in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

January 2011 - Posts

  • Data Security: Deloitte Says That Theft Is A Growing Problem

    Experts at Deloitte report that incidences of data theft are growing.  All the examples they give, though, are incidences where data was stolen by insiders.  It's one of those instances where the use of data encryption software like AlertBoot cannot be relied on because, truth be told, these insiders are already "trusted" to begin with.

    Disgruntled Employees

    Among the stories revealed:

    • An employee makes the brazen announcement that, when he leaves, he'll take his clients with him.  He logs into a secretary's computer, emails himself a client database in her computer, which is downloaded into his USB device from his computer.
    • A group of code developers decide to steal their own code, believing they haven't been recognized for their efforts.  Of course, "their code" is not really theirs.

    In both cases, the potential data thieves were stopped from doing further damage, not by the latest whizz-bang technology or security products, but because people did something about it.

    In the first case, the secretary noticed that she had an e-mail in her outbox that she didn't send, and alerted her boss.  In the second, one of the coders -- the new guy -- alerted the company about the plans.  Which is ironic: that's an insider working against a bunch of insiders working against the company.

    The Right Tools: Auditing and Following Up

    Like I noted at the beginning, it's hard, perhaps impossible, to stop data breaches by insiders.  The only remedy is detecting the breach after the fact and doing something about it.

    This is not as good as preventing the breach in the first place (such as using encryption software to restrict access to the data from the start), but it's pretty much the only form of redress.  Sure, you could get lucky (a guy brazenly announces his plans) and just fire the guy, and that'd be proactive, but luck isn't a data security strategy.

    So, what do you need to detect a breach?  Essentially, you need the right monitoring tools that create activity logs and reports which are actively monitored.  Without someone poring over the logs, it makes no sense to have the tools (the tools are not going to fire your brazen guy).


    Related Articles and Sites:
    http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=10701468

     
  • Hard Drive Encryption: Bruyere Family Medicine Centre In Canada Data Breach

    The Bruyere Family Medicine Centre in Ottawa has revealed the theft of two computers.  The machines were "secured" with password protection.  It doesn't look like this "password protection" was attached to something more secure  like drive encryption from AlertBoot.

    Patients From 1971...?!

    This story, despite being short, is full of notables.  For example:

    Investigation revealed there was “a high probability” that password-protected patient data for some patients seen between 1971 and July 1, 2006. [ottawasun.com, my emphasis]

    That's a heck of a date range.  1971?  Either this medical facility went through the pains of digitizing their old, paper-based records, or they used to own a mainframe computer.  Incidentally, I'd bet on the latter providing more security, seeing how you can't easily find people who know what to do with a mainframe.

    The information that was lost as a consequence of the computer thefts include: names, dates of birth, addresses, health card numbers, and phone numbers.  There was no medical data.

    Another notable, a quote:

    Times have changed — it’s an electronic age, and we all need to be reminded how to best protect our personal health information. [Bruyere's CEO, Jean Bartkowiak, in ottawasun.com]

    Agreed.  However, having a data breach is probably not the best way to "remind" oneself of the need for security.  I mean, if you need a reminder, just read or watch the news: the stories involving data breaches and loss of person information is legion.  Follow up on medical laws and regulations (Canada passed the Personal Information Protection and Electronic Documents Act, or PIPEDA, a while back).

    Equating an "extremely concerning and regretful" incident (Bruyere CEO's words) to a reminder is a bad move (I get the feeling, though, that the CEO may have been quoted out of context).

    What Now?

    Obviously, the police are investigating the incident.  And, the Ontario Information and Privacy Commissioner was alerted.  Plus, the medical center has taken measures to ensure better medical data security.  They have implemented the use of encryption software for "clinic computers and secure off-site storage of data."  And, perhaps most importantly, they are educating staff about protection patient information.

    PIPEDA Says...

    The Personal Information Protection and Electronic Documents Act became law in 2000.  (Ontario medical entities also have to deal with PHIPA, the Personal Health Information Protection Act, which became law in 2001 and was further extended in 2004.  That's a lot of reminders.)

    This is what PIPEDA has to say when it comes to safeguarding data:

    4.7 Principle 7 — Safeguards
    Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
    4.7.1
    The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
    4.7.2
    The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4.
    4.7.3
    The methods of protection should include
    (a) physical measures, for example, locked filing cabinets and restricted access to offices;
    (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
    (c) technological measures, for example, the use of passwords and encryption.

    Note that that last bit is passwords and encryption, not passwords or encryption.  Why is this important?  Well, password-protection doesn't really protect data.  Encryption is necessary for safeguarding the data.

    (Personally, I feel that the presence of the word "passwords" might mislead people into believing that the use of password-protection is fine, per the law.  It'd be the wrong assumption, yes, but some people don't seem to understand that there is a fundamental difference between conjunctions.)

