Security News Brief: 08-26-08

9:23 am on August 26, 2008 | By Meghan Whelan | In data breach, identity theft, information security, risk management | No Comments

Kill at-risk data! Apple’s iPhone does it.

3:29 pm on August 22, 2008 | By Gerald Hopkins | In data destruction, kill switch | 1 Comment

Apple’s recent announcement that its wildly successful iPhone has a “kill switch” capability has been met with surprise and even outrage on the part of some industry watchers and privacy advocates. http://news.yahoo.com/story//nf/20080811/tc_nf/61270 Apple’s stated purpose for embedding the kill switch technology in the iPhone is that it needs the capability in the event a malicious program, such as an application that steals users’ data, is introduced to the device. While conspiracy theorists might see a pernicious side to the kill switch and worry that Apple might use the application to collect information about its users, the momentum toward the broader application of this technology would appear unstoppable. And there is already precedent: as BusinessWeek’s Olga Kharif points out, other industry players, including wireless carriers, regularly remove harmful and/or offensive applications from users’ handheld devices. http://www.businessweek.com/technology/content/aug2008/tc20080818_266301.htm?campaign_id=rss_tech

Regardless of how one feels about the kill switch concept, this technology has legitimate and extremely useful applications, especially in the enterprise market, and particularly with regard to laptop computers. Although Apple’s stated purpose for the kill switch is to remove potentially harmful applications, the same basic technology can be used by enterprises to destroy or prohibit access to lost or compromised laptop data. In the same way that Apple might reach out and remove harmful content from the iPhone, an enterprise can use kill switch technology to remove data on lost or stolen laptops. Potential benefits of this capability are obvious given the myriad laws and regulations pertaining to protection and/or loss of private data.

The Big Security Stall

8:45 am on August 15, 2008 | By Meghan Whelan | In laptop security, risk management, security policy | No Comments

The PC Data Security Blog offers the opportunity for professionals to post on topics important to those within the IT Security community. This week, Rob Weber, Product Specialist at Beachhead Solutions, brings us this post.

Has your company or organization secured its laptop and desktop data yet? Maybe they have and now they can rest easy. If they have not secured the data yet, the number of reasons and excuses is mind-boggling. Security isn’t sexy, doesn’t increase the productivity of employees, and can be a drain on those charged with implementing the solution. Nobody wants to own the security solution or take on the work it involves, yet it is a necessary evil. Thus it becomes an internal battle in many organizations between the economic buyer / product champion and the IT staff that must implement the solution. The product champion pushes for their chosen solution and the IT staff puts up barriers to the encroachment of their ‘turf’. Why does IT balk? The following reasons are commonly heard:

- IT had little or no say in the selection of the solution
- IT is not staffed properly to manage the solution
- The solution creates more work for the IT staff since the end user experience has changed
- While acknowledging a solution is needed, it just isn’t seen as high on the list of priorities

Whether these reasons are spoken or implied, the solution is blocked using one or more of the following ploys:

- Utopian product requirements are put in place to block any worthwhile solution
- Other, sexier IT initiatives are elevated ahead of the security solution
- Solution inquiries are simply met with radio silence by IT

What could happen to change this behavior? It hasn’t happened yet, but it will soon . . . a real data loss followed by a real penalty charged to the offending company or organization. As soon as this happens, the world will change. A security solution will be pushed through at many organizations due to fear and anxiety. The fact that the solution is not sexy, not properly staffed, or simply annoying won’t matter anymore. Those will be smaller pain points on the path to fulfilling a company necessity. CEOs will get involved and make it uncomfortable for anyone standing in the way or delaying a solution. Why? It will be embarrassing to be caught with unsecured data, but more importantly, it may prove to be the end of the company or organization if real penalties are applied.

TSA fails to secure “trusted traveler” data.

8:59 am on August 6, 2008 | By Meghan Whelan | In data breach, laptop encryption, laptop security | No Comments

Yesterday, a missing laptop with the names of 33,000 people enrolled in the Clear program, the most popular airport “trusted traveler” program, was found at SFO Airport. The laptop belonged to an employee of the TSA-contracted security firm and is said to have contained “personal information on applicants to the program, including names, address and birth dates, and in some cases driver’s license, passport or green card numbers.”

The good news is the laptop turned up in the same office it was reported stolen from. The bad news is the alleged theft has exposed the serious vulnerabilities of a trusted security program associated with a government agency.

In a statement, the company said the information on the laptop, which was originally reported stolen from its locked office, “is secured by two levels of password protection.” Beer called the fact that the personal information itself was not encrypted “a mistake” that the company would fix.

Not encrypted? What?

Even Anheuser-Busch (a brewery, for crying out loud) knows better than that. When one of their laptops went missing last month, potentially exposing the personal information of over 150,000 current and former employees, many of those affected could breathe easier knowing the laptop was encrypted.

So, how does a public company charged with the task of filling America’s beer mugs have a better security policy than a private company charged with securing America’s airports?

This goes back to ensuring that all contractors and vendors have a sound security policy before signing up with them and putting your information at risk.

Secondly, when the physical security of airline passengers is at stake, wouldn’t it be a good idea to have a Plan B that gives an agency the option to destroy data if a breach is suspected? If that laptop hadn’t turned up, or in the case that the laptop was stolen, breached and returned, the data contained within could make it easier for dangerous people to travel undetected. This puts anyone who travels by plane at risk.
