According to TechEye, another NHS Trust has exposed confidential patient information by storing it on an unencrypted USB drive, which promptly disappeared.  This is a continuing issue for NHS.

The Surrey and Sussex Healthcare NHS Trust patient records were lost in September 2010. Shockingly, the details were on an unencrypted memory stick and worse, the 800 affected patients were never told. Leaked details include full name, date of birth and operation details.

Kanguru strongly recommends that all healthcare organizations protect patient data by using mandatory hardware encryption on all portable devices.  The Kanguru Defender Elite secure flash drive is completing Common Criteria certification and is now available in the UK and throughout Europe.  It’s an ideal solution for healthcare data protection.

Data Security, Healthcare

Kanguru is pleased to announce that it’s Kanguru Defender family of secure USB flash drives is now available through local distributors and resellers throughout the Asia-Pacific region.  Kanguru works with local partners to ensure that the security and manageability meet the requirements of a diverse user base.  Both government and private sector organizations in this region are turning to Kanguru to protect their mobile data from unauthorized use.

In Australia, Sydney-based distributor Bellridge Pty Limited can provide the full range of Kanguru Defender flash drives and the Kanguru Remote Management Console for central provisioning and control of remote devices.  Bellridge also has representatives in New Zealand.

Halodata International has launched the Kanguru product line in Singapore and Malaysia, as well as Indonesia through it’s PT Halodata Indonesia subsidiary.  Halodata is a security specialist that supplies a full range of hardware and software products for protecting your network and portable devices.

Data Security

A new study from the Digital Forensics Association, called The Leaking Vault 2011, covers 3,765 publicly disclosed data breach incidents over the past six years.  The estimated cost of these data breaches totaled more than $156 Billion.  “Hacking” exposed the largest number of records, while “Drive/Media” exposures were the second leading cause.

The study also shows the breakdown of incidents among business, education, government and medical sectors.  It clearly shows that data breaches can happen to a wide variety of institutions, not just those that handle “classified” information.  State data breach laws and industry regulations like HIPAA have increased the spotlight on data security outside of traditional national security organizations.  In fact, medical data breaches were the fastest growing segment from 2005-2010.

Read the full report for conclusions and recommendations.

Data Security, Financial, Government, Healthcare, Malware, Portable Storage

InformationWeek highlights a new study showing that malware on USB sticks is wreaking havoc on information security.  The new survey by the Ponemon Institute found:

In the past two years, 70% of businesses have traced the loss of sensitive or confidential information to USB flash memory sticks. While such losses can obviously occur when the devices get lost or stolen, 55% of those incidents are likely related to malware-infected devices that introduced malicious code onto corporate networks.

Most of the respondents do not have any form of endpoint security in place, or don’t enforce their own USB security policies.  Cost may be an important factor as “75% of respondents said they wouldn’t pay a premium to ensure that USB drives are safe and secure.”

Setting aside the fact that this is short-sighted given the cost of a data breach, you don’t need to break the bank to secure your USB drives.  The Kanguru Defender Basic features automatically enforced military-grade encryption, plus an onboard anti-virus scanner to prevent malicious code from entering your network.  Best of all, it’s available at a mainstream price.

Data Security

Electronic medical records are the future, and the government is encouraging their adoption through the HITECH act.  InfoSecurity.com has analysis of the first phase of HITECH:

Phase I implementation (2011–2014) provides a graduated series of financial incentives to physicians and hospitals. At the same time, certain information security measures must be implemented along with the expanded use of electronic health records and information exchanges.

For healthcare facilities, these security measures include implementation of access control; data integrity; emergency management; encryption of data at rest, in motion, and removable media; identity proofing; log analysis and management; and system timeout.

Healthcare organizations are advised to use an encryption algorithm that meets FIPS 197 standards or better.  It’s important to ask your vendor about their encryption certifications, as not all password-protected devices are truly secure.

Data Security, Healthcare

The Boston Herald has details on a bank executive who resigned and then left with thousands of documents belonging to his former employer, Boston Private Bank & Trust Co.

In a suit filed in U.S. District Court on Monday, Boston Private Bank & Trust accuses former lending executive Todd Rassiger of stealing proprietary information that benefits his new employer, First Republic Bank.

The 24-page lawsuit alleges that before his resignation from Boston Private Bank & Trust Co., Rassiger attached personal USB flash drives to his bank-issued computer and downloaded more than 1,500 documents, many of which included highly confidential and proprietary information.

These days, companies need to be concerned with both external cyberattacks as well as the threat posed by insiders who have access to sensitive data.  Our recent post highlights the need for endpoint security, which can block personal flash drives and keep an audit log of which files are downloaded. 

