Printable Version of .: AlertBoot Endpoint Security :. , RSS Feeds Aggregator, RSS Directory, RSS Feeds Reader, XML, RDF, Atom, RSS 0.91, RSS 0.92, RSS 2.0, RSS 1.0

Wed, 19 Nov 2008 02:08:00 +0100

.::The Difference Between Disk Encryption, File Encryption, And Password Protection: A Very Short Primer On Encryption And Related Data Security Products::.

And I really mean short. I’ve met a lot of people who didn’t quite understand the difference between hard drive encryption software and file encryption software, or that were assuming one is the other. It seems to me that such confusion can only lead disappointment with encryption products, so here’s a really, really basic primer on what’s what.

Encryption

A process for keeping data secret. The only way it to unearth the secret is to provide the correct key. I won’t go into the details of how it works, but essentially it will take an entry like “keep this a secret, OK?” and turn it into “wKsn a@kn q si1n,z$ !nZ.” Provide the key, and that crazy jumble of words, numbers, and symbols will turn back into the original text. Modern strong encryption is so advanced that, if someone were to try every combination possible to crack the crazy jumble, they’d have to take all the computers in the world (including supercomputers) we have now and run them for centuries to take a guess at what the jumble means.

Data Encryption

Ambiguous terminology. It could mean either disk encryption or file encryption since both deal with data. I personally don’t think it’s anymore descriptive than the term “encryption.” If anyone is trying to sell you a product that does “data encryption” you may want to ask whether it’s disk encryption or file encryption. As you’ll see below, they protect your data in different ways.

Disk Encryption

Disk encryption is the encryption of an entire disk -- not just specific files. In other words, if you open up your computer and pop out the hard drive, all the contents of that physical hard drive are encrypted.
Disk encryption is also known as hard drive encryption, full disk encryption, whole disk encryption, and partial combinations of these three (hard disk encryption, full hard disk encryption, etc.). If anyone or anything alludes to an entire disk being encrypted, chances are this is what they’re talking about.

The real-world counterpart to disk encryption is the use of a safe (strongbox, if you prefer) with a built-in lock. That is, if you place any documents and close the door of the safe, the documents are protected. The only way to get back those documents is by knowing the combination or having the key to the lock, or busting the safe’s door open.

Likewise, any files that you save on a computer or digital device with full disk encryption will be encrypted (read: protected) automatically due to the fact that disk encryption is being used. However, if you decide to e-mail that same file to someone else, it will not be protected anymore, just like taking a document out of a safe means that document is now not secure.

File Encryption

File encryption is the encryption of specific files only. So, if you have only two documents on your computer, you can choose to encrypt one but not the other. Unlike disk encryption, which I mentioned above, you actually have to make a decision on what you’re going to have encrypted. (This does not necessarily mean that you have to remember which files to encrypt every time. There are managed data encryption service providers like AlertBoot that allow the use of “policies” to automate the process. For example, your Excel files will be encrypted automatically but not any jpegs saved to your computer).
Unlike disk encryption, since the actual file is encrypted, passing around the files (via e-mail or otherwise) will still ensure the security of those files.

File encryption is also known as content encryption.

There is no real-world counterpart to file encryption except encryption itself. It might be useful, though, to think of file encryption as translating a document into a language only you know. So, if you leave the translated document on a table and someone picks it up, that person can’t make heads or tails out of it.

Folder Encryption

Is the same concept as disk encryption, in that anything that’s saved to a particular folder (or, directory, if you prefer) is encrypted. Take the file out of the folder, and it’s not encrypted anymore.

Password Protection

A lot of companies and agencies announce, when their laptop computer is lost or stolen, that it had password protection. It’s the worst kind of “security” you could possibly have for your data. In fact, I call the term “password protection” a misnomer because it doesn’t really afford you any protection.
The real-world counterpart for password protection is hiding stuff beneath your mattress. Now you understand why data security professionals tear their hair out whenever they read that something was password protected. The game’s over if someone decides to look under the mattress.

