Townsend Security Data Privacy Blog

Signs Your IBM i May Have Been Hacked - part 2

Posted by Michelle Larson on Oct 3, 2013 9:20:00 AM

As we discovered in the blog Signs Your IBM i May Have Been Hacked, the combination of secure system logging on the IBM i and log monitoring with a SIEM will help you secure sensitive data and minimize the impact of security breaches. Hopefully you were able to watch the webinar resource provided (if not, you can request it HERE). After the webinar, a number of questions were asked by attendees and answered by industry experts from Townsend Security and Integrity. Here is a recap of that Q&A session:

Q: Do compliance regulations require system logging?

A: Most regulatory compliance standards such as PCI-DSS, FISMA, GLBA, and HIPAA/HITECH require organizations to monitor their network in real-time and provide audit reports. For the Payment Card Industry Data Security Standard (PCI-DSS), there are numerous logging requirements to be PCI compliant. Auditors want to look at how the logs are generated, whether it’s systematic or whether an operator can access/edit them, go in and pull them off and move them somewhere else. They want to look at whether there are mirrored events, where they go off the system through an automated process without any potential human intervention. It also details if people have the right privileges. Logs will show user events as well as which individuals are accessing libraries, files, or other areas outside of their designations. Logging is not only an industry best practice, it is a critical control to understanding access to a system.

Q: We have some custom applications that run our core business. Can a SIEM solution analyze the log files that come from these applications?

A: Dave Nelson from Integrity answers: “Some SIEM applications are able to analyze log files from custom applications, others are not. Integrity’s SIEM can create a custom parser that can take just about any log that you can provide. Integrity can analyze that; we’ll work with your internal application development staff to identify what different error codes or security event log codes or whatever it is that you’re creating to identify a specific event. We can map that into the parser, then we can map those to either standard alerts or we can create new custom alerts, we can customize thresholds and a lot of different things. That’s one of the reasons our customers choose us most frequently: they have those internal applications that are custom that a lot of the other SIEM tools can’t handle, but we can handle them and we can give them a lot of information about something that’s very unique to their business.”

Q: You mentioned File Integrity Monitoring (FIM), can you further explain how an organization would use it?

A: It’s not every field that you’re going to want to alert and log and monitor on, but there might be ones with credit card numbers or store order authorization codes that you want to monitor and make sure the data hasn’t been altered or accessed without consent. The point to stress with logging and file integrity monitoring is that ultimately it helps the individual system operator. You can have mirror alerts go to multiple people in the company, security officers as well as system operators. With FIM you take the responsibility off of any one person having to follow up and do it all, and you can create more of a collective team that analyzes this data to help the business.

Q: How can we distinguish a false alarm from a successful attack?

A: Sometimes it can be very difficult to distinguish a false alarm from a successful attack until you have done an entire investigation. People who do this day in and day out can begin to identify the patterns and trends of what makes an attack successful or not. In our experience, the easiest way to do it is to look for key data points or key events that should have happened. One of the things you can do is jump right to the end if you know that a specific attack is successful, and work your way back through the system to determine the file name and creation date. This really only comes with experience and practice of identifying the missing pieces.

Please post any additional questions you may have here on the blog!

For a much deeper and more detailed discussion on secure system logging and monitoring as essential controls to detect and mitigate the risk of a data breach, please request a download of the entire webinar:

Learn the importance of system logging and monitoring

Topics: System Logging, File Integrity Monitoring (FIM), IBM i, Alliance LogAgent, Data Breach, Integrity

4 Things a Point of Sale (POS) Vendor Can Do to Avoid a Data Breach

Posted by Luke Probasco on May 20, 2013 2:19:00 PM

It was revealed earlier this month that the St. Louis-based supermarket chain, Schnucks, had a data breach that exposed at least 2.4 million customer credit and debit card numbers to an outside hacker. Schnucks is currently involved in a class action lawsuit over the breach and possible leak of credit card info by its card processing company.

Currently the news reports that this breach occurred because:

  1. Leaders in the company don’t think that anything is wrong with their data security. According to a survey by CORE Security only 15% of CEOs are very concerned about network vulnerability; however, 65% of security officers “admitted to not having the sufficient data needed to interpret how security threats translate to overall business risk.”
  2. The point of sale (POS) and retail management software that retail companies use to process their customers’ card information often use inadequate security tools and minimal security best practices.

Data breaches caused by faulty security in credit card processing machines and software are surprising to most people because we expect credit card processing companies to protect our card information and personal data. In fact, credit card processing companies are mandated by the Payment Card Industry Data Security Standards (PCI-DSS) council to use encryption and encryption key management in order to sell their point of sales (POS) devices and retail management software to businesses such as Schnucks.

Despite the regulations, however, many POS and retail management vendors pass PCI-DSS audits by the skin of their teeth with data security solutions that have been cobbled together with the bare minimum requirements. If asked if they still felt exposed with their current data security solution, many database administrators will respond with a resounding, “YES.”  As we have seen over and over again, these piecemeal solutions are not good enough to prevent a data breach!

This has revealed a truth that is becoming more and more evident:

Just because a merchant or a POS vendor has passed a PCI-DSS audit does not necessarily mean they are protected from a data breach! Even though PCI-DSS is supposed to protect customers and prevent data breaches of this kind, loose interpretations by auditors of PCI-DSS and poor encryption and key management techniques leave businesses open and exposed to hackers.

Schnucks could have most likely prevented this data breach by having chosen a POS vendor and retail management software ISV who offered these guarantees:

  1. Encryption - Always use industry standard encryption such as AES encryption.
  2. Encryption key management - Companies encrypting data should always protect their encryption keys using an encryption key management hardware security module (HSM). This is a critical component to securing sensitive data.
  3. System logging - A good system logging solution can help you catch and prevent changes to your network in real-time in order to prevent a data breach.
  4. Certifications - Your POS and retail management software provider should have encryption and key management with NIST and FIPS certifications. These certifications ensure that your encryption and key management solution are up-to-date with the highest standards.

Unfortunately, these days passing a PCI-DSS audit is not enough. Merchants and retail software vendors need to stay ahead of the game by using data security tools that are going to protect their customers and protect themselves in the event of a data breach. The bare minimum will not cut it.

Townsend Security is a leading provider of encryption, key management, and system logging solutions. We partner with POS and retail management ISVs to help these companies protect and secure sensitive data quickly, easily, and at a competitive price. Here at Townsend Security our team works with our partners by providing hardware, training, marketing materials, and thorough back end support to help our partners and their customers achieve peace of mind.

Topics: Point of Sale (POS), Data Breach

How LivingSocial Could Have Avoided a Data Breach

Posted by Liz Townsend on May 1, 2013 3:15:00 PM

Lack of security around passwords, emails, usernames, and other personal information leads to another easily preventable, massive data breach.

Last week we saw another major data breach of personal information due to a hacker who gained access to names, email addresses, dates of birth, and passwords protected using hashes and salt. When this story started to pop up in the news we were pretty surprised by what happened. Didn’t this exact same breach happen to LinkedIn nine months ago?

In June of last year LinkedIn suffered a similarly huge data breach and lost 6.5 million hashed passwords. The passwords were posted online and within a few hours over 60% of the passwords had been exposed. Why were these passwords so easy to crack? Because LinkedIn had been “protecting” user passwords using the hash algorithm SHA-1. SHA-1 is a known weak algorithm that is no longer recommended by the National Institute of Standards and Technology (NIST). Today it is a basic industry standard to use the stronger hash algorithm SHA-256 or SHA-512.

In the end, however, LinkedIn’s breach was really more of a headache than a disaster. A class action lawsuit brought against LinkedIn was thrown out due to lack of clear evidence that any real damage was caused by the breach. Where many consumers and data security experts had probably hoped that their breach had been a wake-up call to the e-commerce community, and anyone still using SHA-1 should have upgraded their data security practices immediately, it seems that many organizations have done nothing.

This is so surprising to us, not only because today using better data security such as strong hashing algorithms is considered to be trivially simple, but because in many states personal information such as first and last names, birthdates, and email addresses is considered to be personally identifiable information (PII) under state data security law. Most of these laws provide safe harbor from data breach notification if companies protect this information using industry standard tools.

In the end we hope that other businesses take note from this series of data breaches and update their data security.

How can you prevent a data breach of passwords and emails from happening to you?

  1. Use only an up-to-date hash method such as SHA-256 or SHA-512
  2. Use a hash based on industry standards - NIST publishes recommendations and standards. Always follow the most up-to-date standards.
  3. Use salt for an additional layer of security
  4. Protect the salt from loss or disclosure
  5. Use two-factor authentication
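As an added example (not code from the original post), the following Python standard-library snippet contrasts the unsalted hashing the post describes in the LinkedIn case with salted hashing as recommended in steps 1 through 4; the candidate password list is constructed for illustration.

```python
"""Unsalted vs. salted password hashing (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed list of weak passwords, for illustration only.
COMMON_PASSWORDS = ["password", "123456", "linkedin", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """The weak scheme: one deterministic digest per password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precompute digest -> password for a candidate list.

    Because unsalted digests are deterministic, a single table matches every
    account that chose one of these passwords. This is why a dump of unsalted
    hashes can be largely reversed within hours, as the post describes.
    """
    return {sha1_unsalted(p): p for p in candidates}


def recover_unsalted(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """Look a stored unsalted digest up in the precomputed table."""
    return table.get(stored_digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Salted SHA-256 as the post recommends.

    A fresh 16-byte random salt is generated per account and prepended to the
    password before hashing, so identical passwords yield different digests and
    a precomputed table is useless. The salt must be stored with the record
    (protected from loss) so verification can recompute the digest.
    Current practice goes one step further and uses a deliberately slow,
    iterated construction such as PBKDF2 or bcrypt over the same salted input.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def demo() -> dict:
    """Two accounts with the same weak password under both schemes."""
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted_a = sha1_unsalted("linkedin")
    unsalted_b = sha1_unsalted("linkedin")
    salt_a, salted_a = hash_password("linkedin")
    salt_b, salted_b = hash_password("linkedin")
    return {
        # Unsalted: both accounts expose the same digest, and the table hits.
        "unsalted_identical": unsalted_a == unsalted_b,
        "unsalted_recovered": recover_unsalted(unsalted_a, table),
        # Salted: digests differ per account and the table cannot be reused.
        "salted_identical": salted_a == salted_b,
        "salted_in_table": salted_a in table,
        # Legitimate verification still works with the stored salt.
        "verify_ok": verify_password("linkedin", salt_a, salted_a),
        "verify_wrong": verify_password("Linkedin", salt_a, salted_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```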

How can you prevent a data breach that compromises your customers’ very sensitive data such as credit card information, social security numbers, and private health information (PHI)?

  1. Use AES Standard Encryption to protect critical sensitive data such as credit card information and social security numbers.
  2. Use a FIPS 140-2 compliant key management system that implements key management best practices such as dual control, split knowledge, and separation of duties.
  3. Use a system monitoring tool that will alert you to important changes in your database such as unauthorized access in real time in order to stop suspicious activity before it’s too late.

To learn more about how companies such as LivingSocial and LinkedIn could have avoided a data breach, download the Podcast: How LinkedIn Could Have Avoided a Data Breach.

Topics: Data Privacy, Data Breach

Did I Do That? Many Data Breaches are Caused by Employee Mistakes

Posted by Liz Townsend on Mar 29, 2013 8:39:00 AM

I recently read about a data breach that came into public light a few weeks ago in South Carolina at the Savannah River Site (SRS), a nuclear reservation owned by the U.S. Department of Energy. This breach exposed personal information of over 12,000 employees. The state of South Carolina has been in the news over the past few months because of a massive governmental data breach caused by an international hacker that exposed millions of credit card and social security numbers.

At first I thought the SRS breach might be similar or related to the other breach, but I quickly realized there was something different about this one. According to Carla Caldwell of the Atlanta Business Chronicle, officials at the site say that the breach wasn't caused by a cyber attack. However, despite the fact that there was no hacking involved, employees are still being told “to be vigilant in monitoring financial transactions and emails or phone calls relating to such personal transactions.”

What does this mean? It means that:

  1. Despite the absence of a malicious hacker, a data breach still occurred, and
  2. Because the breach had to be reported, it likely exposed employee financial data such as credit card information or social security numbers.

Many people think that all breaches are caused by vigilante hackers, and while cyber attacks are a real threat, the truth is that a HUGE proportion of data breaches are caused by simple employee mistakes and theft of devices such as disk drives, backup tapes and personal devices such as laptops and smartphones.

According to the PricewaterhouseCoopers 2012 Information Security Survey, over 80% of enterprise data breaches are caused by employee errors. Many of these breaches occur on unencrypted mobile devices. In the healthcare industry, the Ponemon Institute found that nearly 40% of data breaches were caused by employee negligence.

Serious breaches occur inside companies simply because mistakes are made, thefts happen, and the right technology is not in place to protect sensitive data.  Some of these events include:

  • Backup tapes and disk drives are stolen out of cars
  • Laptops and other personal devices such as iPads and phones are stolen out of cars
  • Tapes, drives, and personal devices are lost (Think lost luggage, leaving items on a train)
  • Employees email files containing sensitive data to their home devices
  • Unauthorized employees view sensitive data at work because the right protocols are not in place to protect that data.

However there's a way to protect data even if it gets into the wrong hands: Encryption. If the data is encrypted it will be completely unreadable if it is stolen or mishandled. Protecting your encryption keys is also a critical piece in protecting sensitive data. If your encrypted backup tapes get stolen out of your car, but you've stored your encryption keys on those tapes, the thief will be able to use the keys to access the information.

To learn more about protecting encrypted data with encryption key management, download our resources package, “Encryption Key Management Simplified.”

Topics: Data Privacy, Data Breach

Healthcare Data Breaches - 4 Major Factors of a $7 Billion Problem

Posted by Liz Townsend on Dec 12, 2012 8:30:00 AM

Webinar: Protecting PHI and Managing Risk - HIPAA Compliance

If you knew that something was going to happen to your business that would cost you not only your clients' trust but also $13 million (the average cost of a healthcare data breach), would you try to prevent that thing from happening?

According to the Ponemon Institute study, Third Annual Benchmark Study on Patient Privacy & Data Security, healthcare data breaches cost the industry $7 billion annually. Unfortunately, that's not the most shocking number of the study. As it turns out, 94% of healthcare organizations have experienced at least one data breach over the past two years. Almost half of all healthcare organizations have experienced at least five data breaches each over the past two years. This means that almost 100% of healthcare organizations have lost patient data such as private health information, names and addresses, credit card information, and social security numbers. If you're wondering how identity theft happens, this is it!

In a recent article published by Forbes, Rick Kam of ID Experts and Larry Ponemon of the Ponemon Institute pointed out four major issues around data security in the healthcare industry:

1. Cost of a data breach: "Data breaches cost the U.S. healthcare industry nearly $7 Billion annually."

The cost to the industry includes losing patient trust, providing patients with credit monitoring services, as well as paying out hefty fines to HHS. The cost to patients often comes in the form of identity theft.

2. Electronic records: "The rise of electronic health records (EHRs) is putting patient privacy at risk."

Using computers to store and organize patient data is a blessing to most healthcare providers. However, maintaining electronic records not only causes healthcare organizations to fall under state and industry data privacy regulations, it also opens up the door to data breaches caused not only by external hackers looking to make a buck, but also employee mistakes which account for about one third of all data breaches.

3. Mobile devices and the cloud: "The rise of mobile and cloud technology threaten the security of patient data."

These days many doctors and healthcare providers use personal mobile devices to access patient data. How are these devices protected? Often they are not. Since many organizations, including those in healthcare, are now using cloud providers to store data, cloud security has also become a hot topic. How do you secure your data stored in the cloud, when it may be accessed by other users? Encryption and encryption key management is the best place to start. [Blog: 3 ways to manage encryption keys in the cloud]

4. "Little time, even less money"

Budget is one of the biggest factors that goes into an organization's data security plan. The tools needed for a comprehensive data security plan such as encryption and encryption key management may seem expensive and complicated, but the solutions out there today are in fact cost-effective and easier than ever. In the end, a company's security posture really comes down to priorities. Is preventing a multi-million dollar data breach a priority? Or will you leave it up to chance?

Encrypting your data at rest and data in motion is the first critical step to protecting your database. Always look for NIST and FIPS certifications to ensure you are using the best encryption and key management tools available.

View our webcast “Protecting PHI and Managing Risk – HIPAA/HITECH Compliance” to learn how your organization can manage their risk of a data breach and achieve breach notification safe harbor status.

Topics: HITECH, Data Privacy, Best Practices, HIPAA, Healthcare, Data Breach

Stolen Secret Service Tapes - Is 2008 Encryption Still Secure?

Posted by Patrick Townsend on Dec 10, 2012 9:39:00 AM

AES Encryption & Related Concepts

Over the weekend a news report surfaced describing lost Secret Service tapes that contained extremely sensitive information such as personnel and investigative information. The loss was both typical and mundane: a carry bag with the tapes was left on a metro train. This kind of thing happens all of the time - a couple of years ago I left a laptop on a plane when I arrived in San Francisco (luckily recovered). Something similar has probably happened to you.

But one commentator said something that was shocking:

"... this is 2008 encryption. And years later, our abilities to break encryption, our algorithms to do that, are much, much better. If those tapes were found, I'm sure they could be cracked in moments."

Excuse me???

In 2008 the new NIST Advanced Encryption Standard (AES) had been in place for several years, and many of us were shipping products that were certified by NIST to meet that standard. Triple DES was in use at that time, and might also have been used to encrypt those tapes. The article did not identify which algorithm, if any, was used.

Both of these algorithms are still considered strong today (see reference below). They are not broken, they are not weak, and they can't be "cracked in moments." And encryption does not have a shelf life like cottage cheese - encryption methods do not get stale just because some time goes by. [For more information download our white paper AES Encryption and Related Concepts]

There are a lot of things that could have been wrong about how the tapes were protected. They:

  • Might not have been encrypted
  • Might have been encrypted with a weak algorithm
  • Might have been encrypted with a weak key
  • The key might have been stored on the tape
  • The implementation might leak information
  • And so forth.

People get the implementation details wrong all of the time, which leads to weak protection. But, again, good encryption does not spoil like milk, and data protected properly in 2008 would still be just as strong today.

Misconceptions like this have a bad knock-on effect. When there are still so many organizations who've done nothing to protect data, this type of false information creates a sense of despair, and reinforces the belief that nothing can or should be done. I just recently heard someone say,

"If the NSA can't prevent a break-in, what chance do we have?".

Substitute Secret Service, NSA, DOD, RSA Security, McAfee, and others, and you get another excuse for doing nothing to protect the organization's key assets. That's a sad and unnecessary result of bad information.

For the record: If you were using a NIST-approved encryption method in 2008 such as 128-bit AES, and you were using best practices for encryption and key management, that information is still protected today. You can find NIST guidance about encryption algorithms here (see Section 2 about Encryption):

Patrick

For more information on encryption and key management, download our white paper "AES Encryption and Related Concepts" and learn about how proper encryption and key management work together to secure your data.

Topics: Encryption, Data Privacy, Data Breach

5 Data Security Myths Debunked: Part 2

Posted by Liz Townsend on Dec 7, 2012 11:46:00 AM

Podcast: The Data Protection Trifecta - Encryption, Key Management, and Tokenization

Learn more how encryption, key management, and tokenization can keep your data secure.

These are the last two myths in our installment “5 Data Security Myths Debunked.” With the rise of data breaches occurring all over the world, we’ve been watching closely to see how company leaders are responding to these incidents. To say the least, we have been shocked by what some government leaders and CEOs have said surrounding data security in their own organizations. We believe that some of these sentiments are highly misleading, if not downright false. That is why we have decided to compile these statements into five "myths" of data security. These myths come from direct quotes by CEOs and government leaders.

Myth #4: There is nothing you can do to prevent your company from being hacked

Fact:
There are many actions a company can take to protect its network and prevent a data breach:

  • Know which parts of your data are considered “sensitive”, and know where all of your sensitive data is stored. Is it on one server or many servers? Is it stored in applications or databases? Do you have multiple data centers that store sensitive information?
  • Use file integrity monitoring (FIM) or system logging to be alerted to changes in system configuration, sensitive data, or unauthorized access in real time.
  • Develop and enforce a unified, proactive data security policy to protect data at rest and in transit across your company’s entire network.
  • Use AES standard encryption to encrypt sensitive data at rest and FIPS 140-2 compliant key management to protect your encryption keys.
  • Automate updates to firewall configurations, password changes, and system patches.
  • Restrict employee access to sensitive data.

Myth #5: CEOs do not need to be concerned about data security.

Fact:
Data security isn’t just the Chief Information Security Officer’s (CISO) problem, it’s a business problem that affects both the C-level and the IT level of an organization. IT security is often not made a priority due to the disconnect of perceived vulnerability and actual vulnerability within a company’s IT infrastructure. A recent survey by CORE Security found that approximately 75% of CEOs surveyed didn’t believe their networks were under attack or already compromised, while 60% of CISOs felt very concerned about attacks and believed their systems were already breached.

Poor data security is a business risk. The consequences of a data breach include loss of reputation, loss of customer trust, and hefty fines. In 2011, the average data breach cost an organization $5.5 million. Despite these often highly publicized repercussions, 65% of CEOs surveyed by CORE Security reported that they did not have the information they need to translate IT risk into business risk.

Topics: Data Privacy, Best Practices, Data Breach, Security News

5 Data Security Myths Debunked: Part 1

Posted by Liz Townsend on Dec 3, 2012 3:18:00 PM

Webcast: Four Solutions for Data Privacy Compliance

Learn what regulations say about data protection and how encryption, tokenization, key management, and system logging can help keep your company in compliance.

With the rise of data breaches occurring all over the world, we’ve been watching closely to see how company leaders are responding to these incidents. To say the least, we have been shocked by what some government leaders and CEOs have said surrounding data security in their own organizations. We believe that some of these sentiments are highly misleading, if not downright false. That is why we have decided to compile these statements into five "myths" of data security. These myths come from direct quotes by CEOs and government leaders.

Myth #1: Encrypting social security numbers is not a standard in most industries, including banks. 

Fact:
Most banks and financial institutions adhere to state laws and industry regulations (such as FFIEC and GLBA) regarding the protection of social security numbers.

For example, California data privacy law identifies Social Security numbers as a critical piece of personally identifiable information (PII) that must be protected using “reasonable security procedures and practices appropriate to the nature of the information” such as encryption or redaction (1798.81.5). The law holds businesses within the state, financial or otherwise, to the same data security requirements that the state itself must adhere to: any business owning or licensing computerized data containing PII such as names and Social Security numbers must protect that data using encryption, redaction, or other methods that render the data unusable in order to avoid data breach notification (1798.29). The average cost of a data breach is $5.5 million (Ponemon, 2012).

The FFIEC IT Handbook action summary states that “Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. Encryption implementations should include: Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk, effective key management practices, robust reliability, and appropriate protection of the encrypted communication endpoints” (ithandbook.ffiec.gov).

Myth #2: Encryption is too complicated for my IT and database administrators.

Fact:
Most database platforms such as SQL Server, Oracle, and IBM i are designed to easily implement encryption and encryption key management solutions. SQL Server and Oracle, for example, use Transparent Data Encryption (TDE) and Extensible Key Management (EKM) to easily encrypt data. IT professionals agree that these tools make encryption easier. “TDE is relatively straightforward” - Michael Otey, SQL Server professional (www.sqlmag.com). Encryption with TDE on SQL is “Easy to Implement and administer” -Brad M. McGehee, SQL Server professional, MCTS, MCSE+I, MCSD (https://www.bradmcgehee.com).

Learn how to set up TDE and EKM on SQL Server 2008/2012 in 10 minutes or less here.

Myth #3: Data breaches are usually caused by highly sophisticated hackers.

Fact:
The top four mechanisms for a hacker to break into a company’s network are: exploiting system vulnerabilities, default password violations, SQL injections, and targeted malware attacks (Symantec, 2009). These techniques are not considered highly sophisticated. They are used often to penetrate networks with inadequate security.

Curious what the final two data security myths are? View "5 Data Security Myths Debunked: Part 2" to find out if there is really nothing you can do to prevent your company from being hacked and whether or not CEOs should be concerned about data security.

Topics: Data Privacy, Best Practices, Data Breach, Security News

Are Colleges and Universities Under Attack? Four Things to Do Now

Posted by Patrick Townsend on Aug 28, 2012 6:52:00 AM

Download Podcast: Higher Education Under Attack - Data Privacy 101

Listen to our podcast to learn why colleges are a top target for data thieves and what they can do today.

We’ve seen some high profile data breaches at colleges and universities lately. People have been asking if there is any reason why these organizations are experiencing a higher level of attack, and why this is happening now. Are they more susceptible in some way?

There is some good evidence that higher education institutions are experiencing data breaches at a higher rate than other organizations. Just based on the number of reported breaches, the number of records stolen, and the number of colleges in the general population of targets, you can conclude that they are, in fact, experiencing a higher rate of loss.

Are college students responsible for the higher levels of breaches?

In spite of the fact that college students are far more knowledgeable about technology, and have a high curiosity index, there is no evidence that students are the source of these breaches. If you look at insider threats and include students in this category, the data doesn’t support this idea. And students don’t want to put their academic opportunities on the line over a break-in, they are way too smart to put that much at risk.

So, why are colleges experiencing higher rates of loss?

Asked why he robbed banks, Willie Sutton supposedly said “Because that’s where the money is.”  A typical college runs retail operations through book stores and cafes, collects critical financial information about students and their families, and may operate a student health service. They are complex modern operations with very large amounts of sensitive data that is often retained for many years. I believe that colleges and universities are considered high value targets because they have a lot of valuable information. 

Here are some things that higher education organizations can do right away:

1) Know where your sensitive data lives.

You should have a good inventory of all of the systems that collect and store credit card numbers, social security numbers, financial information, and student patient information. Having a good map of your data assets is crucial to your data protection strategy.

2) Purge the data you no longer need.

We sometimes forget to take out the trash in our IT systems, and that historical data can be the target of a data breach. Now that you know where your data lives, purge the historical data that you don’t need.

3) Prioritize your attack plan.

We all tend to do the easy things first. There is some satisfaction in getting some points on the score board early in the game. Resist this tendency and protect the most valuable assets first.

4) Protect your data with strong encryption and key management.

There is a lingering belief that encryption is difficult and expensive, especially when it comes to encryption key management systems. That is no longer true! Be sure to include encryption and proper key management in your data protection strategy. If front-line defenses fail, and they will, be sure that the data that is stolen is unusable because it is encrypted.

There are reasons for colleges and universities to be optimistic about improving their data protection posture. Security professionals have learned a lot over the last few years, and there is better guidance and best practices on how to tackle this problem. And security vendors now offer more affordable and easier to use encryption and key management solutions. Download our podcast "Higher Education Under Attack - Data Privacy 101" for more information on what universities can do to prevent data breaches and how to easily get started today.

Patrick


Topics: security, Higher Education, Data Privacy, Data Breach

Protecting PII - Passwords, Bank Accounts, and Email Addresses?

Posted by Patrick Townsend on Aug 8, 2012 9:22:00 AM

About 5 years ago I set myself the task of reading every state's data privacy law. There were 44 states that had passed some form of data privacy law, and several were in the process of updating them. I also created a spreadsheet and cross-referenced what each state considered Personally Identifiable Information (PII) that needed to be protected. The State of California had led the way with SB-1386, and many states followed.

I learned a few interesting things from the process:

A significant number of states just lifted verbatim what other states had written into law. A rough guess is that about one third of the states had almost identical data privacy laws.

But the remaining two thirds of the regulations varied greatly, even in defining what PII is. It was common to consider the First Name and Last Name in combination with a Social Security number, bank account number, or driver's license number as information that constituted PII that needed to be protected. But after reading and collating all 45 states, there were some states that had a list of up to 41 data items that were considered PII! In addition to the standard data items, I found passport numbers, military IDs, medical numbers, email addresses, and much else. I even found definitions of PII that went something like this: "Any information in aggregate that can identify an individual must be protected." It was a lot of ground to cover.

Shortly after this exercise I remember having a conversation with a mid-western CIO about that information. She said "Really, email addresses? But what do I do about Outlook?"

It was a good question then, and it is even more cogent today. When an email address is lost with other information about an individual, it can lead to big problems.

Just look at the news today about Amazon and Apple. Information routinely exposed by Amazon was used to gain access to sensitive data on Apple's services. And the email address was an important piece of the information used in this attack.

So, should you be protecting email addresses? Absolutely!

As many of the recent data breaches demonstrate, an email address combined with a password or other information can lead directly to a data breach. Just think of eHarmony, LinkedIn, Yahoo, and many others recently in the news. It is common to store email addresses in business databases used for Customer Relationship Management (CRM), Enterprise Resource Management (ERP), and similar types of systems. If you store email addresses, you should start working now to place them under encryption control with good encryption key management. And you should start bugging your software and cloud vendors to provide you with this capability. For more information on how you should be encrypting your PII, download our white paper "AES Encryption and Related Concepts."

Patrick



Topics: Data Privacy, Data Breach