Security and Time

7:17 am on November 20, 2008 | By David Hora | In information security, laptop security, risk management | No Comments

People seem to think that security software is very time consuming. The common conception is that either the installation process is long and arduous, or you will be forced to constantly monitor your chosen security solution. Some solutions require an admin to go to each machine and install something, which is simply not feasible in a large company. Not all solutions take hours to install and force an administrator to physically access each machine. It takes more time to play a game of solitaire than it does to install some security software. Some laptop security solutions are as easy to install as simply adding the installer to group policy. To manage some security products, you need to constantly monitor all traffic that comes from a machine. Some solutions require administrators to take hours to examine log files to see if there is a security problem or not. With other solutions, all you need to do is log into a web-based UI and see if you have any alerts.

If you spend hours managing your current security product after the installation phase, maybe you should look for a new solution. When you research security solutions, you should see how much time it takes to install the solution and how much time, if any, is required to manage the solution post-install. Make sure any solution you find gives an intuitive web-based interface that will allow you to monitor it from anywhere should the need arise.

In the time it took to read this blog post, you probably could have installed a security solution on your laptop.


Security News Brief: 10-22-08

8:42 am on October 22, 2008 | By Meghan Whelan | In data breach, laptop security, laptop theft | No Comments


Security News Brief: 09-09-08

9:49 am on September 9, 2008 | By Meghan Whelan | In data breach, information security, laptop security, laptop theft | No Comments


Dell’s Kill Switch

12:04 pm on September 4, 2008 | By Jeff Rubin | In data destruction, kill switch, laptop security | No Comments

 

In a recent CNBC.com interview, when confronted with the scenario of a business laptop filled with sensitive data being accidentally left in a taxicab, Michael Dell explained the need for businesses to have access to a mechanism to “remotely kill the data on the device (laptop) if the device is lost”. He went on to report that Dell offers such “Mission: Impossible” capability. One can infer from this that Dell offers an Internet-based kill switch that allows the business administrator to remotely wipe all data if it ever again connects to the Internet. That’s a great start but what if the crook doesn’t let it connect? Laptops need to be able to protect themselves by having behavior and time-based triggers that can take self-protective actions even if they never connect to a server again. And, of course, the data needs to be encrypted as well. This is the security that PC makers should really offer.

A kill switch is nice but Mission: Impossible’s Mr. Phelps never connected the tape recorder to anything like the Internet – it simply self destroyed with a timer.


The Big Security Stall

8:45 am on August 15, 2008 | By Meghan Whelan | In laptop security, risk management, security policy | No Comments

The PC Data Security Blog offers the opportunity for professionals to post on topics important to those within the IT Security community. This week, Rob Weber, Product Specialist at Beachhead Solutions, brings us this post.

Has your company or organization secured its laptop and desktop data yet? Maybe they have and now they can rest easy. If they have not secured the data yet, the number of reasons and excuses is mind-boggling. Security isn’t sexy, doesn’t increase the productivity of employees, and can be a drain on those charged with implementing the solution. Nobody wants to own the security solution or take on the work it involves, yet it is a necessary evil. Thus it becomes an internal battle in many organizations between the economic buyer / product champion and the IT staff that must implement the solution. The product champion pushes for their chosen solution and the IT staff puts up barriers to the encroachment of their ‘turf’. Why does IT balk? The following reasons are commonly heard:

- IT had little or no say in the selection of the solution
- IT is not staffed properly to manage the solution
- The solution creates more work for the IT staff since the end user experience has changed
- While acknowledging a solution is needed, it just isn’t seen as high on the list of priorities

Whether these reasons are spoken or implied, the solution is blocked using one or more of the following ploys:

- Utopian product requirements are put in place to block any worthwhile solution
- Other, sexier IT initiatives are elevated ahead of the security solution
- Solution inquiries are simply met with radio silence by IT

What could happen to change this behavior? It hasn’t happened yet, but it will soon . . . a real data loss followed by a real penalty charged to the offending company or organization. As soon as this happens, the world will change. A security solution will be pushed through at many organizations due to fear and anxiety. The fact that the solution is not sexy, not properly staffed, or simply annoying won’t matter anymore. Those will be smaller pain points on the path to fulfilling a company necessity. CEOs will get involved and make it uncomfortable for anyone standing in the way or delaying a solution. Why? It will be embarrassing to be caught with unsecured data, but more importantly, it may prove to be the end of the company or organization if real penalties are applied.


