May 22 2020

Security executives succeeding in the chaotic coronavirus world

Category: CISODISC @ 5:29 pm

What a crazy world we live in – employees working from home, “dirty” personal devices being used to access corporate data, furloughed employees still maintaining corporate IT assets and access – all while the quantity and variety of cyberattacks and fraud is drastically increasing. Corporate security executives have never had a harder set of challenges to deal with.

Source: Security executives succeeding in the chaotic coronavirus world

 

What is your greatest security concern right now?

The collective response to this question is that security executives are most worried about the increase in phishing campaigns and fraud, especially with distracted employees who aren’t as diligent with security hygiene while working from home. As one executive stated, “My greatest concern right now is social engineering resulting from cyberattacks on people wherever they are. High stress means reduced cognitive functions, so attackers may find it easier to do social engineering, which opens the door to everything else.”

Other major concerns include mitigating the impact of an increased attack surface and the need to enhance remote access controls to make certain organizational security levels are met despite a large majority of employees working remotely. For example, one executive further explained that she was most focused on mitigating the impact of this increased attack surface, particularly enhancing remote access controls such that the organization would be secure even if 100% of the employees were now remote. Enhancements to firewall, NAC, DLP and other solutions were required. Vendor risk also was a much greater concern for this executive, with third parties potentially now more vulnerable.

Virtual CISO and Security Advisory – Download a #vCISO template!

 

Virtual CISO and CISO – Checkout a vCISO/CISO latest titles

 

10 Tenets of CISO Success

httpv://youtu.be/L0uQplBNTt4

Aug 22 2019

‘2019 is the year of enforcement’: GDPR fines have begun

Category: GDPRDISC @ 2:57 pm

The Information Commissioner’s Office levied fines against British Airways and Marriott International for violating the GDPR.

Source: ‘2019 is the year of enforcement’: GDPR fines have begun – Digiday

British Airways faces $230 million fine over GDPR breach
httpv://www.youtube.com/watch?v=CUVrcuIvBOY

Marriott Faces GDPR Fines: A DPO and CISO Discussion
httpv://www.youtube.com/watch?v=5KKXLSnW9Zc

Steps to GDPR Compliance




Archived GDPR posts

Subscribe to DISC InfoSec blog by Email

Feb 17 2017

Fragmented cybersecurity regulation threatens organizations

Category: ISO 27k,IT GovernanceDISC @ 11:10 am

Fragmented cybersecurity regulation threatens organizations

Melanie Watson

Organizations across the United States have a number of cybersecurity regulations to comply with, and need to show that they take protection of sensitive data seriously.

Consumer data in the US is currently protected by a patchwork of industry-specific, federal, and state laws, the scope and jurisdiction of which vary. The challenge of compliance for organizations that conduct business across all 50 states is considerable.

Forbes summarizes the issue:

“Increased regulatory fragmentation unduly diverts focus and resources, and ultimately threatens to make us more vulnerable to cyber attacks. Instead of a fractured approach by state, we need a coordinated national strategy for regulating cybersecurity.”

For example, NY financial institutions will be required to implement security measures in order to protect themselves against cyber attacks from March 1, 2017. They will need to not only maintain a cybersecurity policy and program, appoint a CISO, and implement risk assessment controls and an incident response plan, they will also have to provide regular cybersecurity awareness training, conduct penetration testing, and identify vulnerabilities.

Organizations also have the National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST SP 800-53) for guidance on helping reduce cybersecurity risks, and many organizations are required by contract or by law to implement the framework.

Complying with multiple cybersecurity regulations

ISO 27001 Cybersecurity Documentation Toolkit

Fulfil multiple cybersecurity obligations and benefit from international information security best practice to produce a solid framework with the ISO 27001 Cybersecurity Documentation Toolkit.