And, surprisingly enough, bypassing password protection is about as easy as lifting up a mattress. All you have to do is pull out the computer’s hard disk and plug it into another computer. That’s it.

Knowing When To Use What

When it comes to encryption products, there are pros and cons. For example, disk encryption is great in the event your laptop gets stolen. On the other hand, if you send a sensitive file to the wrong person via e-mail, you can’t rely on disk encryption to protect you; file encryption is what you want. If you’re looking into USB disk data security to protect external hard drives, your options are the same as those for a laptop or desktop computer, since the data to be protected resides in the same component: the hard disk.
Sometimes it will be hard to know what your specific data security needs are, and you’ll need to consult with a professional. You may need different encryption products to be used at the same time; it certainly is not unheard of to use both disk and file encryption on the same machine, although at first glance it sounds like overkill.

Regardless of what you decide to use, the one thing to take from this one article is that you should never, ever under any circumstances come to the conclusion that password protection is protection.

Wed, 12 Nov 2008 05:46:00 +0100

.::Tables Turn And Turn Again In Express Scripts Data Breach::.

Express Scripts -- the pharmacy benefit management company I mentioned the other day -- is in the news again, less than one week after the extortion attempt was made public. The criminals are now directly contacting Express Scripts’s clients, threatening to release personal information of employees. I never realized that extortion schemes scaled in a similar way to good software and business models. I’m just saying.

Regardless of what the final outcome may be, it looks like Express Scripts did the right thing by making the extortion scheme public and not paying up. I had imagined that, if the criminals had been paid off, they would continue to demand ransom from Express Scripts. I hadn’t considered the possibility that they would attempt to pull the same trick with other companies as well.

Imagine what would have happened if Express Scripts had decided to keep mum on the extortion attempt. Clients to Express Scripts would have assumed that they had a data breach. They’d wonder how or where they had a security lapse. IT departments would be going crazy trying to figure it out: maybe it’s a misconfiguration in the firewall? Didn’t download the latest software patches? Maybe the data encryption software we’re using is flawed? Maybe, maybe, maybe…?

On the other hand, it could be that these extortionists are actually (somewhat) good of heart, and would have stopped any criminal activities once they had been paid off. This would mean that Express Scripts erred and escalated the situation. Personally, I find it doubtful; there is no honor amongst thieves.

Which may be what Express Scripts is counting on. Along with the announcement that their clients’ were contacted, the benefit management company has announced a reward of (cue Dr. Evil of Austin Powers fame) one million dollars for help catching the criminals. They take the ransom money and use it as a bounty. It’s like the movie “Ransom,” starring Mel Gibson. If life follows the same script, chances are it’s an inside job.

Insiders. According to some reports, insiders are fast growing to becoming the number one reason for data breaches at companies, regardless of whether they had malicious intents or just happen to be klutzes. The theory is that as IT departments become more able and responsive at curtailing network attacks, other data breach sources will take the top place.

Tue, 11 Nov 2008 06:04:00 +0100

.::Seoul University In Another Data Breach, File With Personal Information On 4500 Students Uploaded To The Net::.

Seoul National University is in the news due to a data breach, yet again. A file with the information on 4500 SNU students was uploaded in May of this year, and was not taken off their site until last week. From what I gather, the file in question was uploaded to an on-line bulletin board…and nobody noticed for six months! This data breach could have been prevented if someone had decided to use file encryption; however, that wouldn’t address the root cause of SNU’s continuing remiss when it comes to data protection.

The root cause is that nobody at SNU is interested about data security. Sure, this is my personal opinion. And yes, SNU students and faculty would claim otherwise. But words are cheap, right? A file with personal information on 4500 students is uploaded to the department’s on-line bulletin board…and no one notices for six months? It’s not as if the file was hidden out of view…perhaps I should backtrack a bit, and explain what’s going on.

An excel file with the names, contact information, dates of birth, and military ID of 4500 SNU students and faculty was uploaded to the French literature department department’s on-line bulletin board, which is accessible over the internet by anyone. That’s right. Anyone. There is no need to log in. A Nigerian scammer can see what’s going on at French department at SNU if he wanted to.

