“Encryption for all”

April 3rd, 2006

According to the article published recently at tmcnet.com, to prevent the information from being compromised from poorly protected servers, stolen laptops, or misplaced portable media, it is essential to encrypt all sensitive information stored on portable computers and media, including backup media.

“Although no federal laws or guidelines require encryption to protect confidential information, disk or data encryption is the easiest way to prevent unauthorized access.”

Here are some rules for protecting confidential data:

1. Create a data encryption information policy and educate employees.
2. Use a proven and secure software product.
3. Enable automatic encryption of data or the media it resides on.
4. Ensure that the password, passphrase, or secret key used to protect the data is nontrivial and stored securely.
5. Create and maintain a key escrow program so that encrypted data can be recovered if the main user loses the key.

“The hardest choices will be what to encrypt and what product to use. You can encrypt the entire media or just the data. Encrypting the entire media is a better choice because application software often leaves plain-text remnants of crypto-text in unprotected areas. An attacker using a bit-level analysis tool could extract the plain-text remnants.”

This blog is run by the authors of FindProtected.
FindProtected is an effective security program that allows you to search your network for password protected files. With FindProtected, you can properly identify protected files containing sensitive data on your network and relocate them if necessary.

2005 Storage Year In Review

March 26th, 2006

WWPI.com has published “2005 Storage Year In Review”.

If information is the lifeblood of business, then preserving data is the lifeblood of storage. In 2005, stored information was subject to more threats than ever: mayhem, viruses, worms, human error, natural disasters (think Katrina) and infrastructure failure (think the entire East Coast going dark.) Along with compliance, litigation discovery, and business value pressures, real storage costs are going through the roof.

“These pressures are threatening the existence and recovery of fast-growing data volumes. Stored data used to grow at the rate of 30 to 50 percent per year, and is now reaching levels of 60 to 80 percent per year. Some industries are experiencing 100 percent growth”.

Some of the most important and interesting of the storage technologies include “backup and recovery, archiving, tiered storage, storage networking, interconnects, CDP, NAS, iSCSI SANs, virtualization, security and encryption, and virtual tape”.

Backup and recovery have been with us since the beginning of the written word. However, once a piece of data is recorded, how do you protect it so it can be recovered and consulted as needed? “The threat runs through all sizes of business. Enterprise and mid-market are particularly affected because of their volume of data and pressures of compliance, governance, and litigation pressures”.

“Unstructured data is complicating the issue. Structured data volumes are growing, but the number of emails and unstructured files are exploding. Meanwhile, backup windows are shrinking to nothing while customer service demands and expectations are strong and getting stronger. All of these pressures strongly impact backup and recovery – with an emphasis on recovery. A major trend in 2005 was the growing reliance and demand on recovery. Backup doesn’t go away, but the only real reason to backup is being able to get the data back again. This means being able to search more powerfully and being able to restore much faster, in response to data loss, increased regulation and legal discovery”.

“Archiving remains a separate technology from backup, although there is still some confusion in the marketplace and it is possible to use backup as an archiving engine”.

“The move to intelligent archiving requires use of disk in archiving schemes… Businesses can use disk in long-term archives where it can be categorized and indexed for data recovery operations. Along with disk-based data replication to different locations, business can protect its information better than ever before.”

Glenn Groshans, a Director of Product Marketing at Symantec, peered into his crystal ball. “What we see over the long haul is that backup and archiving are merging so you have a single policy for data protection over time. It is true that today they’re separate applications for separate things, but ultimately they’ll be in one storage management policy including replication, SRM, backup and recovery, and archiving. These are four separate operations now, but they will be singly managed.”

The full review is available at wwpi.com.



New Kingston flash drive erases data after failed login attempts

March 26th, 2006

USB flash drive manufacturer Kingston seems to have made a significant step toward making its portable devices more secure. Its new USB flash drive, which will come in various capacities from 256 MB all the way up to 4 GB, features on-board encryption and password protection that causes the device to wipe itself after 25 failed attempts.

The new USB flash drive is like the company’s previous USB flash drives, but has on-the-fly 128-bit AES encryption. In addition, users can set a password, which, if guessed incorrectly, will basically nuke the data portion of the drive.

According to TGDaily.com.



IT managers see portable storage device security risk

March 26th, 2006

The article at ComputerWorld.com says that user-owned plug-and-play USB port drives pose a security risk to sensitive company data.

Now that it is hard to copy much data to a floppy disk, and CD writers are not allowed in many organizations, here comes the USB flash drive with enormous capacity, zero installation, etc. Very handy, very risky—risky both as a way for data to leave, and a way for malware to arrive.

