Subscribe: AlertBoot Endpoint Security : FACTA
http://www.alertboot.com/blog/blogs/endpoint_security/rss.aspx?Tags=FACTA&AndTags=1
AlertBoot Endpoint Security : FACTA



Tags: FACTA



 



Hard Drive Encryption Vs. Hard Drive Pulverization: It’s A Matter Of Data At Rest

Fri, 06 Jun 2008 05:02:00 GMT

And what type of resting you’re looking for your data: eternal or not. (What a terrible play on words. Thank God I wasn’t an English major; they might rescind my diploma.) Anyhow, this may be a good time to explore some alternatives to data protection solutions like full disk encryption.

The montereyherald.com has an article describing how certain businesses have decided to pulverize their computers’ hard drives in order to comply with HIPAA, SarbOx, and FACTA, as well as any other federal regulations governing privacy. The companies in question literally pulverize the hard drives, and it generally takes them less than thirty seconds per drive to crush them. In fact, the “pulverizers” (I like the sound of this) will bring their equipment around and grind the disks to a fine powder right in front of you. I imagine the reason for this would be two‑fold. First, it’s a great show, I’ll bet, which helps to spread the service’s availability via word‑of‑mouth (ever watch Letterman in the old days when he would crush stuff on a hydraulic press? Look it up in YouTube…you won’t be disappointed). Second, and more important from a security standpoint, it ensures that one of those drives doesn’t go missing prior to getting decimated.

There’s no question that the above service is a good idea. I’ve covered plenty of stories where the owner of a business or an unthinking civil worker tossed old computers without further thought to what’s actually contained in those machines. Even if someone had taken the time to “delete” files from the computer and reformatted the hard drive, this does not mean that the data has been erased. Indeed, the term “erasing data” is very misleading, since there is no real way to erase data on a computer. It’s more akin to “replacing data.” That is, in order to get rid of existing data, you have to supply it with something else—anything else. It’s like one of those horror stories where, in order to escape, someone else must be brought in.

However, as a data security measure, one has to keep in mind that pulverizing drives is the perfect solution when you’re going to toss that computer—or if you’re going to toss the hard drive. What about protecting the data when you’re not planning on throwing anything away? After all, the federal regulations mentioned above are not expressly for when you’re about to dispose of data and data retention devices. The spirit of these regulations is to ensure that data security remains in effect during use of the data and after one’s done with it. Grinding up drives only achieves the latter. If your physical security measures—such as doors, locks, and security guards—are not up to snuff, and you deal with sensitive data, you still need something to ensure data security while you’re using that computer.

Enter full disk encryption solutions like AlertBoot, for hard drives, flash drives, CDs, and other types of devices on which data is retained. Encryption will safeguard your data while the computer is still useful—and beyond, if necessary. If you have an encrypted drive, you can just toss it, and it’s still protected. Granted, it’s not as satisfying as seeing a block of plastic and metal go in one way, and come out as sparkly confetti on the other.[...]



Full Disk Encryption A Perfect Companion for Home Cooked Meals

Fri, 11 Apr 2008 05:40:00 GMT

The Home Restaurant in Canada has been a victim of a computer data breach. From what I can find on the Internet, the Home Restaurant is a small chain that specializes in providing homemade‑like meals in a homey atmosphere. The problem is that such idyllic establishments can’t shelter themselves from the ugly aspects of life. Like a break‑in. According to The Vancouver Sun, a computer was stolen between two and four in the morning this past Wednesday. And according to the RCMP’s report, the stolen computer contained credit card and bank card information.

The fact that the restaurant was broken into is not surprising. Neither is the fact that something got stolen. What is surprising, though, is that a restaurant was keeping an electronic record of customer credit cards. Why would a restaurant need to do this? A phone company, I can see it happening; you’ve got recurring monthly charges. But a restaurant? Most businesses keep the data in redacted form. In the US, as I understand it, retailers are not authorized to store this data electronically. In fact, if I recollect correctly, certain retailers are currently facing a lawsuit with class action status because they showed too much redacted information on receipts: if a retailer displayed more than four numbers of the credit card that was charged, as well as the expiration date, on a receipt slip, this is deemed as “too much info,” with the potential to lead to credit card fraud if someone picks up a discarded receipt. If this type of information is considered illegal (barring an actual judgment to the contrary), imagine the consequences of keeping entire credit card numbers.