Covering state, national, and international cybersecurity frameworks, this toolkit will enable you to produce a robust management system that complies with:

  • NIST SP 800-53
  • New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies
  • Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
  • ISO 27001, the internationally-recognized cybersecurity framework

Comply with multiple cybersecurity regulations

Pre-order now >>

Top Rated ISO 27001 Books

Nov 08 2016

Six steps to reboot your cyber security strategy

Category: cyber securityDISC @ 2:49 pm

Cyber Security Strategy

By Marika Samarati

SecurityStrategy

The High Performance Security Report 2016 published by Accenture Security unearthed a clear disconnection between how companies perceive cyber threats and the reality of the situation. According to the report, 75% of security executives surveyed said they were confident in their cyber security strategies, and 70% reported that their organisations have successfully adopted a culture of cyber security fully supported by their top executives – yet one in three targeted attacks succeeded, resulting in a breach.

It’s time to face reality rethink-cyber-security-strategy

To close the gap between perception and reality, the report invited companies to “reboot their approaches to cybersecurity”. Here is the report’s six-steps to help you rethink your cyber security strategy:

1. Define cyber security success

One reason perceptions don’t match reality comes from the misalignment of cyber security strategies and business imperatives. Identify the best cyber security strategy for your company based on your assets and capabilities, which cyber threats it should secure your company from, and how you can measure its success or its failure in business terms.

2. Pressure-test security capabilities the way adversaries do

Get into the criminals’ shoes: engage ethical hackers to run attack simulations and realistically assess your ability to defend your company from external threats. IT Governance is a CREST member and its suite of penetration tests have been verified as meeting the high standards mandated by CREST. Moreover, all of our penetration testers hold the Certified Ethical Hacker (CEH) qualification.

3. Protect from the inside out

The only difference between internal and external attackers is that the first know where key assets are located. Prioritize securing your key assets from insider threats, which usually have the greatest impact. If you want to know more about insider threat, read the bestselling Insider Threat – A Guide to Understanding, Detecting, and Defending Against the Enemy from Within.

4. Invest to innovate and outmaneuver

The wider and more diversified your strategy is, the easier it is to stay ahead of cyber criminals. Instead of spending money in existing programs, widen your suite of programs by investing in seven key cyber security domains: business alignment, strategic threat context, extended ecosystem, governance and leadership, cyber resilience, cyber response readiness, and investment efficiency.

5. Make security everyone’s job

According to the report, “Fully 98 percent of survey respondents said that for breaches not detected by the security team, the company learned about them most frequently from employees.”. Consequently, a staff that is up to date with the latest cyber threats and cyber security best practices improves your threat detection capabilities and reduces the chances of staff-related security incidents. Implement a staff awareness program based on e-learning courses to empower your staff and make it part of your cyber security strategy.

6. Lead from the top

Cyber security should be discussed in the C-suite on a daily basis, not confined to the IT room. The CISO needs to proactively engage with enterprise leadership and make cyber security a top priority.


Tags: cyber security strategy

Jun 19 2015

Cyber Resilience Best Practices

Category: Cyber Insurance,cyber security,CybercrimeDISC @ 11:07 am
Cyber Resilience

Cyber Resilience

RESILIA™ Cyber Resilience Best Practices

AXELOS’s new guide RESILIA™ Cyber Resilience Best Practices provides a methodology for detecting and recovering from cyber security incidents using the ITIL lifecycle

RESILIA™ Cyber Resilience Best Practices

Best guide on Cyber Resilience on the web – Cyber Resilience Best Practices
is part of the AXELOS RESILIA™ portfolio.

RESILIA™ Cyber Resilience Best Practices is aimed at anyone that is responsible for staff or processes that contribute to the cyber resilience of the organization.

The methodology outlined in this manual has been designed to complement existing policies and frameworks, helping create a benchmark for cyber resilience knowledge and skills.