Now, what was a list of Korean military IDs doing on a French department website? South Korea, still being officially at war with North Korea (the two nations never signed a peace treaty), requires any able-bodied men over the age of 18 to join one of the four military branches: Army, Navy, Air Force, and Marine Corps (if you’re not able-bodied, you will do what is essentially forced community service for approximately two years. For example, you may end up at a subway station. Your duty would be to ensure that people don’t step too close to the platform when a train’s coming in. It’s pretty pathetic). After serving your time, you’re on reserve for another eight years, and have to show up for reserve training for the first four years. The rest apparently only requires you to pick up the phone when the reserve calls. This allows them to contact you in the event of a war, making rapid mobilization possible. (Of course, the joke is that in the event of a war, there will be rapid mobilization by everyone…to some other country.)

Now, it’s customary for college students to put their studies on hold, do their time, and then resume their education. Once they go back to school, the military reserve administration organizes the training for these continuing students so that an entire school’s department trains on the same days. Training mostly consists of lounging around, dragging a beat-up rifle, and openly making fun of DI’s who are usually younger, and hence, less experienced. And who, technically, rank lower than you. Oh, of course; there’s the actual training such as obstacle courses, shooting, and indoctrination.

OK, enough background. Coming back to our story, it looks like the reserve administration found that one third of the cell phone numbers of reservists at the SNU French literature department were out of service. So, the administration sent a list of reservist names, with other identifying information, so that the department could update the phone numbers. Did they use encryption? I’d venture a guess and say no. I’d also venture another guess and say that the file was probably e-mailed. First instance of lack of interest in data security.

Then, someone at the French Lit. department posts an announcement on their on-line, ultra-accessible bulletin board about upcoming reserve training dates, and attaches the spreadsheet. Mind you, it’s not like P2P software programs where files leak left and right because you don’t know what you’re doing. With these bulletin boards, you actually have to search for a file to upload and attach it to the post, just like you would attach a file to an outbound e-mail. And, if you’re security-minded, you check to make sure the correct file was uploaded afterwards. Second instance of lack of interest in data security.

Now, no one in the French Lit. department notices that list for a good six months. It’s hard to believe that. No one, not one person, in the French Lit. department looked at the post and raised hell over it. Assuming someone looked at the post, that is. Third instance of lack of interest in data security. Or maybe it’s just a lack of interest, period.

It looks like SNU has had its fill of data security breaches, though. They’re increasing to 30 the people who will be in charge of data security (from the current 4) next year. And, according to reports, they’ll also be implementing the use of data security software. Or rather, they’re looking to develop data security software so they can implement it.

What they could do is save themselves some time and money (and a lot of hassle) and just use AlertBoot managed encryption. It uses the internet to centrally manage the encryption of hard drives and files, and the one thing I’ve learned is that SNU has internet access.

Sat, 08 Nov 2008 05:39:00 +0100

.::Mass. Companies: Are You Ready For The New Data Privacy Regulations?::.

Update (Nov 18, 2008): The Massachusetts Office of Consumer Affairs and Business Regulation has postponed the compliance date for its identity theft data security regulations. The general compliance deadline has been pushed to May 1, 2009. The deadline for encrypting laptop computers is now May 1, while the deadline for encrypting other portable devices has been extended a full year to January 1, 2010.

November is here, and retailers are getting ready for what is hopefully a Black Friday. The state of the economy being what it is, though, it’s debatable whether this will come to fruition. A lot of merchants are probably putting a lot of effort to figure out how much of a discount will be necessary to bring in the crowds. However, there is another date looming in the horizon, particularly for Massachusetts retailers. And they may want to look at data encryption software providers like AlertBoot before the date in question is upon them.

The date is January 1, 2009. This is the day when a new MA law regarding data privacy goes into effect. Although I made a note of it back in September, it looks like more and more news sources are making a point of mentioning it, since the law will go into effect in less than two months.

