Data Security FAQ

Some frequently asked questions about how to safeguard your computer data on a personal and business level. It assumes that you DO NOT have gigabytes of music and movies that require extensive security measures to protect.

1.) How should I begin to secure important data on my desktop computer or laptop?

First, it makes sense to designate 1 or 2 specific folders on your computer as the main folder for confidential file back-ups for several reasons. If you have to do a quick back-up, all you do is copy that folder to an external drive for an instant back-up.

Second, It provides a centralized location for all important data. Instead of having to hunt down the menu, sub-menu, sub-sub-menu of where you normally download company financial spreadsheets, you can set your browser and programs (such as Quickbooks, etc.) to save/download all important files to this folder.

Third, let’s say you only save ALL important files on a flash drive/external hard drive. If your notebook gets lost/stolen, the thieves only have the programs and not the actual confidential files which are on the cheap flash drive.

2.) Great, now how do I actually back-up my designated BACK UP folder(s)?

Here’s where it gets tricky. You have several back-up options such as:

A.) Cloud – Services such as Carbonite and Mozy offer low-priced back-up solutions. You basically upload all your confidential files to their cloud servers and are able to access them anywhere in the world where there is Internet access. The main issue is that, from a business security perspective, you have no idea where your data is stored.If, for example, it’s stored in a server farm in China which gets hacked, then you’re in trouble.

B.) External Hard Drives – These nifty devices come in portable 2.5” and larger 3.5” flavors and offer more than generous dumping grounds for all things important. Once you plug it in, your OS recognizes it and pops you up with a folder showing it as a (giant) external drive with a letter (i.e. G:) Some even feature OTB (One Touch Backup) so you press one button and it backs up either your entire system or certain portions of it. Some external hard drives offer plug-in encryption that prevents unauthorized access. The issue with this solution is that you have to lug it around, which means it has a chance of getting lost/stolen and the formality of performing a back-up might become time-consuming to some.

C.) Flash Drive – These little drives are more nimble, have zero moving parts and are highly portable. Unfortunately, this is also its Achilles’ Heel as its relatively small size makes it prone to becoming misplaced or stolen. Also it does not have the capacity of a larger external drive. The good news is that some flash drives have built-in encryption which can be useful if it lands in the wrong hands.

D.) Home/Office Network Attached Storage Drive – Also called NAS, this is an excellent solution for comprehensive back-up protection as these hard drives function as dumping grounds for an entire home or office network. It provides a centralized location for files, folders and documents which any connected computer can access and come in large drive sizes. However, security precautions should be utilized if the NAS has built-in measures as an unsecured NAS may be prone to prying eyes. For example, a NAS without security protocols activated while connected to a home Wi-Fi network is prone to being breached. Because of this, it’s crucial to configure the NAS security as well as the router/network security for optimal protection.

E.) Backing up to CD/DVD/Blu-Ray – Optical media back-up is actually a very cost-effective solution because CDs and DVDs are very cheap nowadays. Furthermore, if you’re looking to close the books for a certain month on your business, burning to a CD-R or DVD+R sets the data in stone so it can’t be manipulated on the disc. The problem is that if you have lots of data to back-up, the formality of using several CD-R or DVD-R discs to save might also become time consuming. In addition, you would have to make sure said back-up discs are placed in a safe place where the chance of it getting stolen is minimized.

3.) Which back-up method should I pick?

While the above solutions offer many ways to back up your confidential data, the best way to minimize a data breach/loss is to follow a combination of multiple back-up solutions and proactive behavior. For example, it would be a good idea to store important sensitive data on your flash drive and encrypting it with TRUE Crypt while also saving duplicate file copies on your home NAS drive via secure VPN connection. If your flash drive is lost/stolen, True Crypt prevents the drive from being used without proper credentials and you can still access the very same duplicate files on your NAS server.

Regarding proactive behavior, you should be mindful of back-ups so you don’t lose something you wish you saved 2 weeks ago.

There are also programs out there that can help secure data such as:

• Folder Lock – Locks and can hide any folder you wish from prying eyes.
• True Crypt– secures drives with extensive hardware encryption.
• Acronis Drive Cleaner – Completely erases all drive data with several methods (DoD, Gutmann method, etc.) – works great if you’re planning to get ride of old computer hardware.

Remember, it’s all about being proactive and being mindful of what back-up security solutions to use for your personal or business needs!

Recover Dead Drive

One of the most dreadful feelings that you can have is having a pc computer or laptop die that hadn’t been backed up recently; especially if you have valuable pictures, music, videos, documents or other files on it.

In this Tech Tip we’ll take a look at how to recover your valuable pictures from a dead computer.

