Mobile Data Security Blog

Home  »  Archive by category "Data Breaches"


Death, Taxes, And Being Hacked


There are some things in life that are inevitable – death and taxes at the top of the list.  To this list, I’m adding another modern day inevitability – being hacked!

You can be phished, clickjacked, spied on or attacked by a worm – the list of deadly attacks goes on. The types of malware and new attack vectors are growing at a frightening pace and trying to fight them off has become a daily concern.

Defending against cyber attacks and repairing the damage caused by hackers who break into security systems costs UK businesses a whopping £34 billion a year, according to the Centre for Economics and Business Research.  Around £18 billion of this comes from lost revenues, whilst the IT department spends the remaining £16 billion on trying to shore up defenses.

Then there are the fines.  In 2014, for example, holiday firm Think W3 suffered a serious hack in which 1,163,996 credit and debit card records were stolen. The ICO described the incident as a “staggering lapse” and issued a fine of £150,000.

And earlier this year, Barclays had to compensate 2,000 customers when their personal details were discovered on a stolen USB device – highlighting that data.

There is no escaping it – data breaches are on the increase and fines are only going to get bigger under sweeping changes to EU legislation. But all it takes is some common sense and a robust security strategy to ensure you aren’t in the firing line.


Don’t leave the doors open

When it comes to securing devices, the obvious option is encrypting and password protecting data. IT needs to install tamper-proof encryption software at the endpoint so that all data on the devices is encrypted by default. Solid security policies, when paired with advanced device management features such as remote lock and remote wipe, go a long way in protecting sensitive business data from falling into the wrong hands.


Act now

The clear message is that businesses need to get their houses in order when it comes to security. When the EU data protection regulation comes into force next year, businesses will not only need to be confident in their file transfer policies, but they will also need to be able to show a very clear audit trail.

It is not if you are going to be hacked, but when. And unlike death and taxes, this is something you can actively work to avoid.



Windows To Go Devices: Upgrading Your Windows OS and Windows as a Service


Wipe and Replace to Update Your Devices

With the release of Windows 10, many IronKey Windows To Go customers are upgrading their Workspace devices to the latest Windows 10 Enterprise build.  The reasons why?  Many are doing it for their main Windows To Go devices— like me— and many others are doing it for the ability to do trial deployments of Windows To Go in their offices. Here at IronKey, we wipe and replace to update our devices. To do this, back up your Windows data and any information you require to rebuild your device, replace the Windows OS using either Microsoft’s Windows To Go Creator or IronKey’s Provisioning Tool or Scripts (if you are mass provisioning), and simply recreate. To the best of our knowledge no Microsoft upgrade tools will permit an in-place upgrade of Windows To Go devices from Windows 8 or Windows 8.1 so this is the best option.


Windows as a Service: When in-place upgrades may be important for Windows To Go

As Microsoft moves to a Windows as a Service model, they’ve introduced new update rings – Current Branch, Current Branch for Business (CBB), and the Long Term Servicing Branch (LTSB). I won’t go in to what license model allows you access to which path, but instead focus on the philosophy. Microsoft’s intention of a single Windows as a Service model with on-going updates is to build an OS ecosystem in which most customers will, by following along, be on an identical or very recent version of Windows 10. So here’s the advantage.  If you have a Windows app or application, compatibility will be improved because a majority of PCs (WTG, desktops and laptops) will be on a recent Windows 10 version. This is a huge benefit to development and should alleviate a major headache for the deployment of apps and applications as you can expect a much more homogenous set of OS versions in the field.


The Challenges of Windows as a Service

As with anything new, there are challenges. The first is deciding on which branch is right for you and/or your organization. The Current Branch is the one consumers will use and is available for Home, Pro, Enterprise, and Education W10 editions. In this branch you get all the updates through Windows Update and receive all security and feature updates. The next ring out is Current Branch for Business (CBB) which allows for organizations on Pro, Enterprise or Education Editions to (1) delay feature update until testing is completed, and (2) use a wider variety of delivery options (adding Windows Update for Business and Windows Server Update Services (WSUS)). The delay allows for testing, and includes a bit of a stick that Microsoft will stop support if you delay too long and do not update Windows. Mary Jo Foley notes in an article that “Business customers on the Current Business Branch are going to have 12 months before they are required to deploy fixes and new features,” so Microsoft is providing a fair amount of lag time before nagging customers.  Long-term Servicing Branch (LTSB) (available to Enterprise Edition only) allows for more stability for a longer time period (think ATM), but may require some IT calculus around decisions to take if there are features that look attractive.  IT must then decide to move to a different update branch, like CBB, or wait for a newer LTSB.