  • Designed to help organizations better prepare themselves to deal with the increasing range and complexity of cyber threats.
  • Provides a management approach to assist organizations with their compliance needs, complementing new and existing policies and frameworks.
  • Developed by experts in hands-on cyber resilience and systems management, working closely with subject and technology experts in cyber security assessment.
  • Supports the best-practice training and certification that is available to help organizations educate their staff by providing a defined benchmark for cyber resilience knowledge and skills.
  • Aligned with ITIL®, which is the most widely accepted service management framework. The best practice is equally suitable for organizations to adopt within other systems, such as COBIT® and organization-specific frameworks.

 

Target market

 

  • Managers who are responsible for staff and processes where cyber resilience practices are required – for example those processing payment card information, sensitive commercial data or customer communications.
  • IT service management teams, IT development and security teams, cyber teams and relevant team leaders that operate the information systems that the organization relies on.
  • IT designers and architects, those responsible for the design of the information systems and the controls that provide resilience.
  • The chief information security officer (CISO), the chief security officer (CSO), IT director, head of IT and IT managers.

 

Buy this guide and gain practical guidance on assessing, deploying and managing cyber resilience within business operations.
RESILIA™ Cyber Resilience Best Practices

Related articles


Tags: Chief Information Security Officer, CISO, Computer security, CSO, cyber crime, Cyber Defence, Cyber Insurance, Cyber protection, Cyber Resilience, cyber security, Cyber Security countermeasures, Cyber Security Safeguards, cyber threats, data security, Information Security, Information Technology Infrastructure Library, ISO, iso 27001, iso 27002

May 27 2015

10 Facts Every Cyber Security Professional Should Know

Category: Security ProfessionalDISC @ 5:04 pm

Top10

If you hold any job related to security operations analysis and reporting, you’ve likely been inundated with news stories about data breaches and attacks by hackers on businesses of all sizes across numerous verticals. But with all that noise, it can be difficult to sort out the information that truly matters, like the hard data that helps you decide which solutions to adopt, gives you a powerful case to bring to your executive team for a larger cyber security budget next quarter, or simply reassures you that your peers are facing similar challenges.

For that reason, SwinLane.com have assembled some of the most impactful, telling statistics related to information security in one place

1. Cyber attacks cost businesses $400 billion every year—Lloyd’s of London, 2015

2. Some 42 percent of survey respondents said security education and awareness for new employees played a role in deterring a potential criminal. — “US cybercrime: Rising risks, reduced readiness; Key findings from the 2014 US State of Cybercrime Survey,” PwC

3. There are more than 1 million unfilled information security jobs globally; by 2017 that number may be as high as 2 million — “2014 Annual Security Report,” Cisco; UK Parliament Lords’ Digital Skills Committee witness interview

4. The malware used in the Sony hack would have slipped past 90 percent of defenses today. — Joseph Demarest, assistant director of the FBI’s cyber division, during a U.S. Senate hearing

5. The average U.S. business deals with 10,000 security alerts per day. — “State of Infections Report Q1 2014,” Damballa

6. A significant 90 percent of CISOs cite salary as the top barrier to proper staffing. — “State governments at risk: time to move forward,” Deloitte/NASCIO

7. About 43 percent of businesses experienced a data breach in 2014. — “Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness,” Experian/Ponemon Institute

8. Just 21 percent of IT professionals are confident that their information security technologies can mitigate risk. — “2015 Vulnerability Study,” EiQ Networks

9. As many as 75 percent of breaches go undiscovered for weeks or months. — Michael Siegel, research scientist at MIT, at a recent cyber security conference

10. In an effort to combat the growing threat of cybercrime, the U.S. Department of Homeland Security increased its cyber security budget 500 percent during the past two years; and President Obama included $14 billion for cyber security spending in his 2016 budget. GCN.com, 2015

Related articles

Nov 09 2014

When to use tools for ISO 27001/ISO 22301 and when to avoid them

Category: ISO 27kDISC @ 8:54 pm

ISO 27001 2013

If you’re starting to implement complex standards like ISO 27001 or ISO 22301, you’re probably looking for a way to make your job easier. Who wouldn’t? After all, reinventing the wheel doesn’t sound like a very interesting job.