“With more than 42 million of Apple Computer Inc.’s iPods sold so far in the U.S. alone, the threat of data theft or loss from downloading information on a USB-port device is growing exponentially, according to analysts…” “An iPod is just storage at the end of a wire,” said John Webster, a senior analyst and founder of Data Mobility Group in Nashua, N.H. “You already see people running around with iPods, using them as backup devices. USB storage devices are a potential source of data leakage”.

According to Eric Ouellet, vice president of research for security at Gartner Inc. in Stamford, Conn., “only about 10% of enterprises have any policies dealing with removable storage devices”.

However, some companies have found a way to protect their data by standardizing on USB memory sticks that have native encryption and password protection. In addition, in reaction to IT managers’ concerns about data loss threats, IT vendors are offering security for flash memory devices.

Baptist Memorial Health Care Corp., in Memphis, took a four-pronged approach to securing data that could be leaked through portable devices:

1. Conduct executive and administrative awareness programs and develop an administrative policy that was enforceable.

2. Audit the IT environment and find all attached devices (USB, serial, FireWire, wireless and infrared).

3. Implement port control technology and turn off specific devices that did not have a legitimate business justification and approval.

4. Provide a corporate standard device for approved data transport purposes.



When Data Retention Is a Bad Idea

March 18th, 2006

An article by Russ Cooper has recently appeared on mcpmag.com: “Companies keep more and more business data in electronic form as the cost of storage drops and regulations like Sarbanes-Oxley require companies to preserve data for legal and accounting purposes”.

E-discovery services are not limited to law firms: Many companies contract such services to proactively find regulatory problems in their archives. E-discovery services examine company archives to find relevant files, preserve them for use in court and give access to lawyers who need to analyze the data as evidence. As companies seek to reduce discovery costs, discovery features may be added to storage solutions.

One of the major concerns about e-discovery is that, “with the dramatic drop in storage media costs, IT departments may become lax about determining what data they should be storing and what should be trashed. In so doing, the more data they have stored, the more vulnerable that company will be to such problems and costs”.

“In the U.K., it’s no longer a question of whether or not data must be retained, but how long it must be retained for. Consideration regarding the unintended consequences of insisting on retention seems not to have been given”.

To further illustrate the potential problems, Brian Sartin of Cybertrust’s Forensic Investigations organization said in a recent discussion that in a considerable number of the credit card number loss cases the team has worked on, the company in question was unaware that the credit card numbers were in the data at all. Companies might be aware of some files that would or should contain such details, but be unaware that other files were storing them as well. As such, a company may well believe it has done a good job of protecting such sensitive information, yet still have it compromised. Extending this thought to e-discovery, if the files that are being archived contain information the company is unaware of, then that data may be discoverable in the future when it might otherwise not have to be.

“How data is stored makes a significant difference to what can be retrieved. For example, if archiving is automatic and deletion of archives happens after it has been transferred, then it may be possible to recover deleted items from the physical media the archive is created upon”.


This blog is run by the authors of FindProtected.
FindProtected is a security program that allows you to search your network for password protected and evidential files. With FindProtected, it is much easier to discover electronic evidence that may be used in litigation.

Cost of e-discovery

March 18th, 2006

There’s an article by John Sterlicchi at accountancyage.com called “E-trail leads straight to court”. According to the article, “the cost of e-discovery – revealing documents in the run up to a trial – may also have chief financial officers worried as evidence emerges that the process can rack up fees in the hundreds of thousands of dollars. There are numerous examples where electronic documents are in evidence. At present, emails involving Enron’s former CEO Jeffrey Skilling are being used by the prosecution at the fraud trial taking place in Houston”.

“Besides the costs associated with litigation, corporate CFOs are beginning to baulk at the actual cost of the e-discovery process. Anecdotally, one case is said to have rattled up e-discovery expenses in eight figures, and researchers say $140,000 is the minimum per suit.”

“With those kind of fees on tap, it is not surprising that a whole industry has appeared, consisting of dozens of companies that have developed a variety of technologies to either find and analyse documents needed in litigation or, better still, help businesses keep a handle on their electronic documents before a lawsuit is filed.”

The research company EDDix has recently published a survey estimating that the e-discovery industry will generate $2bn in revenues for vendors this year, with compound growth of 35%.

However, although nearly every civil court case in the developed world now involves e-discovery, “still more than half of IT organisations and in-house legal teams are not geared up to handle requests for electronic evidence,” according to Gartner research.

“Even more alarming, 65% of corporations do not include electronic documents in their document retention schemes, according to consultancy Cohasset Associates.”

One proactive action that companies can take is to “archive their e-documents in such a way that those most likely to be subject to compliance or litigation reporting and disclosure are put in near-line storage and not hidden away on tape drives in a back room somewhere”.


Information security requires high levels of “task interdependence”

March 14th, 2006

According to a recent article at Net-Security.org, “obtaining senior management support is one of the most critical issues influencing information security effectiveness in organizations today”.

