Back in May, the White House proposed sweeping new data breach legislation. The purpose of the proposed law is to simplify the various State reporting and notification obligations of companies when they (inevitably) lose the personal information of their customers, agents or employees. Generally speaking, those laws require companies to encrypt their data so as to avoid the harsh consequences of losing “clear text” personal information. As I stated in a previous blog post, the proposed legislation creates new obligations on companies that handle personal information. In particular, when companies that are subject to the new law lose data, they will have to conduct a Risk Assessment as to the loss and notify the FTC of the results of the Risk Assessment. As in the past, centrally-managed encryption is one of the easiest ways to “pass” the Risk Assessment. But what about small businesses? They are clearly covered by most…
Read More »
One would have to be living under a rock to not be aware of all the news regarding the hacking scandal involving Rupert Murdoch’s News Corp publishing empire, and specifically with his News of the World publication. The headlines regarding the scandal are everywhere: on the internet, TV, print media, social network sites, and blogs such as this one. Rupert Murdoch has built an empire making headlines, writing headlines and reporting the news that impacts the world. Now, he is at the center of it all and making headlines of his own for all the wrong reasons. To put it in very simple terms, what is at stake with the issues facing Murdoch’s media company is that they accessed information that did not belong to them and they got caught. They hacked. They (allegedly) broke the law, trying to use the information to benefit themselves in the form of big…
Read More »
Ah, the joys of moving houses. Boxes everywhere, hours on hold with utility companies, trying to get everything turned off/on at the right times, multiple trips to Goodwill, dropping off the flotsam and jetsam we’ve collected over time but no longer need, and the list goes on. Arrrggghh!! I’ve also the added complication that I work from a home office—which I’ve done for many years—and as I’ve been working through the pile of ‘stuff’ accumulated around my desk and in my filing cabinets, I’ve been surprised to find a variety of CDs, DVDs and USB Thumb drives that I thought I’d lost years ago. Some have been great finds, like old pictures of my now three-year-old daughter: visiting her grandparents for the first time, pulling herself up to the side of the couch as she learned how to walk, and staring intently at Elmo on the TV. Great stuff, and…
Read More »
With the last several posts being about BitLocker (and especially Recovery Keys) hopefully you now have some idea of the things you will want to think about when planning for a BitLocker deployment. Beyond that, however, the obvious question that now needs to be addressed is: Where should you deploy BitLocker? After all, if it’s built in to Windows 7, (Enterprise and Ultimate) it should be a no-brainer, right? I think it’s fair to say that BitLocker could be perfectly fine for some of your users, or even most of your users, depending on what type of business you are and how sensitive your information is. But probably not all. As I said, BitLocker provides a good implementation of a well understood and secure algorithm, AES, and as such you can be confident that it provides protection to your data, especially against off-line attacks. And if you address some of…
Read More »
The White House announced several interesting cyber-security initiatives yesterday—one of which is a proposed Federal Breach Notification Law that is being sent to congress for consideration. On a briefing call directed to the security industry, they made it clear that this law would pre-empt the various state laws in an effort to simplify compliance and enforcement. I am not so sure that they accomplished their goals. Although the proposed Law presents many things that need to be considered, in essence it requires: 1) Businesses other than those covered under the HITECH Act (engaged in or affecting interstate commerce that use/possess personally identifiable information on more than 10,000 individuals during any 12-month period [note that this doesn’t cover every entity that is covered under the various state laws and so will present an interesting pre-emption issue—likely to be the subject of a future blog post]) who experience a 2) Security Breach…
Read More »
Last time I covered an introduction to BitLocker, the Trusted Platform Module (TPM) and what TPM does to assist in keeping your system secure. This time I’m writing about the most important aspect of BitLocker management – Recovery Keys (and Recovery Passwords too). While one of the great strengths of the TPM is providing protection against attacks on your system, the cost of this approach is evident when the TPM decides that any number of innocuous events might be part of an attack. The result – it enters what’s known as “recovery mode.” Recovery mode stops the necessary keys from being unsealed, preventing the system from continuing to boot. At this point you’ll need to supply the recovery key/password in order to bring the TPM out of recovery mode and keep going. So what are recovery passwords/recovery keys? Where do I get them and where should I keep them? [Quick note –…
Read More »
Looking at the security of Dropbox and examining some of the issues that go into protecting data in a service like Dropbox is an interesting topic. Since the first blog post on this topic, Dropbox has fallen under some significant heat and has now been the unfortunate recipient of an FTC complaint specifically because people feel they were mislead regarding the data security of Dropbox. When Dropbox recently clarified their privacy policy, some who had been using the service with sensitive data felt they had been misled, hence the FTC issue. It is interesting to note that it’s possible for a 3rd party to add data security for enterprises to Dropbox. What would need to be done by such a 3rd party to make Dropbox safe for enterprise data? What are the specific problems we need to solve to allow our most sensitive data to move into cloud storage? Encrypt all data…
Read More »
It’s hard to avoid the flurry of bad press following the recent loss of a laptop by a BP employee. Unfortunately for all concerned, the lost laptop contained the names and personal details of some 13,000 claimants from the Deepwater Horizon spill. The problem, of course, is not that the laptop was lost (happens all the time, in fact one recent study showed that organizations lose about 2% of their laptops each year). The problem isn’t even that the laptop in question contained sensitive information – it’s that the information was unencrypted and, therefore, unprotected. Had it been encrypted the loss would have been barely noticeable and certainly wouldn’t have merited the finger pointing that’s going on right now. Encryption is something we all know we should do with sensitive information (especially on laptops and removable media), but it is also an area where what we know is a good idea,…
Read More »
June 6, 1944, D-Day, was the largest and most complex military operation to have ever been put into action. Known as Operation Overlord, it took two years of planning, 156,000 Allied troops, 11,590 aircraft, 6,939 naval vessels, and the list goes on. The amount of data created and consumed during the planning must have been immeasurable. Moreover, D-Day was also one of the most defining events in the history of the world, and without sounding too dramatic, the fate of the free world depended largely on its successful execution. It is the exemplary planning and actions of those involved, and the ability to keep the plans confidential and secure, that can only be considered extraordinary. Now imagine if the Allied plans for D-Day had fallen into the wrong hands and the mission was compromised? Would the invasion of the French coast at Normandy have been successful? Would the world have…
Read More »
The other day I commented that we need to make DropBox safe for the enterprise. I mean there have got to be millions of users who put work stuff in DropBox so as an industry we need to make sure all that data is safe, right? Sure. Of course. But how? Ah, that’s where it gets tricky. As any security professional will tell you, electronic privacy is hard to do well. It requires a host of technologies like encryption, key management, identity management and authentication. More fundamentally, it requires that the provider and the customer agree on something called a threat model or risk profile. What this means in the case of DropBox and other storage providers is that users really should answer several questions: 1. Who owns the data I’m putting in DropBox? – This is the person or organization responsible ultimately for protecting the data. And this will be the party that law suits, subpoenas and…
Read More »
RSS