So, you start looking for some tool to help you with these information security and business continuity standards, but beware – not every tool will help you: you might end up with a truck wheel that doesn’t fit the car you’re driving.

Types of tools

Let’s start first with what types of tools you’ll find in the market that are made specifically for ISO 27001 and ISO 22301:

a) Automation tools – these tools help you semi-automate part of your processes – e.g., performing the risk assessment, writing the business continuity plans, managing incidents, keeping your documentation, assisting in measurement, etc.

b) Tools for writing documentation – these tools help you develop policies and procedures – usually, they include documentation templates, tutorials for writing documentation, etc.

Pros and cons of automation tools

Automation tools are generally useful for larger companies – for example, using spreadsheets for assessing risks can be a problem if you have, e.g., 100 departments, because when you have to merge those results this becomes very difficult. Or, if you have 50 different recovery plans and you want to change the same detail in each of them, using a tool is probably much easier.

However, applying such automation tools to smaller companies can prove to be very expensive – most of these tools are not priced with smaller companies in mind, and even worse – training employees for using such tools takes too much time. Therefore, for smaller companies, performing risk assessment using Excel or writing business continuity plans in Word is a very quick and affordable solution.

There are some tools for which I personally see no purpose – for example, tools for keeping ISO documentation. For that purpose, larger companies will use their existing document management system (e.g., SharePoint), while smaller companies can upload the documentation to shared folders with defined access rights – it doesn’t have to be any more sophisticated than that.

Can you automate everything?

One important fact needs to be emphasized here: automation tools cannot help you manage your information security or business continuity. For instance, you cannot automate writing your Access control policy – to finalize such a document, you need to coordinate your CISO, IT department and business side of the organization, and only after you reach an agreement can you write this policy. No automation can do that for you.

Yes, you can semi-automate the measurement of success of particular controls, but again a human needs to interpret those results to understand why the control was performing well or poorly – this part of the process cannot be automated, and neither can the decision on which corrective or preventive actions need to be taken as a result of gained insight.

What to watch out for when looking for documentation writing tools

You won’t need tools for writing your policies, procedures, and plans if you already developed your documentation based on a framework that it similar to ISO 27001 – e.g., COBIT, Cybersecurity Framework, or NFPA 1600. Also, if you hired a consultant, then it will be his duty to write all the documents (see also: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant).

In other cases you will find documentation writing tools (i.e., documentation templates) quite useful because they will speed up writing your policies and procedures. The main question here is how to choose the right ones – here are a couple of tips:

  • Are they appropriate for your company size? If you are a small company and the templates are made for big companies, they will be overkill for you, and vice versa.
  • Which kind of help do you receive for writing documents? Are there any guidelines, tutorials, support, or anything similar that comes with the templates?
  • Experience of the authors? It would be best if the author has experience in both consulting and auditing, so that the templates are practical for daily operations, but also acceptable for the certification audit.

So, to conclude: yes – in most cases tools can help you with your ISO 27001 and ISO 22301 implementation. Since there are many tool providers in the market, make sure you perform thorough research before you decide to use one.

Author: Dejan Kosutic, Expert at 27001Academy, is the author of a documentation tool aimed at small and mid-sized companies: ISO 27001 & ISO 22301 Documentation Toolkit .

Related articles

Tags: Acceptable use policy, Access Control, BCMS, isms, ISO/IEC 27001, ISO22301, Risk Assessment

May 25 2010

Tips for building security organization

Category: Security organizationDISC @ 5:54 pm

Image representing Forrester Research as depic...
Image via CrunchBase

By: Brian Prince

Businesses have increased expectations on the security team in recent years, sometimes producing a disconnect between what is expected and what the security team can deliver. In a new report, Forrester Research lays out some advice for building an effective security organization.

As IT security has become a bigger part of business discussions, security teams have increasingly shifted their focus from operations to strategic business objectives.

