Dec 29

Report Said Most Enterprises Don’t Correctly Protect Sensitive Data

Trustwave found surprising data security trend in its 2014 risk status reports, which included the fact that most companies don’t have mature approach to control and track sensitive data.

 

For data security issues, enterprises have high degree of awareness of legal responsibility but they don’t figure out how to control risks by tracking sensitive data. The report interviewed 476 IT professionals in more than 50 countries, most of which were in the United States and the United Kingdom. According to the report, 63% of enterprises don’t have mature approach to control and track sensitive data.

 

“This means that many enterprises don’t know what their sensitive data is and where it is, who can access it and its mobile location,” senior vice president of Trustwave, Phil Smith, said, “This type of information is the first step of building security strategy.”

 

If enterprises don’t know what their sensitive data is and where the data is, then how do enterprises protect the data? Smith said the first part of risk assessment is to identify the location of enterprise’s sensitive data. Enterprises should know what sensitive data is, where it is and its movement and who has right to access it.

 

The report also found that while 58% of enterprises use third party program to manage sensitive data, but 48% of enterprises actually don’t deploy third party management program.

 

“Many companies (especially retail) outsource payment process to third party vendors, letting them access sensitive payment information,” Smith said, “however, they don’t know how these providers protect their data.”

 

Secure payment processing issue is particularly important, especially in 2014 so many retail data leak issues occurred. Smith recommends enterprises to communicate with their third party providers, so that each party knows what their responsibilities are in data protection. In addition, he recommends that enterprise should build secure requirements in the contract with third party provider.

 

Although enterprises may not protect all data, but Trustwave’s survey found that enterprises had high degree of awareness of the legal responsibilities. 60% of enterprises said they knew their legal responsibility of protecting sensitive data. The survey found that only 21% of enterprises didn’t have any training in secure awareness, which means that most enterprises actually had some forms of security training programs.

 

In addition, most respondents indicated that the deployment of control over BYOD was already in place. Only 38% of respondents indicated that their companies didn’t have any control on BYOD.

 

Smith said: “There are still a lot of companies do not have security policies and procedures foucus on BYOD.”

 

Patch management is an important part of corporate security, but the study found that 58% of enterprises didn’t have mature patch management process. Smith pointed out that in many cases, enterprises focus on deploying more strict access control, intrusion prevention/detection equipment and other perimeter security, but put patch repair and existing system maintenance on lower priority.

 

Another important finding of the survey is that the board of directors highly involves in enterprise security. 45% of enterprises have the board of directors or executive-level management involving in security affairs. Security is a top-down problem.

 

“All sectors of enterprises should consider security as an important issue, from IT professionals to non-technical staff and management,” Smith said, “C-level executives should not only ask their IT team whether our data is safe? It should also be asked how our data is protected? What control measures is deployed? “

Dec 15

Nearly one-third SMEs don’t emphasize on data secure backup

According to the survey conducted by the Internet and Mobile Security Organization AVGTechnologies, most companies hadn’t noted real value of their data. The result of the test showed that 37% of small business manager spent more time on tidying up desks and ordering new business cards rather than doing backup for data. This survey was give to 500 U.S. small businesses managers, and the result showed that although most (75%) businesses relied on automatic backup system, about a quarter (24%) of businesses didn’t require employees to back up data at least every week. However, 30% of respondents thought that more than half of their data were critical data.

 

Given that small business claimed that more than half of the data were sensitive data, the loss of employees’ mobile devices should attract more attention. In fact, about half of small businesses said they had experienced the loss of mobile devices. Interestingly, the survey showed that many small businesses management staff didn’t think employees’ mobile devices contained a lot of sensitive data. They cared more about the security of data transferred to cloud. When asked about cloud-based backup, 64% of small and middle enterprise said security was the issue they cared about most.

 

And the results of the survey can be concluded as below:

 

1. Compared with backup data in UK (22%) and US (21%), a substantial proportion of small and middle businesses often spend more time on tidying up desks and ordering new business cards, which is not even the most conventional computer-related work. 43% of UL companies and 53% of US companies said they spent more time changing passwords.

 

2. When it comes to cloud backup, security is still a most concerned issue. Other key issues include the cost, data recovery and lack of control.

 

3. Most small businesses have not experienced mobile device data loss, but they are approaching (51% in UK, 53% in US).

 

4. Most SMEs (62% in UK, 66% in United States) are confident that they can prevent data loss when employees leave the company.

