Archive for September, 2008

Confusion a Barrier to Encryption Adoption

Friday, September 26th, 2008

CertifiedMail and Osterman Research have released the findings of a study on encryption adoption.

The Encryption Solution Implementation Landscape report indicates that data is being put at risk mostly by a lack of understanding about encryption technologies. The three main areas that people cite as holding back encryption are: encryption legacy perceptions, a lack of awareness of the availability or ease of use of solutions, and a lack of understanding of the type of data that must be encrypted.

As Kelly Mackin, COO and President of CertifiedMail, notes, businesses no longer question the need for anti-virus or anti-spyware software, and it is now time to extend this line of thinking to other ways of protecting confidential data. Encryption and laptop security software, among other security tools, should become standard practice.

Here are some of the highlights of the survey, which involved 205 organizations and more than 13,000 respondents:

  • 47% of organizations did not have the ability to send encrypted emails from their desktops
  • 45% can send encrypted email manually through their email client (22% of them found it difficult)
  • 13% can send encrypted emails automatically through some sort of policy-based encryption capability
  • 27% of organizations had experienced an accidental or malicious data leak during the previous 12 months

The survey found that users believed that encrypting email was a difficult process, although part of this has been attributed to perception rather than experience. Many users have experiences with legacy systems that have biased them against the easier tools today. The survey found an eagerness among respondents to have “click of a button” encryption available in email clients, with nearly one-half of users wanting automatic encryption capabilities.

Via security watch ; Image: iStockphoto.com

Kids Targets for ID Theft

Friday, September 26th, 2008


Children are increasingly becoming the targets of identity theft. Although the problem is not new, it is possible the issue is more common than was previously realized.

Identity thieves target children for a number of reasons: a stolen Social Security Number can be associated with crimes, used for lines of credit, or used for work purposes. Most people do not consider that their children are at risk for these crimes, so many go undetected for long periods of time. From 2005 to 2007, more than 34,000 reports of identity theft involving minors under age 18 were made to the Federal Trade Commission.

With adults, identity fraud can usually be detected more quickly. Children, however, are not attempting to apply for loans or credit cards, and so don’t have that trigger situation to highlight the issues. Sadly, in about 50% of cases, the thief is someone known to the child.

Randy Waldron Jr., now 27, has spent the last 10 years trying to clean up his reputation after his father abused his Social Security Number to run up millions of dollars in debt.

Some tips to protect your child’s identity include:

  • Shred all papers that contain Social Security Numbers
  • Store Social Security cards in a safe place – don’t carry them
  • Investigate if your child receives pre-approved credit applications
  • Ask for a credit report for your child – there shouldn’t be one yet for minors, so if there is, it may be problematic
  • Be wary when providing documentation to anyone that could be used for fraud

Via AP, AP ; Image: Microsoft Office Clipart / iStockphoto.com

Avoiding Post-Hurricane Fraud

Wednesday, September 24th, 2008


The Federal Trade Commission (FTC) is warning victims of Hurricanes Ike and Gustav, and donors to the recovery, to beware of identity theft scams.

The FTC works to prevent fraudulent, deceptive and unfair business practices, and to educate consumers about these practices. One such warning involves being extra cautious in the wake of current events, particularly those that pull at your heart strings. Many people will take advantage of natural disasters like Ike and Gustav to create bogus fund-raising operations.

The FTC advises consumers to give to charities that have been around for some time, as they are best prepared to deliver assistance, and to ensure (among other things) that they are donating to the charity they intended. The FTC recommends a checklist of things to do to avoid becoming a victim of fraud.

In addition to charity fraud, victims of Hurricanes Ike and Gustav are cautioned against becoming victims of home repair fraud. The FTC recommends taking the time to check the references of your contractors and being responsible with your payment process. The FTC reminds consumers not to sign an insurance check over to a contractor.

In order to get relief benefits or replacement documents, victims of the hurricanes will need to share personal information. Be cautious of scammers claiming to be government officials: check their IDs and know that the government never charges application fees.

