Full disk encryption (or whole disk encryption) is a kind of disk encryption software or hardware which encrypts every bit of data that goes on a disk. The term “full disk encryption” is often used to signify that everything on a disk, including the operating system, is encrypted. There are also programs capable of encrypting an entire disk fully but not capable of directly encrypting the system partition or boot partition of the operating system (e.g. FreeOTFE, GBDE and TrueCrypt which can fully encrypt an entire secondary hard disk). To boot from a fully encrypted disk on a standard personal computer requires hardware assistance as there is otherwise no other way for the BIOS to decrypt and transfer program control to an encrypted master boot record (MBR). There are software programs that can encrypt bootable operating system partitions but they must still leave the MBR, and thus part of the disk, unencrypted.

Why Do I Need Whole Disk Encryption

Full disk encryption has several benefits compared to regular file or folder encryption, or encrypted vaults. The following are some benefits of full disk encryption:

1. Everything including the swap space and the temporary files are encrypted. Encrypting these files is important, as they can reveal important confidential data.
2. With full disk encryption, the decision of which files to encrypt is not left up to users.
3. Support for pre-boot authentication.
4. Immediate data destruction, as simply destroying the cryptography keys renders the contained data useless. However, if security towards future attacks is a concern, purging or physical destruction is advised.

What To Look For In A Solution

* Powerful full-disk, file, and folder encryption
Rest assured that data is securely encrypted whenever it’s stored on desktops, laptops, tablets, and other mobile devices, and that files and folders remain encrypted wherever they travel thanks to industry-standard strong encryption algorithms such as RC5-1024 and AES-256
* Strong access control
Prevent unauthorized access and subsequent data loss with two- and three-factor preboot authentication, which supports many different smart cards and USB tokens; supports single sign-on to minimize hassles for authorized users and password synchronization with Windows
* Synchronized password changes
Propagate password changes that a user makes on one machine to all other machines that the user is assigned
* Centralized management
Centrally define, deploy, manage, and update security policies; maintain central control over user credentials, including synchronization, recovery, and revocation; and generate reports to meet compliance requirements
* Invaluable reporting and auditing capabilities
Support compliance with company, industry, and government regulations using the solution’s capable auditing and reporting features
* Seamless integration with existing infrastructure
Synchronize this solution with Active Directory, LDAP, PKI, and others; supports all Windows operating systems (full 32- and 64-bit Vista support), common languages, and various keyboards; next to that, endpoint encryption supports automatic language detection in preboot based on Microsoft Windows language settings

source:wikipedia.com;safeboot.com

SMB Antivirus

It used to be that antivirus software was all you needed to be relatively safe and all the bad guys wanted was to make a statement. Well, that is no longer the case, they want your money now or worse yet, your customers money. The good thing about this, is that when someone is predictable you can guard against them.

If all the bad guys just tried to deface websites or shut down systems or do other ‘vandal’ actions, then it would be hard to guard against them and even harder to justify spending money on it. Now, if their goal is to steal from you, steal your customers data, steal credit card or sensitive data or anything they can exploit for money, well it is pretty easy to know what you have that meets that need and justify spending money on it.

Cyber Vandal vs. Cyber Thief

Here are two scenarios:

1. A cyber vandal likes to take over websites and post his cyber name and a picture of some punk rock band or something like that and shut down your website for a day or so. Well, that would really stink, but the real damage is hard to calculate. We all know the media and tech communities like to post huge dollar amounts lost to hackers because systems were down, etc. Well, is that real…probably not.

2. A cyber theif likes to steal customer information so we can sell it on the black market to people that know how to make money with customer data or employee data or credit card data or just about anything. Do you think you can calculate a real damage there? Imagine notifying all your customers or employees their data was stolen! Imagine the money that will cost in actual damages and loss of reputation with them?

These days it is all about crime! So, what happened to me saying it was a good year for SMB IT Security, well like I said, once the threats become predictable it is easy to guard against them. Just ask yourself what data needs to be protected and what is the downside if it is not. In my opinion, once you know your risk, you can decide to take it or mitigate against it, but you have knowledge and that is power.

Michael Rowles

SMB IT Security & Antivirus

CopiaTECH

Gartner’s Magic Quadrant for Endpoint Protection Platforms is based on an assessment of a company’s ability to execute and completeness of vision.

• “The stand-alone antivirus market has been replaced with a broader suite of defensive technologies supported by an extensible management platform that can subsume horizontal products, such as data protection and device management capabilities.”
• A modular architecture that enables selective configuration based on security requirements and device location is also critical.”