I’m not a lawyer, so you’ll want to consult with legal experts, but as reported in the media, you need to cover the following:

• Educate your employees about data security. They are your first line of defense against data breaches. It goes without saying, but the point of data security is to prevent a data security breach from happening
• Get someone to oversee data security. This person (or persons) will have to wear a lot of hats, since he’ll be responsible for developing a security program, overseeing it, and ensuring people follow it
• Encrypt your data. Of the three requirements listed, this last one may be easiest. If you are handling Massachusetts residents’ personal data, you’ll have to encrypt that information whenever it’s transmitted (e-mail, for example) or stored on portable devices. You’ll also have to use other technological solutions like firewalls, if you’re not already.

That last one regarding encryption is tricky. For example, if you’re moving offices and transporting your desktop computer with sensitive information, does it need to be encrypted or not? It’s not normally called a portable device. On the other hand, you can probably lift it and take it to your car with ease, so it is portable (and definitely a device). Plus, it is being transmitted in a technical sense:

“To send or convey something from one person, place or thing to another; To spread or pass on something such as a disease or a signal; To impart, convey or hand down something by inheritance or heredity; To communicate news or information; To convey energy or force through a mechanism;…” [en.wiktionary.org/wiki/transmit]

It wouldn’t be the first time lawyers fixate on a word that has multiple meanings to make an argument.

There’s also a couple of other things that ought to be considered by MA merchants. The same law has specified what constitutes “personal information”:

• The first and last name, combined with
• Social Security number; or
• Driver’s license number; or
• Financial account information, such as checking account numbers; or
• Credit or debit card number

In other words, names in of themselves are not presumed to be sensitive data. And, according to what I understand of the law, losing an SSN with the last name only wouldn’t put you in breach of the law either. It seems to me, based on all the data security breach news that I’ve read over the past year, that one can still do a lot of damage with an SSN only, but, hey, that’s just me.

There are talks, as well, that this applies to any companies that deal with the personal information of MA residents. So, even if you’re a California merchant that operates out of the west coast only, if you happen to handle MA resident data, you would need to comply with the law. At least, that’s the idea. Apparently there is some uncertainty on how this would be enforced. It’s up to the Massachusetts Attorney General’s Office whether this will be enforced or not.

It’s also being mentioned that the cost for information security compliance is expected to be about $3,000 upfront and $500 per month for a business with 10 people, three laptops, seven desktops, and one network server. I’m not sure where these figures are coming from, but when I take into consideration the cost of AlertBoot encryption software, I’d say a lot of the cost must be associated with training and education. Encryption itself would average less than $200 per month only.

Fri, 07 Nov 2008 06:59:00 +0100

.::Pharmacy Benefits Manager Express Scripts Gets Extortion Letter - A Sign Of Things To Come For Data Breaches?::.

Express Scripts is a PBM, a Pharmacy Benefits Management company. What this means is that they are in charge of making sure that you get your drugs, since they’re in charge of processing and paying prescription drug claims. They also do other stuff like negotiating for discounts on drugs. In fact, some give credit to Express Scripts as the reason why Pfizer’s Lipitor sales took a hit once Zocor went generic: the PBM had dropped Lipitor from their list of preferred drugs to insurers and recommending Zocor instead, which was projected to be six times cheaper once it went generic.

In other words, Express Scripts, whether you’re aware of their existence or not, is no lightweight in the pharmaceutical industry. And it looks like some criminals are well-versed in this fact, since they decided to extort some money out of this company.

Express Scripts has gone public with the extortion attempt. According to www.esisupports.com, a site set up expressly to alert the public, the PBM received a letter with the personal information of 75 people in their database, including SSNs, addresses, and DOBs, along with a threat that millions of more names would be released if the company didn’t pay up. The amount asked was not specified.

When you consider than the company manages prescription benefits for approximately 50 million people, about one-sixth of the US population, well, even the VA laptop theft from a couple of years looks like small potatoes. With a big difference, though. In the VA case, most people agreed that the Veterans’ Association was lax regarding data security. Express Scripts, on the other hand, seems to have done many things right and gotten dinged.

