Categories
Blog Data Erasure Device Control File Server Security USB Sescurity

[General Data Protection Regulation ③] Data Protection by Design and by Default: Technological Measures

Just over five months from now, the GDPR will be enforced for a stricter, thorough, and fair protection of personal data of all EU citizens, and the organizations with the presence in the EU have a tough task of GDPR compliance in their hands. To lighten the burden, we wrote a checklist of requirements for the organizations to follow on our earlier blog. Continuing our blog series on the GDPR, we will take a closer look at a technological aspect of compliance and how organizations can approach it.

For starters, where should the organizations begin to comply with the technological requirements of the GDPR? We turn our attention to “Data Protection by Design and by Default”, or Article 25. It explains that the organizations that fall under the GDPR scope must implement appropriate technical and organizational measures, which are designed to implement data-protection principles to integrate the necessary safeguards in order to:

  1. meet the requirements of this Regulation and protect the rights of data subjects, and
  2. to ensure that only personal data which are necessary for each specific purpose of the processing are processed.

The organizations are explicitly required to implement appropriate technical measures for personal data protection. However, with a plethora of data security solutions out there, some organizations may feel lost. From the technological point of view, we understand the Article 25 as the organizations’ responsibility to apply a cohesive blend of multiple data security principles to the full extent of data life cycle, which largely consists of data storage, processing, and erasure. We believe that this approach will serve as a backbone from which the organizations can start preparing for the GDPR.

After collecting personal data by complying with the GDPR requirements, data storage follows. The fundamental security principle here is to store all the personal data in one or more secure data repositories, separate from, but accessible by individual PCs via local network. The most common data repository is the file server, which is often operated and managed in multiple numbers, dedicated to multiple groups of users that will only be allowed to work on the files while being restricted from unauthorized file exports. To make sure your file servers are kept safe from potential dangers, organizations must consider some of the key security principles as below.

  1. Physical security to prevent intruder breaches
  2. Encryption to ensure protection of data against hackers or theft
  3. Keeping it off Internet to restrict potentially malicious or accidental access from outside of your LAN
  4. Anti-virus solutions to prevent cyber attacks from the outside
  5. Maintain high availability to ensure continuity of work productivity in case of accidental or malicious disruption to file server(s)

Once personal data is stored in the file servers, it will be subject to data processing by diverse personnel such as employees, contractors, partners, and consultants. It is critical to realize that data processing is the breeding ground for both accidental and malicious data leak threats from inside and out. The most common form of data leaks is accidental, due to employee negligence, operational mistakes, or lack of education. However, organizations cannot overlook the risk of malicious data leaks that can be caused by greed, ego, and competition. Therefore, a stringent data security system is required to ensure that only the certain files and folders are accessible by authorized users. Furthermore, all user, file, and folder activities must be logged for auditing and only allowed to be accessible by certain users. When processing personal data, employees may also transfer or share it outside the secure premises. For secure processing of personal data, organizations can consider some of the general countermeasures as below to mitigate the risks of leaking data.

  1. Data loss prevention (DLP) detects potential data leaks by monitoring the important data and blocking it from leaving the secure premises from the end-points.
  2. Enterprise digital rights management (EDRM) provides file access control and file activity restriction features that are persistent and manageable even outside the secure premises.
  3. Virtual desktop infrastructure (VDI) runs multiple user desktops inside virtual machines (terminals) with persistent data security policies that only allows users to access the data within the centralized data center(s).

Once the processing of personal data is complete, organizations may undertake data erasure to free up their storage space, or to ensure that personal data remains unavailable to others. Data erasure is closely related to the Article 17, which states that the data subjects have the right to erasure, or the right to be forgotten. Therefore, organizations must be prepared to erase personal data, rendering it unrecoverable in any situation. In this case, direct data erasure on the storage devices, through one or a combination of the general methods as below, is the safest procedure.

  1. Data erasure software by overwriting with randomized data
  2. Degaussing, or elimination of magnetic fields on storage devices to erase all stored data
  3. Brute destruction of storage devices

Despite the advantage of complete data erasure, degaussing and brute destruction carry two distinct disadvantages. Firstly, they make the storage devices unusable, and secondly, they require the devices to be transported to the external facilities, risking them to potential theft or loss. On the other hand, data erasure via software bypasses the two disadvantages by allowing the organizations to ‘recycle’ their storage devices and perform data erasure within their office premises. Therefore, organizations can ensure complete and secure data erasure with a software initially, and by subsequently degaussing or brutely destroying devices.

