Archive for September, 2009

« Older Entries

US Federal Agencies Still Fail at Security

September 29th, 2009

gao-security-reportThe U.S. Government Accountability Office (GAO) has released another information security report which indicates that while federal agencies continue to make progress with information security policies and practices, there is still the need to “mitigate persistent weaknesses.”  The report says that for the fiscal year 2008, almost all 24 major federal agencies had weaknesses in information security controls.

The GAO’s auditors said a recent audit that examined how well agencies were protecting information and complying with the Federal Information Security Management Act (FISMA) found significant problems. “These persistent weaknesses expose sensitive data to significant risk, as illustrated by recent incidents at various agencies,” GAO said. “Further, our work and reviews by inspectors general note significant information security control deficiencies that place a broad array of federal operations and assets at risk.”

While these security issues ranged the spectrum, many focused on the issue of securing confidential data.  An analysis of the reports reveals that 48 percent of information security control weaknesses pertained to access controls. For example, agencies did not consistently establish sufficient boundary protection mechanisms; identify and authenticate users to prevent unauthorized access; enforce the principle of least privilege to ensure that authorized access was necessary and appropriate; apply encryption to protect sensitive data on networks and portable devices.

  • The Securities and Exchange Commission had 23 new weaknesses in controls intended to restrict access to data and systems.  “For example, it had not always (1) consistently enforced strong controls for identifying and authenticating users, (2) sufficiently restricted user access to systems, (3) encrypted network services, (4) audited and monitored security-relevant events for its databases, and (5) physically protected its computer resources.
  • While the Los Alamos National Laboratory—a weapons laboratory—implemented measures to enhance the information security of its unclassified network, vulnerabilities continued to exist in several critical areas, including encrypting sensitive information.

In response to this report, Vivek Kundra, President Obama’s newly appointed federal chief information officer, said that OMB was working to clarify FISMA reporting guidance and improve performance metrics. He also said OMB was planning to move FISMA reporting to an Internet-enabled database for fiscal 2009 reporting.  The hope here is that the transparent and public reporting of issues will, as has occurred in the private sector, encourage an increased focus on security.

The report highlighted several opportunities including the SmartBUY program. This program, led by the General Services Administration, is to support enterprise-level software management through the aggregate buying of commercial software governmentwide. The SmartBUY initiative was expanded to include commercial off-the-shelf encryption software and to permit all federal agencies to participate in the program.

The tools are all there – maybe someday all the confidential data will actually be encrypted.

No comments »

Posted in Data Protection, Encryption

Tags:

All encryption is not created equal

September 25th, 2009

One of the benefits of a software like Alertsec is that many governments do not require notifications of security breaches when the data in question was encrypted.  However, in the United States of the exceptions to this is the tiny state of New Hampshire. In New Hampshire a company is required to report a data breach notification even if sensitive information was encrypted.

Normandeau Associates Reports Stolen Laptop

laptop-is-it-safeSo just recently, Normandeau Associates filed a letter with the Attorney General when a laptop was stolen. According to the letter filed with the AG, a computer with personal information of 277 NH residents (who knows how many more people living in other states were affected) was stolen from an employee’s home in November 2008.  The laptop theft was recovered in February 2009.  However, somehow the fact that the laptop was stolen did not come to light until June 2009.

According to a copy of the letter sent to affected residents, the laptop contained a database of past and current Normandeau employees, including SSNs, names, and bank account numbers.

Confidential Data on the Laptop

So, why was this database on the laptop computer?  The official letter explained:

Normandeau has policies that prohibit personal information from being downloaded onto its laptop computers. In this instance, the database was temporarily stored on the laptop during restorative maintenance to the company’s network, and contrary to company policy, not thereafter removed. The company took action against the responsible person for unintentionally failing to remove the database containing the personal information as required by company policy. No further precautionary actions were required to prevent similar breaches.

But the letter also noted:

The perpetrator required specific computer software to access the encrypted database in its existing format on the laptop, and it is unknown if access was actually made.

