IronKey

Mobile Data Security Blog

Home  »  Archive by category "Uncategorized"

by

LATEST DATA BREACH: EVERY U.S. FEDERAL EMPLOYEE AFFECTED

 

Our special guest blogger is Tav Venia, an IronKey sales engineer, who is based in the Washington DC area and serves our Federal and Enterprise clients. 

Unfortunately, we’ve all heard about the hack on the personnel records and social security numbers for more than 4 Million+ Federal Employees at a U.S. Government Agency.  Data lost, stolen, or hacked:  it just represents another failure to protect our federal data.  For this, and many other reasons, now more than ever it’s imperative that all types of data is securely protected— federal, classified, FOUO (For Official Use Only), defense, employee, personal, etc.   Now is the time to get out in front of any and all possible threats and attacks to assure ourselves that our data is safe and secure from what can turn into “Tomorrow’s Headline”.   

Government employees are more mobile— working in the office, in the field and from home— which increases the potential for even more data exposure risks.  The ability to securely store and transport data while on the move is a necessity.  As the Federal Team Sales Engineer, I see how our U.S. Government and Agency customers are using the IronKey™ line of hardware encrypted hard drives to securely store and protect their sensitive information, among many, many other reasons.  But with the release of our newest hard drive, the IronKey H350, government agencies can enjoy the speed and performance advantages of USB 3.0 technology while realizing the benefits of the world’s most secure USB devices including FIPS 140-2 Level 3 certification, AES-XTS 256-bit hardware encryption and centralized management.    

Our customers can now save, backup and move data wherever they may be much more rapidly taking advantage of the USB 3.0 speeds.  As technology advances, data files are exponentially growing in size, the ability to securely store and move data quickly and efficiently from the field back to the government or agency office is of even greater importance.  Forgotten password?  No worries. On managed enterprise hard drives, IronKey provides the only secure password reset mechanism that allows users to recover data without erasing the contents on the drive or using a backdoor to reset the password.  Additionally, when data is not being access or used, the IronKey H350 can protect and secure Data At Rest (DAR), another use case of importance to our U.S. Government and Agency customers.  

Personally, with my job, I am constantly on the move traveling from place to place.  I use the IronKey H350 to back up all of my laptop data because we have all been there when Windows crashes and/or becomes corrupted giving us the Blue Screen of Death (BSOD) rendering our data lost and unrecoverable.  This can be a result of a Windows error or a simple drop of your laptop which damages the hard drive.  I don’t ever want to be caught in a situation where I don’t have a backup of my data.  Thanks to my IronKey H350 USB 3.0 hard drive, it now takes less than an hour to back up all of my data, a process that used to take many hours using a USB 2.0 Hard Drive.

by

Whistleblowers: Data Theft or Public Service?

A Perspective from the UK

Over the past few years there have been a number of high profile cases where whistleblowers have leaked information to the public, highlighting wrong-doing, corruption and malpractice amongst trusted institutions. Whilst some of these cases have clearly disclosed information that is in the public interest – for example the recent inquiry into the fatalities at Morecambe Bay Furness Hospital – other whistleblowers have disclosed sensitive corporate data leading some to question whether the information is truly in the public interest, or is in fact a data breach.  

What is clear, is that whistleblowing can have huge financial repercussions – in fact, The Pentagon has recently said that it may cost billions of dollars to overcome the damage to military security by Edward Snowden’s release of classified intelligence documents.

From a corporate perspective, unfounded whistleblowing is essentially another type of ‘insider threat’, and we know that this issue is climbing higher on the risk agenda for IT departments worldwide. Organisations must assess the threat that this form of data leakage can have on their business and put measures in place to protect their businesses.

Firstly, businesses can use an array of solutions to protect corporate data on computers, laptops, wireless networks and in the workplace. For organisations seeking extra security, an Enterprise Management System, with a command centre whereby device activity can be viewed from all over the world, provides a robust and highly secure solution. Data can be securely stored and if an employee fails to return to work, a device can be destroyed remotely.

There are however, many other complex regulations to consider when it comes to the issue of whistleblowing.

Under the Enterprise and Regulatory Reform Act 2013, whistleblowers have to show that they “reasonably believe” that the disclosure they are making is in the “public interest”. Unfortunately, what amounts to “public interest” is not defined in the legislation and it will be left to the courts and tribunals to lead the way with their interpretation.

The law states that an individual is permitted to declare information/whistleblow if someone’s health and safety is in danger, if there is damage to the environment, if the employer is committing a criminal offence, if the company is failing to honour legal obligations or if the company is covering up a wrongdoing.

