Last year in November, the UK’s HM Revenue and Customs lost the personal records of 25 million people. To prevent such losses in the future, they will rely on 37 employees whose role will be to protect data. According to a parliamentary written answer by Jane Kennedy, financial secretary to the Treasury, quoted by the Register, the goal for the data guardian appointed to each business unit is “to strengthen the management of the department’s data assets”.
The information was lost while being transferred through postal services on unencrypted computer disks. How about portable storage devices with encryption? Wouldn’t that be cheaper than paying the salaries of 37 people?
As we can tell from the article published by the Register, other governmental agencies also rely on their workforce to protect data:
In response to another written question connected to the child benefit data loss, the Department for Work and Pensions said it provides data to the National Audit Office using “rigorous courier arrangements and a requirement that physical transfers of data must have the specific authority of a member of the senior civil service”, according to Anne McGuire, minister for disabled people.
A survey recently published by the Computing Technology Industry Association (CompTIA) and quoted by DarkReading shows that companies do not find the IT security skills they need in the experts they hire. CompTIA surveyed 3500 technology professionals from three continents (Europe, North America and Asia) and concluded that most of them regard security expertise as a top skill when looking for techies to hire. Yet the skill set of existing IT professionals does not match their demands.
Among organizations surveyed in nine countries with established IT industries (Australia, Canada, France, Germany, Italy, Japan, the Netherlands, U.K., and U.S.), 73 percent identified security, firewalls, and data privacy as the IT skills most important to their organizations. But just 57 percent said their IT employees are proficient in these security skills, a gap of 16 percentage points.
The gap is even wider in five countries where the IT industry is still emerging (China, India, Poland, Russia, and South Africa). Among respondents in these countries, 76 percent identified security as the top skill their organization needs; but just 57 percent said their current tech staff is proficient in security. That’s a difference of 19 percentage points, CompTIA noted.
Two years ago, a major security breach was reported by the US Department of Veterans Affairs. At the time, a laptop containing private data on an extremely large number of veterans had been stolen. Following the incident, strict guidelines were established in order to protect personal information and prevent such thefts and exposures from happening.
According to the Register, two years was not enough time for government agencies to implement the guidelines and comply with their security requirements.
According to a report issued by the Government Accountability Office (GAO) today, a number of agencies fell short on recommendations for securing databases, remote access, and mobile devices. All of the agencies received a downgrade in their scores for e-government progress on the President’s Management Agenda Scorecard.
Of the 24 major agencies audited in the report, only 11 had established policies for logging data extracted from agency databases and for erasing the data within 90 days of extraction. Only 15 agencies had established a “time out” function for remote and mobile devices that requires user re-authentication after 30 minutes of inactivity.
The same report revealed that 25 other security breaches occurred in a three-year interval – 2004-2007 – three of them exposing private records of more than 100,000 individuals. It also states these are only the breaches accounted for, but the actual number might be far greater.
The Register explores the costs of data breaches for UK companies in an article published earlier today. And the numbers they publish should scare companies from both the UK and other countries, as laws and regulations seem to get harsher by the minute.
While the average cost per lost record is £47, the average total cost to a company exposed to data breaches is £1.4 million. These troubling amounts are the result of a study conducted by the Ponemon Institute. 21 UK companies took part in the research, and the winners are financial companies, which report the most expensive data breaches, at about £55.
The size of the losses examined ranged from 2,500 records to more than 125,000 and costs ranged from £84,000 to £3.8m.
Breaches by third parties were more expensive than in-house losses – on average £59 rather than £42 in-house. This is a difficult issue for big companies to deal with, because their supply chain will include hundreds or even thousands of partner and outsourcer companies.
An NHS hospital in Dudley reported the theft of a laptop containing the personal information of over 5,000 patients. Although the theft in question happened in January, word of it got out only later, when the Dudley Group of Hospitals informed all affected patients.