    Related Articles and Sites:
    http://www.phiprivacy.net/?p=5696

     
  • Disk Encryption Software: Grays Harbor Pediatrics Announces Breach (Updated)

    According to the databreaches.net, Grays Harbor Pediatrics has announced the theft of a computer backup device.  This device, which sounds like it might be a portable hard disk, held copies of paper records (sounds like document scans) of patients.  It appears that hard disk encryption like AlertBoot may not have been used, although it's hard to tell from the press release.

    Update (25 JAN 2011): According to an update to the databreaches.net site, Grays Harbor Pediatrics stated that the data on the device was password-protected.  Of course, password-protection is not encryption.

    SSNs and Other Information Stored

    According to the press release, the device contained SSNs, insurance details, driver's license numbers, medical history (including immunizations), previous doctors' records, and patients' medical records.

    It only makes sense that all this information was there, since it sounds like the medical facility was computer-scanning hand-filled medical documents.  While I don't know whether this is conventional medical practice, I can say from personal experience it's really a space saver: ten boxes of college papers, handouts, notes, and other documents will fit into a compact external hard disk drive smaller than my wallet (actually, two disks.  One's a backup in case anything happens to the first drive).

    Of course, since my notes don't contain anything that was not shared with my classmates and professors, or found in a textbook that carries an obnoxious price tag, the use of encryption software is quite optional.  I doubt one could claim the same for a medical hard drive.

    Was the Grays Harbor Disk Encrypted?

    This is where the press release seems to imply that it wasn't:

    Grays Harbor Pediatrics has secured all current software applications by changing passwords, implementing new encryption software and updating security protocols to ensure that no patient information may be compromised.

    Implementing new encryption.  This could go either way: encryption was newly introduced to computers that previously didn't have any, or new encryption, as opposed to the old version on computers, including on the stolen backup device, was installed.

    I assume it means encryption was newly introduced, in a move also known as fixing the stable after the horses have fled.  As I noted, the above could go either way, but combine it with the fact that Grays Harbor Pediatrics has gone public with the data breach (as required by HIPAA when encryption is not used); and the fact that they didn't state that the lost device was encrypted*, and you'll understand why I'm leaning towards this position.

    *Interestingly enough, I've seen a handful of cases where an organization that suffers the theft of a laptop with sensitive information that was encrypted does not reveal this fact until much, much later.  It's senseless.  Why not announce it?  It's not as if the encryption is compromised by pointing out the fact that it's used.


    Related Articles and Sites:
    http://www.databreaches.net/?p=16495
    http://www.phiprivacy.net/?p=5687

     
  • Data Encryption Software: Remembering To Lock Out People Is As Important As The Crypto

    Remember: your security is only as good as your weakest link.  Sure, everyone's heard the expression, and everyone gets it (I don't think I've met a person who didn't understand it), but when I hear stories like that of Telecom New Zealand's Wireline, it makes me wonder if people actually "get it."  And, not following the basics will diminish the pretty good security provided by tools such as drive encryption software from AlertBoot.

    Man's Accesses Still Valid After Leaving Telecom

    A man who worked as customer service representative at Telecom New Zealand found out that he could still access the company's database.  He stopped working for the phone company in November, which is nearly two months ago.

    What prompted the man to give it a try?  He heard the accusations that there was a security breach at Telecom, and he decided to test whether the stories could be true.  It took him some time, but he finally figured out his actual password for accessing the database.  The company would not comment on this particular situation, but an anonymous interviewee who also worked at the company years ago relayed the fact that information security at the company was not top-notch when it came to restricting access.

    Installing Encryption Software and Other Tools is Not the End of It

    Restricting access to sensitive data is one of the most basic steps when it comes to data security.  (In fact, you could say that "access restriction" is the sole purpose when it comes to data security.  This is evidenced by the fact that most of the security tools out there are designed exactly with this objective in mind, be it a locked door, hiring a security guard, biometric access to computers, or the latest cryptographic tool.)

    Philosophical ruminations aside, the point is that you've got to pay attention to who should and who shouldn't be able to access particular information.  This should-shouldn't dynamic depends not only who the person is and what he does, but when he's doing it.

    A retired cop shouldn't have access to a police database.  A former US president shouldn't have access to the WWIII nuclear codes.  A former company CEO shouldn't have access to his former employer's newly-formulated 5-year strategic plans.  And a former service representative certainly shouldn't have access to his former employer's customer database.  For one thing, to the detriment of the company, he could just take that access and use it as a bargaining chip for a better job with a competitor.

    Data security is a never-ending battle, partly because who is permitted to access sensitive data is constantly changing.  As long as attention is not paid to restricting access, data protection tools cannot maximize the safety of your data.  What good is encryption, or any other data protection tool for that matter, if people other than authorized users can access protected contents?