Many of these exceptions will pose no threat to the everyday corporation, therefore the key threat is the possibility of an ex-employee sharing sensitive information.

Although the Data Protection Act gives businesses additional protection when private data is at stake, there is still a concern that ex-employees will speak out about historic events such as previous data breaches experienced whilst employed.

A ‘Compromise Agreement’ is becoming a common solution to the problem around employee trust. Organisations are adding a clause in contracts to ensure that all confidential information remains confidential, and employees are then prevented from making defamatory comments or disclosing sensitive information, even after they have left a company.

This month, Sir Robert Francis QC announced a ban on the ‘Compromise Agreement’ for hospital staff. In the health sector, where lives are at stake, it is clear that the act of whistleblowing must be protected.  Some incredibly shocking stories have been revealed highlighting horrendously poor care and unacceptably high mortality rates. This has of course had a positive outcome and forced trusts to introduce new regulations to improve patient care.

For the corporate world, however, whistleblowing poses quite a different risk and can cost organisations hundreds of thousands, or even millions of pounds to repair. Businesses must reduce this risk by protecting their data, which lives both inside the building and outside on employee mobile devices and in the cloud.  This way, they can put themselves one step ahead of the game.

Organisations need to ensure that they have permissions and privileged access in place to protect sensitive information to avoid the potential for these to be breached.

Businesses need to keep account of and collect any devices that may have been issued such as mobile phones; tablet, laptops, proprietary software or data, failing to do so could have detrimental repercussions.

Ensuring intellectual property and sensitive data remain secure is an on going challenge, and if businesses are failing to protect this information, the threat from whistleblowers will endure.

by

Majority of Healthcare Breaches Are Due to Loss or Theft, Not Hackers

I just recently read an article about how a healthcare organization lost backup hard drives containing personal information on nearly 40,000 of its clients. To make matters worse, the article stated that there was “no mention of strong encryption being applied to the records, implying that they were stored relatively insecurely.” WHAT?  I shake my head in frustration because there is a simple solution. Why don’t more healthcare companies deploy secure USB?

You might be surprised to know that the majority of breaches come from lost or stolen devices, not hackers. In fact, sixty-eight percent of all healthcare breaches are from loss and theft. This leads me to conclude that most healthcare companies insecurely store, and therefore risk losing their clients protected health information (PHI) such as birth dates, medical records, and Social Security numbers.

Sadly, it looks like this trend won’t be ending anytime soon.  A recent healthcare data breach forecast predicted that employees (not hackers) will continue to be the greatest threat to securing healthcare data including PHI.  The forecast goes on to say that despite all signs pointing to employees as the largest threat to a company’s security, business leaders will continue to neglect the issue in favor of buying more “appealing” security technologies aimed at preventing intrusions from outsiders in 2015. (sigh)

So here’s the good news – there is a workable solution that’s easy for healthcare organizations to implement. One simple, affordable option is to store PHI and other confidential data on a portable, encrypted external hard drive or USB instead of storing data directly on the laptop.  There’s a class of readily available hardware encrypted devices that are virtually unhackable and can be remotely wiped should they be lost or stolen.  And, these drives deploy the highest standards of protection with AES-256 encryption.   These highly secure drives even protect data and applications from malware like BadUSB. And their rugged design makes them nearly indestructible.  They’ve even been known to survive an autoclave! 

IronKey™ offers the most secure storage solutions and mobile workspaces available.  So, don’t be tomorrow’s headline.  Check out our healthcare security solutions today.

by

Could You Pass a Privacy Audit? Healthcare and Australia’s Privacy Regulations

 

Our special guest blogger, Elizabeth Parsons, is based in Melbourne and is responsible for growing the Imation Mobile Security business in Australia and New Zealand.  

Last year the Australian Federal Government ushered in a new set of Australian Privacy Principles (APPs) and in the process, dramatically overhauled the obligations of organisations regarding the collection, use, storage and security of personal data.  The changes were expected to have a big impact on data handling within the healthcare industry, as the regulations particularly targeted all Australian Government agencies, businesses with a turnover of more than $3 million or trade in personal information, and private health service providers.

Twelve months on, it’s timely to consider how well your organisation has responded to the new requirements, and to ask yourself:  Would your organisation pass a privacy audit if one was held tomorrow?

The Basics

One of the first changes that should have been introduced by every facility or institution is an updated, accessible privacy policy. This should advise individuals of your obligations, the kind of personal information collected, how it is collected, the purpose for collection, how an individual can access that information, and how they can make a complaint about any breaches of the APPs.

Following on from this, every organisation should also now have an internal guide to privacy compliance.  The aim of this is to ensure that the staff will understand the legal requirements when dealing with personal data. It should also articulate the organisation’s own rules and processes relating to collection and storage of data.