It isn’t surprising that the PBM had data security practices in place long before the breach happened. As a benefits manager, I’d imagine that it has to follow HIPAA covenants, which have been in place for over a decade. Of course, that doesn’t guarantee that a company’s network will be rock-solid. There may be a small hole in the wall, so to speak, or even a case of internal malfeasance, a consideration that is not being dismissed by the company.

At first, when I couldn’t find many details regarding the story, I considered the possibility that the information had been found on a lost laptop that didn’t have its contents protected with the use of laptop encryption software like AlertBoot. My assumption was, Express Scripts being what it was, it would have topnotch network security. The data breach had to come from something a bit more prosaic than a bunch of hackers getting into the PBM’s network.

I also made the assumption, with absolutely no basis on what little facts I had, that the criminals were blowing a lot of smoke. I mean, a list of 75 names? Not 100? Why? It looks like an odd number when you consider that they had millions of names. Were these guys eco-conscious, trying to fit everything in one page in the extortion letter? My inclination was that they’ve got about 80 names, which fetches about eight dollars in the black market, so they’ve decided to go for broke and attempted this scheme, claiming millions of names.

This was before I found that the company was able to identify from the 75 names where they’re having an information leak. So, chances are Express Scripts understands how dire, or not, the situation may actually be.

Will the criminals get caught? The FBI is involved, and it seems to me that there is a good chance clues were left behind. Usually, companies that have a data breach don’t know what hit them or how it happened. But not in this case. Plus, there’s the nature of the reward. The problem with extortion is that the criminals have to show up, in one way or another, to claim their money, even if it’s being wired overseas.

Thu, 06 Nov 2008 07:08:00 +0100

.::Laptop Encryption Software Not Used For NC State Laptop::.

A laptop computer belonging to the state of North Carolina was lost in Atlanta. This loss could potentially turn into the data breach of over 85,000 N.C. residents who are registered with the Division of Aging and Adult Services, a part of the Department of Health and Human Services of North Carolina. It appears that the stolen laptop did not incorporate the use of information security software like hard drive encryption, available from companies like AlertBoot, a managed encryption service provider.

Instead, the only attempt at data security was the use of password protection. Lamentable, since the use of passwords only will not really protect data. I’ve often alluded that this form of “protection” (always in quotation marks) is no better than hiding your house’s keys beneath the welcome mat (an object named in response to the “thank you” the house burglar will offer nonchalantly as he proceeds to steal your valuables).

Of the affected, 50,000-plus clients had their full Social Security number listed, while an additional 30,000 had the last four digits of their SSNs compromised. Letters are being sent to both groups, the one being asked to place a fraud alert on their credit reports, and the other being asked to keep their eyes peeled, since someone could attempt to defraud them with the limited data.

The question that some may ask is, what’s a guy from North Carolina doing in Georgia with a list of SSNs of 85,000 people? And the reply in this case would be, doing his job. He had to attend some kind of conference. He probably took his laptop because unlike proctologists that hold their parties/conferences in Maui, he had work to do, e-mail to check, and other work-related stuff that required him to take his work computer with him.

Which leads to this question: why wasn’t the laptop computer encrypted? The DAAS is a division of the HHS of North Carolina. This makes it a covered entity under HIPAA regulations (I would assume, since, as I understand it, HIPAA guidelines were meant to be adopted by the HHS as well), and this means there are strict regulations regarding the storage and protection of data.

For example, there are HIPAA regulations stating that passers-by should not be able to shoulder-surf medical data, meaning the screen of computer monitors should be facing away from corridors and hallways. Computers with sensitive data should be located in rooms that can be locked. Encryption, if I recollect correctly, is not required unless other methods of protection (like the locked door) is not available or possible.

A laptop computer at the airport is in open space by definition. I’m sure locked cars were not what legislators were thinking of, even if the original law was drafted back in 1996, and the world was, arguably, a safer place back then. The above case, even if the laptop computer was not stolen, is a prime example of situations where hard drive encryption should have been used.