Here is a table that shows the different servicing options, the supported OS editions, and delivery options:



The In-Place Upgrade Dilemma

The catch is that some updates will require not just a patch, but an in-place upgrade! It is unclear what features or functions, and on what cadence, an in-place upgrade will be required. But until Microsoft deploys an updater to work with Windows To Go devices, you may need to hold updates or be prepared to wipe and replace when Microsoft pushes an update that requires an in-place upgrade (something larger than a security patch). For IronKey Windows To Go customers who are leveraging WTG as a secure endpoint—  for example by providing a VDI Citrix or VMWare client on a secure workspace to bypass potential host PC malware issues— this may not be a big issue. In these cases minimal OS functionality may be required, or a very locked down OS is sufficient and IT does not expect to adopt many new Windows 10 features. On the other side, for organizations leveraging Windows To Go for broader OS deployments (like IronKey!) where many of us are interested in the latest OS features for testing, security and convenience; any time an in-place upgrade is required, we will need to recreate our Windows image and wipe and replace our devices.

And there is the dilemma:  As we wait for Microsoft to update their tools we’ll be in a pinch whenever an in-place update of the OS is required for new functionality.

We’re looking at some other options on how to do this— PowerShell scripts is one thing we’re investigating— so we’ll keep you informed as we learn new information from Microsoft and any insights our team discovers.



Microsoft Licensing for Windows To Go – You Can Deploy It Now!



In my last blog post Ready for Windows 10? IronKey Windows To Go is Windows 10 Ready, I mentioned that I would cover Windows To Go licensing.  In this blog post, I’ll review three key points that I often cover for our customers when asked about Microsoft Licensing.

The key takeaway is that if you have a Volume License, you probably are already able to deploy Windows To Go today.  Now lets’ review those three key points: 


1.   Windows To Go is a “benefit” of Software Assurance

When you purchase a Microsoft Volume License, which most companies do for the cost savings over time, you either receive Software Assurance by default with all Enterprise Agreements (EA) or may purchase it as an addition. What I’ve learned after many conversations is that most SMBs and Enterprises already have a Volume License and more often than not have Software Assurance associated with it.

If you fall in to this category, then you’re all set. You can use the Windows To Go Creator included with your Enterprise Windows 10 or Windows 8 OS, or take advantage of IronKey’s mass provisioning tool or scripting capabilities for provisioning many devices.


2.   Not sure if you have a Volume License? It is easy to check.

You may be part of a company where you do not purchase your Microsoft licenses so here is what you can do. The first stop is to just check the operating system on your current PC by going to Control Panel, System and Security, and looking at the System details. If you have Windows 8/8.1 Enterprise, Windows 7 Enterprise, or Windows Vista Enterprise your company probably has an EA and therefore Software Assurance so you can go ahead and create IronKey Windows To Go devices today.

If you have other OS types like Pro, Professional, Ultimate or Business you may have a Volume License that allows it but you’ll want to ask. Your first stop is to ask your IT folks if they know, and if not, you can always track back to your reseller and ask for your companies Microsoft Licensing Agreement which will include what you need to know.


3.   Did anything change in Windows 10?

In terms of Windows To Go as a benefit of Software Assurance (and EAs)—  no change. The change that is coming with Windows 10 and Enterprise agreements is that Microsoft is making a new selection of features available only to purchasers of EAs and so I expect that we’ll see more people purchasing it over time. Some of the new Enterprise features will be fairly desirable—such as Long Term Servicing Branch will allow some PCs to remain on a stable OS for long periods of time (think kiosk) as is covered in Windows 10 for Enterprise blog post by Jim Alkove. Additionally there are a lot of new benefits to Software Assurance (as covered well by ZDNet here) such as the inclusion of Microsoft Desktop Optimization Pack (MDOP) and the of App-V functionality. As you’d expect, more features equal a higher price (making up for all the free Windows 10 upgrades Microsoft is providing to consumers) so we’ll see how it all shakes out.