According to an Auburn University study, “implementing information security programs requires exceptionally high levels of “task interdependence,” with respondents reporting that 62 percent of their daily tasks require the exchange of information or cooperation with others. This is a key finding in determining the correlation between top management support and effective information security programs, as previous studies have shown that organizational work high in “task interdependence” requires greater levels of executive support to be successful”.

“Senior management must act like a coach to promote teamwork in order to keep the business moving forward so it can achieve its security goals”, said Kenneth J. Knapp, Ph.D., professor of management at the U.S. Air Force Academy.

“The study results also suggest that information security effectiveness can best be achieved by focusing on four crucial areas: promoting strong user training programs, building a security-friendly culture, creating and updating security policies that are relevant to the mission, and adequately enforcing those policies”.

“Researchers developed a theory illustrating the relationships among the higher-ranked, managerial-oriented issues, showing the relationship between top management support and security effectiveness, which was strongly supported by the results of this phase of the survey, according to the 740 CISSPs who responded”. A copy of the report can be found here.


Some Surprising Findings About Identity Theft

March 7th, 2006

Caroline Mayer (blog.washingtonpost.com) posted some surprising results of a recent survey on identity theft, conducted among 5000 Americans by the Better Business Bureau and Javelin Strategy and Research.

First off, according to the survey, “most of the compromised data is not taken through the Internet. In fact, the traditional offline channels, such as lost or stolen wallets, checkbooks or credit cards, continue to be the primary source of ID theft”.

“The average fraud amount per case is now $6,383, up from $5,249 two years ago. But the average out-of-pocket cost for consumer is down to $422, compared to $657 last year. That means businesses are bearing the bulk of the costs”.

The most susceptible targets of identity theft are 25 to 34 year olds, not seniors, “most likely because they conduct more transactions and are therefore at the greatest risk”. However, the 35-44 year olds have “the highest average fraud amount–$9,435”.

“As a percent of the U.S. adult population, the study shows the number of fraud victims has dropped from 4.7 percent to 4 percent between 2003 and 2006… As the survey noted, consumers detect almost half the fraud cases, with 11 percent of the victims caught by monitoring credit reports”.


Can Legislation Stop Identity Theft?

March 7th, 2006

There’s an article at technewsworld.com called “Can Legislation Stop Identity Theft?”. According to the article, “the recent US$15 million settlement between ChoicePoint and the Federal Trade Commission (FTC) signals regulators have cranked up the heat on companies that allow personal customer data in their possession fall victim to breach or exposure”.

ChoicePoint, a broker of consumer data, acknowledged that information on 163,000 consumers was exposed when its database was infiltrated. It agreed to pay a $10 million fine imposed by the FTC and to set up a $5 million account to help those who fell victim to identity theft as a result.

However, “as much as the FTC had hoped to send a message, it seems that get-tough approaches from regulators and even promises from lawmakers to address identity theft with tougher legislation are not likely to provide enough protection for consumers”.

“Many believe legislative efforts will fall short of the mark. While lawmakers recognize the urgency of addressing the ID theft trend, the laws they are likely to pass will often be softened on their way through the legislative process thanks to heavy lobbying from corporations, trade groups and others, Todd Davis, the chief executive officer of LifeLock, which offers a proactive anti-identity theft service, told the E-Commerce Times…

Companies are often reluctant to admit fault, and some may feel that offering to help prevent identity theft based on a data breach may be the equivalent of admitting wrongdoing — and opening the door to hefty legal claims.”

In many instances, companies are not genuinely concerned about data protection. “Companies are turning over control of data to third parties for processing or storage, often without first ensuring they can keep it safe,” noted Privacy Rights Clearinghouse Director Beth Givens.

“The easier it gets to transfer billions of bits of confidential data by pushing a button, the more difficult it is to safeguard our private records”.

A large share of legislators and many privacy groups believe that identity theft legislation may be difficult to come by; however, it may be necessary, “since existing regulations haven’t had the desired impact”.


Integrate Find Protected in your security suite

March 2nd, 2006

It is now easy to integrate Find Protected into your company’s security system: we have designed a Find Protected COM server, so integration will not take much programming. Adding Find Protected to your security tools will address some important identity theft problems. Details are below.

How to use COM Server

Download COM Server version: http://www.findprotected.com/fp_com.exe

After installation in C:\Program Files\Find Protected you will find:

1) findprotected.exe — the COM server. Install it with regsvr32, or just run it once so that the server is installed.
2) FP_COM_test.exe — a sample program written in Delphi that shows how to use FP as a COM server. The Delphi sources are in FP_COM_Test_src.zip.
3) findprotected_com.hlp – a small help file for the COM server procedures.

Let us know if you have any questions.