in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

January 2009 - Posts

  • Data Encryption Software: UK Government Departments Deny Weak Data Security

    Several media outlets are passing on a report by the Financial Times that stated the Department of Health and the Department of Transport in England are allowing employees to download information to unencrypted USB memory sticks.  Both departments are denying those findings and, based on their responses, it looks like at least one of them is using data encryption software that has an option to encrypt any USB devices plugged into a computer, virtually identical to a feature available in AlertBoot endpoint security systems.

    A spokesman for the Department of Health said that "data is automatically encrypted before it is transferred to a removable format."

    USB Port Control and Encryption

    There are lots of data security solutions out there, and some offer features that others have not thought of.  A security feature that's pretty useful when it comes to USB devices is the USB port control, where one can specify which devices will work with a computer's USB port.  If a device is not on an authorized list, the computer will not recognize the device.  End of story.

    However, AlertBoot offers an additional solution: you can have it programmed so that any memory devices--be it a USB memory stick or an external hard disk--starts encrypting the moment it's plugged into a computer.  This way, the enduser doesn't need to remember to encrypt the USB device if sensitive documents end up on it.  Remember, the weakest link in any data security scheme is people: this automatic process helps eliminate part of that weak link.

    Of course, there are problems associated with it.  For example, if you connect an iPhone to a work computer that has this USB security feature enabled, that phone's gone.  Which makes it really important for employees not to stick stuff into those USB port.  If people were not following policies before, they certainly will now.

    Forcing Encryption vs. Enforcing Encryption

    If you read the articles, you'll notice that the issue of security is nebulous: "A spokeswoman from the Department for Transport said only encrypted memory sticks may be used to connect to the department's IT network."

    Does this mean that encryption is being used?  Or does it mean encryption is supposed to be used?  Based on wording, the Financial Times accusations may have some bearing.

    The technology to stop employees from transferring sensitive data to unsecured media like USB memory sticks exist, and have existed, for years now.  Indeed, many companies that offer centrally managed encryption solutions also offer USB port control as an added service (sometimes, for free).  However, management must actively pursue its implementation.

    If management has decided that employees must bear the onus of encrypting data, it has abrogated its responsibilities.  Written policies have their place, but if workplace practices show that the policies are not followed and cannot be enforced (or will not be enforced), it is up to management to find a way that works.

    The Department of Health seems to have chosen this latter option; the other departments cited look as if they have not.  What are the chances that the next data security breach will come from this latter group?  Very big.


    Related Articles:
    http://www.publicservice.co.uk/news_story.asp?id=8186
    http://www.telegraph.co.uk/news/newstopics/politics/4220321/Government-failed-to-clamp-down-on-data-loss.html
    http://news.zdnet.co.uk/security/0,1000000189,39591098,00.htm

     
  • Massachusetts Encryption Law Compliance Checklist

    (Update, Feb 16, 2009: All dates for meeting compliance have been extended to January 1, 2010)

    Sometimes, if you surf the net long enough, you end up uncovering a gem, such as this checklist published by the Commonwealth of Massachusetts.  Titled "201 CMR 17.00 Checklist," it was compiled by the OCABR "to help small businesses in their effort to comply with 201 CMR 17.00."

    As the paper notes, it's not meant to be comprehensive, but it will show you the least you need to do to be in compliance with the law, which goes into effect on May 1, 2009, with certain, specific issues going into effect on January 1, 2010.  Originally, the compliance date was January 1 of this year, but was pushed back to give businesses some breathing room.

    And without further ado, here's the link:

    http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf

    The checklist shows why this new law is not just about encryption.  Sure, there are items that can be successfully resolved via the use of file encryption software programs like AlertBoot data security solutions.

    But then, there are others aspects of the law that cannot be solved via encryption.  For example, encryption can't keep your malware software up to date, nor can it train your employees about data security.

    So, keep that in mind--and start early: compliance will take time.  And hire a lawyer or someone who can actually guide you through the process.