 

5. Most small businesses (59% in UK, 54% in the US) still don’t require employees to back up daily. A considerable number of backup data (68% UK, 75% of the United States) is operated by IT automation systems.

 

6. When it comes to mobile device data, only 1-10% of employees of about one-third of SMEs (32% in UK, 34% in the US) go out of office at least once a week. On the other hand, mobile devices are increasingly used to work, and only a small number of companies said 80% -100% of their staff go out of office one day a week.

 

7. When the device is lost or stolen, 39% of UK businesses and 41% of US companies priority is to ensure that data cannot be viewed by an unauthorized third party. That’s why you need to protect files in drive with password and configure different users’ permission to content in the drive.

Dec 01

Ten measures to protect small and middle business data security(1)

Ensure recoverability of data

To do backup of existing data has been one of the key tasks of every business organization, only stupid administrators will take this kind of things as something superfluous. However, according to our experience, many enterprises don’t adopt extra measures to regularly check backup content.

Data disaster prevention mechanism

One reason why small and middle enterprises always suffer loss is the lack of forward-looking. Most of small and middle enterprises never make up adequate precautions for fires, floods and other natural disasters. Here what I must emphasize is that it’s necessary for all enterprises to store backup data in separate locations that is far from infrastructure.

Judge enterprise tolerance to data loss

Although in theory, it’s certainly more scientific to do full backup for all data. However, from the actual operations, all the information is often not necessary to be strictly protected. Companies should first determine themselves what type of data or which level of data loss can be tolerable. After a thorough understanding of their situation, we can begin modifying the backup system, letting data that is not needed disappears from backup list.

Estimate how long the daily data persists after losing data support

How long does your business persist when the enterprise doesn’t access specific data? Making sure this point can help enterprise determine how to make up restore time object (RTO). At the same time, it can help you easier establish suitable data maintenance system and hardware architectures。

Ensure that the backup system is secure and complies with regulations

The backup copy should be placed in specific location, the entire process must strictly follow relevant management system. Under possible circumstances, try to use data encryption technology to protect enterprise business information.

Nov 10

Three methods of data backup

Every company now highly emphasize on data security, for example, company establish information management department to better manage company internal data security.

To protect data, one of key factors you need to consider is data backup. Backup can be divided into three levels:

Hardware-level backup: hardware-level backup refers to using hardware redundancy to protect system’s continuous operations, for example, disk mirror and Dual Fault-Tolerant. If the main hardware gets damaged, backup hardware can immediately take over the work, this approach can effectively prevent hardware failure.

But this solution also has flaws; it can’t prevent data logical corruption. When logical corruption occurs, hardware backup will copy the error again, it can’t really protect data. The goal of hardware backup is actually to ensure system continue running when failure occurs, which is more likely hardware fault tolerance.

Software-level backup: software-level backup refers to saving system data in other software, so that when error occurs you can restore system to backup status. Since this backup solution should be fulfilled with software, it’s called software-level backup.

But this solution takes much time on backup and restore. This solution can prevent logical corruption, because backup media is separate from computer system, error won’t be rewrote in backup media, which means it will help restore data as long as it can save enough history data. But this is not suitable to companies that need to quickly restore data.

Manual backup: Manual backup is the most initial but also the most simple and effective method.

But if you use manual mode to restore data, it will spend more time than using software-level backup.

When choosing backup solution, you need to consider the importance level of the data first. For more important data, choose multiple solutions to back up. In addition, use data protection software to encrypt important data.

Oct 27

JPMorgan confirmed releasing 8.3 million users information, hackers want data rather than money

In early September, the JPMorgan data leak even was found; FBI and NSA were both involved in the investigation. At that time, according to Bloomberg reports, data leak occurred in early August, hacker used 0day vulnerability in bank website to launch attacks, FBI considered this is an attack launched by a national hacker organization according to the complexity of the attack.

CISO is a “temporary” worker

In HomeDepot event, we noted that HomeDepot hired a security manager with criminal record; and in this JPMorgan data leak event, the “temporary worker” – its chief information security officer (CISO) is deeply associated with this event.

When hacker invaded the network of JPMorgan, the CISO of JPMorgan – Greg Rattray just took office, he even wasn’t familiar with his parking space; before coming to JPMorgan Rattray assumed the Air Force Information Warfare commander, and before Rattray taking office, JPMorgan former CSIO Anthony Belfiore had resigned earlier this year, during the period, Anish Bhimani served concurrently as CSIO.

