Archive for July, 2008

According to a new Information Security report [PDF] from the US Government Accountability Office (GAO), 70% of the 24 major federal agencies surveyed last summer had not yet installed encryption technologies on laptops and handheld devices.

The report, which highlights data gathered from July – September 2007, indicates a confusion about encryption requirements. At the time of the survey, all agencies had initiated efforts to deploy encryption technologies, but none had documented a plan to guide the deployment activities.

“While all agencies have initiated efforts to deploy encryption technologies, none had documented comprehensive plans to guide encryption implementation activities such as installing and configuring appropriate technologies in accordance with federal guidelines, developing and documenting policies and procedures for managing encryption technologies, and training users. As a result federal information may remain at increased risk of unauthorized disclosure, loss, and modification.”

It is likely that governments will provide security solutions such as encryption for laptops before other devices such as mobile phones or thumb drives. Agencies and businesses alike will face increasing challenges in identifying and securing the myriad of mobile devices that could potentially breach sensitive information. Even then, device encryption is only one element of a comprehensive data security policy.

—

And some internal news - Absolute Software was selected for the CDW Sapphire Partners Program, which offers a proactive approach to embracing breakout technologies. Read about it here. And learn more about Absolute Software’s computer security solutions for Government here.

Via pogowasright, PC world ; image: mconnors @morguefile Tags: data security, device security, laptop security, laptops, encryption

In the week since I last checked Attrition.org, there have been some notable data breaches. Rather than detail them in individual articles, here are the fast facts for some of the larger breaches:

Who Breached: Tinley Park Village Hall
Number Affected: 20,400
Information breached: Social Security Numbers
Details: Backup tapes with data up to 15 years old lost during transport. More info…

Who Breached: Saint Mary’s Regional Medical Center
Number Affected: 128,000
Information breached: Some health information / SSNs
Details: A database may have been accessed in April, affected individuals are being mailed according to the information stored. More info…

Who Breached: Blue Cross and Blue Shield of Georgia
Number Affected: 202,000
Information breached: Medical information & some SSNs
Details: The health insurer sent letters with personal information to the wrong addresses. Information included patient ID number and some SSNs. More info…

Anheuser-Busch suffered a breach as a result of a lost laptop, but it is as yet unknown how many people were affected. And lastly, both the Ohio University and the University of Houston accidentally posted Social Security Numbers online. An increasingly common source of breach, perhaps the result of some of the obstacles to Higher Education Data Security we talked about here?

Tags: data breach, data breaches, security breach, breach

The International Society for Technology in Education (ISTE) has released the National Educational Technology Standards (NETS) 2nd edition. This 2008 edition is updated from one released in 2000 and sets the bar for integration of technology into education.

While the 1st edition focused on concepts, knowledge and skills, the change in the technological landscape in the last 8 years has meant many changes. As such, the 2008 standard provides a framework for taking education into the digital age.

Examples of information in the 2008 NETS standard include:

• engaging students with real-world issues using digital tools
• model collaborative knowledge
• use technology to enable students to pursue individual goals
• let students actively manage their own learning
• teach responsible social interactions with the use of technology
• participate in global learning communities

Check out the 2008 standards here.

Hat tip to sjbrooks-young Tags: iste, nets, technology, education, technology standards

The National Institute of Standards has released a new draft of recommended guidelines on cell phone & PDA security, helping companies to navigate this overlooked area of data security. Mobile devices pose an increasingly large risk to data security. Lost or stolen laptops are currently one of the main causes of data breaches, so the increased data access capabilities of even smaller mobile devices increases the risk of data breaches as the result of lost or stolen devices.

Publication SP 800-124 provides an overview of mobile devices in use today and insights on making IT security issues regarding their use. Threats increase for handheld devices due to their size & portability and the available wireless services. These two issues increase the risk for loss / theft, unauthorized use, malware, spam, electronic eavesdropping, electronic tracking, cloning and server-resident data.

The guidelines give many examples of these types of threats as well as safeguards that can be put in place. The safeguards suggested include:

• Central management of devices – have organization-issued devices with a system to centrally configure and manage devices & their updates
• User-oriented measures – teaching employees about procedures to follow using organization devices (understanding the security features & how to use them)
• Authentication – require user authentication with PINs and passwords
• Backup data
• Reduce data exposure – avoid sensitive information being on, or accessed by, any handheld device. Encrypt any sensitive data.
• Turn off wireless interfaces – minimize risk by only turning them on when needed
• Add security software such as firewalls, antivirus, VPN, etc.