We also highly recommend remote management capabilities for all portable devices like smartphones and storage devices.  Kanguru’s Remote Management Console can be used to instantly revoke device access from employees who are leaving the organization.  Their company-issued USB drive will be remotely disabled or deleted the next time it’s plugged in.

Data Security, Financial, Portable Storage

According to a new study by the Ponemon Institute, 75% of the energy and utility companies that were surveyed experienced a data breach within the last year.

“We were surprised that utility companies didn’t put a higher priority on issues like smart grid and smart meters, where there’s been a lot of concern about cyberthreats,” says Larry Ponemon, chairman and founder of Ponemon Institute. “Many of the people we talked to are still more focused on physical security than on cybersecurity.”

One possible attack vector being used against power companies is unsecured USB flash drives.  This was reported to be a big factor in the spread of Stuxnet last year.  Energy, utility and manufacturing companies should be taking extra measures to be sure only secure devices are plugging into industrial control equipment.

Malware, Portable Storage

Dark Reading highlights the growing number of cyber-attacks against law firms.  The law firms themselves may not always be the primary target in these attacks.  Rather, the thieves are often going after all the data pertaining to the firm’s corporate clients.  A law firm may collect massive amounts of data during the e-discovery process and the data is not always well protected.

Firms sometimes use thumb drives to gather this information. “I attended a program on e-discovery where someone from a law firm was talking about … how [people] were collecting information on thumb drives and then taking it back to the law firm. It was very insecure … a very informal kind of ad hoc process, with really no security built in,” Thomson says.

Kanguru has first-hand experience securing flash drives for legal firms.  Our encrypted devices and remote management software ensure that all data stored on thumb drives is locked down automatically, both within the firm’s network and out at client sites.  In addition, Kanguru’s USB Device Control software prevents users from bringing in unsecure flash drives and using them on the network.  Built-in Anti-virus scanners protect each thumb drive in real-time so that no trojans or other malware can infiltrate the firm’s database.

Find out more at: https://www.kanguru.com/index.php/flash-management/krmc

Data Security

You might not know the answer to that question until it’s too late.  Unfortunately, the most common response to finding a USB drive is to plug it in.  Virus-writers count on that response when they design the latest malware threats.

Network World discusses the way the Stuxnet worm has exploited this vulnerability.

Many companies have focused on the worm’s ability to spread via USB flash drives. Malicious programs spreading through infected such devices have become a major problem for corporations, because of employee curiosity. In penetration tests conducted by Leviathan Security, 8 out of 10 employees that found a USB drive plugged it into a computer. All of those workers then went on to open up a spreadsheet labeled “LayoffNotice.xls,” says Frank Heidt, CEO of Leviathan.

“You can tell your people, ‘Hey, don’t plug in USB sticks into your network,’ but that is antithetical to human nature,” Heidt says.

One way to combat this problem is to restrict unknown USB devices from your network and only allow devices with built-in antivirus protection.  Kanguru includes integrated malware protection as a standard feature on all new secure flash drives.  The network restrictions can be easily managed with Group Policy or one of the many Endpoint Security products now on the market.

Data Security, Malware, Portable Storage

Here at Kanguru we frequently talk about encrypting and securing your mobile data, but sometimes don’t stress enough the importance of tracking and monitoring data usage.  As important as it is to secure your data, it is equally important to know where it is going. 

When an employee leaves the office for the day, taking his work with him on a flash drive, where is that data going?  A quick stop by the local coffee shop and opened up on one of their unsecure wireless networks?  To an unsecure home computer? 

These possibilities along with the risks associated with them are why Kanguru emphasizes a total security solution.  This can be especially advantageous to organizations that are required to meet security regulations like HIPAA, the Hitech Act or any one of the many state-level data breach laws. 

Tracking and monitoring can be done via Kanguru’s Remote Management Console and USB Device Control, a tandem of products designed specifically to allow organizations to keep tabs on and secure their portable data. 

It’s time to look beyond encryption and recognize the importance of end point security as a key element to the overall big picture of securing your data.  Some options to look for in endpoint security and remote management:

1.) Device Control - Control what, when and how USB devices are allowed to access your computers

2.) IP and Domain Control - Manage which IP addresses and/or domains are allowable for devices to access via whitelist and blacklist methodology.

3.) Auditing and Reporting - Get a full audit trail with detailed graphical reporting and the ability to export both customizable audit logs and graphs for external analysis to ensure proper compliance.

4.) Remote Provisioning - Remotely manage security policy changes from a single location. Control password complexity, password expiration, software updates, patches, A/V definitions, online and offline access, and more.

Data Security