Archive for April, 2007

Quick Links on Laptop Security

Tuesday, April 17th, 2007

Here are some great articles in the news recently about laptop security:


The laptop recovery process

Tuesday, April 17th, 2007

How does the laptop recovery process work here at Absolute Software?

  1. Report your theft to the police and keep your file number handy
  2. Report your theft to us online (corporate | personal) or call 1-800-81-THEFT
  3. We do the rest!

We will work with law enforcement to find your computer. We relay info such as your computer’s recent connections with our monitoring center and its last known location.

In addition to our software, the relationships we have with over 800 police departments, government agencies and private firms make it possible for us to recover your laptop. We recover 3 out of 4 stolen computers (according to the FBI) – that’s compared to a 3% recovery rate without one of our products (according to the FBI).

For more information visit our site.


IRS loses 490 laptops

Tuesday, April 17th, 2007

According to an audit [PDF] conducted by the Treasury Inspector General for Tax Administration, the IRS has lost 490 laptops over the past three years. A "large number" of these lost laptops were stolen from cars and homes of IRS employees; 111 were stolen from IRS offices.

The audit concluded that the IRS is not adequately protecting confidential information. IRS employees are not aware of security protocols and thus confidential information is being left unencrypted.

"We conducted a separate test on 100 laptop computers currently in use by employees and determined 44 laptop computers contained unencrypted sensitive data, including taxpayer data and employee personnel data," the report said. "As a result, we believe it is very likely a large number of the lost or stolen IRS computers contained similar unencrypted data."

An audit in 2003 noted that data on laptops and other disk drives was being left unencrypted. Corrective actions have not been sufficient as the problems still persist.

The IRS has since deployed full disk encryption technology and cable locks for all laptops.

It seems clear that the problem is twofold: inadequate technology deployment and inadequate employee training. The audit identified risks being introduced by system administrators as well as poor employee awareness of what constitutes confidential information and how to protect it. Employee training is also underway to address these issues.

Via Computer World

Data Security for K-12

Wednesday, April 11th, 2007

Patricia Deubel writes about data security in K-12 education on THE Journal. Patricia writes about the importance of balancing technology with security awareness – that it’s a combination of software and education that will provide the best overall data security. This is true for any organization, but educators have a greater need to teach students about data security as a part of their computer education.

Data security threats come in many forms, from laptop loss to viruses to hackers to crashes and more. Some may be intentional, some not. Patricia recommends that school districts put in place the necessary hardware and software, as well as policies, for data security.

There is a balance to achieve between data security and restricted access. Some software solutions may block valuable Internet resources and software, so educators need to find the right solution for the needs of both students and faculty.

Recommendations include:

  • Store backup data offsite
  • Install software for data recovery
  • Set up firewalls
  • Install virus and spyware protection
  • Set up an identity solution for system rights
  • Use software like Absolute’s for laptop recovery
  • Create policies for acceptable use of data (and consequences for misuse)
  • Educate students and faculty about security risks and best practices

The latter two points can be the most difficult tasks at hand. For additional resources on creating policies and educating students and faculty about data security, visit these resources:

Also check out Absolute Software’s solutions for the K-12 market to learn more about how Absolute Software is keeping laptops safe for educators.

Via Educational Technology

National Health IT Legislation Expected

Wednesday, April 11th, 2007

Heather Hayes reports on FCW.com about the increased likelihood of new National Health IT legislation. The legislation has been on the rocks for the past year, never making it to a vote. Now, the winds have changed.

The shift has a lot to do with politics. The Democrats became the majority party in the House of Representatives during the 2006 midterm elections, after 12 years as a minority party, and their caucus holds a majority in the United States Senate. Health care issues have been high on the Democratic agenda. Advocates for a National Health Information Network are optimistic that this will mean positive things for passing a new legislative framework for health IT.

One big improvement in health IT will likely be in favor of tighter privacy rights for patients. The Democrats have taken strong positions on privacy issues including the right to consent to data disclosure and the private right of action if and when a privacy breach occurs.

Michael Zamore, a senior policy adviser to Rep. Patrick Kennedy (D-R.I.), said the inclusion of strong privacy provisions will be critical to the passage of any health IT bill because many Democratic lawmakers believe that without strong privacy protections, health IT will fail in the long term.

“Success in transforming health care through information technology is predicated on a level of acceptance and trust by consumers,” Zamore said. “If that trust level isn’t there, then the whole IT enterprise will be set back. There’s nothing that could undo the years of effort toward a digital health information system faster than one or more highly publicized breaches that compromise patient privacy.”

For more information on patient privacy rights and the current legislation, visit the non-profit Patient Privacy Rights site. For those interested in the future of health care in the United States, read Thomas Elwood’s report in the Journal of Allied Health.


DOE computer security found lacking

Wednesday, April 4th, 2007

A report issued this month by the Inspector General of the Department of Energy (DOE) found that security at the DOE’s Counterintelligence Directorate (CN) was not up to par.

The investigation’s objective was to assess the internal controls on computer data at the CN, which is tasked to protect classified data and nuclear weapons against espionage by foreign entities. The investigation revealed that the CN had lost 20 computers, 14 of which held classified information and the remaining 6 of which may contain classified information. Several security protocols were overlooked in relation to the labeling of computers holding classified information.

Inspector General Gregory Friedman reports that "the inventory records were so imprecise and inaccurate that the Directorate had to resort to extraordinary means to locate an additional 125 computers."

The report concluded that the CN’s computers were not properly safeguarded against loss and theft.

The Inspector General’s recommendations include strengthening the internal controls, changing the reporting structure for lost computers, and labeling all computers with Unclassified, Confidential, Secret, or Top Secret.

Read the full report here (PDF).

Via UPI, TechWeb’s darkReading, Information Week


Symantec Internet Security Report

Monday, April 2nd, 2007

According to the most recent report released by Symantec Corp. (March 19, 2007), data theft, data leakage and targeted attacks are posing an increased threat as hackers become more sophisticated in their methods to access confidential information for financial gain. Theft or loss of a data storage device (such as a laptop) accounted for the majority of all identity theft-related data breaches.

Symantec’s Internet Security Threat Report indicates that ‘cyber criminals’ are collaborating at a global level and are continuing to refine their methods. Bot network owners are consolidating their servers and increasing their attacks – there were 29% more bot-infected computers in the latter half of 2006 over the first half. Trojans accounted for 45% of the top 50 malicious code samples. Together, bots and Trojans increased the threats to confidential information.

Theft or loss of a computer or data storage device (e.g. USB key) accounted for 54% of all identity theft-related data breaches.

“As cyber criminals become increasingly malicious, they continue to evolve their attack methods to become more complex and sophisticated in order to prevent detection,” said Arthur Wong, senior vice president, Symantec Security Response and Managed Services. “End users, whether consumers or enterprises, need to ensure proper security measures to prevent an attacker from gaining access to their confidential information, causing financial loss, harming valuable customers, or damaging their own reputation.”

Symantec reported, for the first time, on the trade of stolen confidential information. The data indicates that 51% of known Underground Economy Servers – used to sell information – are in the US and that an identity sells for very little: $14 to $18. The underground economy for identity trade could be in the millions or billions of dollars.

Symantec reports that data breaches (the result of hackers, theft, computer loss or security policy failure) affected the government the most heavily, at 25% of all data breaches. The attacks on governments often exploit medium-severity vulnerabilities, which are often not patched as quickly.

Cyber criminals are becoming more creative and collaborative in their attacks. The underground economy for identity trade is lucrative, and data from large organizations and governments will be particularly at risk.

Hat tip to flying hamster
