Townsend Security Data Privacy Blog

2012 Data Security in Review

Posted by Jacob Ewing on Feb 15, 2013 8:06:00 AM


2012 was a big year; we survived an apocalypse, screamed our lungs out at the Olympics, and watched another big election year come and go.  However, in the midst of all the hullabaloo people’s lives were being wrecked, computers stolen, and governments attacked.  With each new cyber attack, security breach, and internet scam the world of tech got a bit more scary for all of us.

Below are five stories that I feel best capture the state of data security in 2012.

#1 - Apple+Amazon Personal Information Protocol

In the early part of August, Mat Honan, a well-known tech writer, published an article on Wired detailing how, in 1 hour, his entire digital life was taken over and erased.  His information was not stolen through a technical hack; rather, the two perpetrators tricked Apple and Amazon customer service representatives (CSRs) into believing that they were Mr. Honan and then giving them access to his personal information.  The thieves were then able to access, control, and wipe his iPhone, MacBook, and many of his online accounts.  His tech and online life had been hijacked with just a few calls to two companies.

I won’t detail the specifics here, but I will point out that this was a relatively easy loophole to exploit.  Honan explained that he was also able to do it multiple times with other people’s accounts (in a controlled environment).

Since the publication of the story, both Amazon and Apple have changed how they handle phone access to personal information.  Amazon CSRs will no longer be able to change the settings on credit cards and email addresses over the phone.  Apple now points customers to its online ‘iforgot’ system to recover passwords.  This system requires much more personal information than their previous solution.

In the end Honan was able to recover a majority of his personal data that had been erased.

#2 - South Carolina Department of Revenue (DoR) Breach

On August 13th an employee at the South Carolina DoR opened a malicious phishing email and clicked its link.  The link executed malware that infected the employee’s computer, giving the hacker access to their username and password.  Two weeks later, the hacker entered the system remotely using the credentials they had previously obtained.

During the following month the hacker was able to access the entire DoR system without being detected.  To do this the hacker used 4 legitimate usernames and passwords and 33 pieces of malicious code.  The hacker, among other things, was able to access 44 DoR systems and create 7-zip files containing 74.7 GB of uncompressed data.  That data included almost 3.8 million Social Security numbers and 387,000 credit and debit card numbers.

When the South Carolina administration broke the news about the breach, they defended their actions by saying they were following industry standards and there was nothing they could have done to prevent the breach.  This, however, was later proved to be a false claim.  If the state had used proper encryption and key management practices, they could most likely have avoided the breach.

The total cost of the breach to the State is around $14 million (a $20 million bailout was approved to help the State cover additional costs).  The total cost to taxpayers both directly and indirectly is yet unknown.

#3 - NASA’s Halloween Trick

Halloween is usually a night where kids can go around the neighborhood getting free candy at nearly every door.  This past Halloween, however, a NASA employee received a nasty surprise in return: somebody had broken into his car in the night and stolen an unencrypted laptop containing personal information on at least 10,000 employees, contractors, and others.  This was the second published breach in 2012 and the third known breach in the past two years.

The director of NASA has offered 1 year of credit monitoring and identity protection to all affected persons.  On top of that he has mandated that all laptops containing personal information must be encrypted by December 21, 2012.

#4 - Nortel’s Hacking Demise

In February the Wall Street Journal released a news report detailing how hackers gained access to the usernames and passwords of top-level executives at Nortel (the now defunct Canadian corporation) in early 2000.  The hackers had access to business reports, internal communications, and employee information.  The hacks didn’t go unnoticed by employees.  In 2004, one employee noticed monthly downloads being made from Chinese IP addresses using the credentials of an executive.  He made numerous recommendations regarding Nortel’s database security, but a decision was later made to only change the compromised passwords.

In 2009 Nortel went bankrupt, and sold off its assets to various other companies.  When the report was released in early 2012 the former CEO of Nortel insisted that the vulnerabilities could not have been passed onto those other companies.

A former senior security advisor at Nortel, Brian Shields, said that he was certain that being hacked played a role in the demise of the company: “When they see what your business plans are, that's a huge advantage. It's unfair business practices that really bring down a company of this size."

#5 - Lieberman, Collins Cybersecurity Bill Shutdown

On November 14, 2012 a piece of cybersecurity legislation was rejected by the Senate in a vote of 51-47.  This was the second piece of cybersecurity legislation rejected in 2012.  Senator Lieberman and Senator Collins proposed the bill to the Senate because of the increasing number of attacks on critical infrastructure in the United States (i.e. banks, utilities, transportation).

Lieberman wrote an op-ed comparing the threat of cyber attacks on America to the surprise attack on Pearl Harbor in 1941.  In his article he quoted Defense Secretary Leon Panetta saying, “The collective result of these kinds of attacks could be a cyber-Pearl Harbor, an attack that would cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation.”

Such attacks have already taken place in the US.  Early last year a Texas water pump was hacked and taken over remotely in 10 minutes.  Several websites of major banks were barraged by a denial of service attack that either knocked them off-line or crippled their performance.  These attacks aren’t exclusive to the US either; a Saudi Arabian oil company had 30,000 of its computers hacked, hindering the company’s operations.

With this latest cybersecurity bill rejected by the Senate, the US government is shirking the implementation of security measures to prevent widespread attacks.

Data security breaches affect all of us whether we are the Average Joe or a C-Suite level executive.  What can be done individually, as a company, or as a government agency to make sure that 2013 won’t be like 2012 for personal information?

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person.  Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII are, and the first steps your company should take toward establishing a data privacy strategy.


Topics: Data Privacy, Security News

Data Security – Why Should the CEO Care?

Posted by Todd Ostrander on Jan 31, 2013 1:22:00 PM

AES Encryption Strategies - For the IT Executive


Download the white paper "AES Encryption Strategies - For the IT Executive"


In any organization, the CEO has many jobs.  At the macro level, a CEO’s job is to instill confidence in his stakeholders, which include customers, investors, employees, suppliers and partners.  To accomplish this, a CEO must be able to establish a level of trust with these stakeholders in order to inspire, encourage, and engage them in the vision the entity is pursuing.  This trust is ultimately used to create value for the entity through the confidence that the market has in the ability of the CEO and his team to execute.

Every business has inherent risks in its execution, and as part of the CEO’s ability to instill confidence that ultimately results in value, he/she must be able to identify and address each of the risks in the business.  Therefore, risk mitigation, by nature, becomes a core component of a CEO’s job.

In a pre-internet world, the risk of data loss was limited to a physical breach of the “four walls” of the entity.  Security guards, fences, and access control systems were established to keep people away from sensitive information.  However, as today’s world has become connected at virtually every level, the protection of data needs to be focused equally on the data itself rather than simply on blocking someone from getting at the data.

Most CEOs are well aware that encryption methodologies were created so that their CIOs could protect data in their networks.  However, this is such a new phenomenon that few CEOs understand the inherent risks to ALL their data, or the regulatory changes they must comply with in order to maintain the confidence, and the resulting value, in their entity.

As you’ve already read, the cost of a data breach isn’t just the cost to the owner of the data that has been compromised; it also falls on the entity entrusted with protecting the data, in the form of fines and the time necessary to recover from the breach.  In many cases this is measured in millions of dollars per incident.

A CEO loses confidence when he/she doesn’t adequately ensure that policies are in place to protect ALL data from breach.  Here are some examples of data that needs protection:

  • Employee records – anything that includes name, address, phone number, e-mail address, SSN, insurance information etc.
  • Customer records – anything that includes name, address, phone number, e-mail address, EIN, financial information etc.
  • Supplier records – same as above
  • Health information records
  • Credit Card information
  • Password information, even if stored separately
  • Confidential information about company strategy / plans
  • Confidential information about customer strategy / plans
  • Confidential information about vendor strategy / plans

Many CEOs would answer: my data is encrypted, what’s the problem?  The problem is that you’ve probably pasted the key to the encryption on the front door and don’t even know it.  “Hey hacker, come on in, here’s the key, take what you want.”

Now let’s look at the cost.  If you were to have a data breach, the cost may differ depending on what has been lost.  However, that’s a dangerous game to play.  The data that isn’t “regulated” may have the greatest impact on your value.

If someone steals confidential customer information, what is the effect on your brand?  Can you recover from the market impact of being labeled as not having the safeguards in place to protect your customer data?  Dropbox is dealing with this question as you read this.  They blamed their customers.  Who are you going to blame?

The only viable solution to this risk is to ensure that you have an adequate “encryption key management” solution in place that meets ALL requirements of safe data protection methods.  You must not only protect the data, you must also protect the keys to the data.

The inability to address this issue may just cost you your company.

Download our white paper "AES Encryption Strategies - A White Paper for the IT Executive" to learn more about key issues in data security, how to choose the right data security partner, and how to develop a strategy that ensures early successes.


Topics: Data Privacy, Executive Leadership

Top 10 Encryption and Key Management Pitfalls

Posted by Liz Townsend on Jan 29, 2013 11:23:00 AM

Webinar: Top 10 Encryption and Key Management Pitfalls


View our Webinar "Top 10 Encryption and Key Management Pitfalls"


We’ve heard a lot of different excuses and reasons for a company to decide not to encrypt sensitive data — ”it’s not in our budget”, “a data breach won’t happen to us”, etc. For the companies out there who are taking responsibility to protect their customers’ sensitive information with encryption, we also often see these companies fall prey to a few common pitfalls that make their encryption strategy weak. A weak encryption strategy isn’t much better than having no encryption strategy at all. Here are the top 10 encryption pitfalls to avoid in order to implement strong encryption:

1. Failure to Assess Risk

We are still finding today a lot of organizations and companies that have not implemented any type of data protection at all. When we talk to a company taking credit cards and not encrypting that credit card information, we know that they've not properly done a risk assessment on what it means to fail a PCI-DSS audit or have a breach when you're not meeting PCI-DSS standards. The risks associated with a data breach not only include fines paid to the government, but also the cost of credit monitoring for your customers with compromised data, loss of trust from stakeholders, and damage to your brand name.

2. Encryption Key Management

Once you start an encryption project you’ll be faced with the one, core technical requirement: protecting the encryption keys. One of the biggest causes of audit failure for encryption is not adequately protecting those keys. Getting a secure, FIPS 140-2 compliant key management device in place to protect your encryption keys will help you avoid having to go back and re-do your encryption project using proper key management.

3. Client Side Support

Does your vendor supply you with all of the tools you need to implement encryption and key management? Choosing a vendor that provides poor client-side support can be a huge detriment to your encryption project. That is why it’s important to choose a vendor that will provide sample code and applications that snap into client-side environments to make your encryption project faster and easier.

4. Virtual and Cloud Environments

Today, security is the number one concern for companies migrating to the cloud. The principles of encryption and key management remain largely the same, but the question of how to manage keys for encrypted data in the cloud is still debated. Hosting encryption keys “in-house” is currently the most common model. Even if you’re managing your encrypted data in-house, be aware that you may choose to move to a virtual or cloud environment in the future, and you will want to make sure that your encryption strategy and key management strategy can migrate with you to the cloud.

5. NIST and FIPS Certifications

Industries that deal with sensitive client information such as credit card numbers, social security numbers, and private health information must adhere to regulations (some of them governmental) in order to protect individuals’ personal and sensitive information. These regulations follow recommendations by the National Institute of Standards and Technology (NIST). When protecting data at rest, you should be using Advanced Encryption Standard (AES) encryption, which is a standard put forth by NIST. You should also look for a key management device with FIPS 140-2 validation, also a NIST standard.

6. Performance - What are the Performance Impacts?

It’s possible to encounter serious performance impacts when you implement encryption. That’s why we recommend not only that you use only AES, NIST-certified solutions, but also, if you’re the IT person dealing with the encryption, that you do some preliminary testing of the encryption on a sample database the same size as the actual database you will be encrypting. Your encryption and key management vendor should be able to help you do this with ease.

7. Ease of Use

An encryption and key management solution that is difficult to use can lead to a slowed project, unexpected costs, and delays. This can be a huge roadblock, especially if you are struggling to address a data protection problem or meet deadlines imposed by compliance regulations. To avoid ease-of-use problems, look for a solution with a GUI that is designed to run on your platform and allows you the necessary points of access to your encrypted data and encryption keys.

8. Data Leakage to Quality Assurance (QA) and Test Environments

Segmenting your critical data from non-critical data is an important step in preventing leakage of the critical data onto unprotected environments such as testing and development environments. Simple employee mistakes make up a large portion of the data breaches that occur every year. Knowing which servers your sensitive data is located on and making sure that data doesn’t accidentally get moved to an unsecured location is critical.

9. System and Compliance Logging

Most compliance regulations, including PCI-DSS, recommend, if not require, some sort of system logging of your critical data. Whether it is file integrity monitoring or system logging to collect and store security events, these tools help you to catch changes to your database in real time. This is actually one of the most important parts of data security, and many data breaches can be immediately detected with system logging.

10. Budget Should Not Be a Barrier

When implementing encryption and key management, trying to save money by skipping steps will cause you a great deal of grief. Conversely, your encryption and key management vendor should be able to offer you a NIST-certified, scalable solution at an affordable price.


Topics: Encryption, Data Privacy, Encryption Key Management

CEOs and the Unseen IT Security Risk

Posted by Patrick Townsend on Jan 24, 2013 8:48:00 AM

AES Encryption Strategies - For the IT Executive


Download the white paper "AES Encryption Strategies - For the IT Executive"


CEOs swim in a sea of risk, and become very adept at identifying, assessing, and managing the risks they know. These risks include financial, regulatory, reputational, physical, and many others. The CEO has many other tasks besides addressing risk, of course, but assessing, monitoring, and mitigating risk is a critical part of the job.

With the rise of data breaches worldwide, IT security has become a new risk that seems to be the most ignored. Even though technologies exist to prevent the majority of these breaches, little is ever done to take preventative steps.

Since the fallout cost of a data breach is on average in the millions, why are CEOs so bad at assessing IT security risk?

Here are some answers I’ve gathered based on my discussions with CEOs who have experienced a data breach:

It’s a new threat
It’s human nature to misunderstand the potential damage of newly emerging threats. When DDT was first discovered, it was treated as a miracle pesticide. It took many years to understand the threat to human health and natural systems from the use of DDT. In many ways the situation is the same today in relation to Internet commerce and data security. Many CEOs just don’t see the potential damage a data breach will have on their organizations.

CEOs don’t have the tools to assess the risk
With our financial systems we have many tools that help us assess risk. Expense ratios, profit and loss statements, retained earnings, asset ratios, and many other tools allow the CEO to assess the changing nature of the financial status. It’s easy to see this risk as it develops. It is not yet a common practice to do the same with IT security risks.

Although there are many tools available to monitor IT security risk such as system logging and file integrity monitoring (FIM), few of these tools are made to be easily interpreted by a CEO, and many CIOs are not in charge of these tools. In many cases the CEO turns to the CIO and asks “Are we OK,” and often gets an equally soft answer: “Everything is OK. Our consultants and vendors tell us that we are fine.” Real information is hard to come by, and thus everyone is surprised when the data breach happens.

A persistent state of denial
Many CEOs engage in a common form of magical thinking. They tell themselves that “It hasn’t happened to us yet, so it probably won’t.” But security professionals know that a data breach is a matter of When, not If. Assuming something won’t happen to you because it hasn’t happened so far is not a form of risk assessment.

Underestimating the damage potential
Another common risk assessment failure among CEOs is the failure to understand the full impacts of a data breach. I’ve heard many executives say things like, “If it happens to us, we’ll just pay the fine.” The problem with this thinking is that the fine, if there is one, is a tiny fraction of the damage to the organization. Data breaches often lead to expensive litigation, years of on-premise security audits, shareholder lawsuits, credit monitoring services, lost goodwill, and lost revenue through customer defections. The impacts are often much larger than the CEO was ever expecting.

The danger to the CEO’s job from inadequately assessing IT security risk is real. Few CEOs survive long after a large and embarrassing data breach. And a stellar career history is tarnished by the painful public exposure that follows the data breach.

Real change will take place when CEOs fully come to understand the nature of IT security risks, and begin to hold the organization, and themselves, fully accountable.

Patrick

Download our white paper "AES Encryption Strategies - A White Paper for the IT Executive" to learn more about key issues in data security, how to choose the right data security partner, and how to develop a strategy that ensures early successes.


Topics: Data Privacy, Executive Leadership

Your IBM i PHP Data Security Project Just Got a Lot Easier

Posted by Patrick Townsend on Jan 21, 2013 9:34:00 AM

Download Podcast: Extending the Life of Your IBM i with PHP


Listen to this podcast with Patrick Townsend and Eric Nies to learn about PHP and data security on the IBM i.


IBM i users have been reaping the benefits of IBM’s modernization efforts for some years now. The IBM i platform now has a number of new web and open source technologies including the PHP web development platform. With partner Zend Technologies, IBM has brought an industrial strength web development platform to the IBM i.

If you are using PHP on the IBM i, or if you are starting a new project with PHP, I would like to introduce you to NSC Software Solutions, Inc. headquartered in Brillion, Wisconsin. Started in 1981 by Larry Nies, NSC specializes in helping companies develop and deploy PHP web applications on the IBM i platform. They are specialists in PHP design and development, and create cross-platform PHP solutions for companies around the globe.

Web applications and data security? Yes, a big concern for companies of all sizes.

We turned to NSC for advice on how to help IBM i PHP customers do encryption and key management the right way. Wow, we got way more than advice!

Under the direction of Eric Nies, NSC created a professional PHP module to make it easy for IBM i customers to use our Alliance Key Manager for encryption key management in a PHP application. They also created a GUI application to make configuration easy to do.  So IBM i customers who need to meet PCI, HIPAA, GLBA, FISMA and other data security compliance regulations can now do this quickly and easily. For IBM i customers new to PHP, NSC can provide professional services to get that first project off the ground quickly.

If you are a PHP developer you might like to know that the NSC solution works well for both IBM’s DB2 database and for MySQL. The code that NSC developed for encryption key retrieval is a module that is easy to add to your PHP project. And applications can move from the IBM i platform to other platforms that support PHP.

Customers who develop PHP applications on the IBM i are also running legacy RPG and COBOL applications in the same environment. The same Alliance Key Manager appliance that protects data in the PHP environment can protect data in your legacy IBM i applications, and across the complete set of non-IBM technologies that you use including Microsoft SQL Server, Oracle Database, MySQL, and many other platforms.

PHP web application security? It’s a piece of cake - talk to NSC.

Disclaimer: We don't have any financial relationship with NSC Software Solutions, Inc.  They are just a great company that we think our readers should know about.

Patrick

Topics: Encryption, Data Privacy

Are Emails and Passwords Personally Identifiable Information (PII)?

Posted by Liz Townsend on Jan 17, 2013 1:52:00 PM

AES Encryption & Related Concepts


Download the white paper "AES Encryption & Related Concepts"


In 2012, we saw several large data breaches occurring to website-based companies such as LinkedIn, eHarmony, and Last.fm. These breaches exposed millions of passwords and led us to ask the question, are emails and passwords personally identifiable information (PII)? Because people tend to use email addresses and passwords across multiple website accounts that might contain information such as first and last names, physical addresses, and credit card information, we suspect that if email addresses and passwords aren’t considered PII by everyone today, they soon will be.

Last year I wrote a blog article on the states that had passed some sort of data privacy law, and how widely each state’s definition of PII varies:

(Aug. 8th, 2012) “A significant number of states just lifted verbatim what other states had written into law. A rough guess is that about one third of the states had almost identical data privacy laws.

But the remaining two thirds of the regulations varied greatly, even in defining what PII is. It was common to consider the First Name and Last Name in combination with a Social Security number, bank account number, or driver's license number as information that constituted PII that needed to be protected. But after reading and collating all 45 states, I found 41 data items that were considered PII! In addition to the standard data items, I found passport numbers, military IDs, medical numbers, email addresses, and much else. I even found definitions of PII that went something like this: ‘Any information in aggregate that can identify an individual must be protected.’ It was a lot of ground to cover.

So, should you be protecting email addresses? Absolutely!”

This is something I believe not only still holds true, but will become even more important in the future. Using encryption to protect log-in information and passwords is the best way any one company can protect that information. Of course, using good encryption key management is also a critical part of that process. Even if a hacker gets hold of encrypted data, they cannot get access to that data unless they also find the encryption keys.

For more information, download our white paper "AES Encryption and Related Concepts" and learn about how proper encryption and encryption key management work together to secure your data.


Topics: security, privacy laws, Data Privacy

What is Enterprise Key Management?

Posted by Liz Townsend on Jan 15, 2013 8:16:00 AM

Q: What is enterprise key management? What questions should I ask an enterprise key management vendor?

When it comes to protecting sensitive data, it’s fairly common knowledge today that the best way to protect that data is to encrypt it. Companies of all sizes must do this whether they’re taking credit card information, names and addresses, or protected health information. These days encrypting your data is pretty easy. Some operating systems even do it for you, automatically. And if you have a fairly small database of sensitive data that’s stored all in one place, then the key management for your encrypted data is also pretty straightforward.

However, not all networks are so simple. Many times I run into companies who not only store their data on several different operating systems, but they also use several different versions of each system. With such a highly complex network, it can be difficult for IT administrators to easily encrypt all of their sensitive data. They might not even know where their sensitive data is! The complexity of the database infrastructure might be so overwhelming, that implementing an encryption key management system doesn’t even seem feasible.

That’s because these companies don’t just need a key management solution, they need an enterprise key management solution.

Enterprise key management is a term used today to refer to professional key management systems that provide encryption keys across a variety of operating systems and databases. A network, for example, might be comprised of several different versions of Microsoft SQL Server as well as IBM i, Linux, UNIX, or Oracle servers, as well as backup tapes and data stored in the cloud. The encryption key manager needs to be able to communicate simultaneously with all of these locations in order to provide encryption keys, decrypt data, and rotate keys.

Your enterprise key manager (not to be confused with Extensible Key Management, or EKM, for Microsoft SQL Server) should have high availability and be located centrally in the network, typically in a protected hardware security module (HSM). When looking for an enterprise key management solution, make sure you ask your key management vendor these important questions when assessing their solutions:

  1. Is your key manager FIPS 140-2 certified?  What is the certificate number?
  2. How would you describe the encryption key payload as retrieved from the key server?  Is it simple or complex?
  3. Is there a common key retrieval application interface on all platforms?  What are the differences?
  4. What platforms do you support for key retrieval?  (Note any gaps in platform coverage for your company)
  5. Do you provide working sample code for the platforms I need? (Windows, Linux, UNIX, IBM i, IBM z)
  6. Do you supply binary libraries for all enterprise servers?
  7. Do you have a Java key retrieval class and examples? Is it standard Java or JNI?
  8. Do you charge separate license fees for each client operating system?
  9. Do you require that we purchase consulting services from you?  Why?
  10. I am an independent software vendor (ISV), can you brand the solution and certify the solution for us?

For more information on the importance of encryption key management, download our ebook "Definitive Guide to Encryption Key Management Fundamentals" and learn how to overcome the challenges of deploying encryption key management in business applications.


Topics: Encryption, Data Privacy, Encryption Key Management

Top Security Blogs of 2012

Posted by Luke Probasco on Jan 11, 2013 8:29:00 AM

Webinar: Top IBM i Security Tips for 2013


Register for our Webinar "Top 3 IBM i Security Tips for 2013"


2012 was a big blogging year for Townsend Security.  By the close of December we had published a grand total of 285 blogs!  Wondering what data security compliance regulations your organization faces?  We covered it.  Do you need to learn more about securing your SharePoint server with encryption and key management?  We’ve got 490 words on it.  Did you know email addresses can be considered Personally Identifiable Information (PII) and need to be encrypted?  Patrick Townsend, Founder and CEO, wrote about that in “Protecting PII – Passwords, Bank Accounts, and Email Addresses?”

With all the great blogs on protecting sensitive information, examining data breaches, and how to meet data privacy compliance regulations, our bloggers created some great content that we hope you found valuable. Without further ado, here are the three most-read blogs from 2012:

#1 Skip V6R1 on IBM i and Upgrade to V7R1 – A Security Note

IBM provides a new automatic encryption facility in V7R1 for DB2/400 called FIELDPROC.  This new facility gives IBM i customers their first shot at making encryption of sensitive data really easy to do. With the right software support you can implement column level encryption without any programming.  The earlier trigger and SQL View options were very unsatisfactory, and the new FIELDPROC is strategically important for users who need to protect sensitive data. [More]

#2 How LinkedIn Could Have Avoided a Breach – And Things You Should Do

The loss of passwords by LinkedIn, eHarmony, and Last.FM should be a wakeup call for CIOs, security auditors, and IT security professionals everywhere.  Let’s take a look at what probably happened, what you can do, and why you need to look beyond passwords on your own systems. [More]

#3 What is the Difference Between AES and PGP Encryption?

AES encryption is the standard when it comes to encrypting data in a database.  Advanced Encryption Standard (AES) has been adopted as a standard by the US government and many state and local agencies.  AES is the recommended encryption method for PCI, HIPAA/HITECH, GLBA and individual state privacy regulations.  AES encryption uses an encryption key to encrypt the data. [More]

As compliance regulations get tighter, data breaches get more sophisticated, and security best practices advance, Townsend Security will be here to blog on what is new and what you need to know about.  Here is to 2013 being the most secure year yet!

Are you free on January 30th at 10:00am Pacific?  We will be presenting a webinar titled “Top IBM i Security Tips for 2013” with Patrick Botz, former Lead Security Architect and founder of the IBM Lab Services security consulting practice, and will discuss:

  • Using FIELDPROC for automatic encryption
  • Key Management best practices – and what to look out for
  • A practical way to implement Single Sign On (SSO)
  • How to easily collect IBM i logs and transmit them to ANY SIEM

Topics: Data Privacy, Best Practices

How Secure are Your Passwords?

Posted by Robbn Miller on Jan 8, 2013 9:42:00 AM

Password: (noun) a variable length combination of characters, numbers and special characters, that gives their user a false sense of security.

We hear it all the time: a business was hacked, a database compromised, accounts ransacked, notification and liability, password cracked, blah blah blah. “How can this happen?” “Why didn’t they create a stronger password?” Well before you get too indignant, how well are you protecting your own data?

Is your password sufficient to stop the minions of organized crime, bored fifteen year olds killing time, or other ne’er do-wells intent on accessing your data?

It is difficult to remember different passwords, which is why 60-65% of people use the same password or similar passwords.  In practice that means it is more convenient to use your cat's name plus the month number and something about the website itself, and then just change it every month.  That would look like this:

Amazon: (Puddy06Amaz) then (Puddy07Amaz) then (Puddy08Amaz)
Comcast: (Puddy09Com) then (Puddy10Com) then (Puddy11Com)

And before you blame the cat for having an insufficiently difficult name, just think how silly it would be standing outside and calling “Here BH-jk!nhb#$@$n_8.”

So you can see it's just a matter of time before they get to your bank. How do they figure out the pattern? Look at your Facebook page and your Twitter. How often do you post about your favorite sports team, your pets, your kids, your hobbies? After they look at that, it's just a matter of time before they figure you out, and they have all the patience in the world.

You might slow the attackers down by using a passphrase instead of a password. Use a phrase from your favorite book, movie, or song. (1 phrase will rule them all!!) (I ain't never birthed no babies b4) (8 Days a Week)

Alternatively, have a password pattern for general accounts and a very different pattern for more sensitive accounts. Preferably one that you don’t plaster all over Facebook!

Then of course there are the other attacks, such as dictionary, malware, phishing and brute-force.

One way to help protect yourself is to get a password vault. With these you only have to remember one password or passphrase to unlock the vault and have access to your passwords. 

Once you set it up, these vaults will randomly generate unique passwords for each website or account making it easier for you to reset passwords on a regular basis (a good practice to get into) and you don't have to make them up or remember them!

I'm not saying that businesses don't have responsibility in this; they need to get on board as well. How many sites do you go to where the passwords are restricted and:

  • Has to be between 6 and 10 characters long
  • Has to start with a letter
  • Has to have at least 1 number
  • No spaces or symbols

Really? That limits you so much, and, again, it is just a matter of time with the right computer program to figure that one out.
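To put numbers on the two complaints above, the predictable "pet name + month + site" pattern and the restrictive site policy, here is an added example written for this page (it is not Townsend Security's code). It counts how many passwords the policy in the list actually permits, compares that with the pattern and with what a password vault generates, and produces one vault-style password with Python's secrets module. The 10,000 candidate pet names, the 16-character vault length and whether the site treats letters case-sensitively are all assumptions.

```python
import math
import secrets
import string

# Assumed policy from the post: 6-10 characters, starts with a letter,
# at least one digit, no spaces or symbols.  Whether the site compares
# letters case-sensitively is an assumption, so both cases are computed.
MIN_LEN, MAX_LEN = 6, 10


def restricted_policy_keyspace(case_sensitive=True):
    """Number of distinct passwords the restrictive policy permits.

    For each length L: the first character is a letter, the other L-1 are
    letters or digits; subtract the strings that contain no digit at all.
    """
    letters = 52 if case_sensitive else 26
    alnum = letters + 10
    total = 0
    for length in range(MIN_LEN, MAX_LEN + 1):
        all_strings = letters * alnum ** (length - 1)
        no_digit = letters ** length
        total += all_strings - no_digit
    return total


def pattern_keyspace(pet_names=10_000, months=12):
    """Keyspace of the 'Puddy06Amaz' style pattern once the scheme is known:
    a pet name from a list, a two-digit month, and a site abbreviation the
    guesser already knows.  10,000 candidate pet names is a constructed
    assumption."""
    return pet_names * months


def bits(keyspace):
    """Entropy in bits if every password in the keyspace were equally likely.
    For human-chosen passwords this is an upper bound: real choices cluster
    on the same names, words and dates."""
    return math.log2(keyspace)


VAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_vault_password(length=16):
    """What a password vault does: a uniformly random string from a large
    alphabet, drawn from the OS CSPRNG (secrets), not random.random()."""
    return "".join(secrets.choice(VAULT_ALPHABET) for _ in range(length))


def vault_bits(length=16, alphabet=VAULT_ALPHABET):
    """Entropy of a uniformly random vault password of the given length."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    rows = (
        ("restrictive policy, case-sensitive", restricted_policy_keyspace(True)),
        ("restrictive policy, case-insensitive", restricted_policy_keyspace(False)),
        ("pet + month + site pattern", pattern_keyspace()),
    )
    for label, ks in rows:
        print(f"{label:40s} {ks:>24,d}  ~{bits(ks):5.1f} bits")
    print(f"{'16-char vault password':40s} {'':>24s}  ~{vault_bits():5.1f} bits")
    print("example vault password:", generate_vault_password())
```

The point the figures make is the one the post makes in words: the policy's own keyspace is not the problem (tens of bits), the pattern people fall back on is (under 17 bits once the scheme is guessed), and a vault password from a 94-character alphabet is in a different league at roughly 105 bits.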

And then you forget your password anyway, so you call them.  Customer service tries to be as helpful as they can be: "Well, your password is a word and number." And when you still don't quite get it: "It's a place you might like to vacation and it starts with H" and by feigning forgetfulness, injected with humor, chatting up the Help Desk, you can get it narrowed down even more.

For the most part, people like you and me understand we are taking a risk, but we are still not willing to give up convenience.

How do you respond when your bank or other account calls you? Sometimes they ask for your zip code, date of birth, or address maybe to confirm they are indeed speaking with the owner of the account. But how do you know with whom YOU are speaking? You could call them back but that's inconvenient. Simon Davies of Privacy International suggests putting a nonsense word in the special instructions field on your account. Then when they call you, you ask them to read you that word. If they indeed are the bank, they have that word and can confirm it.

Technology is moving away from passwords and towards those things easier for us to remember and recognize on a personal level. We've seen pictures, for example, used with a pattern swipe, or face recognition. Right now that is still tied to a password or PIN and those are used as a backup - so still hackable. But it's a move in the right direction.

Fingerprint recognition is accepted as highly secure and practically impossible to fool.  But a Japanese cryptographer got past such a device by using Gummi Bears.

Kevin Mitnick, a famous hacker turned good guy, got around a voice authentication by using a program that fakes his phone number on caller ID. He then made sure that each number was represented, and, calling the CEO of the company he was testing with, asked the CEO if he had the "new" phone number and would he read it off to confirm it displayed properly. Now he had the CEO's voice with every number and broke in.

As data thieves get smarter and your one-size-fits-all password becomes less secure, it is important to routinely change your passwords and not use the same password on multiple sites. Being in the security industry, we see plenty of preventable data losses. While there isn't much you can do to prevent the next big breach, you can at least make it hard for data thieves to take your lost information and use it to access your other accounts.

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person.  Patrick Townsend, our Founder & CEO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII are, and what first steps your company should take towards establishing a data privacy strategy.

Topics: Data Privacy, password

Data Protection - What Today's Security Admins are Up Against

Posted by Victor Oprescu on Dec 17, 2012 4:16:00 PM

Data breaches happen all the time, and although we do what we can to prevent them, cyber crime is still on the rise. The Verizon Business Data Breach Investigations Report for 2012 counts as many as 174 million records compromised that year. Verizon compiles the 2012 report from data collected in 2011. You can find the full report here, but I'm going to summarize just a few of the highlights.

  • 98% stemmed from external agents, meaning one way or another, cyber criminals gained access to systems storing sensitive data and compromised them.
  • 81% used some form of hacking, in many cases in conjunction with malware.
  • The statistic that hits home hardest, 96% of victims subject to PCI DSS had not achieved compliance at the time of the breach.

That is really hard to stomach, because here at Townsend Security we work so hard to spread the word about the importance of merchants being PCI DSS compliant. It's not just about appeasing the auditors or passing an Annual Self-Assessment Questionnaire, it's about protecting everyone's sensitive personal information. These are our credit card numbers that are being stolen, our dates of birth, social security numbers, and a myriad of other information criminals can use to their gain and at our expense. The report lists that 48% of data compromised was payment card data, like credit card numbers.

According to the report, of the 855 incidents recorded, 54% of the companies affected by that year's data breaches were in Accommodation and Food Services, 20% were in Retail Trade, and 10% in Finance and Insurance. And it's not just companies in the US that are affected: in 2011 data breaches were reported in as many as 36 countries worldwide.

And as if all this information wasn't already scary enough, apparently as many as 55% of data breaches remained undiscovered for months or longer. And the majority of data breaches are discovered by external parties; meaning that the companies experiencing the data breach end up learning about it from someone else, causing bad publicity and damage to the company's reputation.

This report did not address the cost borne by companies or consumers as a result of these data breaches, but Symantec did compile those numbers for 2011 and, in September of 2011, extrapolated the cost over the 12 months of that year to $144 Billion. Obviously this has become a very lucrative business for cyber criminals, so it is not surprising that they expend so much effort on their endeavors.

The Verizon Business report has one more piece of information worth sharing: its recommendations. These include implementing sound security policies around system credentials, like using strong passphrases and changing them on a regular basis, and ensuring that essential controls on data are in place, like encrypting sensitive data and following recommended encryption key management practices such as separation of duties and secure encryption key storage. Especially for larger organizations, monitoring and mining event logs is recommended to help discover active data breaches quickly and internally.
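To make the last recommendation concrete, here is an added example of the simplest kind of event-log mining, written for this page and not taken from the Verizon report or from Townsend Security. It scans sshd-style authentication log lines (the sample lines are constructed) and flags any source address whose accepted login came right after a run of failed ones, which is the trace a guessed credential leaves and the kind of thing a routine log review catches internally rather than hearing about it from someone else. The log format and the threshold of five failures are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines for the example; not from any real system.
SAMPLE_LOG = """\
Jan 08 09:41:02 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 08 09:41:05 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jan 08 09:41:09 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 08 09:41:12 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 08 09:41:15 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 08 09:41:20 web1 sshd[2240]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jan 08 09:45:10 web1 sshd[2301]: Failed password for alice from 198.51.100.4 port 40100 ssh2
Jan 08 09:45:30 web1 sshd[2302]: Accepted password for alice from 198.51.100.4 port 40101 ssh2
Jan 08 10:02:11 web1 sshd[2410]: Accepted publickey for deploy from 192.0.2.10 port 33000 ssh2
"""

# Assumed syslog-style sshd line layout; adjust the pattern for other formats.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(lines):
    """Yield one dict per recognised login event; unrecognised lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_success_after_failures(lines, threshold=5):
    """Return {src: {'failures': n, 'user': u, 'ts': t}} for every source
    address that logged at least `threshold` failed logins immediately
    before an accepted one.  The failure counter resets on each success so
    that a later, unrelated login from the same address is judged on its own.
    """
    failures = defaultdict(int)
    hits = {}
    for ev in parse(lines):
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src] += 1
        else:  # Accepted
            if failures[src] >= threshold and src not in hits:
                hits[src] = {"failures": failures[src],
                             "user": ev["user"], "ts": ev["ts"]}
            failures[src] = 0
    return hits


if __name__ == "__main__":
    for src, info in find_success_after_failures(SAMPLE_LOG.splitlines()).items():
        print(f"{info['ts']}  {src} logged in as {info['user']} "
              f"after {info['failures']} failed attempts")
```

With the constructed lines, only 203.0.113.7 is flagged: alice's single typo before a good login stays below the threshold, and the key-based deploy login has no failures in front of it. In a real deployment this logic would run over logs forwarded to a central collector or SIEM, which is also what makes the evidence survive if the compromised host's local log is wiped.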

A new report should be published soon and although there has been a lot of attention on these subjects in 2012, the trends in the past have been an increase in data breaches, rather than a decrease. However, knowledge is power, and we have a lot of knowledge for you. Empower yourself and your company by reading some of our white papers on encryption, logging, and data security.

Topics: Data Privacy, encryption strategies