MyLaptopGPS » Dan Yost

Tip of the Week: Research

Dan Yost — Tue, 07 Jun 2011 19:50:35 +0000

This latest tip is an oldie but a goody: do your research. The latest Ponemon Cost of a Data Breach Study has many helpful pieces of information, summarized, which help emphasize some of the damage vectors that are actually affecting businesses–not in theory, but in practice. There are many guides and tools available (try a quick Google search) that help organizations take account of what devices are present in the enterprise, each of which could be carrying sensitive data (though governing these many devices is becoming more difficult by the day). But, overall, DO SOMETHING. Don’t wait, and don’t assume it won’t happen to your organization.

Rip of the Week: South Carolina Hospital Breached by Laptop Theft

Dan Yost — Tue, 07 Jun 2011 19:41:46 +0000

Another hospital has suffered a costly and dangerous data breach. This one, it turns out, actually happened a few months ago. WSPA reports that Spartanburg Regional Hospital in Spartanburg, SC, has warned “potentially thousands” of patients that their personal information could be at risk thanks to a stolen laptop. An employee’s work laptop was stolen from a car, and that machine contained Social Security Numbers, addresses “and more,” though what other information was present has not been revealed. It’s another dangerous situation caused by an unsecured laptop, for certain. Thanks to Redemtech for the tip.

Annual Cost of a Data Breach Study: Malicious Attacks Gaining Prominence

Dan Yost — Tue, 07 Jun 2011 19:26:12 +0000

We continue to look at highlights from the annual Ponemon Cost of a Data Breach Study, sponsored by Symantec. Be sure to visit Symantec’s Press Release and the download page to get the full report. A couple more highlights are worth mentioning this time around:

For the first time, malicious or criminal attacks are the most expensive cause of data breaches and not the least common one
Organizations are more proactively protecting themselves from malicious attacks

Perhaps we would call this some bad news, and some good news. A summary of these points is found on page 5 of the study. In the past, directly malicious or criminal attacks were the least common cause of breach. This is not to say that they were not potent and very damaging, but merely that they were relatively uncommon. Not true anymore. Incidents of direct, malicious attack are on the rise.

Thankfully, this is at least somewhat tempered by some good news: there seems to be an increase in organizations proactively protecting themselves from malicious attack. Clearly, some are “getting it” and starting to take action before the breach, rather than merely reacting after it. Remember, an ounce of prevention is worth a pound of cure.

Don’t forget to dig in and take a look at the study using the links above.

Tip of the Week: Calculate Potential Costs

Dan Yost — Tue, 15 Mar 2011 16:14:56 +0000

This week’s tip follows the release of the Ponemon Institute’s 2010 Annual Cost of a Data Breach Study, another fantastic summary of key issues in the data security world. In conjunction with that study, Symantec, the study sponsor, also released information about a new online calculator they have released, which helps organizations gather some data and “connect the dots” in relation to the study, specifically to estimate the costs said organizations would be facing if a data breach occurred.

The calculator can be found at DataBreachCalculator.com. Our tip: give it a try, then consider the cost of non-action.

Rip of the Week: Cord Blood Registry Notifies 300,000 After Unencrypted Tapes and Laptop Stolen

Dan Yost — Tue, 15 Mar 2011 16:02:05 +0000

Unencrypted data storage tapes and a laptop were stolen from an employee’s car, leading the Cord Blood Registry to notify 300,000 people that their data may be at risk. Paul McNamara summarizes at NetworkWorld, with thanks to Redemtech for the tip. The break-in occurred on December 13, 2010 and CBR, based in San Francisco, mailed 300,000 letters dated February 14. A copy of the letter can be found here.

CBR maintains that while the lost data did contain personally identifiable information (PII), medical details were not included. Said CBR’s director of corporate communications, Kathy Engle, “The tapes may have contained personal client data of adults (credit card numbers, driver’s license numbers or social security numbers); nothing on children and no health information at all.”

It costs a lot of money to mail 300,000 letters. As the new Ponemon Cost of a Data Breach Study confirms yet again, the costs may be only beginning.

Annual Cost of a Data Breach Study Released: $7.2 Million Per Breach

Dan Yost — Tue, 15 Mar 2011 15:44:26 +0000

The Ponemon Institute has released their annual Cost of a Data Breach Study. As usual, it’s a nice, concise trove of useful information. Symantec completed their acquisition of PGP over the past year, so the formerly PGP-sponsored study is now Symantec-sponsored. Symantec’s press release and study download page, as well as a blog post by Dr. Larry Ponemon help get the ball rolling with some summary of the study.

We plan to spend the next several posts digesting the new study. For now, some interesting key findings (please be sure to visit the links above and download the full study):

The average organizational cost of a data breach rose to $7.2 million.
The average cost per breached data record rose to $214 from $204 in 2009.
Rapid response to data breaches is costing companies 54 percent more per record that a slower response.

