Blog
With so many high profile data breaches happening to government agencies, healthcare organizations and also to businesses (e.g., financial services, data security, retail, etc.), there should be more of a move toward encryption and key management in order to prevent a full scale data breach. However, it seems as though this type of movement hasn’t garnered the attention of the IT security professionals in most organizations.
A recent survey by iStorage of 500 IT professionals revealed that more than one third had lost USB drives and portable devices that contained unencrypted personal and company data. Even more distressing is that over 50% of those surveyed reported to have transported data without any measure of encryption.
However, there are security experts who are openly calling on and urging companies and other organizations to adopt full disk encryption and to implement proper key management, to prevent both accidental data loss and premeditated cyber-criminal acts.
One voice speaking about the need for encryption is the CEO of Venafi, Jeff Hudson. Hudson recently noted that he sees organizations beginning to rely on “ubiquitous encryption to protect data across the enterprise.” He pointed out that with last year’s high profile data breaches, many organizations are assuming that their firewalls and other defenses are in some way compromised or vulnerable to attack. This realization that the walls around data are relatively open has brought many to the realization that the data inside the network needs layers of protection as well. So much so, that Venafi’s Hudson is predicting that 2012 will be the “year of ubiquitous encryption.”
Other organizations have also stepped up efforts to promote encryption. The privacy rights group, the Electronic Frontier Foundation, has recommended that its members “commit” to full disk encryption on all devices, both desktop and mobile. The obvious effect would be that all private data, such as sensitive business documents, personnel information, customer data and email correspondence, would be encrypted; even if the device is stolen or lost, the data would be safe from being accessed.
Ulf Mattsson, CTO of Protegrity, spoke to eWeek and noted: “Organizations need to make sure that all data, regardless of whether it is stored in-house or managed by a third-party provider, is protected by either encryption or tokenization.” He went on to say that “Incorporating these data security measures may add some complexity, but the protections would wind up saving the organization money in the event of a data breach.”
Jeff Hudson from Venafi also noted that as organizations encrypt more and more of their data, they must also create effective processes to manage the decryption keys. Often an employee is tasked with encrypting their data and then leaves the company; after they have left, the key is either missing or lost. This process will need to become more organized, with a central person or group who manages the keys and also keeps track of what data has been encrypted or is next in line to be encrypted.
The issue with passwords when protecting data is that when they are entered online or through software, hackers can remotely replicate that act by penetrating a security layer. With LOK-IT, there is no way to remotely enter the password to unlock the drive, because LOK-IT uses hardware authentication: the user must have physical control of the device to enter the PIN through the onboard PIN-pad.
The Department of Defense (DoD) has announced plans to create new methods and procedures for the way the military handles classified material and sensitive data. The new procedures will make use of mobile technology and devices such as smartphones and tablets in the coming year.
This move by the DoD and Pentagon chiefs is controversial with some top military commanders. These commanders are afraid that the expansion of wireless technology, especially when handling classified material, will put military operations and network systems at risk of data breaches. However, proponents of the measures believe that smartphone and tablet technology is the way of the future for the armed forces and their civilian counterparts.
“The question they are struggling with is this: In a military that is trying to get more secure, how do we approve technology and protocols that are inherently less secure?” said Brian Hajost, president and CEO of Steelcloud. Steelcloud provides the military and other government agencies with wireless security systems.
The move to greater use of mobile wireless devices is fraught with both risk and reward. The DoD regards the use of wireless technology as a common-sense move that will help make the agency more efficient. This move is also part of a larger Pentagon strategy for enhancing the security of computer servers, the use of encryption, and the development and usage of various military frequency bands.
One area that the Pentagon is exploring to move into the mobile device realm is that of the Common Access Card. This is a card system that troops use to verify their identity when sending sensitive emails or when they log into a DoD database. The card is swiped in order to gain access, which works in an office environment but isn’t very practical when using a mobile device. The military is looking at alternatives to this system, such as biometric identifiers on the device or encrypted devices that can both identify the user and protect the data.
However, beyond the various technical aspects and devices, there remains a fundamental concern within the DoD: how to continually protect and safeguard American secrets, and ultimately to make certain that military troops are not put into harm’s way by a breach that allows an enemy to use data to wage battle against the U.S.
As the military moves forward with these plans, it will continue to have a very strict policy compared to the popular BYOD culture in the rest of the U.S. As the military rolls out the usage of mobile devices, it plans to limit use to only those devices that are owned and issued by the Defense Department. This strict control will allow the Pentagon to exert control over its phones and tablets. If a device is lost, there is no question of what to do: an administrator can quickly wipe its contents. If a troop is placed in a sensitive situation, the administrator could also disable the camera and shut off any GPS locator signal in order to protect the location of the troop or its members.
Finally, to answer the critics of the plan, the Pentagon is also exploring the possibility of operating its own mobile network, thereby giving ultimate control over security and protection to the military itself.
By 2014, the installed base of devices based on lightweight mobile operating systems, such as Apple’s iOS, Google’s Android, and Microsoft’s Windows 8 will exceed the total installed base of all PC-based systems, according to Gartner.
“Enterprise, government and military IT managers can not ignore the move to tablets and smartphones and must understand that devices they purchase today could quickly be obsolete unless those devices are platform independent,” said John Tate, Systematic Development Group’s executive vice president. “With operating budget dollars at a premium, the flexibility of LOK-IT is an extremely valuable benefit.”
LOK-IT is the first encrypted flash drive with enterprise-level security that can be used with any operating system, since it doesn’t require software for user authentication or encryption. To gain access to the drive and the data within, LOK-IT users just punch a PIN code into a 10-key PIN-pad, much like an ATM.
It’s the New Year and the predictions have begun to be assembled by experts and companies throughout the data security industry. Many are focused on the big issues that companies and governments are likely to encounter in 2012. Others are a bit more focused in their round of predictions.
Confident Technologies has released its top 5 authentication predictions and trends for the New Year. Confident Technologies is a San Diego based company that provides image-based authentication and verification services for websites and mobile devices. Here are their 5 Authentication Predictions for 2012.
- Bring Your Own Mobile Device: Confident Technologies predicts that the ongoing issue of employees bringing their own personal mobile devices (e.g., cell phones and tablets) to the workplace will not only grow but will become a major issue for companies. This mixing of personal and business related activities will likely result in at least one high-profile breach, if not more. The issue is that when an employee connects a personal mobile device to a company’s network without any security precautions in place, there is a far greater likelihood of some type of infiltration, or, if the device is stolen, that access can be obtained via the device. This BYOMD trend will bring about more authentication and security policies focused on what information can be accessed and stored on a personal mobile device.
- Passwords Will Become Passé: Another prediction by Confident Tech is that there will be a very large data breach due to unsecured passwords. This breach will force companies to make changes to their password-only security layer. As in the Sony online gaming breach, once a hacker gets a username and password, they can wield that information over many other websites, knowing that many people use the same username and password on multiple sites. After the Sony breach, other sites like LinkedIn and Amazon had to force a password reset for their customers. This breach will occur because of poor authentication, Confident Technologies states, and because of weak credentials. This will lead to the end of simple text passwords as the only means of authentication to access websites. Expect to see healthcare, education, and social networks adopt multi-layered authentication processes.
- Zeus or Zitmo Malware to Grow: Last year several versions of the Zeus malware were modified and used to target mobile phones, in particular smartphones. These attacks were used to intercept authentication text messages that financial institutions sent to customers. With the increase in the use of SMS-based authentication by many companies, the attacks will be stepped up and will grow. This, coupled with the fact that very few mobile device users have installed data security protections on their phones or tablets, will make them easy prey for cyber thieves. This increase in Zitmo use by criminals will cause companies, in particular financial institutions, to step up their game on authentication and find ways to ensure that the device receiving the authentication via SMS messaging is not infected with malware.
- Image-Based Authentication and Biometrics on the Rise: An increase in the use of smartphones and tablets will provide a new avenue for new types of authentication. These devices have touchscreens and cameras, which will be the technology side of enabling these new types of authentication. Some of the new types are graphical authentication techniques and image-based authentication. Utilization of the touch screen will permit the use of pattern-based authentication. With the camera, biometrics can be used to authenticate a person’s identity via face and voice recognition. With the need for more secure means of authentication, Confident Technologies predicts there will be a triple-digit market growth for these new technologies in 2012.
- Retailers Pave Way for New Mobile Authentication: Mobile transactions via smartphones haven’t taken off in the United States, mainly due to the difficulty users have entering complex text passwords into a small mobile device in order to approve a transaction. Payment providers in particular, but also retailers, see that they are missing out on transactions due to the complexity of authenticating a mobile payment. Recent surveys have shown that a vast majority of mobile users (84%) have struggled with a mobile transaction. Confident Technologies expects that retailers and payment providers will pave the way in 2012 for new easy-to-use authentication techniques.
The issue with passwords is that when they are entered online or through software, hackers can remotely replicate that act by penetrating a security layer. With LOK-IT, there is no way to remotely enter the password to unlock the drive, because LOK-IT uses hardware authentication: the user must have physical control of the device to enter the PIN through the onboard PIN-pad.
A solution involving LOK-IT could be put to use in several of the areas mentioned above to mitigate those inherent risks.
More and more companies are adopting and using cloud-based computing. This is creating some unique paths to innovation and collaboration; however, it is opening up more and more questions about security. How each organization will cope with securing its cloud-bound data is a question that all IT managers will need to ask in the coming months. Also, who exactly is responsible for the security of the organization’s data when it is in the cloud? Is it the provider of cloud services, or is it the IT manager’s and ultimately the organization’s task to secure the data? Many critics believe that the cloud provider has the ultimate responsibility for network, system and physical security of sensitive data. However, the organization that owns the data is responsible for maintenance of passwords, the integrity of the applications and the security of access to data.
Some things to consider in order to prevent cloud compromises include the following suggestions. The first is to select a capable cloud-computing provider. Some questions to ask when selecting a vendor include questions about the physical, network and system security. Ask about patch cycles. Ask about firmware updates. Another key question is to find out what type of insurance they have in case of a data breach. Also determine if the vendor carries regulatory compliance certifications or compliance levels such as HIPAA, SOX or PCI.
Next, make sure that you’ve secured the programming. Perhaps the compromise most often blamed for data loss is SQL injection. Hackers count on lazy programming so that they can send a malformed string to a database for processing. If this happens, data loss could follow, and a hacker could acquire a list of usernames, passwords, credit card account numbers, or the entire contents of a table or database. Application security is the organization’s responsibility: if a hacker steals data from the company’s database via SQL injection, the fault lies with the organization’s own code, not the cloud vendor, so select programmers carefully when interviewing.
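The “malformed string” problem described above, as an added example that is not part of the original post: a lookup that pastes user input straight into the SQL text, beside the parameterized form that sends the value separately from the statement. The in-memory table, the sample users and the test input are all constructed for the example; a real application would also hash passwords properly and validate input at the boundary, but parameterization is the fix that removes the injection itself.

```python
import sqlite3

# Constructed sample data for the example; not from any real system.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-password"),
    ("bob", "hash-of-bob-password"),
]


def make_db():
    """Build a throwaway in-memory database with a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The 'lazy programming' the post warns about: the user-supplied string is
    formatted into the SQL text, so a quote character in the input changes the
    structure of the statement instead of being compared as a value."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened form: the driver receives the statement and the value
    separately, so the input is only ever treated as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups against the same constructed input and return the
    row sets each one produced, so the difference can be checked directly."""
    conn = make_db()
    # Constructed test input: a string that contains a single quote.
    malformed = "' OR '1'='1"
    return {
        # The quote breaks out of the literal; the WHERE clause becomes
        # always-true and every row in the table comes back.
        "vulnerable": lookup_vulnerable(conn, malformed),
        # No user is literally named "' OR '1'='1", so nothing matches.
        "parameterized": lookup_parameterized(conn, malformed),
        # The hardened form still works for ordinary input.
        "normal": lookup_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>13}: {rows}")
```

When reviewing code or interviewing programmers, the habit to look for is the second function’s shape: every value that originates outside the program travels as a bound parameter, never as part of the statement string. Escaping by hand or filtering quote characters is not a substitute, because the database driver is the only component that knows the exact quoting rules of the backend.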
Physical security is a shared responsibility between the organization and the cloud provider. The vendor is responsible for maintaining physical security at the data centers; the organization is responsible for the physical security of the office and work computers. Since many compromises originate from a lost or stolen device, physical security shouldn’t be forgotten.
System locks, disk encryption, portable drive encryption and personal vigilance are key to preventing theft and data loss from mobile systems. Hard drives, standard flash drives and SIM cards should all be wiped using software tools or destroyed prior to disposal. Remember that there is no perfect system and that people aren’t perfect either. Vulnerabilities will exist, and it is important to stay vigilant against them and be ready to respond if a vulnerability is discovered. It isn’t that the cloud is insecure; it is that there are entry points to be exploited, just as in any other computing or networking scenario.
This is that time of the year for top ten lists and predictions for the New Year. Even in data security there are a host of companies and experts who are making their lists and checking them twice for what the future holds in the field of securing data. Here’s a great trend list for 2012 by Cryptzone. Cryptzone is a Swedish solutions provider that helps mitigate IT risks and issues. Here are four of their key predictions for the coming year:
- Bring Your Own Device (BYOD): Companies will face a continued challenge in adapting their mobile strategy as more employees bring their own devices to work with the expectation that they will use them for work related projects. This personal device diversity is in itself a major challenge facing IT managers. However, the fact that multiple corporate users will take these devices, loaded with corporate data as well as points of access to the corporate network, far beyond the walls of company buildings will be a hard challenge for all IT departments. Cryptzone suggests that one over-arching security policy won’t be a suitable approach to this problem. A “take-no-prisoners” policy is suggested, so that employees who must use their personal device know that if it goes missing or becomes infected with malware, the company has the right to delete all data on the device, both corporate and personal. BYOD is becoming more and more popular, as people do not want to carry separate laptops, tablets and smartphones for their work and personal needs. Peripherals that can connect to any of these devices, no matter what the operating system, are badly needed. LOK-IT is one of the few secure devices that can operate in this BYOD strategy. Additionally, the LOK-IT encrypted flash drive provides a simple way to secure mobile content, rather than attempting overall security of all content.
- Content Security vs. Hardware Security: Throughout 2012, hardware security will remain a priority for companies. But Cryptzone predicts that companies will begin to look into securing content rather than the storage device. Since data can be replicated throughout the organization, knowing all the locations where it is stored is often hard to determine. The new wave of data security will not be focused on storage; rather, it will focus on identifying what content is at risk and how to secure it. With this tactic, no matter how much the data is replicated, it will remain secure wherever it is stored.
- Targeted Attacks: 2011 was a banner year for targeted cyber attacks, especially with the likes of the group Anonymous targeting governments, businesses and even criminals. Cryptzone predicts that this trend will continue to grow. Hackers will be less likely to attack random targets, but will work together to target organizations because of their political views or to right a perceived wrong.
- Incident Response Management: With risks of data breaches at an all time high, corporations have to be aware that an attack can occur at any time. Having a plan to respond to each incident will be key in 2012. Cryptzone suggests that companies implement and communicate an incident handling policy and incident procedures that can be quickly used when a breach occurs. They suggest that companies should make the corporate culture one that permits staff to freely raise security issues or to be encouraged to quickly report suspicious activity.
These are just a few of Cryptzone’s predictions. You can read more about what they are looking at for 2012 on their website.