Measure and control IT security

To protect your organization’s employees and clients, you need to evaluate how well your company protects its PII. Here are seven common mistakes to avoid.

Keep users in the dark

If your users don’t know how to identify and handle PII, it’s only a matter of time before one of them discloses this data to the wrong source.

Partner with the wrong businesses

If your company collects and shares PII with insecure partners, who do you think will end up in the paper and explaining to law enforcement about how a breach occurred? Your company will.

Keep data around past its prime

What do you do with data once it’s served its purpose? If you aren’t destroying PII when it’s no longer required, then you’re not doing your job. That doesn’t mean throwing it away either — that means destroying it.

Don’t worry about physical security

It’s imperative that you implement physical access controls to prevent unauthorized people — including employees — from gaining access to PII. Get a door lock and a badge reader, and start controlling access.

Don’t lock up your records

If you don’t have specific storage areas on your network (as well as file cabinets) for PII, then how can your properly protect it?

Ignore activity on your network

If you’re not going to actively monitor your network for suspicious activity or incidents, then stop collecting the data. Develop a method that’s within your capabilities and budget to monitor your network for suspicious activity or incidents. And while you’re at it, develop a response and mitigation strategy for security incidents.

Audits? Who needs audits?

A lot of businesses either don’t know what security events to audit or don’t read their security logs — or both. If you’re not sure which events to audit, find out. Set up security auditing, and start reviewing your logs today.

From the article by Mike Mullins.

This blog is run by the authors of FindProtected.
FindProtected is a security program that allows you to search for password protected files. With FindProtected, you can effectively identify protected files containing sensitive data on your network.

AKS-Labs has released a version 1.0 of RecentCleaner, a personal privacy tool designed to browse and clean recently accessed files list. The program supports WinZip, WinRar, Word, Excel, PowerPoint, Windows recent files.

Learn more about clearing recent files.

- Consider investing in a records-management software system to ensure the secure preservation of records electronically.

There are very reputable companies that make software for legal records management. Most of these software systems are licensed per work station, so it can be a costly investment. So whoever is in charge of this should shop carefully.

- Do not consider an e-mail In Box as a tool with which to manage records.

The e-mail systems like Outlook were never meant to be records-management systems. When e-mail files get really large, they tend to get corrupted…

When it’s e-mail, you probably have all kinds of things in there and don’t separate the wheat from the chaff because it takes too much time. So you get sloppy.

If you are going to use your e-mail as a client file, think about what you want in there and what you’d want someone else not to see. Delete it, and then delete the deletion.

- Store records in a location outside the offices of your law firm.

Even in small and midsize firms, there’s so much data it’s hard to back it all up on one tape, and it becomes harder to recover that much data. So some firms are turning to business continuity systems [with which] they send their data electronically off-site so it can be easily retrieved.

- Leave the records-management responsibility to an expert in the field rather than rely on an in-house policy.

Most large firms have had a director of records or a manager of records, which was mostly a paper-pushing position. But what has happened is that 80 percent of records now are electronic, and so it’s an entirely different process to manage electronic records. That’s where an information officer [comes in and] works closely with a records manager to do the overall management of the electronic records.

- Follow the lead of publicly traded business clients, which have had to pay close attention to their record-management practices as federal regulation of those practices has tightened.

Regulation that’s now affecting publicly traded companies, such as Sarbanes-Oxley [a 2002 federal law that established strict standards for corporate governance], will probably come to affect private industries like law firms, and that will mean lawyers will have to be much more careful about how their firms keep their records.

(c) HENRY CHACE

This blog is run by the authors of FindProtected.
FindProtected is a security program that allows you to search for password protected files. With FindProtected, you can effectively identify protected files containing sensitive data on your network.

We always get the user’s feedback with questions concerning the usage of the background file wiping feature of our Shred Agent, asking whenever it is reasonable or not, and whenever analogous programs have this feature or not. That is why AKS-Labs has asked the independent software expert to review and compare 10 most popular shredders, including the Shred Agent itself.

Click to read the comparative review of 10 file shredders.

In today’s workplace, it’s impossible to eliminate mobile computing devices — laptops, thumb drives, mobile phones, PDAs and iPods. However, “since California enacted a data breach notification law in 2002 (followed by 32 other states), there have been a host of embarrassing disclosures about missing computers”.

About half of the states’ breach-reporting laws give companies a way to avoid disclosing such breaches: the use of encryption on the mobile devices.

But encrypting data on mobile systems isn’t a simple task. CIOs and CISOs have found that while the technology to encrypt laptop hard drives is pretty straightforward and simple to deploy, there are several aspects of mobile security for which technology is not yet solid, particularly for protecting data on removable media and handheld devices. That’s why security leaders who have adopted encryption make sure to use other techniques — both technological and managerial — to protect their mobile data.

The first decision when implementing an encryption strategy is whether to use full-disk encryption or file-based encryption. Although most operating systems have built-in file encryption tools, this approach has a significant security flaw: It relies on users putting files in the encrypted folders.

The other option is full-disk encryption, which protects everything on the hard drive. The latest disk-encryption solutions are easy to use and are not likely to slow down performance. “Several companies — including PGP, Pointsec and GuardianEdge Technologies — provide enterprise-class full-disk encryption software that can be installed and managed using standard tools, and that works with backup software and password management systems.”

See full story.

Data encryption is important for the security of stored data. However, it is also important to use secure file removal applications. If the sensitive data was deleted from laptop or PC using unsecure operations, it can still be recovered. To protect your deleted data, you need to use specific file wiping tools.

This blog is run by authors of Shred Agent and QuickWiper.

Junk mail is more than irritating. In fact, it’s increasing your risk of identity theft.

