Government Laptops Mostly Unencrypted

Related entries in Government Security, Laptop Security, Surveys & Reports

According to a new Information Security report [PDF] from the US Government Accountability Office (GAO), 70% of the 24 major federal agencies surveyed last summer had not yet installed encryption technologies on laptops and handheld devices.

The report, which highlights data gathered from July to September 2007, indicates confusion about encryption requirements. At the time of the survey, all agencies had initiated efforts to deploy encryption technologies, but none had documented a plan to guide the deployment.

“While all agencies have initiated efforts to deploy encryption technologies, none had documented comprehensive plans to guide encryption implementation activities such as installing and configuring appropriate technologies in accordance with federal guidelines, developing and documenting policies and procedures for managing encryption technologies, and training users. As a result, federal information may remain at increased risk of unauthorized disclosure, loss, and modification.”

It is likely that governments will provide security solutions such as encryption for laptops before other devices such as mobile phones or thumb drives. Agencies and businesses alike will face increasing challenges in identifying and securing the myriad mobile devices through which sensitive information could leak. Even then, device encryption is only one element of a comprehensive data security policy.

And some internal news - Absolute Software was selected for the CDW Sapphire Partners Program, which offers a proactive approach to embracing breakout technologies. Read about it here. And learn more about Absolute Software’s computer security solutions for Government here.

Via pogowasright, PC World; image: mconnors @ morguefile

IT Leaders Fear Data Loss on IM

Related entries in Security Policy, Surveys & Reports, Web Security

The results of a survey that Osterman Research conducted for FaceTime Communications indicate that nearly 40% of IT staff surveyed believe unintentional leaks by employees pose a bigger threat to data security than spyware or malware. 57% of those surveyed believe their corporate data is not adequately protected from leaks via IM / unified communications.

Graph via: FaceTime Communications

And concerned they should be - the latest data indicates that data breaches are rising in 2008, not declining.

The new survey from Osterman & FaceTime polled 109 mid-to-large IT organizations in North America. Its aim was to understand current concerns and plans regarding leak prevention in communications technologies.

The survey also indicates that data security is a top priority for most companies (though not all, sadly). 48.6% of respondents consider information leak prevention for communication technologies like IM to be a top priority or already have plans in place to address it.

As Matt Hines of eWeek states:

So the big picture here appears to be that most IT departments are still scared as hell that they’re missing something in the old email, IM and FTP server world. And with the threat of physical theft of devices or people literally walking out the door with printed sheets or disks seemingly existing as the only other big areas for theft, one could assume that it seems that they’re pretty much still scared of messaging-based data loss in general.

For more resources & news on IM security, read up here:

Via eWeek, MarketWire

Data Breaches Up 69% in 2008

Related entries in Data Breach, Surveys & Reports

The Identity Theft Resource Center (ITRC) has compiled records of data breaches for the past 3 years. According to the data, 2008 has seen 69% more reported data breaches than the same period in 2007 (January 1 to June 27). The breaches in 2008 involved almost 17 million consumer records, with another 40% of the breaches not reporting affected numbers. Lost laptops continue to be the top security issue.

Highlights from the 2008 Data Breach Report:

  • 342 data breaches have been reported so far in 2008
  • One third of the breaches come from businesses (27% increase from 2007)
  • Full breach stats breakdown: 36.8% general businesses, 21.3% educational institutions, 17.0% government / military agencies, 14.9% health care facilities / companies, 10% banking / credit / financial services entities
  • Lost or stolen laptops / digital storage media are the most frequently cited cause of data breaches (>20%)
  • After data storage devices, data posted online & insider theft are the next two most reported causes of breaches
  • Nearly 40% of reported breaches did not disclose how many consumer records were affected

Though it is very likely that the actual number of breaches is higher due to underreporting, part of the increase in 2008 may be due to an increase in reporting rather than in breaches. Linda Foley, co-founder of ITRC, said it is difficult to say whether the numbers show an increase in breaches, an increase in reporting, or both. She said better state laws on data breach notification also might be encouraging more companies to audit their own security measures.

“Part of this may be that organizations are finding out about more breaches because they’re really starting to look for them,” Foley said. “The other part is that companies are coming forward because they want to control the flow and spin of the disclosure.”

Download the 2-part report here:

A number of other 2008 reports are available, breaking down this information. Examples include reports on Accidental Exposure and Insider Theft.

Via Washington Post

Identity Theft Aftermath Study

Related entries in Identity Theft, Surveys & Reports

The Identity Theft Resource Center (ITRC) has released its 5th annual Aftermath Study, looking into the impacts of identity theft on its victims. The study is both qualitative and quantitative, drawing on the experiences of identity theft victims, and seeks to capture all the impacts, from emotional harm to financial loss.

Highlights of the 2007 ITRC Aftermath Study:

  • Types of identity theft crime: 78% financial, 2% criminal, 2% government (the remainder are combination cases)
  • 57% of victims had their information used to open new lines of credit
  • For non-financial identity theft, 62% had thieves commit financial crimes that resulted in warrants being issued in the victims’ names
  • Nearly 1/3 of identity thefts were initiated by a person known to the victim (5-year data)
  • 82% of victims found out about the theft through an adverse action (10% found out from proactive measures by businesses, 8% saw it on their credit report)
  • Victims spent an average of $550.39 in out-of-pocket expenses for damage done to existing accounts (for new accounts, an average of $1,865.27) and 116 hours to repair the damage (158 for new accounts)
  • 19% of victims indicate it took more than 2 years to resolve their case (70% resolve in up to 12 months)
  • Credit agencies cause delays in fixing records - 31% of victims complain of negative information being put back, 32% of it not being removed, 22% of SSNs being tied to another person’s file, 19% of a fraud alert being ignored
  • 49% of victims report stressed family life

The ITRC trends indicate that obtaining new credit lines, as an avenue for fraud, may be becoming more difficult. They predict that check fraud and debit card fraud, which are increasing, may see further growth as these trends continue.

Victims of identity theft suffer greatly, and it takes a great deal of both time and money to resolve the issues. Some issues, according to the report, may linger long after credit reports are cleared. For example, insurance & credit card rates may go up. Others are unable to get credit (64%) or still have credit agencies calling them. In some cases, victims have difficulty getting jobs or clearing their criminal records (when their identity is used in a crime).

You can download the full report here [PDF]


Celebrity Passports Repeatedly Breached

Related entries in Government Security, Security Breach, Surveys & Reports

According to a report by the State Department Inspector General, and the subsequent press briefing, a number of high profile celebrities have had their passport information breached.

In March, it was reported that the passport records for Barack Obama, Hillary Clinton and John McCain were breached in the same way. This announcement prompted an investigation by the Inspector General into passport security.

The report tested the prevalence of snooping by looking at 150 famous Americans and how many times their files were accessed in a 5.5 year period. The new report found that 127 celebrities, including Beyonce Knowles, have had their personal details illegally accessed by federal employees or contractors. One celebrity record has been breached 356 times by more than 6 dozen people.

Currently, over 20,500 employees and contractors have access to 127 million passport files, which include data such as Social Security Numbers. The report is critical of the lack of security surrounding passports and who has access to them, stating there were many “weaknesses, including a general lack of policies, procedures, guidance and training.” Five contractors have been fired and dozens are under investigation for alleged snooping.

The Inspector General laid out 22 recommendations for improving security, but much of the report has been redacted because officials fear it could provide a road map to further abuse. State Department officials plan to implement most of the recommendations, including adding random audits of passport files and reducing by half the number of people who can view records.


In other passport news, the UK Identity and Passport Service recently published its annual report (PDF), announcing that there were 9,382 fraudulent attempts to obtain a British passport, representing 0.25% of all applications.

Via Computer Weekly, CBS, Privacy Lives

Canadian Information Protection Report 2007

Related entries in Privacy & Security Laws, Surveys & Reports

The Privacy Commissioner of Canada, Jennifer Stoddart, has released the Annual Report to Parliament 2007, a Report on the Personal Information Protection and Electronic Documents Act (PIPEDA). The report details whether companies are complying with PIPEDA.

The Commissioner has called 2007 the “year of the data breach”, in Canada as well as the rest of the world. The report reminds us that PIPEDA imposes a legal obligation on businesses to safeguard personal data, and that human errors and a “cavalier approach to security” resulted in too many data breaches.

“Businesses recognize the value of personal information to themselves – for targeted marketing campaigns, for example. Unfortunately, this perception doesn’t always translate into security measures up to the job of protecting the information from criminals.”

The report indicates that half of the 37 voluntarily reported data breaches in Canada involved electronically stored data, often held in a format not secured with firewalls or encryption.

An important area of the report addresses data breaches that cross borders, making them international rather than purely national concerns. This has vast implications for privacy and for the response to data breaches. In a similar vein, the trend of private-sector organizations (airlines, banks) collecting personal information on behalf of the state blurs the lines between privacy and security.

“The way we address security needs to reflect our society’s fundamental values – including the right to privacy. We must constantly ask ourselves why we accept the growing shift towards security at the expense of privacy. Is it always justified? Is it irreversible?”

The report points out that information technology was a component of nearly every privacy issue and complaint in 2007, and that the privacy impacts of such technologies must be understood and mitigated by consumers and businesses alike.

Ms. Stoddart has laid out many recommendations in the report about how businesses should comply with the 10 “golden rules” of privacy set out in PIPEDA. In addition to great policy & procedure recommendations, the report urges the Canadian government to adopt breach notification legislation.

“Breach notification offers people a choice. Individuals can decide for themselves how to respond to a breach. One person could decide that it would be a good idea to check her credit report more often. Another person may feel no action is warranted.”

You can read the full report here.

Hat tip to Jonathon; via National Post

Ministry of Defence Data Protection Report

Related entries in Government Security, Surveys & Reports

The Information Assurance Advisory Council (IAAC) in the UK was invited to conduct an investigation into the Ministry of Defence (MOD) data protection plans in the wake of the January 2008 data breach of 600,000 Royal Navy recruits on an unencrypted laptop. The report by Sir Edmund Burton, Chairman of IAAC, gave 51 recommendations to the MOD in the policy, practice and management of personal data. You can find the relevant documents here:

The IAAC report, passed to the MOD on April 30th and made public recently, contained a detailed audit of the events leading up to the January data breach. It revealed that 4 laptops containing the database of over 600,000 records for the Army Recruit & Training Division have gone missing since 2004, all from parked cars. Although leaving the laptops in vehicles was against the rules, those rules did not require the laptops to be encrypted; the existing policy is too open to interpretation.

Other issues include not treating information as an operational asset, not managing information risk, a lack of awareness of threats to information, a lack of understanding of the Data Protection Act, and more. The report was quite thorough, even looking to the rapid technological changes that affect the work culture & ways of working, and how these pose risks to security. The “Facebook Generation” is accustomed to “the rapid and often uninhibited exchange of information,” and these behaviors must be tempered by common sense and informed by data protection practice.

The IAAC report contains 51 recommendations and an action plan for implementation. The recommendations include new security procedures, audits, revising the data access & retention procedures, and better training & sharing of best practices.

The MOD has created an action plan to accept all 51 recommendations in Sir Edmund Burton’s IAAC report. The action plan breaks down into a set of workstreams that include doctrine, policy, awareness, compliance, technology, governance and more. They have paired up all 51 recommendations with the outcomes and the workstreams that will be responsible for acting upon them.

The IAAC has also recently published 3 guides to managing information risk. The guides cover organization, people and process and are meant to provide directors with information to understand the risks they face and how to address them.

Via intergovworld, Computer Weekly (2), Daily Mail; logo © Crown Copyright/MOD 2008

Outsourcing Email Marketing Increases Breach Risk

Related entries in Security Policy, Surveys & Reports

A new study from the Ponemon Institute has raised some major data security concerns in the UK. The study looked at email marketing practices and privacy, surveying more than 900 UK data protection and marketing professionals.

According to the study, the loss or theft of confidential data is “endemic” in the UK, with 61% of marketing professionals experiencing a data breach in the last 24 months. 90% of those data breaches went unreported. Respondents felt they were either not required to report the breaches to affected consumers, or were unsure whether they were.

Firms that outsource marketing functions face an increased risk of data breach incidents. The survey found that breaches were 42% more likely to be attributed to third parties than to in-house personnel. For companies that outsource email marketing, the incidence of data breaches rises from 61% to 78%. This highlights the importance of a strong data security policy that extends to all third parties.

Paul Bates, managing director of StrongMail UK, said: “A cavalier attitude towards outsourcing customer data to third parties combined with complacent processes for keeping that data safe is a recipe for disaster. The fact is confidential customer data doesn’t travel well and providing it to third parties for outbound marketing purposes can, as the research shows, be a risky proposition. This data is extremely valuable to most firms, and we advise them to think very carefully about how they keep it safe.”

Reducing costs was the primary reason to outsource online marketing campaigns, though firms admit that breaches have likely cost them new and existing customers.

The study indicated other troubling trends, including the sharing of personal information with third parties where this was not permitted.

View the Ponemon press release here [PDF] and the full study here.

Via Computer Weekly; image: Microsoft clipart

Web Browser Vulnerability Study

Related entries in Business Security, Surveys & Reports, Web Security

A new paper on web browser security has been released by researchers from Google, IBM and CENL (the Computer Engineering and Networks Laboratory). The paper is entitled “Understanding the Web browser threat: Examination of vulnerable online Web browser populations and the ‘insecurity iceberg’” and can be viewed here.

The paper puts some data behind the well-known risks associated with web browsers, and how the browser has become increasingly targeted as an infection vector. Unlike traditional attacks that would need to remotely connect to a vulnerable host (server), browser vulnerabilities are exploited when the user visits a malicious website.

The browser’s attack surface is broad: every rendering technology, whether built in (such as the JavaScript interpreter) or a plug-in (such as Flash), contributes its own vulnerabilities. An estimated 637 million people are not using the latest & most secure browsers, and are thus vulnerable to these attacks.

According to the research, the following percentages of users were running the latest browser version:

  • 83.3% Firefox (38 million not on latest)
  • 65.3% Safari (17 million not on latest)
  • 56.1% Opera (5 million not on latest)
  • 47.6% Internet Explorer (577 million not on latest)

I am not surprised by the figures, although I’d be interested to see a breakdown by business vs. consumer users. I think the level of security knowledge is quite low among consumers, particularly those who use the default Internet Explorer browser. Many users may not know to, or know how to, upgrade their browsers. Such upgrades require manual intervention, which immediately weakens the security of the browser. Given also that even “trusted” sites can serve malware, no end to the issue is in sight.

The study is very thorough in its analysis of browser vulnerabilities, and in recommendations to stem the issues. You can read more here.
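The study measured its browser populations by classifying the User-Agent strings seen in web server logs by browser family and version, then comparing each against the current release. As an added example (not code from the paper or from this post), the following Python applies the same classification to a constructed set of proxy-log User-Agent strings against an assumed, placeholder latest-version table, so a defender can measure the outdated share of their own user population; the family names, regexes and baseline versions are all assumptions made here.

```python
import re
from collections import defaultdict

# Constructed sample User-Agent strings, as a web proxy or web server would log them.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Opera/9.50 (Windows NT 5.1; U; en)",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20",
    "curl/7.18.2",
]

# Assumed "latest version" baseline per browser family. These are illustrative placeholders,
# not vendor data; a real deployment would keep this table current from vendor release notes.
LATEST_VERSION = {
    "Firefox": (3, 0),
    "Internet Explorer": (7, 0),
    "Opera": (9, 50),
    "Safari": (3, 1, 1),
}

# One regex per family, each capturing the version string. Opera is tested first because
# older Opera builds could also announce themselves as MSIE in the same string.
BROWSER_PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ](\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("Internet Explorer", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
    ("Safari", re.compile(r"Version/(\d+(?:\.\d+)*).*Safari/")),
]


def parse_version(text):
    """Turn '2.0.0.14' into (2, 0, 0, 14) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def identify_browser(user_agent):
    """Return (family, version tuple), or None for non-browser clients such as curl."""
    for family, pattern in BROWSER_PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return family, parse_version(match.group(1))
    return None


def latest_version_share(user_agents):
    """Per family: (requests on the latest version, total requests, percent on latest)."""
    counts = defaultdict(lambda: [0, 0])
    for ua in user_agents:
        hit = identify_browser(ua)
        if hit is None:
            continue  # bots, scripts and unknown clients are not part of the browser population
        family, version = hit
        counts[family][1] += 1
        if version >= LATEST_VERSION[family]:
            counts[family][0] += 1
    return {family: (latest, total, round(100.0 * latest / total, 1))
            for family, (latest, total) in counts.items()}


if __name__ == "__main__":
    for family, (latest, total, pct) in sorted(latest_version_share(SAMPLE_USER_AGENTS).items()):
        print(f"{family}: {pct}% on latest version ({total - latest} of {total} outdated)")
```

Feeding it real proxy logs shows which browser families in your own environment lag behind, which is the population the paper calls the “insecurity iceberg”.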

Via eWeek; image: Microsoft clipart

Verizon Data Breach Investigations Report

Related entries in Business Security, Security Policy, Surveys & Reports

Verizon Business has released a comprehensive study based on 4 years of data entitled the “2008 Data Breach Investigations Report” [PDF]. They have also released a podcast to go along with their study (Part 1 here).

The study draws on 500 forensic investigations covering 230 million records across hundreds of corporate data breaches. The report is very detailed, revealing a lot of information that could help companies better understand the nature of data breaches.

The study found that:

  • 73% of breaches result from external sources (39% from business partners, a number that is growing steadily)
  • 18% of breaches result from insider threats
  • Most breaches result from a combination of events, not a single hack or intrusion
  • 62% of breaches were attributed to significant internal errors
  • For deliberate breaches, 59% were from hacking and intrusions
  • 90% of known vulnerabilities exploited in hack attempts had patches available for at least six months prior to the breach
  • 90% of breaches involved an “unknown” system, data, network connection or user account
  • 75% of breaches are discovered by a third party, not the victimized organization
  • In 59% of data breaches, security policies and procedures existed but were not implemented
  • 66% of breaches involved data the company did not know was on their system

The study indicates that many data breaches are avoidable, and steps should be taken to prevent them. Dr. Peter Tippett, VP of Research and Intelligence for Verizon Business Security Solutions, says that companies must be “proactive in their approach to security — [it is] the absolute key to safeguarding data.”

Have a policy and implement it. Know what data you have and who has access to it. Monitor event logs. Have an incident response plan. Increase awareness, keep staff well trained, and run drills.

Via databreachwatch.org, CNET