Meeting the technological requirements of the “Data protection by design and by default” can help organizations to get off to a solid start in achieving GDPR compliance before the deadline. We recommend the organizations to consider implementing the technological measures for the three steps of data life cycle: storage, processing, and erasure. This approach allows the organizations to devise a cohesive blend of multiple data security solutions, which will protect personal data from leaks and breaches from both internal and external threats. Capping off our blog series on the GDPR, we will discuss how Secudrive solutions can technologically help you to achieve “Data protection by design and by default” to prepare for the GDPR.

Blog Posts in this Series:
① The GDPR Summary: The 5 Key Points
② Checklist for the Organizations to Comply with the GDPR
→ Data Protection by Design and by Default: Technological Measures
④ How to Comply with GDPR

Categories
Blog Data Erasure Device Control File Server Security USB Sescurity

[General Data Protection Regulation ②] Checklist for the Organizations to Comply with the GDPR

May 25, 2018, the deadline for GDPR compliance is approaching, and organizations around the world are gearing up to identify what to do and where to begin. More comprehensive and ambiguous than its predecessor, European Data Protection Directive, the GDPR promises to be difficult to comply with. Through its requirements, the GDPR not only places more obligations on the organizations but also gives more power to the EU citizens. If your organization falls within the GDPR’s territorial scope, it is responsible for organizational, operational, and technological requirements to ensure that personal data of the EU citizens are protected.

Some organizations might have a long way to go to meet the GDPR requirements, whereas others might be closer. However, for any organization, meeting these requirements will be unquestionably difficult. To help you prepare to comply with the GDPR, we have drawn up a checklist for you to follow, and ultimately identify what you need to do and where to begin.

Assess the Current Situation. The GDPR and its potential impact on data security and day-to-day operations must be acknowledged on an organization-wide basis, starting with the key decision makers. Initially, it is critical to identify the gaps that may cause non-compliance issues under the GDPR, and arrange the ways to make up those gaps. The next step is to know what the organizations are and will be dealing with, by asking the question “which data can be defined as personal data?” According to the Article 4 of the GDPR, “‘personal data’ means any information relating to an identified or identifiable natural person… directly or indirectly.” Forms of personal data for identification of natural person ranges from common forms like name and identification number, to more specific forms like physiological, economic, and social information. Then, how about when collecting new personal data? Since the Article 13 requires the organizations to communicate how and why the personal data is collected and used, and Article 12 requires the communications to be transparent, organizations must first review their current privacy notice or consent, and make necessary revisions to be GDPR-compliant.

Know the Rights of the Data Subjects. The GDPR gives more rights to the EU citizens; therefore, organizations must examine whether their procedures cover all these rights as declared. Considering these rights, organizations can potentially revise existing procedures and go further, by evaluating their capabilities when the data subjects exercise their rights as manifested in the Articles from 13 to 22.

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making including profiling

Data Protection by Design and by Default. The Article 25 explicitly articulates that organizations have a general obligation to implement technical and organizational measures to demonstrate that they have integrated data protection into everyday processing activities. This requirement can be considered as one of the key GDPR principles, as the legislators have recognized that privacy cannot be completely guaranteed only by laws, but that it must become a backbone in the design and maintenance of information systems and processing for each organization. In simpler terms, this requirement aims to guide the organizations to meet the GDPR requirements and protect the rights of data subjects through the means of technical and organizational measures. This requirement serves an equal purpose, but there is no one right answer; every organization must approach it differently by adhering to various data security principles and technologies. Specifically, where personal data processing could pose a risk to individuals, the Article 35 declares Data Protection Impact Assessments (DPIA) as mandatory in the situations. For example, if an organization is deploying new technology, such as artificial intelligence and profiling systems, or is processing personal data on a large scale, such as patient and medical data in health institutions, DPIA must be conducted.

Notify Data Breaches. According to the Article 33 and 34, organizations must ensure that appropriate procedures are in place to detect and investigate personal data breaches, and to notify the details to both supervising authorities and affected data subjects. Even though not all personal data breaches are subject to reporting, breaches that carry a risk to the rights and freedom of the affected data subjects, such as discrimination, damage to reputation, financial loss, loss of confidentiality, or other serious economic or social disadvantage, must be reported. However, the GDPR also provides exceptions to this requirement, if an organization has

  • implemented appropriate technical and organizational protection measures that render the personal data unintelligible to those without authorization for access;
  • taken actions to ensure that personal data breaches do not risk the rights and freedom of the affected data subjects; and
  • determined that notification to each affected data subject would “involve a disproportionate effort.”