Data is more valuable than money

It’s reported that hackers found vulnerabilities in JPMorgan bank computer software and exploited them, attacking over 90 servers, but the survey showed that hackers are more interested in personal information than money. Although bank account password and other crucial information didn’t leak, but just like the impacts caused by other large-scale personal information leak events, users of JPMorgan now are facing the threats of spear phishing and social engineering attacks, for hackers mastered detailed private data of a enormous number of users.

Chief Technology Officer of RedSeal Ph.D. Mik Lioyd believes that in JPMorgan data leak event, hackers were busy stealing users’ information and even had no time to steal money, which indicates that today’s cybercrime group fancy the value of users’ data (user data exchange market and underground processing industry chain have been matured). Just like the army commander is more emphasized on Battlefield intelligence than weaponry.

Difficult to remedy

Relevant officials involved in the investigation said JP Morgan need to take at least several months to ferret out thousands of software applications and confer with technology providers about authorization contract. New York pointed out that this would give hackers a long time window through which they can further attack JPMorgan internal system undetected vulnerabilities.

JPMorgan data leak event also sent by far the most serious security warning to global enterprises: although the most high-edged security response technology and processes are inadequate to deal with automatic coordinated attacks. Enterprises need to do automatic analysis on entire end to end network access path and use security tools to timely detect any wrong configuration and anomalies caused by network complexity.

JPMorgan said they would continue to focus on detection and financial fraud events related to this data leak event, and if customers could timely detect and inform account unauthorized transaction, JPMorgan would bear the loss of customers.

You can’t stop focusing on the security of your account information and other private information stored in your service providers as well as on your own computer. Information and data leak issues occur in anytime anywhere, timely and comprehensive data and file protection is necessary and imperative.

Oct 13

Shortcomings of weak password highlight, encryption software makes data in lost device secure

For documents, enterprise data, design drawing and other important information store in computer, we usually set the boot password to avoid unrelated persons’ view or steal, enterprise will also launch related training to enhance employees’ awareness of data protection. However, under many irresistible impacts, this part of risks of information security needs more attention. Since the crisis of weak password has been gradually occurred, when facing more mature hacker techniques and increasing leak phenomenon, to use file encryption software to add a secure lock to enterprise equipment can make classified data secure in any cases.

Security experts said that for the majority of ordinary laptop users, the most common-used information security defense method may be setting boot password, and they will set longer and more complex password if they need stronger safety, while in this situation, the thieves can dissemble the hard drive and read its original data in another computer. This is virtually easy.

For users having some computer knowledge, he may adopt some advanced security measures, for example, setting a password to lock computer hard drive so that you will be required for correct password every time you start the computer; and even some one dissemble the hard drive, and it’s difficult to read the original data. But with the continuous development of hacker attacks, only depending on password can’t prevent experienced thieves erasing system configuration information to break into the system to obtain classified information.

There a very important point which is often overlooked by enterprises, that is, setting password can’t completely avoid initiative leak. As both setting boot password and hard drive locking password are defense means, no matter how strong or complex the passwords are, they are useless to initiative leakers. To effectively prevent various leak events including employees leak, data leak caused by laptop loss or stolen devices, one of the best methods is to encrypt the valuable files. Classifying the users’ permission and copying protect files on LAN can avoid employees copy the company files away; besides, employees should be forced to add protection to working files store in laptop and other devices to avoid data loss caused by device loss.

Sep 09

Strife openly and secretly behind data encryption

In the information age, the U.S. National Security Council (NSA) almost becomes popular in the whole Internet. Not because they are credited with maintaining American security but because they rip off information, which makes them become enemy of users who strike to maintain network and freedom of network information security.

NSA has the world’s leading IT and personnel, meanwhile they are supported by U.S. government, which make them unscrupulous in the information world and the Internet.

According to “New York Times” online edition reports, a few years ago, the United States National Security Agency (hereinafter referred to as” NSA “) had implanted back door system into a International encryption technology that allows the United States federal to breach any data that was protected by this encryption technology.

There were reports that in 2006 the National Bureau of Standards and Technology helped develop an international encryption technology to assist countries and all walks of life to prevent their computer systems were hacked. But another United States federal agency — NSA—had stealthily implanted a backdoor system into the technology without many users knowing it, so that federal agents can decipher any data encrypted by this technology.

According to the documents leaked by former NSA contractor Edward Snowden, NSA has attempted to infiltrate each set of encryption systems, and often try to use the easiest means to achieve this goal. As modern encryption technology is extremely difficult to decipher, even with powerful supercomputers of the institution, it often failed to decipher. Therefore, NSA prefers to cooperate with major software developers and encryption technology licensors to secretly gain access permission to the system.