Levels Of Encryption

That last note explains why states like New Hampshire require reporting even when data is encrypted.  There are different levels of encryption, and depending on how strong (or weak) the database’s encryption happens to be, there could have been a data breach.

The most common example of encryption is password protection used in Microsoft Office Products like Word and Excel. However, the encryption used is primitive at best.   A simple search on the Internet will yield software that is inexpensive and often free that will allow for the breaking of this basic encryption.

While the letter from Normandeau does not identify the encryption that was used, it does say “required specific computer software to access the encrypted database” which points out that the encyrption was not on the entire laptop – but just on this database.

Hard drive encryption is used in order to encrypt all data stored on a hard drive. With a program like Alertsec all installed programs, files and system settings are encrypted.  This makes it impossible for an unauthorized person to read your files.

All encryption is not equal – but Alertsec will provide a high level of encryption for minimal cost and expenditure of time.

No comments »

Posted in Data Protection, Encryption

Tags:

Prescriptions without Encryptions!

September 22nd, 2009

broken-laptop-screenThis month the United States Naval Hospital in Pensacola, Florida began notifying thousands of people use its pharmacy services. Last month, on August 18, a laptop computer which contains personally identifiable information disappeared.

The last date that the computer can be accounted for is Aug. 18. In an internal review and investigation, the command made contact with 100 percent of its Pharmacy staff members in an attempt to discover the whereabouts of the computer.  The computer has a damaged screen and is thought to have been disposed of.

The computer’s database contains a registry of 38,000 pharmacy service customers’ names, Social Security numbers and dates of birth on all patients that used the pharmacy in the last year. “While there is no evidence to suggest personal data has been compromised, it is the Department of the Navy’s policy to apprise individuals whose Personally Identifiable Information (PII) may be at risk,” says Captain Maryalice Morro, commanding officer.

As is the case with every security breach – after the breach additional security measures are implemented.  The hospital is now  reviewing all protocols to ensure that Personally Identifiable Information is protected.  The hospital spokesperson notes that “We regret any inconvenience or undue concern this may cause and we take this potential data compromise very seriously and continue to strive to protect and secure your PII.”
So once again we have an organization that “strives to protect and secure your Personally Identifiable Information.”  So how did they strive?
  • Putting confidential medical records on a laptop
  • Not encrypting the laptop
  • Not training staff on the proper procedures were disposing of the laptop

Today, information is often an organization’s most important asset. As laptops are overtaking desktop PCs as the major source of computing and media storage, laptops frequently store an organization’s most valuable information. That is why protection of mobile devices is so important.

As our recent article Data Loss is the Other Guy’s Problem pointed out, hospital are at high risk for data loss.  Yet, they remain slow to adapt and slow to realize that services like Alertsec with hard disk encryption as a fully managed service. are so affordable as easy to manage.

It seems like the medical community is better at providing advice than it is at listening to advice!

2 comments »

Posted in Encryption, Identity and Information loss

Tags:

eBay – Allowing Unencrypted Drives to Live on!

September 18th, 2009

hard-drivesA Spring 2009 study on used hard drives by by the University of Glamorgan showed that computers sold on eBay and at computer fairs still contain sensitive corporate data from companies such as Laura Ashley, Lockheed Martin, Ford and Nokia. The school frequently undertakes research on behalf of the police and high-tech crime units, with state-of-the-art facilities and researchers who have an established record in network security and data crime analysis.   This study, funded by BT and Sims Lifecycle Services, found that a number of hard drives contained a substantial mixture of corporate and personal data.

Of the 300 drives that were purchased, the most notable one was a disk containing the test launch procedures for the Terminal High Altitude Area Defence missile system.  The same disk also contained “security policies, facility blueprints and employee social security numbers belonging to the system’s designer, aerospace manufacturer Lockheed Martin.”  The researchers turned the drive over to the FBI when they found some employee data still readable on the drive.

