important point because most hackers will work outside of regular work hours.

     

    As stated before, the article was going into securing databases.  Most probably, such databases are physically secure as well, behind locked doors or in cages with card keys or biometric identifiers.  You can’t be too careful in this day and age.  So how does this relate to laptops?  While it makes no sense to keep a laptop behind a cage, need, right, and time can be applied to better secure your mobile devices’ data.

     

    It’s not a secret laptops today contain in them a lot more data than they should; some type of encryption technology should be used, just in case.  It’s also a fact of life that laptops need maintenance just like any other types of electronics and machinery.  If there are upgrades to be made to software or hardware, chances are that the end user will not be in charge of installing these upgrades, especially in a corporate setting.  Or maybe the device won’t boot up, so troubleshooting will be involved.  Generally, the IT department is in charge of performing such routine maintenance and troubleshooting (and salvaging) work.  Depending on who’s doing what, their needs and rights to the same computer might be different.

     

    The IT staff will need access to most ports, for example, as well as the ability to install updates and patches to computers, meaning that they will need access to downloading software and installing them.  On the other hand, this is not a right you want to give to your end-users.  After all, many security breaches occur due to unauthorized software being installed in computers.  Pfizer and Citigroup, among a dozen other companies, had data breaches directly related to the installation of peer-to-peer file sharing software, probably a violation of each company’s software policies.  So, laptops also require that access be determined based on needs and rights of each user.

     

    How would the time aspect come into play?  Well, many companies are supplanting regular desktop machines with laptops.  Regardless of company policy, workers who’ve spent too much time at the office might be tempted to take these mobile devices home, to work in the comfort and relatively stress-free environment that is their domicile.  Hopefully, the company’s IT department instituted a policy and encrypted laptops issued to workers in the workplace.  This way, the contents are protected if the laptop is stolen on the way home (the assumption must be made that people will bend or break the rules if they think they won’t be caught).  However, a better way to approach this, for certain employees, is to ensure that the employee does not take the device home.  What could be a more effective way of dissuading them from doing so than locking them out of the machine?  If they can’t access the computer outside of work hours, what’s the point—it just becomes a really expensive doorstop that has to be babied.  Better leave it at the office.

     

    At this point, many working in a corporate IT environment would probably shake their heads and say to themselves, “too complicated.  A nightmare to support.”  Well, it needn’t be.  AlertBoot allows you to easily manage group profiles in terms of what they have access to, and allows one to easily specify who belongs to which group.  This way, if somebody gets promoted (or demoted) the administrator can easily change his rights to accessing a device.  This ease of management is on top of a very streamlined procedure for encrypting multiple computers, as well as an easy way of controlling which applications and devices employees have access to (via whitelists or blacklists).

     
  • Alumni Data And University Administrative Functions: Data Encryption Is Vital, For Now

    There is news today that over seven thousand former students of the University of Cincinnati were affected in a data breach.  A flash drive with sensitive information on 7366 students and graduates was stolen from an employee’s desk.

    One of the people interviewed for the article, Cybil Pearson, stated that she had not been at the University of Cincinnati since 1997, so this is a surprising and annoying development for her.  Like many people entering their thirties, she’s probably in a state where she monitors her credit carefully as her career takes off and she begins to have several opportunities for investing assets, be it a new home or otherwise.  If somebody were to take over her identity, it would be a huge setback for her.  Trying to get things straightened out would not be easy, as detailed numerous times in the media.

    One might wonder, why is a university hanging on to this information years after graduation?  In many ways, purging information on students who are not enrolled in academia would be a way to protect former students from potential harm.

     

    However, for an academic institution this would not be an option.  For starters, admission to, and graduation from, an institution of higher learning means that you belong to a particular tribe—also known as being an alumnus (or alumna, for our female readers).  While it’s doubtful that they will sell alumni information, such as mailing addresses, the university will send former students newsletters, letters, requests for donations, and other missives.  I know I’m getting hit every year for pledges. (On a personal note, I’m not sure how they found me—I never updated my address with them.)

     

    At this point, you’ll probably be thinking, “but why keep Social Security numbers?”  I don’t know about other uses, but I recently had to get a new copy of my diploma, and one of the information fields that they were asking for was a Social Security number.  It kind of makes sense: you don’t want to be releasing an official university diploma to the wrong person.  Common names, such as Robert Smith, could match up and the wrong diploma could be issued (School of Engineering vs. School of Medicine).  But if you have a unique identifying number, such as a Social Security number, it’s much easier to verify the validity of the request, in combination with a signature, and much harder to make a mistake.  The same goes, I would assume, for issuing transcripts.

     

    Granted, lots of academic institutions are weaning off Social Security numbers as distinct student identification numbers, and issuing their own to prevent future problems.  This might not be the best method, however.  As an international student at my alma mater, I was issued a student identification number since I did not have an official US Social Security number at the time of enrollment.  When filling in the Social Security number field for the new diploma form, I knew from experience that I was supposed to provide my student ID number—except I couldn’t remember it.  And, I have not kept a copy of it because it is a student ID number; I figured it would be worthless to me once I graduated.  On the other hand, if it had been a Social Security number that was being used, you can bet I would have remembered it.

     

    Long story short: purging data is not really an option for academic institutions, unlike retailers who are required to purge stored credit card information after a certain amount of time.  They can use identifiers that have a lower potential of risk for current and incoming students, but this is not feasible for former students.  So, if that’s not an option, what could the University of Cincinnati have done or do going forward?

     

    To begin with, I would take a look at my current data security policy.  When it comes to dealing with sensitive information of current and former students, would I want people to have small storage devices such as a USB flash drive on the premises?  And if so, what contingency measures do I have in case a small storage device gets lost or stolen?

     

    Information in use implies information in motion.  Perhaps the University of Cincinnati uses flash drives to transfer data, as opposed to using e-mail which has its own set of potential problems.  If that’s the case, encrypting the data prior to transferring it to the flash drive or encrypting the flash drive itself, just like you would encrypt an entire laptop, would be necessary.  AlertBoot would’ve helped in such a situation, either with content encryption or device encryption or both.  If external storage devices are not to be used, there’s a need to control which devices can be connected and given access to computers.  Application control, another service offered by AlertBoot, would have been extremely useful for specifying what can be connected to ports, USB or otherwise.

     
  • University Sends Internal Student List To Student – Why Data Encryption Will Always Be Needed

    Eight thousand students and applicants to Duquesne University narrowly avoided becoming victims to a data breach.  Or, rather, they avoided becoming victims to personal information peddlers.

     

    A file containing mostly students’ financial information was sent by mistake to a Duquesne student, who promptly reported the incident to university officials.  The information included Social Security numbers and household incomes.

     

    This incident illuminates the constant need for file encryption.  The opportunities to send e-mails, with or without attachments, to the wrong recipients are numerous.  E-mail software such as Microsoft Outlook, where the program automatically tries to find the correct address as you begin to type the name in the “To:” field, has led to numerous mistakes for many people.

     

    I myself have experienced such instances.  Common names such as Dave, Tim, or John seem to require great restraint and caution prior to clicking the “send” button.  On more than one occasion have I felt my insides sink as I’ve watched an e-mail being sent out to the wrong person.

     

    Such problems are, obviously, accidents.  And try as one may, accidents are not going away.  While instances of one sending an e-mail to the wrong person cannot be eliminated, there is something that can be done to prevent the wrong recipient from accessing the contents of an attachment with sensitive data: encryption.

     

    In the above scenario services offered by AlertBoot could have been configured so that documents generated by a set of users are automatically encrypted.  Knowing that financial aid information must be coming from the financial aid department, a university IT administrator could configure the AlertBoot settings so that, as an example, all spreadsheets created by anyone in the financial aid department are encrypted automatically.  This way, if the information accidentally leaks out of the department, everyone can rest assured that the information is not available.

     

    As I pointed out before, accidents cannot be eliminated and the above solution does not curtail e-mails being sent to the wrong recipient.  However, it does eliminate the need for the university to cover its bases by telling students and their families to keep an eye out for suspicious activity on their credit reports.

     
  • Laptop Security As Part of Freshman Orientation?

    A new school year has started in the United States, and already there seems to be a deluge of laptop theft stories in the media.  A small number of them are covered in the national media, such as the laptop theft in Arizona that affected students in Iowa:  a former teaching assistant in Iowa had stored Social Security numbers on his laptop, and moved out-of-state.  Then there is the case of the professor’s office that was broken into at Carnegie Mellon University, and two of his five computers were stolen (I’d like to point out that’s a lot of computers in an office).  Students’ Social Security numbers were present in the stolen computers and, as far as I can tell, these were not encrypted. 

     

    Then there are the locally covered stories (read: school papers) where student laptops are stolen from classrooms, dorm rooms, student centers, etc.  Normally, I tend to skip the local stories when looking for blogging material.  After all, computer theft on campuses is nothing new.  It happened when I was a student; I’m sure it will happen when my grandkids are students.  I can only assume such incidents will level off as the school year progresses, as they did during my time.  Maybe it was because people became less idealistic into the year.  Or maybe it was because people spent more time in their rooms as the year progressed (you’ve got to study at some point).

     

    But reminiscing about my college years got me thinking that in this day and age, students have to exercise more care with their devices for a number of reasons.

     

    To begin with, there is the content.  When I was in college, you couldn’t find any sensitive material on my computer.  As a business tool, the Internet at that point was still in its infancy and not very profitable unless you were issuing an IPO, and the transmission of Social Security numbers, bank account numbers, and other information considered sensitive was pretty much nonexistent in a university setting.  I doubt many people stored such information in their computers, either.  Fast-forward ten years, and the situation is reversed.  Most college students are punching those same numbers into their Web browsers, for on-line banking, course registration, and other activities.  They might have Quicken or Money for budgeting and financial purposes, meaning a lot of banking information is stored in the computer as well.

     

    Then there is the physical aspect.  Electronic devices are much, much smaller than they were ten years ago, and hence easier to steal.  This is true for laptops as well as desktops.  In my days you couldn’t steal a computer without getting noticed.  Even if you were trying to move as fast as possible, you were a beige or grey blur at best.  Today, I could filch my co-workers’ desktops by slipping them into a backpack and strolling out.  There’s no hurry unless alarms are ringing or someone has x-ray specs.

     

    I guess the point is a lot has changed in the past ten years.  The thing is, not everything has.  I’m not sure if one can claim earth-shaking changes for door locks at the dorms and student attitudes on campuses.  I remember how I would open the door for what I assumed to be a fellow student locked out of the building.  I also remember an incident where a laptop was stolen from a laboratory, when the most rudimentary laptops cost $4000.  Only the security chain and the lower plastic portion of the machine remained behind.  Apparently, a student had propped the lab door open.

     

    Which brings me back to the subject of laptop thefts on campus.  While theft will always happen, it’s not business as usual because, as already pointed out, there is more riding on those thefts now.  Identity theft is now more of a concern than it ever was, if only because there seem to be more people attempting it as well as the relative ease in perpetrating such a crime.  The day daddy rescued his kid from having a bad credit history at graduation time (in my days due to the renegade use of credit cards) can be kissed goodbye for all except the super rich: Not too many can comfortably cover a second mortgage opened under the name of a recent graduate.  Or the first mortgage, for that matter.

     

    So, knowing that universities won’t be installing biometric identification in student rooms any time soon, and knowing that everyone runs a pretty good chance of having something stolen, how can students protect themselves from the inevitable repercussions?

     

    The answer is easy.  Students need to keep their information in encrypted format.  In the old days, when everyone stored their information in a paper-based format, people had safes, locks, and keys.  Now that we are in the digital age, a new method of keeping personal information is required.  The safe, lock, and key of the digital millennium is encryption, a username, and password.  Anything short of this is keeping your emergency funds and important documentation in your sock drawer—maybe they’ll look in it, maybe they won’t.  Maybe they’ll find stuff, maybe they won’t.  The problem with the digital era is that the thieves have stolen your “sock drawer,” so they have all the time in the world to poke around.

     
  • TSA Requires Disk Encryption Following Several Losses

    The Transportation Security Administration (TSA) has effectively ordered contractors to encrypt all data related to TSA activities.  Apparently, the tipping point was the recent loss of two laptops that carried the information of nearly four thousand Hazmat truckers.  This is not the first time the TSA has had issues with lost data: earlier this year a hard drive containing the employment records of 100,000 government workers was lost as well.  In that particular case, the information included Social Security numbers, dates of birth, payroll information, and bank account information.  The TSA got into a lot of trouble for that particular loss, as the hard drive disappeared from a controlled area at TSA headquarters.  As far as I know, the case remains unresolved and pending.

     

    Obviously, the more recent loss is not the fault of TSA, but of the contractors working for the administration—hence the order.  The TSA already has policies requiring contractors to delete data after it has been collected and served its purpose; however, I’m sure the TSA must have found, rather late, that this does not protect individuals if the devices containing the information are stolen or lost before there was a chance to delete the data.

     

    On a side note, if I may, chances are the information, when deleted, is not truly deleted.  The news abounds with researchers who were able to extract deleted data from hard drives, not that this is exactly “news.”  If by chance the thief or thieves had stolen a laptop after sensitive information was deleted, they might be able to reconstitute the data.  The software to do so is relatively cheap and easily available in the market.  While deleting data is always a good idea (let’s not make things easy for the perps, right?), it’s not really a security measure in the strictest sense: it’s about as secure as leaving your house keys under the welcome mat at the front door.

     

    I’m sure this is why the TSA is looking for contractors to sign up for encryption services such as AlertBoot.  Encryption is a powerful tool for deterring sensitive data from being read (and, consequently, abused) by criminals.  If the TSA makes a mistake, it can accept it; make and enforce changes for better security; and move on.  If outside contractors are involved who are lax with data security, the TSA still has to deal with the issues of the data breach though they’re not at fault. 

     

    An added benefit to encrypting content is that, as I sometimes mention in my posts, encrypted data cannot be retrieved in the same way that deleted data can.  The only way to gain access to the information is to know the username and password.

     

    An added benefit for people using AlertBoot?  If a laptop gets stolen, you can get rid of usernames and passwords completely so there’s no way to access the data at all.  This is a great feature if there’s a sinking suspicion that the theft was an inside job, or there’s reason to suspect that the perps somehow figured out the keys to accessing the data.

     
  • Is Disk Encryption Effective When A Trusted Employee Is Involved In The Crime?

    I read an article today where Joseph Harris, a former manager of the San Jose Medical Group, was sentenced to 21 months in prison.  He also has to pay $145,154 in restitution and will be under supervision for three years after his release.  His crime?  Stealing computer equipment from the branch he was working at and selling it on Craigslist.  The FBI got involved because one of the stolen computers had a DVD disk with patient information in it.

     

    The bad news is that 187,000 patients could have been affected by this.  The good news is that Harris made sure that nothing was in the DVD tray before selling his ill-gotten goods: FBI agents later found the disk in Harris’s car, although he initially denied knowledge of it.

     

    In retrospect, it’s not hard to see why the FBI zeroed in on Harris, although I’m sure it must have taken a lot of investigative work to sort out suspects.  There were six burglaries into the San Jose Medical Group offices after Harris had resigned.  Prior to working with the Bay Area medical care company, he had worked at the Silicon Valley Children’s Fund but was fired for conducting personal business on company time—including the selling of computers on Craigslist.  A burglary followed his dismissal and two computers were stolen from the Children’s Fund offices.  Did the FBI detect a pattern?

     

    There is no mention of what Harris’s day-to-day activities were, but let’s assume for the moment that he was a mid-level manager at the healthcare company, and for some reason had access to patient data (or at least, some of it).  His position is that of trust, obviously.  Otherwise, why give him a position that gains him access to sensitive and confidential information, right?  If he’s the one stealing equipment and data, device encryption and data encryption would be useless, since he already has usernames and passwords for accessing the data, right?  Encryption is only a safeguard when something is stolen by an outsider!

     

    Well, not exactly.

     

    With a service like AlertBoot, the status of the user profile—i.e., who gets to access what, and when—is easily managed.  In the case of Harris, since all the burglaries happened after he was no longer employed by each company, disabling his account would have been one of the administrative functions associated with his dismissal or resignation.  After all, his keys to offices, company IDs, and parking pass would have been confiscated with his leaving of company premises, not to mention disabling his phone extension, e-mail account, etc.  If AlertBoot had been installed in the company computers, disabling his access to computers would have been part of the above process.

     

    And the process is straightforward and simple.  One literally finds a name and checks off a box to disable him.  Presto!  His username and password will no longer work—no need to find all the computers he was once given access to, and disable his access to the machines one-by-one.  Subsequent burglaries would mean that sensitive data would still be secure, even if the computer ends up on Craigslist or eBay.  And there's no fear of the information being reconstituted since the contents are encrypted.

     

    If the past five years have shown anything, it's that data breaches can come from anywhere, internal and external sources.  Care must be taken to implement security measures that will be easy to implement and maintain.
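
The need, right, and time model from the first post and the one-step account disabling from the last post can be combined in a single deny-by-default check. The sketch below is an added example, not AlertBoot's code or part of the original posts; every group name, permission, user and hour in it is constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass(frozen=True)
class Group:
    """A group profile: what members may do (need/right) and when (time)."""
    name: str
    permissions: frozenset
    start: time                                  # window opens (inclusive)
    end: time                                    # window closes (exclusive)
    weekdays: frozenset = frozenset(range(5))    # days a shift may START, Mon=0

    def in_window(self, when: datetime) -> bool:
        t, day = when.time(), when.weekday()
        if self.start <= self.end:               # ordinary daytime window
            return day in self.weekdays and self.start <= t < self.end
        if t >= self.start:                      # overnight shift, before midnight
            return day in self.weekdays
        # after midnight: the shift started on the previous day
        return t < self.end and (day - 1) % 7 in self.weekdays


@dataclass
class Policy:
    groups: dict = field(default_factory=dict)    # group name -> Group
    members: dict = field(default_factory=dict)   # user -> set of group names
    disabled: set = field(default_factory=set)    # centrally revoked accounts

    def check(self, user: str, permission: str, when: datetime):
        """Return (allowed, reason); anything not explicitly granted is denied."""
        if user in self.disabled:                 # one switch covers every device
            return False, "account disabled"
        granting = [self.groups[g] for g in self.members.get(user, ())
                    if permission in self.groups[g].permissions]
        if not granting:
            return False, "no need/right for this action"
        if not any(g.in_window(when) for g in granting):
            return False, "outside permitted hours"
        return True, "ok"


def build_sample_policy() -> Policy:
    """Constructed sample data: three group profiles and four users."""
    policy = Policy()
    for g in (
        Group("staff", frozenset({"login", "read_files"}), time(9), time(17)),
        Group("it_support",
              frozenset({"login", "read_files", "install_software", "use_usb"}),
              time(7), time(20)),
        Group("night_ops", frozenset({"login"}), time(22), time(6)),
    ):
        policy.groups[g.name] = g
    policy.members = {"alice": {"staff"}, "bob": {"it_support"},
                      "carol": {"night_ops"}, "dave": {"staff"}}
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    p.disabled.add("dave")                        # dave has left the company
    monday_evening = datetime(2007, 10, 15, 20, 0)
    for user, perm in [("alice", "login"), ("bob", "install_software"),
                       ("dave", "login")]:
        print(user, perm, p.check(user, perm, monday_evening))
```

The disabled check runs first so that a departed user is refused regardless of group membership or time of day, which is the property the last post relies on.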

     