CareFirst Dental HMO Exposes Data of 75,000 Members
One of the purposes of Endpoint Security is to actively prevent damage caused by insider threats. Such threats don’t always refer to malevolent employees waiting around the corner to steal proprietary technology or private records. They also refer to members of your organization being mugged or simply losing a laptop, PDA, iPhone or flash drive with sensitive information. Moreover, it aims to prevent human error. Though uncommon, personnel transferring the wrong data and exposing it to wrongdoers does happen.
One of the most recent cases has been covered by The Baltimore Sun. A CareFirst BlueCross BlueShield dental HMO called Dental Network accidentally exposed personal information, including Social Security numbers, of about 75,000 members on a public Web site last month and didn’t notify them until about three weeks later.
Experts say security breaches such as The Dental Network’s - where the company itself inadvertently posts the information - are uncommon. More often, experts say, information is compromised when hackers break into a computer system or when computers are stolen - as happened with the theft of a National Institutes of Health laptop last month.
Although state laws require timely notifications to be sent to all those involved, The Dental Network discovered the security breach on February 20 and informed members through a letter sent on March 10.
A state law passed last year requires businesses to promptly notify those potentially affected by a security breach or theft, according to the Maryland attorney general’s office. Approval followed the loss of computer tapes containing information on more than 135,000 Johns Hopkins employees and patients in early 2007.
The Dental Network’s representative stated, however, that they did their best and notified their members as soon as they could. Still, drafting and editing a letter, printing it and mailing it should take a lot less than three weeks.
Stolen Agilent Laptop with Records of 51,000 Employees
There have been quite a few cases of stolen laptops that contained private records of hundreds, thousands and even hundreds of thousands of individuals. Their number is increasing, and in some cases the consequences are a pretty strong argument when it comes to convincing other companies they need to secure their endpoints. But apparently, recognizing the risk and having a signed contract compelling another company to protect your data is not enough. At least it wasn’t in the case of Agilent Technologies.
A laptop containing sensitive and unencrypted personal data on 51,000 current and former employees of said company has been recently stolen from the car of an Agilent vendor from San Francisco. According to MercuryNews.com, the theft was announced by Agilent in a letter sent to former employees. The stolen data included employee names, Social Security numbers, home addresses and details of stock options and other stock-related awards.
In the letter, Agilent blamed the San Jose vendor, Stock & Option Solutions, for failing to scramble or otherwise safeguard the data - “in violation of the contracted agreement.”
“It wasn’t encrypted, which was a surprise to us,” said Agilent spokeswoman Amy Flores. She said the vendor told Agilent that an East Coast employee had brought the data-laden laptop to California for encryption, but someone broke into her car and stole the computer and her other belongings while the vehicle was parked near Fisherman’s Wharf.
Sensitive Medical Data of 2500 Patients Stolen
Private medical details of over 2,500 patients taking part in a study conducted by the National Institutes of Health have been stolen. The information was stored on a government laptop computer which was stolen in February. The data accounted for seven years of clinical trials, exposing names, medical diagnoses and details of patients’ heart scans. Although government policy requires it, the stolen data was not encrypted.
It took NIH a month to reveal the theft and start notifying the patients whose sensitive records have been lost. According to the Washington Post, the reason behind NIH officials’ hesitation was their concerns they would cause false alarms.
Elizabeth G. Nabel, director of the National Heart, Lung and Blood Institute (NHLBI), said in a statement issued late Friday that “when volunteers enroll in a clinical study, they place great trust in the researchers and study staff, expecting them to act both responsibly and ethically.” She said that “we deeply regret that this incident may cause those who have participated in one of our studies to feel that we have violated that trust.”
NIH officials said the laptop was taken Feb. 23 from the locked trunk of a car driven by an NHLBI laboratory chief named Andrew Arai, who had taken his daughter to a swim meet in Montgomery County. They called it a random theft. Arai oversees the institute’s research program on cardiac magnetic resonance imaging and signed the letters to those whose data was exposed.
Given this recent data theft incident, government agencies should really take the findings of the Government Accountability Office regarding security more seriously and start implementing more effective security policies.
Mindblowing Data Breaches of 2007
CSO Online has recently published a top 10 of the most significant data breaches of 2007. They analyzed stolen hardware, malware infections and other such security-breaching activities. CSO also concluded that the “most brilliant lunacy” of the year was requiring Social Security numbers to be used as passwords.
If you haven’t guessed who the dark winner is, it’s the nasty TJX affair. But considering other data and facts we’ve recently told you about, the losses CSO estimates seem to be a bit off. Nevertheless, the list is quite interesting and a very good reminder that security should never be taken lightly.
Data Breaches Going Up
IT Security published an interesting feature this week focusing on data breaches, their trends, the laws regarding such security breakdowns and the targeted companies. I thought some of the facts and issues they pointed out are highly important and worth rebroadcasting.
- The first US law requiring notice of data breaches dates back to 2003 and was issued in California. Since then, 37 states have enacted similar stipulations.
- In 2007, over 162 million records were stolen or lost. To understand how significant the growth of the past few years has been, note that in 2002 the lost or stolen records amounted to a little under 5,000.
- Big companies with numerous private records seem to be the preferred target. Yet the cause of such breaches is not the thieves’ high level of skill. It’s human error that facilitates such attacks.
TJX, the parent of retail chains including TJ Maxx, announced the computer incursion in January 2007 and later disclosed in an SEC (Securities and Exchange Commission) filing that the incident involved data from more than 45 million payment cards.
Brad Johnson, vice president at SystemExperts, said he views TJX as an anomaly, suggesting most breaches stem from human error rather than an attacker’s ingenuity. “The fundamental problem is a lack of security awareness,” Johnson said. “Employees weren’t aware of the risk involved, so they didn’t take the appropriate precautions.”
The case of HM Revenue & Customs, the United Kingdom’s tax department, fits the human-error category. In late 2007, HM Revenue & Customs acknowledged the loss of two computer disks containing personal information for 25 million people.
- Criminal gangs stealing data get $1 to $10 per record. Therefore, as long as the attacks are profitable, they will continue.
- The first step a company should take is to realize what sensitive data they have and where it is stored. Such a step should make the implementation of an efficient Endpoint security and DLP solution easier.
- Another security measure would be to only process the data needed at a certain time (e.g. a few entries as opposed to an entire Excel file containing those entries).
- Users and consumers should look more closely into the risks they expose themselves to when entrusting their private information to third parties.
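The first recommended step, finding out what sensitive data you hold and where it sits, can be started with a simple discovery scan. The script below is an added example, not code from the feature or from any product mentioned here; it walks a directory tree for US Social Security number patterns (the data type exposed in most of the incidents above), filters out values the SSA never issues to limit false positives, and reports which files hold how many distinct numbers. The sample files it scans are constructed inline.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# SSN in dashed (123-45-6789) or compact (123456789) form. The lookarounds stop
# matches from starting or ending inside a longer run of digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000, 666, 900-999; group 00; serial 0000)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return every plausible SSN in text, normalized to dashed form (duplicates kept)."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text) if is_plausible_ssn(a, g, s)]


def inventory(root: Path, suffixes=(".txt", ".csv")) -> dict[str, int]:
    """Map each text-like file under root that holds SSNs to its count of distinct SSNs."""
    hits: dict[str, int] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            found = find_ssns(path.read_text(errors="ignore"))
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if found:
            hits[path.relative_to(root).as_posix()] = len(set(found))
    return hits


def demo() -> dict[str, int]:
    """Scan a constructed directory: one real payroll-style file, one with only look-alikes."""
    with TemporaryDirectory() as d:
        root = Path(d)
        (root / "hr").mkdir()
        (root / "hr" / "payroll.csv").write_text(
            "name,ssn\nA. Person,123-45-6789\nB. Person,234-56-7890\nC. Person,123456789\n"
        )
        # invalid area 000 and 666, invalid group 00, and a phone number: none should count
        (root / "notes.txt").write_text("000-12-3456, 666-01-0001, 123-00-4567, phone 415-555-0100")
        (root / "readme.txt").write_text("no personal data here")
        return inventory(root)


if __name__ == "__main__":
    print(demo())
```

Once such an inventory exists, the minimization advice above follows naturally: only the files that actually appear in the report need to be encrypted, access-controlled or trimmed down to the entries a given task requires.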
Thumb Drive with Data of Job Seekers Lost
A company hired by the Nevada Department of Public Safety to do background checks on 109 job applicants managed to lose the private data of said job seekers. According to an article on Chron.com, their private records were stored on a thumb drive owned by one of the hired firm’s employees.
Following this incident, the Department of Public Safety has temporarily suspended the use of outside vendors for background checks while it reviews all its processes and procedures.
Endpoint Security… What Is It All About?
Back in 2005, people had very different opinions on what endpoint security was. They were debating what it covered, how it was achieved and who spread the concept. To see how different opinions were, here’s an article that’s over 3 years old. Currently, one could try an online IT glossary to find out what endpoint security is all about. And they’d get to a definition close to the one below:
Endpoint security is a strategy in which security software is distributed to end-user devices but centrally managed. Endpoint security systems work on a client/server model. A client program is installed on or downloaded to every endpoint, which, in this case, is every user device that connects to the corporate network. Endpoints can include PCs, laptops, handhelds, and specialized equipment such as inventory scanners and point-of-sale terminals. A server or gateway hosts the centralized security program, which verifies logins and sends updates and patches when needed.
A bit clearer, but how is this different from antivirus software and other authentication mechanisms previously used? SearchSecurity.com expands the above definition and gives a few hints on how endpoint security is more complex and thus a key point to take into account when building individual or corporate security policies:
Simple forms of endpoint security include personal firewalls or anti-virus software that is distributed and then monitored and updated from the server. The term is evolving, however, to include security elements such as intrusion detection and prevention, anti-spyware software, and behavior-blocking software (programs that monitor devices and look for operations and actions that are typically initiated by unsanctioned applications or those with malicious intent).
The most complex endpoint security programs use network access control to grant authentication and specific forms of access to user devices. When a device attempts to log in to the network, the program validates user credentials and also scans the device to make sure that it complies with defined corporate policies before allowing access.
Mix this with the initial description and you’re pretty close to home. And of course, there is always a shorter way to explain it all. Also a little clearer and easier to understand. Like this:
Systems and solutions designed to protect and control endpoints whether those endpoints are within, attached, or connected remotely to an organization’s network. Endpoint security solutions can include but are not limited to: antivirus, virtual private network (VPN), host intrusion prevention, personal firewall, anti-spyware, and multi-factor authentication solutions.
What I personally think endpoint security should be all about (and what some good endpoint security solutions developers are actually doing) can be listed as follows:
- cover both individuals and companies
- be able to offer the same level of security to all types of businesses: SOHO, SMB and large companies
- prevent data loss and leakage
- prevent data theft and other security breaches
- identify all real threats (from both outside and within a certain network)
- offer comprehensive file tracing and auditing features
- allow trusted devices to be identified as such
- protect a network from all possible gadgets and portable data storage devices
- help customers efficiently comply with IT security and governance standards and legislation
- as a cherry on top, it should all be easy to understand and to operate, as learning time is limited
What is endpoint security to you? What important factors have I left out? Feel free to add your ideas to the checklist I’ve created.
Symantec Customers Angered by Update Bug
A bug in a LiveUpdate release spread among Symantec’s endpoint security customers resulted in error logs piling up and rendering the solution inoperable. While the company states it is working on a fix for the issue, which seems to have affected quite a large number of users, the Register presents a different story: the hard time one of their readers has had dealing with the repeated errors.
The story sparked quite a debate on Symantec’s forums. Although the initial stories about how much damage this bug has caused are exaggerated, there still seems to be a great discrepancy in how customers and the company see things. While Symantec states only minor errors should have been reported, the quoted Register reader speaks of server halts and users being unable to log in:
Symantec acknowledged the error-generating bug, but says the product remains functional. “This issue would have led users to see ‘Error 58/55’ in their SEP log files. The issue shouldn’t have done anything but generate errors — there should have been no issue with the product itself,” a spokesman said.
Richard said the problem didn’t cause problems in downloading anti-virus definitions even without applying workarounds (contrary to earlier versions of this story). Nonetheless the issue is still causing all sorts of grief. “Anti-virus updates appear to come down fine. It’s just a decomposer issue, but does that mean that anti-virus can’t scan inside archives until the problem is fixed? Symantec aren’t saying,” he said.
“However many many people are still having problems with things like the errors filling up logs and grinding servers to a halt. I personally figured something was wrong when none of my users could log on, there were temp files from live update littering the boot drive of the server and it had no free space,” Richard reports.
Is Biometric Authentication a Must for USB Sticks?
Starting as cool give-aways, easily brandable and not taking up too much space, USB sticks have developed into quite efficient means of carrying data to and from PCs. As the numbers of mobile employees and freelancers increase, fast and easy means of carrying information around gain more attention. And with that attention, the threat of having proprietary information and private details lost or stolen increases.
As endpoint security evolves, so do protection forms, varying more and embedding the latest technology. So why would a USB stick need biometrics, if passwords and data encryption are already available? To answer that question, we first need to better define biometrics. The term covers the study of methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. According to Wikipedia, there are two major categories used to divide biometric traits:
- physiological - related to the shape of the body. The oldest traits, that have been used for over 100 years, are fingerprints. Other examples are face recognition, hand geometry and iris recognition.
- behavioral - related to the behavior of a person. The first characteristic to be used and still very popular today is the signature. More modern approaches are the study of keystroke dynamics and of voice.
So, what is so special about biometrics-based authentication? It is believed to be impossible to reproduce or forge. Besides, you don’t have to worry about misplacing the encryption key or forgetting the 8-character password you cleverly invented.
That is of course an amazing idea to keep your data safe if you are not part of the group that believes stories in spy movies are true. We’ve all seen passwords of 6 alphanumeric characters broken in less than a minute, haven’t we? Or eyes being remade and fingerprints “printed” within seconds.
Endpoint Protector 2008 Addresses Wireless USB Security Issues
Wireless USB devices, besides bringing data transfers and portability to a new level and removing restrictions of the traditional USB protocol, also harbor specific threats. While transfers between these portable devices and computers come with no impressive tricks, the data they store can easily be leaked to third-party PCs or devices supporting wireless transfers.
The new Endpoint Protector 2008 developed by CoSoSys is the first endpoint security and DLP solution to address such threats specifically. More details on the new version from PR Inside:
The new Endpoint Protector 2008 efficiently protects PCs from data loss, data theft and other forms of data leakage. Endpoint Protector allows the controlled use of USB devices, external hard drives, FireWire devices, CD/DVD-Readers/Writers and many other potentially harmful devices, with the goal of stopping malware, viruses and other unwanted data intrusions.
Endpoint Protector 2008 also monitors and records all data transferred to and from portable storage devices. This new feature gives IT administrators the possibility to trace all data activity regarding removable storage and endpoint devices. This file tracing option allows the prevention of possible data breaches or of data being copied without authorization.
While the client product only runs on Windows operating systems, the Endpoint Protector Server 2008 is available for both Windows and Linux platforms, addressing a wider range of working scenarios.