There are very detailed suggestions about how to centrally organize devices and their capabilities. Download the study here [PDF]: “Guidelines on Cell Phone and PDA Security (Draft).” In addition, you may wish to review the “Performance Measurement Guide for Information Security” Study [PDF].

Absolute Software also provides security solutions for handheld devices with Computrace Mobile. Check it out here!

Hat tip to Dan Lohrmann Tags: mobile security, data security, mobile security policy, it security, cell phone security, pda security, handheld devices

Absolute Software has announced that its consumer laptop recovery product, LoJack for Laptops, will now be available from Costco.com in the US.

For a limited time, people with a Costco membership can receive special pricing on LoJack for Laptops (both Standard and Premium editions) for PC or Mac.

“We’re excited to introduce Computrace LoJack for Laptops to the large U.S. customer base of Costco.com,” said Mark Grace, Vice President of Consumer Business for Absolute. “Costco has distinguished itself among consumers as a major consumer computer retailer with a large selection of computers and software products. Offering Computrace LoJack for Laptops through Costco’s convenient online shopping cart will make it that much easier for consumers to obtain protection for their computers and the precious information they often contain.”

Read more from the press release here or purchase LoJack for Laptops from Costco here.

Tags: costco, lojack for laptops, lojack, laptop security, costco.com

The U.K. Ministry of Defence has revealed some startling figures about laptop loss for the last four years: 659 laptops have been reported stolen and 89 lost.

These figures contradict earlier investigations by the Ministry of Defence that put the new figures at double previous figures. Of the laptops lost since 2004, only 32 have been recovered. In addition to these lost laptops, 121 USB memory sticks have been lost or stolen since 2004, some of which held restricted / classified data. You can read more on these breaches here.

Liberal Democrat MP Sarah Teather stated to parliament that:

“It seems this government simply cannot be trusted with keeping sensitive information safe. It is frightening to think that secret MoD information can be lost or stolen.”

20,000 laptops have been recalled by the Ministry of Defence in order to be encrypted. But these figures highlight the importance of having a layered approach to computer security. Encryption alone is not enough to protect data. You need to be able to recover lost or stolen computers to make sure that information is not accessed by unauthorized users. Absolute Software can help companies / agencies like the MoD recover lost laptops – for more on how Absolute helped solve recent laptop thefts at US airports, read here.

Via intergovworld, computerweekly ; image: cohdra @ morguefile ; Tags: mod, ministry of defence, laptop security, laptop tracking, laptop loss, it security, data breach

SC Magazine has published an article about data security and higher education, written by Josh Shaul of Application Security. The article examines the importance of balancing the need for the free exchange of information with data security risks. As Josh Shaul points out, enterprise security systems are not set up for university data systems and needs, which makes for unique challenges.

Recommendations for data security in higher education include:

• Move towards a centralized IT policy - departmental IT policies make it impossible to be proactive with data security
• Understand the culture & its risks – the demands for access to information by students, professors, administrators and more with few control policies is a culture issue that increases risks to inside breaches
• Restrict access - given that so many people must have access to data, put all high-value data into a secure protected database – a centralized place with restricted access & tight controls. Monitor activity in real time.
• Identify flaws in the system - look at unpatched systems, weak passwords, excessive user access & monitoring. Audit regularly.
• Automate - use a system that automates security process and reports, freeing up IT time for more proactive security measures
• Add real-time detection - have an alert system to deliver intrusion detection warnings in real time (in addition to real-time monitoring of user activity)

Many of these suggestions hold true in any industry, but understanding the culture of higher education and current IT policies, it’s clear that data security requires a fundamental overhaul for many institutions.

To learn how Absolute Software can help improve data security for higher education institutions, read here.

Image: darnok @morguefile ; Tags: database security, education, education security, it security, higher education, data security

The results of a survey that Osterman Research did for FaceTime Communicators indicates that nearly 40% of IT staff surveyed believe that unintentional leaks by employees pose a bigger threat to data security than spyware or malware. 57% of those surveyed believe their corporate data is not adequately protected from leaks via IM / unified communications.