IronKey’s Windows To Licensing Guide

I made a  WTG licensing reference guide that our team has found useful in addressing the many questions that arise out in the field.  Check out the licensing guide and feel free to email me with any questions you might have or alternatively you can reach out to your local Microsoft reseller for details specific to your situation.


In summary – you’re Windows To Go ready!

You’ve probably have the license you need so there is no reason to not try it out today. We’ve got a large number of customers providing Windows 10 to a portion of their workforce today using IronKey’s Microsoft Certified Windows To Go devices.




Hillary’s Lawyer’s “Thumb Drive is Secure” – Really?


So says Politico and others about the thumb drive, that Hillary Clinton’s lawyer has, containing 30,000 files off of her private email server.

By “secure”, they probably mean encrypted. That and $4 buys a latte at Starbucks.

To be secure, the drive must not only be encrypted, but have signed firmware. Most encrypted drives don’t.

Why does it matter? Malware like that created by Equation Group and others, can enter via a USB port, take up residence in a laptop or PC and phone home anything of interest to whomever put it there – ISIS, Russia, China, Kim DotCom….pick your poison.

How to be sure it’s really secure? You don’t need to ask the FBI, like Senate Judiciary Committee Chairman Chuck Grassley (R-Iowa) is doing.

Just ask the simple question of the manufacturer: Is your firmware signed? If it’s an IronKey™ drive, it is. And if it’s signed, it’s secure. For most other manufacturers’ drives, they will not have signed firmware. But ask, a few will.

If the answer is no, then the information is as public as tweets from Kim Kardashian.


Ready for Windows 10? IronKey Windows To Go is Windows 10 Ready


Windows 10 is just around the corner— with Terry Myerson announcing on Blogging Windows that Windows 10 Enterprise will be available to Volume Licensing customers beginning August 1st. The release of Windows 10 appears to be one of the most exciting releases for enterprise customers with a long list of compelling new features for security, update, and management flexibility. There are lots of good posts out there detailing predictions on what will be delivered in Windows 10 Enterprise, but in tandem with end user experience updates like the return of the Start Menu, this is the version of Windows we’ll all standardize on over time.

Windows 10: Go Ahead and Give it a Try!

Windows To Go remains a bright spot and as a key benefit of Software Assurance (and VDA licenses), the momentum will continue. As we announced at Microsoft Ignite, IronKey Windows To Go devices are now fully ready for Windows 10!  So what exactly does that mean?  If you have an IronKey Windows To Go device, you can install Windows 10 now.  Whether you’re testing builds from the Windows Insider Program or waiting for the first releases on August 1, IronKey’s Windows To Go devices can be deployed straightaway. We’re using our IronKey W300 and W500 devices to explore and test Windows 10 functionality for ourselves so feel free to give it a try.


If you’ve purchased our Mass Provisioning Tool and our scriptable Command Line Utility to produce many devices simultaneously, we are currently testing in this environment and will provide more information as we learn more. To date, the only restriction we’re seeing is that you’ll need to build Windows 8.1 devices from a Windows 8.1 PC, and Windows 10 devices from a Windows 10 PC.   From our testing efforts, and as we make use of the Windows DISM for some operations, we are seeing a need for version consistency with the current version of our tools. We’ll continue to investigate in order to make any updates as our testing proceeds. 

In short, IronKey Windows To Go is ready for Windows 10.

Haven’t Experienced Windows To Go? 

For those who haven’t yet experienced Windows To Go and want to give it a try, we’re offering a Windows To Go Intro Kit on our eStore.   Each Windows To Go Intro Kit features a 32GB IronKey Workspace W300 device with a 90-day trial version of Windows 8.1 pre-loaded, a right-angle USB adapter, and an IronKey lanyard for $89.00.  To purchase, visit IronKey eStore.  The kits will soon be available with Windows 10. 

