Archive for the ‘Financial’ Category

Study details 6 years of data breach info

September 7th, 2011

A new study from the Digital Forensics Association, called The Leaking Vault 2011, covers 3,765 publicly disclosed data breach incidents over the past six years.  The estimated cost of these data breaches totaled more than $156 billion.  “Hacking” exposed the largest number of records, while “Drive/Media” exposures were the second leading cause.

The study also shows the breakdown of incidents among business, education, government and medical sectors.  It clearly shows that data breaches can happen to a wide variety of institutions, not just those that handle “classified” information.  State data breach laws and industry regulations like HIPAA have increased the spotlight on data security outside of traditional national security organizations.  In fact, medical data breaches were the fastest growing segment from 2005 to 2010.

Read the full report for conclusions and recommendations.

Data Security, Financial, Government, Healthcare, Malware, Portable Storage

Bank insider steals data with USB drive

May 20th, 2011

The Boston Herald has details on a bank executive who resigned and then left with thousands of documents belonging to his former employer, Boston Private Bank & Trust Co.

In a suit filed in U.S. District Court on Monday, Boston Private Bank & Trust accuses former lending executive Todd Rassiger of stealing proprietary information that benefits his new employer, First Republic Bank.

The 24-page lawsuit alleges that before his resignation from Boston Private Bank & Trust Co., Rassiger attached personal USB flash drives to his bank-issued computer and downloaded more than 1,500 documents, many of which included highly confidential and proprietary information.

These days, companies need to be concerned with both external cyberattacks and the threat posed by insiders who have access to sensitive data.  Our recent post highlights the need for endpoint security, which can block personal flash drives and keep an audit log of which files are downloaded.

We also highly recommend remote management capabilities for all portable devices like smartphones and storage devices.  Kanguru’s Remote Management Console can be used to instantly revoke device access from employees who are leaving the organization.  Their company-issued USB drive will be remotely disabled or deleted the next time it’s plugged in.

Data Security, Financial, Portable Storage

11 Questions to Ask When Buying a Secure Flash Drive

May 5th, 2011

USB Flash drives: Petite, portable storage devices capable of storing gigabytes of data.  They’ve revolutionized the business world with their convenience and portability; however, there is a darker side to the revered little flash drive.

Their tiny size often makes them easy to lose, and their storage capacity allows huge amounts of potentially sensitive data to be stored on them. If lost or stolen, a single tiny, insecure flash drive has the potential to cause a massive data breach.

As state, federal and business regulations tighten on information security and impose fines and sanctions for data breaches, the question arises:  Should flash drives be banned from work environments, as the Department of Defense did in the fall of 2008[i]?  Or can they be used in a safe manner without limiting the very attributes that make them so popular?

The answer to this will vary greatly depending on your organizational policies and security standards; however, there are options for using flash drives securely.

A good starting point is encrypted flash drives.  While encryption is important, there are many more factors to take into consideration in the overall security of flash drives.

To cover some of the new security developments surrounding flash drives and to figure out the best solutions for your needs, I’ve come up with 11 basic questions to ask when buying a secure flash drive.

Question #1: What is the overall level of security and has it been certified by an independent, accredited entity?

Why it is important: Generally, the higher the encryption level (128-bit, 256-bit), the more difficult it is for a hacker to break.  However, it is also very important that the device be tested for other relevant factors such as encryption tunnels, a true random number generator, physical security features, hashing, and the security of the device’s firmware. Read more…

Data Security, Financial, Government, Healthcare, Malware

Avoid your personal Wikileaks

February 8th, 2011

Don’t let an unsecured flash drive cause business disruption, productivity loss, revenue loss, and fines.

Recent events in the news have demonstrated the ease with which portable devices can be used to steal confidential data.

Avoid your own personal Wikileaks by securing your USB flash drives.  Kanguru’s secure flash drives and remote management capabilities provide excellent protection against data leaks.

