AlertBoot Endpoint Security

Data Encryption Software Does Minimize Data Security Breaches

sang_lee — Wed, 08 Jul 2009 23:47:00 GMT

The Ponemon Institute has announced the results of its study into encryption trends. Now in its third year, the study has found that 70% of UK organizations have been hit by data breaches in 2008. One of the points made in the report, apparently, is that the use of data encryption software can have a significant impact on the number of breaches a company experiences.

Companies That Experienced No Data Loss

A poll of over 600 IT security professionals at different UK organizations revealed that,

...a third of those companies reporting no data loss incident in the last year claimed to have had instigated an enterprise-wide encryption policy.

In contrast, [organizations] experiencing the highest number of data loss incidents were found to be the least likely to have introduced a consistently enforced, company-wide strategy governing the use of data encryption technologies.[ from cbonline.com]

In fact, some companies didn't have any breaches in 2008, and only because they had disk encryption like AlertBoot installed on their computers. This does not imply, of course, that no computers were lost or stolen at these companies. It just means they didn't have a breach because the data could not be accessed after the devices were lost.

Correlation, Not Causation

I would like to believe that it was encryption that saved the day for the small number of companies that experienced zero breaches; however, believing that would be a fallacy.

More likely than not, said companies probably had a well thought-out and well-planned (and well-implemented, I should add) data security plan--which happened to include, among other things, the use of data encryption programs. I mean, there are other ways of experiencing a data breach other than losing laptops. Their servers could have been hacked, someone could have made sensitive files available on the internet, an employee could have stolen data, etc.

When you consider all the different ways companies could have a data breach, you can't deny that some amount of luck is necessary--in the sense that, say, they didn't have any employees that taped their username and password to the bottom of a laptop.

Encryption Doesn't Work? Neither Do Traffic Lights...If You Want to Use That Argument

Whenever I mention the "luck factor," a small number of people seize on the comment to point out that that proves "encryption doesn't work."

Huh?

What about all the examples that show that encryption does work to protect the contents of a computer? Cases such as where law enforcement tries to get the suspect to spit out the username and password to encrypted data? Or the sworn court affidavits where FBI agents testify that it's impossible to crack encrypted information?

I guess a more accurate statement by the detractors would be "encryption doesn't work all the time, even if it's implemented." And I wouldn't deny that.

But, planes crash, people run red lights, and people get killed in their homes. Does this mean we should get rid of air travel, get rid of traffic lights, and not live in our homes?

There are various ways one can have a data breach, which is why data security comes in layers. Encryption happens to be one of those layers.

Related Articles and Sites:
http://www.cbronline.com/news/encryption_reduces_risk_of_data_breach_study_080709
http://www.press-release-service.co.uk/70-of-uk-organisations-hit-by-data-breaches-in-the-last-year-1967

Australia Personal Information Data Encryption Provision And Security Laws

sang_lee — Tue, 07 Jul 2009 23:34:00 GMT

As of July 1, 2009, Australia does not have any laws regarding notification of data breaches. However, there are efforts underway to alert Australians (and the government) in the event a company or agency experiences a breach of sensitive data that could affect Australians. There will be exceptions, of course. For example, exceptions will be made if the personal information made adequate use of encryption software like AlertBoot.

The bad news is that such efforts won't go into effect until next year at the earliest, according to Senator John Faulkner.

The ARLC's Recommendation

The Australian Law Reform Commission (ALRC) has made recommendations to amend Australia's Privacy Act, which requires something of a remedy in light of the dangers of the Information Age. The entire document, titled "For Your Information: Australian Privacy Law and Practice" can be found here.

