IronKey

Mobile Data Security Blog


by

California Cracks Down: Companies Must Encrypt Personal Data

The California Attorney General has issued a major data breach report, finding that more than 2.5 million people were affected by 131 reported data breaches within the state, with 56% of the breaches including disclosure of Social Security numbers.

California Attorney General Kamala Harris is calling for wider use of encryption and increased training for employees and contractors on handling personal information. InfoWorld reports that, “her office “will make it an enforcement priority to investigate breaches involving unencrypted personal information” and will “encourage … law-enforcement agencies to similarly prioritize these investigations.”  She also recommends employee and contractor training on how to handle personal information.

Imation did its own review of U.S. data breach laws in 2012, and created the “heat map” graphic below, based on the strictness of those laws. California was a forerunner in data breach laws; while most state laws are similar, requirements and penalties vary widely.

As we’ve noted before, encryption is the foundation for protecting personal data. 

Having data encrypted at the time of the breach means, under most (but not all) of these laws, (because the data is unreadable) that loss or theft of a USB device or laptop doesn’t require reporting. Also, as the California report notes, keep security awareness campaigns active so workers stay alert to the risks.

By taking a few pragmatic precautions, the majority of risks can be greatly mitigated. So the next time an employee loses a notebook or an encrypted flash drive that held protected data, if it’s been properly encrypted and managed you’ll have may well have endured a non-event.

Compliance Heat Map

Imation Compliance Heat Map. Click to view full-sized image.

by

The Thumb Drive Conundrum: Managed USB and Encrypted Flash Drives Attack the Insider Threat

The revelation that Edward Snowden absconded from NSA with secret files on a thumb drive has generated predictable gnashing of teeth about the use of portable USB drives in secure organizations. At the same time, government and business organizations are successfully implementing secure deployments of portable USB drives so that employees can transport data they need to be productive.

The technology issue is one of competing needs: To be productive, mobile employees need the mobility, offline storage and security afforded by USB drives. To secure data, IT needs control of how employees move information and what information is moved.

The fact is that today, IT can take control without blocking USB ports. We’re not sure what safeguards the NSA had in place, but there are technologies that could prevent or mitigate this kind of insider threat. For example, secure enterprise device management software can offer:

Device Location – with managed USB drives, software can show the locations of every managed device when they connect to the Internet on a map. This allows tracking of a device that has “gone rogue” and could aid in recovery.

The “Silver Bullet” – the ability to either password-disable or perform a remote kill to completely disable the device if it goes missing or someone is suspected of copying data they should not have on the drive.

Geofencing, IP Blocking – It is possible to add rule features so that unless the device meets certain conditions, the data is automatically wiped. For example, IT could enable “geofencing” so that if device is outside the country, the data is wiped – or if it is on an unapproved network, or outside a certain IP range.

Have a Consistent Data Security Policy

It’s really a matter of having a consistent policy for your data at rest.  Many organizations require their PCs and Macs to have full disk encryption enabled.  But that policy is not enforced when it comes to removable media like a USB drive.  By using a manageable and encrypted storage device you can maintain a secure policy for your data no matter where it goes.

If we look at the SANS Top 20 Security Controls, Critical Control #17 – Data Loss Prevention specifically addresses how best to handle sensitive data and prevent it from leaving your organization without permission.  The advice from SANS is to, “deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data,” and that “enterprise software should be used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices.”

For workers who travel, teleworkers shifting between work and home, or contractors working with your data, a secure, managed USB thumb drive is more secure than online file sharing, and certainly better than unencrypted and unmanaged notebook computers, USB devices and smartphones. And management adds an extra layer of security against both external and insider threats.  IT can address a number of potential security threats by implementing policies that require uses to use encrypted flash drives.

by

The Security You Need

Organizations have different security needs, and different departments require different levels of security. When we brought together portable USB security leaders MXI Security, IronKey, and Imation’s Defender collection to form the Imation Mobile Security group, our opportunity was to bring together the best of these technology leaders, so we could have a portfolio of products to satisfy all security levels.

Today, we are announcing that we have unified these powerful technologies under the IronKey brand, one of the most trusted and recognized in the security business. Beyond the iconic IronKey secure flash drives, the Imation Defender Collection is now included under the IronKey brand.

The overall result of this rebranding is a simpler, more streamlined product set.  Customers now can turn to the IronKey portfolio for hardware encrypted USB flash and hard disk drives with biometric authentication, manage drives with the IronKey ACCESS on-premise device management system, and find encrypted USB drives compatible with McAfee ePO software. All this in addition to the iconic IronKey 250 drives – called The World’s Most Secure Flash Drive™ — and the new IronKey Workspace family for Windows To Go.

secure-portable-storage-products-large (2)

IronKey Secure Portable Storage Products

Visit www.ironkey.com to view the full portfolio, and find the right solution for your organization.

by

Bring out the heavy hardware to protect passwords

Use strong passwords, un-guessable security codes and hardware encryption to defeat advanced threats

As long as you have a password in place, your data is protected, right? The number and types of breaches we saw in 2012 challenge this notion. From LinkedIn to eHarmony to Twitter, cyber thieves have been on the hunt to break the barriers of thousands of simple passwords. And what is most chilling? it’s not going to stop.

