Archive for April, 2007

The success of any laptop security program depends not just on the technology, but also the employees. Previous posts have discussed the importance of training in the implementation of an effective security policy. A new survey in the UK highlights the growing need for security training.

SafeBoot conducted a survey of 750 consumers and business users, of which nearly half had security on their laptops but did not know how to use it. A quarter of the respondents have had their laptops stolen, yet the attitude towards learning more about security remains quite lax.

The data suggests that millions of workers in the UK are potential security hazards. The fact that employees don’t know how to use security technology and remain uninformed about safe laptop practices, suggests that companies are also lax in their security policies. Employees are not being properly educated about security for laptops or the consequences of a data breach.

The correlation between lax security attitudes and a 70% growth in identity theft in the UK can’t be easily ignored.

Via Channel 4 & Evening Times ; Tags: identity theft, id theft, data breach, data security, laptop security, security policy

John Leyden reports on The Register that data theft and regulatory compliance have replaced malware and hacking as the top security concerns to businesses.

Vanson Bourne and Cisco conducted a poll of 100 enterprise IT security chiefs in UK companies. 38% of respondents place information theft as their top concern and 33% worry about regulatory compliance. In 2006, the top concern indicated was viruses, at 55%. Only 27% still consider viruses the top threat.

The survey suggests that internal threats from errant employees are increasingly a concern to security professionals. 43% of respondents are concerned with staff passing off or stealing confidential information and property. The focus has reversed from external threats to internal threats.

"In 2006, security concerns were focused on mitigating specific, typically external threats, but our research finds that security professionals are taking a more business-oriented approach in 2007," Cisco senior security advisor Paul King said. "They are concentrating on safeguarding the information at the heart of the business, regardless of the form the attacks may take or where they may originate."

Over half of the respondents expressed frustration in getting their concerns heard at the board level. IT security was not being considered a board-level issue in these cases. This poses a barrier to an effective security policy.

As security threats move inwards, it is increasingly important that security be a company-wide issue.

Tags: security, internal security, data theft, security professionals, it, it security, security training, security policy

The Department of Justice (DOJ) today issued a fact sheet on identity theft and released a statement regarding the President’s Identity Theft Plan.

According to the DOJ fact sheet, the DOJ charged 507 defendants with aggravated identity theft in 2006 – more than double the 226 from 2005. Another 1945 defendants were charged with both identity theft and aggravated identity theft. The DOJ fact sheet outlines a number of specific examples of identity theft prosecution in a wide range of schemes.

In other DOJ news, Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras today announced the completion of the President’s Identity Theft Task Force strategic plan to combat identity theft at the Federal level.

“Identity theft is a blight on America’s privacy and security landscape,” said FTC Chairman Majoras. “Identity thieves steal consumers’ time, money, and security, just as sure as they steal their identifying information, and they cost businesses enormous sums. The Strategic Plan submitted to the President provides a blueprint for increased federal prevention and protection.”

The plan focuses on ways to improve identity theft prosecutions, ways to enhance data protection, and improved guidance and assistance.

Recommendations include:

• Reduce the use of Social Security numbers by federal agencies
• Create national personal data safeguard standards for the private sector
• Require public disclosure of data breach
• Run an awareness campaign
• Create a National Identity Theft Law Enforcement Center for the coordination of law enforcement agencies
• Amend the identity theft statues (many specific recommendations cited)

For more about identity theft, visit the Task Force’s newly-launched website: www.ftc.gov/idtheft

Tags: doj, department of justice, identity theft, identity law, federal law, presidents task force, identity theft plan

As the Seattle PI reports, the proposed Washington State law on identity theft protection is one signature away from being passed.

The proposed law (Senate Bill 5826) would allow anyone (not just victims of identity theft) to obtain a credit security freeze. It would also give consumers access to their credit in an emergency.

Senator Jean Berkey, who originally authored the legislation in 2005, says that "Identity theft is a different kind of attack, and we can’t assume that law enforcement will protect us. We all need to take responsibility for our self-defense, and a credit freeze helps shield us from identity theft."

The bill has passed through both the House and Senate and is now awaiting a final signature from the Governor.