The recommendations effectively boil down to 5 points:

The Privacy Commissioner and affected individuals must be contacted in the event of a data breach that involves personal information if it is believed the breach will cause harm

Personal information will be defined to include names, addresses, and other identifiers such as "Medicare or account numbers"

The risk of harm to individuals will take into consideration the use of adequate encryption and how (and why) the information was collected in the first place

The Privacy Commissioner can prevent the disclosure of a breach if it deems it against the interests of the public or affected individuals

Not notifying the Privacy Commissioner of a data breach that should have been reported will be grounds for a civil penalty (which, if I'm not wrong, is usually legalese for "monetary fines")

That's the gist of Recommendation 51-1 of ALRC Report 108. The actual report describing the reasons behind the recommendation is, of course, much longer and much, much more involved. No wonder the government needed at least a year and a half to even begin implementing it...

Adequate Encryption? A Floor vs. A Ceiling

Adequate encryption? Is the government trying to shaft Aussies? After all, shouldn't they be looking for the "very best encryption," as opposed to something that's adequate?

It turns out that adequate encryption is usually more than good enough, and the very "best" encryption may not be the best solution. When it comes to data security and encryption, we can equate "the best" with "the strongest" form of encryption. The thing is, the stronger the encryption employed, the longer it takes to encrypt and decrypt data. Your data is technically more secure, but it means everything becomes relatively slower, which is not a good thing in this age where people's fingers start to twitch when waiting five seconds for a website to load.

So, the trick is to find a point where one gets plenty of security while not waiting for the cows to come home. This means that one's got to find a floor, as opposed to a ceiling, when it comes to the strength of encryption. In other words, something that is "adequate."

AES-128 or Equivalent...For Now

Standards may vary, but currently (June 2009) the acceptable level of encryption is AES 128-bit encryption or equivalent. For example, the National Security Agency (NSA) had announced back in 2003 that AES-128 could be used for classified information at the "secret" level (whereas "top secret" would require something stronger, such as AES-256). Also, it's probably what your bank uses for on-line banking services.

With time, though--as new vulnerabilities are found and as computers get faster and--the standard will shift, and 128-bit encryption will be dropped in favor of stronger encryption.

Disk Encryption Software: Bord Gais Figures Corrected To 100,000

sang_lee — Tue, 07 Jul 2009 01:25:00 GMT

The Irish Gas Board (Bord Gais) has revised their figures of customers affected in the laptop data breach from June. If you'll recall, the theft of four laptops--with one of them containing sensitive and financial information, but not protected via data encryption--have led to the loss of customer information.

Initially, it was announced to have affected 75,000 customers who had recently switched electricity providers to Bord Gais. The latest figures put the number at 100,000 affected, and according to The Sunday Business Post Online, this is not disputed by Bord Gais.

Keeping Track of Data

This revision in figures is not really unexpected, especially when one considers that the original announcement was made soon after the actual theft took place. It takes time to figure out the contents of a computer's hard disk, and with the capacity of today's disks, it takes longer than one would expect: making any announcements too soon more than often means having to make a correction down the line.

In theory there should be no need for corrections. After all, the usual, commonsense wisdom is that a person knows what he's saved on that computer. So, in the case of Bord Gais, questioning the employee who used the laptop with the sensitive data should have sufficed: He points out which files contained sensitive data, and the IT department looks through the backups to see how many people's names were in those files.

Why Encryption Trumps Company Computer Policies

As case after case shows, relying on people to do the right thing when it comes to data security is ineffective. Not because people don't try (although, there are a lot of people out there who don't try), but because people are fallible.

They may fail to follow rules; or fail to remember to delete important, temporary files; or even fail to remember that they were working on a sensitive file. When one works with sensitive files all day long, they all start to look...well, like common, everyday files because everything is relative. This is not unlike when one million dollars looks like chump change to people who've for years been involved in deciding how to budget ten billion dollars.

Which is why data security policies, while important, ultimately come short when it comes to actually protecting data: people become too comfortable once the initial worries wear off. Plus, chances are a security incident won't take place. Then the stuff hits the fan (after all, accidents don't make an announcement before they happen), and people realize, hey, I wasn't following these policies the company has spelled out for me.

If Bord Gais had actually encrypted all of their laptops (all indications seem to point that the one laptop not encrypted was an oversight) with information security software like AlertBoot hard disk encryption or if file encryption had been used to protect only the important files, their data would still be protected even if people were lax when it comes to data security.