Passwords have been around since the dawn of the digital age, but they are not well understood. Simple, overused passwords can’t protect data from even low-skilled hackers. And people are people, and even when they are outfitted with The World’s Most Secure Flash Drive, need a reminder that making your password “password” is no longer (if ever) considered clever or safe.

With rising attention to data privacy and increasing risk of data breaches, there will be more encryption across all devices and platforms in 2013. Which means that it is never too soon to revisit the password. Here are four best practices organizations should follow to improve password strength their organization:

  1. Passwords must be longer, stronger and un-guessable
    Passwords protected in software are subject to offline brute force attacks, which is why web service hacks can be so devastating. Attackers can go through a database of passwords they have obtained and crack them at their leisure.  It is remarkable the number of individuals who use the password “password” or “123456”. These passwords are often the first ones breached by cyber-thieves, as can be noted in last years LinkedIn and Twitter breaches.

    • Instead, choose a unique password, with character complexity and a combination of both letters and numbers. A strong password should be at least 12 characters long. The rule is that the longer the password, the longer it will protect you. A good hacker can breach an 8-character password in a few days; a 15 character password might take a year.
    • To make the password even stronger, the character complexity should be at random, as complexity alone is not enough to stop a hacker in today’s digital age. Having a strong password makes offline attacks much more difficult for hackers.
  2. Remember Personal Information is Out There
    With today’s heavy social media presence, the names of your dog or your mother’s maiden name are no longer confidential information. The public has access to the information you post on your social media site, and unwittingly offer clues to clever hackers. When choosing security questions for password recovery, be mindful of the information that is public, and create passwords that revolve around something actually “private.”
  3. Use Hardware Encryption to Combat Advanced Software Threads
    Avoiding the threat of brute force attacks on passwords requires heavier hardware – hardware encryption, that is. A password protected in the right kind of hardware makes security simpler, because this kind of brute force attack to decrypt the password is not possible. The hardware will lock up after a low number of attempts (set by policy), and then the attack stops.

And finally, a bonus point: Remember to set strong policies and educate employees. Cyber-thieves are becoming more sophisticated, and strong passwords are the best defense. Organizations must create stricter guidelines for employee password security in order to keep their employee’s personal and the company’s corporate data secure.

by

The 4 Benefits of USB 3.0—Are You Ready For This?

The USB flash drive is back. Often an afterthought in the buzz about BYOD, USB flash drives is once again becoming increasingly indispensable tools for the mobile worker.

What’s driving the resurgence of the USB stick?

  1. Windows To Go – Windows 8 Enterprise features Windows To Go, which lets you create a bootable, full featured Windows 8 desktop that runs securely from a certified USB drive. The solution is ideal for teleworkers and contractors who might want to use their own compatible computer setup but in a secure corporate environment. 
  2. Speed – Compared to the 12 Mbps speed of USB 1.1 and the 450 Mbps of USB 2.0, the “SuperSpeed” interface of USB 3.0 tries to live up to its name with a theoretical 5.0 Gbps (5,120Mbps) of bandwidth.
  3. Power – With a constantly expanding list of accessories and portable devices, bus-powered hardware has been pushing the limits of what USB 2.0 could handle. First, the 3.0 specification allows up to 80% more power consumption for devices running at “SuperSpeed.” Second, USB 3.0 includes an enhanced version of the USB-B connector called Powered-B, which allows USB accessories to draw power from peripheral devices, as well as hosts.
  4. Crossover Connection – In trying to establish a more robust ecosystem of USB devices, new features are implemented in the USB 3.0 to allow for cross-communication between hardware. USB 3.0 includes an established method of host-to-host communication through a crossover USB A to USB A cable. Additionally, USB 3.0 builds on the “USB On-The-Go” principles of allowing portable devices, such as smartphones, to act as either a USB device or a USB host, increasing their feature set and usability with existing USB devices.

It is this speed and power that make USB 3.0 drives the platform for USB drives certified for Windows To Go. Using USB 3.0 drives like our IronKey Workspace deliver a seamless experience booting and running Windows and productivity applications from a USB drive rather than the internal hard drive. This next iteration of the USB is really exciting as increased speeds, power and connection will prove beneficial to the mobile workforce.

by

Obama’s Executive Order and Critical Infrastructure Protection

The big news this week in cybersecurity was the Executive Order from President Obama regarding our nation’s critical infrastructure, a catch-all term that includes power plants, water treatment plants and a lot of other utilities and services that, if impeded, could impact our lives in significant ways.

Reading through the text, the Order mainly allows for information exchange between government entities tracking nefarious interests and the private organizations running the critical infrastructure those nefarious interests would aim to sabotage. Certainly, this sharing of data can only help. By learning what the government is hearing, the companies will no doubt be better armed to know where an attack might be coming from.

