The Effects of Economic Downturn on Data Security

2:01 pm on January 14, 2009 | By Edward Chung | In data breach, identity theft, pc security tips, risk management | No Comments

The current economic landscape has left corporations brutally exposed to loss and even abuse of sensitive data. According to a SailPoint survey of more than 100 Fortune 1000 IT managers, “nearly 70 percent can’t summarize which workers have access to the most critical applications and data. Further, if faced with a layoff, 44 percent of respondents are unable to remove access privileges of terminated employees on a timely basis.” This is extremely dangerous given the number of layoffs and mergers/acquisitions happening every day. It creates situations in which disgruntled workers can maliciously misuse access they should no longer have, as in the case of the disgruntled San Francisco city network administrator who hijacked the city’s network.

Public CIO has some useful tips on what to look for and how to keep your company from being vulnerable. The four things to look out for are:

  • Orphan Accounts – Do former employees still have access to any systems?
  • Access Level of Contractors/Temps – Do you restrict, and then revoke, the access you give contractors as they move on and off projects?
  • Entitlement Creep – Have long-tenured employees accumulated more access than their jobs require, simply by being around?
  • Separation of Duties – Does any single employee have excessive control over a critical business transaction (for example, the ability both to create a vendor and to approve payment to it)?

Regularly reviewing these four areas will go a long way toward keeping control of access to your sensitive data, so that the economy does not cause more damage than it already has.
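Here is one way to turn those four questions into checks you can run against an HR roster and an entitlement export, added here as an illustration (it is not SailPoint’s or Public CIO’s code). The roster, the entitlement export, the review date, the majority-of-peers baseline used to measure entitlement creep, and the single separation-of-duties rule are all constructed assumptions.

```python
"""Access-review checks for the four warning signs above.

Added example, not from the original post or from SailPoint/Public CIO.
The HR roster, the entitlement export, the per-role baseline rule and the
separation-of-duties pair are all constructed assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import date

REVIEW_DATE = date(2009, 1, 14)  # assumed "today" for the review

# Constructed HR roster: employment type, status, role and relevant dates.
ROSTER = {
    "alice": {"type": "employee", "status": "active", "role": "ap_clerk"},
    "bob": {"type": "employee", "status": "terminated", "role": "engineer",
            "end": date(2008, 11, 30)},
    "carol": {"type": "contractor", "status": "active", "role": "engineer",
              "project_end": date(2008, 10, 31)},
    "dave": {"type": "employee", "status": "active", "role": "engineer"},
    "erin": {"type": "employee", "status": "active", "role": "engineer"},
    "frank": {"type": "employee", "status": "active", "role": "ap_clerk"},
}

# Constructed directory/application export: account -> entitlements held.
ENTITLEMENTS = {
    "alice": {"erp:create_vendor", "erp:approve_payment", "erp:view_invoices"},
    "bob": {"git:push", "vpn:access"},          # still present after termination
    "carol": {"git:push", "vpn:access", "erp:view_invoices"},
    "dave": {"git:push", "vpn:access"},
    "erin": {"git:push", "vpn:access"},
    "frank": {"erp:create_vendor", "erp:view_invoices"},
    "svc_backup_old": {"vpn:access"},           # nobody in HR owns this account
}

# Assumed SoD rule: nobody may both create vendors and approve payments.
SOD_CONFLICTS = [("erp:create_vendor", "erp:approve_payment")]


def orphan_accounts(roster, entitlements, today):
    """Accounts holding access that map to nobody currently employed."""
    orphans = []
    for account in entitlements:
        person = roster.get(account)
        if (person is None or person["status"] != "active"
                or person.get("end", today) < today):
            orphans.append(account)
    return sorted(orphans)


def stale_contractor_access(roster, entitlements, today):
    """Contractors whose engagement ended but who still hold entitlements."""
    return sorted(
        acct for acct, p in roster.items()
        if p["type"] == "contractor"
        and p.get("project_end", today) < today
        and entitlements.get(acct)
    )


def entitlement_creep(roster, entitlements, min_peers=2):
    """Entitlements a user holds beyond the baseline for their role.

    The baseline is what a majority of active peers in the same role hold;
    anything beyond it deserves a manager's explicit re-approval."""
    members_by_role = defaultdict(list)
    for acct, p in roster.items():
        if p["status"] == "active":
            members_by_role[p["role"]].append(acct)
    findings = {}
    for members in members_by_role.values():
        if len(members) < min_peers:
            continue
        counts = Counter(e for m in members for e in entitlements.get(m, ()))
        baseline = {e for e, n in counts.items() if 2 * n > len(members)}
        for m in members:
            extra = entitlements.get(m, set()) - baseline
            if extra:
                findings[m] = sorted(extra)
    return findings


def sod_violations(entitlements, conflicts):
    """Accounts holding both halves of a conflicting pair."""
    return sorted(acct for acct, ents in entitlements.items()
                  if any(a in ents and b in ents for a, b in conflicts))


def run_review(today=REVIEW_DATE):
    """Run all four checks and return the findings as one report."""
    return {
        "orphans": orphan_accounts(ROSTER, ENTITLEMENTS, today),
        "stale_contractors": stale_contractor_access(ROSTER, ENTITLEMENTS, today),
        "creep": entitlement_creep(ROSTER, ENTITLEMENTS),
        "sod": sod_violations(ENTITLEMENTS, SOD_CONFLICTS),
    }


if __name__ == "__main__":
    for check, result in run_review().items():
        print(f"{check}: {result}")
```

On the sample data the review flags bob (terminated but still provisioned) and an ownerless service account as orphans, carol as a contractor whose project ended, alice and carol as holding entitlements their peers do not, and alice as the one person who can both create a vendor and approve a payment to it. The peer baseline is deliberately crude; its value is that it surfaces candidates for a human to re-approve, not that it decides.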


Worm Attack Forces the U.S. Army to Ban USB Drives

11:41 am on December 3, 2008 | By Scott Pierson | In information security, risk management | No Comments

According to news reports, the Army initiated a temporary ban on the use of USB flash drives until it could get control of a worm that propagates by installing itself on any USB flash drive mounted on an infected machine. When the drive is then plugged into another machine, the worm copies itself to that machine and tries to download further malware from the Internet.
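As an added example (not from the original post and not Beachhead’s code), here is a triage script for the propagation mechanism just described. It assumes, as was typical for USB worms of that era, that the worm copies an executable onto the drive and writes an autorun.inf launch entry pointing at it; the drive contents, file names and the `sys\setup.exe` payload name are constructed.

```python
"""Triage a removable volume for an autorun-style launcher.

Added example, not from the original post and not Beachhead's code. It
assumes the worm spreads the way most USB worms of the period did: by
copying an executable onto the drive and writing an autorun.inf that
points at it so the file runs when the drive is mounted. The volume
layout below is constructed in a temporary directory.
"""
import re
import tempfile
from pathlib import Path

# Keys whose value names a program Windows would launch (or offer to launch).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command")
EXEC_SUFFIXES = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, tolerating the sloppy
    formatting real autorun.inf files use (BOM, CRLF, mixed case, junk)."""
    entries, in_section = {}, False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def program_of(value):
    """First token of a command line: a quoted path or a bare word."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', value)
    return (m.group(1) or m.group(2) or "") if m else ""


def triage_volume(root):
    """Inspect a mounted volume; return one finding per launch entry
    (an empty list means no autorun launcher is present)."""
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.exists():
        return []
    entries = parse_autorun(inf.read_text(errors="replace"))
    findings = []
    for key in LAUNCH_KEYS:
        if key not in entries:
            continue
        program = program_of(entries[key])
        target = root / program.replace("\\", "/")
        findings.append({
            "key": key,
            "target": program,
            "present": target.is_file(),      # payload actually on the drive?
            "executable": Path(program).suffix.lower() in EXEC_SUFFIXES,
        })
    return findings


def build_sample_volume(infected=True):
    """Constructed sample: a 'USB drive' as a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="usb-"))
    (root / "report.doc").write_bytes(b"quarterly numbers")
    if infected:
        (root / "sys").mkdir()
        (root / "sys" / "setup.exe").write_bytes(b"MZ...")   # stand-in payload
        (root / "autorun.inf").write_text(
            "\ufeff[AutoRun]\r\nOPEN = \"sys\\setup.exe\" /quiet\r\n"
            "shellexecute=sys\\setup.exe\r\nicon=sys\\setup.exe,0\r\n")
    return root


if __name__ == "__main__":
    for finding in triage_volume(build_sample_volume()):
        print(finding)
```

A launch entry whose target is an executable that is present on the drive is the signature worth quarantining on; a dangling entry (present false) is still a sign the drive was touched by something that writes autorun.inf. Disabling autorun on the host removes the trigger, but the copied file is still there for a user to double-click, which is why the encrypted-vault approach below, which denies the worm a place to land at all, is the stronger control.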

Using a product like Beachhead Solutions’ LDDFlash could have prevented this type of attack. LDDFlash forces users to create encrypted vaults on any USB flash device they plug into the computer. Because Beachhead’s product is driverless and the vault encompasses the entire space on the device, the worm has nowhere to copy itself. Files must be dragged and dropped into the vault after a user name and password have been used to open it, and executables cannot be launched from the vault, which closes this propagation path.

A side benefit of this product is the ability to destroy the data on the device after a number of failed logons, or if the device is lost or stolen.


Security and Time

7:17 am on November 20, 2008 | By David Hora | In information security, laptop security, risk management | No Comments

People seem to think that security software is very time consuming. The common conception is that either the installation process is long and arduous, or you will be forced to constantly monitor your chosen security solution. Some solutions do require an administrator to visit each machine and install something, which is simply not feasible in a large company. But not all solutions take hours to install and force an administrator to physically touch each machine; it takes more time to play a game of solitaire than it does to install some security software, and some laptop security solutions are as easy to deploy as adding the installer to Group Policy. Likewise, managing some security products means constantly monitoring all traffic that leaves a machine, or spending hours combing through log files to decide whether there is a security problem. With other solutions, all you need to do is log into a web-based UI and see whether you have any alerts.

If you spend hours managing your current security product after the installation phase, maybe you should look for a new solution. When you research security solutions, check how much time it takes to install each one and how much time, if any, is required to manage it after installation. Make sure any solution you choose provides an intuitive web-based interface so that you can monitor it from anywhere should the need arise.

In the time it took to read this blog post, you probably could have installed a security solution on your laptop.


The Illusion of Security by M.T. Thrett

10:14 am on November 17, 2008 | By Justin Maksim | In data breach, data encryption, information security, risk management, security policy | No Comments

Best I can tell, IT data security expenditures buy compliance, peace of mind and sometimes little else. But are they buying real, bona fide security? Not really. Hook these buyers to a lie detector and I’ll bet you’d find that most know this to be true. We know, for example, that antivirus services are always behind the eight ball: the leading antivirus tools are ineffective at combating the latest and greatest viruses.

IT also throws money into encryption. Don’t misunderstand – encryption is necessary, but it alone is not true security. Once a user has authenticated, encryption no longer protects the data. IT often reasons that it is prudent to mandate a policy of strong passwords as a first-level barrier to a breach. That policy is this strategy’s kryptonite: users will write down these complex passwords for fear of forgetting them.

Security products and services offer peace of mind, but their buyers shouldn’t kid themselves – it is not usually true security. As long as computers are operated by humans (even honest ones), the human is our greatest security threat, and no antivirus or encryption software will eliminate that reality.


You’re responsible for your data – wherever it may be

8:54 am on November 10, 2008 | By Daniel Pagan | In information security, risk management, security policy | No Comments

In the 2008 Ernst & Young Global Information Security Survey, which covered a wide variety of security concerns, approximately 45% of respondents reported demanding data security measures of their vendors and contractors. If you are a business owner or manager contracting with vendors to provide services that require use of your confidential data, don’t you want them safeguarding that data as diligently as you do yourselves? Consider the vendors who need this data to deliver the services you employ them for: payroll, health and employee benefits, credit reporting, auditing, financial processing, professional consulting…the list goes on and on.

Any time unprotected data is exposed, whether through loss, theft or hack, it is your responsibility – even if a third party had the data in its possession. Why? Because the consequences are ultimately yours. Embarrassing press coverage, disclosure costs, credit monitoring services, fines and civil penalties are just the start. The most painful consequence? Customer exodus.


Data breach: ATF = Another Total Failure?

6:33 am on November 3, 2008 | By Jim Allison | In data breach, data encryption, information security, risk management, security policy | No Comments

In September, the Washington Post reported on a five-year study of the ATF’s handling of government computers and firearms, which found that the agency had misplaced over 400 laptops, many of which held sensitive information. While the study focuses on the ATF, the sad truth is that the loss of computers, and of the often confidential information they contain, has become commonplace in both the public and private sectors. To a great degree, as a reading public we’ve become anesthetized to this news, at least until it impacts us – or our networks.

Of even more concern in the article was that in most cases the ATF had absolutely no idea what data might have been compromised and, as a result, whom the loss might directly impact. Since employees often don’t comply with stated data security policy, it is inevitable that data will find its way to the network’s edge – and become mobile.

It is insufficient for an organization to set a data security policy without putting in place the instrumentation and systems to ensure compliance. Furthermore, that compliance cannot depend upon the end user’s conscious adherence to a manual process – it just does not work. Managed solutions must be put in place that ensure the end user’s compliance with corporate data security policy without requiring their active participation.

It is critical that data be encrypted – at a minimum – because only then can we be assured that data losses will not easily put ourselves and others at unnecessary risk. However, encryption by itself is not enough.

When the inevitable loss occurs, it is equally necessary to be able to ascertain the risk associated with the loss and to determine the necessary corrective action. Some may feel that plausible deniability is an effective approach to this problem: “If you don’t understand the impact of the loss, you don’t need to consider it serious.”

I think this is both wrong and short-sighted. Assuming you have the ability to respond, wouldn’t it be better to fully understand your risk so that an appropriate counteraction could be chosen? File and folder cataloging on devices within the control of an organization’s IT department should be an integral part of an effective PC data security solution. This capability can be used in many ways, including:

• risk assessment, by identifying the devices that contain particular sensitive data
• risk amelioration, by surgically destroying data that is found on unauthorized devices
• policy management, by identifying and establishing policies on the retention of sensitive data throughout an organization
• data forensics, by understanding the full extent of the impact of any data losses
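The four uses above all rest on the same inventory. As an added illustration (not from the post and not any vendor’s product), the following builds that catalog for two constructed “laptops”, records a hash and size per file, tags files carrying an SSN or a Luhn-valid payment card number, answers the risk-assessment question of which device holds what, and shows a best-effort surgical destroy. The device names, file contents and detection patterns are assumptions.

```python
"""Catalog files on managed devices and record which hold sensitive data.

Added example, not from the original post or a vendor's product code. The
two 'laptops', their files and the SSN/card detectors are constructed for
illustration; a real deployment would run this on every managed machine."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidates, Luhn-checked below


def luhn_ok(digits):
    """Luhn check, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def classify(text):
    """Labels for the kinds of sensitive data found in `text`."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.add("payment_card")
            break
    return labels


def catalog_device(device_id, root):
    """Walk one device; return a record per file (path, size, hash, labels)."""
    root = Path(root)
    records = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        try:
            labels = classify(data.decode("utf-8"))
        except UnicodeDecodeError:
            labels = set()   # binary: a real tool would parse by file type
        records.append({"device": device_id,
                        "path": path.relative_to(root).as_posix(),
                        "size": len(data),
                        "sha256": hashlib.sha256(data).hexdigest(),
                        "labels": sorted(labels)})
    return records


def run_catalog(devices):
    """Catalog every device in {device_id: mount_path} into one inventory."""
    return [r for dev, root in devices.items() for r in catalog_device(dev, root)]


def devices_with(catalog, label):
    """Risk assessment: which devices hold at least one file carrying `label`?"""
    return sorted({r["device"] for r in catalog if label in r["labels"]})


def destroy_file(root, record):
    """Risk amelioration: overwrite, then unlink, one flagged file.
    Overwriting is best effort on journaling file systems and wear-levelled
    flash; it narrows the window but does not replace full-disk encryption."""
    path = Path(root) / record["path"]
    with open(path, "r+b") as fh:
        fh.write(b"\0" * record["size"])
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()
    return not path.exists()


def build_sample_devices():
    """Constructed sample: two 'laptops' as temp directories."""
    sample = {
        "LAPTOP-01": {"hr/benefits.csv": "name,ssn\nJ. Doe,123-45-6789\n",
                      "notes.txt": "lunch at noon\n"},
        "LAPTOP-02": {"sales/cards.txt": "card on file: 4111 1111 1111 1111\n",
                      "readme.txt": "nothing sensitive here\n"},
    }
    devices = {}
    for device_id, files in sample.items():
        root = Path(tempfile.mkdtemp(prefix=device_id + "-"))
        for rel, text in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        devices[device_id] = root
    return devices


if __name__ == "__main__":
    inventory = run_catalog(build_sample_devices())
    print("devices with SSNs:", devices_with(inventory, "ssn"))
    print("devices with card numbers:", devices_with(inventory, "payment_card"))
```

The point of keeping the hash and size alongside the labels is forensic: when a laptop disappears, the last catalog run tells you exactly which files, of what content, were on it, without needing the device back. The destroy routine returns whether the file is gone, not whether the bytes are unrecoverable; on flash media only encryption gives you the latter.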

Tools that can both assess and eliminate risk represent a much better data security strategy than either ignorance or hope.


What’s scarier than a hacker? Your employees.

11:19 am on October 30, 2008 | By Meghan Whelan | In data breach, information security, risk management, security policy | No Comments

In a study recently released by Compuware, most data breaches were found to be caused by employees, not hackers. The survey of 1,112 IT workers found that only one percent of data losses this year were the result of hackers. Here’s a breakdown of the results:

Negligent insiders were overwhelmingly cited as the cause of data breaches in the survey. What does this mean for company security policies? Will we soon see a shift toward tying up the internal loose ends that compromise company data?

It might be a good idea, especially when you add to the equation the data from other security studies on the impact of a data breach on a small company. One-third of companies in one survey said that a major security breach could put them out of business. Additionally, a data breach that exposed personal information would cost a company an average of $268,000 just to inform its customers – even if the lost data is never used. Or, to break it down further, as a Forrester survey did, a breach will cost a company between $90 and $305 per exposed record.

In today’s economy, every dollar in a security budget gets scrutinized. A better strategy for security professionals is to put those dollars toward preventive measures that combat insider negligence instead of throwing money at the outside threat.


I lost my USB flash drive!

3:56 pm on October 14, 2008 | By Ravi Mishra | In data encryption, information security, risk management, security policy | No Comments

Flash memory devices are dirt cheap and offer lots of storage. As a result, lots of employees run around with critical company data on their USB flash devices.

But what if one of them loses a USB flash device with sensitive company data at Starbucks? As an organization, you’re vulnerable. That’s why USB flash security is critical. These solutions come in two flavors:

1. Consumer USB Flash Security Solutions

2. Enterprise-level USB Flash Security Solutions

Consumer USB flash security solutions typically provide data encryption and password protection on USB flash devices – good. But how and under what conditions those capabilities are used is determined by the user. What if the user opts to ignore the security features? The organization is still vulnerable.

Enterprise-level USB flash security solutions provide controls that are enforced – by the enterprise. Whether or not to secure the device is not a decision left to the user. These important controls include USB port blocking, enforced encryption, auditing and destruction of at-risk data. When it comes to security risk, I believe that most IT administrators will want to make the decisions about what data can be put on a USB flash device and, if so, under what security rules and conditions. Relying on employees for this critical decision is risky indeed.



The financial crisis could be more costly than you think.

7:51 am on September 25, 2008 | By Tim Lavelle | In data encryption, information security, risk management | No Comments

I have read two recent articles that are troubling: “IT administrators admit they would steal data” and “When Credit Crunch = Data Security Crunch”. Both discuss the likelihood that employees would steal from their employers if they were laid off or otherwise perceived that their loyal service to their organization was not being reciprocated.

Especially in these difficult times, companies and organizations should recognize that it is increasingly risky to rely on their employees as an integral part of their data security posture. What, you say, are you asking them to do? If you demand that sensitive data not leave the building on laptops, are you sure this is not happening? If you instruct your employees to transport and store their laptops out of sight, do they? And how about protecting their passwords? Does anybody share or write down passwords in your organization? Even if you encrypt the data on a laptop, are you aware that all it takes is the password to decrypt that data?

Do you really want to depend on your users to comply with all of your data security policies if there are technologies available that could effectively remove the user from that equation?


New economic threat: Vulnerable data.

1:26 pm on September 19, 2008 | By Scott Pierson | In data breach, information security, risk management | No Comments

In times of economic downturn, one of the first things organizations cut is security and compliance projects. It is also the worst time to cut in these areas. When the economy is unstable, the threats to data security increase: you have more IT-savvy individuals out of work, and sometimes desperate, and you may also have made cuts in your own IT staff. A recent survey of 300 IT administrators found that 88 per cent said they would steal company secrets if they were laid off.

IT staff know where you may be vulnerable and have greater ability to gain unauthorized access to your data. Many organizations just don’t see the immediate need to protect sensitive data because they have yet to experience a loss. The key word here is “yet”. If your organization is currently feeling the pinch of this tight economy, just think how much worse it would be if you were to suffer a publicized data breach. Laptop data security is that important, and the threat is evident in the losses publicized every month. Data encryption, and trigger-based actions that secure or delete at-risk data, are easy to implement and are the best insurance against making tough times tougher.