TSA fails to secure “trusted traveler” data.

8:59 am on August 6, 2008 | By Meghan Whelan | In data breach, laptop encryption, laptop security | No Comments

Yesterday, a missing laptop with the names of 33,000 people enrolled in the Clear program, the most popular airport “trusted traveller” program, was found at SFO Airport. The laptop belonged to an employee of the TSA-contracted security firm and is said to have contained “personal information on applicants to the program, including names, address and birth dates, and in some cases driver’s license, passport or green card numbers.”

The good news is the laptop turned up in the same office it was reported stolen from. The bad news is the alleged theft has exposed the serious vulnerabilities of a trusted security program associated with a government agency.

In a statement, the company said the information on the laptop, which was originally reported stolen from its locked office, “is secured by two levels of password protection.” Beer called the fact that the personal information itself was not encrypted “a mistake” that the company would fix.

Not encrypted? What?

Even Anheuser-Busch (a brewery, for crying out loud) knows better than that. When one of their laptops went missing last month, potentially exposing the personal information of over 150,000 current and former employees, many of those affected could breathe easier knowing the laptop was encrypted.

So, how does a public company charged with the task of filling America’s beer mugs have better security policy than a private company charged with securing America’s airports?

This goes back to ensuring that all contractors and vendors have a sound security policy before signing up with them and putting your information at risk.

Secondly, when the physical security of airline passengers is at stake, wouldn’t it be a good idea to have a Plan B that gives an agency the option to destroy data if a breach is suspected? If that laptop hadn’t turned up, or in the case that the laptop was stolen, breached and returned, the data contained within could make it easier for dangerous people to travel undetected. This puts anyone who travels by plane at risk.


Relying on user compliance is risky business.

7:28 pm on July 14, 2008 | By Cam Roberson | In laptop security, laptop theft | No Comments

 

Most of us have become desensitized to the almost daily reports of laptop loss or theft. Heck, I barely notice them anymore - and I’m in the industry! What blows me away though, is the boilerplate mantra from the spokesman of the at-fault company when defending their indefensible position with the media. Always well-rehearsed and nearly believable, those statements are derived from the now necessary PR outline, “CYA: Laptop Loss, What to Say to the Press”. I happen to have found this early version used in 2006 by a very large aeronautics manufacturer. It has been used and personalized hundreds of times since by companies big and small. Here it is:

“CYA: Laptop Loss - What to Say to the Press”

(note to spokesman: whenever possible try to assign the loss as a theft. A simple loss implies that the user may have been flippant, careless and/or negligent).

1.    (your company name) is very concerned about protecting the privacy of its employees, customers and/or clients.

2.    (your company name) has no reason to believe that the laptop was stolen for anything other than the hardware value

3.    The laptop was protected with passwords

4.    The employee of (your company name) is being reprimanded (or terminated) for violation of data security policy. Cite one of these policy violations:

a.    employees are prohibited from taking sensitive data outside business walls on laptops

b.    employee shared or otherwise exposed passwords and/or login credentials

c.    (your company name) has selected, and is in the process of deploying, encryption but has not yet completed the rollout

d.   if possible, assign blame to a rogue contractor, vendor or service provider. This action tends to confuse readers as to who is really at fault for the breach

5.    Reiterate that “because (your company name) is very concerned about protecting sensitive data,” better and more strict employee (or vendor/contractor) data policy will be effective (fill in reasonable time schedule).
