In a July 15 memo to all Federal Agencies, OMB Director Jack Lew sent a reminder that Telework solutions must comply with security guidelines and protect sensitive government information. Federal Computer Week highlights a few of the requirements, including data security and protection from systems that are not under direct agency control.
The Telework initiative is meant to improve worker productivity, while reducing government overhead and costs. It also adds business continuity in the event of an emergency or other event when employees can not reach the office. The downside is that Administrators lose some control over the hardware and software being used by their workers. Fears about security have resulted in slower than expected implementation of Telework policies.
To meet these security requirements, Kanguru and Absolute ID have designed the RocIT Defender Elite “Virtual System on a Stick” to enable Telework while still maintaining control over hardware and software. The device is a bootable, encrypted USB flash drive that launches a secure virtual OS completely isolated from the host system. The Administrator can lock down the OS and application settings with a golden image, and monitor the devices remotely using Kanguru Remote Management Console. All data is hardware encrypted with FIPS 140-2 certified cryptography. Contact Kanguru for more info on how RocIT Defender Elite can meet your Telework challenges.
Data Security, Government
US Government technology professionals are invited to visit Kanguru at FOSE 2011 next week at the Washington Convention Center (Booth # 800). Come learn more about the Kanguru RocIT Defender Elite - our bootable, virtual PC on a flash drive. The device features FIPS 140-2 encryption and DoD-tested virtual runtime environment.
We’ll also be displaying our Hard Drive, DVD and USB Duplication Equipment, as well as our next generation Secure USB storage products. While you’re there, join our email list and receive a FOSE discount.
Register for an Expo Pass here.
Events, Government
From the Register:
Leicester City Council has misplaced a USB stick containing personal details of 4,000 vulnerable and often elderly users of its care service.
The data has disappeared from LeicesterCare, the council’s vulnerable residents’ support service. Along with personal information, the stick also has key codes for 2,000 people, which are used to open boxes outside users’ houses which contain their front door keys…
This is just one example of the type of sensitive information that users tend to store on their USB sticks. Then the sticks get lost on the bus, in the car park, or at the dry cleaners. The safest course of action is to use mandatory encryption that employees can’t turn off or bypass.
Data Security
Don’t let an unsecure flash drive cause business disruption, productivity loss, revenue loss, and fines.
Recent events in the news have demonstrated the ease with which portable devices can be used to steal confidential data.
Avoid your own personal Wikileaks by securing your USB flash drives. Kanguru’s secure flash drives and remote management capabilities provide excellent protection against data leaks.
The Kanguru Defender Elite coupled with Kanguru Remote Management Console (KRMC) give CIO’s and CISO’s an unprecedented level of control over their flash drives. Data breaches can be prevented with features such as:
Remote Disable/Delete - Remotely disable or delete devices compromised by rogue employees to protect sensitive information and prevent data breaches.
Domain/IP Control - Restrict drive usage to approved domains & IP ranges and prevent unauthorized use in external networks.
Offline Restrictions - Control whether devices can be used offline. Prevent unauthorized use in external networks.
Auditing and Reporting - KRMC enforces a full audit trail with detailed graphical reporting and the ability to export both customizable audit logs and graphs for external analysis to ensure proper compliance.
Data Security, Financial, Government, Portable Storage
Recently there have been a lot of stories involving the security flaws of some high profile encrypted flash drives. Some follow up articles have claimed the initial news to be nothing more than FUD (Fear, Uncertainty, Doubt) stories, an attempt to influence public perception with negative information on what is essentially a nonstory.
We, however, disagree. If there is a security flaw in what is supposed to be a secure flash drive, one certified by the U.S. government and used for sensitive data, this is extremely newsworthy. The fact that they are FIPS certified only increases its newsworthiness.
