Blog

Category: Mobile security

Privacy

To think about stronger data security and privacy protection! But first, I want you to think about the millions of heroes who have served our country.

As we approach the 4th of July, I wanted to take a moment to recognize the heroes in the many branches of the U.S. Military.  From myself, and on behalf of the entire team at Fasoo, THANK YOU for your service!

And while thinking about those who have put themselves at the first line of defense, defending our country and fighting for our freedom, we are still fighting for privacy and stronger data security.  As individuals, we are required to provide tons of personally identifiable information to our doctors, lawyers, employers and financial institutions – trusting that they will safeguard our information.  But data leaks still happen!  So we know we need to take data security and privacy seriously.

Now, I don’t want this discussion to turn political, but it was brought to my attention (thanks, Rick), in an article published by ZDNet that “The US State Department will now require new visitors to the United States to hand over their social media account names as well as email addresses and phone numbers used over the past five years.”

I remember when I was a kid, the USA was referred to as “The Great American Melting Pot” where people were welcomed from all over the world to come here and live their dream!  Freedom.  In fact, my own family migrated from Hungary and settled in Pennsylvania in the early 1900s.  Of course, this was long before the digital age.  Back then, the information collected, while personally identifiable in nature, was not nearly as much in terms of “volume”.  So while people are still coming to this country to live their dreams, the data requirement to do so is a magnitude far above what it used to be, exacerbating the amount of data that needs to be protected.   So what I am saying here is that these visitors’ dreams should NOT include the fear of identity theft and/or exposure of personal data.

In the digital age, our thirst for knowledge and expression has us willing to give information in exchange for merchandise, a whitepaper, maybe even recognition.   And we should be able, with trust and the freedom to do so, without fear.  So at the risk of misquoting one of our Founding Fathers, those who would give up personal data for essential freedom, deserve both privacy and security.

So fire up the grill, add another hot dog or hamburger, tofu for my vegan friends, crack open a beer or have some wine.  Enjoy your friends, family and freedom and by all means, please have a safe holiday!

By Deborah Kish – EVP Research & Marketing

document kill switch

Between the alleged hacks from the Russian government in the news and the constant barrage of data breach headlines, it is obvious that the loss or theft of confidential data is a top priority for most organizations.  With the proliferation of mobile devices this is becoming even worse.

While reports from numerous analysts predict a slowdown in growth of mobile devices, the number of business users that use phones and tablets to share information is at an all-time high.  Considering that thousands of mobile devices are lost or stolen each month, companies need to understand the issue of exposing confidential information.  Phone manufacturers have long employed the ability to remotely kill a lost cell phone or application that may cause issues on the device.  Numerous MDM (mobile device management) applications can also do a remote wipe and help to protect devices.  So you think that you have all the bases covered – think again!

Information security departments need to adjust to the new threat landscape, where managing the vulnerabilities inside the company is less about plugging software holes and more about protecting data. Consider for a moment when someone sends a classified document to a colleague with a privately owned cell phone or iPad.  Without proper security the file may be accessible to anyone who gains access to the device.  Even more troubling is the ability to forward an unprotected file to any number of people – either intentionally or by mistake.

So how do you protect your company’s confidential data without becoming overly restrictive?  Consider implementing a “remote kill switch” for confidential files.  Persistent policy security requires the file to “call home” each time it is opened.  If the policy is removed or changed, the file is not accessible.  Files may be restricted to specific mobile devices so that if they are deliberately or unintentionally sent to someone through email, the file cannot be opened.  With one revoke access command, files can be totally disabled!
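The "call home" check, device restriction and revoke command described above can be modelled as follows. This is an added example, not code from the original post or from any vendor product; `PolicyServer`, `Policy` and `open_file` are hypothetical names, and the SHA-256 keystream is a stand-in for a real cipher.

```python
# Added illustration, not vendor code: PolicyServer, Policy and open_file are
# hypothetical names modelling a "call home" check with device binding and revocation.
import hashlib
import secrets
import time
from dataclasses import dataclass, field


def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 in counter mode) so the example needs only the
    # standard library; a real product would use an authenticated cipher.
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


@dataclass
class Policy:
    key: bytes          # content key; never stored inside the file itself
    users: dict         # user -> set of permitted actions ("view", "print", ...)
    devices: set        # device IDs the file is bound to
    expires_at: float   # epoch seconds after which access ends
    revoked: bool = False


@dataclass
class PolicyServer:
    policies: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def protect(self, plaintext, users, devices, ttl_seconds):
        """Encrypt a document and register its policy; returns the portable file."""
        file_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.policies[file_id] = Policy(key, users, set(devices),
                                        time.time() + ttl_seconds)
        return {"file_id": file_id, "ciphertext": _xor_stream(key, plaintext)}

    def revoke(self, file_id):
        """The 'kill switch': every later open of any copy is refused."""
        self.policies[file_id].revoked = True

    def request_key(self, file_id, user, device, action):
        """Called on every open. Returns (key, None) or (None, denial reason)."""
        policy = self.policies.get(file_id)
        if policy is None:
            reason = "no policy"            # policy removed: fail closed
        elif policy.revoked:
            reason = "revoked"
        elif time.time() > policy.expires_at:
            reason = "expired"
        elif device not in policy.devices:
            reason = "device not authorized"
        elif action not in policy.users.get(user, set()):
            reason = "action not permitted"
        else:
            reason = None
        # Every attempt, allowed or denied, lands in the audit trail.
        self.audit_log.append((file_id, user, device, action, reason or "allowed"))
        return (policy.key if reason is None else None), reason


def open_file(server, protected, user, device, action="view"):
    """Client side: no key is cached, so the file must call home each time."""
    key, reason = server.request_key(protected["file_id"], user, device, action)
    if key is None:
        raise PermissionError(reason)
    return _xor_stream(key, protected["ciphertext"])


if __name__ == "__main__":
    server = PolicyServer()
    sample = b"Board minutes (constructed sample text)"
    doc = server.protect(sample, {"alice": {"view"}}, {"alice-phone"}, 3600)
    print(open_file(server, doc, "alice", "alice-phone"))
    server.revoke(doc["file_id"])
    try:
        open_file(server, doc, "alice", "alice-phone")
    except PermissionError as exc:
        print("denied:", exc)
```

Revocation in this model only holds while the viewing application never persists the key or the decrypted content; a client that caches either keeps working after the revoke.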

With the release of millions of confidential documents from the US government and many corporations, you have to ask the question, “Why don’t people have ‘remote kill switches’ for these TOP SECRET documents?” At some point they may figure this out!


Photo credit chrischappelear

Healthcare Data Breach - Unauthorized Access for Seven Years

UnityPoint Health-Allen Hospital has made the news very recently as one of the latest healthcare environments that had a data breach. While on the surface this news appears to be just another healthcare data breach, there is something very different about it; the breach occurred over a span of seven years and was only recently discovered and reported.

A “former employee” accessed 1,620 patient records that contained personal information and may have seen patients’ names, home addresses, dates of birth, medical and health insurance account numbers, and health information related to their treatments.

The Allen Hospital compliance team detected inappropriate access that started in September 2009 and ended in March 2016.  They started a review that resulted in the notification of the breach to the U.S. Department of Health and Human Services and impacted patients.

Why was this inappropriate access not immediately detected with all the technology in place to ensure HIPAA compliance?  What was missing?

A common pattern in healthcare today is that most healthcare organizations are more interested in simply putting a check mark in their HIPAA compliance mandates for encryption rather than doing what is necessary to truly secure PHI and PII. Today’s common practice is to protect information when it’s stored or when sent via email. The moment an application or a user has to use that data, sensitive information gets decrypted. The data is now in the clear.  Anyone can print it, copy it, take a screen capture of it or even download it into a report.  All control is lost regardless of the various perimeter-based solutions that are in place for compliance.

A data-centric approach to confidential information security combined with people-centric attributes not only can keep healthcare environments compliant, but make them compliant in a way that is truly secure and complements traditional perimeter security.  Combining data-centric security would ensure that data is protected as it travels both within the organizational perimeter and beyond. It would limit access to sensitive data according to policies that cover both users and activities. It would open up techniques to determine where sensitive data exists throughout the enterprise, and to monitor such data by analyzing the ways in which users copy, move, and access it over time. This approach would incorporate identity management systems to correlate specific users with activity on sensitive data and provide a means to prevent unauthorized activity automatically, detect suspicious behavior patterns and offer specific actions in real time on a continual basis. It can go as far as rendering breached data useless with the click of a button.

Healthcare organizations need to understand that the data they are entrusted with and maintain is extremely valuable, and highly sought after by cyber criminals. They also need to take a proactive and not a reactive approach when it comes to securing patient information.  Simply put, healthcare organizations must catch up to other industries like financial services and bring data security to the data itself using a data-centric and people-centric approach.

Boardroom Data Security starts by protecting board communications and documents

With so many high profile data breaches in the public eye recently, cyber security is now front and center in many organizations.  Globally cyber attacks and data leaks are daily threats to organizations, reminding everyone that we are all potential targets. Attorneys are warning about potential individual liability for corporate directors who do not take appropriate responsibility for oversight of cyber security while investors and regulators are pushing boards to step up their oversight.  As a result, corporate boards have woken up to the call that they must address cyber security issues on their front lines, as it is no longer just an Information Technology issue.

A “belt and braces” approach to security must start at the top – boards must start by focusing on their own communications and materials as part of their comprehensive cyber risk management. Communications through insecure means, loss or theft of board computing devices, lack of or only occasional encryption of board communications, and printed copies of board documents can result in loss of intellectual property, client lists or commercially sensitive business data, legal expenses, loss of reputation and time loss.

In this digital age boards must have structures in place to safeguard their information from cyber security threats. Data-centric security can be a sure way to help protect boardroom materials and communications by encrypting sensitive board files and applying persistent security policies that protect them regardless of where they are or their format. Below are some of the advantages of data-centric security:

•   Encryption and policy based control of board files

•   Ability to securely share files

•   Granular control of who can View, Edit, Print and take a Screen Capture

•   Ability to limit access time and number of devices

•   Ability to revoke access to sensitive files immediately regardless of location

•   Ability to trace and control user and file activities in real-time

Considering the significant impact posed by a potential cyber breach, boardroom engagement with cyber risk management must be a top priority starting with the securing of the board’s own communications and board materials.

Is the FBI’s Request to Unlock an iPhone a Good Idea

On February 16, 2016, a US judge ordered Apple to help the FBI search an iPhone belonging to the man responsible for the recent mass shooting in San Bernardino, California.  The shooting, which the FBI has classified as a terrorist attack, is under investigation and the agency is trying to understand details that they are hoping to find on the shooter’s iPhone.

The phone is protected by Apple encryption and user credentials, and the FBI hasn’t been able to hack into it.  The judge ordered Apple to disable or bypass the functions that protect the phone by erasing data after a number of failed attempts to access it.  This, according to the order, will assist the FBI in its investigation.

Apple CEO Tim Cook has refused to comply saying that if Apple does this, then any government agency could ask them to do the same thing and violate personal privacy and security.  Currently Apple does not have a way to hack into the phone, according to Cook, which is one of the reasons that consumers consider iPhones to be very secure.  If I lose my phone or someone steals it, after failed access attempts, my personal information will be wiped or erased.

There is a lot of dialog in the tech and security industries about this topic with people weighing in on both sides of the issue.  While law enforcement needs to do their job, the privacy and security of personal information is a critical underpinning of current data privacy and breach notification legislation both in the US and abroad.

Bill Blake, President of Fasoo, Inc., was quoted in an article in Security Week by Eduard Kovacs as supporting Apple’s position.  This is the entirety of Bill’s statement:

“As a company whose primary business is the encryption and protection of confidential data we support Apple’s position to resist the government request to provide a back door to encrypted data on the iPhone. Should Apple be forced to comply with the government request there is no guarantee that the back door won’t be used in any circumstance that the government deems necessary. All you need is another Edward Snowden in the right place to expose the code necessary to unlock data and our entire way of life will be at risk.

If the government invokes the All Writs Act of 1789 to justify an expansion of its authority we will all evidently be at risk of exposing our personal information and communications. Unfortunately, I believe that is where this is heading.”

You can read the entire article here.

What is your opinion on this case?


Photo credit Declan TM

Protect Against R&D Data Theft

Recently I was in a meeting with a global pharmaceutical client in New Jersey who told me of the importance they place on their highly secure, centrally managed and monitored persistent security platform to protect against data theft and ensure that their valuable R&D information cannot be lost or inadvertently sent to a competitor.

As the meeting ended, I was informed of the news about the charges brought against five people in the United States around trade secret theft inside another global pharmaceutical company. Allegedly a senior level manager at the company was involved in this theft.

Given the global state of business competition, there is a special appeal to the cyber thugs with high-priced or high-demand items. There is an alarming interest in stealing intellectual property, trade secrets and exactly how these items are produced.

A recent Verizon Data Breach Report 2015 identified Manufacturing as the most commonly attacked industry sector for cyber espionage.

Another recent worldwide study by consulting firm PwC and CIO and CSO magazines, “The Global State of Information Security Survey 2016”, provides some alarming indicators of the security threat landscape:

  • Theft of “hard” intellectual property increased 56% in 2015
  • Employees remain the most cited source of compromise
  • Incidents attributed to partners climbed 22%

It is time that organizations with high value data shift their security focus from the perimeter to insider threats to lock down R&D data, intellectual property and trade secrets. Today technology advancements afford a variety of methods for an employee, contractor or a partner to take critical data electronically from an organization. There are many ways for a trusted insider to steal or inadvertently share sensitive data: printing paper documents, copying files to hard drives, downloading information onto a CD or a USB memory stick, and taking screen captures are a few examples.

When we add mobility adoption in the workforce and how this adds to the complexity of securing high value data, this task seems almost insurmountable. Targeting and protecting critical value data ensures that a company maintains its intellectual property, R&D work and its competitive edge in the market.

Protecting this data need not be such a daunting task. A data-centric persistent security approach can effectively help you protect and lock down your data.

Fasoo Monthly Newsletter - January 2016
 
Fasoo Announcement

Fasoo Vice President and CTO TJ Kwon Speaks to KOCSEA Technical Symposium on Data Security
TJ Kwon showed KOCSEA Technical Symposium attendees how to use the Fasoo Security Framework to protect sensitive data from insider threats and hackers.
Ron Arden Shows Rochester IIA ISACA IT Event How to Protect Sensitive Data
Ron Arden showed the Institute of Internal Auditors how to meet compliance & audit requirements and protect sensitive data from insider threats and hackers.


Market Trend
Protect Your Privacy and Data During Online Holiday Shopping
Make sure you protect your privacy and personal data when shopping online by only going to websites you trust and you know to be safe.
Time to Shift the Security Focus From the Perimeter to Insider Threats
Mitigate the risk of insider threats by encrypting critical value data and assigning dynamic permission controls to it.
Cloud Services That You Might Blacklist
Read about 10 cloud services that you might blacklist because they can compromise document security.
Mobility and Prevention of Employee Data Theft
How to prevent deliberate or accidental employee data theft in a world of mobility by implementing data-centric security.
Industry News

[Forbes]
Data Breaches In Healthcare Totaled Over 112 Million Records In 2015
[InfoWorld]
The most innovative and damaging hacks of 2015
[IT Business Edge]
Better Security Habits Started During Holidays Should Continue All Year Long
[Infosecurity Magazine]
Corporate Security Focus Deepens, Shifts to Insider Threats
[Silicon Republic]
Protect the data, forget the perimeter, says PwC security chief


Use persistent data security to prevent data theft in a mobile world

Gone are the days when everyone came into the office every day for work.  Changes in work habits have brought substantial growth in mobility adoption within the workforce and security challenges have followed.

Today’s employees increasingly work from outside the office and they use a number of mobile (often personal) devices to complete their daily business tasks.  Gallup’s Work and Education Poll from August 2015 points out that telecommuting for work has climbed up to 37 percent in the United States.

A June 2014 survey by Gartner points out that approximately 40 percent of U.S. consumers who work for large organizations said they use their personally owned smartphone, tablet, desktop or laptop daily for some form of work.  Mingling business and personal data can and does cause major security problems, since all of us may inadvertently share sensitive company information with the wrong person.

Employers need control and visibility to data security now, more than ever before, beyond what traditional solutions offer. In order to protect sensitive data, employers are looking to persistent data-centric security to tether their sensitive data all the time and anywhere.

Employers thinking about implementing a persistent data security approach to deal with today’s mobility challenges may want to consider the following key points:

  • Sensitive data must be protected at the point of origin and through its life-cycle
    Highly sensitive data critical to core business functions must be protected at the source and not at the perimeter. Companies must protect data while in use whether someone is creating it or accessing it from file shares or repositories. Controlling the life span of sensitive information, including disabling access dynamically, is key to protecting it on mobile devices and cloud repositories.
  • Encryption alone is not sufficient
    Protection of confidential, private or highly sensitive information should combine encryption with persistent usage policies to ensure that businesses control under what conditions a user can have access and what an authorized user can do with this information once access is granted.
  • Sensitive data will be localized at places you don’t know, control or trust
    In the daily course of business, whether through user error, complacency or malicious activity, companies lose control of sensitive data. Because the places data goes may be untrusted, one cannot rely on the security of the network, device or application to protect that data. Data must be protected all the time regardless of location or devices.
  • You need visibility into who accesses the protected data, when, and how many times
    Detailed visibility ensures auditability and insight into usage patterns and potential issues, which in turn significantly improves control.


Since we live in a mobile and digital work environment, organizations must secure business documents that are portable, easy to copy and more prone to data breaches. Although many organizations have made large investments in perimeter-based security, they are still getting breached. Insider threats and employee data theft are a top concern to every business as this type of breach, which is often the most damaging, can mean the end of business.

You can continue putting all of your resources into perimeter based security or you can look to persistent data-centric security for your data protection – all the time and anywhere.

10 Tips To Make You A Cyber Smart Holiday Shopper

As we move into the week of Thanksgiving in the US, some of us start thinking about eating, family and football; not necessarily in that order.  Others start thinking about shopping for the holidays.

Next week is Cyber Monday and I think it’s a little easier on the feet and constitution than Black Friday.  I would rather go online and go after all the bargains, rather than waiting in line and fighting all the crazy people out there trying to get $50 off a television.  But to each his or her own.

As with anything online, you need to take the good with the bad.  There will be a lot of great deals from reputable sites, but watch out for scams.  Online scammers try to game the search engines with “legitimate” bargains.  You search for a bargain and the link takes you to a site that looks legitimate. Check to see that it is a legitimate merchant before you buy anything.  Some are just sites with malware that could wreak havoc on your computer.

Also look out for social media, text and email scams.  Facebook, Twitter and LinkedIn are popular targets.  A seemingly great offer for a discounted service or product will first ask for personal information.  This is a basic phishing scam to get you to give up personal information that results in targeted attacks. If you see something that looks too good to be true, it probably is.  It may have come from a hacked account, so beware.  As usual, the goal is to get you to part with your money.

Here are 10 tips to keep you safe while online shopping:

  • Conduct research: When using a new website for purchases, read reviews and see if other consumers have had a positive or negative experience with the site.
  • When in doubt, throw it out: Links in emails, posts and texts are often how cyber criminals try to steal your information or infect your devices.
  • Personal information is like money: value it and protect it: When making a purchase online, only provide information required to complete the transaction. You only need to fill out required fields at checkout.
  • Use safe payment options: Credit cards are generally the safest option because they allow you to seek a credit from the issuer if there is a problem.  Your liability is also limited if someone steals your credit card information.
  • Protect your $$: When shopping, check to be sure the site is security enabled. Look for URLs with https:// to help secure your information.
  • Now you see me, now you don’t: Some stores and other locations look for devices with Wi-Fi or Bluetooth turned on to track your movements while you are within range. Disable Wi-Fi and Bluetooth when not in use.
  • Get savvy about Wi-Fi hotspots: Limit the type of business you conduct over open public Wi-Fi connections, including logging on to key accounts, such as email and banking. Adjust the security settings on your device to limit who can access your phone.
  • Keep a clean machine: Keep all web-connected devices, including PCs, smartphones and tablets, free from malware and infections by running only the most current versions of software and apps.
  • Get two steps ahead: Turn on two-factor authentication on accounts where available. It adds a layer of protection beyond login ID and password.
  • Create better passwords: If your passwords are weak, improve them by adding capital letters, numbers and symbols and using different passwords for every account.

Shopping online is a great way to get some bargains and save time.  Enjoy yourself, but keep safe.  You worked hard for your money, so don’t let scammers and cyber criminals get you to part with it.


Photo credit Kevin Galens

Patriots Losing Unstructured Data

We create mountains of data every day and about 80 percent of it is unstructured.  That means it’s not stored in a database.  It’s documents, text messages, emails, videos and everything we create on desktops, laptops and mobile devices that we store locally, remotely or share.

One of the problems of all this unstructured data is most of us don’t know what it is, where it is or who has access to it.  Just ask the New England Patriots about text messages that may have started the so-called Deflategate mess.  Unless this data is protected, it can and will go anywhere.  Fortunately Tom Brady and the Patriots were exonerated, but losing sensitive data caused them a lot of problems.

Unstructured data is on our local devices, on social media sites, in cloud repositories and all over your internal networks and systems.  Finding it is hard.  Classifying and controlling it is even harder.  Making sure that only authorized people can access it, is the hardest.

Byron Acohido, from ThirdCertainty, wrote an article entitled “It’s time to give unstructured data some structured protection” where he discusses some of the problems the New England Patriots and others have with losing unstructured data.  Whether it’s a trusted insider stealing sensitive information for profit, like at Morgan Stanley, or a hacker stealing intellectual property, the consequences to your business are the same.  If you can’t control access to the data, you will suffer the consequences.

The best way to protect yourself is to classify any newly generated unstructured data that could be sensitive and encrypt it with a dynamic security policy to lock it.  Whether you are the New England Patriots or a small business, protecting your sensitive data is critical.  That ensures only authorized people can access it, no matter where it is and who is trying to look at it.


Photo credit Steve Baker

Securely Share Financial Information

Your employees regularly share sensitive financial information internally and with vendors, partners, external agencies, contractors, advisors, and other outsourcers. Once this information leaves your control, third parties can share it with anyone, possibly compromising your and your customer’s confidentiality. This also becomes a problem if a trusted insider accidentally shares sensitive information with an unauthorized person.

Financial service providers must comply with FINRA, SEC, CFPB and numerous other regulatory agency rules that require institutions to protect consumer and financial information.  How the institution protects this information is left to the institution and is not always effective.  If you lose sensitive customer information you may be subject to fines for violating regulations, not to mention losing customers because they can’t trust you to maintain their confidentiality.

Since financial information is the lifeblood of most businesses, it’s important to share it with those authorized to access it.  At the same time, you need to ensure that it isn’t accessible by someone not authorized to see it.  When sharing information outside your organization you need to extend your internal security to your partners so that customer information is protected regardless of where it goes and who has it.

Protect customer information as you share it externally by encrypting the files and applying persistent security policies that protect them regardless of where they are or their format. You can share sensitive files through email, USB drive, external portal or any cloud file sharing site and ensure they are always protected.

You can verify a recipient’s identity through a simple and secure email authentication process that can also tie access to a specific device. File access is tracked in real time for precise auditing.  For anyone that deals with regulations, you know you must show an audit to prove you are in complete control of your information.  Protecting your customer’s information ensures you meet financial regulations and safeguard customer confidentiality.

Here are some advantages of providing a data-centric security approach to sharing your sensitive information:

  • Encrypt customer information to meet consumer and new data protection legislation
  • Securely share files with credit analysts and collection agencies
  • Control who can View, Edit, Print and take a Screen Capture of the file content
  • Limit access time and the number of devices, including mobile
  • Revoke access to shared files immediately
  • Trace and control user/file activities in real-time

Protecting your customer’s information as you share it with external organizations ensures you meet consumer and financial regulations and safeguard customer confidentiality. Reduce your risk of violations and give your customers the peace of mind that you can maintain their personal information securely.


Photo credit GotCredit