Appoint A Data Protection Officer. As a core part of organizational requirements by the GDPR, organizations must appoint a data protection officer (DPO) in some cases. The Article 37 and 38 reveal the legal details on the designation and position of the DPOs. If your organization falls under the GDPR scope and satisfy the three conditions as below, you must appoint one or more DPOs.

  • Your organization is of public authority
  • Your organization conducts monitoring of individuals on a large scale
  • Your organization conducts processing of specific types of data such as criminal records

The Article 39 explains the minimum tasks of the DPOs as below:

  • inform and advise the organization and its employees for the purpose of GDPR compliance
  • monitor the processing of data to maintain GDPR compliance; and
  • act as the first point of contact for the supervisory authorities and for individuals whose data is processed.

However, who do they need to appoint as the DPOs? Not everyone can perform as a DPO, after all. While the GDPR does not specify the definite qualifications which the DPOs are expected to have, it requires that DPOs must be experienced and educated in the field of data protection law.

With organizational, operational, and technological requirements, this checklist may seem overwhelming. It is no doubt that getting started is the most difficult, yet the most significant step to take. However, how can we really get started for GDPR compliance? Among the requirements, we believe the organizations can start technologically. Head to our next blog and find out what the key technological requirements are for GDPR compliance.

Blog Posts in this Series:
① The GDPR Summary: The 5 Key Points
→ Checklist for the Organizations to Comply with the GDPR
③ Data Protection by Design and by Default: Technological Measures
④ How to Comply with GDPR

Categories
Blog Data Erasure Device Control File Server Security USB Sescurity

[General Data Protection Regulation ①] The GDPR Summary: The 5 Key Points

After four years of discussion and preparation by the European Parliament, the Council of the European Union, and the European Commission, the General Data Protection Regulation (GDPR) is now ready to become effective on May 25, 2018 to achieve more comprehensive enforcement of personal data protection laws for all EU citizens. The importance of protecting personal data with legitimacy has been a major talking point in the recent times, and the EU is taking its bold step to set the bar for the rest of the world to follow.

Leading up to the GDPR

Let’s roll back the years to 1995, when the European Data Protection Directive was imposed to regulate the processing of personal data in the EU. Back then, personal data was simply a component of vast information database in the private scope, and was protected solely under the notion of ‘right to confidentiality.’ Fast forward to now, personal data plays a key role in achieving prolonged growth and greater success for global enterprises, as collecting, processing, and exchanging personal data has become the cornerstone of any business activity. This transition has been apparent and rapid with the various technological and business innovations like social media, complex data analytics, and data storage to achieve superior customer relationships. To keep pace with this unstoppable transition, global enterprises required, and have been obtaining a much wider range of personal data from more people around the globe. Consequently, personal data protection laws had to be reformed to acknowledge the notion of ‘right to protection,’ rather than that of ‘right to confidentiality.’

Understanding the GDPR

Come May 25, 2018, all organizations, even outside the EU, that are currently processing or planning to process personal data of the EU citizens must be prepared to comply with the GDPR. Unfortunately, it does not seem to be an easy task; therefore, we have summarized the GDPR into five key points.

One Law for 28 EU Members. Superseding the former European Data Protection Directive, the GDPR is unified legislation that applies to all 28 member states of the EU. Under one set of laws, each EU member state will establish independent Supervisory Authorities (SA) that will receive and investigate complaints or data breaches, issue warnings or fines, and cooperate with other SAs if required. This change can be considered as welcoming, as the organizations are only required to comply with one set of laws, even if their activities are widespread across multiple EU member states.

More Power to the Data Subjects. The GDPR promises increased power for the data subjects. Data subjects are the natural persons whose personal data is processed by an organization. First and foremost, the organizations must provide clear and concise consent to the data subjects before collecting their personal data, signifying the end of long, illegible terms and conditions that are full of legalese. Furthermore, data subjects can lawfully request the organizations for the access, rectification, erasure, restriction of processing, portability, and objection of their personal data. Accordingly, the organizations must provide documentation that proves the completion of the data subjects’ request(s). Also, the GDPR provides the data subjects with the explicit right to lodge a complaint with the SAs, if any processing of their personal data infringes the GDPR requirements.

