PC Data Security Blog

Worm Attack Forces the U.S. Army to Ban USB Drives

According to news reports, the Army initiated a temporary ban on the use of USB Flash Drives until they could get control of a Worm that propagates itself by installing itself on USB Flash Drives when they are mounted on an infected machine. When the drive is then plugged into another machine it copies itself to the new machine and then tries to download malware from the Internet.

Using a product like Beachhead Solutions’ LDDFlash could have prevented this type of malware attack. LDDFlash forces users to create encrypted vaults on any USB Flash device they plug into the computer. Because Beachhead’s product is driverless and because it creates a vault that encompasses the entire space on the device, the Worm cannot copy itself to the device. Files must be dragged and dropped into the vault after a user name and password is used to open it. Executables cannot be launched from the vault eliminating this threat completely.

A side benefit of this product is the ability destroy the data on the device based on failed logons or if the device is lost or stolen.

Security and Time

People seem to think that security software is very time consuming. The common conception is either the installation process is long and arduous, or you will be forced to constantly monitor your chosen security solution. Some solutions require an admin to go to each machine and install something, which is simply not feasible in a large company. Not all solutions take hours to install and force an administrator to physically access each machine. It takes more time to play a game of solitaire than it does to install some security software. Some laptop security solutions are as easy to install as simply adding the installer to group policy. To manage some security products, you need to constantly monitor all traffic that comes from a machine. Some solutions require administrators to take hours to examine log files to see if there is a security problem or not. With other solutions, all you need to do is log into a web based UI and see if you have any alerts.

If you spend hours managing your current security product after the installation phase, maybe you should take a look for a new solution. When you research security solutions, you should see how much time it takes to install the solution and how much time, if any, is required to manage the solution post install. Make sure any solution you find gives an intuitive web based interface that will allow you to monitor it from anywhere should the need arise.

In the time it took to read this blog post, you probably could have installed a security solution on your laptop.

The Illusion of Security by M.T. Thrett

Best I can tell, IT data security expenditures buy compliance, piece-of-mind and sometimes, little else.  But are they buying real, bona fide security? Not really. Hook these buyers to a lie detector and I’ll bet you find that you’d find that most know this to be true. We know for example that antivirus services are always behind the eight ball. The leading antivirus tools are ineffective at combating the latest and greatest viruses.

            IT also throws money into encryption. Don’t misunderstand – encryption is necessary but it alone is not true security. After authentication, encryption is ineffective. IT often reasons it prudent to mandate a policy of strong passwords as a first-level barrier to a breach. This policy is parallel to Superman’s kryptonite. Users will write down these complex passwords for fear of forgetting them.

            Security products and services offer piece-of-mind but shouldn’t kid themselves – it is not usually true security. As long as computers are operated by humans (even honest ones) this is our greatest security threat. No antivirus or encryption software will eliminate that reality.

You’re responsible for your data – wherever it may be

Data breach: ATF = Another Total Failure?

In September, the Washington Post reported on a five-year study of the ATF’s handling of government computers and firearms and found that the agency had misplaced over 400 laptops, many of which had sensitive information. While this study focuses on the ATF, the sad truth is that the loss of computers and the often confidential information that they contain has become commonplace in both the public and private sectors. To a great degree, as a reading public we’ve become anesthetized to this news, at least until it impacts us - or our networks….

Of even more concern in the article was that in most cases, the ATF had absolutely no idea of what data might have been compromised and as a result, who the loss might directly impact. Since employees often don’t comply with stated data security policy, it is inevitable that data will find its way to the network’s edge - and be mobile.

It is insufficient that an organization set a data security policy without putting in place the instrumentation and systems to ensure its compliance. Furthermore, that compliance can not depend upon the end-user’s conscious adherence to manual process - it just does not work. Managed solutions must be put in place that can ensure the end user’s compliance with corporate data security policy, without requiring their active participation.

It is critical that data be encrypted - at a minimum - only then can we be assured that data losses will not easily put ourselves and others at unnecessary risk. However, encryption by itself that is not enough.
When the inevitable loss occurs, it is equally necessary to be able to ascertain the risk associated with the loss and to determine the necessary corrective action. Some may feel that plausible deniability is an effective approach to addressing this problem. “If you don’t understand the impact of the loss, you don’t need to consider it as serious.”