Need to Learn More About Microsoft Licensing?

On an additional note, I’m often asked about licensing Windows for Windows To Go so I will be covering that in my next blog post. Here’s the simple summary— most Volume License holders have Software Assurance so they’re ready to deploy. If you’re not sure, I’ll be covering licensing in detail next month so please check back with us.  




Our special guest blogger is Tav Venia, an IronKey sales engineer, who is based in the Washington DC area and serves our Federal and Enterprise clients. 

Unfortunately, we’ve all heard about the hack on the personnel records and social security numbers for more than 4 Million+ Federal Employees at a U.S. Government Agency.  Data lost, stolen, or hacked:  it just represents another failure to protect our federal data.  For this, and many other reasons, now more than ever it’s imperative that all types of data is securely protected— federal, classified, FOUO (For Official Use Only), defense, employee, personal, etc.   Now is the time to get out in front of any and all possible threats and attacks to assure ourselves that our data is safe and secure from what can turn into “Tomorrow’s Headline”.   

Government employees are more mobile— working in the office, in the field and from home— which increases the potential for even more data exposure risks.  The ability to securely store and transport data while on the move is a necessity.  As the Federal Team Sales Engineer, I see how our U.S. Government and Agency customers are using the IronKey™ line of hardware encrypted hard drives to securely store and protect their sensitive information, among many, many other reasons.  But with the release of our newest hard drive, the IronKey H350, government agencies can enjoy the speed and performance advantages of USB 3.0 technology while realizing the benefits of the world’s most secure USB devices including FIPS 140-2 Level 3 certification, AES-XTS 256-bit hardware encryption and centralized management.    

Our customers can now save, backup and move data wherever they may be much more rapidly taking advantage of the USB 3.0 speeds.  As technology advances, data files are exponentially growing in size, the ability to securely store and move data quickly and efficiently from the field back to the government or agency office is of even greater importance.  Forgotten password?  No worries. On managed enterprise hard drives, IronKey provides the only secure password reset mechanism that allows users to recover data without erasing the contents on the drive or using a backdoor to reset the password.  Additionally, when data is not being access or used, the IronKey H350 can protect and secure Data At Rest (DAR), another use case of importance to our U.S. Government and Agency customers.  

Personally, with my job, I am constantly on the move traveling from place to place.  I use the IronKey H350 to back up all of my laptop data because we have all been there when Windows crashes and/or becomes corrupted giving us the Blue Screen of Death (BSOD) rendering our data lost and unrecoverable.  This can be a result of a Windows error or a simple drop of your laptop which damages the hard drive.  I don’t ever want to be caught in a situation where I don’t have a backup of my data.  Thanks to my IronKey H350 USB 3.0 hard drive, it now takes less than an hour to back up all of my data, a process that used to take many hours using a USB 2.0 Hard Drive.


Keeping Patient and Hospital Information Safe

In September 2014, Forrester Research published a brief titled “Stolen and Lost Devices Are Putting Personal Healthcare Information at Risk”. Amongst the findings were two important trends:

Healthcare is becoming more mobile – approximately one-third of healthcare employees now work outside the office or clinic at least once a week.

Healthcare records are five times more likely to be lost due to device theft or accidental loss.

Today, personal healthcare information (PHI) records are more accessible than ever before. These PHI records contain important personal information such as social security numbers, medical history, and insurance information. Technological progression in the medical world is giving us advancements such as real time medical data on our smartphones and mobile messaging systems so hospital staff can get to patients faster. Although this progression is exciting, with all of this patient information floating around in technology, it makes it harder to keep our data safe.

With so much mobility, it’s not surprising that data protection has become a big problem. Mobile devices are simple to carry from one workplace to the next, but they can be easy to lose. To protect our data, we need a way to prevent unauthorized people from accessing the content of a lost or stolen device.

The solution is to use encrypted USB or external hard drives, such as the new IronKey™ S1000 3.0 USB. These secure storage devices combine encryption, which encodes data, making it unreadable to all but authorized users, with cloud-based management functionality that enables an organization to remotely wipe data from a device even if it is no longer in their possession.