Strengthened Authority and Heavier Sanctions. The GDPR declares strengthened authority and heavier sanctions for non-compliance. Through the SAs, written warnings or periodic data protection audits will be imposed in cases of the first and unintentional infringement. Severe infringements may be punishable by a fine up to 20 million Euros or 4% of the annual worldwide turnover. Stricter sanctions dictated by the GDPR certainly put pressure on enterprises and organizations to invest substantial capital and resources to ensure that personal data remains protected and data subjects’ right and freedom are not harmed by non-compliance.

Data Protection by Design and by Default. It is the organizations’ legal responsibility to establish appropriate organizational and technological measures to meet the requirements of the GDPR and protect the rights of data subjects. Organizational measures pertain to appointing appropriate personnel, who can dedicate their expertise and responsibility for the GDPR compliance, while technological measures are associated with the integration of necessary security into the processing of personal data to ensure that rights of the data subjects are protected. This responsibility alludes to the GDPR’s new obligation of appointing Data Protection Officers (DPO) and establishing organization-wide data security.

Data Breach Notification. Unfortunately, data breaches can always occur. In this case, DPOs must take it seriously and notify it to the SAs immediately, or within 72 hours of discovery, by specifying the details such as the number of affected individuals. Furthermore, the affected individuals must be notified of the data breaches as soon as possible. Failure or refusal to notifying such data breaches to the SAs can result in sanctions.

Due to comprehensive and strengthened enforcement, complying with the GDPR will neither be an easy nor avoidable task for many organizations that wish to operate in the EU. As our commitment to data security stays true, we felt obliged to seriously approach and understand the GDPR, and share its implications to data security. The deadline to compliance, May 25, 2018 is approaching rapidly, and we hope that your journey to GDPR compliance will start off positively with Secudrive.

Blog Posts in this Series:
→ The GDPR Summary: The 5 Key Points
② Checklist for the Organizations to Comply with the GDPR
③ Data Protection by Design and by Default: Technological Measures
④ How to Comply with GDPR

Categories
Blog USB Sescurity

How to Protect Top Secret Information on USB Flash Drives.

On October 28, Daily Mirror reported a severe data breach through an unencrypted USB flash drive that was discovered by a pedestrian in the street of west London. The USB flash drive contained 2.5 GB of classified data, in the form of at least 174 documents, maps, and images. Discovering what this data detailed alarmed the authorities at Heathrow Airport, as it revealed top secret information that was critical to the UK’s national security such as Queen’s route to the airport, security patrol timetables, IDs for restricted areas, and operating manuals for Doppler radar surveillance system. The shocking details did not stop, as the USB flash drive was not even encrypted, meaning that anyone could access it without entering a password. The Metropolitan Police is seriously considering this happening as a terror threat and is currently investigating how this critical information was originally leaked out. Furthermore, the authority may have to invest a massive budget to build a new security system for Heathrow Airport, as the current system may have been already compromised and possibly leaked out to the wrong hands.

Without a doubt, this security lapse has been a hot issue in the IT security industry. Right after the news broke out, Spiceworks, one of the biggest online communities for IT professionals, has been conducting a poll to find out if IT professionals or organizations prevent data leaks by encrypting data or disabling USB ports. As of November 14, the results showed that 325 of 865 respondents (38%) neither encrypt data nor disable USB ports to prevent data leaks. Among those that impose security measures, 26% disabled USB ports, 13% encrypted their data, and 18% implemented both.

Organizations that appreciate data security disable USB ports on employees’ PCs, as 44% of the respondents answered in the poll above. This security measure allows the IT administrators to monitor who transferred and worked with what data through which network, only by permitting data transfer online. However, this measure presents a shortage, as the data security still remains in doubt due to the inability of managing the file activity once the files leave the secure office premises. In response to this shortage, organizations often store the files on USB flash drives that will be given to trustworthy employees who monitor the file activity with naked eyes, ensuring that nothing gets out and the files return safely to the office premises. Additionally, organizations use USB drives in other numerous ways to store and transport data within, or outside the office premises. Therefore, USB drives are considered as the widely accepted means for data management and transport, as 51% of poll respondents do not disable USB ports or only encrypt their data.

However, is USB drive encryption or USB port restriction, or even a combination of both truly enough to achieve reliable data security standards? Are we covering all the possible fronts?

Going back to the security lapse concerning Heathrow Airport, it is beyond belief to learn that an authority that is responsible for the national security of the highest order does not use encrypted USB flash drives. However, even if they did encrypt their USB flash drives and top-secret data, would this solution be sufficient to prevent data leaks in the future?

The answer is a clear no, as the risk of data leakage by an insider with the highest security clearance, who can copy and export the top-secret files to the wrong hands via USB flash drives, can never be overlooked. Even worse, it is almost impossible to identify the ‘what,’ ‘who,’ and ‘when’ about the data leakage.

