Townsend Security Data Privacy Blog

Top Security Blogs of 2012

Posted by Luke Probasco on Jan 11, 2013 8:29:00 AM

Webinar: Top IBM i Security Tips for 2013


Register for our Webinar "Top 3 IBM i Security Tips for 2013"


2012 was a big blogging year for Townsend Security. By the close of December we had published a grand total of 285 blogs! Wondering what data security compliance regulations your organization faces? We covered it. Do you need to learn more about securing your SharePoint server with encryption and key management? We’ve got 490 words on it. Did you know email addresses can be considered Personally Identifiable Information (PII) and need to be encrypted? Patrick Townsend, Founder and CEO, wrote about that in “Protecting PII – Passwords, Bank Accounts, and Email Addresses?”

With all the great blogs on protecting sensitive information, examining data breaches, and how to meet data privacy compliance regulations, our bloggers created some great content that we hope you found valuable. Without further ado, here are the three most-read blogs from 2012:

#1 Skip V6R1 on IBM i and Upgrade to V7R1 – A Security Note

IBM provides a new automatic encryption facility in V7R1 for DB2/400 called FIELDPROC.  This new facility gives IBM i customers their first shot at making encryption of sensitive data really easy to do. With the right software support you can implement column level encryption without any programming.  The earlier trigger and SQL View options were very unsatisfactory, and the new FIELDPROC is strategically important for users who need to protect sensitive data. [More]

#2 How LinkedIn Could Have Avoided a Breach – And Things You Should Do

The loss of passwords by LinkedIn, eHarmony, and Last.FM should be a wakeup call for CIOs, security auditors, and IT security professionals everywhere.  Let’s take a look at what probably happened, what you can do, and why you need to look beyond passwords on your own systems. [More]

#3 What is the Difference Between AES and PGP Encryption?

AES encryption is the standard when it comes to encrypting data in a database.  Advanced Encryption Standard (AES) has been adopted as a standard by the US government and many state and local agencies.  AES is the recommended encryption method for PCI, HIPAA/HITECH, GLBA and individual state privacy regulations.  AES encryption uses an encryption key to encrypt the data. [More]

As compliance regulations get tighter, data breaches get more sophisticated, and security best practices advance, Townsend Security will be here to blog on what is new and what you need to know about.  Here is to 2013 being the most secure year yet!

Are you free on January 30th at 10:00am Pacific? We will be presenting a webinar titled “Top IBM i Security Tips for 2013” with Patrick Botz, former Lead Security Architect and founder of the IBM Lab Services security consulting practice, in which we discuss:

  • Using FIELDPROC for automatic encryption
  • Key Management best practices – and what to look out for
  • A practical way to implement Single Sign On (SSO)
  • How to easily collect IBM i logs and transmit them to ANY SIEM

Topics: Data Privacy, Best Practices

How Secure are Your Passwords?

Posted by Robbn Miller on Jan 8, 2013 9:42:00 AM

Data Privacy for the Non-Technical Person


Download the podcast "Data Privacy for the Non-Technical Person"


Password: (noun) a variable-length combination of characters, numbers and special characters that gives its user a false sense of security.

We hear it all the time: a business was hacked, a database compromised, accounts ransacked, notification and liability, password cracked, blah blah blah. “How can this happen?” “Why didn’t they create a stronger password?” Well before you get too indignant, how well are you protecting your own data?

Is your password sufficient to stop the minions of organized crime, bored fifteen-year-olds killing time, or other ne’er-do-wells intent on accessing your data?

It is difficult to remember different passwords, which is why 60-65% of people reuse the same or similar passwords. In practice that means it is more convenient to use your cat's name plus the month number and something about the website itself, and then just change it every month. That would look like this:

Amazon: (Puddy06Amaz) then (Puddy07Amaz) then (Puddy08Amaz)
Comcast: (Puddy09Com) then (Puddy10Com) then (Puddy11Com)

And before you blame the cat for having an insufficiently difficult name, just think how silly it would be standing outside and calling “Here BH-jk!nhb#$@$n_8.”

So you can see it's just a matter of time before they get to your bank. How do they figure out the pattern? Look at your Facebook page and your Twitter. How often do you post about your favorite sports team, your pets, your kids, your hobbies? After they look at that, it's just a matter of time before they figure you out, and they have all the patience in the world.

You might slow the attackers down by using a passphrase instead of a password. Use a phrase from your favorite book, movie, or song. (1 phrase will rule them all!!) (I ain't never birthed no babies b4) (8 Days a Week)

Alternatively, have a password pattern for general accounts and a very different pattern for more sensitive accounts. Preferably one that you don’t plaster all over Facebook!

Then of course there are the other attacks, such as dictionary, malware, phishing and brute-force.

One way to help protect yourself is to get a password vault. With these you only have to remember one password or passphrase to unlock the vault and have access to your passwords. 

Once you set it up, these vaults will randomly generate unique passwords for each website or account making it easier for you to reset passwords on a regular basis (a good practice to get into) and you don't have to make them up or remember them!

I'm not saying that businesses don't have responsibility in this; they need to get on board as well. How many sites do you go to where the passwords are restricted and:

  • Has to be between 6 and 10 characters long
  • Has to start with a letter
  • Has to have at least 1 number
  • No spaces or symbols

Really? That limits you so much that, again, it is just a matter of time before the right computer program figures that one out.

And then you forget your password anyway, so you call them.  Customer service tries to be as helpful as they can be: "Well, your password is a word and number." And when you still don't quite get it: "It's a place you might like to vacation and it starts with H" and by feigning forgetfulness, injected with humor, chatting up the Help Desk, you can get it narrowed down even more.

For the most part, people like you and me understand we are taking a risk, but we are still not willing to give up convenience.

How do you respond when your bank or other account calls you? Sometimes they ask for your zip code, date of birth, or address maybe to confirm they are indeed speaking with the owner of the account. But how do you know with whom YOU are speaking? You could call them back but that's inconvenient. Simon Davies of Privacy International suggests putting a nonsense word in the special instructions field on your account. Then when they call you, you ask them to read you that word. If they indeed are the bank, they have that word and can confirm it.

Technology is moving away from passwords and towards those things easier for us to remember and recognize on a personal level. We've seen pictures, for example, used with a pattern swipe, or face recognition. Right now that is still tied to a password or PIN and those are used as back up - so still hackable. But it's a move in the right direction.

Fingerprint recognition is accepted as highly secure and practically impossible to fool.  But a Japanese cryptographer got past such a device by using Gummi Bears.

Kevin Mitnick, a famous hacker turned good guy, got around a voice authentication by using a program that fakes his phone number on caller ID. He then made sure that each number was represented, and, calling the CEO of the company he was testing with, asked the CEO if he had the "new" phone number and would he read it off to confirm it displayed properly. Now he had the CEO's voice with every number and broke in.

As data thieves get smarter and your one-size-fits-all password becomes less secure, it is important to routinely change your passwords and not use the same password on multiple sites. Being in the security industry, we see plenty of preventable data losses. While there isn't much you can do to prevent the next big breach, you can at least make it hard for data thieves to take your lost information and use it to access your other accounts.

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person. Patrick Townsend, our Founder & CEO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII are, and the first steps your company should take towards establishing a data privacy strategy.


Topics: Data Privacy, password

SHA-1 Use Expiring for Digital Signature Generation

Posted by Paul Ohmart on Jan 4, 2013 7:58:00 AM

How LinkedIn Could Have Avoided a Breach


Download the podcast "How LinkedIn Could Have Avoided a Breach"


SHA-1 is perhaps the most often encountered hash algorithm in use today. But its use in digital signatures will be restricted by NIST in the near future. NIST already restricted the use of SHA-1 for federal organizations starting back in 2010, but the weaknesses found in the SHA-1 algorithm have prompted NIST to restrict its use for all digital signature generation.

Digital signatures have two aspects: signature generation and signature verification. In January 2011 NIST issued Special Publication 800-131A titled "Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths." Digital signature generation is addressed in Appendix B.2, Digital Signature Generation Using Asymmetric (Public) Keys and SHA-1. Here NIST states, "Some applications, such as signing a public key certificate, are very high risk and the use of SHA-1 in those applications should be avoided as much as possible. In NIST’s view, after 2013, the risk is unacceptable in all applications, and the use of SHA-1 when generating a digital signature is not allowed after that date."

Signature verification of already calculated hashes will still be allowed in what is termed a "legacy-use" period.

SSL uses X.509 certificates, which are frequently seen with the Signature Algorithm attribute sha1WithRSAEncryption. As December 31, 2013 is fast approaching, you may want to consider recreating these certificates with one of the newer SHA-2 algorithms such as SHA-256 or SHA-512. For example, when creating certificate signing requests with OpenSSL, try using "openssl req -new -sha256 etc...".
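To find certificates that still carry that attribute, here is an added example (not Townsend Security's code) that reads the outer signatureAlgorithm of a DER-encoded certificate with a minimal standard-library DER walker and flags SHA-1 OIDs; the "certificate" it builds for demonstration is constructed test data with a dummy body, not a real certificate.

```python
"""Detect legacy SHA-1 signature algorithms in DER-encoded X.509 certificates.

Added example, not code from Townsend Security. It walks only as far as the
outer signatureAlgorithm field of a certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
The "certificate" returned by build_sample_certificate() is constructed test
data with a dummy body; it is not a real certificate and cannot be validated.
"""

# Dotted OID -> (name, signed with SHA-1?). Values from RFC 3279, 4055 and 5758.
SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}
SEQUENCE, OBJECT_IDENTIFIER, NULL, BIT_STRING, INTEGER = 0x30, 0x06, 0x05, 0x03, 0x02


def read_tlv(buf, pos=0):
    """Read one DER tag/length/value starting at pos; return (tag, value, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form (arcs 0, 1 and 2.0-2.39)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                      # remaining arcs are base-128, high bit = more
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def certificate_signature_algorithm(der_bytes):
    """Return (dotted OID, name, is_sha1) for the outer signatureAlgorithm.

    is_sha1 is None when the OID is not in the table: flag it for manual review.
    """
    tag, cert, _ = read_tlv(der_bytes)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert)                 # skip tbsCertificate entirely
    tag, alg_id, _ = read_tlv(cert, pos)          # AlgorithmIdentifier
    if tag != SEQUENCE:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_bytes, _ = read_tlv(alg_id)          # its first element is the algorithm OID
    if tag != OBJECT_IDENTIFIER:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(oid_bytes)
    name, is_sha1 = SIGNATURE_ALGORITHMS.get(oid, ("unknown", None))
    return oid, name, is_sha1


# --- helpers that construct sample input (encoder side) ----------------------

def der(tag, content):
    """Wrap content in a DER TLV with short or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def encode_oid(dotted):
    """Encode a dotted OID as OBJECT IDENTIFIER content bytes (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def build_sample_certificate(sig_oid):
    """Constructed sample: dummy tbsCertificate, the given signature OID with NULL
    parameters, and a dummy 1024-bit signature. Only the outer layout is real."""
    tbs = der(SEQUENCE, der(INTEGER, b"\x01"))
    alg = der(SEQUENCE, der(OBJECT_IDENTIFIER, encode_oid(sig_oid)) + der(NULL, b""))
    sig = der(BIT_STRING, b"\x00" + b"\xab" * 128)   # leading 0x00 = no unused bits
    return der(SEQUENCE, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(certificate_signature_algorithm(build_sample_certificate(oid)))
```

For a PEM file, convert it first with `openssl x509 -in cert.pem -outform DER -out cert.der` and pass the file's bytes to certificate_signature_algorithm().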

NIST has good reason to restrict the use of SHA-1 after 2013. Not only have experts found weaknesses in the SHA-1 algorithm through differential attacks, companies using SHA-1, such as LinkedIn, have already fallen prey to hackers. LinkedIn’s data breach this year could have likely been prevented if they had been using stronger hash algorithms with proper salting.
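The salting point concerns password storage rather than certificate signatures; as an added example (not from this post or Townsend Security), the following contrasts an unsalted SHA-1 password store with per-user salted PBKDF2-HMAC-SHA256 from Python's standard library. The account records are constructed sample data; "Puddy06Amaz" and "8 Days a Week" are the example passwords from the password post on this page.

```python
"""Unsalted SHA-1 versus salted, iterated password hashing.

Added example, not Townsend Security code. It contrasts a bare SHA-1 password
store, where identical passwords produce identical hashes and one precomputed
table covers every user, with per-user random salts plus PBKDF2-HMAC-SHA256
from the standard library. The user records below are constructed sample data.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # work factor; raise it over time as hardware speeds up


def unsalted_sha1(password):
    """The weak scheme: no salt, one fast hash, the same output for everyone
    who picked this password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh 16-byte random salt is drawn for every call, so two users with the
    same password get different records and a precomputed table is useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the salt and iteration count kept in the record and
    compare in constant time so the check itself leaks no timing information."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False                       # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def duplicate_password_groups(records):
    """Group usernames whose stored values are byte-for-byte identical.

    Against an unsalted SHA-1 table this instantly reveals who shares a
    password; against salted records it finds nothing, even for identical
    passwords.
    """
    groups = {}
    for user, stored in records:
        groups.setdefault(stored, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


# Constructed sample accounts; alice and carol chose the same password.
SAMPLE_USERS = [
    ("alice", "Puddy06Amaz"),
    ("bob", "8 Days a Week"),
    ("carol", "Puddy06Amaz"),
]


def compare_schemes(users=SAMPLE_USERS, iterations=PBKDF2_ITERATIONS):
    """Hash the same accounts both ways and return the duplicate groups found
    under (unsalted SHA-1, salted PBKDF2). A lower iteration count is only for
    quick demonstrations; a production store keeps the full work factor."""
    sha1_store = [(u, unsalted_sha1(p)) for u, p in users]
    salted_store = [(u, hash_password(p, iterations=iterations)) for u, p in users]
    return duplicate_password_groups(sha1_store), duplicate_password_groups(salted_store)


def demo_verify(iterations=PBKDF2_ITERATIONS):
    """Store one password, then check a correct and an incorrect guess."""
    stored = hash_password("Puddy06Amaz", iterations=iterations)
    return verify_password("Puddy06Amaz", stored), verify_password("Puddy07Amaz", stored)


if __name__ == "__main__":
    sha1_dups, salted_dups = compare_schemes(iterations=10_000)
    print("shared passwords visible under SHA-1:", sha1_dups)
    print("shared passwords visible under salted PBKDF2:", salted_dups)
    print("correct guess, wrong guess:", demo_verify(iterations=10_000))
```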

Is your company still using SHA-1 hash algorithms? Learn more about why you should move to SHA-2 or higher in our podcast, “How LinkedIn Could Have Avoided a Data Breach” featuring security expert, Patrick Townsend.




Topics: security, NIST, Security News

9 Steps to Easy Encryption Key Management

Posted by Liz Townsend on Dec 20, 2012 12:43:00 PM

View Webinar: Encryption Key Management - Easier Than You Think


Listen to this podcast to learn about how easy and affordable encryption key management can be.


Encryption key management has a bad reputation. How bad? I once heard a SQL Server professional describe encryption key management as so costly and difficult to implement, it is a “nightmare.”  It’s hard to imagine that attempting to simply manage your encryption keys evokes images of terrifying dreams that wake you up at night in a cold sweat. However, for many database administrators who must encrypt data, the idea of incorporating a good encryption key management strategy (dual control, separation of duties, etc.) really does sound like a daunting task. Most DBAs assume that a key management project is time consuming, expensive, incredibly complicated, and requires specialized third-party consultants. Simply getting the encryption key manager up and running is a huge headache.

We don’t believe good encryption key management needs to be difficult. In fact, we believe that good encryption key management should have these 9 easy features:

  1. Easy to Install: A single-use (1U) server plugs right into your IT infrastructure and requires no on-site technician to install.
  2. Easy to Configure: Install your license, certificates and keys, configure options, and start the server all within a standard, secure web browser and administrator console.
  3. Easy to Manage: Operate your console within secure and authenticated TLS sessions, use two admins for dual control, collect logs, manage multiple servers as well as manage local and remote key servers, all through one interface.
  4. Easy to Evaluate: Evaluating a product before you buy shouldn’t be difficult. You should be able to evaluate the product without any hardware on a ready-to-use VMware instance or an internet-based demo server, pre-configured with licenses, certificates, and keys.
  5. Easy on Developers: Developers should be provided with a rich library of documentation and sample code to use in their applications for any platforms that need more development to get key management running smoothly.
  6. Easy to License: You should not need to license every end point that connects to the key server. The cost and complexity of licensing all endpoints is unnecessary and can be a huge barrier to getting data protection up and running quickly across the organization.
  7. Easy to Own: Key management should be affordable to small and mid-sized businesses. The solution should be scalable to each organization’s needs.
  8. Easy to Deploy: Customers should always have access to direct shipping, a simplified order process, remote configuration, and installation services.
  9. Easy to Sell: Integrating a key management solution should be easy for partners and include easy software integration, thorough technical and sales training, multiple support plans, and flexible and tiered solutions!

Looking for key management as easy as this? View our webcast, “Encryption Key Management Simplified - Removing Complexity & Cost” to learn more. Or contact us for a technical overview on Alliance Key Manager, our encryption key manager, with one of our technical sales support representatives.

Topics: Alliance Key Manager, Best Practices, Encryption Key Management

Data Protection - What Today's Security Admins are Up Against

Posted by Victor Oprescu on Dec 17, 2012 4:16:00 PM

View Webinar: Four Solutions for Data Privacy Compliance


View this webinar to learn what compliance regulations (PCI DSS, HIPAA, FFIEC, etc.) say about data protection.


Data breaches happen all the time, and although we do what we can to prevent them, cyber crime is still on the rise. The Verizon Business Data Breach Investigations Report for 2012 counts as many as 174 million records compromised that year. Verizon compiled the 2012 report from data collected in 2011. You can find the full report here, but I'm going to summarize just a few of the highlights.

  • 98% stemmed from external agents, meaning one way or another, cyber criminals gained access to systems storing sensitive data and compromised them.
  • 81% used some form of hacking, in many cases in conjunction with malware.
  • The statistic that hits home hardest, 96% of victims subject to PCI DSS had not achieved compliance at the time of the breach.

That is really hard to stomach, because here at Townsend Security we work so hard to spread the word about the importance of merchants being PCI DSS compliant. It's not just about appeasing the auditors or passing an annual Self-Assessment Questionnaire; it's about protecting everyone's sensitive personal information. These are our credit card numbers that are being stolen, our dates of birth, social security numbers, and a myriad of other information criminals can use to their gain and our loss. The report lists that 48% of the data compromised was payment card data, like credit card numbers.

According to the report, of the 855 incidents recorded, 54% of the companies affected by that year's data breaches were in Accommodation and Food Services, 20% in Retail Trade, and 10% in Finance and Insurance. And it's not just companies in the US that are affected: in 2011 data breaches were reported in as many as 36 countries worldwide.

And as if all this information wasn't already scary enough, apparently as many as 55% of data breaches remained undiscovered for months or longer. And the majority of data breaches are discovered by external parties; meaning that the companies experiencing the data breach end up learning about it from someone else, causing bad publicity and damage to the company's reputation.

This report did not talk about the cost borne by companies or consumers as a result of these data breaches; however, Symantec took the time to compile those numbers for 2011 and in September of 2011 extrapolated the cost for the 12 months of that year to $144 billion. Obviously this has become a very lucrative business for cyber criminals, and it's not surprising that they expend so much effort on their endeavors.

The Verizon Business report has one more piece of information worth sharing: its recommendations. They include implementing sound security policies around system credentials, such as using strong passphrases and changing them on a regular basis, and ensuring that essential controls on data are in place, such as encrypting sensitive data and following recommended encryption key management practices like separation of duties and secure encryption key storage. Especially for larger organizations, monitoring and mining event logs is recommended to aid in discovering active data breaches quickly and internally.

A new report should be published soon and although there has been a lot of attention on these subjects in 2012, the trends in the past have been an increase in data breaches, rather than a decrease. However, knowledge is power, and we have a lot of knowledge for you. Empower yourself and your company by reading some of our white papers on encryption, logging, and data security.


Topics: Data Privacy, encryption strategies

Healthcare Data Breaches - 4 Major Factors of a $7 Billion Problem

Posted by Liz Townsend on Dec 12, 2012 8:30:00 AM

Webinar: Protecting PHI and Managing Risk - HIPAA Compliance


View our Webinar "Protecting PHI and Managing Risk - HIPAA Compliance"


If you knew that something was going to happen to your business that would cost you not only your clients' trust but also $13 million (the average cost of a healthcare data breach), would you try to prevent that thing from happening?

According to the Ponemon Institute study, Third Annual Benchmark Study on Patient Privacy & Data Security, healthcare data breaches cost the industry $7 billion annually. Unfortunately, that's not the most shocking number of the study. As it turns out, 94% of healthcare organizations have experienced at least one data breach over the past two years. Almost half of all healthcare organizations have experienced at least five data breaches each over the past two years. This means that almost 100% of healthcare organizations have lost patient data such as private health information, names and addresses, credit card information, and social security numbers. If you're wondering how identity theft happens, this is it!

In a recent article published by Forbes, Rick Kam of ID Experts and Larry Ponemon of the Ponemon Institute pointed to four major issues around data security in the healthcare industry:

1. Cost of a data breach: "Data breaches cost the U.S. healthcare industry nearly $7 Billion annually."

The cost to the industry includes losing patient trust, providing patients with credit monitoring services, as well as paying out hefty fines to HHS. The cost to patients often comes in the form of identity theft.

2. Electronic records: "The rise of electronic health records (EHRs) is putting patient privacy at risk."

Using computers to store and organize patient data is a blessing to most healthcare providers. However, maintaining electronic records not only causes healthcare organizations to fall under state and industry data privacy regulations, it also opens up the door to data breaches caused not only by external hackers looking to make a buck, but also employee mistakes which account for about one third of all data breaches.

3. Mobile devices and the cloud: "The rise of mobile and cloud technology threaten the security of patient data."

These days many doctors and healthcare providers use personal mobile devices to access patient data. How are these devices protected? Often they are not. Since many organizations, including those in healthcare, are now using cloud providers to store data, cloud security has also become a hot topic. How do you secure your data stored in the cloud, when it may be accessed by other users? Encryption and encryption key management is the best place to start. [Blog: 3 ways to manage encryption keys in the cloud]

4. "Little time, even less money"

Budget is one of the biggest factors that goes into an organization's data security plan. The tools needed for a comprehensive data security plan, such as encryption and encryption key management, may seem expensive and complicated, but the solutions out there today are in fact cost-effective and easier than ever. In the end, a company's security posture really comes down to priorities. Is preventing a multi-million dollar data breach a priority? Or will you leave it up to chance?

Encrypting your data at rest and data in motion is the first critical step to protecting your database. Always look for NIST and FIPS certifications to ensure you are using the best encryption and key management tools available.

View our webcast “Protecting PHI and Managing Risk – HIPAA/HITECH Compliance” to learn how your organization can manage its risk of a data breach and achieve breach notification safe harbor status.


Topics: HITECH, Data Privacy, Best Practices, HIPAA, Healthcare, Data Breach

Stolen Secret Service Tapes - Is 2008 Encryption Still Secure?

Posted by Patrick Townsend on Dec 10, 2012 9:39:00 AM

AES Encryption & Related Concepts


Download the white paper "AES Encryption & Related Concepts"


Over the weekend a news report surfaced describing lost Secret Service tapes that contained extremely sensitive information such as personnel and investigative information. The loss was both typical and mundane: a carry bag with the tapes was left on a metro train. This kind of thing happens all of the time - a couple of years ago I left a laptop on a plane when I arrived in San Francisco (luckily recovered). Something similar has probably happened to you.

But one commentator said something that was shocking:

"... this is 2008 encryption. And years later, our abilities to break encryption, our algorithms to do that, are much, much better. If those tapes were found, I'm sure they could be cracked in moments."

Excuse me ???

In 2008 the new NIST Advanced Encryption Standard (AES) had been in place for several years, and many of us were shipping products that were certified by NIST to meet that standard. Triple DES was in use at that time, and may also have been used to encrypt those tapes. The article did not identify which algorithm, if any, was used.

Both of these algorithms are still considered strong today (see reference below). They are not broken, they are not weak, and they can't be "cracked in moments." And encryption does not have a shelf life like cottage cheese: encryption methods do not get stale just because some time goes by. [For more information download our white paper AES Encryption and Related Concepts]

There are a lot of things that could have been wrong about how the tapes were protected. They:

  • Might not have been encrypted
  • Might have been encrypted with a weak algorithm
  • Might have been encrypted with a weak key
  • The key might have been stored on the tape
  • The implementation might leak information
  • And so forth.

People get the implementation details wrong all of the time, which leads to weak protection. But, again, good encryption does not spoil like milk, and data protected properly in 2008 would still be just as strong today.

Misconceptions like this have a bad knock-on effect. When there are still so many organizations who've done nothing to protect data, this type of false information creates a sense of despair, and reinforces the belief that nothing can or should be done. I just recently heard someone say,

"If the NSA can't prevent a break-in, what chance do we have?".

Substitute Secret Service, NSA, DOD, RSA Security, McAfee, and others, and you get another excuse for doing nothing to protect the organization's key assets. That's a sad and unnecessary result of bad information.

For the record: If you were using a NIST-approved encryption method in 2008 such as 128-bit AES, and you were using best practices for encryption and key management, that information is still protected today. You can find NIST guidance about encryption algorithms here (see Section 2 about Encryption):

Patrick

For more information on encryption and key management, download our white paper "AES Encryption and Related Concepts" and learn about how proper encryption and key management work together to secure your data.


Topics: Encryption, Data Privacy, Data Breach

5 Data Security Myths Debunked: Part 2

Posted by Liz Townsend on Dec 7, 2012 11:46:00 AM

Podcast: The Data Protection Trifecta - Encryption, Key Management, and Tokenization


Learn more how encryption, key management, and tokenization can keep your data secure.


These are the last two myths in our installment “5 Data Security Myths Debunked.” With the rise of data breaches occurring all over the world, we’ve been watching closely to see how company leaders are responding to these incidents. To say the least, we have been shocked by what some government leaders and CEOs have said surrounding data security in their own organizations. We believe that some of these sentiments are highly misleading, if not downright false. That is why we have decided to compile these statements into five "myths" of data security. These myths come from direct quotes by CEOs and government leaders.

Myth #4: There is nothing you can do to prevent your company from being hacked

Fact:
There are many actions a company can take to protect its network and prevent a data breach:

  • Know which parts of your data are considered “sensitive”, and know where all of your sensitive data is stored. Is it on one server or many servers? Is it stored in applications or databases? Do you have multiple data centers that store sensitive information?
  • Use file integrity monitoring (FIM) or system logging to be alerted to changes in system configuration, sensitive data, or unauthorized access in real time.
  • Develop and enforce a unified, proactive data security policy to protect data at rest and in transit across your company’s entire network.
  • Use AES standard encryption to encrypt sensitive data at rest and FIPS 140-2 compliant key management to protect your encryption keys.
  • Automate updates to firewall configurations, password changes, and system patches.
  • Restrict employee access to sensitive data.

Myth #5: CEOs do not need to be concerned about data security.

Fact:
Data security isn’t just the Chief Information Security Officer’s (CISO) problem, it’s a business problem that affects both the C-level and the IT level of an organization. IT security is often not made a priority due to the disconnect of perceived vulnerability and actual vulnerability within a company’s IT infrastructure. A recent survey by CORE Security found that approximately 75% of CEOs surveyed didn’t believe their networks were under attack or already compromised, while 60% of CISOs felt very concerned about attacks and believed their systems were already breached.

Poor data security is a business risk. The consequences of a data breach include loss of reputation, loss of customer trust, and hefty fines. In 2011, the average data breach cost an organization $5.5 million. Despite these often highly publicized repercussions, 65% of CEOs surveyed by CORE Security reported that they did not have the information they need to translate IT risk into business risk.

Topics: Data Privacy, Best Practices, Data Breach, Security News

5 Data Security Myths Debunked: Part 1

Posted by Liz Townsend on Dec 3, 2012 3:18:00 PM

Webcast: Four Solutions for Data Privacy Compliance


Learn what regulations say about data protection and how encryption, tokenization, key management, and system logging can help keep your company in compliance.


With the rise of data breaches occurring all over the world, we’ve been watching closely to see how company leaders are responding to these incidents. To say the least, we have been shocked by what some government leaders and CEOs have said surrounding data security in their own organizations. We believe that some of these sentiments are highly misleading, if not downright false. That is why we have decided to compile these statements into five "myths" of data security. These myths come from direct quotes by CEOs and government leaders.

Myth #1: Encrypting social security numbers is not a standard in most industries, including banks. 

Fact:
Most banks and financial institutions adhere to state laws and industry regulations (such as FFIEC and GLBA) regarding the protection of social security numbers.

For example, California data privacy laws identify Social Security numbers as a critical piece of personally identifiable information (PII) that must be protected using “reasonable security procedures and practices appropriate to the nature of the information” such as encryption or redaction (1798.81.5). The law holds businesses within the state, financial or otherwise, to the same data security requirements that the state itself must follow: any business owning or licensing computerized data containing personally identifiable information (PII) such as names and Social Security numbers must protect that data using encryption, redaction, or other methods that render the data unusable in order to avoid data breach notification (1798.29). The average cost of a data breach is $5.5 million (Ponemon, 2012).

The FFIEC IT Handbook action summary states that “Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. Encryption implementations should include: Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk, effective key management practices, robust reliability, and appropriate protection of the encrypted communication endpoints” (ithandbook.ffiec.gov).

Myth #2: Encryption is too complicated for my IT and database administrators.

Fact:
Most database platforms such as SQL Server, Oracle, and IBM i are designed to easily implement encryption and encryption key management solutions. SQL Server and Oracle, for example, use Transparent Data Encryption (TDE) and Extensible Key Management (EKM) to easily encrypt data. IT professionals agree that these tools make encryption easier. “TDE is relatively straightforward” - Michael Otey, SQL Server professional (www.sqlmag.com). Encryption with TDE on SQL is “Easy to Implement and administer” -Brad M. McGehee, SQL Server professional, MCTS, MCSE+I, MCSD (https://www.bradmcgehee.com).

Learn how to set up TDE and EKM on SQL Server 2008/2012 in 10 minutes or less here.

Myth #3: Data breaches are usually caused by highly sophisticated hackers.

Fact:
The top four mechanisms for a hacker to break into a company’s network are: exploiting system vulnerabilities, default password violations, SQL injections, and targeted malware attacks (Symantec, 2009). These techniques are not considered highly sophisticated. They are used often to penetrate networks with inadequate security.

Curious what the final two data security myths are? View "5 Data Security Myths Debunked: Part 2" to find out if there is really nothing you can do to prevent your company from being hacked and whether or not CEOs should be concerned about data security.


Topics: Data Privacy, Best Practices, Data Breach, Security News

Community Giving: Volunteering at the Local Food Bank

Posted by Sandra Hulteen on Nov 29, 2012 9:23:00 AM

I dropped a tomato and it rolled away under the table. I picked up a bag of pears and the pears skittered across the floor as the wet bottom gave way. I juggled the eggplants as they slipped through my hands. All of these nervous first steps were right in front of the seasoned veterans who were showing me the ropes the morning before the Thurston County Food Bank opened. With all of this, I thought the Food Bank might not really want me helping in the produce section if I was going to cause so much vegetable trauma. But the other volunteers were kind and patient, and I persisted through that embarrassing start. By the end of the day, I ended up sorting several boxes of fall produce – apples, kale, squash, pears and lettuce. If anything was found too ripe during final inspection, we set it aside to give to local farmers to feed their livestock. Once the food bank opened, I helped staff the dry goods aisle, helping customers select their allotted items.

During my time volunteering, I had the pleasure of working with other kind volunteers, as well as meeting friendly customers.  One customer personally thanked me for my time volunteering, making my day with his cheer and smile.  As I continue to volunteer at the Food Bank, I am finding that the rewards and joy come back in much greater volumes than the small portion of my time that I contribute. 

Townsend Security encourages and supports volunteering for all employees by providing four hours of paid time per month.  This has inspired me to just schedule a day and time to volunteer, even though I always have plenty of competing tasks to do at work and home.  

The Volunteer Policy is part of a broader commitment by the company to support our local community.  Townsend Security also donates financial resources to our local United Way, and matches employee donations to 501(c)3 organizations.  Many of us here at Townsend Security believe that we have resources we can and should share, and that we can make a difference by acting locally.

We invite you to take a look at all of our community sponsorships that we are a part of.  You can also follow us on Facebook, Twitter, and LinkedIn to see what we are up to next.

Topics: Giving, Community