So, your company has finally decided to use full disk encryption software like AlertBoot, a centrally managed encryption software suite, to encrypt entire hard drives found on computers. But are you set, in terms of data security?
The answer will always be "no," since security is a continuous process. However, there are certain facets of data security that you must cover in order to ensure that data security breach risks are lowered significantly.
Hard disk encryption is probably one of the best ways of ensuring your data remains secure if a computer gets stolen or lost. Let's face it: sometimes you have to carry around that computer or external hard drive that contains loads of sensitive data.
Since no one can predict when something will go missing, the smart thing to do is to have data protection in place before the theft occurs (if it occurs) that will protect everything on that computer. Such is the purpose of full disk encryption.
However, full disk encryption does not protect you from e-mailing a sensitive file to the wrong person.
Where full disk encryption finds its shortcomings, file encryption can pick up the slack. Since individual files are protected, it doesn't matter that you've e-mailed the file by mistake…as long as you don't supply the unique username and password for accessing the contents of the file in the e-mail as well (advice: never do this. It defeats the purpose of encryption).
Technically, it's also a solution for protecting data at rest, since an encrypted file remains encrypted until decrypted. However, it's not an ideal solution, since the user defines what needs protection. Remember, people are usually the weakest link in information security.
So let's say that your computer is not hooked up to a network. And the computer is also stored in a room where the only way to access it is to pass an armed guard and unlock a door with biometric identification. Your data's safe, right?
Not quite. The multipurpose, omnipresent USB port can easily defeat all your fancy and costly security solutions in place. An employee, with ill intent or not, could copy the computer's data to a USB memory stick or even an iPod.
Fortunately, there is a way to disable those USB ports. Using port blocking software, an administrator can create blacklists as well as whitelists for the USB port. Devices on the blacklist won't operate when plugged into the USB port, while whitelisted devices will.
This way, you can ensure that the mouse works while preventing the connection of an iPod.
A children's hospital in the UK, Great Ormond Street Hospital (GOSH), has lost a laptop computer containing the details of 458 patients. Unfortunately, the computer did not make use of drive encryption software like AlertBoot.
Branded as a "leading children's hospital" by the BBC, it looks like it was anything but when it comes to data security…or was it?
According to various articles, the laptop computer was stolen from a secure area in the audiology department of the hospital. The data found on the laptop includes names, dates of birth, patient identity numbers, and an audiology graph. It isn't mentioned whether other information was also on the stolen laptop.
How secure was the area? Not mentioned. However, if my knowledge of hospitals is any indication, we're probably talking about a locked room. And, unlike the ER, the area was probably pretty tranquil, meaning that an opportunistic thief couldn't take advantage of the surrounding chaos to make off with the laptop computer.
On the other hand, that probably means there wasn't anyone there to stop the thief, either.
GOSH did make note that the laptop computer had password-protection in place, but I think everyone in the UK knows by now that this does not really afford security. At least, I'm pretty sure the hospital knows.
You see, they were in the process of encrypting all laptops, and provided encrypted USB sticks to hospital personnel, the latter devices being a major cause of data breaches across UK hospitals last year. If the hospital believed password-protection meant security, why would they go through the process? (Maybe because it's mandated by law, I guess? But then, they'd also know why it was mandated by law, no?)
It's hard to blame them for the latest mishap, though. Ideally, a computer would be encrypted before any data was stored on it. However, most organizations are stuck in a situation where they have to encrypt computers that are already in use.
And while encryption itself is easy (the computer does all the work), deploying it across a network usually takes time. Perhaps the use of centrally managed encryption software that can cut down on encryption deployment times would have been ideal for GOSH, in hindsight.
The US Department of Veterans Affairs has decided to settle a class-action suit that was filed in response to the theft of a laptop and external hard disk from a VA employee. The computer did not feature laptop encryption software, nor was there any type of file encryption program protecting the contents.
The settlement of $20 million will be used as reparation for vets who can prove that they were harmed by the data loss. For example, maybe they suffered from emotional distress or signed up for credit monitoring, meaning there was a cost borne by the victims.
The total number of veterans' records was 26.5 million. To date, no veteran has come forward to say that they were negatively impacted by the loss and recovery of the laptop.
(But then, with so many companies losing information left and right, how's one to know who's responsible for a particular name showing up on fraudulent mortgage applications?)
The suit, filed in 2006, had initially asked for $1,000 for each veteran that was put at risk. Obviously, that was never going to fly. With 26.5 million names, it would have meant 26.5 billion dollars. That's nearly half of Microsoft's revenues in 2007. That was a pretty extreme request.
On the other hand, this settlement is also extreme. It resolves to about $0.75 per name. It's so little, considering how much time one must spend on the phone sorting out everything. On the other other hand, $20 million is nothing to sneeze at. That's a serious hit to any organization's pocket. Besides, what's the point of squeezing more money out of the VA? It's ultimately taxpayer money, ain't it?
Chances are, there's a (un)happy medium somewhere out there, and most companies won't see such artificially depressed monetary settlements like the VA. For example, if a Fortune 100 company is sued, and the number of people affected was 10,000, chances are no one's going to settle for $7,500. That's $7,500 total.
Instead of using the above, it looks like the cost of data breaches should still rely on previously reported data.
This week, the world found out that an MP3 player, sold from a pawnshop in Oklahoma City and bought by a guy residing in New Zealand, contained the information of 60 US soldiers. Of course, this is not news, per se. There have been lots of instances over the past four years when sensitive information has been leaked via small, digital devices, which is why the use of data encryption software like AlertBoot is imperative when it comes to dealing with sensitive information.
The real reason why this data breach made headlines was probably due to the distance involved. And because of the distance, many have made assumptions regarding the story.
For example, I've read many posts of how eBay was involved and whatnot, but it looks like the guy purchased the MP3 player while in the US. Apparently, the "in" thing to do for foreigners is to saunter into a pawnshop? I know I did it once or twice.
According to several sources, the information contained in the MP3 player included names, SSNs, equipment deployed to various war theaters, pregnancy status of female soldiers, and a notice that releasing the contents was prohibited by federal law. More proof that people neither read nor follow written security policies.
By the way, the purchase was back in March 2008. He came forward nearly a year after he bought this thing…and supposedly moved to New Zealand just last month. My guess is that he wanted to leave the US, or maybe he was waiting for a regime change in the US. (Does New Zealand have an extradition treaty with the US? Something to look into, perhaps).
There are many managers that believe the use of encryption on computers will solve all of their security problems. And I'm sure there are plenty of vendors who want to sell them into this fantasy.
Wake up, people!
As the above story shows, there are plenty of ways that data can walk out of your organization. Any digital device that stores information--videos, music files, pictures, etc.--is technically a hard disk. Such devices have an added value--such as displaying said pictures or playing those music files--but their base component is the hard drive; i.e., each one is a data storage device.
It is imperative that any organization that is seriously considering data protection measures also give thought to such matters. For example, an employee hooks up his iPhone to a company computer to charge it. Conveniently enough, this also allows him to transfer work files to his iPhone, something that may be banned per company policy (but, as shown with the MP3 player, routinely ignored).
Does a company allow it to happen? On the one hand, charging the phone is necessary. On the other, you don't want to give employees the ability to trigger a data breach. Plus, if you won't allow it, can you physically enforce it?
The answer is yes. I've read of people who use superglue to shut USB ports. That's certainly one way of approaching the problem.
A more flexible solution is the use of USB port control software, which would give whitelisted devices access to a computer, while blacklisting other devices, like the iPhone above. Combine it with hard disk encryption software and you've got yourself a pretty secure platform.
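The whitelist/blacklist decision described here, and in the earlier paragraph on port blocking, sketched as an added example (not AlertBoot's or any vendor's code). The class codes are the USB-IF base class codes; the VID/PID pairs, policy sets and device inventory are constructed placeholders.

```python
# Added example (constructed data): evaluate USB devices against a port-control policy.
from dataclasses import dataclass

# USB-IF base class codes
HID, STILL_IMAGE, MASS_STORAGE, HUB, VENDOR_SPECIFIC = 0x03, 0x06, 0x08, 0x09, 0xFF

@dataclass(frozen=True)
class UsbDevice:
    name: str
    vid: int
    pid: int
    interface_classes: tuple  # one entry per interface; composite devices have several

# Hypothetical policy. The VID/PID pairs are placeholders, not real product IDs.
WHITELIST_IDS = {(0x1111, 0x0001)}   # e.g. the company-issued encrypted USB stick
BLACKLIST_IDS = {(0x2222, 0x0002)}   # e.g. a specific media player model
WHITELIST_CLASSES = {HID, HUB}       # mice, keyboards, hubs

def decide(dev):
    """Return (verdict, reason): blacklist first, then whitelist, then class
    rules; anything that matches nothing is denied (default deny)."""
    ident = (dev.vid, dev.pid)
    if ident in BLACKLIST_IDS:
        return "deny", "device ID is blacklisted"
    if ident in WHITELIST_IDS:
        return "allow", "device ID is whitelisted"
    if not dev.interface_classes:
        return "deny", "no interfaces reported"
    # Every interface must be allowed: a 'keyboard' that also exposes a
    # storage interface is denied as a whole.
    extra = sorted(set(dev.interface_classes) - WHITELIST_CLASSES)
    if extra:
        return "deny", "non-whitelisted class: " + ", ".join(f"0x{c:02x}" for c in extra)
    return "allow", "all interface classes whitelisted"

def audit(devices):
    """Map each device name to its verdict."""
    return {d.name: decide(d)[0] for d in devices}

SAMPLE_DEVICES = [  # constructed inventory
    UsbDevice("mouse", 0x3333, 0x0003, (HID,)),
    UsbDevice("media player", 0x2222, 0x0002, (MASS_STORAGE,)),
    UsbDevice("phone", 0x4444, 0x0004, (STILL_IMAGE, VENDOR_SPECIFIC)),
    UsbDevice("keyboard with hidden storage", 0x5555, 0x0005, (HID, MASS_STORAGE)),
    UsbDevice("issued encrypted stick", 0x1111, 0x0001, (MASS_STORAGE,)),
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(f"{d.name:30} {decide(d)}")
```

Vendor and product IDs are reported by the device itself, so an ID-based whitelist entry identifies a model rather than a trustworthy individual device; the class rules and default deny carry most of the weight.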
I wasn't going to bring up the Heartland Payment Systems issue, since it's been pretty widely covered. Readers of this blog know that I and others have pointed out that data encryption solutions like AlertBoot are not a panacea when it comes to data security, and that the appropriate tools must be in place for different attack vectors. The Heartland Payment Systems breach is a case in point: since malware was involved, monitoring of their networks would have been key, it seems. Chances are encryption wouldn't have done much to help avoid the situation.
However, I do bring up the story because it seems people are missing a key element.
"Move over TJ Maxx, payment processor Heartland Payment Systems has potentially leaked up to 100 million credit and debit accounts into the black market." [Ars Technica]
While I'm not singling out Ars (love their site for their insight), it pretty much embodies what everyone else is saying about the situation. I've got issues with this, for two reasons.
First, the 100 million figure comes from the fact that Heartland processes 100 million transactions per month on average. And while Ars had the sense to claim "up to 100 million…accounts," let's face it, there's no way the number of accounts affected will even remotely approach that figure.
Why? Because a person doesn't use a credit card once per month, that's why.
Remember, we're talking about 100 million transactions. I use a credit card once a day, every day--at least. I account for 30 transactions per month, not necessarily with Heartland. Even with the average American holding four credit cards, there's no way that 100 million transactions will convert to 100 million accounts. That figure is way out of proportion. (On the other hand, one ought to consider that December means lots of shopping, so that 100 million transactions figure might be depressed.)
Assuming a credit card is used only twice a month, that figure is cut in half: you may have 100 million transactions, but the number of cards affected is 50 million. Remember, this is with cards being used twice a month only, an unreasonable assumption. Chances are the usage per card would be much higher, and hence the number of accounts affected lower.
There are other factors that could affect the figures as well, exerting both downward and upward pressure. Chief among them is the fact that Heartland is not the only processor out there: how many times does a person encounter a Heartland processor? Once a month would imply 100 million accounts breached; twice a month, 50 million accounts; three times, 33 million accounts; etc. And since most people tend to shop where they've shopped before…you see where this is going.
Second reason I have an issue with the above statement: the TJX breach eventually involved 94 million cards, up from the initially reported 45 million. 100 million compared to 94 million is not so jaw-dropping. And, in Heartland's case, the breach is capped at 100 million or so, with the potential to drop significantly.
TJX's place in the annals of data breach history is pretty secure for the time being, I'd say.
What are the financial ramifications of violating Massachusetts 201 CMR 17.00? You may be familiar with some of the aspects of this law, dubbed the "Massachusetts Encryption Law" by many (although, it goes far beyond the encryption of computers via the use of laptop encryption software such as AlertBoot endpoint security systems). Supposedly, the new law has more "teeth" than other state laws regarding personal information privacy because it allows for monetary fines.
So, the natural question is how much? Nobody knows yet because it has to be tested, although the law gives us a clear idea of the potential damages.
I've noticed in my research that the figures of $50,000 and $5,000 per violation are bandied about quite a bit. I've attempted to track down where these figures come from. Looks like I'll need an actual lawyer to figure out what's what, but here are my findings to the best of my knowledge:
All of the above is in addition to the other costs of a data breach: mailing letters alerting of the breach, lost revenue, setting up call centers, etc. Sounds like signing up for encryption services like AlertBoot might be a smart move.