Healthcare facilities need to address the realities of mobile work practices but they also need to protect the information in their care. The task is made a lot easier with a good device policy and the right tools.


The Age of Hacking

In today’s digital age, teaching children to code seems like a fantastic idea. Children are already spending huge amounts of time using technology, whether it’s a laptop, smartphone or tablet device and these IT skills can be essential in their future careers. However, whilst we must help a new generation of competent workers prepare for the digital world, how can we make sure that children will use their coding and programming skills for good and not evil?

Over the past years we’ve seen a number of technological innovations aimed at equipping children with basic programming and coding skills – from the Raspberry Pi to the recently launched Hackaball, a programmable ball aimed towards 6-10 year-old children. This demographic has been a key target for the UK government who have dominated the primary computing curriculum since September 2014.

However, with these skills being so easily transferrable to illegal activities such as hacking and cybercrime, how can we ensure that the lure of mischief, malice and money won’t sway children to ‘the dark side’? In January of this year, a seven-year-old girl hacked a public Wi-Fi network in just over ten minutes by learning how to set up a rogue access point to activate what is known as a ‘man in the middle’ attack. We know that this is already happening – hackers as young as 16 years old have been arrested for cybercrime, and the Home Office has warned that young video game hackers could be the next generation of cybercriminals.

So how can we tackle this? When it comes to children and young adults, the first place to start is at school and at home. Responsible adults, teachers and parents have a duty to ensure that their children, or pupils, are not engaging in criminal activity, and this is no different in the cyber world.

However, the problem we encounter here is the massive gulf between adults and children when it comes to understanding technology. An Ofcom survey released in August last year found that younger people have a far more advanced understanding of technology devices than adults – with 6 year olds having the same level of knowledge as the average 45 year old. In fact, teenagers aged between 14-19 years old are the most digitally confident in the UK.

If teachers and parents are to monitor and guide young people’s use of technology and make sure they’re not becoming involved in cybercrime, they must first be able to understand the technology themselves.

Secondly, we must consider the types of devices and technology that young people are using and put appropriate security measures in place to limit the possibility of malicious use. Technology like the Windows To Go USB Flash Drive would give young coders a replica desktop, just like the one they have at school, that they can take home and use on any device, without affecting or accessing the data and operating system sitting on that device. With a Windows To Go device it’s very easy to manage activity. The school can control the transfer of information and wipe, delete, monitor actions on the device, this way, the youngsters can hone their coding skills without being able to get in trouble by conducting activities outside the school’s remit.

What is clear is that we must not discourage children from learning these skills – they are absolutely essential for future employment and also play an important role in their everyday socialising with their peers. We must also accept that we cannot stop this evolution. Children are already learning these skills, with or without your knowledge and input, so the best we can do is to help shape that knowledge and put them on a good path.


Whistleblowers: Data Theft or Public Service?

A Perspective from the UK

Over the past few years there have been a number of high profile cases where whistleblowers have leaked information to the public, highlighting wrong-doing, corruption and malpractice amongst trusted institutions. Whilst some of these cases have clearly disclosed information that is in the public interest – for example the recent inquiry into the fatalities at Morecambe Bay Furness Hospital – other whistleblowers have disclosed sensitive corporate data leading some to question whether the information is truly in the public interest, or is in fact a data breach.  

What is clear, is that whistleblowing can have huge financial repercussions – in fact, The Pentagon has recently said that it may cost billions of dollars to overcome the damage to military security by Edward Snowden’s release of classified intelligence documents.

From a corporate perspective, unfounded whistleblowing is essentially another type of ‘insider threat’, and we know that this issue is climbing higher on the risk agenda for IT departments worldwide. Organisations must assess the threat that this form of data leakage can have on their business and put measures in place to protect their businesses.

Firstly, businesses can use an array of solutions to protect corporate data on computers, laptops, wireless networks and in the workplace. For organisations seeking extra security, an Enterprise Management System, with a command centre whereby device activity can be viewed from all over the world, provides a robust and highly secure solution. Data can be securely stored and if an employee fails to return to work, a device can be destroyed remotely.