The Problem of Security

One of the most critical obligations under the APPs is security.  The eleventh privacy principle states:

“If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:

(a) from misuse, interference and loss; and

(b) from unauthorised access, modification or disclosure.”

And it’s here that, even today, many healthcare organisations find their privacy efforts falling short, because keeping data safe from accidental loss or malicious activity such as viruses, worms and hackers isn’t always straightforward or easy.

While most organisations have measures in place to secure data on the network, the main area of vulnerability is mobile data.  When a clinician carries patient data on their laptop from their consulting rooms to the hospital, what happens if the laptop is stolen?  Or when a USB stick is used to send information from one facility to another, what is the outcome if the USB is dropped and lost?

No matter whether confidential information is breached due to theft, malware, spyware, or just a simple accidental loss, there are serious consequences. Since 2014, failure to comply with Australia’s new privacy laws can leave an organisation liable for a fine of up to $1.7 million.

Doing away with mobility is not the answer.  The efficiencies and improvements to health outcomes arising from a more mobile health force are too great to ignore. Therefore, it’s clear healthcare facilities have to find a way to keep mobile data safe.

A Two-pronged Response

The solution is to adopt a two-pronged approach to mobile data security by only using drives that offer encryption supported by data management.

Encryption involves coding data on the drive so it remains unreadable to anyone who doesn’t have the right “key”.  If the USB or hard drive is lost or stolen, the contents remain obscured and inaccessible. One of the most appealing aspects of encryption is there are no technology barriers to its adoption, and compared to the cost of a data breach, the investment required is relatively insignificant.

The second part of the approach is a management capability that brings control to the data on the device.  For example, at some stage an employee will forget their password, rendering them unable to access the corporate network. With the right management capabilities, IT can not only reset the password but when the user logs on, they can cross-reference the IP address of their machine against a map in order to ascertain if the person is indeed who they say they are. If IT has any suspicions, they can remotely wipe the hardware device that the employee is working from and kill all encrypted data.  Management functions also enable IT to force a device to be in read-only mode, remotely make password changes and re-commission devices that are no longer in use.

Together, encryption and management ensure confidential and private information on USB and external drives to remain protected, even if the drive is lost or stolen and lands in someone else’s hands.

The 2014 changes to Australia’s privacy regulations have put the data management practices of Australia’s government agencies and private sector organisations under the spotlight. For the healthcare industry, securing confidential patient data has never been more important with the increasing amount of records being transferred to electronic records. Achieving the necessary degree of security requires more than good intentions. It demands a comprehensive mobile security solution built around strong encryption, robust identity management, and policy-based data management.

 

by

Equation Group Attack on Hard Drives – What Can Your Organization Do?

 

This week Moscow-based Kaspersky Lab published a report that examines a group of hackers, the Equation group, and the depths they have gone to for many years to spy.  The report outlines the attacks in detail and highlights, “the group’s attack technologies exceed anything we have ever seen before.  This is the ability to infect the hard drive firmware.”

As you consider your options, keep in mind there are a number of approaches to prevent the Equation group’s attack against hard drives.  

 A fundamental feature that every enterprise bound hard drive should have is preventing its firmware from being altered by an unauthorized agent.  The best protection against this vulnerability is to use code signing for firmware updates. Such devices will not allow unsigned firmware to be loaded onto the device.  As a further level of protection if somehow unsigned firmware was present on the device, it simply will not operate.

For your external hard drives I suggest these be replaced as soon as possible with drives that support firmware signing.

Protecting your internal hard drives is more difficult.  These drives could be infected at any time by self-replicating code such as “Fanny”, physical media (e.g. CD-ROMS), USB devices susceptible to BadUSB, and Web-based exploits. Swapping out internal hard drives is an expensive and time consuming proposition.  One option is to immediately switch to a Windows To Go flash drive that supports firmware signing for all of your critical systems as a hard drive replacement. 

Windows To Go equips users with a portable Windows corporate image.  It uses the flash drive as the system disk, completely insulating the user from the risk of any hard drive infections on the onboard hard drive. This is significantly less costly than replacing the computer’s internal hard drive with a FIPS-approved hard drive and can be easily done in the field without having to pull apart the computer. And, as an added benefit, Windows To Go drives can be centrally managed enabling organizations to track the devices and disable them if lost or stolen.

IronKey™ secure USB hard drive, flash storage and Windows To Go devices are not vulnerable to the Equation group’s malware or the BadUSB attack. IronKey’s leadership in security, including its use of digital signatures in all controller firmware, makes its products immune to these threats.