For businesses building their security groups, there needs to be a balance between fulfilling operational and strategic goals, and a new report from Forrester Research offers advice on how businesses can find it.

“In a few cases we found that the strategic aspect of security was so important or was so highlighted in terms of the CISO [chief information security officer] role that the CISO was sometimes moved outside the IT organization, [and] sometimes wasn’t as connected with the operation [of] the IT…[but] much more connected with the business side and the strategy side,” explained Forrester analyst Khalid Kark. “What that does is basically creates an ivory tower for the chief security officers, and then they are not able to operate.”

To avoid that, there are several steps Forrester recommends organizations take. Here are a few of them.

— New Roles: To make your security practice more strategic, add these three positions: a business liaison to advocate for the business unit within the security team and communicate the security perspective to business; the third-party security coordinator to address outsourcing, assessments and cloud computing; and a security engineer focused on working with the enterprise architecture team to build security into the architecture and integrate specific infrastructure security components into the architecture.

— Understand IT security vs. information risk: “Many security organizations fail to get management attention because they’re always focused on the IT security activities, which the business doesn’t understand,” according to the report. “On the other hand, the business understands risk well, and if you articulate those same problems in the risk context, the business is much more likely to react and respond to them.”

— Develop a cross-functional security council: “Focus on ‘who’ not ‘how.’ Forrester has long professed the benefits of a security council, but one thing that is absolutely essential for the success of this council is its composition,” the report continues. “The trick is not to aim for the highest ranking businessperson but the one most interested in security and risk issues who has a reasonable level of visibility in the business. When you have a passionate team working on the security issues, the ‘how’ will be easy to determine.”

— Equip the business to perform risk assessments: “To meet the security and risk obligations effectively, you have to delegate, and risk assessments are ideal for this,” Forrester said. “Provide the checklists and basic training to the business to perform the basic risk assessment tasks so that it takes the pressure off your resources. Make it easy and seamless for the business to incorporate these into its existing processes.”

Complicating things is today’s economic environment in which businesses may be forced to reshuffle or even cut their security personnel. When that happens, organizations may have to refocus their attention from strategic projects and get back to basics, the report noted.

“As security organizations get leaner, delegation, formalized and documented processes, and good monitoring and metrics become key,” said Forrester analyst Rachel Dines, who worked on the report with Kark. “Security organizations don’t need to have direct ownership of all security-related processes, but they do need to monitor and control them.”

How to create a security culture in your organization: a recent study reveals the importance of assessment, incident response procedures, and social engineering … article from: Information Management Journal

Tags: Business, Chief Information Security Officer, Cloud computing, Consultants, Forrester Research, General and Freelance, Information Security, Security

Nov 03 2009

Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges

Category: hipaaDISC @ 6:22 pm

medical-symbol
Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges
HIMSS News
The Healthcare Information and Management Systems Society releases its 2nd Annual Security Survey, sponsored by Symantec

CHICAGO (November 3, 2009) – With the American Recovery and Reinvestment Act underway, healthcare organizations face new challenges to maintain privacy and security of patient health data. However, data gathered from healthcare IT and security professionals indicate that many organizations may not be ready to meet some of the HITECH components of the ARRA legislation and other security challenges, according to the results of the 2009 HIMSS Security Survey, sponsored by Symantec Corp. (Nasdaq: SYMC).

While healthcare organizations recognize that patient data must be protected, the survey results show that:

  • Security budgets remain low
  • Organizations often don’t have a response plan for threats or a security breach
  • A designated Chief Security Officer or Chief Information Security Officer is not in place

    • In addition, the survey reveals that healthcare organizations are not using the current security technologies available to keep patient data safe. Respondents to this survey widely use audit logs with data from firewalls, application logs and server logs as common information sources. Yet, when analyzing the log data, only 25 percent of respondents reported electronic analysis of that data. Respondents indicate they are using firewalls and user access controls, but are not implementing all available technologies to secure data. Only 67 percent of responding organizations use encryption to secure data in transmission, and fewer than half encrypt stored data.