Where to start

Computers are complex machines and when they work right, they are fun to use – but when something goes drastically wrong, it can feel as if your world crashed down around you. If your hard drive is still in working order, there is a very good chance that you’ll be able to recover your pictures, music, videos and valuable documents (and other data) simply with another computer; a specialized cable, a screwdriver; and a little time.

To start off, your best bet it to get a specialized USB cable that can plug directly into your hard drive that you’ll recover from the dead computer. There are several types, and I’d recommend getting one that can handle both PATA (IDE) and SATA hard drives (the two most common used in consumer computers) as well as 2.5” (laptop) and 3.5” (desktop) hard drives. You can also use a hard drive dock or external drive cases as well - but personally I find the specialized USB cable to be the easiest and most flexible option.

Next, remove the hard drive from the dead computer. On desktops it is usually held in with four Philips screwdrivers and on laptops it is usually under an access panel on the bottom of the computer. Remove any cables and caddies that the drive may have – all you need is the bare drive. Then plug in the USB cable into the hard drive (and a power cable if it is a desktop drive – also provided with the USB cable kit) and then plug the other end of the USB cable into a working computer. The computer will then set up the drive ad an external storage device and voilà! you’ll now have access to the files on that drive (provided that the drive is not encrypted or using some type of security feature).

Where to look

OK, so the drive is now plugged into your computer and seen as an external drive, now what? You have several options. One option is to simply look for the files on the drive from the dead computer that you plugged into the USB port and copy them onto the working computer. This is my preferred method personally. I like to “brute force” my way through the drive with Windows Explorer (or a similar file browsing tool) and manually copy/paste the data from one computer to the other. Another option is to follow a Windows dialog box (that usually pops up when you plug in an external drive) and have it help you copy your data from one computer to the other. If you are manually choosing to “brute force it” personal data is usually stored by default in the computers operating systems “home directory” for users.

Common Locations

for home directories (where <root> takes the place of the drive letter):

1. Microsoft Windows 95-Me <root>\My Documents
2. Microsoft Windows 2000/XP/2003 <root>\Documents andSettings\<username>
3. Microsoft Windows Vista / Windows 7 <root>\Users\<username>

Other “What ifs”

What if the files on the drives are erased? If they are, you can use a free recovery program such as Piriform’s Recuva to look for and (hopefully) restore the files. This simple, easy-to-use tool is terrific for recovering pictures from a camera’s memory card that have accidentally been erased as well!

What if the hard drive is the reason that the computer died (actual hardware failure)? If the hard drive is the part that caused the computer failure, then you may be out of luck. Yes, there are specialty recovery services that will pull apart the drives data platters and attempt to recover data (and they are usually successful - such services were used, for example, to recover data from the hard drives that were used on computers from the space shuttle Columbia after it broke apart in 2003) but such services are usually very expensive.

A word to the wise

Backup, backup, backup! Whether using one of the Internet based cloud services or a separate external hard drive – if you make it a habit of backing up regularly, chances are good that you’ll keep the loss of such a failure to a minimum if a computer fails. Of course one of the benefits of using cloud-based backup services is that you can have access to your pictures anywhere you have Internet access.

Summing it up

A computer that dies can be a loss – but don’t lose hope that your valuable pictures (and other stuff) are gone forever. With a little work, you can retrieve your data off the hard drives from a dead computer!

Pod Slurping

Pod Slurping – An easy technique for stealing data

The problem with uncontrolled use of iPods, USB sticks and flash drives on your network. A common misconception is that perimeter security measures such as firewalls and anti-virus software are enough to secure corporate data residing on the corporate network. In this white paper, we explore how the uncontrolled use of portable storage devices such as iPods, USB sticks, flash drives and PDAs, coupled with data theft techniques such as ‘pod slurping’, can lead to major security breaches.

Pod slurping: How can insiders steal your data?

iPods - if in wrong hands can do more damage

Developments in portable device and data storage technology are escalating. The latest versions of MP3 players and flash memory devices have huge storage capabilities; yet these gadgets are small enough to easily conceal and sneak in behind the corporate line of defence. Further to this, easy connectivity and high speed data transfer has become increasingly more widespread – a user may simply plug the device into a USB or FireWire port and they are up and running – no drivers or configuration required! In practice, this means that a data thief can get away with even more precious data, and a negligent employee can dump more viruses onto the corporate network even when connecting for only a short time. iPod is just one example of such portable contraptions. At a glance it is an innocent-looking portable audio device. However under the hood it boasts up to 60 GB of portable storage space; practically large enough to store all the data found in a typical workstation. This means that a malicious insider can use an iPod to covertly take out (i.e. ‘steal’) proprietary data and millions of financial, consumer or otherwise sensitive corporate records at one go!

