Months later, consequences knocking on breached door
One might think that if several months have passed since an embarrassing data breach and nothing has happened, it’s all cool. One can relax, mind their own business and forget all about security.
That’s not the case if we’re talking about a UK health authority, namely London-based Camden Primary Care Trust. They thought, sometime last August, that dumping PCs containing 2,500 patients’ names, addresses and medical histories beside a skip inside the grounds of St Pancras Hospital was a good idea. They might reconsider now, as the Information Commissioner’s Office has given Camden Primary Care Trust until the end of the month to improve security, as a consequence of its breaching the Data Protection Act.
According to the Register, “data on the obsolete computers was left unencrypted. The machines were subsequently swiped without authorisation and never recovered”. Given such gross negligence and obvious proof of being completely irresponsible, I cannot help being extremely happy they are forced to do something about their security!
Air France tries out biometric boarding cards
Biometric security is on the rise, as new possibilities to use it come into shape, from entrance access and USB card security to the latest trick: biometric boarding cards, a new usage thought up by Air France. What are they testing? RFID-equipped smartcards which store passenger fingerprints to allow automated boarding, according to the Register.
How does the card do the trick? It is said to contain an encrypted version of forefinger and thumb prints for each passenger. It would be used at a dedicated gate, which checks the card, compares it to the passenger’s finger or thumb print and, if it matches, opens the gate. No clerk, no time wasted, all simple and easy.
This little baby can be re-used up to 500 times. It also has a barcode inserted into it, containing all the information of a traditional paper boarding pass. Said passenger can check in online, insert their card into a dedicated machine within the airport, and get the flight info and seat number printed onto the card. According to Air France, getting such a card takes only a couple of minutes. They also claim that once the information is transmitted to the card, it isn’t stored elsewhere, so your data is safe.
If you’re as impressed as I am and want a similar gadget, you have until the end of the year to become an AF frequent flier to be eligible for one. For a first hand experience, you’ll have to fly between Paris and Amsterdam. I think I’ll wait until they extend the program though!
US 2008 data breach growth blamed on insiders
Apart from the economic downturn, the year 2008 brought another critical issue to US companies: a nearly 50% increase in data breaches, leading them to lose considerably more sensitive data. According to an Identity Theft Resources Center (ITRC) study quoted by the Register, last year 35 million data records were exposed in 656 admitted incidents, amounting to a 47% increase compared to the 446 data loss incidents reported in 2007.
ITRC also states that about 40% of security breaches are never reported, thus the true number of exposed confidential records is most likely to be far greater than the study suggests.
Computer malware, hacking, and insider theft accounted for 29.6 per cent of recorded breaches, where the root cause of the attack is known. One in six breaches (15.7 per cent) were blamed on insider theft, a figure that’s more than doubled between 2007 and 2008.
The good news is that as education regarding data loss prevention reached more companies, the number of incidents caused by human errors has decreased. But that is a very small light in a highly untrained corporate world, where most reported data breaches involved data unprotected by either encryption or the simplest password protection. Let’s hope for a better protected 2009!
Self-encrypting laptop from Dell
One of the most common causes of security breaches is stolen hardware. And I’m sure you’ve all heard of the thousands and thousands of laptops stolen in airports, from parking lots and other public places. And as most companies fail to implement a comprehensive endpoint security solution, a stolen laptop means trouble. For the end users, a laptop sometimes stores most of their documents, personal and business, memories from trips and other important events and everything that is private and dear to them. Picturing everything lost to a stranger’s hand is hard to cope with.
Dell states there’s a new way to prevent such bad things from happening: a self-encrypting laptop. Your data is still lost, but at least no one can access it. The drives with self-encryption features are produced by Seagate and embedded in the new Dell product. And apparently, the Seagate hardware will soon be shipped by IBM and LSI as well. Let’s hope no one breaks the encryption system!
Deloitte Lost Hundreds of Thousands of Pension Details
Deloitte has recently admitted it had lost a laptop containing pension details on hundreds of thousands of individuals. What is different though is that finally this laptop contained encrypted information, was password-protected and no misuse of the stored information has been discovered. While losing laptops is not something to take lightly, I am happy to report those having it won’t be able to easily access the stored information.
So what did the laptop contain? According to the Register, 150,000 railway workers’ details, details on all UK Vodafone staff with pensions, as well as records of other unnamed pension funds were stored on the said laptop. No addresses or bank information though. How was it stolen? From a handbag of a Deloitte employee. Vodafone staffers, as well as the railway workers, received letters letting them know what had happened soon after the theft. We’re now looking forward to seeing where the “thorough investigation” takes Deloitte.
Stockbrokers Get Fine for Poor Security
The Financial Services Authority (FSA) has recently fined a firm of stockbrokers for failing to adequately protect their customers from the risk of identity fraud. FSA, quoted by the Register, said the company’s poor security included failing to manage, among others, the risks posed by staff using instant messaging and web-based email.
London-based Merchant Securities Group Limited also failed to verify the identities of customers contacting the firm by telephone. They instead relied on being able to recognize customers’ voices and informally asking them about personal matters such as holidays or hobbies. The firm also had the habit of including private account numbers in routine letters which could then lead to fraud or identity theft.
The FSA also found that back-up tapes containing unencrypted customer information were stored overnight in a bag at the home of a member of staff.
The London-based firm also failed to implement adequate controls “to mitigate the risk of customers’ personal data being transmitted outside the firm by failing to prevent the use of instant messaging and web-based email,” according to the penalty notice (pdf) served by the FSA.
New PCI Standards Disregard Inside Threats
Starting June 30, new measures inserted in the Payment Card Industry (PCI) standard will be enforced. However, representatives of a database security firm point out that the new additions do nothing to address inside threats.
As Vnunet.com shows in a recent article, the new measures require that companies dealing with stored credit card and other consumer financial data either install firewalls around all internet-facing applications or have all customer application code reviewed for common vulnerabilities.
Secerno representatives showed that the new and “improved” standard does not address real threats effectively:
“The PCI Data Security Standard has the best intentions but, as is the case with many compliance directives, it barely addresses the most immediate and upcoming threats to consumer data,” said Paul Davie, founder of Secerno.
“It is generally inadequate for addressing the sort of internal threat that can be exploited easily, such as by general or privileged users.”
Other than completely ignoring ill-willed insiders, the PCI standard also fails to regulate data encryption requirements, database security policies, or measures for protecting data on private networks.
New Easier Way to Encrypt Large Amounts of Data
Researchers from many world-renowned universities and research labs such as UCLA or Root Labs have been focusing for quite a while on data encryption. According to the Register, current research has led to an encryption scheme that has the potential to simplify the protection of sensitive information. This encryption scheme allows banks, hospitals and other organizations to lock files using keys that are based on specific attributes: an employee’s position or geographic location.
The method, which was unveiled last week, adds to the growing body of research known as functional, or attribute-based encryption. Functional encryption is designed to solve the hassle tied to traditional public-key encryption resulting from distributing and managing thousands or millions of private keys authorized people need to decrypt protected data. If 1,000 people in an organization need to securely share their public key with their co-workers, that requires close to one million separate exchanges.
Functional encryption tries to simplify things. It allows data to be encrypted using attributes directly tied to the recipients, such as their names or email addresses, without the need for the parties to have exchanged keys ahead of time. Rather than relying on a single key that unlocks all data, functional encryption envisions a more flexible sort of system where a personal key unlocks some doors but not others.