 

 

by

Thwarting the Insider Threat

 

Autumn is returning, reluctantly we’re turning our back on summer, and we are looking forward to the Holiday season. Undoubtedly, this comes with increased people taking vacations, working remotely, and the unlucky few taking their laptops on holidays. For many organizations, this is pretty risky business because the sensitive corporate information is now travelling along with their employees. Although many organizations rarely expect their loyal employees to steal company data, many are prepared for security attacks.

Following the Edward Snowden revelations in 2013, IT departments are now tasked with monitoring potential insider threats. Snowden’s work with US intelligence agencies put him in the position of a highly trusted employee, providing him with everything he needed to accomplish what he set out to do. There were no measures in place to prevent what was possibly the biggest information leak in the history of the US.

The risks come from those who intentionally misuse their access to data to cause a detrimental impact on the confidentiality and integrity of sensitive information.

Although there are a number of routes to secure intellectual property, if the authorities, from whom Snowden was stealing from, had a manageable and encrypted flash drive, such as an IronKey™ Windows To Go drive, they could have tracked the information from anywhere. Any activity on the drive could have been monitored from an on-premise or cloud-based management service. This would have ensured them the ability to restrict where the device could be used, or resort to remotely locking it down, so no one could access the data.

If data isn’t encrypted, its integrity can easily and quickly be compromised, and therefore it is essential to know where, and who, is accessing information. This can be difficult across a fragmented IT environment, however, companies need to be confident that if a device is considered to be compromised, they can remotely lock it down, wipe it, or initiate a self-destruct sequence to remove the data, to protect themselves and their stakeholders.

Protecting intellectual property should be a priority for all organizations. Disabling outdated user accounts when employees exit an organization, implementing policies with privileged account passwords, updating them regularly and limiting access to corporate systems, are all crucial to keeping data secure. That’s where the Windows to Go Drive comes in:  a secure, IT-managed, Microsoft certified USB drive that contains a fully functional corporate Windows desktop. Employees insert the Microsoft certified USB drives into their home computers, hot desks, or tablets that feature USB ports, and receive a secure desktop  as well as secure access to all applications they use in an office setting.

Unlike a virtualized or online remote access solution, this portable workspace offers full host computer isolation, which means documents cannot be saved to the host machine, but are saved to the USB drive.

This way, all data will remain secure without the threat of a potential data breach ensuring safety for all!

 

IronKey Workspace W700

by

Perspective on BadUSB

 

We recently learned that security researchers Karsten Nohl and Jakob Lell of Security Research Labs plan to present their research at Black Hat next week which consists of proof-of-concept malicious software called BadUSB. The premise of the BadUSB attack appears to be that you can change the firmware of the USB device. A fundamental feature of IronKey high security products is that changing the customized firmware is not possible. IronKey devices have digitally signed firmware with verification on start-up. If the firmware is tampered with, the device won’t function. This countermeasure has been validated by NIST in IronKey FIPS 140-2 Level 3 devices

Once the research is released we will carefully review to ensure there are no potential risks. We will then issue a statement. In the meantime if you have any questions please email securitysales@imation.com.

 

by

Heartbleed – Don’t Be the Next Victim

 

Heartbleed, the recently uncovered security bug in the open-source OpenSSL cryptography library, is yet another example of a serious security weakness. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. When information is stored where it can be accessed publicly and the secret keys are compromised— as in this case— confidential information such as the names and passwords of website users and the actual content and information are easily revealed to hackers. Fortunately for users of IronKey™, our products have NEVER contained the vulnerable version of OpenSSL, so your data remains IronKey strong.

 

Security vulnerabilities, like Heartbleed, remind enterprises just how dangerous it is to trust storing critical information in a publicly accessible location. Passwords, encryption keys and data are all at risk in these systems. If data must be stored publicly, then it should be encrypted using a security key that is fully protected from unauthorized access. Using a hardware-based secure storage technology, such as a secure USB flash drive, to store the key and encrypt the data is the only way to be sure no outside hacker will gain access to your data. And with centralized device management, enterprises can further enhance their security measures by administering usage, password and encryption policies; even remotely destroying a compromised device erasing every block of data and initiating its self-destruct sequence, rendering it unusable.

 

IronKey makes the world’s strongest, most secure storage devices, used by the most demanding enterprises and government agencies to protect their data. Don’t become the next victim. Think IronKey.

