Secure USB Drive

The UK Ministry of Defence’s latest resource accounts (PDF at link) show that the department suffered eight serious data breaches from 2008 to 2009, compared with just two in the preceding year.

The biggest incident was the loss of a portable hard disk from a contractor’s premises, which contained the names, passport information and bank account details of an estimated 1.7 million service personnel.

Others included the theft of three USB sticks from “secure government premises”, which contained details of all RAF service personnel who served between 2002 to 2008 and details of family members. 

As with the data loss incidents involving HSBC we mentioned recently, the Ministry says it has launched a campaign to educate staff about the importance of data security, together with training courses on protecting information.  These are good signs.  But training alone isn’t enough – security demands a mix of policies and solutions in order to be effective.  There is still some way to go before we reach the target of true security for all personal data.

What will it cost your business if you lose customer confidential data?  The UK’s biggest bank, HSBC, found out yesterday when it was fined £3.2 million ($5.2 million) by the UK Financial Services Authority for repeated failures to protect customers’ confidential details. 

On two separate occasions in 2007 and 2008, divisions of HSBC sent unencrypted customer data in the post on disks.  The disks never reached their intended destination, meaning nearly 200,000 customer details were lost. 

 Although no breaches have been reported following the losses, the Financial Services Authority found that HSBC had “weak controls” over data handling. 

 It seems that international regulators are getting tougher on consumer data losses from businesses, so it’s a timely reminder for any company to check its data security policies and practices.  A breach may cost a lot more than you imagined.

A new report on the state of IT security has warned that the weakening job market could lead to an increase in online crime as laid-off workers, especially those with computer skills, turn to scams to support themselves.

The report from networking company Cisco claims that IT staff threatened with redundancy because of the downturn could initially target their employers as an easy option for sourcing information, based on their inside knowledge of systems, processes and people.

An example was the arrest in April this year of a former IT analyst at the Federal Reserve Bank of New York, on suspicion of taking out loans using false identities.  The FBI found a USB flash drive attached to the employee’s computer with applications for $73,000 in loans in the names of stolen identities.

Whether this is just another version of the often-repeated “insider threat” remains to be seen.  But it does highlight the importance of securing data by encryption, and controlling what USB storage devices employees can use – for example, issuing authorised staff with secure flash drives.  These measures help to cut the risks of damaging data losses or theft.

The UK Government is making giant strides in tightening up data security, and in public disclosure of security breaches, following the high-profile losses from public bodies over the past 18 months. 

The issue is being policed strongly.  This week, the Government’s Information Commissioner issued further warnings to a number of National Health Service bodies about the importance of protecting data, with instructions for them to adhere to the UK Data Protection Act.

Five healthcare bodies were found to have breached regulations, ranging from stolen laptops, lost CDs and lost USB flash drives.  All were unencrypted and all contained potentially sensitive patient data.

It’s good news that data protection and corporate governance is being enforced at this level.  With the right combination of policies and products, everyone’s data can be kept a little safer.

Following a question by a member of the UK parliament, UK Government departments have revealed the numbers of laptops lost or stolen recently.

The figures are quite startling, with well over 100 laptops lost or stolen in the past year alone.  One organisation – the Department for Work and Pensions – alone lost 41 laptops last year, from its fleet of around 9,700 machines. 

Although Government departments claim that all laptops are now required to be encrypted, that’s still an awful lot of data lost.  There is also the real risk that the data may not be protected

And don’t forget, these figures are just for laptops.  You have to wonder how many other devices – such as USB memory sticks – were lost in the same period, what data was on them, and whether that data was encrypted. 

Although some UK Public Sector organisations – such as the National Health Service – are leading the way in deploying secure USB flash drives to protect data on the move, not all Government organisations are at the same level.  Unfortunately there will be many more data breaches to come in the next year.

Data Leak Prevention (DLP) is a topic that always sparks debate amongst IT people, as it demands a complex mix of technology, policies and buy-in from users to make it truly effective.  This article has drawn on the opinions and experience of a number of CSOs to focuses on five technological approaches that, when used together, should offer a solid defense for data.

As well as covering key elements such as encryption, gateway protection and email filtering, it mentions that “being able to control the use of USB devices is a key requirement of a DLP solution.”

This is certainly true.  But it’s not just the usage of USB devices.  What the article fails to mention is the need to protect the data while it’s on USB pen drives, with robust and automated encryption.  After all, without this, a user could put sensitive data unprotected on an authorised USB device. 

That’s why organisations use secure flash drives like our Cruzer Enterprise range as a core part of their DLP programme, because they secure data on the move without the user having to make decisions about it.

In the last 6 months or so we’ve seen how USB flash drives have become recognised as a vector for spreading malware, especially malware that uses Windows’ Autorun capability.

This week, Symantec is reinforcing that message during its Cyber Crime initiative.   The company’s Security Response group product manager says that as well as being a method for propagation, USB-borne malware is particularly difficult to get rid of. 

Of course, one way of stopping the spread of malware via USB memory sticks is to use secure flash drives with on-board antivirus, which stops malware on the drive itself.

It’s also worth noting just how the sheer number of threats has grown.  In 2000, antivirus vendors issued 1,500 new signatures.  In 2009, over 2.5 million signatures are expected.  AV protection on all computing devices makes more sense than ever before.

Two researchers at Carnegie Mellon University in the US have recently shown how a single piece of information can be used to commit identity theft, with a little unwitting help from the US Government.

The research has shown how to reverse-engineer an American citizen’s Social Security number (the key piece of ID data that lets an individual apply for driving licenses, credit cards, etc.) using nothing more than data from publicly available government sites, and the data users share with the world on Facebook.

They developed an algorithm which could guess the first part of the Social Security number, which is based on an individual’s date and state of birth, to 90% accuracy.  The remaining digits could then be cracked by random number generation, and then checked for accuracy in name and state against FaceBook listings.

It’s an excellent example of how a determined organisation or person could find and use information that could compromise sensitive data.  All the more reason to keep your data secured wherever it is.

A major health organization in North East England, NHS South of Tyne and Wear, has deployed 800 SanDisk Cruzer Enterprise secure flash drives as part of a layered approach to device security.

The organisation has responded to UK Government drives for improved data security in the public sector, and is using FrontRange Solutions’ Device Wall to control the transfer of information to encrypted devices, alongside McAfee endpoint encryption and the SanDisk USB pen drives.

It has replaced 800 flash drives with the encrypted devices and once port control across all endpoints is enabled, staff will only be able to use their authorised, issued drive.

The City Council of Manchester, England, has counted the cost of an outbreak of Conficker in its network earlier this year,  and it comes to a staggering £1.5M ($2.5M) according to a report in The Register. 

The Council was also prevented from issuing hundreds of motoring penalty notices after Conficker worm knocked out parts of its IT systems.  Drivers escaped punishment after the Council’s fine processing system was taken offline in February this year, causing 1,609 motoring offences to go unpunished. 

Infection by the worm left Council staff unable to send emails or print documents, and struggling with extra paperwork after they were obliged to keep additional back-up records in case data was lost.

Clean up costs and consultancy fees were estimated at £600K. In additional, council IT chiefs spent a further £600k on thin client terminals.  A further £169,000 was spent on extra staff needed to handle a backlog of benefits claims.

And the cause of the infection?  Council chiefs blame an infected USB memory stick, and have disabled all computer USB ports in response to the incident.  How much would have been saved by rolling out secure USB flash drives with on-board, integrated anti-virus to stop the infection spreading?