     
  • Massachusetts Data Protection Law Encryption Requirement: You Must Use 128-Bits Or Higher

    (Update, Feb 16, 2009: All dates for meeting compliance have been extended to January 1, 2010)
    Note: If you're looking for more details / general coverage regarding the Massachusetts data protection laws (aka, 201 CMR 17), go here. This page is commentary to the 128-bit requirement under 201 CMR 17.00
    • What's 128-bit encryption?
    • What's a confidential process?
    • Huh? No confidential key?

    There's laptop encryption software, and then there's laptop encryption software.  What differentiates one from the other is, usually, the encryption key and whether the theory behind the algorithm makes sense.  It looks like the Massachusetts legislators had this in mind when they were drafting up the 201 CMR 17.

    I've done some research into the Massachusetts information security law, and apparently the definition of encryption is 128-bit encryption or higher "without the use of a confidential process or key."  I can't believe I've missed it before; it's right there.  I guess it's because I'm not a lawyer, and my eyes glazed over the first couple of times I've ventured into reading these things.

    Also, I happen to know (but never verified) that regulations regarding encryption have never spelled out the finer details.  The laws jus say "must be encrypted" and leave it at that.  This 128-bits or higher, spelled out in black and white, is a first, as far as I know.

    What's 128-bit Encryption?

    2 x 2 x 2 x 2…128 times (also expressed as 2^128); that's what 128-bits represents.  The strength of any encryption algorithm comes from the length of the keys.  The longer it is, the stronger it is.  More importantly, the longer it is, the more random the encryption key can be in its combination of ones and zeros--the real source of encryption's strength.

    On a further note, 256-bit encryption is 2^256.  This doesn't represent twice the protection, but nearly three trillion trillion trillion trillion times more protection (or, 3.4 x 10^38, a result of dividing 256-bits by 128-bits).

    What's a Confidential Process?

    What the legislators probably are referring to is the use of "secret" encryption algorithms.  Most of the heavy duty algos used by the pros, like the CIA and FBI, are based on "open" encryption algorithms: they are sound in theory and sound in practice as well.

    However, once in a while a company will announce a secret, revolutionary encryption.  It will work for a while until some mathematicians test it out--no thanks to the company that's offering this secret algo--and it's revealed as a very insecure algorithm.  At this point, your data is not considered to be "encrypted."

    Two open, non-confidential processes are RSA and AES.

    Huh? No Confidential Key?

    This one's a head-scratcher.  It sounds like the legislators are referring to the encryption key.  But, the encryption key has to be kept confidential.  Otherwise, every single email, document, file, and hard drive you encrypt can be busted open using the key.

    In fact, if you lose your encryption key, chances are your data will be inaccessible--pretty much forever. (Hint: if you're encrypting stuff, make sure you keep your encryption key in a safe, secure place.  Some people write it down and lock it up in a bank security box.)

    Definitely a head scratcher.  Well, there is some controversy that the law is not written as clearly as it should be....  At this point, I'd say that what works for the NSA, the CIA, the FBI, and military operations in active theaters would probably work for civilians like you and me.

    As far as I can tell, AlertBoot satisfies all of the above conditions.

     
  • Hard Disk Drive Encryption Not Used On Missing Blue Ridge Community Action

    Blue Ridge Community Action's (BRCA) mission statement begins with the words "Helping People to Help Themselves in Partnership With the Community..."  After the data breach they've had, the BRCA's community may find itself helping themselves a little bit more.  If only they had used some type of hard disk drive encryption program, like AlertBoot, to protect their data....

    According to the BRCA Executive Director Mattie Patterson, an unnamed employee with BRCA found that an external computer hard drive was missing on December 31, 2008.  (That…does not portend well for the new year.)

    The drive was being used as backup solution, so information on approximately 300 people who had used the organization's services in the past four or five years is missing, including Social Security numbers.

