Archive for the ‘Theft Prevention’ Category

Computrace now embedded in ASUS B50 Notebooks

Wednesday, October 22nd, 2008

Some great news from Absolute Software: the ASUS B50 line of business notebooks will now provide embedded support for Absolute’s anti-theft and management solution, Computrace.

ASUS is one of the world’s top 10 notebook manufacturers, with the B50 taking into consideration the needs of mobile business executives. The B50 features an integrated biometric fingerprint scanner, Trusted Platform Module for secure login and encryption, and now embedded Computrace support. You can read more about this news here.

What does embedded support mean?

This means that the Computrace features are embedded at the firmware level rather than the software level. When customers activate the service, Absolute can provide a higher level of security and recovery capability.

Embedding support for the Computrace agent into the BIOS provides customers the highest level of persistence and allows the Computrace agent to survive operating system re-installations, hard drive reformats and even hard drive replacements. That means anyone trying to remove the security features to get at your data is going to have a much harder time.

For a full list of computers with embedded support for Computrace (Dell, Fujitsu, etc), check here.

Also in company news, Absolute showcased its laptop security solutions at the Intel Developer Forum (IDF) in Taipei on October 20-21. For more information, read here.

Data Breach Risk Factors by Sector

Monday, October 20th, 2008

In July, Verizon released a comprehensive study, the “2008 Data Breach Investigations Report”, covering four years of forensic investigations into hundreds of data breaches. The report was discussed here on the blog. Verizon has now issued a supplemental analysis from that study.

The supplemental report compares risk factors among four industries: finance, food, retail and tech. It draws some important insights from the data; for example, of all industries, financial services is at the greatest risk of insider data breaches, whereas in other sectors business partners posed the greater risk to data.

“The supplemental report provides further insight into the nature of breaches, underscoring that good security does not lend itself to a cookie-cutter approach.” – Dr. Peter Tippett, vice president of research and intelligence, Verizon Business Security Solutions

The supplemental report indicates that financial service firms are the targets of more sophisticated attacks that often take weeks to discover. That said, financial organizations were shown to have a higher level of asset awareness and to detect breaches more quickly than other organization types. Breaches from lost systems, like laptops, tend to occur less frequently.

The data breach investigation report found that the majority of breaches could be avoided by reasonable security measures, so this supplemental report aims to help identify what industry-specific differences could lead to better proactive security measures.

Other key findings include:

  • High-tech organizations: had difficulty keeping track of information assets, were affected by malicious insiders more than others, and were hacked more than others
  • Retail: more data breaches than other sectors, wireless network attacks growing quickly, too reliant on third parties to discover breaches, and most attacks are opportunistic
  • Food and beverage: many breaches involve third-party remote access to payment card data, poor security configurations are exploited, POS systems are used to spread malware, and breach detection is very poor

Resources:

And a fun piece of educational reading – spammers are more likely to use Obama than McCain in the subject line of spam emails [read here].

Via CSO Online, Information Week

Passwords are Not Enough

Thursday, October 16th, 2008

In follow-up to the 10 Common Risks Employees Make That Put Data at Risk, another study recently showed that the majority of organizations require only passwords for employees to access critical data. In addition, the passwords used are found to be quite weak.

Quest Software conducted a study on User Authentication which showed that 52% of the 150 organizations surveyed have only basic user authentication (passwords) to access critical data. Stronger forms of authentication would include hardware tokens, digital certificates or risk-based scoring.

Other findings from the study:

  • 88% of enterprise users have multiple work-related passwords, averaging between five and six
  • 64% of organizations do not require users to change their passwords
  • 45% of organizations allow standard dictionary terms (like “password”)
  • 29% of organizations have no requirements for password length

For those investing in stronger user authentication, the greater risk posed by external users (remote employees, contractors, customers, etc.) has prompted them to act.

Setting up a strong user authentication plan is crucial, but for those companies that are new to this area, the first and most basic area to enforce is to have your employees choose strong passwords. You can read more about that here.
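The three weaknesses the study calls out (no length requirement, dictionary terms allowed, no change requirement) map directly onto checks a password policy can enforce. The following is an added example, not code from the original post or from Quest Software; the wordlist is a constructed stand-in for a real dictionary or breached-password list, and the 12-character minimum and 90-day maximum age are assumed policy values.

```python
"""Password-policy check covering the three gaps the survey names:
no length requirement, dictionary terms allowed, and no rotation requirement.

Added example, not from the original post. DICTIONARY is a constructed
stand-in for a real dictionary or breached-password list."""
from datetime import date
from typing import Dict, List, Optional

# Constructed stand-in for a real dictionary / breached-password list.
DICTIONARY = frozenset({"password", "welcome", "letmein", "qwerty", "company", "summer"})

# Substitutions that cracking wordlists already include, so "P@ssw0rd"
# is treated as the dictionary word "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case the password and undo common leetspeak substitutions."""
    return password.lower().translate(LEET_MAP)


def contains_dictionary_term(password: str, min_term_len: int = 4) -> bool:
    """True if any dictionary word of at least min_term_len characters appears
    in the normalized password, so 'Summer2008!' and 'p@ssw0rd' are both caught."""
    norm = normalize(password)
    return any(word in norm for word in DICTIONARY if len(word) >= min_term_len)


def check_password(password: str, last_changed: Optional[date], today: date,
                   min_length: int = 12, max_age_days: int = 90) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if contains_dictionary_term(password):
        violations.append("contains a dictionary term")
    if last_changed is not None and (today - last_changed).days > max_age_days:
        violations.append(f"not changed in over {max_age_days} days")
    return violations


# Constructed samples: (password, date last changed).
SAMPLE_TODAY = date(2008, 10, 16)
SAMPLES = [
    ("p@ssw0rd", date(2008, 1, 1)),
    ("Summer2008!", date(2008, 10, 1)),
    ("correct-horse-battery-staple", date(2008, 9, 1)),
]


def audit_samples() -> Dict[str, List[str]]:
    """Run the policy over the constructed samples; password -> violations."""
    return {pw: check_password(pw, changed, SAMPLE_TODAY) for pw, changed in SAMPLES}


if __name__ == "__main__":
    for pw, violations in audit_samples().items():
        print(f"{pw!r}: {', '.join(violations) if violations else 'OK'}")
```

The dictionary check runs on the normalized form, which is what makes it useful: a policy that only rejects the literal string “password” still lets “P@ssw0rd1” through. One caveat on the age check: it reflects the study’s finding, but later guidance (NIST SP 800-63B, 2017) drops forced periodic rotation in favour of screening new passwords against breached-password lists, so the `max_age_days` rule is the one most organizations would revisit today.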

Image: Clipart

Shredded Checks Are Not Packing Material

Tuesday, September 9th, 2008

This is just a common sense business tip: do not use shredded checks as packing material.

The WHH Ranch Company has been using shredded paper from a Texas-based bank for 20 years. Some of that paper came in the form of shredded checks.

When Michelle McBride ordered some food from WHH Ranch, she found it packed in shredded checks. The shredded paper was in wide strips (it was not cross-shredded) that could easily be pieced together. In fact, that’s what Michelle McBride did: she was able to re-assemble some checks and plainly read off account numbers and routing information for hospitals, Medicare, schools, businesses and personal accounts.

After learning of the problem, WHH Ranch says they’ll ensure it doesn’t happen again.

So, two things to learn from this:

  • If you are shredding sensitive information, particularly as a business, use a good cross-cut or confetti shredder.
  • If you use shredded paper as packaging material, make sure it is finely shredded and comes only from non-sensitive papers.

After the jump is a video of the CNN report about this incident (the video auto-plays).

Privacy Breach Index Survey

Tuesday, September 2nd, 2008

Hilb Rogal & Hobbs and the Ponemon Institute have teamed up to launch a new Privacy Breach Index. The Privacy Breach Index (PBI) will be a publicly available benchmarking tool to measure responsiveness to data loss or theft. It will be made available at www.privacybreachindex.com.

According to the press release, the Index will include objective tools to improve a company’s ability to manage a data breach. The PBI benchmark tool will help: improve existing safeguards to prevent a data breach, determine areas vulnerable to a data breach, and benchmark responsiveness to a data breach against other companies.

The initial PBI was built from the survey responses of 768 individuals in data protection, IT security and compliance who were their organization’s experts on data breaches. All participants had experienced a data breach in the past 24 months, a requirement of the benchmarking process.

The finished PBI benchmarking tool should be well worth seeing, but the survey results already offer some insight. The survey looked at various areas of data incident response: detection and forensics, escalation to management, notification quality and timeliness to breach victims, support to breach victims, post-mortem response, reputation management and response to regulatory or legal action.

“Our study provides further evidence of the importance of having a good quality privacy incidence response plan in place,” said Dr. Ponemon. “More than 83% of respondents believe that the individuals affected by the data breach lost trust and confidence in their organization’s ability to protect their personal information. As we have found in our consumer studies on trust, these perceptions often result in the loss of customer loyalty. In fact, 80% of respondents in the PBI study reported that a certain percentage of data breach victims terminated their relationship with the organization.”

Some interesting findings from the survey:

  • 9% of respondents rated their organization’s responsiveness to the most recent data breach as an “A” or excellent. 5% gave their organization an “F” for failure.
  • 80% of respondents believe that their organizations experienced some loss of customers or other data breach victims after the incident.
  • 50% of participants cited employee negligence as the root cause of the data breach incident (29% cited third-party negligence)
  • More than 36% of respondents have 1 – 4 data breach incidents involving 100 or more records each year

You can download the 2008 Privacy Breach Index Survey here [PDF]

Via Insurance Journal

Guidelines for Mobile Security

Tuesday, July 29th, 2008

The National Institute of Standards and Technology (NIST) has released a new draft of recommended guidelines on cell phone and PDA security, helping companies navigate this overlooked area of data security. Mobile devices pose an increasingly large risk to data security. Lost or stolen laptops are currently one of the main causes of data breaches, and the growing data access capabilities of even smaller mobile devices increase the risk of breaches resulting from lost or stolen devices.

Publication SP 800-124 provides an overview of the mobile devices in use today and insight into the IT security issues surrounding their use. Threats to handheld devices are heightened by their size and portability and by the wireless services available to them. These two factors increase the risk of loss or theft, unauthorized use, malware, spam, electronic eavesdropping, electronic tracking, cloning and exposure of server-resident data.

The guidelines give many examples of these types of threats as well as safeguards that can be put in place. The safeguards suggested include:

  • Central management of devices – have organization-issued devices with a system to centrally configure and manage devices & their updates
  • User-oriented measures – teaching employees about procedures to follow using organization devices (understanding the security features & how to use them)
  • Authentication – require user authentication with PINs and passwords
  • Backup data
  • Reduce data exposure – avoid sensitive information being on, or accessed by, any handheld device. Encrypt any sensitive data.
  • Turn off wireless interfaces – minimize risk by only turning them on when needed
  • Add security software such as firewalls, antivirus, VPN, etc.

There are very detailed suggestions about how to centrally organize devices and their capabilities. Download the study here [PDF]: “Guidelines on Cell Phone and PDA Security (Draft).” In addition, you may wish to review the “Performance Measurement Guide for Information Security” Study [PDF].

Absolute Software also provides security solutions for handheld devices with Computrace Mobile. Check it out here!

Hat tip to Dan Lohrmann

Orphaned Accounts an IT Security Risk

Friday, May 23rd, 2008

A new survey released by Symark and eMediaUSA highlights the security vulnerabilities associated with orphaned accounts. Orphaned accounts are user accounts that remain active after an employee has left a company. The study reveals that 42% of businesses do not know how many orphaned accounts they have, and 30% have no procedure to locate and remove them.

800 security, IT, HR and C-level executives across all industries were surveyed about orphaned accounts and the processes in place to find and remove them. When an employee leaves an organization, IT and security administrators should make it a priority to shut down access immediately. However, many IT staff are overworked and this step is overlooked. Failure to terminate employee access creates holes in security that hackers or malicious insiders can exploit.

Other findings from the survey:

  • 27% of respondents say that more than 20 orphaned accounts exist in their organization
  • 30% say it takes more than 3 days to terminate access, 12% say it takes more than a month
  • More than 38% have no way to know if an orphaned account was used to access information
  • 15% said an orphaned account has been used to access information at least once

The survey indicates, at the very least, that there is a hole in IT security that needs to be patched. In some cases, it is clear that orphaned accounts are still being used, and this is a significant risk to security.

“Controlling access to proprietary systems and information continues to present an IT security challenge… gaps in access and entitlements control — and the significant audit defects resulting from them — are one of the concerns most frequently mentioned in focus interviews,” said Scott Crawford, research director at Enterprise Management Associates.

Larger companies face more complex challenges in managing employee access. Limiting access, and revoking it when an employee leaves the company, is a vital step to ensuring data compliance. Policies and technologies should be put in place that can manage and revoke user access easily.

If your company were surveyed, how well would you fare with these questions? Are there orphaned accounts you may not even realize you have?
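The survey’s questions (how many orphaned accounts exist, how long access lingers, whether an orphaned account was ever used) can all be answered by reconciling the account directory against the HR roster. The following is an added example, not code from the original post or from Symark; the directory export, roster and dates are constructed, and the 3-day de-provisioning SLA and 30-day escalation window are assumed thresholds taken from the survey’s own cut-offs.

```python
"""Reconcile an account export against the HR roster to surface orphaned
accounts, how long they have been orphaned, and whether they were used after
the owner left. Added example, not from the original post; all data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]


@dataclass
class Person:
    username: str
    status: str                       # "active" or "terminated"
    termination_date: Optional[date]  # set when status == "terminated"


@dataclass
class Finding:
    username: str
    days_orphaned: Optional[int]      # None when the account has no HR record
    used_after_termination: bool
    severity: str


def find_orphaned_accounts(accounts: List[Account], roster: List[Person], today: date,
                           sla_days: int = 3, escalate_days: int = 30) -> List[Finding]:
    """Flag enabled accounts whose owner has left (or who has no HR record).

    Severity: critical if the account logged in after the termination date,
    high if it has outlived the escalation window, medium if it has outlived
    the de-provisioning SLA, low otherwise."""
    by_user: Dict[str, Person] = {p.username: p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        person = by_user.get(acct.username)
        if person is None:
            # No owner on the roster at all: cannot age it, but it still needs review.
            findings.append(Finding(acct.username, None, False, "no-owner"))
            continue
        if person.status != "terminated":
            continue
        days = (today - person.termination_date).days
        used = acct.last_login is not None and acct.last_login > person.termination_date
        if used:
            severity = "critical"
        elif days > escalate_days:
            severity = "high"
        elif days > sla_days:
            severity = "medium"
        else:
            severity = "low"
        findings.append(Finding(acct.username, days, used, severity))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts in the shape of the survey's questions."""
    return {
        "orphaned": len(findings),
        "used_after_termination": sum(f.used_after_termination for f in findings),
        "no_owner": sum(f.severity == "no-owner" for f in findings),
    }


# Constructed sample data: a directory export and an HR roster.
SAMPLE_TODAY = date(2008, 5, 23)
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2008, 5, 22)),   # current employee
    Account("bob", True, date(2008, 4, 30)),     # left 1 Apr, logged in 30 Apr
    Account("carol", True, date(2008, 3, 1)),    # left 10 May, still enabled
    Account("dave", False, date(2008, 2, 14)),   # left, correctly disabled
    Account("eve", True, None),                  # no HR record at all
    Account("frank", True, date(2008, 5, 20)),   # left 21 May, inside the SLA
]
SAMPLE_ROSTER = [
    Person("alice", "active", None),
    Person("bob", "terminated", date(2008, 4, 1)),
    Person("carol", "terminated", date(2008, 5, 10)),
    Person("dave", "terminated", date(2008, 2, 15)),
    Person("frank", "terminated", date(2008, 5, 21)),
]


def audit_sample() -> Dict[str, str]:
    """Run the reconciliation over the constructed data; username -> severity."""
    return {f.username: f.severity
            for f in find_orphaned_accounts(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, SAMPLE_TODAY)}


if __name__ == "__main__":
    results = find_orphaned_accounts(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, SAMPLE_TODAY)
    for finding in results:
        print(finding)
    print(summarize(results))
```

The “used after termination” check is the one the survey says 38% of organizations cannot answer, and it only works if last-login timestamps are retained for every account; the “no-owner” bucket (service accounts, contractors never entered in HR) is usually where the largest surprises turn up, so it is reported rather than silently skipped.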

Via TechTarget, Business Wire; image: anitapatterson @ morguefile

Trusting Contractors with Laptops

Monday, May 5th, 2008

CSO Online’s Michael Overly has a good article about businesses trusting their sensitive information to consultants, and what best practices to follow. The first guideline: do not let your consultant store any of the information on a laptop.

There are practical considerations that make it difficult to ban the use of laptops in all situations. Consultants may need to move from site to site easily, with constant access to the data. One solution is to provide laptops to the consultant yourself – that way you can be satisfied with the security systems in place. When that is cost prohibitive, here are some suggestions offered for a laptop security policy to enforce with contractors:

  • WiFi access should be limited to approved secured means, and used only when necessary
  • Hard disk must be encrypted
  • All ports on laptops to be disabled
  • Strong authentication required (e.g. biometric)
  • Security software installed and kept up-to-date
  • Secure and irreversible erasure of data to be enforced at end of data-use period
  • Tracking software with remote data delete should be used (like Absolute Software’s Computrace products)
  • Breach notification protocols should be in place in the event that the laptop goes missing

You can read more suggestions here.


Security Challenges in Web 2.0

Monday, April 28th, 2008

Web 2.0 is changing the way we do business, and the way we do Internet security, with advances in the web that allow for a more "social" sphere of information sharing, collaboration, and ways of doing business. Here is a definition of Web 2.0 from John Battelle and Tim O’Reilly:

"the web had become a platform, with software above the level of a single device, leveraging the power of the "Long Tail", and with data as a driving force…" (Wikipedia)

Web 2.0 encompasses social networking sites like Facebook, blogs such as this one, Skype, Wikipedia, and so much more. No matter how you define Web 2.0, companies are in a transition period of adopting and developing around this new way of doing things.

All of these new tools and technologies of the interactive web have ushered in a new era of security vulnerabilities. Research group Fortify gave a talk at the Web 2.0 Expo in San Francisco recently about the new wave of internet security threats.

"Security was a challenge to begin with, but, if anything, it’s getting harder in the Web 2.0 world." – Jacob West, Manager, Fortify

Fortify foresees that JavaScript will be a growing issue in security as the adoption of Ajax (based on JavaScript) increases and the existing vulnerabilities become more widespread. At the same time as vulnerabilities are spreading, attack techniques are improving at a rapid rate. Some of the makers of JavaScript & Ajax toolkits are proactively closing up security issues, but others (particularly the big ones like Microsoft) are not.

This is just one example of the security issues associated with Web 2.0. Many problems with integrating Web 2.0 technologies internally or into the company website stem from poor planning, a "rush to embrace" whatever is trendy (InformationWeek). Additionally, social networking sites such as Facebook and MySpace can be laced with malware. Cyber criminals are co-opting social networking sites as the delivery vehicles for cyber attacks.

Companies are going to be faced with many Web 2.0 challenges, from planning the integration of new technologies to creating effective security policies outlining the use of such technologies.

"Companies need to adjust their security policies for Web 2.0 world today, they need to tailor their Internet use policies and create rules that include social Web sites, blogs, and all the other types of sites being created out there, the usage policies need to be spelled out specifically and enforced.

Beyond that they need technical safeguards to back those policies, but the outlook for all this is still pretty grim. Most companies are barely providing sufficient protection in the context of Web 1.0." – Paul Henry, Secure Computing (via InfoWorld)

Via CNet

Employees Purposely Bypass Security Protocols

Wednesday, April 9th, 2008

Well, this is a troubling piece of news. IT Governance in the UK has released a survey this month, Data Breaches: Trends, Costs and Best Practices, which shows that two-thirds of employees bypass data security in order to do their work.

The Best Practice Report looks at the global trends in corporate data breaches concerning personally identifiable information. It also considers best practices in avoiding business, regulatory and brand damage as the result of a data breach.

The survey found that 68% of employees admit to bypassing information security controls in order to do their jobs. This is a troubling statistic, perhaps pointing to a failure to understand how to implement security controls: how to balance confidentiality with availability of information. The survey indicates that security controls are being undermined and that employees are putting organizations at risk. This startling information should serve as a wake-up call to the importance of planning in information security.

The survey indicated that 82% of organizations had policies for protecting personal data, but with such a high incidence of employees deliberately circumventing the policies and procedures put in place, it would appear that the security precautions taken were unduly obstructive in design or implementation.

Other interesting findings:

  • 55% of employees handling personal data have been trained in their legal responsibilities in respect of the information
  • 89% of organizations cover access to personal data in security regimes
  • 56% of organizations have policies to detect or report data losses
  • 39% of organizations have policies to correct data loss incidents

You can see from the declining figures above that companies are less prepared for data breaches within their security regimes: if a breach were to occur, many would have no policies to govern the fallout, nor in some cases to detect the breach in the first place. Both the earlier findings and the statistics above show a dire need for security training at all levels of the company, so that employees understand the importance of, and the legal requirements for, safeguarding personal information, and can do so in a way that is manageable for them.

Via Cambridge Network