That story is living on because eventually personal data was found that impacted at least one resident of New Hampshire in the United States was affected by the discovery of data from Lockheed Martin on a drive.  Lockheed Martin notified some former or current employees that a hard drive that formerly belonged to them had been found for sale on eBay by academic researchers participating in a global research project.

Law Required Reporting of Theft of Unencrypted Data

According to state law, Lockheed had to file a letter with the New Hampshire state’s Attorney General.  The report states that:

“We are informing you of this incident because your first and last name and Social Security Number (SSN) were contained on the hard drive in question. This was the only personal information found related to you on the drive. We’ve determined that this information was collected between the years of 1999 and 2001 as part of a process to provide access to employees and guests visiting Cape Canaveral and possibly other Lockheed Martin facilities.”

locked-hard-driveThis leads to any number of questions.  Why is a government contractor collecting SSNs?  Why didn’t the government contractor encrypt the files for security reasons?  Why didn’t they redact the data before selling the drive?

From a time line perspective the data probably should have been encrypted immediately.  If it was not encrypted at least it should have been secured via some password protection.  Then it should have been deleted when it was no longer needed.  Then before the drive was sold the drive should have been wiped.

The list of security and just plain common sense mistakes is long.  But perhaps the key is that if the first step had been encryption – all the other errors would have gone unnoticed.  When your first step is encryption - you cover yourself on down the line of the life of a hard drive.

No comments »

Posted in Data Protection, Encryption, Identity and Information loss

Tags:

Creativity but not Security

September 14th, 2009

nwscs89232-thumb-550x365-23129

Some days you just feel like you are shouting from the treetops and nobody is listening.  The theft of laptops and computers in general is real – everybody gets that.  But so many people choose silly security methods to try and prevent physical theft all the while spending more money that it would cost for simple digital security.

The mitemite unnecessary objects lab sells newspaper laptop sleeves designed to make your laptop fade into the background in public.  I kid you not.  You can choose from La Vanguarda, Le Pais, Herlad Tribune, La Gretezza Dello Sport or the Frankfurten Allgemeine editions.

We all know that reading the news online isn’t exactly helping the newspaper business so I guess you could try and rationalize this as helping out the newspaper biz.  So to fool the world into thinking you still actually read the newspaper, pick up this laptop case.  It looks like a newspaper, but within your laptop is concealed and “safe.”  Of course that zipper on the top might clue people into what’s really going on.

Managed Encryption is Affordable

You can purchase this “secure” case for the shocking price of £ 87.00 or about $144 USD.  That’s right you can get a plastic sleeve to secure your computer or for just a few dollars more you could get an entire year of managed encryption services.

newspaper-print-laptop-bag-509x382Let’s compare:

  • 144 USD = plastic newspaper case to prevent theft
  • 156 USD = Alertsec Xpress with Check Point Full Disk Encryption software, upgrades and updates. The software is guaranteed by market leading Check Point, and ensures that the information stored on your PC remains private and secure. 24/7 helpdesk with Alertsec Xpress Authentication Method.  The Alertsec Xpress delivery and administration module on Alertsec website.

You can buy computer locks, you can buy computer cases, you can buy all sorts of approaches to thwart theft – but why not first invest in protecting your digital security – all your information, all your passwords – everything you have on the PC.   Encrypt! Encrypt! Encrypt! Then you can have some fun with gadgetry.

Creativity over Laptop Security

But I should not discriminate – if you really like the laptop case than you should also consider the anti-burglar doormat that is a definite hoot – it works in pretty much the same way as that of a standard sticky pad that aims to trap insects and other pests like mice.   Certainly Victoria Richardson who had her laptop stolen form her home and the criminal use her Facebook account should have considered this “effective” security strategy.

Of course, there is always the option of removing one’s pair of shoes and getting away. Those who decide getting this ought to make sure that they remember not to step onto it when one returns home.  Or better yet, folks who decide to use this could just mail be their laptop and save time waiting for the theft of their valuable data!

4 comments »

Posted in Encryption, Identity and Information loss

Tags: