AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

April 2009 - Posts

  • Data Encryption On Medical USB Drives From Kaiser Permanente

    Kaiser Permanente, the HMO, is offering about a third of its members a USB flash drive filled with their medical information.  It will cost members $5 and, while it won't hold all of a member's medical information, there will be enough of it to help during an emergency.  Naturally, the information is sensitive, so the contents will be protected with drive encryption software.

    Information included in the USB flash drive includes, according to computerworld.com:

    • Emergency contacts
    • Past hospitalizations
    • Physician and contact information
    • Medical issues
    • Immunization records
    • Allergies, and other information (click the link above for a full list as compiled by computerworld.com)

    A pilot of the project was carried out last year, with nearly 600 participants.  This new offer is an expansion of that initial project to members in northern California.

    A lot of thought seems to have gone into the devices (as it should have...a year of testing ought to pay some kind of dividend).  Not only is encryption software used to protect the contents (no doubt a good portion of these are going to go missing--it can't be helped), the system has been set up so that members (patients) and doctors won't modify the information directly by writing to the disk, but via a "free service."  No mention on what this free service is, or how it's accessed.  (My guess is that members can access it on-line.)

    Of course, there are emergencies and there are emergencies.  I figure life-threatening emergencies like a heart-attack are beyond the scope of the USB stick's intended purposes.  I mean, if you're having a heart-attack, chances are you won't be able to provide the correct password for decrypting the info.  So, having that disk is pointless.

    However, if you are traveling overseas and have some kind of medical condition spring up on you, that doesn't incapacitate you, it would be extremely useful for the attending physician to know what your medical history was (all of it, not just what your selective memory can provide), and what current medication you happen to be on (also, all of it, not just what your selective memory can provide).

    Related Articles and Sites:
    http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/04/24/BU45178TO6.DTL

     
  • Hard Drive Encryption Not Present On Oklahoma DHS Stolen Laptop - 500,000 Families Affected

    The Oklahoma Department of Human Services (DHS) is notifying 500,000 households that they may be affected by one laptop that was stolen from an employee's car.  The DHS has also announced that the laptop in question only featured password protection.  If I were one of the 500,000 families, I would rest much easier if the laptop had used disk encryption software to secure its contents.

    The number of people affected is so large because the employee who had the laptop stolen was a developer of DHS programs.  She was one of a handful of people who had access to such a large amount of data.

    You know what's really stupid about the entire situation?  She "left the windows cracked in her vehicle."  Both her purse and laptop computer were stolen.  No encryption software and terrible asset protection practices.  That's just asking for trouble.

    Number Affected: 500,000 Families...One Million Residents

    According to scmagazineus.com, over one million people are being notified.

    The Personal Information Involved In The Breach

    According to the OK DHS page, it looks like you may be affected if you provided personal information to receive aid related to the following:

    • Medicaid
    • Child Care assistance
    • Temporary Assistance to Needy Families (TANF)
    • Aid to the Aged, Blind and Disabled (AABD)
    • Supplemental Nutrition Assistance Program (SNAP or Food Stamps)

    The actual information affected includes:

    • Names
    • Social Security numbers
    • Dates of birth
    • Home addresses

    The data did not contain driver’s license numbers, credit card, or banking information.

    Low Risk? I Don't Think So.  Lower Risk

    The DHS has announced that the "risk of the data being accessed is low because the computer uses a password-protected system," according to newsok.com.  I take exception to that statement.

    What the DHS really means is that the risk of data being accessed is lower because the computer uses password-protection.  It may sound like semantics but it isn't, really.  Consider the risks of falling from a 50-story building: would you say that the risks of dying are low?  It certainly would be if you compare it to the damage your body would take if jumping from a plane without a parachute.

    But, a more accurate statement would be that the risks of dying are lower than jumping from a plane on its way to Africa, but higher than slipping on a banana peel.  In other words, you need to gain some perspective.

    One way of gaining this perspective is considering how long it would take, theoretically, to gain access to a computer.  The assumption is that all systems can be broken into, given enough time.

    • No protection: 2 minutes
      All you have to do is turn on the computer, and you're there.
    • Password-protection only (Windows startup prompt): 5 minutes to 30 minutes
      The delay depends on which track you take, and how quick you are with your fingers.  I won't go into details, but one way of getting around the Windows password prompt is to hook up the hard drive to another computer.  A child can do it, and all you need is a screwdriver.
    • Using encryption: A couple of decades, maybe millennia
      Estimating how long it will take to break encryption is hard, but it's agreed that AES-128 encryption would require quite a long time.

    Now, considering the above numbers, would you say that the presence of password-protection means the risks of a data breach are low?
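    The comparison above, as an added example that is not part of the original post: a login password guards the machine's interface, while a passphrase that feeds a key derivation function guards the bytes themselves. The sample record, the `PasswordProtectedDisk`/`EncryptedDisk` models, the PBKDF2 parameters and the HMAC-SHA256 counter-mode keystream (a stand-in for AES-CTR, since Python's standard library has no AES) are all assumptions of this example, not anything AlertBoot or the DHS use.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample record, the kind of data on the stolen DHS laptop.
SAMPLE_RECORD = b"name=Jane Doe;ssn=123-45-6789;dob=1970-01-01;addr=1 Main St"

PBKDF2_ROUNDS = 200_000  # assumed work factor; raise it as hardware gets faster


def _derive_keys(passphrase, salt):
    """Stretch a passphrase into separate encryption and MAC keys (PBKDF2-HMAC-SHA256)."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR, which stdlib lacks)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_at_rest(passphrase, plaintext):
    """Return salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def decrypt_at_rest(passphrase, blob):
    """Verify the tag first; a wrong passphrase or a modified blob is rejected, never decrypted."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class PasswordProtectedDisk:
    """Models the 'password-protected system': the check guards the login, not the bytes."""

    def __init__(self, password, data):
        self._password = password
        self.raw_bytes = data  # what is actually written to the drive

    def read(self, password):
        if password != self._password:
            raise PermissionError("login denied")
        return self.raw_bytes


class EncryptedDisk:
    """Models disk encryption: the passphrase is an input to the key, not a gate in front of it."""

    def __init__(self, passphrase, data):
        self.raw_bytes = encrypt_at_rest(passphrase, data)

    def read(self, passphrase):
        return decrypt_at_rest(passphrase, self.raw_bytes)


def exposed_when_drive_is_moved(disk):
    """Attach the drive to another machine and read it raw: is the SSN sitting in the bytes?"""
    return b"123-45-6789" in disk.raw_bytes


def brute_force_years(key_bits, guesses_per_second):
    """Expected years to search half the key space at a given guess rate.

    Caveat: with a passphrase-derived key, the passphrase's entropy (and the
    KDF work factor), not the nominal key length, bounds the real work factor.
    """
    return (2 ** (key_bits - 1)) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("password-only, drive moved:", exposed_when_drive_is_moved(PasswordProtectedDisk("hunter2", SAMPLE_RECORD)))
    print("encrypted, drive moved:   ", exposed_when_drive_is_moved(EncryptedDisk("correct horse", SAMPLE_RECORD)))
    print("128-bit key at 1e12 guesses/s: %.1e years" % brute_force_years(128, 1e12))
```

    The two `read` methods look identical from the keyboard, which is why "password-protected" sounds reassuring; `exposed_when_drive_is_moved` is the screwdriver scenario from the list above, and only the encrypted model survives it. `brute_force_years` makes the "decades, maybe millennia" line concrete for the key itself, but note the caveat in its docstring: a weak passphrase, not the cipher, is what an attacker would actually guess at.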

    Related Articles and Sites:
    http://www.tulsaworld.com/news/article.aspx?subjectid=11&articleid=20090424_11_A11_TheOkl984763
    http://www.newsok.com/oklahoma-dhs-data-loss-puts-1m-at-risk/article/3364058
    http://www.upi.com/Top_News/2009/04/24/Stolen-govt-laptop-has-info-on-1-million/UPI-31911240578090/

     
  • Cost of Data Breaches: Lost Laptops Cost $50,000 Per Incident

    According to Intel and the Ponemon Institute, the true cost of a stolen laptop is closer to $50,000 than it is to $5,000, the (admittedly overpriced) value for replacing the machine.  The ten-fold difference is attributed to the missing data and associated activities, and underscores the importance of data security products like hard disk encryption from AlertBoot endpoint security solutions.

    Ponemon Study Details

    A copy of the whitepaper can be found here (direct link to PDF download).

    • 138 lost or stolen laptops over a 12-month period studied
    • 29 organizations involved, including government agencies
    • 80% of the $50,000 figure is attributed to the data ($39,000)
    • Lost intellectual property accounts for $5,000
    • Replacement of equipment, productivity loss, investigations account for the remaining $5,000

    As the San Jose Mercury News notes, the FBI placed the value of a lost laptop at $89,000, when a study was conducted several years ago.

    Also of note: the study found that the true cost of the lost laptop depends on how quickly a company realizes a laptop is lost: if the breach is noticed on the same day, the average cost is nearly $9,000.  Wait a week or longer, and the average cost has ballooned to a little over $115,000.

    And of even more particular note:

    "encryption on average can reduce the cost of a lost laptop by more than $20,000."

    Who Owns It?

    Another factor that has a bearing on the actual cost of the lost laptop?  Who owns it, which is not a surprise.  A director's or manager's laptop costs over $60,000, while a senior executive's lost laptop would cost a company almost $30,000.  Apparently, the lower you are on the totem pole, the greater the consequences of a breach.

    Who's Most At Risk?

    • Consulting firms
    • Law firms
    • Firms in the financial industry
    • Healthcare organizations
    • Big pharma
    • Technology firms
    • Educational firms

    In other words, any companies with significant client lists and significant revenue.  Makes sense.  The more people you serve, the more letters you have to mail out (a simplistic way of viewing things, but I'd say the law of big numbers is only too relevant in such instances).

    Internetnews.com seems to have hit up Dr. Ponemon for an interview regarding the findings.  Pretty good read, if you'd like some additional information not covered in the Intel whitepaper above.

    Make sure you read the second page of the article, where issues regarding backups are briefly discussed.

    Related Articles and Sites:
    http://www.bizjournals.com/phoenix/stories/2009/04/20/daily48.html
    http://www.pcmag.com/article2/0,2817,2345800,00.asp
    http://www.realtechnews.com/posts/6614

     
  • Hard Disk Encryption Not Used On Aberdeen Royal Infirmary Laptop Computer

    Looks like the data troubles for the UK National Health Services won't ebb away any time soon.  The Aberdeen Royal Infirmary has reported that it's missing a laptop computer with sensitive information.  It looks like there was some thought given to data security, but the lack of appropriate information protection software like data encryption from AlertBoot is troubling.

    The NHS Grampian has announced that the stolen laptop contained the details of 1,392 patients, including names, addresses, birth dates, and clinical information which was coded.  The information is double password protected (whatever that means.  I just don't trust password-protection).

    The laptop was stolen, according to the BBC, "from a locked office in a locked corridor in the [gastro-intestinal] department."  There is no mention of how the office was accessed.  Makes me wonder if this is another case of "let's break a window--there's too many locks in this place!"

    Practicing Security

    It's hard to fault Aberdeen for the data breach.  Consider what they had in place:

    • Double-passwords (again, I'd have preferred--nay, demanded--the use of hard disk encryption)
    • Locked doors
    • Laptop stored in a cupboard.  I'm assuming that it was basically hidden from view
    • Has issued a press release with the ID numbers for the computer: NHS Grampian identification number (NHSG4422) and computer serial number (HUB60310Y8)
    • Has sent notification letters to all affected within a week of having the breach

    Yes, the laptop is still missing.  And I'm not too crazy about the lack of encryption.  However, when you take a look at the above, you can tell that this is one hospital with a data security policy, and more importantly, that these policies were being followed, which is more than I can say for most hospitals that experience a data breach.

    I'm not sure, though, if the person(s) who drafted up these security policies can be excused for believing it was good enough.  Granted, the data's safer because there are the locked doors and double-passwords.  But if you're going to require people to memorize passwords, why not employ encryption as well?  I mean, encryption still requires the use of passwords and actually provides data security (plain password protection does not while still requiring a password).

    Encryption is not overkill when it comes to data security.  Having 200-lb armed security guards with no excess fat posted to protect each and every computer--now that's overkill.  Encryption, when it comes to computers that contain sensitive data, is just good sense, perhaps even common sense.

    Related Articles and Sites:
    http://news.scotsman.com/health/Patients-are-alerted-as-details.5202143.jp
    http://www.allheadlinenews.com/articles/7014905054
    http://www.eveningexpress.co.uk/Article.aspx/1184983

     
  • Disk Encryption Software: OESC Loses Flashdrive With Information On 5500 People

    The Oklahoma Employment Security Commission has alerted more than 5,500 people that their private information was on a lost flashdrive.  Drive encryption was not used to secure the contents of the missing drive, which could be problematic.

    The private information included names and SSNs, and the earnings of corporate officers at more than 80 businesses.

    According to spokesman John Carpenter, an employee copied the information to a flashdrive when his computer became infected with a virus.  The flashdrive was subsequently lost during a conference trip in Dallas.

    The above story is amusing (ironic?) in the sense that the employee was concerned enough to copy data off of a computer because of a virus, thus practicing data security, but not concerned enough about losing a USB disk.  He should have had the content encrypted.

    I think I read a comment somewhere about how the employee involved in the breach should be investigated for "criminal intent."  Are you kidding me?  People don't report the loss of data if they had a criminal intent to begin with.  Most likely, the only thing "criminal" about this is the amount of hubris the employee showed by assuming that everything would be perfectly safe.

    Unfortunately, this hubris is hard-wired into every one of us.  If I'm not wrong, some study showed that 80% of people believe that they're better than average drivers, which can't be correct when you work out the numbers: at least 30% are wrong.  And study after study shows that we overestimate how good we are at something.

    It's the same sense of superiority that has people thinking, "hey, it's not going to happen to me," leading to hilarious results that end up videotaped and shown on YouTube.

    Lack of Encryption + USB Flashdrive = Déjà Vu

    I've already covered a couple of stories regarding USB security, including how to provide USB protection when it comes to accessing the hardware ports on a computer (hint: it doesn't involve super-gluing parts).

    What the OESC may want to do is to put better data security policies in place--slightly more restrictive ones.  The breach happened because information was copied off to a USB drive.  The use of whole disk encryption on office USB sticks would minimize the chances of a data breach.

    And if company policy is to never have data copied off computers (CDs, USB flashdrives, external HDDs, etc.), then they should just block the USB ports.

    Related Articles and Sites:
    http://www.newson6.com/Global/story.asp?S=10225245
    http://www.ktul.com/news/stories/0409/615603.html

     
  • Data Encryption Software For Small And Medium Sized Businesses - Overkill?

    Stories about data security breaches are commonplace in the news.  Generally, such stories tend to cover breaches at large organizations: Fortune 500 companies, governments the world over, the military, etc.  Based on what’s reported, one would assume that it's only the big guys that need data encryption software like AlertBoot endpoint security systems.

    Such an assumption makes sense.  Large companies have more people.  More people means more computers.  And with each computer being a node for a potential data breach, chances are that a big company will have more instances of data breaches.

    Notice, though, that I wrote "more instances" in the last sentence.  Small and medium-sized business will have breaches as well; it's just that they won't have them as often.  And that may give SMBs a false sense of security.

    A Breach Affects Big Companies And SMBs Differently

    While small and medium businesses won't experience breaches as often, the effects can be even more disastrous.

    Consider the resources a big company has versus an SMB: big companies have deep coffers; they have outside counsel on retainer; they have PR departments.  In other words, it's a machine that can take on most challenges.  And as long as a company doesn't go out of its way to perpetrate all-out fraud--so that the government comes after them in full force--the company will usually survive a damaging situation.  I mean, notice how Union Carbide is still in business, despite its travails at Bhopal, India.

    But what about SMBs?  Chances are an SMB doesn't have the resources of a Fortune 500 company.  What would happen if they suffered a data breach?  My guess is that the negative consequences would have a magnified effect on them.

    For example, take the issue of customer turnover.  TJX suffered one of the biggest (or, rather, the biggest to date) data breaches of all time, which was caused in part by their decision not to upgrade their data security.  And yet, TJX found that their revenue numbers didn't suffer after the breach.  In fact, sales grew, which was contrary to expectations.  Many were expecting customers to stop shopping with TJX in disgust.  Polls conducted on customers showed an agreement with such assessments.

    So, what happened?  Does this mean customers didn't care about the breach?  Study after study shows that this is not the case: people get angry when their information is breached, and businesses have felt the impact of irate customers--with the exception of TJX.

    I opined a couple of years back that TJX didn't face repercussions because people who already shop at TJX can't stop shopping there--they really don't have options (price and distance...kind of hard to find a Wal-Mart right next to TJX and vice versa.  And, if you're shopping at a Wal-Mart or a TJX, chances are you won't be shopping at Target).  Being a low-priced behemoth in a 50-mile radius has its benefits.

    But SMBs?  Customer turnover resulting from a data breach could be disastrous.  Unless an SMB is a monopoly in its field, chances are there will be noticeable customer turnover.

    And what if they're sued?  There could be serious damage.  Remember, small and medium-sized companies are designated as SMBs because they have a low employee count, not because they serve a small number of customers.  In fact, the number of customers at some SMBs rival some of the smallest Fortune 500 companies.  If all these customers file suit with an SMB…well, they could choose to vigorously defend themselves, but they don't have the resources of bigger companies.

    A long story short: SMBs are in greater need of minimizing the chances of a data breach from occurring.  For large companies it's a matter of making next quarter's numbers; for small companies, it could be a matter of survival.

    Data Protection For SMBs - Not Overkill, Just As Necessary

    And from a survival perspective, it may turn out that investing in data protection is not overkill, but even more necessary for SMBs.  In fact, I don't see how any security measure can be overkill: the requirements for protecting the data of a small business will be pretty much the same as for big businesses; the difference will lie in the scale.

    For example, all types of businesses need firewalls; data encryption software for laptops, desktops, and external drives; file encryption software for files that are copied around, say, via e-mail or to a CD.  But, bigger companies need more of them: more licenses for hard drive encryption software, for example.

    So, if there are any SMBs out there that believe that, because they’re copying the strategies employed by their bigger brethren, they’ve gone a little overboard, this may not be the case.

    Are you employing the same strategies but scaling it down to what your needs are?  If you are, you haven't gone overboard, you're just being smart about data security:

    • You use laptop data protection, but not at the scale the NSA would employ it.
    • You host information at a data center that employs a high level of security.  But, it's nothing like that of a Wall Street investment bank that has a data center six stories underground and protected by a SWAT team-equivalent.

    Same technologies, same tools, same practices--just a little lower in intensity than what the big guys use (but, of course, still following accepted secure practices--there's no point in having "security as a show" solutions).

    Granted, the use of encryption means that there are background processes that need to be taken care of, such as encryption key management, which are not easy to do for the average person.  But, there are services out there that offer encryption as a service which will take care of a lot of the headaches that would require hiring an IT and security consultant.

     