According to the news from “New York Times”, “The Guardian” and news site ProPublica, NSA can now access the code that’s originally used to protect commercial banking system, trade secrets, medical records and e-mail and Internet chat. Sometimes, NSA has forced some companies to give them access permissions.

These backdoors and particular access permissions are another evidence of the United States intelligence community’s ultra vires. Today, more and more businesses and individuals store most secret data on the cloud storage service, hence they need to be assured that their data is secure, but this relationship is mostly based on trust. Once users know the encryption system is sabotage, they will shake their confidence in these systems, which may have adverse impact on business activities.

People were originally thought that individuals, businesses and government agencies’ privacy in the general communications will be protected, but the fact that NSA implanted backdoor backdoor system might make such illusions shattered.

NSA tends to assure the U.S. government that they would decipher the communication or data that is suspected of illegal individuals or businesses. But weakening citizens’ ability of using encryption technology is obvious a practice of ultra vires.

New Jersey Democratic Congressman Rush Holt has proposed a bill, banning the government requiring software developers to implant backdoor in encryption software system. Outsiders believe that the bill should receive the unanimous support of the U.S. Congress. At the same time, a number of Internet companies including Google and Facebook are developing a new encryption system that is difficult for NSA to penetrate. These companies attempt to show an attitude that they are not secret partner of intelligence agency.

Jun 30

Best Defense is Equal to Attack

Speaking of BYOD, the best defense is attack, namely, making strategies in advance to achieve your desired results and to avoid potential risks.

BYOD (Bring Your Own Device) has stirred all walks of business processes. Some companies are fully enjoying the convenience brought by BYOD, yet some companies shy away from them. On the bright side, BYOD can potentially help companies save operating costs, help employees maintain a happy mood and improve office efficiency. But on the other hand, BYOD may also bring a series of problems and pitfalls in the various aspects of security, compatibility and so on. But through some planning and education, most of these problems and pitfalls can be avoided. We can have a look at the troubles brought by BYOD and corresponding resolutions to these problems.

Data leakage: Companies sensitive data leakage is always one of most concerned problems for companies. Employees bringing their own devices to company makes enterprise more worried. Employees may lose their smart phone or tablet; for these devices can easily be eyeing by thief. When the devices containing companies’ sensitive data get lost, the data may fall into wrong hands. One way to avoid this situation is to use file password protection program to lock sensitive data with password, and the other way is to use a remote deletion policy, namely when the employee’s mobile device is stolen, company can remotely delete the sensitive data on the remote device.

Password Leak: just like we usually carry several keys, employees’ mobile devices will store various passwords that are used to log in company’s network and applications. These passwords may exist in mobile applications, or may also be stored directly in the mobile device’s memory. Enterprises must establish a strategy to ensure that companies’ passwords won’t be stored in cache or any application in mobile device. An alternative strategy is that if employees want to save the password on the mobile device business (even login information), they need to use information/password saving application to properly encrypt them.

Productivity decline: When employees start BYOD, they will spend a lot of time on social network, chatting with friends or do other things unrelated to work. How to solve this problem? Since many devices are connected to operator’s mobile communication network, in which case the employees feel that their equipment is not bound by corporate policy. In order to avoid this situation, you should require employees’ mobile devices switch into WiFi network provided by the enterprise when entering company. 

Insufficient bandwidth: Many companies have been concerned about this problem. Most companies believe that the enterprise network bandwidth demands will be dropped after the use of BYOD, which is a big mistake. One of the advantages of BYOD is that employees also can use the mobile operator’s network networking to work when going out, but when they returned to the office, they are likely to connect desktop and their mobile devices to the corporate network, thereby increasing the burden on the enterprise network access bandwidth. Therefore, companies need to ensure that their network access bandwidth has sufficient load-bearing capacity.

Device Management: Many companies are asking how to manage a large number of mobile devices. Because of the many types of equipment, as well as different operators, companies is difficult to centrally manage all mobile devices. But what companies can do is to establish a set of network access control mechanism (NAC), and to control these devices via MAC address for each mobile device.

Over Autonomy: Once a company implemented a BYOD strategy, which’s equivalent to tell employees and users that businesses gives them a very high autonomy. Of course, this autonomy is likely to be abused by employees or network users. Therefore, even if the enterprises implement BYOD, they should let employees know that it doesn’t mean that they can use their own equipment in any activity. If necessary, you can also require employees to sign BYOD agreement confirming that they understand their mobile devices use behaviors in the enterprise are limited.