For instance, you have a check from Household Bank in your junk email and it’s probably not a check for anything you’re actually participating in. This is more of a solicitation, and if you cash it they hold you responsible. The problem is what happens if you don’t get it and somebody else does.

If that happens, it would be very easy for a criminal to cash the check, and you’d be on the hook for the money until you cleared up the problem with the bank. And speaking of banks, most of us are inundated with pre-approved credit card offers. Even without your Social Security number, a crook could use these applications to obtain a credit card in your name.

All they really have to do it get this fill those in and use them and you’re going to be on the hook for whatever amount they wrote the check for. You could also face legal trouble if the checks bounce and the vendors file a complaint with the local prosecutor.

To protect yourself, you can contact the credit bureaus and tell them to stop the pre-approved credit offers, and you can contact the Direct Marketing Association and have them put you on their no junk mail list.

But it is much more important to use secure email deletion to reduce the risk of identity theft. Shredding your junk email allows you to save a lot of time and money by ensuring your email will not be used for malicious goals.

See full story.

This blog is run by authors of Shred Agent and QuickWiper.

If you watched a “Prison Break” movie then you might remember scene when hard disk was taken from the river and 60% of data was recovered. Let’s list some ideas about how to secure your hard disk:

1) Don’t give out (through away) a hard disk with valuable data;
2) The best way to destroy data is to drill your hard disk or break it completely;
3) If you don’t have a drill or you want to use something safer… then you should use file shredder;

File shredders
You will need two functions in file shredder - wiping free space and wiping files; Wiping free disk space is necessary to make previously deleted data irrecoverable, wiping files makes it impossible to recover files that you delete.

What is good file shredder? It’s secure, it don’t need you action, it wipes even temporary and cached files. In this case consider using background mode file shredder.

Finally, keep your files in secure place!

This blog is run by authors of Shred Agent and QuickWiper

Raleigh, NC (AKS-Labs) September 25, 2006 — AKS-Labs, has release a version 1.1 of Shred Agent, a file shredder utility that works in background mode and does secure deletion of all deleted files.

With the wider use of encryption systems, an attacker wishing to gain access to sensitive data is forced to look elsewhere for information. One way to attack is the recovery of supposedly erased data from hard disk or random-access memory.

Shred Agent is designed to protect your privacy. When you delete files in Windows it is possible to undelete or recover them using different file recovery utilities. If you want to make sure that the file you delete cannot be restored by any means, Shred Agent is the right tool for you.

To make sure nobody else has access to your private files, you might use some encryption software. But encryption is useless if the original plaintext can be recovered. Wiping is the process of writing some information directly into the space where the old file was located.

Shred Agent works on hardware level, thus wiping the files completely, eliminating the possibility of ever recovering them. What makes it different from most file wiping utilities currently available on the market is the capability to control the wiping of files in the background. For example you can configure the corresponding filters to wipe temporary file created by office programs.

If Shred Agent is installed on a server and a remote user is trying to delete a file from the “Include” list, Shred Agent will wipe the file via network.

Shred Agent can be customized to suit just your needs. Configure filters to wipe only the files with certain extensions or belonging to a specific directory. Make sure Shred Agent is launched every time you switch on your computer. Record all the information about the files being wiped to a log file.

Read more at www.shredagent.com

A fifth of secondhand PCs finding their way onto the resale market in the UK, Australia, North America and Germany still contain sensitive data on their hard discs: Research by BT, the University of Glamorgan in Wales and Edith Cowan University in Australia, has found that while 41% of the disks were unreadable, 20% contained sufficient information to identify individuals.

The research, based on the acquisition of 300 PCs from auctions, computer fairs and on-line purchases, also found that 5% of the machines held commercial information on organisations, and that 5% held “illicit data”.

Some of the information contained on the disks included payroll information, mobile telephone numbers, copies of invoices, employee names and photos, IP addresses, network information, illicit audio and video files, and financial details including bank and credit card accounts.

Although the research results show that there has been an improvement in the number of owners properly erasing data, a large number of the discs examined still contained significant volumes of sensitive information. Despite widening security awareness, more regulations and significant publicity, organisations are still not modifying their procedures to ensure that information is effectively removed before disposing of computer discs.

See full article at ComputerWeekly.com.

This blog is run by the authors of QuickWiper, a Windows security program. QuickWiper allows you to delete files with simplicity and ease. When deleting files with QuickWiper, you can choose a fast single pass, or the most secure NSA erasure algorithm.

According to the article by Clive Akass, there has been a series of incidents when sensitive data was found in computers on sale in developing-world markets. A recent BBC report has revealed hard disks containing personal data, and even banking details.

However, Computer Aid and Digital Links International (DLI) both said they wipe hard disks as part of their refurbishment process. A DLI statement said it provided a data-destruction certificate to all donors. Chief executive David Sogan said: “We work in partnership with professional refurbishment companies to ensure absolute security and environmental excellence for our donors.”

The problem of sensitive information on hard disks is not restricted to developing-world countries. A lot of data can be retrieved from PC if Windows delete function is used. When selling a laptop, for instance, it is usually necessary to reformat the hard drive and reinstall the operating system. However, it could not be enough.

“The only way to be 100 percent sure that nobody with computer talents can ferret out some stuff from a hard drive is to use software that writes a 0 or a 1 to each spot on the drive. Even then, Pentagon standards call for repeating the write-over several times” (by James Coates).

This blog is run by the authors of QuickWiper, a Windows security program. QuickWiper allows you to delete files with simplicity and ease. When deleting files with QuickWiper, you can choose a fast single pass, or the most secure NSA erasure algorithm.