According to an article published by Vnunet.com, the laptop was properly secured, requiring a password to log in and a different one for the actual database containing patient personal details. The article further shows that the NHS blames the large number of people going in and out of a public hospital for the theft, claiming that security is a major concern. The company has spent quite some money on data encryption, but apparently they should have tried to complete the process sooner:
“We take precautions to try to protect all the IT equipment in our hospitals from theft, but given that this is a public building with thousands of people accessing it every day, there are inevitably practical difficulties around security.”
Farenden said that the trust is in the process of rolling out encryption technology, following a £135,000 spend on data security. However, the laptop in question had not been upgraded before it was stolen.
Back in 2005, people had very different opinions on what endpoint security was. They were debating what it covered, how it was achieved and who spread the concept. To see how different opinions were, here’s an article that’s over 3 years old. Currently, one could try an online IT glossary to find out what endpoint security is all about. And they’d get to a definition close to the one below:
Endpoint security is a strategy in which security software is distributed to end-user devices but centrally managed. Endpoint security systems work on a client/server model. A client program is installed on or downloaded to every endpoint, which, in this case, is every user device that connects to the corporate network. Endpoints can include PCs, laptops, handhelds, and specialized equipment such as inventory scanners and point-of-sale terminals. A server or gateway hosts the centralized security program, which verifies logins and sends updates and patches when needed.
A bit clearer, but how is this different from antivirus software and other authentication mechanisms previously used? SearchSecurity.com expands the above definition and gives a few hints on how endpoint security is more complex and thus a key point to take into account when building individual or corporate security policies:
Simple forms of endpoint security include personal firewalls or anti-virus software that is distributed and then monitored and updated from the server. The term is evolving, however, to include security elements such as intrusion detection and prevention, anti-spyware software, and behavior-blocking software (programs that monitor devices and look for operations and actions that are typically initiated by unsanctioned applications or those with malicious intent).
The most complex endpoint security programs use network access control to grant authentication and specific forms of access to user devices. When a device attempts to log in to the network, the program validates user credentials and also scans the device to make sure that it complies with defined corporate policies before allowing access.
Mix this with the initial description and you’re pretty close to home. And of course, there is always a shorter way to explain it all. Also a little clearer and easier to understand. Like this:
Systems and solutions designed to protect and control endpoints whether those endpoints are within, attached, or connected remotely to an organization’s network. Endpoint security solutions can include but are not limited to: antivirus, virtual private network (VPN), host intrusion prevention, personal firewall, anti-spyware, and multi-factor authentication solutions.
What I personally think endpoint security should be all about (and what some good endpoint security solutions developers are actually doing) can be listed as follows:
- cover both individuals and companies
- be able to offer the same level of security to all types of businesses: SOHO, SMB and large companies
- prevent data loss and leakage
- prevent data theft and other security breaches
- identify all real threats (from both outside and within a certain network)
- offer comprehensive file tracing and auditing features
- allow trusted devices to be identified as such
- protect a network from all possible gadgets and portable data storage devices
- help customers efficiently comply with IT security and governance standards and legislation
- as a cherry on top, it should all be easy to understand and to operate, as learning time is limited
What is endpoint security to you? What important factors have I left out? Feel free to add your ideas to the checklist I’ve created.
A bug in a live update spread among Symantec’s endpoint security customers resulted in error logs piling up and rendering the solution inoperable. While the company states it is working on a fix for the issue that seems to have affected quite large numbers of users, the Register presents a different story – the hard time one of their readers has had dealing with the repeated errors.
The story sparked quite a debate on Symantec’s forums. Although the initial stories about how much damage this bug has caused are exaggerated, there still seems to be a great discrepancy in how customers and the company see things. While Symantec states only minor errors should have been reported, the quoted Register reader speaks of server halts and users being unable to log in:
Symantec acknowledged the error-generating bug, but says the product remains functional. “This issue would have led users to see “Error 58/55” in their SEP log files. The issue shouldn’t have done anything but generate errors — there should have been no issue with the product itself,” a spokesman said.