I think this is both wrong, and short-sighted. Assuming you have the ability to respond wouldn’t it be better to fully understand your risk so that an appropriate counteraction could be chosen? File and folder cataloging on devices within control of an organization’s IT department should be an integral part of an effective PC data security solution. This feature can be used in many ways, including:

• risk assessment, by identifying the devices that contain particular sensitive data
• risk amelioration, by surgically destroying data that is found on unauthorized devices
• policy management, by identifying and establishing policies on the retention of sensitive data throughout an organization
• data forensics, by understanding the full extent of the impact of any data losses

Tools that can both assess and eliminate risk represent a much better data security strategy than either ignorance or hope.

What’s scarier than a hacker? Your employees.

In a study recently released by Compuware, results showed most data breaches are caused by employees, not hackers. The survey of 1,112 IT workers found that only one percent of data losses this year were the result of hackers. Here’s a breakdown of the results:

Negligent insiders were overwhelmingly cited as the cause of data breaches in the survey. What does this mean for company security policies? Will we soon see a shift towards tying up the internal loose ends that compromise company data?

It might be a good idea. Especially when you add to the equation the data from other security studies showing the impact of a data breach on a small company. One-third of companies in one survey said that a major security breach could put their company out of business. Additionally, a data breach that exposed personal information would cost companies an average of $268,000 to inform their customers–even if the lost data is never used. Or, to break it down further, which a Forrester survey did, a breach will cost a company between $90 and $305 per exposed record.

In today’s economy, every dollar spent in a security budget has to get scrutinized. A better strategy for security professionals is to put those dollars toward preventitive measures that combat insider negligence instead of throwing money at an outside threat.

Security News Brief: 10-22-08

• Study shows biggest threat to data security comes from the inside. 80% of respondents to the survey said they’ve had at least one data breach this year. 58% of breaches come from mobile devices, including laptops, PDAs and memory sticks. (Dark Reading, Oct. 9, 2008)
• Over half of British companies have lost data. Two-thirds of respondents said negligence was the cause for the data breach in their company. (Computerworld, Oct. 10, 2008)
• Stolen laptop in W.Virginia contained personal information of over 500 state workers. The laptop was stolen from the vehicle of an employee of the state’s accounting firm. (The Charleston Gazette, Oct. 7, 2008)
• Laptops stolen from Boston ACORN office. Police were investigating a break-in at the office of the community activist group. (WBZtv.com, October 17, 2008)
• Newark TSA employee accused of stealing 31 laptops from passenger baggage. Pythias Brown was finally caught when he allegedly stole a $50,000 camera from an HBO crewmember and a camcorder from the bag of a CNN employee. (New Jersey Star-Ledger, Oct. 7, 2008.)

I lost my USB flash drive!

What if it’s Your Data on a Lost or Stolen Device?

It’s important to consider the information you’re storing on them. Do your devices include online banking information, bills, receipts, tax returns, personal photos and videos, contact information, online account information, electronic signatures, emails, and…? If this information is intercepted by another person, they can learn a great deal about you. Losing such a device now becomes a much larger undertaking than most people realize. It’s like losing your wallet. What do you do when your wallet is lost or stolen? You cancel your credit cards, get a new id/driving license, perhaps subscribe to a credit reporting/protection agency. Would you do the same thing if you lost one of these electronic devices? You might not - but you should.

These are necessary precautions against identity theft and other damaging uses of your personal information. Your vulnerability may be even greater. Do you store photos or video of your family on these devices? How would it feel if they were in the hands of a complete stranger? A stranger with the morals that justified stealing the device in the first place?
I encourage you to think about all the information you keep on such devices and to ask yourself what would happen if someone got access to that data? What will you do? These are some questions to think about and plan for - preferably before it happens to you.

Security News Brief: 10-03-08

• New federal law targets ID theft and cybercrime. The bill lowers the bar prosecutors need to clear before bringing hacking and other cybercrime charges against an individual. (Security Fix, October 1, 2008.)
• Laptop stolen in break-in at McCain campaign office in St. Louis. Campaign officials said the laptop contained information about areas that Republicans are targeting for support. (STLToday.com, October 2, 2008.)
• October is Cyber Security Awareness Month. (Network World, October 3, 2008.)