Gartner gauges a company’s completeness of vision by considering its market understanding, sales and marketing strategy, offering or product strategy, business model, and innovation. Our position in the Magic Quadrant validates our market leadership in security risk management.

When it comes to endpoint security, McAfee has achieved many industry firsts:

• First to deliver a single agent and a single console for endpoint security
• First to manage a broad range of security products—endpoint, network, data, and web and messaging security—all from a single, centralized console
• First to combine security and compliance processes—management and reporting—from one console
• First to unify security and compliance management for physical and virtual environments
• First to deliver an industry standard security software development kit to enable full interoperability and management across McAfee and non-McAfee security products

read more | digg story

McAfee Buys SafeBoot Encryption

Interesting acquisition from McAfee for the data integrity market. Here is their website blurb on SafeBoot. It will be interesting to see exactly how this fits into the McAfee scheme. How will they convert this Executive move and marketing hype into sales and solution to end-users from Enterprise to the SMB space. I have said for a while now that companies are going to probably need a major class-action lawsuit and somebody get crucified by a jury before a majority take data integrity heart-attack serious. Maybe McAfee is betting on that inevitability…or they actually think Corporate America will do it themselves.

Big Acquisitions Nothing New

The acquisition game in IT Security is as new as a boot sector virus. I have seen a lot of them and wonder who the real winner ever is. I would like to see if anyone can remind me of one that was really additive and explosive in value for the SHAREHOLDER! I know the little company being bought always wins out big. The founders, financiers and lawyers make out huge. Management of the buyer are spending OPM (Other People’s Money), so what do they care? And when I say that what I mean is, when you pay $350,000,000 for a Dutch company, how and when is there a ROI? How much revenue and earnings does this company have and how many times revenues or earning are you paying?

What about your money?

McAfee is not the only one, Symantec, Cisco and many other big IT Companies do this. If you or I spent $350M of our own money we would probably want to know how and when we are going to see some returns, right? It will be interesting to see if this is a strategic win for McAfee and Corp America get serious about data and encryption or another windfall for the buyee.

read more | digg story

Why you need Double Authentication

Jeff Atwood at Coding Horror writes an extremely interesting article about cracking passwords. And this is exactly why businesses, small and large, need double authentication security to make passwords uncrackable.

What is Double Authentication?

Double authentication is when a user proves who they are with a password and another source such as tokens, biometrics or validating questions. The key is that the validation in addition to the password is something that is unbeatable by programs like Jeff talked about. One of the best is a token system that generates random long numbers that only your authentication software know. A program like Ophcrack would never ever be able to guess this 8 digit number. And, these numbers change every so many minutes, that the intruding hacker is never ever ever going to get into your system.

Why haven’t I heard of this?

Well, the big boys know all about tokens and double authentication. It has been the solution and price tag of the large Enterprise customer. Not so anymore. Many new security companies, like Entrust, are making iron clad security affordable and easy to use for all sizes of businesses.

Michael Rowles

Double Authenticated

Why do businesses not have an encryption plan?

We all know that when you fail to plan, you plan to fail. This is the case for the overwhelming majority of businesses. Encryption is treated as this great mystery and either not approached at all or bought and added to the ’shelfware’ all IT Folks have in their office. A box is checked that software is purchased, but many do not incorporate into their Corporate Security Policy. Mike Fratto of Network Computing writes that there is a ‘lack of compelling business driver’.

Encrypt what data?

Forrester Consulting says that one of the most important initial steps is to put together a Data Governance Plan which includes the classification of your data. You surely do not want to encrypt every scrap of data a business has, this is where security becomes an annoyance. Knowing your risk by taking the time to own what is classified and own what you decide to encrypt makes the future more clear. You can know that if all procedures are followed, what is at risk and what is not. You then take your Risk Management into your own hands, instead of the hands of the fates as to what you lose.

Now you can sleep at night

Taking action instead of reacting to disaster will give IT, Executives and Ownership a lot more REM sleep than the alternative. The alternative is head in the sand like an ostrich or moving to N Africa and living in Denial!

Michael Rowles

Denial Travel Agent

No Problem Justifying Return on Investment

The potential liability exposure resulting from a breach in data security, such as what happened with the data security breaches at TJX that involved the undetected theft of sensitive customer information over an 18-month period is mind-boggling. Although TXJ estimates liability payouts to reach “only” $107 million – which analysts say is highly optimistic since the potential exposure is more likely over $1 billion – such risks clearly justify planning and expenditures to beef up the security of sensitive information. The company also estimates it will spend about $11 million in security consulting fees necessitated to study the causes for the breach and prevent their reoccurence. It doesn’t take a rocket scientist to quickly calculate that had the $11 million been spent up front to avoid even the overly optimistic figure of $107 million in payouts, that the return on investment would have been more than $9 for every dollar spent.