The Kanguru Defender Elite coupled with Kanguru Remote Management Console (KRMC) gives CIOs and CISOs an unprecedented level of control over their flash drives.  Data breaches can be prevented with features such as:

Remote Disable/Delete - Remotely disable or delete devices compromised by rogue employees to protect sensitive information and prevent data breaches.

Domain/IP Control - Restrict drive usage to approved domains & IP ranges and prevent unauthorized use in external networks.

Offline Restrictions - Control whether devices can be used offline. Prevent unauthorized use in external networks.

Auditing and Reporting - KRMC enforces a full audit trail with detailed graphical reporting and the ability to export both customizable audit logs and graphs for external analysis to ensure proper compliance.

Data Security, Financial, Government, Portable Storage

Online Banking Attacks

August 25th, 2010

Online banking sessions are becoming lucrative targets for hackers and thieves.  Dark Reading highlights a recent M86 Security report on attacks at a large UK bank.  These sophisticated thieves use malware to hijack the browser on the banking customer’s PC.

Once the victims logged onto their online banking accounts, the attackers captured account numbers and user credentials. They employed a man-in-the-browser attack that intercepted the victim’s money transactions.

One way to prevent such attacks is by ensuring that all online banking is done from a trusted machine.  New advances in technology allow trusted virtual machines to boot from a secure USB stick.  The online banking session can be conducted with a hardened browser, and multi-factor authentication can be implemented to keep out unauthorized users.

With over $1 million stolen from this one banking institution alone, you can bet that similar attacks are targeting banking customers around the world.

Data Security, Financial

Financial Breach Timeline

October 22nd, 2009

GovInfoSecurity.com has a timeline of data breaches affecting US Financial Institutions in 2009.  “Stolen or Missing Hardware” was cited in a number of the incidents, along with “Insider Theft”.

These data breaches could lead to penalties under a number of state laws.  The FTC could also impose fines under the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to protect consumer data.

Data Security, Financial

Hefty fines for weak data security

July 23rd, 2009

HSBC has been fined over £3 million ($5 million) for data security procedures that fail to meet Financial Services Authority (FSA) requirements.

The FSA said that, in April 2007, HSBC Actuaries lost a floppy disk in the post that contained 1,917 pension numbers and addresses. And, in February 2008, HSBC Life lost an unencrypted disk holding data on 180,000 policy holders - also in the post.

Costly data breaches can be avoided by remotely managing portable data.  Not only is the data encrypted, but the device can also be programmed to remotely delete its data the next time it is plugged in.  The company has a log file to show the date, time and location where the data was destroyed.

Data Security, Financial, Portable Storage

FTC Cracks Down on GLBA Violation

June 24th, 2009

Last month the FTC cracked down on a mortgage company for violating the privacy rules in the Gramm-Leach-Bliley Act (GLBA).  A lack of information security measures is going to cost the company 10 years of audits.

Agent Genius has a good rundown on how GLBA affects financial institutions like banks, insurance companies, brokers, lenders and so on.  As the author notes, “financial institution” can be broadly interpreted.

Data encryption with the ability to log and audit should be a key part of any GLBA compliance plan.  Regulators want to see clear proof that information security policies are in place and are being enforced.

Data Security, Financial

Bank InfoSecurity interview

April 29th, 2009

Nate Cote, VP of Product Management, chats with BankInfoSecurity.com at RSA Conference 2009.  Nate discusses how Kanguru’s encryption and management solutions fit into the broader security and compliance architecture.

Direct link to audio.

Data Security, Events, Financial

Government data breaches continue

April 3rd, 2009

Government entities are leading the way in data breaches so far this year.

According to ITRC, a nonprofit organization whose work is supported by a Justice Department grant, the government and military sector were the chief offenders, accounting for 78 percent of all exposed records with just 22 breaches.

To be fair, the bulk of those records were lost in a single incident at the Arkansas Dept of Information Services.  Among other sectors, banking and financial companies did the least amount of damage, with 12 breaches and 288 records exposed.

Data Security, Financial, Government, Healthcare