    “Healthcare organizations are continually looking for ways to save money,” said David Finn, health IT officer, Symantec Corp. “One of the best ways to accomplish these goals is through investing in technologies that will automate and reduce the risks of a security incident and lower the chances of a compliance issue. Although awareness about these issues is high, many providers have not yet made significant moves to the address these concerns.”

    Other key survey results include:

    Security Budget: Approximately 60 percent of respondents reported that their organization spends three percent or less of their organization’s IT budget on information security. This is consistent to the level of spending identified in the 2008 study.

    Maturity of Environment: Respondents characterized their environment at a middle rate of maturity, with an average score of 4.27 on a scale of one to seven, where one is not at all mature and seven is a high level of maturity.

    Formal Security Position: Fewer than half of respondents indicated that their organization has either a formally designated CISO (Chief Information Security Officer) or CSO (Chief Security Officer).

    Patient Data Access: Surveyed organizations most widely implement user-based and role-based controls to secure electronic patient information. Approximately half of respondents reported that their organization allows patients/surrogates to access electronic patient information. Patients/surrogates are most likely to be granted access to high level clinical information, such as diagnosis or lab results.

    Management of Security Environment: Nearly all respondents reported that their organization actively works to determine the cause/origin of security breaches. However, only half have a plan in place for responding to threats or incidents related to a security breach.

    Security Controls: Most respondents reported that they use the information generated in their risk analysis to determine which security controls should be used at their organization. About 85 percent of respondents reported that they monitor the success of these controls and two-thirds of these respondents measure the success of these controls.

    Risk Analysis: Three-quarters of surveyed organizations conduct a formal risk analysis (only half of these conduct this assessment on a yearly basis or more frequently), which has remained the same in the past year. Three-quarters of organizations that did conduct risk assessments found patient data at risk due to inadequate security controls, policies and processes. Conducting this analysis positions organizations to identify gaps in their security controls and/or policies and procedures.

    Security in a Networked Environment: Nearly all respondents reported that their organizations share patient data in electronic format. Respondents are most likely to report that they share data with state government entities. Respondents also reported that the area in which they are most likely to share data in the future is with Health Information Exchanges (HIEs)/Regional Health Information Organizations (RHIOs). Approximately half of these organizations (41 percent) indicated that these sharing arrangements have resulted in the use of additional security controls beyond those that were already in place at their organization. This is consistent with the data reported in the 2008 survey.

    Future Use of Security Technologies: E-mail encryption and single sign on and were most frequently identified by respondents as technologies that were not presently installed at their organization but were planned for future installation.

    Medical Identity Theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft at their organization. However, only a handful of these organizations experienced direct consequences from the breach.

    “Healthcare organizations must approach all IT activities, including data security, with effective management and efficient use of their budgets, staff and technologies,” said Lisa Gallagher, HIMSS Senior Director, Privacy and Security. “IT and security professionals must recognize the need for securing patient data by using available technologies and preparing for compliance with current ARRA laws and future regulations. This complex operating environment, as well as our national goals for health IT, demands such action to ensure quality, safety and improved healthcare delivery.”

    Targeting Chief Information Officers and Chief Security Officers and other Information Technology (IT) executives, the 2009 HIMSS Security Survey focused on an assessment of 196 information technology (IT) and security professionals in the healthcare field of their own readiness for today’s risks and security challenges.

    About Symantec
    Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.

    About HIMSS
    The Healthcare Information and Management Systems Society (HIMSS) is a comprehensive healthcare-stakeholder membership organization exclusively focused on providing global leadership for the optimal use of information technology (IT) and management systems for the betterment of healthcare. Founded in 1961 with offices in Chicago, Washington D.C., Brussels, Singapore, and other locations across the United States, HIMSS represents more than 23,000 individual members, of which 73% work in patient care delivery settings. HIMSS also includes over 380 corporate members and nearly 30 not-for-profit organizations that share our mission of transforming healthcare through the effective use of information technology and management systems. HIMSS frames and leads healthcare public policy and industry practices through its educational, professional development, and advocacy initiatives designed to promote information and management systems’ contributions to ensuring quality patient care. Visit www.himss.org for more information.