Perhaps the biggest positive result of the President’s move is that the spotlight is now on the issue of critical infrastructure protection, at least for the time being. And I think it’s easy for anyone to conclude that the executive order does not go nearly far enough in providing guidance or dictating rules so that the infrastructure can be best protected.

Critical infrastructure protection is a complicated beast, made ever the more complicated because of the changing nature of the workplace. As an example, we live in a world that is more and more mobile. Even the U.S. government is encouraging its agencies to support mobile work environments. But a mobile world introduces new attack vectors for those who wish to do harm, let alone the vectors that already exist in our interconnected computing environments.

It can be a daunting challenge to secure these environments. Organizations are being targeted through remote attacks and their employees are also being targeted as travelers so they bring back malicious threats into the organization. As we’ve seen on more than one occasion, employees at many organizations have inadvertently carried malware and other malicious software into their work areas and have accidentally installed that software onto IT infrastructure.

The security industry needs to give organizations an advantage over malicious software.  A comprehensive approach to cybersecurity will address these and other scenarios.

One place to start is where our IronKey solutions sit– providing secure, mobile workspaces that are centrally managed. This allows employees at any company, let alone those operating our critical infrastructure, to work in any environment without risking a security compromise.

Solutions that involve hardware encryption, encryption key management, and strong administrative and access management controls should be incorporated into any government-driven requirements for critical infrastructure IT systems.

by

The Mobile Worker – A Look Back and a Look Ahead

In 2011, there were approximately 1.3 billion mobile workers and this number is expected to grow to 1.6 billion by 2015, according to IDC.  And as the breadth of our mobile workforce expands, the opportunity for targeted data breaches is increasing exponentially as well.

The rise of the teleworker is a boon to business and government organizations. At the same time, the expanding mobile workforce is fueling the evolving threat landscape — Symantec’s 2012 Norton Cybercrime Report notes that cybercriminals targeting mobile devices and mobile vulnerabilities doubled from 2010 to 2011.  IT departments must find new ways to protect corporate data at risk of malicious penetration from the outside, and malicious or careless insiders as well.

So what does this mean for the IT department? A new generation of mobile workers needs secure, portable workspace environments, and secure mobile device control systems.

Here’s another look at our advice for IT departments managing a worker-on-the-go:

  • Staff need to be educated on the responsibilities of handling mobile devices and the data security risks
    Proper training has to be a major part of educating staff on how to use mobile technology in order to do their jobs without risking a data breach.
  • Implement secure computing solutions that allow employees secure access to what they need
    Teleworkers need to be able to conduct their daily business from any location and must therefore be equipped with hardware encrypted solutions with strong user authentication.
  • Provide a secure platform that locks down the host-computer
    As organizations continue to accept that mobile workspaces are extremely convenient and flexible, advanced centralized deployment and management are key elements of maintaining and controlling a secure environment.
  • Make it easy and convenient enough to avoid workarounds
    Mobile devices must act like the desktop an employee has left at their office otherwise users will inevitably break security protocols.

Employees and IT organizations should learn from the security-related mistakes of the past. Technological advancements to the ways in which we work will continue to evolve and while it is not something that we want to stop but we must leverage the lessons learned and be smarter about mobile safety.

by

Welcome to the New IronKey

IronKey is back, and bigger than ever.

Last October, I wrote about what it means for the IronKey brand to be a part of Imation. We’ve been working hard to retell the story of IronKey, and to expand our IronKey line to meet a wider array of secure storage needs.

You can see the first phase of the results in living color on the new IronKey.com, launched this week, where you’ll find the latest on our IronKey Workspace and latest high-security IronKey X250 flash drives.

Over the next 90 days, you’ll see us further extending the IronKey brand to our Defender line of secure flash drives and hard disk drives. With their origins at Imation and MXI Security, these are some of the highest security drives available, and offer unique features such as biometric authentication. And look for new -products from us in the coming months to help you secure  your mobile workforce.

We hope you’ll find the new IronKey.com a richer experience that informs and inspires – and helps you more quickly get to the tools you need to safeguard your organization.  Let me know what you think of our new online home at imsblog@imation.com.

by

Secure Working can’t be Optional

Data Security Holes Shown In Global IT

Recently Imation released the results of a study which reveal some important home truths about the current attitude of workforces across Europe towards remote working. The survey, conducted across the UK, France and Germany, also highlighted worrying shortcomings in Europe’s major IT markets around secure remote working in terms of both technology and policy.
Read More

by

Imation and the IronKey Brand

A Powerful Platform for Secure USB Storage

I hope you’ve seen our announcement today, that Imation will unify its Mobile Security portfolio around the IronKey brand.

Of course, some of you might be thinking: What’s the big deal about a brand?  Well, it actually is a big deal, for us and for you, too.  Here’s some background.
Read More