There are however, many other complex regulations to consider when it comes to the issue of whistleblowing.

Under the Enterprise and Regulatory Reform Act 2013, whistleblowers have to show that they “reasonably believe” that the disclosure they are making is in the “public interest”. Unfortunately, what amounts to “public interest” is not defined in the legislation and it will be left to the courts and tribunals to lead the way with their interpretation.

The law states that an individual is permitted to declare information/whistleblow if someone’s health and safety is in danger, if there is damage to the environment, if the employer is committing a criminal offence, if the company is failing to honour legal obligations or if the company is covering up a wrongdoing.

Many of these exceptions will pose no threat to the everyday corporation, therefore the key threat is the possibility of an ex-employee sharing sensitive information.

Although the Data Protection Act gives businesses additional protection when private data is at stake, there is still a concern that ex-employees will speak out about historic events such as previous data breaches experienced whilst employed.

A ‘Compromise Agreement’ is becoming a common solution to the problem around employee trust. Organisations are adding a clause in contracts to ensure that all confidential information remains confidential, and employees are then prevented from making defamatory comments or disclosing sensitive information, even after they have left a company.

This month, Sir Robert Francis QC announced a ban on the ‘Compromise Agreement’ for hospital staff. In the health sector, where lives are at stake, it is clear that the act of whistleblowing must be protected.  Some incredibly shocking stories have been revealed highlighting horrendously poor care and unacceptably high mortality rates. This has of course had a positive outcome and forced trusts to introduce new regulations to improve patient care.

For the corporate world, however, whistleblowing poses quite a different risk and can cost organisations hundreds of thousands, or even millions of pounds to repair. Businesses must reduce this risk by protecting their data, which lives both inside the building and outside on employee mobile devices and in the cloud.  This way, they can put themselves one step ahead of the game.

Organisations need to ensure that they have permissions and privileged access in place to protect sensitive information to avoid the potential for these to be breached.

Businesses need to keep account of and collect any devices that may have been issued such as mobile phones; tablet, laptops, proprietary software or data, failing to do so could have detrimental repercussions.

Ensuring intellectual property and sensitive data remain secure is an on going challenge, and if businesses are failing to protect this information, the threat from whistleblowers will endure.


Majority of Healthcare Breaches Are Due to Loss or Theft, Not Hackers

I just recently read an article about how a healthcare organization lost backup hard drives containing personal information on nearly 40,000 of its clients. To make matters worse, the article stated that there was “no mention of strong encryption being applied to the records, implying that they were stored relatively insecurely.” WHAT?  I shake my head in frustration because there is a simple solution. Why don’t more healthcare companies deploy secure USB?

You might be surprised to know that the majority of breaches come from lost or stolen devices, not hackers. In fact, sixty-eight percent of all healthcare breaches are from loss and theft. This leads me to conclude that most healthcare companies insecurely store, and therefore risk losing their clients protected health information (PHI) such as birth dates, medical records, and Social Security numbers.

Sadly, it looks like this trend won’t be ending anytime soon.  A recent healthcare data breach forecast predicted that employees (not hackers) will continue to be the greatest threat to securing healthcare data including PHI.  The forecast goes on to say that despite all signs pointing to employees as the largest threat to a company’s security, business leaders will continue to neglect the issue in favor of buying more “appealing” security technologies aimed at preventing intrusions from outsiders in 2015. (sigh)

So here’s the good news – there is a workable solution that’s easy for healthcare organizations to implement. One simple, affordable option is to store PHI and other confidential data on a portable, encrypted external hard drive or USB instead of storing data directly on the laptop.  There’s a class of readily available hardware encrypted devices that are virtually unhackable and can be remotely wiped should they be lost or stolen.  And, these drives deploy the highest standards of protection with AES-256 encryption.   These highly secure drives even protect data and applications from malware like BadUSB. And their rugged design makes them nearly indestructible.  They’ve even been known to survive an autoclave! 

IronKey™ offers the most secure storage solutions and mobile workspaces available.  So, don’t be tomorrow’s headline.  Check out our healthcare security solutions today.