    It is not known whether the drive is merely lost or stolen, although, does it really matter?  It's been missing for two weeks now, and if it hasn't turned up by now, it strongly indicates it's probably been stolen.  I mean, not even the Japanese have invented external drives that walk off on their own, and that country has invented its more than fair share of weird and useless stuff.

    There is no mention of whether data protection measures were in place for the missing disk, so it's a safe bet to assume that there wasn't.  Bad news.

    What Does This Mean?  Do These 300 Have To Worry?

    I'd say yes.  From the context of the story, it sounds like all of the affected were financially strapped or in help of community support.  Hardly the types to have lots of money in their bank accounts.  But, also, the types that may suffer extremely from losing what little they may have in their bank accounts.

    And, it wouldn't be beneath a thief to go after such funds.  The bigger problem, though, is that with a name and SSN, a lot of more harm can be realized.

    • Loans can be applied for, and the debt collector will come after the original SSN holder.
    • Strangers can sign up for jobs, and the IRS will come after the SSN holder for taxes owed.
    • A suspect with a fake ID could end up being booked by the police, and the original SSN holder is now listed as a criminal.

    It's hard to list all the things that could go wrong, but let's put it this way: the BRCA won't be able to help resolve any of them.

    The one thing--the least--the BRCA could have done is to encrypt that sensitive information.  Sure, it's an added cost (and, in some cases, a small added cost), but it's definitely worth it.  And it's value tends to rise the more there is to protect, since encrypting a file with 300 names is no more expensive or costly than encrypting a file with 300,000 names.


    Related Articles:
    http://www2.morganton.com/content/2009/jan/13/lost-brca-hard-drive-contains-300-social-security-/
    http://breachblog.com/2009/01/14/brca.aspx
    http://www.brcainc.org/

     
  • Hard Disk Encryption Not Used On Recovered Seventh Day Adventist Laptop

    A letter filed with the New Hampshire Attorney General reveals why relying on just laptop tracking software is not an ideal method for dealing with data breaches.  While such software is great for recovering stolen hardware, data breaches ultimately revolve around information.  Information could take on the form of hardware--papyrus, scrolls, stone tablets--but, they don't necessarily need to.  Only restricting access to sensitive information, for example, via the use of hard disk encryption software like AlertBoot endpoint security systems, can minimize the chances of a breach.

    According to the letter, filed by Seventh-day Adventists Retirement Plans, an employee lost a laptop computer that contained sensitive information, including Social Security numbers.  The laptop was recovered four days later, but because they can't account for the whereabouts of this computer, they've signed up with Kroll, a risk consulting company that offers ID theft-related services.

    The letter doesn't mention either encryption or laptop tracking software, but I assume that the former wasn't in place and the latter was, based on the subsequent events to the theft.

    Is Computer Tracking Software "Worth It?"

    I'd answer an emphatic "yes" because I don't discount human nature.  In other words, there are those instances where you just have to get that computer back.  Maybe you didn't back up your data, so the only remaining copy of an agreement is on that computer.  Or, perhaps due to VPN software on that laptop, it's the only way for you to connect with corporate servers.  It's worth something to recover data.

    But, data recovery is not data security.  If you're looking to prevent a thief from getting his hands on hundreds of names and SSNs, relying only on tracking software is a race against time--and the thief holds the advantage.  Copying a file takes minutes, perhaps seconds.  Tracking a laptop, dispatching the law, and getting a hold of the criminals?  It takes much longer.  And who knows what the thief may have done in the meantime?

    Plus, most tracking software uses the internet to locate the stolen goods.  As long as the thief decides not to get on-line, you're out of luck.  So, not only is there a question of "what happened while the laptop was out of sight," the entire thing centers on whether the thief will take a particular action.

