AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

April 2010 - Posts

  • Portable Drive Encryption: SFN Professional Services Tatum Division Has Breach

    The SFN Group has notified the New Hampshire Attorney General that they recently suffered a data breach.  Based on the circumstances, it's quite apparent that disk encryption solutions like AlertBoot could have helped in this instance.

    Breach in Georgia

    While the letter addresses the AG in New England, the actual breach took place in Atlanta, Georgia on March 24, 2010.  An external hard disk drive was stolen from an employee's car which led to the breach of employee information, including names, addresses, and Social Security numbers.

    The letter to the AG specified that two New Hampshire residents were affected by the breach, but the total extent of the problem is not specified: for example, one imagines that Georgia residents were affected as well--assuming the employee was based out of Georgia, and was not based out of NH and had driven all the way to Georgia--but this is an unknown as of yet.

    Also, it is unknown whether the breach is company-wide or just affects the Tatum division of SFN Professional Services, which reported the breach.

    Creating a Policy for Sensitive Data Downloads

    The SFN Group letter states that they are looking to shore up any inadequate aspects in their security.  Specifically, they have already prohibited the downloads of sensitive data to unencrypted external devices.

    Which is great, but doesn't change anything from a practical perspective.  After all, if an employee is not aware of such a policy, or if he forgets about it, how much good is it going to do?

    (I've heard someone state that employees will remember it "if they're certain to be fired by violating it."  I guess...but, in my experience plenty of people forget their passwords to customer contact information protected with encryption software, which they need: if they don't sell, they don't eat.  I mean, if they forget the passwords to this stuff, why would they remember a policy that is lost in a world of policies?)

    Perhaps a better solution might be to ensure that:

    1. Only encrypted portable drives are used in an office.  This can be done by using port control software that allows only a specific set of portable drives to connect to a computer.  Employees usually don't go out of their way to buy the same specific external drives that their employers use.
    2. Encryption is forced on any external storage devices.  This is a feature that is available in AlertBoot.  Not only does it encrypt any portable storage devices connected to an already encrypted computer, the solution forbids the device's use outside a particular group of computers (your encrypted USB drive may work with Bob's computer two desks over, but not with the computer of the guy you know over at HR).

    Of course, the two suggestions above are not optimal solutions.  For example, what if an employee goes out of his way to buy the same model portable drive used by the company?  Or what if half the employees in your company use iPhones, and must charge them via the USB port on their work computers? (Option #2 would essentially turn these into bricks.  Shiny, fingerprint-attracting bricks).

    However, these and other similar options probably would be more effective at preventing data breaches than a technology and data policy issued by a faceless department.

    By the way, I'm not claiming that such policies, and educating employees about such policies, are unwarranted, unnecessary, or undesirable.  I'm just noting that, in this day and age where data breaches can lead to sizable fines, companies might need to go a little further in their data protection than just relying on their employees to do the right thing.


    Related Articles and Sites:
    http://doj.nh.gov/consumer/pdf/sfn.pdf

     
  • Drive Encryption Software: A Seven Year Breach...At ESB

    ESB Financial--the parent holding company of ESB Bank, with three branches in Kansas--has announced a customer data breach that took place 7 years ago.  It involved an outside contractor, and due to the circumstances, data encryption couldn't be used to prevent the breach.

    Data Breach Seven Years Ago, Information Found Recently on Internet

    The breach occurred seven years ago, when an outside consultant made off with customers' details in his laptop computer.  Not that the consultant meant to do so.

    Apparently, there was some data going back and forth as part of a project that required the outside specialist's skills.  Bank policies regarding data were not followed, and the next thing you know, that information passed bank perimeters in the form of a backup disk.

    Seven years later, someone is surfing the web when they stumble upon the information.  It should be clarified that the data that was breached belonged to the bank, but the bank was not actually directly involved.

    Information on a total of 3,097 customers was affected, including names, addresses, account numbers, and SSNs, although the latter did not affect everyone.

    What's left me confused about this entire thing is, how did the information make it to the internet, where Google ended up indexing the information?  It implies that the backup was hooked up to a network?  Perhaps I'm missing some critical point.

    Encryption is No Panacea

    This event shows why information security requires multiple forms of protection.  I often point out that tools like encryption software are required because people don't follow company information security policies.

    I'm also apt to point out, in the same breath, that educating people to follow company policies is an integral part of good data security practices.

    These two observations are not contradictory.  Rather, they are complementary.  No one follows all of the protocols all of the time, not even the people who dreamed up the rules (well, some do...rarely).  Encryption is meant to shore up any weaknesses that may result from this; it's never meant to be the cure.

    Indeed, when you think of all the different ways you can have a data breach incident, it's remarkable that people can follow half or more of the policies listed at any given time.


    Related Articles and Sites:
    http://www.emporiagazette.com/news/2010/apr/23/esb-tells-customers-leak/

     
  • Key Management - An Essential Part of Encryption Deployment

    (This is a continuation to a blog post titled Encryption: The Only Data Security Method That's Easy.)

    The importance of encryption key management cannot be stressed enough.  Simply put, if you lose track of your encryption keys, you won't be able to decrypt your protected content in the event something goes wrong.  And, if you're managing 20 computers or more, something always goes wrong every week.

    Many Keys, One "Keyhole"

    Usually, people think that knowing the password is all it takes to gain access to encrypted content.  If a hard drive crashes though, chances are the password will be of no use; recovery of the data will then require the direct application of the key that was used to encrypt the data.

    Now, anyone who's had to deal with a lot of physical keys--door keys, car keys, etc.--knows that there must be some kind of management system; otherwise, it means trying keys one by one.  In an episode of Friends, the NBC sitcom, I remember a character proclaiming "I've got one keyhole and a million keys.  You do the math!"

    Do the math indeed.  If you're in charge of thousands of computers, even hundreds of computers, knowing which key goes with which computer is a very important job.

    Some People Use Anachronistic Methods for Managing Keys

    Even more important is making sure that the keys remain safe: safe from being stolen, yes, but also safe from disappearing.  For example, I know of security professionals who claim that the only way to back up encryption keys is to print them out and store them in a fireproof safe deposit box, preferably in a bank vault.  Why go to such lengths?  Remember, trying to guess what the encryption key is is a futile endeavor, so the need to keep the key from disappearing--accidental loss, theft, burning up in a fire, etc.--is of paramount importance.

    Why paper, though?  Well, security professionals, being a paranoid bunch, also take into consideration the risk of EMP bombs (that's electromagnetic pulses).  While a paper printout won't be affected, encryption keys backed up to magnetic media would.  (I want to point out, though, that if you've got a regional EMP event, chances are the contents of your laptop are less relevant than knowing how to create a stone axe.)

    Central Management for Better Organization

    On a more practical level, there is something to be said about centrally managed encryption: among the many benefits that are proffered by centralizing control is the management of encryption keys.  Sounds like overkill if you're managing about ten computers; however, as the number of keys to be juggled mushrooms, the task of managing them--generating, storing, exchanging, guarding, etc.--becomes a daunting one.

    By using a centrally managed encryption software like AlertBoot, a lot of this energy expended in managing keys is removed.  In a previous post, I had remarked that:

    Central management means that encryption keys are not generated and stored separately; instead, in AlertBoot, each encryption key is generated as the computer is registered.  Contrast this to encryption software where the person doing the installation has to record in a separate application, such as a spreadsheet, which key belongs to which computer, potentially creating erroneous listings by mistake.

    This is one of those areas where automation shines.

    Central Management for Better Security

    At this point you might be thinking, "OK, central management makes things easier.  But, easier tends to mean less secure.  And the point of encryption is security.  Isn't that contradictory?"

    Fair enough.

    The rebuttal to such an observation lies in--what else?--how a product is designed.  While I can't make any guarantees about other products and services, take into consideration what AlertBoot, a hosted managed-encryption service, does in terms of security:

    • Databases are encrypted so even if someone hacks it, the data is useless to the intruder
    • Encryption keys that are stored in a central database are encrypted as well, so clear text access to the DB doesn

    Plus, AlertBoot has its data center PCI certified: our effort to create a secure environment for the encryption keys far exceeds the efforts a company would make for an in-house system.

    Furthermore, AlertBoot doesn't have access to login credentials in the databases, so we can't access the backend without the customers' permission.  Basically, it's been designed to be safe from internal intrusions, if it ever comes to that.
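
    The central-registry idea described above, as an added example (not AlertBoot's code and not part of the original post): each disk key is generated at registration and stored only in wrapped form, bound to its computer's ID, so a row filed under the wrong machine is caught at recovery time. The names KeyRegistry, wrap_key and unwrap_key, the device IDs, and the HMAC-based wrap (a standard-library stand-in for a real key-wrap primitive such as AES Key Wrap) are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA256 stands in for a real key-wrap primitive (such as
# AES Key Wrap, RFC 3394) so this runs on the standard library alone.

def _prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def _bind(device_id: str) -> bytes:
    # Fixed-length encoding of the device ID, mixed into the integrity tag.
    return hashlib.sha256(device_id.encode()).digest()

def wrap_key(kek: bytes, device_id: str, disk_key: bytes) -> bytes:
    """Encrypt a 32-byte disk key under the KEK, bound to one device ID."""
    if len(disk_key) != 32:
        raise ValueError("disk key must be 32 bytes")
    nonce = secrets.token_bytes(16)
    stream = _prf(_prf(kek, b"enc"), nonce)           # one-block keystream
    ct = bytes(a ^ b for a, b in zip(disk_key, stream))
    tag = _prf(_prf(kek, b"mac"), _bind(device_id), nonce, ct)
    return nonce + ct + tag

def unwrap_key(kek: bytes, device_id: str, blob: bytes) -> bytes:
    """Return the disk key, or raise if the row is altered or mis-filed."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = _prf(_prf(kek, b"mac"), _bind(device_id), nonce, ct)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key was altered or belongs to another device")
    stream = _prf(_prf(kek, b"enc"), nonce)
    return bytes(a ^ b for a, b in zip(ct, stream))

class KeyRegistry:
    """Central store mapping device ID -> wrapped disk key (hypothetical)."""

    def __init__(self, kek: bytes):
        self._kek = kek      # key-encryption key, held outside the database
        self.rows = {}       # what a dump of the database would expose

    def register(self, device_id: str) -> bytes:
        # Key generation and record creation are one step, so there is no
        # separate list to keep in sync by hand.
        if device_id in self.rows:
            raise KeyError(f"{device_id} is already registered")
        disk_key = secrets.token_bytes(32)
        self.rows[device_id] = wrap_key(self._kek, device_id, disk_key)
        return disk_key      # handed to the endpoint to encrypt its disk

    def recover(self, device_id: str) -> bytes:
        return unwrap_key(self._kek, device_id, self.rows[device_id])

if __name__ == "__main__":
    registry = KeyRegistry(kek=secrets.token_bytes(32))
    key = registry.register("LAPTOP-0001")   # constructed device IDs
    registry.register("LAPTOP-0002")
    assert registry.recover("LAPTOP-0001") == key
    # Simulate the spreadsheet mistake: two rows filed under the wrong machine.
    r = registry.rows
    r["LAPTOP-0001"], r["LAPTOP-0002"] = r["LAPTOP-0002"], r["LAPTOP-0001"]
    try:
        registry.recover("LAPTOP-0001")
    except ValueError as err:
        print("recovery refused:", err)
```

    Because the device ID is part of the integrity tag, a wrapped key copied into another computer's row fails to unwrap instead of silently returning the wrong key.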

    Want to learn more?  Get in touch with us.

     
  • Data Encryption Software, Was It Used On Shadow Defense Minister Fox's Computer?

    Shadow defence secretary Liam Fox woke up to find that his house had been burglarized and his car taken.  Other items taken: his laptop, which led him to scrap a scheduled media briefing.  Fox and Tory sources declined to confirm whether hard disk encryption software like AlertBoot was used to safeguard the laptop's contents.

    Fox Knew Importance of Laptop Encryption

    According to computerworlduk.com, Fox was "in no doubt about the importance of encryption," seeing how he had criticized the government after the Ministry of Defence lost a laptop and its encryption key:

    As shadow defence secretary, Fox told BBC News that the theft was "extremely worrying," adding: "This goes way beyond the careless loss of a laptop or lapses in personal security that we have seen in recent times."

    Fox said the MoD theft was worse than the loss of the child benefit database in 2007, because it "could be used for identify theft, or worse, for terrorist use." [computerworlduk.com]

    Also, there was this:

    Speaking to the BBC, Mr Fox commented: "It's just been too easy for data to go missing recently and we need to look at how to protect the details of the public." [armedforces-int.com]

    Having said all of this, it would be quite ironic if it turned out that Fox did not have adequate protection on his stolen laptop.  On the other hand, if there was no sensitive data on the laptop, perhaps it wouldn't be much of a controversy.  After all, not storing sensitive data is the first step in data security, perhaps the most important step.

    What about his cancelled briefing?  Well, seeing how it was supposed to be a media briefing, my guess is that it cannot really be classified as "sensitive data": it was bound to become public, although one wonders if any sensitive data was referenced while creating said briefing.

    Disk Encryption Protects Everything

    And that's the point behind disk encryption programs like AlertBoot.  If you've got multiple files on your computer (who doesn't?), a chaotic mix of sensitive and not sensitive data, it becomes something of a chore to keep track of them.  Which ones need encryption and which ones don't?  Which are encrypted and which aren't?

    Is there an easier way?  Sure; encrypt everything on a computer.  Instead of having to create multiple rules to govern the security of certain files (for example, encrypt all doc files and txt files, but not jpg files), the entire disk is encrypted and everything stored to it is protected.

    Related Articles and Sites:
    http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=19968
    http://www.telegraph.co.uk/news/newstopics/politics/conservative/7619582/Burglars-at-Liam-Foxs-home-armed-themselves-with-kitchen-knives.html
    http://www.scmagazineuk.com/laptop-and-mobile-phone-of-conservative-parliamentary-candidate-stolen/article/168524/
    http://www.eweekeurope.co.uk/news/tory-liam-fox-laptop-stolen-in-home-break-in-6607

     
  • Hard Disk Encryption: CBS Report Shows Photocopiers Need It, Too

    I had already covered the need for disk encryption software on modern photocopiers here, so didn't feel the need to cover a CBS news report on the possibility of data breaches via xerox machines.

    However, great interest has been expressed, so here are some of the salient things to note.

    CBS Reports on Sale of Used Photocopiers

    A CBS reporter and an expert with the Digital Copier Security company visited a warehouse full of used copiers.  They picked four machines based on price and number of pages copied.

    One of the copiers belonged to the Sex Crimes Division of the Buffalo (NY) Police Department.  A second belonged to the same police department, but to its narcotics unit.  The third was from a construction company.  The fourth belonged to an insurance company.

    Overall, the information that could be gleaned included domestic violence reports, wanted sex offenders, drug raid targets, design plans, checks, SSNs, medical records, etc.

    How Is It Possible for Photocopiers To Do This?

    It should be noted that the problem only affects digital photocopiers.

    This is because digital photocopiers essentially scan a page, store the image on an internal computer hard disk, and produce copies off of that image.  I think the argument is that there are fewer parts failures by doing this: if you need 100 copies of a page, the copier doesn't need to move that light-bar-thingy 100 times.

    The problem, though, is that now the photocopier can be breached in the same way that laptop computers can.

    The answer is to erase the information after the photocopier is no longer useful, or to use an encryption solution (not AlertBoot, unfortunately, in this case, as described below).

    The only problem I see is that plenty of companies lease their machines.  In such a case, one wonders on whom the responsibility falls for protecting or deleting any sensitive data.  As per the law, the owner of the data--the lessee--is responsible.  But, any servicing and maintenance is usually done by the lessor, and the lessee messing around with the hard drive could void the contract and whatnot.

    I guess the latter could give the former the option to use encryption, or add a service to delete information after the copier is returned.  Make it cheap enough and it could be a great vertical to the photocopy leasing business.

    After all, over 40 states now have a law regarding data breaches.


    Related Articles and Sites:
    http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml
    http://www.buffalonews.com/2010/04/21/1025945/police-data-on-copiers-causes.html

     
  • Laptop Encryption Software: Massachusetts Eye & Ear Has Breach In Korea

    A Massachusetts Eye & Ear Infirmary physician giving a lecture in South Korea fell victim to computer theft.  The laptop computer belonging to Dr. Robert Levine went missing on February 19.  The incident caused Mass Eye & Ear to review and implement data security policies, including the deployment of drive encryption software on laptops.

    Over 3,500 Patients Affected, Spanning 22 Years

    The lost laptop may contain the following patient information: names, regular mail and e-mail addresses, phone numbers, dates of birth, sex, medical record numbers, medical diagnoses, etc.  A full list can be obtained by clicking on the links at the bottom.

    In the case of four patients, their pharmacy insurance account number was included as well.

    In total, 3,526 patients were affected.  As medical data breaches go, one could say this is one of the more modest ones.  At least, based on the number of patients.  Based on the fact that the records span 22 years--from Feb 3, 1988 through Feb 16, 2010--the situation is perhaps a testament that the longer you keep sensitive data, the greater the chances you'll eventually experience a data breach.

    Sixty-eight people who were not Dr. Levine's patients, but were participants in tinnitus-related research, were affected as well.

    Financial account numbers and SSNs were not included (qualified with a "to best of Mass. Eye and Ear's knowledge.")

    Good News

    Thankfully, Mass. Eye & Ear did load some security features on the missing laptop.  There was password-protection, which is not much, seeing how easily this feature can be by-passed.  Then there is the "laptop LoJack" tracking solution, which allowed the hospital to monitor its location and activity.

    This solution allowed a monitor to conclude that a new OS was installed on the computer and that software required to access the information was not installed.  Once it was determined that continued monitoring would not lead to the recovery of the laptop, the hard drive was permanently disabled via a command.

    Bad News

    The only problem?  The laptop went missing on February 12 and the LoJack connection was not made until March 9.  Nobody knows what happened in that full month.

    For all we know, someone could have run several programs designed to search and extract sensitive data (remember, password protection barely provides an obstacle) for an entire month; installed a new OS; and sold it on craigslist or what have you.  Thankfully, the usual stuff that criminals look for--SSNs, credit card numbers, and the like--were not present.

    The incident shows the limitations of tracking software.  I have already noted how the recovery rate for laptop tracking software is around 75%, an excellent rate.  However, chances are those rates apply to the US only because of how companies like Absolute Software work with American law enforcement.  You can't expect the same degree of collaboration once you go outside the US unless the company has something similar in place in foreign countries as well.

    A better approach may have been using a combination of tracking software, as in the above, and encryption software like AlertBoot.  This way, the contents of the computer are protected from thieves, while the tracking software does its thing.


    Related Articles and Sites:
    http://www.newswise.com/articles/mass-eye-and-ear-alerts-patients-to-laptop-theft-and-data-breach
    http://www.databreaches.net/?p=11312
