The Data Security Experts' Blog

UnDead Data

In honor of National Zombie awareness month, and my office’s obsession with AMC’s The Walking Dead, we thought it might be fun to discuss the similarities between zombies and data.

A zombie is (paraphrasing dictionary.com) the body of a dead person given the semblance of life, usually for some evil purpose (e.g., eating your brains). The key for our purposes here is that something we thought was gone and never to be heard from again has come back to haunt and/or devour us.

There are myriad instances where data that was thought to have been properly disposed of has come back to cause all sorts of problems to organizations and individuals, and these incidents get very expensive, very quickly. So how do we prevent this zombie that is our data from coming back and devouring our profits?

Many organizations think it is enough to simply delete files or reformat drives. This is the equivalent of a shot to the kneecap or chest. While it may slow the zombie down, it's not going to kill the undead. The only sure, bullet-in-the-head solution is to use a professional zombie killer, like Reclamere, who will offer you a 100% guarantee that you will never see that data again.

To learn more about Reclamere and our zombie killing – or – data destruction services, visit our website at www.reclamere.com.


HIPAA Data Breach Response Requirements Continue To Evolve

HIPAA has a variety of requirements that healthcare providers should be aware of regarding data security and data breach response. Below are some common questions and responses:

What are HIPAA requirements with regard to plans for data loss & recovery?

Providers are required to establish a contingency plan to deal with emergencies or events that impact EHR systems, as detailed in HIPAA Part 164.308(a)(7)(i). The disaster recovery requirements are demanding and challenging for most companies, but compliance is attainable.

What considerations are relevant when providers are developing data backup plans and disaster recovery plans?

Essentially, HIPAA requires the use of regularly scheduled, updated living documents. This is to ensure that as requirements and methodologies evolve, contingency plans are reviewed and updated accordingly.

Contingency plan documents structured simply to comply with HIPAA are inadequate. Specifics must be outlined with regard to responsible parties, possible vendors, software, and hardware. Collectively, all efforts must yield a fully comprehensive strategy for disaster recovery.

How have data management backup services evolved and changed over the past decade?

HIPAA mandates are becoming more complex in order to move providers toward respected data management companies. The days of merely duplicating and archiving data are over. Providers are now expected to comply with expert data management processes and procedures.

What should providers avoid doing when selecting data management expertise?

The most important aspect to consider is that full responsibility for data security can NOT be transferred to a service. Under HIPAA, healthcare providers are ultimately responsible for the security of patient medical data. However, in a contractual relationship, a data security provider does carry some responsibility.

For further assistance in finding efficient and reliable means for meeting HIPAA requirements, please contact us.


HIPAA Business Associates Security Requirements

Can your company afford to lose up to $1.5 million a year? That’s what a company can potentially be fined by the government for violating HIPAA Business Associates security requirements. That’s a big dent in your wallet. So, how do you know if you could be affected, and if so, what can you do about it?

HIPAA stands for Health Insurance Portability and Accountability Act. Despite its name, it actually deals with more than just insurance. Basically, this is the law that governs the protection of health information. It is this law that prevents just anyone off the street from walking into your doctor’s office and getting the details of your last prostate exam. It is also the law that fines an insurance company for tossing sensitive information into the trash rather than disposing of it appropriately.

And just because you are not an actual healthcare provider or insurance company, doesn’t mean you can breathe a sigh of relief. The law was recently expanded to include organizations that are business associates of healthcare providers and even subcontractors of that business associate. Any downstream vendors that have any contact with private health information are now affected by this law, including the potentially hefty fines mentioned.

No business can afford to have their bottom line affected like that. Even if the financial impact is not enough to sink your company, the lack of trust from customers due to loss of such sensitive and private information will. That's why it is so important to do everything in your power to protect data and properly dispose of information. The most effective way to do this is by enlisting the help of a qualified data security expert.

For more information on how HIPAA can impact your company, how you can protect yourself, and, perhaps most importantly, how you can protect the private data of innocent consumers, please contact us.


Hacker Group Compromises Major Corporation

A hacker group compromises a major corporation and hides in the shadows for months, silently reading e-mails and monitoring traffic. The hackers notify the company and make demands. The FBI infiltrates the hacker group until the mole is exposed and expunged.

This sounds like a movie, but this is real life. The latest release by the hacker collective Hack the Planet (or HTP) details their Internet (mis)adventures of smashing and pillaging servers in order to get hold of data for nothing more than sheer enjoyment. MIT, EDUCAUSE, Linode, Nmap, Sucuri, NIST, Wireshark, Sourceforge, Debian, Python, Mercurial, MoinMoin, and Wget are some of the targets most recently compromised. The scariest part is that nobody would ever know about these high-level security breaches if not for HTP releasing a zine bragging about these accomplishments.

As somebody who lurks in the Internet underground, monitors activity, and frequently interacts with some of the HTP hackers, these are the hackers that corporations need to fear: the hackers that can infiltrate a network, camp out for months, and then leave without anybody ever batting an eye; the skilled hackers that steal data but NEVER brag about it.

Today, it is no longer a question of if your corporation is going to get hacked; it's a question of when it will be hacked. Eventually, you will be compromised. So what can you do?

- Implement a “least privilege” policy where users are only granted the minimal access needed.

- Apply access controls and keep systems updated so that an attacker cannot escalate privileges to administrator-level access.

- Develop an Incident Response Plan to follow when the breach happens to quickly, efficiently expunge the hackers and lock down the network with minimal collateral damage.

- Test your own networks by conducting simulated attacks on your network so that you can patch up your weak points before the “bad guys” get there.

Contact Reclamere today and let us design and/or refine your Incident Response Plan. And if you’re brave enough, let our ethical hackers attempt to infiltrate your network.


Small Business Cyber Security Threat Protection Should be a Top Priority

During a recent State of the Union Address, President Obama announced he had signed a new cyber security executive order. The President stated, “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

Recent cyber-attacks against news outlets, major banks, the Department of Energy and the Federal Reserve have shown how critical it is to strengthen the nation's cyber security. Some analysts have praised the President's sensible solutions, but individual businesses remain responsible for securing their own organizations.

Certain types of businesses are more likely to be victims of a major cyber attack. The industries most at risk of cyber attacks are those who compete with the Chinese. This includes businesses in the telecommunications, aerospace, finance and energy sectors, as well as any businesses related to these industries. Other organizations and industries that focus on controversial China-related issues and information, such as human rights, may also be at risk. However, a common misconception is that small businesses are less likely targets for international hackers because of the size of the organization. On the contrary, protection against small business cyber security threats should be a top priority.

Not only are certain types of businesses likely targets of cybercrimes, but associates and consultants engaged with those types of businesses are also high risk targets. Small businesses can be used as a portal to gain access to the larger corporation, which is the real target. For example, in 2009 Lockheed Martin was targeted by Chinese hackers looking for information on the Joint Strike Fighter. Hackers targeted information available on the computers of Lockheed contractors and used those systems to bridge the way into Lockheed Martin. In today's global marketplace, it is critical that a small business assesses the likelihood of being a direct target, as well as a catalyst target of affiliated companies, in order to maintain top-level security.

International cybercrime is a growing threat, and any small business connected to the Internet is vulnerable to the run-of-the-mill type of cyber criminal looking to steal information, money, or both. Basic tools like encryption, employee education, and maintaining secure devices are only the beginning. If you are concerned about the cyber security of your small business, our data security programs can help ensure information security and data breach prevention. Contact us for more information.


Workplace Computer Misconduct Jeopardizes Your Data Security

Could the combination of computer technology and employee misconduct jeopardize your data security? The answer is yes. Workplace computer misconduct threatens the security of important, sensitive company data every day.

Insider fraud perpetrated by employees and contractors has become a common menace that could result in malicious attacks or data theft. Typically, organizations focus on preventing outside attacks but neglect to realize that tomorrow's hacker could be sitting in today's weekly meeting. Meanwhile, departing employees or current personnel with low job satisfaction levels could hijack your company's social media account. Not only could this prove embarrassing, but such activity could pose a security threat through the use of an internal account to import or harass social media connections or to make statements under the company name. It is essential to make sure someone in a high-level management position maintains control of all social media and that passwords never leave with departing employees.

Employee access to harmful sites or sites containing illegal material could also prove disastrous. Company policies prohibiting access to certain types of sites must be explicitly spelled out to employees, as well as the consequences, in order to protect against potential data breach.

Employee access to company data from personal devices, whether downloading or emailing files, always carries the risk of data loss. Often, data is not deleted from the personal device, rendering it vulnerable and susceptible to inappropriate use. Personal devices may not be well protected, or a departing employee could keep the data and potentially use it at another place of employment. Strict policies with equally firm consequences need to be implemented with regard to when and how an employee can access and transfer data.

Beware of cloud storage! Cloud computing has made it incredibly easy to transfer and store large quantities of data that could be shared with competitors. It is important to make sure your systems are secure against contact with unauthorized clouds.

Data security courses, well-written nondisclosure agreements and service level agreements, and monitoring employee computer conduct will ensure the security of company data. However, it is important to consult with a Data Security Expert, such as those at Reclamere, to provide invaluable insight and solutions to all of your data security concerns and needs. Contact us for more information on preventing workplace computer misconduct.


What IT Asset Chain of Custody Means for You

Imagine one of your company’s computers, data intact, is discovered at the local dump, or worse, for sale on eBay. This truly is the information age, when a truckload of information-rich hardware is practically worth more than the same truck full of cash. In fact, data breaches involving electronic assets can result in fines and even more serious legal consequences. So how can you protect yourself, your company, and untold numbers of innocent others? A vital part of the security of your IT disposal program is chain of custody.

Understanding the importance of IT asset chain of custody and your role in it is the basis of its effectiveness. No company can afford to leave it solely in the hands of its disposal company while taking no active role in it itself. It's this type of thinking that leads to insider crimes potentially being your biggest threat.

You can have the most effective IT asset disposal company, but if disposal inventory is being manipulated just prior to delivery, then all other security efforts are for naught – chain of custody starts at home, so to speak.

Organizations must create a formal IT asset disposal chain of custody policy. All staff must be clearly informed of these policies, preventing the common excuses that insiders use to justify their theft. It's also important that your chain of custody program is verifiable by an independent third party, minimizing conflicts of interest and documenting accountability.

It is only by beginning the chain of custody process behind your own doors that you can effectively coordinate with your data disposal company. Inquire as to their own chain of custody process, ensuring that they provide documentation of each hand-off and stage of disposal for audit purposes.

Prevention is the most effective process. To find out more about how to secure your IT assets, including chain of custody, please contact us. Don’t let your organization be responsible for the wrong equipment, or worse, the wrong data, ending up in the wrong place.


Techniques for Solid-State Hard Drive Sanitization Not the Same for Magnetic Drives

Solid-state hard drives (SSDs) provide excellent performance and a stable platform. They are a great addition to any computer system, but SSDs should not be confused with their magnetic counterparts. Because the technology used is different from standard hard disk drives, other techniques are needed to securely sanitize the data stored on solid-state drives.

How do SSDs work?

An SSD is composed of many memory chips similar to those in USB flash drives. These kinds of memory write data in pages and blocks. The problem for securing data arises in the method by which these pages and blocks are accessed and written. New data is mapped through a "flash translation layer" (FTL) to a new position in the memory, and the "logical block address" (LBA) that the ATA or SCSI controller uses for this data is pointed at that new memory location. For detailed findings from the Non-Volatile Systems Laboratory at the University of California San Diego, please visit this link. Their publications are in PDF format.

Why is this read-write method a problem?

When new data is written to these drives, only the mapping for the LBA concerned is updated; the LBA informs the internal hardware of the drive as to which chip, which block, and which page to access, and the FTL simply points it at a freshly written page. Since the page holding the old data is untouched, that data was never really replaced; instead, there is only the appearance that it had been erased.

Are there methods to erase data on SSDs?

Yes, there are. One known method is called crypto-erasure.

ComputerWorld describes crypto-erasure in this summary:

“Crypto-erasure involves first encrypting an SSD so that only users holding passwords can access its data. When the SSD is at end of life, the user can delete the encryption keys on the drive, eliminating the possibility of unencrypting or accessing the data.”

As SSDs are still a new technology, it should be remembered that with research new techniques will come about that can more effectively erase data so that users are certain their data is secure.
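The toy flash translation layer below is an added illustration, not code from this post, from Reclamere, or from any drive vendor. It models both points made above: overwriting an LBA only remaps it, so the old page survives in the NAND for a raw read; and crypto-erasure makes every page unreadable once the key is destroyed. The cipher is a constructed stand-in keystream built from HMAC-SHA256, standing in for the AES a real self-encrypting drive would use.

```python
import hashlib
import hmac
import os

PAGE_SIZE = 16
ERASED = b"\xff" * PAGE_SIZE  # NAND erase state is all ones


class ToySSD:
    """Minimal FTL model: LBAs are remapped to fresh pages on every write."""

    def __init__(self, n_pages: int, encrypt: bool = False):
        self.pages = [ERASED] * n_pages      # physical NAND pages
        self.lba_map: dict[int, int] = {}    # FTL: LBA -> physical page
        self.next_free = 0
        # Per-drive key, as on a self-encrypting drive. None = plaintext drive.
        self.key = os.urandom(32) if encrypt else None

    def _keystream(self, page_no: int) -> bytes:
        # Constructed stand-in for the drive's AES: PRF(key, page number).
        msg = page_no.to_bytes(4, "big")
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:PAGE_SIZE]

    @staticmethod
    def _xor(a: bytes, b: bytes) -> bytes:
        return bytes(x ^ y for x, y in zip(a, b))

    def write(self, lba: int, data: bytes) -> None:
        data = data.ljust(PAGE_SIZE, b"\x00")[:PAGE_SIZE]
        if self.next_free >= len(self.pages):
            raise RuntimeError("no free pages (garbage collection not modelled)")
        page = self.next_free
        self.next_free += 1
        if self.key is not None:
            data = self._xor(data, self._keystream(page))
        self.pages[page] = data
        self.lba_map[lba] = page  # remap only; the previous page is NOT touched

    def read(self, lba: int) -> bytes:
        """What the host sees through the ATA/SCSI interface."""
        page = self.lba_map[lba]
        data = self.pages[page]
        if self.key is not None:
            data = self._xor(data, self._keystream(page))
        return data

    def raw_pages_containing(self, needle: bytes) -> list[int]:
        """What a chip-off / raw NAND read sees: every page, mapped or stale."""
        return [i for i, p in enumerate(self.pages) if needle in p]

    def crypto_erase(self) -> None:
        self.key = None  # destroy the key; ciphertext stays but is unreadable


def demo_plain_overwrite():
    """Overwrite on an unencrypted drive: host sees zeros, NAND keeps the record."""
    ssd = ToySSD(4)
    ssd.write(0, b"PATIENT:ACCT#017")   # constructed sample record
    ssd.write(0, b"0" * PAGE_SIZE)      # 'wipe' by overwriting the same LBA
    return ssd.read(0), ssd.raw_pages_containing(b"PATIENT")


def demo_crypto_erase():
    """Same record on an encrypted drive, before and after key destruction."""
    ssd = ToySSD(4, encrypt=True)
    ssd.write(0, b"PATIENT:ACCT#017")
    before = ssd.read(0)
    ssd.crypto_erase()
    return before, ssd.read(0), ssd.raw_pages_containing(b"PATIENT")
```

In the plaintext case the stale copy is still found on page 0 even though the host reads zeros; in the encrypted case the record is never visible in the NAND, and after the key is destroyed even the mapped LBA reads back as ciphertext.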

Solid-state drives make a great improvement in performance for computer systems and are incredibly stable. You should make a decision for your sensitive data as to when performance outweighs security. In cases where performance is not vital, using standard magnetic hard disk drives may provide a better solution.

Reclamere, Inc. specializes in services to recover lost data as well as to securely erase sensitive data. If our services are needed by your business or organization, please contact us so we can provide you more detailed information that meets your needs.


Small Business Security Threats Increase During Tax Season

As tax season approaches, of course you know it’s time to gather your paperwork and make sure your accounting is up to date. But what you might not realize is that this is also prime time for small business security threats. In the chaos of preparing for tax season while still running your business, it’s easy to get so busy that you neglect your data security needs.

Cyber attacks targeting small to mid-sized businesses are becoming more common, and tax time is an ideal opportunity for hackers to intercept all of the personal financial information making its way around the internet. Why are SMBs such an easy target? Without a dedicated IT staff or a hefty budget, they often don’t have the kinds of resources dedicated to security that larger enterprises do.

So what can you do?

First, play it safe when sending or responding to email. Phishing has become more sophisticated and isn't always easy to identify. In general, the IRS or your bank isn't going to send you an email asking you for sensitive information. Never respond to any suspicious email or log in from a link sent to you via email. Instead, always log into the site securely from the organization's website.

Next, be sure your firewall is secure and that you have security software in place before you input any sensitive financial data on your computer. Also make sure that you have up-to-date anti-malware software installed and that your wireless network is secure.

Is your company’s data safe from scammers and hackers? If you’re not certain, our Data Breach Risk Assessment (DBRA) is a great tool to figure it out. We can analyze and evaluate your current situation and help you determine the best plan of action to secure your information. From there, we can assist you in the implementation of security measures to make sure that your data is safe going forward.

For a quick assessment on your data security, take our Security Survey. To learn more about our services and how we can help keep your important data secure, contact us.


Leprechauns as Computer Hackers? Hey, You Never Know…

With St. Patrick’s Day just around the corner, here’s a little something to ponder with your green beer: Have you ever considered that some computer hackers might just be leprechauns?

What—leprechauns as computer hackers? Sure, it sounds a little crazy, but think about it for a moment. Hackers and leprechauns have quite a few common traits:

Leprechauns are solitary creatures who enjoy practical jokes. Many hackers tend to spend time alone rather than interacting socially with others. Because of their intense focus on programming, they may spend most of their days sitting at the computer. As for practical jokes, many hackers are really just pranksters with advanced technology on their side.

Leprechauns are smart—and devious. They’re generally harmless, but the tricks they play can lead to problems. There’s no doubt most hackers are intensely curious and highly intelligent individuals. It takes brains to infiltrate a secure network or create a zombie computer. But their clever ways can cause trouble, even if the consequences are unintended.

Leprechauns remain well hidden and are hard to find. They will do anything to escape capture. Legend has it that in the rare instance a leprechaun does get captured, it will use magical powers to escape, such as granting three wishes, or simply vanishing into thin air. Hackers are hard to catch, too. Because of the nature of their work, they do sometimes seem to disappear. Prosecuting a hacker can be even more complicated than finding them in the first place. A hacker can commit a crime from the opposite side of the globe, and the ensuing extradition and prosecution process can go on for years.

Leprechauns are neither fully good nor fully evil. According to The Project Gutenberg EBook of Irish Wonders by D. R. McAnally, Jr., a leprechaun is the son of an “evil spirit” and a “degenerate fairy” who is “not wholly good nor wholly evil.” It’s generally the same with hackers. Many of them don’t set out to hurt anyone, but they sure can cause all sorts of trouble, from governmental security issues to financial ruin. Then again, some hackers are good guys or “white hats” who use their knowledge and experience to improve security measures to keep out the “black hats” trying to break in.

Is there a pot of gold at the end of that rainbow? Hackers who do work on the good side of the law can do very well for themselves. Companies and governments employ hackers to test and improve network security systems. Other hackers create programs, applications, and software to make networks more secure.

Maybe there aren’t really any leprechaun hackers, but they might as well be magical creatures when they infiltrate your network and then proceed to vanish into thin air. Even if you have the luck o’ the Irish on your side, it won’t be enough to protect you from sophisticated security breaches. Contact us to learn more about our security risk management services, including our comprehensive Data Breach Risk Assessment (DBRA) program.
