
Posts Tagged ‘encryption’

So Much Data, So Easy to Lose

Wednesday, December 30th, 2009

USB thumb drives are very convenient. It was only about ten years ago that 3.5″ floppy disks that could only hold 1.44 megabytes of data were the norm. It was revolutionary when Iomega introduced the Zip disk that could hold 100 megabytes in the same amount of space. A lot changes in a decade.

Now there are flash drives the size of your thumb that can hold 128 gigabytes of information. That is the equivalent of more than 90,000 3.5″ floppy disks, and it fits nicely in your pocket or on a key chain. The same features that make them useful and convenient, though, also make them easy to lose or steal and make them a significant risk to data security.

Recently in Canada, a USB thumb drive containing personal information such as name, address, phone number, date of birth, health card number, doctor’s name and other health information for over 83,000 patients was lost. Companies and organizations need to realize the risk posed by storing gigabytes of sensitive, unencrypted data on a device the size of your thumb.

Policies should be defined and enforced to provide guidance regarding what data is allowed to be stored on portable media like USB thumb drives. Zecurion’s Zlock can provide the tools necessary to enforce that policy, providing controls to restrict access to external devices, including printers. For data that is allowed to be stored on USB flash drives, Zlock can create a shadow copy, providing an audit trail detailing the data that was transferred.

Additionally, organizations should use secure USB flash drives like Ironkey or SafeStick, and/or protect the data using tools like Microsoft’s BitLocker-to-Go encryption to ensure that any data contained on the drive is protected even if the device is lost or stolen.

Laptop Stolen, But Security Measures Make Data Compromise Unlikely

Thursday, December 17th, 2009

A story from CNN today reports that a laptop containing personal information on approximately 42,000 Fort Belvoir Morale, Welfare and Recreation (MWR) patrons was stolen over the Thanksgiving holiday weekend. The focus of the CNN story seems to center on the fact that it took two weeks for the military to respond and alert those whose information may be compromised by the theft. It goes on to exclaim that this is not the first time the military has had a laptop stolen, but assures us that there is a bill currently in the Senate which would call for greater protection for mobile data.

What seems to be somewhat glossed over in the CNN story is the fact that this data was protected. CNN does mention it when it says “information security experts for the Army say it’s unlikely that the information will be compromised because the data are guarded by three layers of security and encryption passwords.” But somehow that part seems buried under the rest of the story, as if we’re not supposed to care about it.

I am not sure we can ask much more. Portable computers like laptops and netbooks are trending up in sales, and portable storage like USB flash drives and external hard drives is relatively cheap. The portable size that makes these computers convenient also makes them easy to steal. The bottom line is that there is a lot of sensitive information being carried around on these devices.

Companies and individuals need to operate under the assumption that a laptop will be stolen. I am not suggesting that laptop theft is so rampant that there is no way to avoid it; I am just suggesting that the data on the laptop be treated as if its theft were a sure thing. If you knew, for a fact, that your laptop would be stolen tomorrow, what kind of security would you have on it to protect the information it contains? Which data is so sensitive that you would add extra layers of security and encryption to virtually guarantee that it can’t be compromised?

In this case, perhaps the military should have notified individuals sooner. It can also be argued that, because of the security controls and encryption in place, the military didn’t need to notify anyone at all. By placing adequate protection on the laptop, the military essentially ensured that, while the thief might be able to use or sell the laptop, they won’t be accessing any of the data it contains.

Malware Leads to Breach of Student Data

Sunday, December 6th, 2009

Eastern Illinois University revealed on Friday that an admissions office server had been infected with malware which it believes enabled attackers to freely access the system. EIU cannot determine whether or not files were accessed, but IT technicians fear that as many as 9,000 files containing personal information on current and former students, as well as applicants, may have been compromised.

These stories are so common that companies and individuals alike may become desensitized over time. However, the fact that these stories are so common doesn’t reduce the impact on the institutions and individuals affected, nor does it eliminate the obligation of entities entrusted with sensitive information to take the necessary steps to ensure it is protected at all times.

Details are sketchy at this point for this breach, but it seems that the server was lacking antimalware protection, or that the antimalware signatures were not up to date. It’s also possible that the malware was new or unknown and simply slipped right past the antimalware defenses. That is why the data on the server should also be encrypted to guarantee that it cannot be compromised even if the server itself is breached.