Subscribe to RSS - data


$1 billion lost from information stored on a single thumb drive

Monday, June 6, 2011

Protecting a company's assets is getting far more complicated. Physical security professionals have to worry about much more than protecting physical assets, they also have a critical role in protecting electronic assets as well. I just read an interesting article from CNN about the cost of cybercrime. Here's the gist:

A few years ago a disgruntled employee for a large multinational automotive firm left the company -- but when he walked out the door, he also walked out with plans for a new car model under development on a cheap USB drive.

When the plans were leaked, the cost to the company was an estimated $1 billion in lost sales and increased research and development costs.

Yep, you read that right: $1,000,000,000. All on a single thumb drive.

When Wikileaks story came out, I talked to several security professionals about the role of physical security practitioners in this increasingly IT world in this SDN article.

“First and foremost these recent events should be a wake-up call for organizations to make sure they understand where their data is, what is sensitive data, and who has access to it,” said Steve Salinas, product marketing manager of the forensic business unit for Guidance Software, a provider of digital investigations.

And security professionals must remain vigilant about employee behavior. Is someone coming in on weekends when they've never done that? Is an employee exhibiting strange behavior? Strong collaboration throughout an organization is really the key. Human resources needs to talk to security about possible "disgruntled" employees and security needs to talk to IT about it, too. Is there a correlation between their physical behavior and their electronic behavior?

Policy is also important. In this same SDN article, Jon Oltsik, principal analyst for Enterprise Strategy Group, a full-service IT analyst and business strategy firm, said companies should use the principle of least privileges, meaning only those who need access to certain information have it, but those who don’t need it, don’t have access. Here's more:

It’s also important for a company to limit the number of people who have access to critical information. Then, once those privileges are determined, organizations should monitor what employees are doing with the information. Are they saving information to laptops unnecessarily? Are they transferring information to thumb drives? It’s also important to set up controls. For example, a company should set up controls that employees can’t email certain types of files to email addresses outside of the company or only approved USB drives can be inserted and used to transfer information on company computers.

Does your company have these types of controls in place?

SED 101: What security practitioners need to know about self-encrypting hard drives

Friday, April 29, 2011

By Aly Sidi, development manager, Absolute Software

For many organizations and security directors, the task of encrypting information on an employee’s computer poses a significant challenge. Encryption tools often serve as the “frontline of defense” for protecting sensitive data. Organizations rely on encryption to protect against data breaches and the negative publicity that follows such events.

Encryption has evolved over the past few years from file/folder encryption to volume and full disk encryption. All of these types of encryption utilize the operating system to perform the actual encryption. The biggest hurdle to a universal acceptance of encryption is that all of these tools and methods slow down the system as a whole. In addition, these encryption methods are also susceptible to cold boot attacks as the encryption keys are stored in RAM. Most importantly, traditional encryption tools have always suffered from one major setback: human error. For example, if a user using volume encryption fails to store the documents in an appropriate volume of a hard drive or forgets to safeguard their encryption key, the encryption product can be compromised, possibly resulting in a data breach. And if the organization does not employ a multi-layered approach to security, it could have serious implications when it comes to a breached, lost, or stolen laptop.

Many manufacturers including Samsung, Seagate, Toshiba, Fujitsu, and Hitachi are now building self-encrypted drives (SEDs) providing a standardized, hardware-based method of encryption that ships with the computer. At their core, SEDs are hard drives that have an encryption chip on the device, which protects the data. Based on a specification from the Trusted Computing Group (TCG) the encryption hardware is incorporated into the drive’s electronics controllers with either a 128-bit or 256-bit AES encryption algorithm.

Though many companies have already deployed full disk encryption onto their devices, SEDs have significant benefits for both IT managers and organizations. Unlike full disk encryption, SEDs are constantly encrypting. This eliminates the usual 6-10 hour wait to encrypt or decrypt the hard drive when loading the application. Additionally, the encryption chip is actually part of the hard drive, so it does not use the operating system resources. This has long been a pain point for users, as full disk encryption methods often tax the operating system, draining resources. Finally, SEDs are not susceptible to cold boot attacks, protecting the device’s encryption keys.

Some companies are ahead of this trend and are already employing SEDs in their organizations. However, these are the original Seagate DriveTrust drives. Computer and drive manufacturers are working on a new standard, the OPAL specification from TCG. Based on an agreement between drive manufacturers to conform to a single specification rather than create their own implementations, OPAL is positioned to become the de facto standard for SEDs. This summer, more companies will begin to make the switch to OPAL certified SEDs to get ahead of the game before mass implementation by the end of the year.

New devices bring new management challenges for security staff members. Though these drives ship directly from the manufacturer, organizations may still need to take immediate action to control and administer these drives. Third-party management tools are available and necessary in order to “lock” and “unlock” the drive. These tools can also help IT managers easily administer users, authentication methods, policies, and perform system maintenance tasks from one central administration console.

The cost effectiveness of the third-party management tools is one of the key benefits of managing these drives. For companies that go through frequent refresh cycles or staff changes, these tools can also wipe the drive for decommissioning or at the end of the device’s lifecycle. Finally, IT staff can easily restore credentials should the system crash or fail.

With such a strong value proposition, analysts are predicting that SEDs will make full disk encryption obsolete as organizations adopt this new form of encryption when they add new devices as part of their regular refresh cycle. It is expected PC OEM manufacturers will be shipping SEDs before the end of the year. Security and IT staff need to start preparing their teams now for this implementation. They must be trained and ready to administer and secure these devices before integrating them into an organization’s deployment.

As organizations – both employees and data – become increasingly mobile, IT needs to ensure their security methods are keeping pace. SEDs are the next evolution in encryption and will become the de facto standard in the next few years making software and full disk encryption obsolete. IT needs to start planning now for the integration of SEDs into their security methodology and begin their assessment of third-party management tools that add a competitive advantage over and above simply locking and unlocking the drive.

Minnesota develops e-filing system to reduce pain points for police


ST. PAUL, Minn.—Once upon a time, police officers in Minnesota had to physically transport criminal complaints to the courthouse, a process that was both time consuming and frustrating for law enforcement. However, the state is currently in the midst of deploying a state-wide system that allows law enforcement to electronically file criminal cases and better track those cases.