If you must store ‘top secret information’ on USB flash drives, they must be not only encrypted but also copy-protected. If an employee, who is carrying one or more USB flash drives with top-secret information, must work with a co-worker out of office, it is imperative to restrict the employee’s right to copy, print, screen capture, and network transfer the files on the USB flash drives. Moreover, the USB drives must be configured to be only accessible via specifically permitted IPs, and the administrator must be able to monitor all activities real-time through the internet. Secudrive USB drive solutions are designed to prevent any leakage of top-secret information from USB flash drives.

If you expect a potentially catastrophic result from leakage of top-secret information, Secudrive USB flash drives are the perfect solution that provides infallible security with hardware encryption chip, copy-protection with digital rights management, and remote monitoring and management. Before trusting your employees or official documents like a non-disclosure agreement, protecting your data from leakage, malicious or accidental, begins by establishing a robust and dependable security system that protects your confidential, top-secret data from both internal and external threats.

Categories
Blog File Server Security

Secudrive File Server: A File Server Data Loss Prevention with Digital Rights Management

Most organizations have file servers: Even small ones usually have at least one file server. However, larger ones have multiple file servers for teams or task-forces. File servers are storing sensitive files such as customers’ privacy, proposals for bids, drawings for new product development, and, etc. multiple users such as employees, consultants, contractors, partners share the information. Therefore, it is imperative to establish and manage an intricate and assured security system to prevent both accidental and intentional data leaks.

Secudrive File Server manages user rights by using Data Rights Management (DRM) technology to prevent data loss from the Windows file server. Even though a user has permission to access a file server, Secudrive File Server makes it possible to prohibit the user from copying or transferring a file from the server to anywhere out of the server. It whitelists applications to use specific applications and not to use an unknown one on the file server so that it can protect file server data from a ransomware attack. It filters file activity logs by users so that it can enable an administrator to monitor user activities at a glance and to use them for post-audit. It can be installed on an existing file server keeping existing Windows Active Directory(AD) environment so that existing shared folder, user, group, and permission can be utilized without any additional operation. Finally, it supports Microsoft Distributed File System(DFS) to manage remotely and collectively scattered multiple file servers in an organization.

Data loss prevention using DRM. Secudrive File Server can restrict user rights for copy, print, screen-capture, and network-transfer which cause data leakage from a file server. It can block all ways relating to copy such as ‘copy and paste,’ ‘save as,’ ‘clipboard copy’ as well as general ‘copy.’ Clipboard copy on a file server can be exceptionally allowed for productivity. Print can be prohibited, or only water-mark printing can be allowed for post-audit. If screen-capture is blocked, not only ‘print screen’ as a basic function of Windows but also screen capture trial by using a third-party sniffing tool does not work. Finally, it can also prohibit network-transfer by using ‘copy to web’ which can copy to the public cloud like ‘OneDrive.’

Ransomware attack prevention using application whitelisting. Prohibiting user rights using DRM technology works only if a user uses specific applications which are supported by Secudrive File Server. Secudrive File Server offers supportive applications including computer-aided design(CAD) files as well as various Office files, and then an administrator can whitelist apps among the list. By doing so, other applications including ransomware except the whitelisted are blocked from being installed and run on the file server so that the file server can be protected from ransomware attacks. An administrator also whitelists domains, IPs, and ports for network-transfer, if he/she enables a user to save a file onto groupware in the intranet.

User and file activity log monitoring. An administrator can monitor detailed file activity logs on when a user creates, modifies, deletes, copies, prints, screen-captures, and network-transfers a file as well as user activity logs on when and where a user accesses a file server. If file transfer out of the file server is allowed, the transferred file can be automatically backed up, and the log can be left for post-audit.

Easy installation and operation while keeping the existing system. Secudrive File Server can be added to the existing file server(s) keeping existing settings relating to information on users, folders, groups, and permissions. Secudrive File Server shows existing shared folders and enables an administrator to choose one among them and change it to ‘a secure shared folder’ on which DRM policy for users can work. Secudrive File Server also provides an easy user interface to add, modify, and delete a user, a folder, a group, and permission in an administrator’s console.

Compatible with enterprise environment. Secudrive File Server is compatible with AD environment so that existing AD environment can be maintained without any modification. It supports Windows Distributed File System to remotely and collectively manage scattered multiple file servers at a glance in large organizations.

