Posts Tagged ‘data protection’

H&R Block Manager Steals Tax Customers’ Identities and Refunds

Wednesday, March 28th, 2012

When it comes to data protection and guarding sensitive information from being leaked, most organizations have policies and tools in place designed to defend against malicious outsiders. The reality, demonstrated time and time again, is that authorized users on the inside pose a much greater threat.

A manager of an H&R Block tax preparation office in California was arrested for stealing the identities of H&R Block clients and filing fraudulent tax returns on their behalf. A post on AccountingToday.com about the incident states, “He prepared bogus tax returns in their names designed to obtain tax refunds and credits, according to prosecutors, and then used H&R Block Emerald Cards to withdraw the fraudulently obtained refunds from automated teller machines.”

You should have tools and policies in place to guard your data against unauthorized access from the outside. But don’t forget that authorized users are in a position to intentionally steal or compromise data, or to inadvertently share or expose it. You need to make sure you have tools in place to monitor and defend against data leaks from the inside as well.

Texas Police Officer Details Exposed

Monday, February 6th, 2012

The hacktivist collective known as Anonymous is taking credit for exposing the names, addresses, and police departments of hundreds of Texas police officers. The group hacked the Texas Police Association website to obtain the data because it feels that the official response to a police officer found to be collecting child pornography is too timid.

While it is understandable to be upset and to sympathize with the cause, the actions of Anonymous can’t be excused. Compromising the personal information of law enforcement officers doing their duty to protect their communities, in retaliation for the actions of a sick rogue officer or even for the seemingly tepid response to his alleged crimes, crosses the line no matter how you slice it.

That said, this isn’t the first time the Texas Police Association has been targeted, and there is also no excuse for sensitive information like the personal addresses of police officers not being better protected. The Texas Police Association needs to take a close look at its network and data security measures. It should have tools in place that encrypt and protect the data stored there, so that the data stays protected even if hackers manage to compromise the server itself.

How Much Data Are You Leaving Behind?

Sunday, December 18th, 2011

The very things that make portable storage devices convenient for storing and transporting data also make them a greater risk for loss or theft. USB thumb drives hold gigabytes of information, yet fit in your pocket. You can easily have one fall out of your pocket in a taxi or on a train, and you are unlikely to miss it if someone “liberates” one from your possession.

Security vendor Sophos recently bought a number of USB thumb drives at auction that had been left behind on trains. Sophos found that two-thirds of the drives contained malware, possibly suggesting they were intentionally “left” behind to be found and used by an unsuspecting victim. Malware aside, the 50 USB drives held nearly 140GB of potentially lost data.

None of the USB keys was encrypted, and none of the USB keys contained any encrypted data. None. Sophos found all kinds of interesting data on the USB keys, including lists of tax deductions, minutes of an activists’ meeting, school and university assignments, AutoCAD drawings of work projects, photo albums of family and friends, a CV and job application, and software and web source code.

Don’t let that be your data. Make sure you have policies and security controls in place to control what data is allowed to be stored and transported on portable storage media, and make sure your data is encrypted so it is protected even if that media is lost or stolen.

The Real “Bad Guy” Is a Simple Lack of Common Sense

Friday, December 2nd, 2011

It is convenient to think of network security and data protection in terms of “us and them”. There are good guys, and there are bad guys. There are authorized users inside the network just trying to get their jobs done, and there are insidious, malicious hackers diligently trying to compromise the network and steal sensitive information. The reality is quite different.

There are, of course, attackers out there with low moral character, a lack of ethics, and too much time on their hands who will not hesitate to exploit holes and expose data if possible. However, if you review the data breaches large and small that occur on a daily basis, the vast majority have nothing to do with any attack at all. Sensitive, personal information is compromised and exposed because the authorized users entrusted with that information are often clueless, or at least careless, in how they handle it. There are school principals accidentally uploading sensitive information, employees tossing files with personal information into public trash bins, and many employees carrying unencrypted data on laptops, tablets, and smartphones that are easily lost or stolen. The hackers often don’t have to work very hard.

Organizations should do more to educate users and increase awareness about sensitive data, data protection policies, and proper data handling procedures. Beyond that, though, organizations should have tools in place on endpoint systems, tools that monitor the flow of network traffic, and tools that protect data at rest on servers, so that a lapse in judgment doesn’t lead to a data breach.

Protecting Data Is Not a Black and White Issue

Saturday, November 26th, 2011

Data protection is more nuanced than simply allowing or denying access. The age-old concept of group and individual permissions for file and folder access is based on the fact that one person may have no business opening a given file, while the next person may need to read and review that same file as a function of their role. This same type of control is needed when it comes to allowing data to be printed, or stored on an external drive or USB flash drive.

Because protecting data is not a black and white issue, the solution needs to be more flexible than simply blocking or allowing access. Zecurion’s Zlock gives IT admins the ability to apply fine-tuned controls that prevent the unauthorized copying and storing of data without impeding legitimate, authorized use of removable media at the same time. Just as one person may have no business opening a file that another person needs to do their job, one person may have no legitimate business purpose for storing data on removable media, while the next person may need that capability to perform their job function. A solution that simply locks down USB ports is like killing a housefly with a hand grenade, and applies too broadly to provide functional data protection.

Zlock takes it a step further, though. Jim may have a business need to store sensitive data on a removable drive, but you don’t need to grant blanket permission to Jim. You can still set up controls in Zlock that let Jim store data on a USB flash drive, but only if the data is encrypted. In fact, IT admins can configure Zlock to only allow Jim to store data on a specific brand of company-issued flash drives, or even on a specific hardware ID of an individual USB flash drive issued to Jim. That way, data is protected and the flow of sensitive data is controlled, but Jim is still able to do his job without having to jump through any additional hurdles.
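The per-user, per-device policy model described above, as an added illustration that is not Zlock’s code or configuration format: a small evaluator that denies by default, limits a user to the vendor and hardware ID of an issued drive, and refuses writes to an unencrypted volume. The user name, vendor IDs and serials are constructed sample values.

```python
# Added illustration of a per-user removable-media policy, modelled on the
# controls the post describes. Not Zecurion Zlock code or its config format;
# users, vendor IDs and serials below are constructed sample values.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Device:
    vendor_id: str            # USB vendor ID as reported by the host
    serial: Optional[str]     # per-unit hardware ID; None if the device has none
    encrypted: bool           # True if the volume is an encrypted container


@dataclass(frozen=True)
class Rule:
    user: str
    require_encryption: bool = True
    allowed_vendors: frozenset = frozenset()   # empty means any vendor
    allowed_serials: frozenset = frozenset()   # empty means any serial


def decide(user: str, device: Device, rules: Tuple[Rule, ...]) -> Tuple[bool, str]:
    """Return (allowed, reason). A user with no rule is denied by default."""
    rule = next((r for r in rules if r.user == user), None)
    if rule is None:
        return False, "no rule grants removable-media writes to this user"
    # Most specific check first: an issued hardware ID beats a vendor match.
    if rule.allowed_serials and device.serial not in rule.allowed_serials:
        return False, "device hardware ID was not issued to this user"
    if rule.allowed_vendors and device.vendor_id not in rule.allowed_vendors:
        return False, "device vendor is not on the company-issued list"
    if rule.require_encryption and not device.encrypted:
        return False, "write permitted only to an encrypted volume"
    return True, "allowed"


# Constructed policy: Jim may write only to his issued drive, and only encrypted.
RULES = (
    Rule(user="jim", allowed_vendors=frozenset({"ACME"}),
         allowed_serials=frozenset({"ACME-SN-0001"})),
)

if __name__ == "__main__":
    issued = Device("ACME", "ACME-SN-0001", encrypted=True)
    plain = Device("ACME", "ACME-SN-0001", encrypted=False)
    personal = Device("OTHR", "OTHR-SN-9999", encrypted=True)
    for who, dev in (("jim", issued), ("jim", plain), ("jim", personal), ("ann", issued)):
        print(who, dev.serial, decide(who, dev, RULES))
```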

Now, through the end of 2011, you can get Zecurion Zlock for 80% off.

Trusting Employees Is Bad Security Policy

Thursday, November 10th, 2011

Companies like to be able to trust employees. This is particularly true in smaller companies, where the environment is more like a family and the founders/owners are often personal friends with the employees. In the end, though, business is business and it doesn’t mix well with personal trust, especially when it comes to protecting sensitive and confidential data.

Michael Pattison, the head of Allens Arthur Robinson’s technology law group, is quoted as saying, “Ultimately you trust people that you employ, so it’s depressing to find at times that the trust is breached.”

When employees leave a company, whether through firing or of their own accord, they often take proprietary and sensitive data with them out the door. Computershare is learning that lesson the hard way. An employee resigned, and the company is accusing her of having stolen internal documents, emails, and possibly the personal data and financial records of millions of shareholders who rely on Computershare’s global share registry.

A certain measure of trust is expected between employees and employers. If either party can’t trust the other to some extent, it creates a paranoid, hostile work environment. But, trust is a poor policy for data protection, and companies need to have tools in place to secure sensitive data even from the employees it is entrusted to.

Mix It Up! Don’t Use the Same Password Everywhere

Monday, May 16th, 2011

Recent cyber attacks have compromised millions upon millions of email addresses, usernames, and passwords. From small organizations like Dunes Family Health Clinic, to massive businesses like Epsilon, data breaches are a virtually daily occurrence.

Companies should be doing more to proactively protect data and prevent it from being compromised, but individuals can also do more to help themselves by making sure they don’t use the same username and password at different sites across the Internet.

A local Fox News affiliate database was hacked, and the email addresses and passwords of Fox News employees were exposed. The exposed information has led to compromised Twitter and Facebook accounts and some embarrassing messages allegedly “from” the Fox News people.

Hopefully your personal data will never be compromised. But with the rate and scope of data breaches, that seems unlikely. Take matters into your own hands by making sure you use different usernames and passwords (and security verification questions) at different sites. If an attacker gets account credentials for one site, that shouldn’t grant them the keys to every site you interact with.

Using the same username and password everywhere is like having one key that unlocks the front door of your house, starts your car, opens your locker at the gym, and gets access to your desk drawer at the office. If you lose that one key, you lose everything. Mix it up and make sure that each of the sites you use has its own unique “key”.

Don’t Let Your Company Join the Data Breach Epidemic

Thursday, May 12th, 2011

I know I sound like a broken record, but it’s not my fault. You can’t go online, turn on the TV, or pick up a newspaper without seeing news of some major data breach exposing sensitive data on millions of users. Why?

Don’t get me wrong. I understand that there is no security silver bullet. Given an attacker with enough time, skill, and dedication, there is no server or network fortified such that it can’t be hacked. In fact, I think security administrators should keep the mindset that it is a matter of when, not if, a server will be hacked. But, as I have pointed out previously in this blog, a server breach does not have to be a data breach.

I wrote a consumer-oriented article detailing how individual users can take steps to try and protect their own data and shield it from being exposed by the companies they have entrusted it to. But, IT admins and security administrators also need to take proactive steps to prevent data from being compromised, and keep their own organization out of the headlines.

Data breaches are expensive. Really expensive. Never mind the fact that a data breach on your watch could cost you your job. Do yourself a favor. Save your organization the hassle and the money, and help preserve your job security by contacting Zecurion and finding out just how easy it is to protect your data and prevent your company from becoming a data breach epidemic statistic. Wouldn’t you rather be a hero than a fall guy?

Got a Spare $7.2 Million in Your IT Budget?

Saturday, March 12th, 2011

Does your IT budget have $7 million or so to spare? I think I can say with absolute certainty that no organization, regardless of size and revenue, has an IT budget with an extra $7.2 million of unallocated money.

The follow up question to that rhetorical lead-in is “why are you gambling with $7.2 million you don’t have?”

A new survey from the Ponemon Institute, sponsored by Symantec, found that the average cost of a data breach for a company in the United States has increased to $7.2 million. That breaks down to an average of $214 per exposed or compromised data record. The kicker is that the survey also reveals that the number one cause of data breaches is negligence.

Don’t gamble $7.2 million you don’t have. Don’t let your organization be negligent. Invest proactively in the tools your organization needs to prevent sensitive information from leaving your network, and make sure your company isn’t tomorrow’s data breach headline.

It will cost you $7.2 million to react to a data breach incident after it’s too late. It will cost you a fraction of a percent of that $7.2 million to prevent the data breach in the first place.

Emailing Sensitive Data

Thursday, February 3rd, 2011

While the primary aim for most companies is to ensure that sensitive or confidential information is not sent out via email, for some industries the sharing of sensitive information is a business necessity. The medical, finance, and insurance industries all need to be able to exchange private or confidential information with customers. The trick is to share the information in a secure manner that protects it from unauthorized view.

Once upon a time, a medical benefits processing company I was working with needed to confirm some contract details with me via email. They had a gateway solution in place to prevent sending out sensitive information. Instead, the solution stored the message securely on a local server, then sent me an email with a link to access it over an encrypted HTTP connection. Fair enough. Except the part where they included the password necessary to access the encrypted data with the email containing the link. Oops.

Fast forward a year or two. I recently switched banks and I needed to change the automatic payment info with my life insurance company. Apparently my life insurance company has a similar solution in place for protecting sensitive data, because what I received was a more or less blank email with an HTML attachment of some sort. I clicked the attachment and it asked for a password, a password I had never created and had no idea what it might be. I just typed in a random password I sometimes use, which it accepted, and it then took me to an initial login screen requiring me to create or change my password. So, they had enough sense to try and safeguard my private information from unauthorized access, but sent it as an email attachment protected by a password that you get to make up as you go? Well, that’s secure.

Companies like these need to have ways to protect sensitive data, and they also must meet data protection compliance requirements such as HIPAA/HITECH and PCI DSS. I question, though, just how secure my data really was in either instance. Obviously, there are some serious flaws in both solutions: in the first, the secret needed to read the message travelled in the same email as the link to it; in the second, the recipient chose the password after the fact, so it protected nothing in transit. Companies need tools that can identify and filter sensitive information, and deliver data securely when warranted.