Graph via: FaceTime Communications

And concerned they should be – the latest data indicates that data breaches are rising in 2008, not declining.

The new survey from Osterman & FaceTime surveyed 109 mid-to-large IT organizations in North America. The task of the survey was to understand current concerns and plans about about leak prevention in communications technologies.

The survey also indicates that data security is a top priority for most companies (though not all, sadly). 48.6% of respondents consider information leak prevention for communication technologies like IM to be a top priority or to have existing plans in place to address security issues.

As Matt Hines of eweek states:

So the big picture here appears to be that most IT departments are still scared as hell that they’re missing something in the old email, IM and FTP server world. And with the threat of physical theft of devices or people literally walking out the door with printed sheets or disks seemingly existing as the only other big areas for theft, one could assume that it seems that they’re pretty much still scared of messaging-based data loss in general.

For more resources & news on IM security, read up here:

• IM Security Appliances – Network Computing
• UK businesses ban IM over security concerns – Computerworld
• Facing up to security perils of outbound traffic – ComputerWeekly
• IT Needs More Security – ITWeb
• Companies still love and loathe IM – InfoWorld
• How safe is instant messaging? A security and privacy survey – CNet

Via eweek, market wire Tags: IM security, instant messaging, im, communications, business communications, data security, data breach prevention, breach prevention, it security, security

The Identity Theft Resource Center (ITRC) has compiled records of data breaches for the past 3 years. According to the data, 2008 has seen 69% more reported data breaches than the same period in 2007 (Jane 1-June 27). The breaches in 2008 involved almost 17 million consumer records, with another 40% of the breaches not reporting affected numbers. Lost laptops continue to be the top security issue.

Highlights from the 2008 Data Breach Report:

• 2008 has seen 342 data breaches reported this year
• One third of the breaches come from businesses (27% increase from 2007)
• Full breach stats breakdown: 36.8% general businesses, 21.3% educational institutions, 17.0% government / military agencies, 14.9% health care facilities / companies, 10% banking / credit / financial services entities
• Lost or stolen laptops / digital storage media are the most frequent cited cause of data breaches (>20%)
• After data storage devices, data posted online & insider theft are the next two most reported causes of breaches
• Nearly 40% of reported breaches did not disclose how many consumer records were affected

Though it is very likely that the actual number of breaches is higher due to underreporting, part of the increase in 2008 breaches may be due to an increase in reporting. Companies may be doing better audits to their own security measures as a result of better laws on data breach notification. Linda Foley, co-founder of ITRC, said it is difficult to say whether the numbers show an increase in breaches, an increase in reporting, or both. She said better state laws on data breach notification also might be encouraging more companies to audit their own security measures.

“Part of this may be that organizations are finding out about more breaches because they’re really starting to look for them,” Foley said. “The other part is that companies are coming forward because they want to control the flow and spin of the disclosure.

Download the 2-part report here:

• 2008 ITRC Breach Report [PDF]
• 2008 ITRC Breach Stats Report [PDF]

A number of other 2008 reports are available, breaking down this information. Examples include reports on Accidental Exposure and Insider Theft.

Via washington post Tags: data breaches, data breach, breach, breach report, 2008 data breaches, security breaches, it security, laptop security

The Scottish Ambulance Service in the UK has lost a data disk containing personal information for nearly 900,000 people, but has avoided a serious data breach incident. Unlike many other incidents of a similar kind, the computer disc was both password protected and encrypted.

A computer disc was being transported from the Paisley Emergency Medical Dispatch Centre (EMDC) by the courier TNT when it was misplaced on June 9th. The information included phone records – numbers and patient names – from patients calling in to the ambulance service. None of the information could be used to commit fraud or identity theft.

Given that the disc was well protected and the information not sensitive, it is unclear if the Scottish Ambulance Service will be contacting affected individuals. That said, there is public pressure to understand why a courier was used for patient information and how it could be lost by TNT.

Although there has been some public criticism of the incident, I think it should be applauded that the Scottish Ambulance Service went public with the incident, which was not required in this instance. It appears they followed strict data procedures but that, as this example shows, some data loss incidents happen anyway.

Via Schneier, BBC Tags: scottish ambulance service, data breach, data loss, data security, encryption