Archive for Data Breach
Perspectives
Andrew Klein – Senior Product Marketing Manager
According to the folks at Privacy Rights Clearinghouse, since 2005 there have been over a thousand data breaches leading to over 320 million compromised records in the United States alone. These records contained personal, financial and corporate information – none of which was encrypted.
The term “record” might imply a database record, but a majority of the breached records were not stored in a database, but instead were stored in “files” such as spreadsheets, documents and log files. These files were stored on laptops, desktops, CDs and USB drives, which were stolen, lost or compromised. Some were files transferred in-the-clear over unprotected networks. There were also breaches which occurred when personal financial information was posted on a web site, Social Security Account Numbers were printed on envelopes, and credit card numbers were faxed to Congress. Such physical (mental?) errors were thankfully a minority of the cases.
Encryption technology can be used to protect individual systems such as laptops and devices such as USB drives. But what about protecting files on a file server where multiple people share a given file? File permissions (per-user read and write) are enforced by the operating system of the host the file sits on; they say nothing about the contents of the file itself. Once the file leaves that host, on a backup tape, a USB drive, or a stolen disk, or once an attacker gains administrative access to the host, the permissions are simply bypassed. Even the simple act of dragging a file to the wrong folder, a public folder perhaps, increases the risk of data loss. In short, the file needs to be encrypted, but the encryption must allow multiple people to share it without getting in the way of collaboration, and it must protect the file even if it is moved or copied elsewhere.
How about if the person who owns the file is able to encrypt it and also specify who can use that file once it’s encrypted? For files on a server, the people the owner allows can access and share the file; to everyone else it is just ciphertext. This is what PGP NetShare does. The file owner, who could be the IT administrator or someone else, decides which shared files to encrypt and who can use them. For the allowed users, the experience of using the file doesn’t change, except for the little lock icon on the file. In addition, the protection stays with the file: if the file is moved to another location, it is still encrypted, so if it is ever stolen, lost, hacked, or just accidentally copied, it remains protected. Two caveats are worth keeping in mind. The protection is only as good as the keys of the authorized users, so those keys need the same care as any other credential, and an authorized user who decrypts the file on a compromised machine exposes its contents regardless of how it was stored. In summary, don’t rely on “permissions” to protect files; secure their contents using encryption, so that even if your systems are breached, your data is safe.
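To make the mechanism concrete, here is an added example (my own illustration in Go, not PGP NetShare’s code or file format) of encryption that travels with a file and is shared among named users: the content is encrypted once under a random key, and that key is wrapped for each authorized user’s public key, so the file reads the same to Alice and Bob while everyone else, including someone who copies it off the server, sees only ciphertext. The users, their RSA keys, and the sample file content are constructed for the example; a real deployment would look public keys up on a key server rather than generate them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// User pairs a name with an RSA key pair. These are hypothetical users; a real
// deployment would look public keys up on a key server rather than generate them.
type User struct {
	Name string
	Key  *rsa.PrivateKey
}

func NewUser(name string) (*User, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &User{Name: name, Key: key}, nil
}

// ProtectedFile is the illustrative stored form of a shared file: the content is
// encrypted once under a random content key, and that key is wrapped per user.
type ProtectedFile struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-256-GCM(contentKey, plaintext)
	WrappedKeys map[string][]byte // user name -> RSA-OAEP(user public key, contentKey)
}

func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext so that exactly the listed users can read it.
func Encrypt(plaintext []byte, recipients ...*User) (*ProtectedFile, error) {
	contentKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, contentKey); err != nil {
		return nil, err
	}
	gcm, err := aesGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	pf := &ProtectedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKeys: make(map[string][]byte, len(recipients))}
	for _, u := range recipients {
		// The user name is the OAEP label, so a wrapped key only unwraps for its own slot.
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &u.Key.PublicKey, contentKey, []byte(u.Name))
		if err != nil {
			return nil, err
		}
		pf.WrappedKeys[u.Name] = wrapped
	}
	return pf, nil
}

// Decrypt fails if u was never granted access, holds the wrong private key, or
// the ciphertext has been tampered with; otherwise it returns the plaintext.
func (u *User) Decrypt(pf *ProtectedFile) ([]byte, error) {
	wrapped, ok := pf.WrappedKeys[u.Name]
	if !ok {
		return nil, fmt.Errorf("%s: file was not encrypted to this user", u.Name)
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, u.Key, wrapped, []byte(u.Name))
	if err != nil {
		return nil, fmt.Errorf("%s: wrapped key does not match private key", u.Name)
	}
	gcm, err := aesGCM(contentKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, pf.Nonce, pf.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("%s: content failed authentication (tampered or corrupted)", u.Name)
	}
	return plaintext, nil
}

func main() {
	alice, _ := NewUser("alice")
	bob, _ := NewUser("bob")
	pf, _ := Encrypt([]byte("Q3 customer list (constructed sample)"), alice, bob)
	fmt.Println(bob.Decrypt(pf))
}
```

Run it and Bob reads the file; a user who was never listed, or who presents a different private key under a listed name, gets an error, and a single flipped ciphertext byte fails GCM authentication. Note what this does not do: an authorized user can still decrypt on a compromised endpoint, and removing a user means rewrapping or re-encrypting the file, which is where real products spend their complexity.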
For more information, view our webcast on “The Day in the Life of a File” where we present the challenges of protecting files and how encryption technology can be utilized to best protect the files in your organization.
Filed under: Perspectives
Tags: Data Breach, file security, PGP Netshare
Perspectives
Tim Matthews – Sr. Director of Product Marketing
At the recent RSA Conference in San Francisco, I had the pleasure of moderating a panel on the topic of data breaches and how to handle them. Along with Larry Ponemon, Founder and Chairman of the Ponemon Institute, and Jerry Archer, SVP and CSO at Sallie Mae, was David Shettler from the Open Security Foundation (OSF), publishers of DataLossDB. Post-panel, as we were walking back through Moscone, David answered a question I had been wondering about: when was the first reported data breach? Turns out that it happened over a century ago, in 1896, when the dispensary records for the Southern California Hospital for the Insane went missing, and were thought to be stolen. So protection of PHI has been a long time coming… For more of the history of data breaches – including a 1984 TRW incident, where computer hackers gained access to a system holding credit histories of some 90 million people – check out the OSF’s writeup.
Filed under: Perspectives
Tags: Data Breach, PHI, PII, Ponemon
Vinnie's Views
I recently had an interaction that reminded me how much more work we have ahead of us in making people aware of the security risks associated with data breaches. My son is a member of a well known youth group. Recently, during an event, one of the volunteers snapped a photo of his face. She informed me that this was for their local database to “make it easier to know who is who”. I asked her how they planned to secure this data and if I could get a copy of their privacy policy as well as some information on their data destruction policy.
I forgot that not everyone who manages data even begins to understand the risks. It’s one thing to maintain contact information for members, it is another thing to add photos to it, especially when children are involved. I tried to explain that I was concerned that without any privacy policy in place (not to mention a security process) there was no way to ensure that this data would not spread to anyone with nefarious intent, either through negligence or simple lack of education. Neither she nor her boss had a clue what I was talking about. I immediately asked her to delete the photo from her camera. In fact, I suggested that I was willing to help formulate a security policy to help decrease their exposure.
Unfortunately my concerns were misconstrued as being “negative and overbearing”. I was reminded that they all agreed that this was a useful thing to do. I am sure there was a time when the introduction of seat belts was considered just as intrusive, or maybe people had more sense then. Such is life: when you deal with bad guys all the time, it’s sometimes hard to remember that not everyone has the same perception and awareness of risks.
My real concern is not so much that the data would be misused but that without proper safeguards it could be misused. It is not hard to imagine the database being picked up in a theft and ultimately being used by a child abductor to shop for victims. Now understand, I am not trying to come across as a paranoid parent, but rather looking for sensible safeguards.
While my concerns fell on deaf ears, the lesson to me was clear. Small organizations share many of the same risks as enterprises, but are typically unaware of the exposure until it is too late. They can, however, benefit from all the work done to protect the big guys. In this case, a little policy writing and possibly some off the shelf encryption technology would probably suffice.
Filed under: Vinnie's Views
Tags: Data Breach, Privacy Policy
CEO Blog
We are, of course, very pleased to announce the acquisition of TC TrustCenter and its US parent company, Chosen Security. You can read the details and view a short presentation describing the reasons for this acquisition here. I didn’t want to let the week pass, however, without offering a personal perspective on why PGP Corporation needs to have a position in the trust services market and why we chose TC TrustCenter as our way of providing these services.
When we started PGP Corporation seven years ago we were focused on building the most robust and easiest to use encryption solutions in the world. We had watched the first generation of PKI companies approach this problem from the direction of offering “trusted communications” and concluded the market and users in particular weren’t ready for that approach.
In 2002, enterprises and individuals had data privacy issues they needed resolved, but they needed them resolved quickly and within the context of the then existent communications infrastructure. That infrastructure was not yet ready to support a new, heavy-duty layer of security infrastructure. It would have been similar to building a 100-floor steel and glass skyscraper directly atop a three-story brownstone. So, instead PGP Corporation focused on applications that protect data in motion and at rest and integrated them into a single, comprehensive management platform.
Fast forward to 2010 and the world and the approach to data protection has evolved. While enterprises are now spending more than ever to protect their networks, it’s commonly understood that network security technology is not keeping pace with the threats now aimed at those networks. The cost of data breaches continues to rise even though most forms of electronic communication have some form of security either built in or layered atop them. Nearly all of these security approaches depend upon keys and certificates that are used either to encrypt the content or guarantee the identity of the sender and/or receiver.
The problem is that there are now so many of these certificates in use for so many different purposes that it has become nearly impossible for an enterprise to effectively manage them all, let alone determine which are current and valid. This problem will only get worse as the world’s hacker community begins to exploit the weaknesses in the current certificate generation, distribution and management systems. We’ve already seen attempts to insert “bandit keys” into corporate key chains to allow hackers to read encrypted email. We can expect exploits such as this one to multiply in the coming years. For this reason, we decided last year that PGP Corporation would need to extend its encryption and security product line to include trust services so that our customers can use our products with confidence while communicating with the broadest range of customers, partners, and regulators globally.
We chose TC TrustCenter as our path to market for two reasons. First, they bring unprecedented breadth and depth of experience to the trust services market. Their executive team has dozens of years of experience in the space and a proven track record of building successful security businesses.
Second, the way they have designed and built their products is completely consistent with PGP Corporation’s worldview. TC TrustCenter’s platform enables secure electronic transactions across individuals, servers, and mobile devices.
Today’s announcement, of course, is just the beginning. In the coming months we’ll be telling you about our vision of how combining trust services with the PGP® Encryption Platform will allow us to build solutions to address threats that are just now emerging. With hackers stockpiling Zero Day threats, and more applications and data moving into the cloud, these new security solutions will be required business enablers of the cloud migration plans for many enterprises. With the combined offerings of PGP Corporation, Chosen Security and TC TrustCenter, we will address threats aimed directly at IT infrastructure as well as the increasing number of threats now targeting endpoint devices. These trusted offerings will not only build confidence in the infrastructure of an organization, they will build confidence to withstand threats to data as it moves in and out of an organization.
We are very excited by the opportunities that combining our two companies and technologies offers us. I extend my welcome to my new TC TrustCenter and Chosen Security colleagues to the PGP Corporation family.
Filed under: CEO Blog
Tags: CA, Chosen Security, Data Breach, PKI, TC Trust Center, zero day threat
CEO Blog
The U.S. House of Representatives delivered an early Christmas present last month when it passed the Data Accountability and Trust Act (DATA). HR 2221, sponsored by Representative Bobby Rush (D-Il), is just about everything you’d want in a well-considered piece of legislation on such a complex topic. The bill not only protects consumers in that it requires nearly all businesses to take steps to protect personally identifiable information at rest and in motion, it also requires companies to publicly disclose any breaches of that data. HR 2221 singles out data brokers as a special class and requires they put processes in place to protect the information they maintain and submit to periodic audits to ensure they comply.
The DATA act also addresses a growing concern on the part of consumers by requiring that data brokers provide a method for individuals to prevent their personal information from being used for certain marketing purposes. Responsible consumer brand companies have long had access to far more information about us than they were comfortable using and adopted an informal code of conduct that constrained their use of that data. HR 2221 gives that code of conduct the force of law and applies to all companies involved in interstate commerce.
Besides providing extensive consumer protection, the DATA act also provides businesses a reasonable “safe harbor” by declaring loss of data that is “unusable, unreadable, or indecipherable” by the use of encryption or other technology not subject to the breach disclosure requirements. This bill also, of course, will unify the existing 47 state data breach bills now in effect. The fact that the DATA act has passed doesn’t make it law, however, as it now needs to be modified in committee to make it consistent with whatever bill the Senate passes (there are two under consideration).
Even when a federal bill does become law, it will not completely end the debate over various state laws that address issues on topics where the federal bill is silent. The primary example of this is the Massachusetts data protection act (201 CMR 17). The Massachusetts law, set to take effect next March, specifies exactly what classes of data must be protected based on physical attributes, not just content. It also specifies exactly what types of technology must be used to protect them. While the diligence of the Massachusetts legislators is laudable, history demonstrates that this type of prescriptive legislation that involves rapidly evolving technologies, generally creates as many problems as it solves. An excellent example of the issues being raised by 201 CMR 17 can be found on TechTarget’s SearchCompliance site.
The passage of HR 2221 will also have important implications internationally as it is likely to form the basis upon which the Federal Trade Commission will commence negotiations to create consistency in breach regulations with the European Union. As I’ve noted before, the EU continues to lead the way in enforcing some of the most stringent privacy regulations on the Internet. Continuing this trend, the UK’s Information Commissioner last week published a draft policy that, if adopted, will severely limit the ability of web sites to track user behavior. With regulators in the Euro zone moving ahead on their plans to provide even more privacy safeguards for their citizens, it’s critical that U.S. regulators finalize the data breach requirements so they can focus on some of the more current issues.
It will take some time to work out how the pending federal bill will impact some of the regulations imposed by state regulators and how enterprises can best comply with the new requirements. Overall though, it was a very good month on the data protection front and we can only hope the Senate acts quickly to deliver the final bill for which Americans have been waiting so patiently.
Filed under: CEO Blog
Tags: DATA Act, Data Breach, HR 2221, Massachusetts 201 CMR 17, Representative Bobby Rush
Perspectives
These days you don’t need to wait for holiday sales to buy the tiniest, highest capacity USB thumb drive you can find. A 2GB USB drive sells for under $10 in the US, and works great to put family pictures, your favorite music (yes, the 80s were a good era) and oh yeah, the customer files you need to share with Bob at the audit firm. There’s only one problem: these drives tend to get lost easily, or, as often happens, you just can’t remember where you put it. If that happens, you have put confidential company data (and possibly personal data) out into the world, free for anyone to read. This can very quickly turn into an organizational nightmare when it turns out that the drive was indeed lost, and now your organization has to inform investors, its customers, and just about everybody else about this loss. A look at the latest data breach headlines shows that loss of USB drives and CDs/DVDs is unfortunately still very much a reality. From the financial damage to the emotional damage data loss can cause, it’s no wonder Information Technology (IT) security officers lie awake at night wondering how to secure data that is entering, residing on, and leaving USB drives and CDs/DVDs.
As you get ready with your Windows 7 upgrades, it is essential to think about your device and media protection strategy.
The good news is, with PGP Portable, you can instantly secure any removable device or optical media, and we mean any. No need to invest in costly encrypted USB drives with their own asset management consoles, and no need to worry about cross-platform issues with native Windows solutions.
Simply right click, and convert any USB drive (or folder) into an encrypted container, drag and drop files, and share the drive. With PGP Portable, there’s no need to install any software to access data on the PGP Portable-enabled drive. So now you can encrypt the USB drive lying in your office drawer, drop files into it (just like a regular drive), and drop it in the office mail for Bob at the audit firm.
Call Bob and give him the passphrase you used, over a channel separate from the drive itself (a phone call, never a note tucked into the same envelope). Bob then inserts the drive into his Windows PC (or a Mac!), enters the passphrase you gave him, and reads or modifies the files as he wishes.
Yes, it is just that easy.
1. Insert any USB drive. Select the USB drive, right-click, and create a PGP Portable Disk.
2. Create a passphrase. Folders can be protected the same way (and then burned onto optical media for sharing).
3. To access the encrypted data, insert the USB drive or CD/DVD into any Windows or Mac OS X system, enter the correct passphrase, and access the data.
Although there are some hardware and native software solutions that protect removable devices, they don’t always offer a complete solution. What’s nice about PGP Portable is that:
i) Unlike the native BitLocker-To-Go on Windows 7, it protects USB drives and CDs/DVDs (yes, Blu-Ray too!!). So next time you’re distributing the latest revision of documents to partners or your field force, rest assured the data stays protected.
ii) PGP Portable-enabled devices can be shared with Windows and Apple® Mac OS X users, without requiring any software installation to access the data.
iii) There are no application windows you need to work with, or additional steps you need to take to access or modify these files. You work within the secure container just as you would with a regular USB drive, using your operating system’s native file explorer. You can also change the passphrase (provided you know the old one, of course).
iv) It can be centrally managed. This ensures IT officers can enforce their corporate security policy automatically and easily.
v) My favorite: it is software based. Which means you can secure any USB drive. Personally, I find carrying and using a specialized encrypted USB drive to be expensive and cumbersome.
Filed under: Perspectives
Tags: Data Breach, Data sharing, PGP Portable, Windows 7
Perspectives
Robin Witty-Senior Product Marketing Manager
Are your company’s emails really secure? Can you know for sure, when most email sent over the Internet is in clear text and can be read by anyone with simple tools and know-how? Similar to the old party line telephone systems where neighbors could listen in on your phone calls, unauthorized parties can obtain confidential information from unencrypted corporate emails, including valuable intellectual property or third party data that may require protection regulated by law.
If you think email breaches can’t happen to your company, consider a couple of high profile email breaches. Sarah Palin’s personal emails were posted to the web and her password was changed by a hacker. A Twitter executive’s confidential business emails and documents were hacked, read and posted to the web. Twitter had to reassure their users that customer’s personal information was not compromised.
Encrypting email is a smart way to prevent email breaches. An important read for IT and business managers alike, Osterman Research delves into this topic with their “The Critical Need for Encrypted Email and File Transfer Solutions” white paper. From the white paper: “An email sent across the Internet is … like a message on a postcard that anyone can read along the way. However, an email or file sent in clear text offers much more exposure than a postcard because of the nature of transmission itself. … Hackers or others with malicious intent can intercept email messages and read them simply by placing packet sniffers on the network.” While email in transit is certainly at risk, it’s even more vulnerable while at rest on the internal, external recipient, and Internet mail servers where it resides before, during, and after delivery. You just don’t know where in the world that email goes before it reaches its destination but you can be pretty sure it’s not a straight line to the recipient.
When email is encrypted end-to-end, the message and its attachments are protected everywhere: in storage and in transit, inside and outside the company. Encryption at the gateway protects email only on the path between the organization and the outside world; on the internal mail servers and in mailboxes the message is still in clear text, which is why gateway encryption mainly addresses external threats. Other encryption solutions for disk, file, server, databases, etc. can also protect the data throughout its lifecycle. The flip side of end-to-end protection is that a gateway can no longer see the content, so it matters that some email encryption solutions interoperate with or function alongside other email hygiene systems like antivirus, so corporate email systems stay protected from other threats as well.
Encryption is quickly becoming a best practice to protect against unauthorized access to email contents and new email threats that you may not even know about yet. To learn more about protecting your email and email attachments, click here to download the Osterman Research, “The Critical Need for Encrypted Email and File Transfer Solutions”, July 2009 white paper.
Filed under: Perspectives
Tags: breach, Data Breach, email, Email Breach, Encryption, Osterman, Protection
Perspectives
Johns Hopkins Hospital recently announced a data breach that resulted from a single employee in patient registration accessing more than 10,000 pieces of personally identifying information. Reports of fraud started back in January and have been traced to records at Johns Hopkins.
The employee in question has been linked to a larger driver’s license fraud scheme in nearby Virginia. These types of incidents have been appearing more and more; while we protect against attacks coming across the internet with firewalls, and malware threats with endpoint protection, it’s getting easier to go after the valuable personally identifiable information directly, by planting an employee inside the organization or simply coercing an employee already in the system with a pay-off, especially low-paid administrative staff.
The employee in question is expected to be indicted, but this still raises some questions: who has access to your business’s sensitive data, and why? While administrative staff need appropriate access rights to fulfill their job functions, access to all patient records containing personally identifiable information is likely excessive. Of note, this is not the first incident at Johns Hopkins Hospital: there were reports in 2007 of a contractor stealing backup tapes with over 135,000 patient and employee records. In neither case was the data encrypted.
The hospital, in an attempt to put the public at ease, has stressed that this was not part of a hacking incident, but simply theft by one of their own employees. Whew, well that’s a relief. While we have become smarter at securing the borders of our businesses we cannot forget the threat that comes from within: grant access to sensitive data only to those who need it for their job, log every access and review those logs for patterns such as a single account reading far more records than its role warrants, and encrypt the data at rest so that a stolen copy is useless on its own.
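As an added example of what “log the access and review it” can look like in practice (my own code, not anything Johns Hopkins or PGP Corporation runs), the Go program below parses a constructed patient-record audit log, counts how many distinct patient records each account touched per day, and flags accounts that exceed an assumed per-role daily baseline. The log format, the user names, and the baseline figures are all invented for the example; the one figure that is not, 10,000 records by one registration employee, is exactly the kind of count this check is meant to surface.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// AccessEvent is one parsed line of a patient-record audit log.
type AccessEvent struct {
	Day, User, Role, Patient string
}

// ParseLine reads the constructed line format used in this example, e.g.
//   2009-03-02T09:14:05Z user=mlee role=registration action=view patient=P10003
// and reports ok=false for lines missing any field the detector needs.
func ParseLine(line string) (ev AccessEvent, ok bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 || len(fields[0]) < 10 {
		return ev, false
	}
	ev.Day = fields[0][:10] // calendar day of the timestamp
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "user":
			ev.User = kv[1]
		case "role":
			ev.Role = kv[1]
		case "patient":
			ev.Patient = kv[1]
		}
	}
	return ev, ev.User != "" && ev.Role != "" && ev.Patient != ""
}

// Alert names an account that touched more distinct patient records in a day
// than its role's baseline allows.
type Alert struct {
	Day, User, Role string
	Distinct, Limit int
}

// DefaultRoleLimits are assumed daily baselines, not figures from the post;
// in practice derive them from each role's own history.
var DefaultRoleLimits = map[string]int{"registration": 25, "nursing": 60, "billing": 40}

// FindExcessiveAccess counts distinct patients per (day, user, role) and flags
// counts above the role limit. A role with no baseline gets a limit of zero,
// so any access by it is surfaced for review rather than silently ignored.
func FindExcessiveAccess(auditLog string, roleLimits map[string]int) []Alert {
	type key struct{ day, user, role string }
	seen := map[key]map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(auditLog))
	for sc.Scan() {
		ev, ok := ParseLine(sc.Text())
		if !ok {
			continue
		}
		k := key{ev.Day, ev.User, ev.Role}
		if seen[k] == nil {
			seen[k] = map[string]bool{}
		}
		seen[k][ev.Patient] = true
	}
	var alerts []Alert
	for k, patients := range seen {
		if limit := roleLimits[k.role]; len(patients) > limit {
			alerts = append(alerts, Alert{k.day, k.user, k.role, len(patients), limit})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

// SampleLog is a constructed audit log: a clerk who views the six patients she
// registers (one of them twice), a clerk who sweeps through sixty records, a
// contractor account with no baseline, and one malformed line.
func SampleLog() string {
	var b strings.Builder
	for i := 0; i <= 6; i++ {
		fmt.Fprintf(&b, "2009-03-02T09:%02d:00Z user=mlee role=registration action=view patient=P%05d\n", i, 10000+i%6)
	}
	for i := 0; i < 60; i++ {
		fmt.Fprintf(&b, "2009-03-02T12:%02d:00Z user=rhall role=registration action=view patient=P%05d\n", i, 20000+i)
	}
	b.WriteString("2009-03-02T18:05:00Z user=tmp7 role=contractor action=view patient=P20001\n")
	b.WriteString("this line is not an audit record\n")
	return b.String()
}

func main() {
	for _, a := range FindExcessiveAccess(SampleLog(), DefaultRoleLimits) {
		fmt.Printf("%s %s (%s): %d distinct records, baseline %d\n", a.Day, a.User, a.Role, a.Distinct, a.Limit)
	}
}
```

Two design choices are worth noting: counting distinct records rather than raw events, so that a clerk re-opening the same chart all day is not flagged, and treating a role with no baseline as a limit of zero, so that an unrecognized account shows up for review instead of being silently ignored.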
Filed under: Perspectives
Tags: Data Breach, Identity Theft, insider threat, Johns Hopkins, malware, Personally Identifying Information, PII
CEO Blog
Our old friend Larry Ponemon released a disturbing report this week that described the extent to which laid off employees take confidential corporate data with them. According to the report nearly 60 percent of those surveyed admitted to stealing company data when they were terminated. In addition, almost 2/3 of those surveyed conceded they’d leveraged confidential corporate data to find subsequent new employment.
I frequently see reports that measure how much CIOs and CISOs worry about this type of insider threat, but this is the first research I’ve seen that attempts to measure the problem from the other side. While these numbers are somewhat higher than I expected, I’m not at all surprised at just how “leaky” companies seem to be given how long I think we’ve understood this problem. What this new Ponemon study highlights is just how much work we have yet to do to achieve an acceptable level of protection not only for our own confidential information, but the data all businesses protect for their customers, suppliers and partners.
As we reported last month, the cost of data breaches continues to rise and given the state of the economy, I believe the frequency of breaches will only rise as well. To be clear, there are no easy or cheap answers to this problem. It’s going to take development and deployment of new policies, technologies, and educational programs to even address it, let alone solve it.
Filed under: CEO Blog
Tags: Data Breach, insider threat
Cybercrime Grit & Grime
As a lifelong resident of California I’d be the first to admit that state politics on the left coast can sometimes be a little peculiar.
Last month with the Governor and the Legislature at their traditional impasse over the state budget, the Governor was threatening to veto the budget AND more than 900 other bills if the Legislature voted to over-ride his budget veto. Finally, on September 18 the governor and the legislature agreed on a budget (80 days late). With this piece of business out of the way, Governor Schwarzenegger turned his attention to processing the 896 bills passed by the legislature in the wake of the budget deal.
Unfortunately, this didn’t leave the governor enough time to do the standard due diligence on which bills to sign or veto. In California the governor must do one or the other, as we have a sort of “reverse pocket veto”法 law that means any bill not proactively vetoed becomes law. So, last week saw our governor vetoing bills at a rate that was projected to surpass his own record of more than 300 for the year. The governor was vetoing so many bills that he didn’t have time to explain his reasoning for most of them. Presumably he’ll have a chance to explain to the California electorate his reasoning for negating the work of both houses of the state legislature on more than 1/3 of the bills they sent to him last month.
One of the vetoes Governor Schwarzenegger DID explain was AB 1656 known as the Consumer Data Protection Act. This is actually the second time the governor has vetoed essentially the same bill having done so last year as well. In explaining the veto, the governor explained, “As I stated in last year’s veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers.” The governor also explained that he believed current industry “best practices” were both adequate and would be able to evolve more quickly if merchants were not required by statute to protect confidential information in specific ways. Finally, the governor asserted his belief that the bill would saddle merchants (and the state) with unacceptable costs in the event of a data breach.
On the face of it this seems like a credible explanation, but the more I looked into the bill and its supporters, the more I think there’s actually a more subtle issue at stake here that neither the bill’s supporters nor opponents wish to debate directly. Essentially there are two lobbying groups promoting their constituencies’ commercial interests on either side of AB 1656.
On one side we have the state’s Credit Unions represented by the California Credit Union League (CCUL). The CCUL member institutions (like many commercial banks) issue credit cards to their members and under the federal Gramm-Leach-Bliley Act bear most of the cost of notifying card holders in the event of a breach, reissuing new cards, and providing restitution to card holders that lose assets due to the breach. The problem with this model is that data breaches are rarely caused by the card issuing banks and credit unions. Many breaches occur because of security lapses on the part of the merchants that accept credit cards. What the CCUL and other supporters of AB 1656 are actually trying to do is to shift the costs of dealing with data breaches upstream to the retailers frequently responsible for them.
On the other side of the AB 1656 debate we have the California Retailers Association (CRA) and a host of other merchant advocacy groups. The retailers’ position is that they are already paying their fair share of breach remediation in the processing fees they pay to the card issuers on each transaction, and there’s some logic to their argument. What bothers me about this is that it still leaves the issuers with ultimate liability for events over which they have only indirect control. Issuers typically have the right to cancel a merchant if their fraud rate exceeds a negotiated threshold or the merchant fails to comply with other contractual terms. So the CRA’s position is that this issue is better dealt with contractually than via legislation.
I’m guessing the reason this issue is being led by the CCUL (and not the leading card issuing banks) is that they have much less leverage with the merchant community, particularly the big chains that make up the majority of transactions. They are, therefore, more exposed to big losses and less able to absorb them in the event of a large breach.
I don’t honestly know what the best way of assigning liability in these cases is, but as I noted above, the status quo doesn’t seem entirely just, nor does it appear to provide sufficient motivation for the merchants to do everything required to protect their customers’ confidential information. Fortunately, we’ll have a relatively clean set of test data available soon as Minnesota passed a very similar bill known as the Plastic Card Security Act. So hopefully we’ll be able to revisit this topic in a year or so and objectively assess whether legislation or negotiation leads to the best solution.
Filed under: Cybercrime Grit & Grime
Tags: AB 1656, cost, Data Breach, plastic card security act
This blog represents the personal opinions of certain employees of PGP Corporation and do not necessarily reflect the positions or opinions of PGP Corporation. As such, these personal opinions are not endorsed by PGP Corporation and you should conduct independent assessments before basing any decision upon the statements made in this blog.
MANAGERS, HOSTS, PARTICIPANTS, MODERATORS AND OTHER THIRD PARTIES ARE NOT AUTHORIZED PGP CORPORATION SPOKESPERSONS, AND THEIR VIEWS DO NOT NECESSARILY REFLECT THOSE OF PGP CORPORATION, AND ARE NOT ENDORSED BY PGP CORPORATION. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PGP CORPORATION WILL HAVE NO LIABILITY RELATED TO USER CONTENT ARISING UNDER INTELLECTUAL PROPERTY RIGHTS, LIBEL, PRIVACY, PUBLICITY, OBSCENITY OR OTHER LAWS. PGP CORPORATION WILL ALSO NOT BE LIABLE FOR MISUSE, LOSS, MODIFICATION OR UNAVAILABILITY OF ANY USER CONTENT. PGP CORPORATION DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS, WHETHER EXPRESS OR IMPLIED WITH RESPECT TO THE BLOG OR BLOG CONTENT. YOUR USE OF THIS SITE AFFIRMS AGREEMENT TO THE FOREGOING.