 

by

Windows XP Users – Have No Fear – Windows To Go is Here

 

It doesn’t have to be doomsday for the Enterprise hold outs looking to migrate off Windows XP.   With security and cost considerations heavily weighing on the decision to upgrade, the time to make the move is now.  And the good news is that there is a viable way to more easily transition off Windows XP to the latest Windows OS: the path is Windows To Go.  Microsoft Windows To Go is Windows 8.1 on a USB flash drive that you can boot on any compatible PC.  Simply put, it’s a PC on a Stick™.  Now you may be asking yourself questions such as “How do I get Windows To Go,”  “How much does it cost,” and “How secure is it?”

Windows To Go, one of the most exciting enterprise features of Windows 8.1, enables workers to be productive from any location using a compatible PC of their choice. This solution is ideal for mobile workers, teleworkers, contractors and organizations that want to extend the life of their old computing machines.   Now, just imagine how easily you can manage the XP end of life issue. Instead of re-imaging all of your machines, just hand out Windows 8.1 desktops on USB sticks for use on your employees’ existing machines.  Thanks to Windows To Go, your employees can now use the latest Microsoft 8.1 OS while your organization realizes significant cost savings.

How do I get Windows To Go?  First let’s address the licensing aspect.  Organizations can get Windows To Go licenses for free if they have a Microsoft Software Assurance Agreement.  This means that with the Windows To Go rights under Software Assurance, an employee will be able to use Windows To Go on any company PC licensed with Software Assurance as well as from their home PC.    If there is not an agreement in place, contact your local Microsoft representative.  Also, organizations don’t necessarily need to outfit their entire organization with the license; only those employees who need it.

Microsoft only supports Microsoft-certified Windows To Go USB drives. Certified drives are optimized to meet the necessary requirements for booting and running Windows 8.1 from a USB drive.  Enter IronKey™ USB drives, which have earned a reputation for being the world’s most secure storage flash drives.

With IronKey Workspace ™ drives, workers can be equipped with a fully manageable corporate Windows 8.1 OS image complete with all their applications and security policies— all provisioned on a Microsoft-certified USB 3.0 drive.   You don’t even need to worry about malware or other security risks as the Windows To Go device boots directly off the workspace device— and not the potentially unsecured host machine.  Once the drive is installed into a compatible computer, the user can access the host PC’s hardware and resources such as monitors, CPUs and network connections.  With our advanced options including centralized device management and provisioning, IronKey Workspace can transform any compatible computer into an IT-provisioned, IT-managed and IT-secured workstation for a fraction of the price of issuing a laptop.

How much does it cost?  In the last year, several IronKey Workspace devices with various features in different capacities have become available.  The products start at US $129 with the hardware encrypted drives starting at US $175.

How secure is it?  The IronKey Workspace product line offers different levels of security– ranging from Bitlocker encryption to AES 256-bit hardware encryption.  The newest product, the IronKey Workspace 700™, is currently undergoing FIPS Level-140-2 Level 3 certification, which will make this the most secure Windows To Go drive on the market.

So if you’re looking to move off of Windows XP, consider Windows To Go and IronKey Workspace a secure and cost-efficient way to make this a smooth transition.

 

by

Encryption and Management are the Keys to Securing the Mobile Workforce: Secure Mobility Face-off, Part 2

 

I’m perplexed. Why don’t more companies encrypt their employees’ sensitive data? There is no technology barrier and the cost is insignificant compared to the cost of a data breach.

In a world where a data breach can cause tens or hundreds of thousands of dollars in fines that are only magnified by negative publicity, why wouldn’t every organization simply enforce encryption on data at rest – in servers, on laptops, and on USB drives – as a basic standard for doing business?

The need for encryption everywhere is further magnified by BYOD. IT leaders are waking up to the opportunity to extend BYOD strategies to PCs using technology like Windows To Go to reduce costs and improve productivity.

With Windows To Go, users can now put their entire Windows 8.1 operating system with their applications on a certified Microsoft USB drive, e.g., your whole PC on a Stick ™. The drive should be encrypted and ideally hardware encrypted to protect your private files from both brute force and physical attacks.

Strong Mobile Device Security – Encryption + Management

But encryption only gets you so far. What if a formerly trusted employee walks off with their drive, or what if their password is compromised? As an IT customer at a university recently told us:

“An unmanaged USB is like a time bomb.”

Encryption and management go hand in hand. Management improves the user experience by automating authentication for lost passwords. Systems like IronKey Enterprise Management ™ allow devices to be tracked whenever they are plugged into an Internet-connected PC, and even enable remote kill commands, so that a lost device can be completely disabled from afar.

This capability means that in a BYOD scenario, a hardware encrypted, IT managed Windows To Go PC on a Stick actually offers greater security than the typical PC deployment!

If you want to learn more, see our latest whitepaper for an in-depth look at how organizations can use Windows To Go to empower and secure their mobile workforce.