Via flying hamster ; Tags: identity theft, washington state, bill 5826, credit protection, law

Here are some great links on laptop security news for your Monday reading:

• Microsoft will issue a security patch on May 8 to address DNS vulnerabilities. Visit Microsoft for workarounds to avoid hacks.
• BBC News reports: Employers warned on e-mail spying
• Bob Bragdon writes on CSO Online about Identity Management
• UK survey reveals lack of consumer trust in the security of their personal data [press release]
• ChildNet laptop theft – 12,000 at risk for identity theft

Tags: laptop security, security, computer security, business security

The FTC has released a publication to help companies protect personal information. Protecting Personal Information: A Guide for Business

The 28-page guide, available for download (PDF) or order, offers suggestions to help protect sensitive data and prevent a data breach.

The Guide is based on 5 key principles:

1. Take stock. Know what sensitive information you have, where it is, and who has access to it
2. Scale down. Keep only what you need for your business
3. Lock it. Protect the information you keep
4. Pitch it. Properly dispose of what you no longer need
5. Plan ahead. Create a plan to respond to security incidents

I think the Guide is incredibly useful to help assess your security vulnerabilities. Just taking stock can be quite complicated. You need to assess every place sensitive information could be stored, how you get sensitive information (web forms, paper, email) and from whom (banks, customers, partners), and where each type of information will be stored. It’s a hefty task.

The ‘lock it’ principle is a long section, outlining general network security, password management, laptop security, firewalls, wireless & remote access, employee training, and detecting breaches.

The Guide is well laid out and is great for companies of any size.

Tags: business security, personal information, sensitive information, protecting sensitive information, data security, information security, data protection

Identity theft is a growing issue in the medical sector. It’s estimated that 200,000 people per year are victims of medical identity theft. And the Federal Trade Commission reports that these figures are increasing.

Health practitioners are under more pressure to protect confidential information. This includes training employees, restricting employee access to some information, keeping security technology & protocols up to date, and ensuring that the protocols are upheld both within the company and with partner companies.

From the patient perspective, here are some tips to keep your ID secure:

• check your medical record for accuracy
• check your bill statements to ensure all the services and charges belong to you
• contact your insurance company if you lose your ID

For more on identity theft, visit the FTC’s Identity Theft website.

Via WKBT ; Tags: medical id theft, identity theft, security, id security

Mark your calendars for a Mobile Security Webinar on April 25th. Absolute Software is hosting the seminar along with HP and Microsoft.

The webinar will be interactive and will help you understand the various security solutions available.

Register here for the Webinar.

Tags: mobile security, webinar, security webinar, hp, absolute software, microsoft

Robert Vamosi makes some great recommendations on how to secure your laptop on a public wireless network.

1. Be conscious of your information: don’t pass sensitive information over a public network. This means no checking your bank balance or paying for something online.
2. Install security programs: antivirus, antispam, antispyware, personal firewall
3. Use a wireless broadband card instead
4. Change your router information: use a unique name, change the password, add some encryption
5. Disable auto-connection to wireless networks

Laptop security is all about paying attention to what you are doing. Be conscious of the risks and take steps to protect yourself.

Tags: laptop security, wireless networks, public wireless networks

The last post inspired me to write about some options for laptop locks. Although a laptop lock won’t prevent all theft, it can deter opportunistic theft.

If you are in a library or hotel, already set up with your laptop, it’s very easy to leave it unattended for "just a second". Unfortunately, it takes just a second for your laptop to be stolen.

The Kensington 64344 MicroSaver Combination Notebook/Computer Lock (Amazon) receives high reviews for its security and ease of use.

It features a combination lock, can’t be easily pulled out or cut, and works with most PC and Mac laptops.

Features to look for in a laptop lock:

• Combination locks with more than 3 dials
• Easy turning dials
• Thick steel cable, helical-wound being the best
• Plastic coating is irrelevant to security
• Compatibility with your laptop
• Ability to secure additional items

Many locks on the market can be easily hacked in under a minute. Be sure to assess the risk of the lock you are considering by searching "Lock Name Vulnerability" on Google. The MicroSaver lock pulls up only positive reviews for this term, so that is a good sign.

More on laptop locks, and their vulnerabilities, from Engadget and Security.org.

Tags: laptop locks, laptop theft, laptop security, laptop cable lock