The good news is that, so far, there haven't been any customers calling Bord Gais that they've been victims of fraud. This is not a guarantee that it won't happen in the future, but it looks like

Related Articles and Sites:
http://www.sbpost.ie/post/pages/p/story.aspx-qqqt=IRELAND-qqqm=news-qqqid=42906-qqqx=1.asp

Hard Drive Encryption Software: 'MagicKey' Program For Disabled On Stolen Computer

sang_lee — Sat, 04 Jul 2009 00:17:00 GMT

A professor in Brazil has found his research set back by six months due to the theft of a computer from a university building. The initial assumption was that the computer was stolen so that it can be resold, but the professor is not so sure now. While not mentioned, it's quite apparent that drive encryption software was not used to secure the contents of the stolen computer, which could be a good thing (possibly).

MagicKey Software - Maybe the Magic Is In Backing Up Data

Professor Luís Figueiredo, at the Polytechnic Institute of Guarda (Escola Superior de Tecnologia e Gestão do Politécnico da Guarda), has been researching and developing since 2004 a software package for disabled people. Dubbed "MagicKey," it allows disabled people to control computers with the movement of the eyes.

It seems the only backup of the software was done at the beginning of the year which, honestly, is the good professor's fault. I'm sure he's a busy man, and he's got plenty of things on his plate, but he should have periodically made backups.

I mean, what if he didn't lose his data because his laptop got stolen? What if he had dropped the computer while carrying it around? His research would still be set back by 6 months, and in that case there literally would be no one else to blame but himself.

There are many facets to data security. One of them is preventing its theft so others won't "share" that data with you (preventing a case of "you have it; they, too, have it"); the other form of data security is ensuring continued access to the data no matter what (i.e., they may or may not have access to it, but you certainly don't).

Backing up data is the only method of ensuring the second scenario does not take place, especially if one's laptop gets stolen.

The Signs

There are signs, however, that Prof. Figuereido's laptop wasn't just a random theft. First, there is the fact that the computer was stored in a cabinet at the far end of a corridor with minimal traffic. Indeed, the only reason one might find himself on that corridor is because he has to go to that cabinet.

The second is that other items of value in the vicinity were not stolen. Stored inside the cabinet, right next to the laptop, were a cellular phone and a digital camera.

There is also the fact that a security camera pointing towards the cabinet was broken since April, and couldn't record images. (This is either a heck of a coincidence or a carefully planned-out theft.)

An Appeal

The professor has made an appeal for the thief to allow him access to his research. He doesn't really need the laptop back, just his work. Apparently, there is software installed on the stolen laptop that will allow him to make backups remotely.

Of course, this implies there is no encryption software like AlertBoot installed on this particular computer.

Assuming that the computer was not stolen because of the MagicKey software, it may be fortunate that hard disk encryption was not used. On the other hand, it's a less than ideal situation.

What should have happened: the professor should have encrypted the contents of his laptop and made backups of his work (which also would require encryption.)

Related Articles and Sites:
http://www.novaguarda.pt/noticia.asp?idEdicao=184&id=12224&idSeccao=2510&Action=noticia

Drive Encryption Software Matters: Working At Home Can Eventually Cause Data Breach

sang_lee — Fri, 03 Jul 2009 01:13:00 GMT

Another article, this time from the irishtimes.com, shows how second-hand hard drives sold on on-line auction sites contain enough information to make identity thieves very happy.

A twist on this particular story, however, is that these drives are being traced back to employees who work at home on their personal computers (personal as in the state of ownership, not the size of the computer). Information protection services like AlertBoot data encryption software would help prevent such breaches...but can a company dictate that employees use encryption on their home PCs?

Second-Hand Drives' Contents

A study by Ernst & Young has revealed that used drives bought for as little as five Euros can contain extremely sensitive information such as bank account details, confidential e-mails, etc.

In most cases, the sellers hadn't even erased the information, and were readily accessible. Some had gone through the process of deleting files or reformatting the drive; however, as the E &Y guys correctly pointed out, it's still easy to retrieve data.

