A UK local council has lost the personal details of hundreds of residents when a memory stick fell out of an employee’s pocket. Details lost include names, addresses, national insurance numbers, ethnicity and more.
Read More »

The personal health records of over 83,000 Canadians have been lost on an unencrypted USB memory stick.

The device was lost by a member of staff from a centre in Ontario State, and contained data collected from everyone who attended H1N1 or seasonal flu vaccination clinics in the region over a period of nearly two months. The information included personal information such as names, addresses, phone numbers, dates of birth, health card numbers, doctor’s names and so on. Read More »

This article at leading security portal Help Net Security summarizes 2009 from the point of view of the malware that was found in the wild.

As the piece points out, it was a year in which nobody that uses the Internet could ignore the dangers of malware, whether received by email, from Google’s search results, on social networks like FaceBook or Twitter, or even by direct injection from USB memory sticks, as was the case with Conficker and its variants. Read More »

One of the largest thefts of credit card details was revealed last week by web services provider Network Solutions, when it disclosed that hackers broke into its servers and stole details of over 573,000 debit and credit card accounts from its customers.

The company discovered in early June that its servers had been hacked into by unknown parties.  The servers provide e-commerce services such as Web site hosting and payment processing to nearly 4,500 small to mid-size online stores.

Worse, the hackers left behind malicious code, which allowed them to intercept financial information from people who made purchases at the online stores hosted on those servers from March to June 09.

While we often focus on data losses and leaks through lost or stolen portable storage devices, it’s a useful reminder that there are other attack vectors too.

Data Leak Prevention (DLP) is a topic that always sparks debate amongst IT people, as it demands a complex mix of technology, policies and buy-in from users to make it truly effective.  This article has drawn on the opinions and experience of a number of CSOs to focuses on five technological approaches that, when used together, should offer a solid defense for data.

As well as covering key elements such as encryption, gateway protection and email filtering, it mentions that “being able to control the use of USB devices is a key requirement of a DLP solution.”

This is certainly true.  But it’s not just the usage of USB devices.  What the article fails to mention is the need to protect the data while it’s on USB pen drives, with robust and automated encryption.  After all, without this, a user could put sensitive data unprotected on an authorised USB device. 

That’s why organisations use secure flash drives like our Cruzer Enterprise range as a core part of their DLP programme, because they secure data on the move without the user having to make decisions about it.

A major health organization in North East England, NHS South of Tyne and Wear, has deployed 800 SanDisk Cruzer Enterprise secure flash drives as part of a layered approach to device security.

The organisation has responded to UK Government drives for improved data security in the public sector, and is using FrontRange Solutions’ Device Wall to control the transfer of information to encrypted devices, alongside McAfee endpoint encryption and the SanDisk USB pen drives.

It has replaced 800 flash drives with the encrypted devices and once port control across all endpoints is enabled, staff will only be able to use their authorised, issued drive.

The Chief Technology Officer (CTO) for the State of Michigan, Dan Lohrmann, recently gave this revealing interview. 

In it, he mentioned that the state has cut its overall IT spend by around 20% to $400 million per year.  However, spending on IT security has doubled in the last five years.  Also, when asked specifically about the risks of USB flash drives for data loss and introducing malware, Lohrmann commented:
 
“Certainly, data loss prevention.  It doesn’t necessarily mean it is intentional, but it is the insider threat. People think they are doing the right thing by bringing a Word document home with them - maybe that has some sensitive information on it - and use a home PC; they can certainly bring a virus back into the enterprise. We do have some protection mechanisms in place on devices to look for endpoint viruses and things.”

It’s good to see this strong awareness of the need to protect mobile data is out there at the highest levels.  Hopefully we see data losses and leaks finally starting to diminish this year.

Here’s a useful article offering business travellers useful tips on how to secure their data when they are travelling.  It covers practical and safe methods to safeguard information on laptops, smartphones and removable storage media in airports and other areas where devices are easily lost or stolen.

However, one recommendation that demands caution is the advice to use free encryption software to protect data on laptop hard drives, USB flash drives and so on.

As we’ve posted here before, this approach gives a fair level of protection for data and is better than no encryption at all.  But it’s worth noting its shortcomings:  such software-based encryption is not “always on” – so the user has to remember to actively encrypt data.  Unlike the hardware encryption on our Cruzer Enterprise range of secure drives.

With a true secure USB flash drive, you don’t have to worry whether the data you’re packing is encrypted.

Have you ever looked at all the data breaches that have occurred in the past 18 months, and thought “that couldn’t happen to me”?  The truth is, it can happen to anyone, and at more or less any time.

All it takes is a moment’s inattention to lose a thumb drive or disk.  And if the data on that device is not protected in any way, congratulations:  it’s your own data breach. 

To highlight that it can indeed happen to anyone, this article on Enrique Salem, president and CEO of security giant Symantec is revealing.  In it, he admits that he has personally lost a USB flash drive containing confidential information.

He also points out that certain data security features need to be automated – such as mandatory encryption, alerts to administrators in the event of protected data being accessed, and more.  This security best practice helps to ensure confidential data stays confidential. 

So if you’ve ever lost a flash drive in the past, don’t worry:  it can even happen to CEOs of security companies.  But if you think it cannot happen to you, you might want to think again.

NASA is the latest organisation to clearly outline its policies on use of non-authorised USB flash drives and other removable media.

NASA CIO Jonathan Pettus issued a memo last week, instructing employees in good practice with removable storage. He stated they should not use personally-owned USB drives on government computers; nor use government-owned removable media devices on personal machines or machines that don’t belong to the agency; not to put unknown devices into ANY systems; and to ensure systems are fully patched and updated.

Read More »