That last point will yield some further discussion over the coming weeks. It’s been said many times that a very slow response will cost an organization dearly. But it has also been said, and is now becoming clearer, that responding too rapidly is also more damaging. There’s a fine line to walk, but walking it correctly makes a very large financial difference to a breaching organization. Preparedness is a key.

Tip of the Week: If You Don’t Want the Advice, Don’t Ask (or Pay) for It

Dan Yost — Tue, 15 Feb 2011 18:34:52 +0000

The Wall Street Journal recently ran a very interesting article about Kevin Mitnick. Do you remember Kevin Mitnick? He’s a famous engineer. Not the sort your likely thinking of.

He’s a social engineer.

And no, that doesn’t mean he’s a really savvy developer for Facebook.

Mitnick caused an estimated $300 million in damage through the better part of two decades spent hacking into some very large institutions. How did he do it? He asked. That is, he simply used “social engineering” to trick people into giving him access, kind of like that email that is still circulating on the Internet that convinces you to delete certain files off your computer because they’re a virus (when in fact they’re standard Java files).

He’s a fascinating case study in how to break into the Big Guys using some remarkably simple methods, without abundant, nor sophisticated, technical attacks. This isn’t Stuxnet. This is earning the sympathy of the receptionist who lets you use her computer for “just a moment.”

Mitnick, who is out of prison now and works as a consultant, mentioned in the article that he has a nearly 100% success rate, still today, for his consulting clients, breaking into their systems using good old social engineering.

But the kicker here is that he has a 90% success rate on the SECOND attempt…because his clients typically do not implement the corrections he advised in the first place. This experience mirrors our own experiences at Tri-8, Inc. (makers of MyLaptopGPS), particularly in our longer software automation history. It’s remarkable how many organizations will ask for, and pay for, key technical or business advice, and then essentially ignore it–and fall victim to the very same problems they started with.

Thus, our Tip of the Week is very simple, yet very powerful: if you ask for, and pay for, advice, consider following that advice.

Fool me once, shame on you. Fool me twice…

Rip of the Week: Salvation Army Stolen Laptop Contains Information About Mercy Recipients

Dan Yost — Fri, 11 Feb 2011 18:10:31 +0000

This Rip of the Week has good news and bad news. First, the bad news. The Salvation Army in Union, SC was broken into. Three times. In two months. In the latest burglary, a laptop was stolen, which contained information about the people the Salvation Army was helping. News Channel 7 reports, and thanks to Redemtech for the tip.

But there is good news. According to officials at the Salvation Army, “We’re password protected and then we have two more layers of protection… Their information, I feel very confident that it’s secure. It’s very difficult to break into our systems that we’ve been using.”

Of course, the “password protection” part doesn’t inspire confidence, as usual. But multi-layered security? That’s a very good sign. Let’s hope it holds, indeed.

New Survey: 9 out of 10 Security-Related Employees Have “No Idea” of Breach Costs

Dan Yost — Fri, 11 Feb 2011 17:58:38 +0000

Computerworld has published an interesting article by Jaikumar Vijayan regarding yet another survey with disturbing findings. The survey polled 430 members of the Oracle Application Users Group (OAUG) and was conducted by Unisphere Research and sponsored by Application Security, Inc. It included “developers and programmers, database and systems administrators, systems architects and analysts and professionals from the HR and financial functions.”

82% of respondents claimed to be extensively involved in security functions, or involved in a limited/supporting role. Overall, the survey showed a “surprising lack of awareness of security issues.”

For example:

Only 4% admitted to being fully informed about security breaches within their organizations
80% of those who said their organizations had suffered a recent data breach were unable to tell which IT components might have been impacted
90% of those who had been breached had “no idea” of the resulting costs to their companies
53% said they had no idea what the security budget was, or weren’t privy to it
33% expressed a lack of understanding of security threats
50% expressed the belief that security efforts were being constrained by low budgets

The article mentions the OAUG’s response:

Mark Clark, president of the OAUG, expressed surprise at the broad takeaway from the survey results. “While OAUG members may not be the primary points of contact for IT security in their organizations, it is a bit surprising that many of the respondents to the survey indicate they are unaware or unsure of the security efforts taking place in their organizations,” he said.

“The opportunity to provide its members information and education in this area is something the OAUG will explore,” Clark added.

Indeed, this survey reveals another example of a very pervasive lack of security/risk knowledge in IT organizations, which highlights the danger of personal data in the hands of many stewards. Many thanks to Redemtech for the tip.

Rip of the Week: Laptop with Secret Super Bowl XLV Content Stolen

Dan Yost — Fri, 21 Jan 2011 16:15:17 +0000

Arlington, TX police are investigating the theft of a laptop that contained information related to Super Bowl security, MSNBC.com reports. The laptop contained artwork that was to be used for part of security credential process, and it was stolen outside a Joe’s Crab Shack near Interstate 30. However, police indicate that security for the Super Bowl has not been compromised in any way. The credentials had not yet been issued.

KENS 5 reports that arrests have been made, but no charges have been filed. Thanks to Redemtech for the tip.