    Related Articles and Sites:
    http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=10701805

     
  • Cost Of A Data Breach: HealthNet Settles With Vermont AG, Files Were in TIFF Format

    It looks like HealthNet's troubles weren't over when they settled with the Connecticut Attorney General back in July 2010.  According to databreaches.net, HealthNet has now settled with Vermont's Attorney General's office, adding an extra $55,000 on top of their previous fines.  It looks like, contrary to what I had reflected before, that perhaps the use of hard drive encryption like AlertBoot would have been warranted.

    Files were in Image Format

    This latest settlement has revealed an additional detail to HealthNet's data breach.  To recap the situation so far: a portable drive (not protected with encryption software) that contained sensitive information like SSNs was lost in May 2009.  Affected people were not alerted until 6 months later, prompting various state Attorney Generals to look into the situation.  In July 2010, HealthNet settled with Connecticut's AG.

    HealthNet had reassured people that the risk of harm was low.  Databreaches.net has the following quote:

    When it did notify Vermont residents, Health Net told them that it believed their risk of harm was "low" because "the files on the missing drive were not saved in a format that can be easily accessible."

    It turns out that this "not easily accessible" format is actually a TIFF file, a common image format.  In fact, this is what Wikipedia has to say on the matter:

    ... the TIFF format is widely supported by image-manipulation applications, by publishing and page layout applications, by scanning, faxing, word processing, optical character recognition and other applications. [my emphasis]

    Let me put it this way: I can open TIFF files just fine in my web-browser.  How's this not easily accessible?  It's about as accessible as it gets!  Furthermore, free image viewing software applications like Google's Picasa will show TIFFs in slideshow format; you don't even have to open the files one by one.

    While I'm not going to go as far as accuse HealthNet (or, rather, its lawyers or PR department or both) of lying, it seems to me that they should have paid more attention to what they were writing.  I mean, if I showed TIFF files opening up in a web browser to a jury, would it pass muster that it's low risk?  I'd think not.

    Vermont's First Enforcement of the Security Breach Notice Act

    This is Vermont's first case when it comes to the enforcement of their Security Breach Notice Act.  A cursory glance of the law shows that "personal information" is defined as names and other data elements that are not encrypted.  Had HealthNet used a cryptographic solution like portable disk encryption, it would mean that, under the legal definition, the loss of their hard disk wouldn't be a data breach.

    A total of 535 Vermont residents were affected.

    I had covered HealthNet's data breach earlier, here and here.  When I guesstimated HealthNet's potential costs due to the breach, I noted that it would perhaps makes sense, from a financial perspective only, to risk a data breach when taking into account the costs associated with encrypting all computers for its employees.

    However, considering that Vermont is also extracting monetary penalties, plus the fact that the breach also affected residents of Arizona, New Jersey, and New York, perhaps I might have to reconsider that decision.  Breach notification laws for New York and New Jersey do not specify monetary penalty amounts, but neither did Vermont's.  Arizona's legislation limits civil penalty amounts to no more than ten thousand dollars.


    Related Articles and Sites:
    http://www.databreaches.net/?p=16441

     
  • Second Chance For California Data Breach Law Update Bill?

    The stars aligned today to alert me to the fact that the US's favorite Austrian import, Arnold Schwarzenegger, is not governor anymore (in fact, he's been retired from public office since early this month).  First, there was the morning "news" where the Governator was announcing his return to Hollywood.  Second was an RSS feed that I read that stated Rep. Joe Simitian would re-introduce a bill that had been vetoed by Schwarzenegger.

    California's breakthrough data breach notification bill, now emulated by at least 40 states and by governments the world over, required that people whose personal data was breached be notified.  Companies that used personal information encryption got a reprieve from making the embarrassing (and, potentially, financially detrimental) announcement.

    This is due to the near impossibility for strong encryption like AES-256 (which powers AlertBoot endpoint security software) to be breached.  Short of correctly guessing the password, the thief would have a better chance of making the NBA than of breaking into an encrypted file.

    The Next Logical Step

    Breach notifications have helped more than they have harmed, but eight years into the law, it's quite apparent that there are shortcomings to the law.  For example, certain states have copied California's law onto their books and also added the caveat that the password for accessing the encrypted data must not be available the thief.

    Others have added that breaches occurring due to stolen paperwork must also be made public, while others have extended the requirement for encryption to wireless data as well.

    But what most haven't done is update their laws regarding the breach notifications themselves.  In fact, most states don't have any rules addressing what's supposed to be included in the notification letters.  This has brought its own set of abuses, with certain companies not mentioning how or when a data breach occurred, or even what type of data was lost.

    Rep. Simitian's bill, which I covered earlier, would stop such a practice by making certain information obligatory in the notification letters.

    I think it's a great idea.  The point behind the notification letters is to alert consumers so they can act.  Deprive them of useful data and you compromise the effectiveness of these letters.


    Related Articles and Sites:
    http://www.centralvalleybusinesstimes.com/stories/001/?ID=17407

     
More Posts « Previous page - Next page »