Many government agencies are required to purchase FIPS validated/certified products. This requirement is based on the belief that if a device is FIPS certified, it is secure enough for sensitive government information. While FIPS only validates cryptographic functionality of products, there may be additional security aspects reviewed in the future (Common Criteria for example). NIST’s stance, that they are “actively investigating whether any changes in the NIST certification process should be made in light of this issue” may indicate that they need to also review items that have traditionally been treated as out-of-scope from a FIPS standpoint, but are certainly security relevant. One example would be a review of the cryptographic boundaries of security products.
Data Security, Government
Bart Porter at (re)blog compiled a list of data breach greatest hits of 2009. Many of the incidents have been noted on the Kanguru Blog including the MP3 Player containing US Army data, local school district mishaps and hospitals that lose USB thumbdrives.
The conclusion:
There are many interesting details to note in this dubious line-up of data security breaches, including how many health care, government and education organizations are represented. Even more significant is how few business enterprises show up on the list. This may be a clear indication of what many in the data security industry realize and fear – that most businesses suffering a significant data security breach do not publicly acknowledge incidents as they occur.
We expect this to change as more and more data breach notification laws are enforced at the state level. The landmark Massachusetts law will take effect in March, 2010. Data encryption will become mandatory for portable devices that store customer or employee information.
Data Security
London Evening Standard: A computer virus crippled a London council for weeks after a worker accidentally plugged an infected memory stick into a computer. The emergency recovery has cost £501,000 (~ $820,000) thus far.
Lib-Dem councillor Gary Malcolm, who is also an IT specialist, said: “I will be calling for heads to roll. Half a million pounds is a hell of a lot of money to throw away at a time the council says it is strapped for cash. If this had happened in a private company, people would be sacked.”
USB flash drives are a popular vehicle for delivering malware onto computer networks and the threat needs to be taken seriously. This incident is similar in nature to last week’s mysterious laptops that the FBI is now investigating.
Defender Elite, the next generation secure drive from Kanguru, will feature onboard anti-virus scanning to prevent malware from getting anywhere near your USB ports.
Data Security, Government, Malware, Portable Storage
Kanguru Solutions will be an exhibitor next week at Army LandWarNet 2009. Please visit us at Booth #1411.
Last fall, the DOD banned USB flash drives and other removable media devices after a worm infiltrated their networks. Kanguru Solutions has just announced the release of the Kanguru Defender Elite. This drive has been designed with the Army IA security requirements in mind. Defender Elite will eliminate malware attacks and viruses, allowing users to confidently deploy this device in the field. FIPS 140-2 and Army IA certifications are pending.
The Kanguru Defender Elite features include:
- Military Grade, 256-bit AES Hardware Encryption
- Antivirus & Malware Protection
- Tamper and Brute Force Resistance
- Rugged Aluminum Housing
- Limited Number of Invalid Login Attempts
- Physical Write Protect Switch
- FIPS 140-2 Level 2 Pre-validated
- Can be used with the Kanguru Remote Management Console (KRMC)
Data Backup, Data Security, Events, Government, Portable Storage
Via Federal Computer Week, the US DOE inspector general recently performed an IT security audit and found that “the department hadn’t ensured that sensitive data stored on mobile devices, sent in e-mail messages, or sent to off-site backup storage is sufficiently protected by encryption, as appropriate.”
The DOE partially agreed with the findings but added:
…taking adequate steps to ensure that there is no sensitive information on laptops or mobile devices should be sufficient without requiring encryption of all data on all devices.
This seems to rely a great deal on user behavior and will be vulnerable to malicious actions or just poor judgment by employees.
Data Security, Government, Portable Storage
Lost memory sticks continue to be a problem for organizations in the UK including MI6, which had to abandon a major drug operation.
“Our February 2009 industry survey showed that less than 50 per cent of UK public and private sector organisations use any form of data encryption.”
Other recent headlines:
Welsh Council loses children’s data
Loss of patient details prompts warning for five NHS trusts
Data Security, Government, Healthcare, Portable Storage
Follow us on Twitter