Reformatting the drive, for example, doesn't really erase data. What it does is the following:

Erases data on the address tables (i.e., bookkeeping information to keep track of where your data files can actually be found. Information for the same file can be separated into chunks and saved in different parts of your drive, and is reassembled when called for)

Runs disk checks to figure out sector reliability, and mark the bad ones as unusable

Creates a new address table since the old one was erased

In other words, most of your data is still there...it's just that the computer can't find it on its own (on account of having deleted the address tables). However, there is plenty of cheap software out there that can recover this information for you.

Likewise, deleting data just marks a particular area in the hard drive as "available for data to be written."

Deleting Data? No! Overwriting Data

Technically, there is no way to "delete" data. As pointed out, what gets deleted is essentially the way for the computer to retrieve that particular piece of information. The only way to "delete" data is to replace it.

And, the only way to replace data is to write over it with new data. In fact, what your IT department does prior to tossing a hard disk is pretty simple: use data writing software on them to write random information throughout the disk.

Run it three times or so for modern disks, and it's pretty much guaranteed that the old data--the sensitive e-mails, bank account numbers, etc.--will not be recoverable.

Using Encryption Software

The use of encryption software can also achieve the same degree of security, since information is stored in a random format (it only turns back into usable information when a password is provided). Assuming the password to access the encrypted disk is not attached to the drive, the contents of the drive are secure when one decides to sell it on eBay.

The problem is--and I'm not lawyer but I think this sounds about right--a company can't dictate what one does with his personal property. I guess the correct solution would be not to allow corporate files to be downloaded to home computers, or to only allow encrypted files to be downloaded, or even to give corporate laptops employees working from home.

Since that particular computer is company property, installing encryption and protecting the contents would be feasible.

Related Articles and Sites:
http://www.irishtimes.com/newspaper/finance/2009/0703/1224249965663.html

Disk Encryption Software: PA State Rep's Laptop Stolen

sang_lee — Thu, 02 Jul 2009 01:30:00 GMT

State Rep. Frank Dermody, a Pennsylvania state representative, has had his state-issued laptop computer stolen. There was no sensitive data on the computer, according to the Pittsburgh Tribune-Review. This is probably the best type of data security one could have: no sensitive data means no data breach. But, this doesn't preclude the need for data security software like hard disk encryption from AlertBoot.

Why Encryption And Other Security Software Needs To Be Installed

The problem with computers is that generally one can't be absolutely sure that there was no sensitive information stored on them. Sure, they start out being used for some "official" purpose, and documents are signed and initialed to establish that a computer user has read and understood an agency's computer security policies.

But soon enough, the use of that computer devolves to other things as well, especially for laptop computers. Why? Because they are portable, and can be taken outside a workplace; and once they're out of the workplace...

Maybe the kids will want to surf the net, and the home computer has been sent for repairs, so one turns to the work computer. Or maybe the home computer can't be trusted, and one knows the workplace computer is better protected and maintained, so that's used for on-line banking...which actually turns out to be a phishing scam.

So, even though it may not be the case in this particular instance, the use of information security programs like encryption software, antivirus software, and other programs (as needed) should be installed on a computer.

Maybe Encryption Software Was Installed?

In the case of our state representative above, I get the feeling that disk encryption was used on the now-missing laptop. According to the Pittsburgh Tribune-Review, the legislature's IT department "erased [Rep. Dermody's] password" when he contacted them about the laptop's theft.

Which, outside the context of encryption, doesn't make much sense. For example, let's say that there was password-protection on that computer. If one gets rid of the password...well, what's protecting it?

On the other hand, if an encrypted computer's password is deleted, encryption still protects the contents of that computer. In fact, getting rid of the password is probably the best policy if a computer gets stolen. This way, the only way to gain access to the computer is by figuring out the encryption key, which is harder to randomly guess than a password (well, assuming your IT guy did his job properly).

Related Articles and Sites:
http://www.pittsburghlive.com/x/pittsburghtrib/news/breaking/s_631883.html