    This contrasts sharply with whole disk encryption or file encryption solutions.  Time is on your side if a thief tries to force his way in:  with modern encryption, it will probably take years to get access to the data, most likely decades, if not centuries.  Plus, encryption doesn't depend on the thief's actions to kick in.  Encrypted data will remain encrypted unless someone, most likely the person who encrypted the data in the first place, decides otherwise.


    Related Articles:
    http://doj.nh.gov/consumer/pdf/seventh.pdf
    http://www.databreaches.net/?p=609

     
  • Massachusetts Encryption Law: It's Not Just About Encryption

    If you think that the "Massachusetts encryption law," more formally known as regulation 201 CMR 17.00, is about encryption, you're in for a rude awakening.  Yes, there are provisions for the use of data encryption software for protecting personally sensitive data, and for which centrally managed encryption software companies like AlertBoot will be able to offer a solution

    But, there are also other provisions where encryption won't help at all.  This encryption law, as many are calling it, involves more...much more.  It would be more accurate to call it a personal information protection law, more than anything else.

    If you're looking for some details regarding 201 CMR 17, including deadlines, you may want to take a look at an earlier post.

    Some Rules of Thumb for Massachusetts Encryption Law

    If you're looking for quick pointers, here are some rules of thumb (obviously, this is not legal advice, although I've tried to incorporate any specifics found in the regulations):

    • Use at least 128-bit encryption to protect any personal data that's going to move from point A to point B.  This includes not just data sent via e-mail and laptops, but also found in external hard drives, USB memory sticks, CDs, etc.--anything that can easily move around (and get lost)
    • Secure your networks (use firewalls and wireless encryption, for example)
    • Educate yourself and your employees about data security.  You'll know you did this correctly when:
      • Access to sensitive data is restricted based on function
      • People stop sharing passwords with each other
      • People stop sticking passwords to their computer screens
    • Dispose of personal data carefully.  This applies to both digital as well as analog data
      • Got paper documents that list SSNs and names?  Shred them
      • Dumping computers and other electronic data storage media?  Don't just delete the personal data; make sure you write over it (or even better...dump your computer in its encrypted state)
    • Know where you're keeping personal data.  Otherwise, how are you going to protect it?

    On a general level, the law is attempting to protect personal data at all stages: retention, transfer, and disposal.  Also, the regulations try to shore up the weakest link in data security: people.  Or rather, people who don't have data security in their mind.

    Still Think This is "An Encryption Law?" 

    Encryption is the easy part to comply with this law.  With centrally managed encryption software like AlertBoot, you can start encrypting computers' hard drives with the briefest internet connection.  We're literally talking about encrypting hundreds of drives in hours--not days, weeks, or months.

    The hard part will be securing networks and educating employees.  In fact, if you think about the time invested, it may be more accurate to call this law the "Massachusetts law for educating employees about the importance of data security so they'll take action."  Doesn't quite have the same ring as "encryption law," though.

    Time's running out.  The general compliance date is May 1, 2009 (Update, Feb 16, 2009: All dates for meeting compliance have been extended to January 1, 2010), which includes the encryption of any laptops that contain personal data.  After that date, if you're caught not having the appropriate safeguards...the law allows for fines of up to $5,000 per violation.  Supposedly, "per violation" essentially means "per personal data record breached."

    That means that if you lose the data of 10 people, you're facing a maximum fine of $50,000.

    Ouch.

     Related Sites:

    http://www.mass.gov/?pageID=ocaterminal&L=3&L0=Home&L1=Business&L2=Identity+Theft&sid=Eoca&b=terminalcontent&f=idtheft_201cmr17faq&csid=Eoca

    http://www.mass.gov/?pageID=ocamodulechunk&L=1&L0=Home&sid=Eoca&b=terminalcontent&f=idtheft_201cmr17&csid=Eoca

    http://www.mass.gov/?pageID=ocapressrelease&L=1&L0=Home&sid=Eoca&b=pressrelease&f=081114_IDTheftupdate&csid=Eoca

     
More Posts « Previous page - Next page »