Added to the financial risks are the potential risks of embarrassment. Take, for example, the recent news story that candidate information stored on Monster.com was infiltrated successfully by a Trojan and it’s easy to understand the potential for public fallout that can arise from inadequately protected data. How this will impact the number of candidates who are willing to share their personal contact data with online job sites – critical to the success of any job site – remains to be scene. To date, Monster seems to be quiet on the issue and to be taking the stance that “it was no big deal”.

The potential for financial loss and public embarrassment is also a concern for small and medium sized businesses, perhaps to an even greater degree, since similar events could result in the complete bankruptcy and discontinuation of the business.

An Increasingly Mobile Workforce Adds Fuel to the Fire

As the work force becomes increasingly mobile and road warriors abound, the number of data devices that support mobile workers is also increasing and those devices are becoming more and more affordable, putting them into reach for deployment by an increasing number of small and medium sized businesses as well as large enterprises. Unfortunately, in spite of the great conveniences these mobile devices offer, they can also create a security nightmare for the small and medium sized businesses that mistakenly believe the devices are inherently secure enough without any increased cause for concern.

The main problem with data stored on devices that are getting smaller and smaller is that the devices themselves get easier and easier to lose, especially on the road and they are also getting easier to steal because they conceal easily. When properly put in place, encryption, especially when combined with access control and port management, is an effective means of protecting the important enterprise data contained on such devices.

A survey of attendees at the 2007 InfoSec security conference in London indicated that almost 40 percent of middle and senior-level IT managers felt these portable tools for the road warrior represented their top security concern, 80 percent of those surveyed indicated they have not yet implemented effective security policies for them. And, 76 percent of IT professionals surveyed in a 2006 study by Check Point Software in Belgium, Luxembourg, and the Netherlands, said that they never use any data security to protect information stored on USB devices.

Traditional Network Security is Insufficient

Obviously, network security measures were insufficient to protect the data of TJX customers and Monster candidates. This is obvious in both cases, especially since the Monster Trojan was released through a legitimate employer account log in to access candidate information.

In the case of mobile devices, because users may roam between multiple networks and because users may also take advantage of non-network communications, such as Blue Tooth, network security alone is not sufficient protection for mobile devices either. While networks can provide some degree of protection, such as anti-virus, or anti-spam protection, even to mobile devices, there is still an important need for the device-level “data-at-rest” protection that encryption can provide. All the network security in the world won’t protect sensitive data if the mobile device is stolen or lost.

Why Encryption Makes Sense

Encrypting data makes sense on both mobile devices and for “data-at-rest” on larger storage systems because it makes the data worthless to unauthorized users. Encryption software converts data into “ciphertext”, which must then be decrypted or “un-encrypted” in order for it to be usable. Only users with the proper credentials are able to access the stored data and read it. While the initial indication is that a valid log-on account was used to steal the information stored on Monster, it may be possible that additional encryption measures would have prevented the use of any of the stolen data.

Finding the Perfect Encryption Solution

Whether you’ve been thinking about putting encryption in place to enhance your IT security measures or you’re thinking about replacing an existing solution that’s not meeting your needs, every product is unique. It’s important to understand your specific needs and potential vulnerabilities before you commit to any encryption solution. For example, Pointsec Mobile from Check Point provides one encryption solution for mobile devices running Symbian, Pocket PC, Windows Mobile SmartPhone and Palm by encrypting files on the devices as well as their related memory cards. In doing so, encryption is performed automatically without user intervention, and it allows easy transfer of encrypted data between Pointsec protected devices. Many other top IT security software companies, including McAfee and RSA also offer wireless versions of their encryption software.

These are not necessarily one-size-fits-all solutions. That’s why we suggest that you Contact a security encryption pro from CopiaTECH to help sort out your encryption needs, find the solution that best meets those needs and your budget, and get to work on protecting sensitive data and reducing your exposure to financial risk and your potential for public embarrassment: Before it’s too late.

Related:

Monster.com Data Compromised by Trojan
TJX Sets Aside $2.60 For Each Breached Customer Credit File
Portable Devices Pose Growing IT Security Threat
Wireless Encryption Software – What You Need to Know