Here are some resources from the FTC:

Via MarketWatch ; Image: NASA by Jesse Allen

Computrace Adding Remote Data Retrieval Feature

Wednesday, September 24th, 2008


Absolute Software is beefing up its Computrace laptop security solution with the addition of Emergency Remote Data Retrieval features.

Emergency Remote Data Retrieval will allow Absolute clients to retrieve sensitive files on a stolen or lost computer prior to initiating the data delete operation.

John Livingston, Chairman and CEO of Absolute, notes that:

“In providing theft recovery services for more than ten years, we have learned that mobile computers unfortunately go missing when our customers least expect it. Often, these computers contain sensitive information or unique documents that are not saved anywhere else. Ask yourself, how often you back up your own files, and you will get a sense for how often this is the case – particularly for regular business travelers. Delivering the ability to select these files, remotely retrieve them and then delete them from a stolen computer is a major pillar in the ultimate mobile computer management and security system.”

This new feature will add to Absolute’s comprehensive suite of theft deterrents and post-theft mitigation capabilities. It will allow customers to continue working, without the loss of files, while also having the peace of mind from the remote data delete and laptop recovery services.

Read more from the press release here.

Turning Employees into Security Assets

Tuesday, September 16th, 2008

Glen Kosaka has a feature article on CSO Online entitled “Five Ways to Turn Employees into Security Assets for Protecting Data”. Considering that employees are often the source of data breaches, this is a look at how to turn your employees from security liabilities into security assets. While some data breaches happen as the result of accidents, many are unavoidable.

The 5 recommendations for turning employees into security assets are:

  1. Make data security part of the company culture - getting department managers involved in locating sensitive data & setting access, use & protection policies; training employees for their own use and on ensuring others observe policies
  2. Integrate data leak prevention processes into overall workflow – have policies on data access & tracking that extend to new data, new employees, new departments and for mobile computing (or other new threat vectors)
  3. Make employees feel like security assets, not liabilities – with training and awareness programs
  4. Prevent the temptation to engage in “harmless” policy violations – by clarifying grey areas like taking data offsite, copying or storing data and transporting data
  5. Teach employees about policies while enforcing them – take action quickly and block actions that are not desirable. Have data leak protection technologies to monitor and prevent leaks, but also to educate employees if they try to do something that is against policy.

Read more details about these recommendations here.

Wireless Security Basics

Tuesday, September 16th, 2008

Ars Technica has published a great article about Wireless Security. The article references their past work looking at wireless security, in both theory and practice.

The second piece of work they reference, The ABCs of Securing Your Wireless Network, is a very valuable piece of work. It sets out basic instructions on securing your wireless router and is geared more towards the non-tech crowd, rather than IT security experts. For small businesses, this is a great resource.

For other Wireless Security Basics, check out these other resources:

—-

Bruce Schneier has also announced that he has a new book of essays out called “Schneier on Security”. Bruce is a security expert I enjoy reading – his articles are insightful but also understandable.

Creative Laptop Security Training

Tuesday, September 16th, 2008

I’ve previously written about some creative techniques for laptop security training in the office (see: Mission: Laptop Security, Guerilla marketing security campaign), but this one trumps those in terms of impact. This technique is sure to be remembered – and that’s rather the point.

Augusto Quadros Paes de Barros wrote on Security Balance about visiting a company whose employees work almost exclusively on laptops. Each employee is given a laptop security cable, as part of their security training, but the unique aspect comes into play when the cable is forgotten.

When an employee forgets to use the security cable, an IT support employee will “steal” the laptop and leave a note in its place. The note indicates that the laptop has not been stolen, but was taken to another room to illustrate how easily it could have been stolen. Granted, a security cable isn’t the end-all solution to laptop security. It’s a theft deterrent and should be used with other security measures, like a theft recovery service. But if you’re a thief and have a choice of stealing a laptop with or without a cable – you’d probably go for the one without.

Comments on his post indicate that this practice has been used by other companies, some of which place the laptop in the boss’ office. Another incentive not to get “caught.”