Richard said the problem didn’t cause problems in downloading anti-virus definitions even without applying workarounds (contrary to earlier versions of this story). Nonetheless the issue is still causing all sorts of grief. “Anti-virus updates appear to come down fine. It’s just a decomposer issue, but does that mean that anti-virus can’t scan inside archives until the problem is fixed? Symantec aren’t saying,” he said.
“However many many people are still having problems with things like the errors filling up logs and grinding servers to a halt. I personally figured something was wrong when none of my users could log on, there were temp files from live update littering the boot drive of the server and it had no free space,” Richard reports.
Starting as cool give-aways, easily brandable and not taking too much space, USB sticks have developed into quite efficient means of carrying data to and from PCs. As the numbers of mobile employees and freelancers increase, fast and easy means of carrying information around gain more attention. And with that attention, the threat of having proprietary information and private details lost or stolen increases.
As endpoint security evolves, so do the forms of protection, which vary more and embed the latest technology. So why would a USB stick need biometrics, if passwords and data encryption are already available? To answer that question, we first need to better define biometrics. The term covers the study of methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. According to Wikipedia, there are two major categories used to divide biometric traits:
- physiological – related to the shape of the body. The oldest traits, that have been used for over 100 years, are fingerprints. Other examples are face recognition, hand geometry and iris recognition.
- behavioral – related to the behavior of a person. The first characteristic to be used and still very popular today is the signature. More modern approaches are the study of keystroke dynamics and of voice.
So, what is so special about biometrics-based authentication? It is believed to be impossible to reproduce or forge. Besides, you don’t have to worry about misplacing the encryption key or forgetting the 8-character password you cleverly invented.
That is of course an amazing idea to keep your data safe if you are not part of the group that believes stories in spy movies are true. We’ve all seen passwords of 6 alphanumeric characters broken in less than a minute, haven’t we? Or eyes being remade and fingerprints “printed” within seconds.
Details of a mysterious data theft have just been published by Dark Reading. Canada’s largest telecom provider, Bell Canada, has recovered personal data of about 3.4 million customers after a puzzling theft.
Apparently, the person responsible for stealing the confidential information has never worked for Bell South. The company however chose not to disclose where the respective data was stored.
The data was found after a search of two locations in Montreal, and a suspect has been arrested. No credit card or account information was included, but about 5 percent of the phone numbers recovered were unlisted, Bell Canada said.
A spokesman for Bell Canada said that police were able to track down the data and the suspect because of a tip from a witness, who reported that the suspect was attempting to shop the data around to a number of people.
It looks like you don’t have to be very smart to steal all confidential details of over 3 million people. To my mind, the thief was not that bright if he tried to sell the info so openly, without thinking of possible witnesses.
As private data can be so easily stolen, endpoint security and data loss prevention solutions should be on the list of any company that is even remotely concerned about what such a theft might entail. There is no such thing as foolproof security, but there are efficient security policies that can prevent such things from happening.
Wireless USBs, besides bringing data transfers and portability to a new level and diminishing restrictions of the traditional USB protocol, also harbor specific threats. While transfers between these portable devices and computers come with no impressive tricks, the data they store can be easily leaked to third party PCs or devices supporting wireless transfers.
The new Endpoint Protector 2008 efficiently protects PCs from data loss, data theft and other forms of data leakage. Endpoint Protector allows the controlled use of USB devices, external hard drives, FireWire devices, CD/DVD-Readers/Writers and many other potentially harmful devices, with the goal of stopping malware, viruses and other unwanted data intrusions.
Endpoint Protector 2008 also monitors and records all data transferred to and from portable storage devices. This new feature gives IT administrators the possibility to trace all data activity regarding removable storage and endpoint devices. This file tracing option allows the prevention of possible data breaches or of data being copied without authorization.
While the client product only runs on Windows operating systems, the Endpoint Protector Server 2008 is available for both Windows and Linux platforms, addressing a wider range of working scenarios.