If this incident proves anything, it is that small and medium businesses are sitting ducks when it comes to crime in the digital era. The Home Restaurant has a total of five locations. Combine the relatively small size of this particular firm, as compared to a global giant like McDonald’s, with the slim margins of the industry, and it’s not a wild guess to assume that they can’t afford a dedicated IT staff or lawyer. Their lawyer would have, hopefully, pointed out that what they were doing with the credit card numbers was potentially illegal. The IT staff could have come up with certain solutions to ensure that the effects of a disaster are mitigated. For example, knowing that credit card numbers were being stored, they could have set up the computers in the restaurant with a full disk encryption solution like AlertBoot. While it may take a lawyer or someone in the credit card industry to point out the legality of what the Home Restaurant was doing, it doesn’t take too much grey matter to realize the potential mischief if a computer gets stolen under such circumstances, and a good computer guru would have realized the importance of a solid hard drive encryption strategy.[...]



Can Data Breaches Be Expected From Bankrupt Mortgage Lenders?

Sat, 08 Mar 2008 06:20:00 GMT

The stock market is in a tumult. Actually, it has been for about a year, ever since the subprime fiasco (anyone take a look at Moody’s performance over the past year?). Now that that particular issue has been beaten to death, other mortgage‑related issues are cropping up. Most of the stuff covered in the media is financial in nature, but some of those mortgage‑related issues do concern information security.

It’s no secret that there are plenty of companies in the US that discard sensitive documents by dumping them unceremoniously: leave it by the curb, drive it to a dumpster, heave it over the walls of abandoned property, and other assorted mind‑bogglingly insecure practices. In fact, MSNBC has an article on this issue, and names numerous bankrupt mortgage companies whose borrowers’ records were found in dumpsters and recycling centers. The information on those documents includes credit card numbers and SSNs, as well as addresses, names, and other information needed to secure a mortgage. Since the companies have filed for bankruptcy and are no more, the potential victims involved have no legal recourse, and are left to fend for themselves.

In a way, it makes sense that companies that have filed for bankruptcy are behaving this way. (Not that I’m saying this is proper procedure.) For starters, if a company does wrong, one goes after the company; however, since the company has filed for bankruptcy, it is no more, so there’s no one to “go after.” In light of the company’s status, this means that the actual person remaining behind to dispose of things, be they desks or credit applications, can opt to do whatever he feels like. He could shred the applications. He could dump them nearby. He could walk away and let the building’s owner take care of them. What does he care? It’s not as if he’s gonna get fired. Also, proper disposal requires either time, money, or both. A bankrupt company doesn’t have money. It may have time, assuming people are going to stick around, but chances are their shredder has been seized by creditors. People are not going to stick around to shred things by hand, literally.

Aren’t there any laws regulating this? Apparently, such issues are covered by FACTA, the Fair and Accurate Credit Transactions Act, and although its guidelines require “businesses to dispose of sensitive financial documents in a way that protects against ‘unauthorized access to or use of the information’” [msnbc.com], it stops short of requiring the physical destruction of data. I’m not a lawyer, but perhaps there’s enough leeway in the language for one to go around dropping sensitive documents in dumpsters?

Like I mentioned before, inappropriate disposal of sensitive documents has been going on forever; I’m pretty sure this has been a problem since the very first mortgage was issued. My personal belief is that most companies would act responsibly and try to properly dispose of such information. But this may prove to be a point of concern as well because of widespread misconceptions of what it means to protect data against unauthorized access. What happens if a company that files for bankruptcy decides to sell its company computers to pay off creditors? Most people would delete the information found in the computer, and that’s that—end of story. Except, it’s not. When files are deleted, the actual data still resides on the hard disks; it’s just that the computer’s operating system doesn’t have a way to find the information anymore. Indeed, this is how retail data restoration applications such as Norton are able to recover accidentally deleted files. Some may be aware of this and decide to format the entire computer before sending it off to the new owners. The problem with this approach is the same as deleting files: data recovery i[...]