Posts Tagged ‘information security’

RSA, the Security Firm Suffers from Security Breach

March 20th, 2011

Sometimes even the “cops” get victimized, and in this case the cops we are talking about come from the world of information security.

In an embarrassing incident, RSA, the Bedford, Massachusetts security firm whose products protect critical computer networks around the world, has itself been caught out. The company is recovering from a breach that could expose its customers to attack.

The incident was disclosed on Thursday of last week, and the products affected are those sold under the SecurID brand. RSA, which was acquired by EMC in 2006, has described the intrusion as an “advanced persistent threat”. In industry jargon, an APT is a sustained, targeted intrusion by a well-resourced attacker who keeps working at one specific victim over time, rather than an opportunistic attack.

SecurID protects access with two-factor authentication: to reach the network a user must present two different factors. The first is a PIN the user memorises (something they know); the second is a six-digit number displayed on a SecurID “token”, a small electronic device the user carries (something they have). The displayed number is derived from a secret seed programmed into the token and the current time, and it changes roughly once a minute; the authentication server holds a copy of the same seed, so it can compute the expected number and check it against what the user typed.

More than 40 million people in 30,000 organizations worldwide use SecurID, among them many government bodies as well as private companies. Prominent customers include Wells Fargo & Co., the French Ministry of Education, Rolls Royce Motor Cars Ltd., Lockheed Martin Corp., and The New York Times Co., which owns The Boston Globe.

EMC’s executive chairman issued an open letter to customers and filed a Form 8-K with the SEC. Both state that while the stolen information does not enable a direct attack on SecurID customers, it “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

Dan Goodin of The Register speculated that the stolen data may be the token seeds: the secret values from which each SecurID token generates its six-digit codes, which roll over roughly once a minute. If the attackers hold the seeds, they can compute the same codes as the legitimate tokens, which strips the “something you have” factor out of the scheme. In practice they would still need to know which seed belongs to which user and to obtain that user’s PIN, for instance by phishing, which is why RSA describes the stolen data as useful only “as part of a broader attack”.
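To make the seed-theft point concrete, here is a small added example; it is not code from the original post and not RSA’s algorithm. SecurID’s code generation is proprietary, so the example uses the published HOTP/TOTP construction (RFC 4226 / RFC 6238: HMAC-SHA1 over a time counter) as a stand-in, with the RFC 4226 test secret as a constructed seed and an assumed 60-second step to mirror the once-a-minute rollover. The function names are assumptions for illustration. Token, server and attacker share nothing but the seed, and whoever holds the seed produces the current code:

```python
import hashlib
import hmac
import struct
import time

# Constructed example seed: the RFC 4226 test secret "12345678901234567890".
# Real SecurID seeds are provisioned by RSA and differ per token; this is
# NOT one of them.
TOKEN_SEED = b"12345678901234567890"

STEP_SECONDS = 60   # assumption: mirror SecurID's roughly once-a-minute rollover
DIGITS = 6          # SecurID tokens show six digits


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter,
    dynamically truncated to 31 bits and reduced to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock.
    This is what the token displays."""
    return hotp(seed, unix_time // step)


def server_verify(seed: bytes, candidate: str, unix_time: int,
                  skew_steps: int = 1) -> bool:
    """Authentication-server check: recompute the code from the server's own
    copy of the seed, tolerating +/- skew_steps windows of clock drift.
    compare_digest avoids a byte-by-byte timing leak on the comparison."""
    base = unix_time // STEP_SECONDS
    matches = [
        hmac.compare_digest(hotp(seed, base + d), candidate)
        for d in range(-skew_steps, skew_steps + 1)
        if base + d >= 0
    ]
    return any(matches)


def attacker_code(stolen_seed: bytes, unix_time: int) -> str:
    """An attacker holding a copy of the seed runs the same arithmetic as the
    token and gets the same six digits; no physical token required."""
    return totp(stolen_seed, unix_time)


def passcode(pin: str, tokencode: str) -> str:
    """What the user actually types: PIN followed by the token code.
    The PIN is the factor a stolen seed does not hand the attacker."""
    return pin + tokencode


if __name__ == "__main__":
    now = int(time.time())
    shown = totp(TOKEN_SEED, now)
    print("token displays     :", shown)
    print("attacker with seed :", attacker_code(TOKEN_SEED, now))
    print("server accepts it? :", server_verify(TOKEN_SEED, shown, now))
    print("user must type     :", passcode("<PIN>", shown))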

However, executive chairman Art Coviello feels that all is not lost: “We do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”

RSA’s immediate advice to customers is to sharpen their security posture: enforce strong password and PIN policies, pay attention to security around social media applications and websites, and do not open suspicious e-mail. According to Frank Andrus, chief technology officer of Bradford Networks Inc., these recommendations hint at the techniques the attackers are expected to use against SecurID deployments: a stolen seed is only useful to someone who can also trick a user out of the PIN that goes with it.

Secure your Data with Alertsec

Worried by the incident above and wondering whether you could be the next victim? Avoiding such incidents means following a few essential data security guidelines in every organization. Incidents like this highlight the value of data encryption and recovery software: for an investment of $13 per month the threat would have been reduced to an insurance matter, with the information secure and nothing lost. That is a small price compared with what can happen if you lose confidential or sensitive data.

Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.


News Update About Data Loss in Healthcare

February 27th, 2011

As the use of electronic records has grown, so has the exposure of the data they hold.

Kaufman, Rossin & Co. has released a report showing that the personal health information of 4.9 million patients was compromised in 166 data breaches during the first year of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The act came into force in February 2009, about two years ago. Its idea was simple: promote the adoption of information technology in the health sector, while imposing stricter rules and financial penalties for breaches of patient privacy.

The largest single source of breaches in the study is laptops: they were involved in 43 incidents affecting more than 1.5 million individuals. The incidents occurred between Sept. 21, 2009 and Sept. 21, 2010, the first year in which breaches had to be reported to the Secretary of the Department of Health and Human Services and were made public.

Jorge Rey who is co-author and director of information security and compliance with Kaufman, Rossin said, “There are so many various ways for data to be breached in this day and age and many businesses are not properly prepared or are completely unaware of just how vulnerable this information is”. “The HITECH Act is changing the way PHI must be protected and those companies that are not serious about protecting their patients’ information find themselves facing serious reputation, legal and financial repercussions.”

Here are some of the other findings of the study:

  • Business associates were involved in over 20% of the breach incidents
  • Around 3.12 million individuals were affected
  • 32 percent of breaches were reported within the first three months
  • Theft was, unsurprisingly, the leading cause, accounting for about 58% of breaches
  • Loss accounted for only 14% of cases, and a similar share fell under miscellaneous causes

The main lesson of the report is the variety of ways a breach can happen: confidential medical information sent to the wrong recipient, or records accessed by an intruder, are just two examples.

Secure your Data with Alertsec

Following essential data security guidelines is necessary in every organization, and this news illustrates why data protection software matters. Incidents like these highlight the value of data encryption and recovery software: for an investment of $13 per month the threat would have been reduced to an insurance matter, with the information secure and nothing lost. That is a small price compared with what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.


European Data Breach Law is a Worry for Telecom Companies

January 21st, 2011

Time and again we have written about the stringent data breach laws being introduced by governments around the world. Our goal is to raise awareness of the changes in the regulatory landscape and of the precautions you need to take to keep up with them. The United States has been the key driver of such laws, followed closely by the UK. This time the discussion spans the whole of Europe, where telecom operators are worried about a soon-to-be-implemented data breach notification law.

What is ENISA?

First, what is ENISA? ENISA stands for European Network and Information Security Agency, the European Union’s cyber security agency. Its mission is to achieve a high and effective level of network and information security within the European Union.

ENISA’s Report about Data Breach Notifications

On 14 January 2011, exactly a week ago, ENISA released a new report on data breach notifications in Europe. The report is in two parts and addresses:

1. The key concerns of the telecom operators (via a representative sample of companies)
2. Issues raised by data protection authorities (via interviews of DPAs)

In the wake of recent breach incidents in Europe, the law is absolutely critical to reassure citizens that their data is protected by e-communications operators.

What is the Data Breach Law then?

The security breach notification law requires companies that have lost customers’ or employees’ personal data to notify the loss, and it applies across Europe.

Eduardo Ustaran, head of the privacy and information law group at law firm Field Fisher Waterhouse (FFW), said “the law will be introduced under an amendment to the 1995 EU Data Protection Directive, which is currently being reviewed by the EU Commission”. Ustaran, further added, “All of the European data protection regulators have made very strong calls for this mandatory breach notification”.

The Executive Director of the Agency, Prof. Udo Helmbrecht, commented: “Gaining and maintaining the trust of citizens that their data is secure and protected is an important factor in the future development and take-up of innovative technologies and online services across Europe.”

Back-tracking the Data Breach Notification Law

In the UK the data-protection regulator is the Information Commissioner’s Office (ICO). Data breach notification laws started in California and have since spread over most of the USA; Europe has had national data protection laws since 1973, of which data security is just one element of their broader coverage. The ICO has the power to fine organisations for breaching data protection law and has issued its first fines, to Hertfordshire County Council and to the employment services company A4e.

Part 11 of the Anti-Terrorism, Crime and Security Act 2001 contains a number of sections dealing with the retention of communications data by fixed-line and mobile telephone service providers and internet service providers.

Data Breach History in EU

More than 1,000 security breaches involving the loss of confidential customer data have been reported in the UK to date. According to the Information Commissioner’s Office’s figures, the list is topped by the NHS, which has reported 305 breaches since November 2007.

ENISA data-breach expert Sławomir Górniak said: “Every day there seems to be headlines that personal data has been leaked, that someone has found a laptop on a train”. Measures such as encryption can mitigate the risk: “If you lose a laptop, and it’s encrypted, and you have the keys, then this is not a data breach,” he added. The condition matters: the key must not travel with the laptop in recoverable form, and the organisation must be able to show the device was encrypted at the time it was lost.

Organisations must be able to give customers clear assurance that their private data will not leak, and that the software and security controls protecting that privacy are kept up to date.

How Alertsec Xpress Would Have Helped

To stay secure and protect your data from breach incidents, it is vital to use data security and recovery software. Incidents like these highlight the value of such software: for an investment of $13 per month the threat would have been reduced to an insurance matter, with the information secure and nothing lost. That is a small price compared with what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.


“SEEN or HEARD anything?” about the Laptop

April 21st, 2010

While delivering a talk in South Korea, Dr. Robert Levine had little idea that his laptop was about to be stolen. A couple of months ago Dr. Levine, a neurologist specializing in disorders of the ear, was giving a lecture when his laptop, containing patient information accumulated over more than 22 years, was stolen from the premises.

Analysis by Mass. Eye and Ear determined that Dr. Levine’s laptop contained demographic and health information on around 3,526 patients, all of whom were treated by Dr. Levine at Mass. Eye and Ear between February 3, 1988 and February 16, 2010. The laptop also held information on a small number of participants in research conducted by Dr. Levine at Mass. Eye and Ear who were not also his patients:

  • 67 participants in somatic tinnitus modulation research
  • One participant in pulsatile tinnitus research.

Under the breach notification rules now in force, the responsible organization has to inform the affected individuals, and Mass. Eye and Ear is accordingly notifying the patients and research participants about the loss of their information.

What kind of information was present?

The laptop is believed to have contained the following types of information:

  • Name, address, telephone numbers and e-mail
  • Date of birth, age and sex
  • Medical record numbers and dates of service
  • Medical information, including diagnoses, symptoms, test results and prescriptions
  • Name and contact information for patient pharmacies
  • Research participant status

The one bright spot is that Social Security numbers, financial account numbers and credit or debit card numbers were not on the laptop. The hospital deserves credit for acting promptly: letters have been sent to the affected individuals, and a notice has been posted on its website to reach those whose contact details are out of date.

Individuals who fit into one of the categories above, and who do not receive a letter directly from Mass. Eye and Ear, may contact the Mass. Eye and Ear Breach Response Center at 877-313-1395 to determine if they are affected.

According to the hospital, the computer was password protected and carried a tracking product called “LoJack.” The hospital contacted LoJack, which found that a new operating system had been installed on the computer after the theft, and that the software used to access the affected individuals’ records had not been reinstalled. A login password on its own is weak protection here: it guards the running operating system, not the data on the disk, and whoever wiped and reinstalled the machine could just as easily have booted from other media and copied the unencrypted files first.

On April 9 it was determined that continued monitoring was unlikely to lead to the computer’s recovery, and LoJack sent the computer a command permanently disabling the hard drive, which according to the hospital rendered any information on it, including the data of the affected Mass. Eye and Ear individuals, permanently unreadable.

Although there is no risk of exposure of financial information, it is believed that the information of the patients could be used to obtain medical care or medications in their name.

John Fernandez, Mass. Eye and Ear president and CEO, said: “Mass. Eye and Ear apologizes to those affected for any concern, inconvenience, or risk that this incident may cause. We regret that this incident occurred and are taking appropriate steps to protect individuals associated with Mass. Eye and Ear who may have been affected by this breach and to limit or prevent where possible such breaches in the future.”

About Alertsec Xpress

Alertsec Xpress offers computer security software from Check Point as a fully customizable and pre-packaged data encryption software solution. For more information visit us at www.alertsec.com


Alert: New ICO Penalties Beginning Next Month

March 23rd, 2010

If you and your brand thought you could get away with incidents of data theft and loss, think again! The UK regulator is introducing stricter rules that will lead to severe penalties for organisations that lose personal data.

The new rules have been issued by the Information Commissioner’s Office (ICO) and come into effect in the first week of April. According to Clearswift CEO Richard Turner, the maximum financial penalty for companies that do not comply with the Data Protection Act is rising to £500,000 (from £5,000).

Clearswift helps organizations equip themselves with content inspection technology to protect confidential company data.

According to Turner, “Organisations can no longer ignore the seriousness of corporate data breaches and not complying with the Data Protection Act. On 6th April 2010, the Information Commissioner is upping the financial penalties to act as a deterrent for companies who flout these rules”.

In a recent case, the Information Commissioner’s Office (ICO) reprimanded the Royal London Mutual Insurance Society for breaching the Data Protection Act. The action followed the theft of eight of the firm’s laptops from its Edinburgh offices, two of which held details of 2,135 people. The data were password protected but unencrypted, and an operating-system login password does nothing to stop a thief who removes the drive or boots from other media: only encryption protects data at rest on a stolen machine.

What the Analysts Say

Industry analysts have expressed their views on the new fines:

Susan Hall, partner and IT specialist at Cobbetts thinks, “These new fines will have a profound impact on internal procedures, especially at medium-sized, data-rich businesses, whose growth commonly outmatches their internal development and the maintenance of procedures”.

Dave Ellis, e-security director at security distributor Computerlinks said, “Mid-market firms have not been under as much pressure so this should open up some good opportunities.”

Stewart Room, a keynote speaker at Infosecurity Europe and partner at Field Fisher Waterhouse LLP, believes organisations need to focus on two vital aspects: the system and the operations. The system defines the security position via documented rules, policies and procedures; operations is the implementation of that system in daily activities. According to Room, in a recent online poll a third of organisations admitted that if they experienced a security breach tomorrow they would not have a system in place to deal with the incident adequately.

Go Secure, Choose Alertsec Now

Alertsec is the frontrunner in offering hard disk encryption as a fully managed service. We provide protection for all information stored on laptops and PCs in an easy, convenient, and cost-effective way. By using the industry-leading Check Point Full Disk Encryption (formerly Pointsec) software, Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption. Alertsec Xpress offers computer security software from Check Point as a fully customizable and pre-packaged data encryption software solution.

For further information, please email us on info@alertsec.com.