Jun 16

It’s time for you to abandon TrueCrypt

A series of aftermath of WindowXP end of support is gradually revealing. Currently open source TrueCrypt warn users of the tool’s security vulnerability on SourceForge official site; meanwhile, TrueCrypt also announced the termination of TrueCrypt development.

TrueCrypt warned on the official page with striking red font:

“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”

TrueCrypt’s warning and development suspension caused uproar on social media, since in the past decade, TrueCrypt had always been a very popular cross-platform open-source encryption program, so it’d been first choice for users who had needs of data encryption.

For a long time, TrueCrypt are famous for excellent encryption performance and good safety record, TrueCrypt could create a virtual disk on your hard drive without needing to generate any file, the user can access in accordance with the drive, all files on virtual disk are automatically encrypted, which need password to be accessed. TrueCrypt offers a variety of encryption algorithms, including: AES-256, Blowfish (448-bit key), CAST5, Serpent, Triple DES, and Twofish, other features support FAT32 and NTFS partitions, hide labels, hot start and so on.

In 2009, the Brazilian Federal Police confiscated five hard drives in banker Daniel Dantas’s Rio de Janeiro apartment in the Satyagraha action launched in July 2008. These drives used two types of encryption programs, one of which is TrueCrypt, the other is unknown 256 AES encryption software. After the expert failed to crack the password, the Brazilian government asked the U.S. for help in the beginning of 2009, however, the United States federal police also failed to crack the encryption after one-year attempt, and returned the hard drive. This incident makes TrueCrypt famous.

In 2013, Snowden exposure NSA can decrypt most Internet encryption technology; TrueCrypt supporters raised a lot of money to audit TrueCrypt security. From the first phase of audit results, there has not been found security backdoors.

Johns Hopkins University professor Matthew Green participated in the TrueCrypt security audit, he said TrueCrypt official warning looks really, unlike the hacker’s prank, and he also contacted the TrueCrypt secret private developers, trying to get more details.

Whatever the truth, TrueCrypt users should enhance viligance, TrueCrypt is no longer the indestructible who should begin vigilant, TrueCrypt encryption is no longer the indestructible encryption software. And it’s time for you to consider using other file encryption software as an alternative. There’re many file encryption solutions on Google, you can try and choose most suitable one. If you need file/folder encryption solution for Windows computer, you can try Folder Protector.

Jun 03

TrueCrypt’s “Sudden Death” Results in Chaos

Recently, open source encryption software TrueCrypt warn users in the official page of the SourceForge that there’s a security risk on this tool, meanwhile, it also announced the termination of TrueCrypt development.

As the most popular free and open source cross-platform encryption software over the past decade, TrueCrypt’s “sudden death” makes information security industry that has been tortured by NSA and OpenSSL fall into chaos again. On Twitter and Facebook and other social media, “conspiracy theory” begins circulating among the security professionals. Many people believe that TrueCrypt’s “sudden death” is similar to Lavabit, which is likely to be forced to close by government departments. Some people also think that the reason is the conflict among core staffs of TrueCrypt.

Since TrueCrypt is widely used, there is a lot of individuals and businesses around the world adopt this software to encrypt sensitive data, so the “sudden death” caused by security problems also led to the close attention of the user. TrueCrypt’s supporters raised $ 70,000 for the TrueCrypt security audits.

TrueCrypt has announced to stop product development, and its official website to jump to the SourceForge page and persuade the users to select other encryption software.

To choose what kind of products to replace TrueCrypt has become a sharp topic among security experts. In addition to BitLocker recommended by TrueCrypt, the master of cryptography – Burce Schneier recently revealed on blog that he personally has switched to use Symantec’s PGPDisk encryption software.

Schneier points out, there are two reasons why he chose full-disk encryption tool PGPDisk: one of which is easy to use, the other is that he trusts Symantec Developer (Schneier himself is a member of the Technical Advisory Committee PGP Corporation). Schneier believes the advantages of full disk encryption are that you don’t need to worry about various hibernation files, swap files, temporary files, browser Cookies and deleted files in disk. If you lose the hard drive or laptop, you just need to tell the boss: “Don’t worry, the entire disk has been locked.”

Now you have many choices about file encryption, now you have very few choices about file encryption. Since nowadays the data theft and data leak accidents frequently happen, individuals and groups including commercial companies all focus on data security. If you want to protect important and sensitive files, you’d better adopt encryption technology to encrypt these files with password. It’s important for you to choose an effective and easy-to-use file encryption program, for which is directly related to your file security.