What do you think of this technique?

Understanding Social Networking & Privacy

Tuesday, September 16th, 2008

A number of great articles have come to the forefront in the news of late about the risks of social networking and privacy, specifically the privacy issues that result from users (mostly younger people) sharing too much information online.

Many teens would be astonished to know how much information about themselves someone could glean from their Facebook profile, for example, or how much additional information can be gleaned by using free tools like Canada411.com. Phone numbers, home addresses, schools – all of this information poses a security risk to young people when posted online. Not to mention all the photos. Identity theft becomes an issue, in addition to risks to one’s reputation or even personal safety.

comScore indicates that nearly 17 million Canadians are on Facebook, and 4.5 million are on MySpace. The Globe and Mail recently completed a 2-month investigation of social networking sites to prove a point about the information a casual observer can gather on an individual.

Anastasia Goodstein, author of Totally Wired: What Teens and Tweens are Really Doing Online, believes that teens are pre-conditioned to sharing personal information because of a level of openness that is reflected to them in reality television. Attention is sought after, and part of that involves openly sharing minute details of one’s life, and privacy goes out the window.

That said, somewhere in the area of 30-40% of Facebook users actually read and modify their privacy settings, as opposed to less than 1% on most other websites. In terms of privacy, 100% of people need to be aware of the privacy options available to them, and also of the risks associated with exposing certain types of information.

A whole new industry has sprung up to help people clean up information they have shared online. For example, parents will hire a company to clean up the social networking profiles of their kids as they graduate from university. Research indicates that 77% of employers check social networking profiles, so this isn’t a bad idea.

Continue reading more here or read about 5 ways to save face with Facebook here.

Airport Security-Friendly Laptop Bags

Friday, September 12th, 2008

The Transportation Security Administration (TSA) has changed its policies (as of August 16) to allow for certain types of laptop bags to go through the security scanner with the laptop inside. No need to take out the laptop – a process that takes time and risks the laptop being accidentally dropped or stolen.

There are several new laptop bags that meet the TSA criteria of:

  • Designated laptop-only section
  • Laptop section completely unfolds to lay flat on x-ray belt
  • No metal snaps, zippers or buckles around the laptop section
  • No pockets around the laptop section
  • Nothing packed in the laptop-only section other than the laptop

Computerworld has put together a good list of the laptop bags available already to meet these new specs. The laptop bags fall into 3 types:

  1. Butterfly-style to open flat: one side the laptop, the other side storage
  2. Double- or triple-compartment bags that unfold (like a garment bag)
  3. Notebook sleeves (many existing on the market)

The bags that have been manufactured fall into many categories – from standard shoulder bags to wheeled bags to folded-backpacks. There’s probably one to fit your preference.

Having one of these bags will not guarantee that you won’t have to remove your laptop – if the security scan doesn’t give a clear enough picture of your laptop, you will have to take it out.

Healthcare Compliance Courses from HCCS

Friday, September 12th, 2008

Health Care Compliance Strategies (HCCS) announced this week three new versions of its online compliance courses.

HCCS is a provider of online healthcare compliance and competency training. The three courses they provide are:

  • HCCS Professional Compliance
  • Corporate Compliance
  • HIPAA for Health Plans

The courses are aimed at physicians, billing staff and other employees. They teach fraud awareness, coding and documentation, risk areas, how to build a compliance program, provider relationships, HIPAA awareness, electronic transactions and enforcement.

The courses change whenever rules, regulations, laws or other information is updated. Given that employees form one of the largest “issues” in any security program, online and interactive courses are a great way to enhance your training program. Also visit Absolute Software’s website to learn how we can help with healthcare computer security.

—-


And in other news, Absolute Software has added another conference to its schedule – the ASIS 2008 conference in Atlanta, Georgia.

Meet Absolute at the Booth

Location: Booth 2425
Dates: Monday – Wednesday, September 15-17, 2008
Time: 9:00 am – 4:30 pm