Gartner analysts Contu and Girard (2004) warned of the security risks associated with the uncontrolled use of portable storage devices within corporations. Today, information theft has become a plague on modern society; data leakage, data ciphering, and data disclosure incidents are all but some of the terms used by security experts to refer to information theft. However, the most original term so far is probably the term ‘pod slurping’ that was coined by US security expert Abe Usher (2005).

Pod slurping: An easy technique for stealing data

Usher uses the term ‘pod slurping’ to describe how MP3 players such as iPods and other USB mass storage devices can be easily used to steal sensitive corporate data. “There are dishonest people in the world”, says Usher, “many of them work at many companies – and these USB devices make it rather trivial to steal huge amounts of data” (Schick, 2006). To demonstrate the vulnerability of corporate security, Usher developed a “proof of concept” software application that can automatically search corporate networks and copy (or “slurp”) business critical data onto an iPod. This software application runs directly from an iPod and when connected to a computer it can slurp (copy) large volumes of corporate data onto an iPod within minutes. What’s more is that slurping is not limited to iPods and MP3 players alone. All portable storage devices can be used to slurp information; digital cameras, PDAs, thumb drives, mobile phones and any other plug-and-play devices which have storage capabilities! Data slurping is a very simple automated process and does not require any technical expertise; a user may plugin the portable storage device to a corporate workstation and by the time it takes to listen to an MP3, all the sensitive corporate data on that workstation is copied to the portable storage device.

Insider information theft is a real problem

Information theft has now become a major concern for every organization and thus data leakage prevention is slowly taking up a bigger portion of the IT budget. This drive is attributed to two factors: The wave of malevolent threats that is hitting every industry and the increase in regulatory requirements which demand more protection and tighter controls over client records and other confidential information. More stringent controls and severe penalties are forcing organizations to address regulatory compliance more seriously. In January 2006, the Federal Trade Commission charged commercial data broker ChoicePoint Inc. a settlement fee of 15 million dollars for leaking consumer data and violating consumer privacy rights (Federal Trade Commission, 2006). A misconception shared by many organizations is that security threats mostly originate from outside the corporation. In fact, countless dollars are being spent every year on firewalls and other solutions that secure the corporate perimeter from external threats. However, statistics show that internal security breaches are growing faster than external attacks and at least half of security breaches originate from behind the corporate firewall. Unfortunately, corporate insiders are the first and easiest route to evade perimeter security. The trusted position of corporate employees and their constant exposure to corporate data makes detecting and stopping of data theft an enormous challenge – especially in environments where corporate data is largely distributed!

Why would insiders want to slurp information?

Is your computer safe from insider theft.

Corporate data can be profitable in various ways; blueprints, engineering plans, tenders, pricelists, source code, database schemas, sound files, lyrics and much more – all this valuable intellectual property may be exploited
by individuals or corporations to gain economical and business advantage over their competitors. The 2006 CSI/FBI survey indicates theft of intellectual property as having the fourth highest economical effect over organizations (Gordon et al., 2006). Malicious perpetrators may also steal sensitive consumer information such as medical and financial records from a company and divulge it to the public. This would damage the company’s reputation as well as make it liable to legal prosecution for violating consumer privacy rights. In a nutshell, malicious intent, monetary gain and curiosity are probably the major motives behind information
theft. Anyone is an enemy for a price and thus perpetrators can be various. Disgruntled employees that believe they are disrespected or exploited by their employers may take advantage of their trusted position and sell
corporate plans and other sensitive information to direct competitors. Former employees who feel they have been unfairly dismissed may use their inside knowledge or exploit internal relationships to access, steal and
publicly expose consumer information and damage the company. Trusted insiders can also turn into paid informers and engage in industrial espionage, data warfare or other extensive fraudulent activities such as
‘identity theft’. The term ‘identity theft’ refers to crimes in which someone obtains and uses the personal details of another person (e.g. social security or credit card number) to commit criminal acts, usually for financial gain. To date it is the fastest growing crime in the United States. It was estimated that identity theft victims amounted to around nine million adults in the U.S. in 2005 (Johannes, 2006).

How can corporations mitigate the risks of information theft?

The key advantage of iPods and similar portable storage devices is easy access. In theory, this may be of great advantage for corporations. However, it is a well-reported fact that access and security are at opposite ends of
the security continuum. The reason is that you never know what users may be doing with their portable devices. An employee might appear to be listening to music on his iPod, but actually he or she might be uploading malicious files or slurping gigabytes of valuable corporate data. A possible solution to avoid information theft is to implement a corporate-wide portable storage control policy. To mitigate the security risks, some experts and researchers suggest conventional courses of action such as the physical blocking of ports, stringent supervision as well as drastic actions such as the total ban of iPods and similar devices from the workplace. However, this is not the best practical approach. Portable storage devices can be beneficial tools for the corporate workforce and a blanket ban would be counter-productive. In addition good practice dictates that you must never rely on voluntary compliance.