Tag Archives: Data Security

Hard Drive Wiping – It doesn’t take a rocket scientist

Photo courtesy of http://www.flickr.com/photos/jurvetson/

You have likely heard about the recent NASA information security incident in which PCs were sold without their hard drives first being properly wiped. Failing to perform this essential step resulted in an embarrassing public disclosure and in the possibility that sensitive shuttle information subject to export control restrictions was disclosed.

What are the information security lessons that you should learn from the NASA incident?

1. Old assets are often overlooked in the rush to get rid of them. Out with the old, in with the new, right? Not so fast. If you do not securely wipe the data before selling or returning the asset, your information is at risk.

2. Build the requirement to secure data prior to asset disposal into your security policy (NASA did this but failed to enforce it, which brings up point #3).

3. Audit compliance against your policies to validate that the required actions are actually happening, and take corrective action when you find a problem.

Follow our previously published hard drive wiping recommendations to protect your data before it leaves your location and help keep your company’s information secure.

Information Security – Who needs it? Law Firms Do!

You own or manage a law firm and have a lot of important cases. But are you taking information security seriously? If not, you are exposing your clients and your firm to negative consequences, as evidenced by several Atlanta law firms that failed to secure sensitive documents. Due to poor information protection practices, these firms dumped sensitive documents containing case information, W-2 information, bankruptcy files, and old checks, among other data, directly into an unsecured location. When some of the original documents were traced back to a firm, it was learned that the employee who disposed of them had been instructed to put them in a large dumpster that was believed to be a secure site. The original article linked above quoted the employee as saying “My understanding is that once stuff goes in nobody can take anything out because it’s very deep.”

Business Risk

By failing to secure sensitive client information, the law firm exposed itself to liability lawsuits and to damage to its reputation as a trustworthy representative of its clients.

Information Security Lessons Learned

  • Sensitive information in physical form should not simply be thrown out. More thorough destruction techniques such as cross-cut shredding or incineration are necessary to safely eliminate records that have outlived their usefulness. You could also hire a firm that specializes in document destruction, but be sure to audit its compliance on occasion.
  • Sensitive electronic media should be secured by overwriting it, as detailed in a previous article.
  • Once you have implemented effective techniques as outlined above, educate your employees on how to perform the required actions and audit their compliance periodically.

Remember simply putting information in a dumpster does not equal information security!

Photo by http://www.flickr.com/photos/caterina/

Information Security – Who needs it? Colleges & Universities Do!

We have previously highlighted an information security incident where a laptop theft from a hospital caused significant data loss and negative publicity. You might be thinking: what does that have to do with me? I am safe because I have a desktop, and those don’t get stolen like laptops do. Think again! Desktops are also a frequent target of theft, as City College of New York learned the hard way. A desktop computer containing the personal information of 7,000 students was stolen, and those students are now at increased risk of identity theft.

Information Security Lessons Learned

  • Desktops and laptops should use disk encryption whenever sensitive data will reside on the machine. Often it is not easy to know up front whether a machine will be used to store sensitive data, so it is best to default to a secure build and enable encryption on every machine. Keep in mind that encryption protects data at rest: a machine stolen while powered on and logged in is still exposed, so pair it with screen locks and shutdown policies.
  • Laptops are not the only devices that benefit from a cable lock. Desktops and other equipment such as portable projectors should also use them to add an extra layer of physical security and theft deterrence.

Information Security – Who needs it? The Police Do!

Photo courtesy of http://www.flickr.com/photos/gadgetdude

The latest in our continuing series on real-life information security incidents shows that even the police need information security. The Manchester Police Department recently experienced an information security incident and the negative publicity that results from such an event. The source of the incident was a lost, unencrypted USB drive that was found to hold sensitive records, including information about officers and emergency response information such as crowd control plans. Losing this information potentially puts the officers at undue risk and gives groups seeking knowledge of the department’s internal workings a leg up in understanding how it operates. This incident is especially troubling because the article mentions that the same department had a worm problem a while back, so it is clear that a new security mindset is needed to keep its data secure.

Information Security Lessons Learned

  • Do not store sensitive information on USB drives.
  • If you find recommendation #1 draconian, at least use a hardware-encrypted USB device such as the IronKey, available at places like Amazon.com; a lost encrypted drive is an inventory problem rather than a data breach.
  • Educate your users about information security to help make sure your security policies are not violated.

PS: I realize the picture is not the Manchester Police department but same country and it was just too tempting to pass up!

Information Security Awareness – Educate, inform, secure

Photo courtesy of http://www.flickr.com/photos/septuagesima/

Educate your employees about information security or all the security tokens in the world won’t save you.

A company may have a decent-sized security budget and spend it effectively on firewalls and other protective devices, but if you fail to educate your end users all of that investment can be for nothing. Hackers, spammers and other evildoers regularly target end users because it is often the easiest and most effective method of attack. Targeted spam (phishing) emails and malicious web sites are two of the most common threats, but it is important to run a general awareness campaign that covers a wide range of information security issues, from what makes a good password to the importance of physical security. Here are some of the important factors to consider when implementing an information security awareness program.

Be Consistent – Develop a weekly or monthly routine and stick to it. Send the email on a consistent day so users come to expect it, and perhaps even look forward to it if you follow the other recommendations below. Always send it from the same account to minimize confusion; an awareness email that arrives from a different sender each time trains users to accept exactly the kind of message a targeted spam attempt would send.

Keep It Simple – Do not use overly technical language that will confuse or turn off users. Write the communications the way you would speak in a conversation and

Do I not entertain you? – Write in an interesting style and even use humor to keep your users engaged. Entertaining material is more likely to be read and absorbed than material that would put an insomniac to sleep.

Provide Examples – Many people learn best from examples, and there are plenty readily available. Find a recent incident that demonstrates the point you are trying to make; it will make the lesson more real and less theoretical. People listen more closely when they know others have fallen for a trick, and are more likely to absorb the information.

Be Relevant – Providing examples that people can use both at work and at home is a great way to keep them interested. Examples include safe internet surfing, avoiding spam emails, and the importance of keeping anti-virus signatures up to date.

Consider Posters – Emails are great, but they are often easily ignored. Using posters in high-traffic areas in addition to email is a good way to mix things up and capture the attention of people who otherwise might not care.

Make It a Job Requirement – Security is only as strong as the weakest link. It is everyone’s responsibility to follow good information security practices and keep the company secure.

In the very near future we will be offering a weekly information security email newsletter so stay tuned and stay secure!

Information Security – Who needs it? Consulting Firms Do!

Don't Mess with Delaware

I was browsing the latest information security incidents and noticed one from my home state of Delaware. The State of Delaware was affected by an information security incident due to careless data disclosure by its third-party service provider, Aon Consulting. The end result was the disclosure of data on 22,000 state employees, putting them at greater risk of identity theft. Because the data related to health and benefits information, the disclosure falls under HIPAA. Aon Consulting is notifying the affected individuals and offering them credit protection services to help minimize the damage.

Lessons Learned from this Information Security Incident

  • Even if you do everything right from an information security standpoint, your service providers must have a similar mindset and do likewise.
  • Think twice before providing sensitive data to third-party providers that likely have no specific need for it.
  • Regularly review your site for content that should not be disclosed (or, even better, review information proactively before making it available on-line).

Backup Your Data – Tips for keeping your information secure

Backing up your data is one of those information security chores that we know is important but often neglect; it is basically the gutter cleaning of information security. Just as failing to clean gutters can lead to roof leaks, failing to back up your data can lead to big problems should a natural or unnatural disaster occur. Disasters come in many forms, from flood, theft, and electrical surges to malicious insiders or outsiders with a grudge against your business.

Now that you are convinced that backing up your data is one of the most important steps you can take to protect your business or personal files, how do you get started? Two items to consider are your Recovery Point Objective and your Recovery Time Objective. Simply put, the Recovery Point Objective (RPO) is the maximum amount of data, measured in time, that you can afford to lose, and it therefore sets your backup frequency; the Recovery Time Objective (RTO) is a business-risk-based target for how long the system may be down before it must be operational again.

Examples

RPO – If your business Recovery Point Objective (RPO) is to lose at most a day’s worth of data, daily backups that can recover you to the desired point in time are sufficient. Likewise, if a personal computer’s photos and key documents are only updated weekly, an RPO of one week is fine.

RTO – If you perform a risk assessment and determine your Recovery Time Objective (RTO) is 3 days that means you must craft your backup and recovery program to allow system recovery within this time frame.

Data Backup Tips

  • Backup frequency should be determined by your Recovery Point Objective (RPO) and the importance of the data.
  • Automate your backups with scheduling software to ensure they happen regularly and to minimize the likelihood of human error.
  • Store the backup a sufficient distance away from the primary copy of the data. This helps ensure that both copies are not lost if you experience a fire, flood, or theft. Good ways to do this include a secure online backup service, a professional physical backup service, or storing drives or media in a bank safe deposit box.
  • Verify that your technical support people are monitoring backup failure reports. Backups can fail for a wide variety of reasons, so it is important to regularly confirm that they are succeeding.
  • The ultimate proof that your data can be recovered is a restoration test: restore the backup somewhere other than the live system and compare it against the original. This validates that the backup is of good quality and that you are truly protected. Test backups at least annually, and after any change to the backup software or schedule.
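The backup tips above, carried through as an added example that is not from the original post: it archives a directory, records when the backup was taken, performs the restoration test (restore into a scratch directory and diff against the source), and checks the age of the newest backup against an RPO. It runs on a small constructed data set so it can be tried offline; the function names, the one-day RPO and the sample files are assumptions, and the deliberately stale and corrupted backups at the end show what the checks report when something is wrong.

```shell
#!/bin/sh
# Added example (not the original post's code): backup, restore test and RPO check.
# Assumes POSIX sh with tar, gzip and diff available.
set -u

# backup_dir SRC ARCHIVE : tar+gzip SRC into ARCHIVE and record the backup time (epoch seconds)
backup_dir() {
    src="$1"; archive="$2"
    tar -C "$src" -czf "$archive" . || return 1
    date +%s > "$archive.time"
}

# restore_test ARCHIVE SRC : the real proof -- restore into a scratch dir and diff against SRC
restore_test() {
    archive="$1"; src="$2"
    scratch=$(mktemp -d)
    if ! tar -C "$scratch" -xzf "$archive" 2>/dev/null; then
        rm -rf "$scratch"
        echo "restore test FAILED: $archive could not be extracted" >&2
        return 1
    fi
    if diff -r "$src" "$scratch" >/dev/null; then
        rm -rf "$scratch"
        echo "restore test PASSED: $archive restores identically"
        return 0
    fi
    rm -rf "$scratch"
    echo "restore test FAILED: restored data differs from $src" >&2
    return 1
}

# rpo_check ARCHIVE RPO_SECONDS : fail if the last backup is older than the objective
rpo_check() {
    archive="$1"; rpo="$2"
    [ -f "$archive.time" ] || { echo "no backup record for $archive" >&2; return 1; }
    age=$(( $(date +%s) - $(cat "$archive.time") ))
    if [ "$age" -gt "$rpo" ]; then
        echo "RPO VIOLATED: last backup is ${age}s old, objective is ${rpo}s" >&2
        return 1
    fi
    echo "RPO ok: last backup is ${age}s old (objective ${rpo}s)"
}

# Demonstration on constructed sample data (one day RPO = 86400 seconds, an assumption)
src=$(mktemp -d); dest=$(mktemp -d)
mkdir -p "$src/docs"
printf 'client list v3\n' > "$src/docs/clients.txt"
printf 'ledger 2010\n'    > "$src/docs/ledger.txt"
backup_dir "$src" "$dest/nightly.tgz"
restore_test "$dest/nightly.tgz" "$src"
rpo_check "$dest/nightly.tgz" 86400

# Simulate a backup that has not run for days: the RPO check must fail
echo 0 > "$dest/nightly.tgz.time"
rpo_check "$dest/nightly.tgz" 86400 || echo "(expected: stale backup detected)"
# Simulate a corrupted archive: only the restore test catches this
printf 'not an archive' > "$dest/nightly.tgz"
restore_test "$dest/nightly.tgz" "$src" || echo "(expected: corrupted backup detected)"
rm -rf "$src" "$dest"
```

A monitoring-only approach (the "did the job report success" tip) would not catch the corrupted archive above; only the restore test does, which is why both checks belong in the schedule.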

Ways to backup your data:

1. Online Backup Services – Online backup is a cost-effective and convenient way to ensure the information is far enough away from your primary data source. For a business I recommend sticking with large, reputable providers and avoiding free services that may not be there tomorrow. I will review online backup services in a future post, but for now you can consider highly rated providers such as Mozy, IDrive or Amazon S3.

2. External Hard Drives – An external hard drive is a convenient way to store smaller backups that you then move to an off-site location. Consider getting two 2 TB external drives so you can set up a simple off-site rotation.

3. Recordable CDs/DVDs – A recordable DVD drive is a good way to make a portable backup that can be stored off-site in a bank safe deposit box or other secure location.

4. Magnetic Tape – Cost-effective for larger corporations with large volumes of data, but for smaller businesses I recommend one of the options above.

Information Security – Who Needs It? Restaurants Do!

Tino’s Greek Cafe in Austin, Texas learned the hard way that an information security incident can land your business in unwanted headlines. Hackers compromised customer credit card data, and fraudulent charges were noticed by multiple customers who had recently eaten at the restaurant. That correlation allowed investigators to identify the common point of purchase and point to Tino’s as the probable link.

What can you do to avoid suffering information security ruin like the Greek Cafe? Review our information security top 10 list and help ensure your company is protected.

Data Security – Tips to Keep your Data Secure

Securely wipe data off of hard drive devices prior to redeployment

As mentioned in Top 10 Information Security Items Your Business Needs to Do Now, when you plan to get rid of old computers, servers, network devices, portable storage (like USB drives) and printers, your job is not yet done. These devices will walk out the door with sensitive company information on them unless you sanitize them first.

When you are retiring an electronic device and wish to secure the sensitive data on it, simply deleting files or formatting the drive is not sufficient: both leave the underlying data on the platters, where off-the-shelf recovery tools can read it. Short of physically destroying the disk, which is often not an option if you lease it or wish to donate it to charity, overwriting the drive with disk wiping software is the preferred method of safely removing data. Listed below are several disk wiping products to assist with this important security process.

Recommended commercially available hard drive / disk wiping software:

#1 – WipeDrive PRO

This industry-leading software is used by the Department of Defense, which literally wrote the book on disk wiping requirements. The vendor also markets WipeDrive PRO as meeting the data destruction requirements of regulations such as HIPAA, the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, the Patriot Act, and the Identity Theft and Assumption Deterrence Act. It supports PC and Mac computers and can also wipe external hard drives, thumb drives, memory cards, iPods and other external media.

#2 – Acronis Drive Cleanser

Compliant with DoD standards and supports the majority of Windows and Unix operating systems a small business is likely to run. The friendly, menu-driven software is easy to install and operate and comes pre-loaded with all of the standard wiping algorithms you may wish to use.

Recommended free hard drive / disk wiping software for personal or business use:

Disk Wipe – Free of annoying adware and a fully functional disk wiping utility that also works on portable drives and other media like SD cards. My favorite of the freebies.

Eraser – Works with any Windows-based drive and supports most of the common wiping methods described already.

DBAN – The last of the big three no-cost options is another strong choice for handling disk wiping needs on a budget.

All of the above product recommendations are for Windows-based devices. If you are using Apple Macs, I recommend WhiteCanyon’s WipeDrive for Mac.

Hard Drive wiping tips:

  1. Configure the number of wiping passes to a minimum of 3 to ensure the data is sufficiently overwritten. The setting can be set much higher, but anything beyond 7 passes adds little security and a lot of time. Note that multi-pass overwriting is a technique for magnetic hard drives; on SSDs and flash media, wear leveling means an overwrite does not reliably reach every cell, so use the drive’s built-in secure erase command or destroy the encryption key of an encrypted drive instead.
  2. Disk wiping can take a lot of time depending on your configuration, so a concurrent license option is recommended if you are dealing with large volumes of devices.
  3. Review the completion log to ensure the wipe completed 100% successfully. A wipe that aborted partway through (bad sectors, a power interruption, a device that was unplugged) leaves the unwritten sectors fully readable, so treat anything other than a clean completion as not wiped.
  4. If you choose one of the free options, use a "stable" build rather than a "beta/preview" build to minimize the likelihood of encountering errors.
  5. If your business must comply with regulations such as HIPAA, it is safer to go with commercial products whose vendors have certified them against a particular standard than with free products, which often have not been.
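The overwrite-and-verify procedure from the tips above, as an added example that is not from the original post or from any of the products it lists. It runs against a file-backed stand-in for a disk so it is safe to try: it plants a constructed "secret" in the stand-in, performs the recommended three passes with dd (two random passes and a final zero pass), and then does the completion check the tips call for, confirming that the marker is no longer readable and that the final pass reads back as all zeros. The 1 MiB size, the marker text and the function names are assumptions; pointing `wipe_and_verify` at a real, unmounted block device such as /dev/sdX is the reader's decision, and the logic is the same.

```shell
#!/bin/sh
# Added example (not the original post's code): multi-pass overwrite with a verification step.
# Works on a regular file so it can be run safely; assumes POSIX sh, dd, grep -a and tr.
set -u

BLOCK=512   # sector-sized writes; real disks and the stand-in are whole multiples of this

# make_stand_in PATH : a 1 MiB "disk" of random data with a constructed secret planted at offset 4096
make_stand_in() {
    dd if=/dev/urandom of="$1" bs="$BLOCK" count=2048 2>/dev/null || return 1
    printf 'SSN=123-45-6789;CARD=4111111111111111' |
        dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# overwrite_target PATH PASSES : PASSES random passes followed by one zero pass
overwrite_target() {
    target="$1"; passes="$2"
    blocks=$(( $(wc -c < "$target") / BLOCK ))
    i=1
    while [ "$i" -le "$passes" ]; do
        dd if=/dev/urandom of="$target" bs="$BLOCK" count="$blocks" conv=notrunc 2>/dev/null || return 1
        i=$((i + 1))
    done
    dd if=/dev/zero of="$target" bs="$BLOCK" count="$blocks" conv=notrunc 2>/dev/null || return 1
    sync
}

# verify_wiped PATH MARKER : the "review the completion log" step, done by reading the media back.
# Fails if MARKER is still present or if any byte is non-zero after the final zero pass.
verify_wiped() {
    target="$1"; marker="$2"
    if grep -a -q "$marker" "$target"; then
        echo "FAIL: marker still readable from $target" >&2
        return 1
    fi
    nonzero=$(LC_ALL=C tr -d '\000' < "$target" | wc -c)
    if [ "$nonzero" -ne 0 ]; then
        echo "FAIL: $nonzero non-zero bytes remain in $target (wipe did not complete)" >&2
        return 1
    fi
    echo "OK: $target wiped, final pass verified all-zero"
}

# wipe_and_verify PATH PASSES MARKER : the whole procedure; non-zero exit on any failure
wipe_and_verify() {
    overwrite_target "$1" "$2" && verify_wiped "$1" "$3"
}

# Demonstration on a temporary stand-in (a regular file, never a real device)
demo_disk=$(mktemp)
make_stand_in "$demo_disk"
grep -a -q 'SSN=123-45-6789' "$demo_disk" && echo "before: secret is readable from $demo_disk"
wipe_and_verify "$demo_disk" 2 'SSN=123-45-6789'   # 2 random passes + 1 zero pass = 3 passes
rm -f "$demo_disk"
```

The read-back check is the part worth copying: a commercial tool's completion log is only trustworthy if the tool actually read the device back, so for leased or donated equipment keep the verification output with the asset record. As noted in the tips, this overwrite approach is for magnetic drives; for SSDs use the drive's secure erase command instead.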

Leased Equipment Tips

  1. Ensure your lease agreement covers the vendor securely wiping your device, whether it is a PC, server, printer, or network device. This will likely carry an extra fee, but unless you are certain that disclosure of the data would not harm you, it is worth the peace of mind. Ask for a certificate of data destruction per device so you have evidence the wipe actually happened.
  2. The typical cost for a leasing company to wipe a drive ranges from $20 to $50 per device, depending on the company.
  3. It is not wise to attempt to wipe a leased device yourself without first discussing it with the vendor and making sure it will not violate your lease agreement.