    For more information, contact:
    Joyce Lofstrom/HIMSS
    312-915-9237 – jlofstrom@himss.org

    Pamela Reese/Symantec
    424-750-7858 – pamela_reese@symantec.com

    Reblog this post [with Zemanta]

    Tags: arra and hitech, arra hitech provisions, arra hitech security "business associate", Chief Information Security Officer, Chief security officer, Computer security, Health care, Healthcare Information and Management Systems Society, hipaa laws, Information Technology, Security, status of arra and hitech, Symantec

    Oct 29 2008

    Laptop and traveling precautions

    Category: Laptop SecurityDISC @ 12:58 am

    Laptop security

    Best practice emphasize the fact to backup the data if you can’t live without it, in the same way a traveler must avoid taking sensitive data on the road unless it’s absolutely necessary to do so. If you do plan to take sensitive data with you on the laptop, the necessary security controls must be implemented and go with the sensitive data. The data protection controls should be based on your information security policy data classification.

    The laptop hardware itself is only worth few hundred dollars these days, but on the other hand it’s hard to put a price tag on the exposed data which may have a drastic impact on your organization, especially these days when most of the organizations are at the edge due to financial chaos.
    Frequent travelers know it’s possible to lose a laptop or lose data because laptop may become inoperable due to hardware malfunction. Planning an important business trip should include encrypting sensitive data and backup on a remote website (Carbonite). So in case you lose your laptop or it’s is inoperable for some reason, you can remotely recover backed up files from site within reasonable time.

    [TABLE=8]

    Here is how you can encrypt your data on Windows laptop with built-in utility EFS

    1. Create a new folder, and name the folder Private.
    2. Right click the new folder and choose properties
    3. Click advanced button
    4. Check encrypt contents to secure data box and then click OK, Apply and OK again.

    You have created a secure area where you can put your sensitive documents. Any file or subfolder you add to this folder (Private) will be encrypted automatically. Basically any type of file except Windows system file will be encrypted in this folder. Now if the attacker steal your laptop and remove your hard drive and mount on a system where the attacker has administrative privileges, the attacker will not be able to access the contents of the folder Private. On the other hand 256-bit AES encryption key is stored in encrypted form as a file attribute called the data decryption field (DDF). The EFS private key, needed to decrypt the DDF and extract the file encryption key, is also stored in encrypted form in the registry. The master key, which is used to obtain the key needed to access the EFS private key, is encrypted by the systems key and also stored locally. So the attacker will be able to decrypt the EFS protected files if he can somehow get possession of the system key.

    Luckily we do have a choice whether to store the system key locally on your laptop. If you click start, then Run and then launch syskey.exe utility, you can choose how and where the system key will be stored. The dialogue box will present three options.

    1. Store the startup key locally
    2. Store the startup key on the floppy disk
    3. Generate the startup key from a password

    With the two non default options, you will be requiring to either insert the floppy or enter the password whenever the laptop is BOOTED. The floppy option is highly inconvenient for laptop users but the password options seem sufficient to protect the laptop data. On the laptop which doesn’t have a floppy drive, don’t try to click the floppy option because when you boot next time the laptop will be looking for the system key on a floppy before booting.

    Survey: CISOs worried about mobile data security

    **The real Hustle – Laptop Theft Scam
    httpv://www.youtube.com/watch?v=Gb3ZiTJkCaA


    Reblog this post [with Zemanta]

    Tags: aes, Backup, Booting, carbonite, Cryptography, data classification, data ptotection, ddf, efs, encryption, exposed data, financial chaos, Hardware, Notebooks and Laptops, private key, Security, security controls, sensitive data, system key, threats, Windows

    « Previous Page