Secudrive File Server could be an easy and efficient data loss prevention solution for a file server(s) with DRM technology so that it can make file server(s) a secure cooperative workspace for enterprises by protecting data from insider threats as well as outside attacks. Secudrive provides more detailed information and 30-day free trial of Secudrive File Server from its website.

Categories
Blog USB Sescurity

Four Basic Requirements for USB Drive Security

USB flash drives are still popular portable storage devices because they are small and have relatively large storage capacities. Data on USB flash drives are not only readable but also editable, while data on CDs/DVDs are only readable. Users can edit the data on USB flash drives anywhere and in any situation.

You can place data on a USB flash drive to keep it physically separated from the rest of the data on a laptop and minimize the effects of a data breach if you lose the laptop. You can also use data on a USB flash drive by plugging it into a computer even when you’re offline; in contrast, you can access data on the cloud only through a network, meaning you can only use it when you’re online.

Although USB flash drives have significant advantages over other storage devices, many organizations now prohibit employees from using them by blocking the USB ports on their computers. These organizations make employees use and transfer data only through their networks, through which they monitor their data activities. The reason for this prohibition is that USB flash drives are vulnerable and lack security safeguards—unlike computers, which various information-security solutions protect to prevent data breaches.

However, many organizations still use USB flash drives. Some allow employees to use them freely to increase productivity, while others allow them in special cases despite prohibiting them generally. Companies that allow USB flash drives should use ones that are safeguarded by security solutions as secure as laptops are to prevent data breaches. If the data on a USB flash drive is as important as the data on a laptop is, it is easy to understand why it is imperative to protect the drive’s data. Below, we describe basic ways to protect data on a laptop. These basic methods can also promote USB security.

First, encryption software should be installed on a laptop in case it is lost or stolen. Second, antimalware software is required to prevent malware infections. Third, data-loss-prevention software protects against unauthorized data transfers outside the office. Finally, laptops should be managed collectively and remotely. The organization should require these four basic principles of laptop data security.

Encryption. Encryption guards against data breaches in the event the device is lost or stolen. Some encryption software can encrypt general USB flash drives. Some USB flash drives include preinstalled encryption software, and others include an encryption chip or keypad. Generally, USB flash drives with encryption chips are recommended for the enterprise level of security (read about Types of Encrypted USB Flash Drives).

Anti-malware. A USB flash drive also needs anti-malware software to prevent malware infections. When a USB flash drive is plugged into a computer that malware has already infected, the malware can easily infect it as well. The infected USB flash drive can then spread the malware to other computers in the organization.

Digital Right Management. You should prevent users from taking files from your USB flash drive without your permission. You cannot monitor an unauthorized data breach if a user uses the drive outside the network; therefore, you need to prohibit user rights to copy, print, screen-capture, and network-transfer files containing sensitive data before giving the drive away. That is the only way to protect against a data breach.

Remote Management. Finally, you should remotely monitor what users do with the files on USB flash drives they borrow from you. Before you give one to a user, you should set the password, usable period, usable IP bandwidth, and user rights. When a USB flash drive is lost or stolen, you can remotely destroy its data or block access to them. When using a USB flash drive offline, you should save its usage logs and transfer them through the network when you return to online use. You should also manage user rights and usage for offline users.

Secudrive prepares its USB solutions to meet the four basic requirements for USB security. It equips all its USB flash drives with AES-256 encryption chips, so only users who know the passwords can access them, and all their files can be transparently encrypted by the chip every time a file is storing on the drive. Secudive can preinstall the Trendmicro malware module for USB security to prevent malware infection by client request. The antimalware module can automatically update when a USB flash drive connects to the Internet. Secudrive USB Office and CAD make it possible to protect users from unauthorized copying, printing, screen-capturing, and network-transferring various Office and CAD files. Finally, Secudrive USB Management Server enables administrators to manage security policies—including user rights—and monitor file-activity logs remotely.

Categories
Blog USB Sescurity

How to Protect a File on a USB Flash Drive from Being Copied

We are usually nervous when we hand over sensitive files to an employee who recently started, one who may soon quit the job, or a partner whom we have been working with for only a month. If a sensitive file contains a new product design or a proposal for a big bid that our company spent considerable money and time to develop, that file is vital for company survival. We may also be anxious when we have even a trustworthy employee, whom we have worked with for a long time, carry the file outside of the office.

We usually use a USB flash drive to manually carry files due to the following reasons: 1) the data file size is too large to send via email, 2) the public cloud or a file transfer service is not as secure as our on-premises storage or service, and 3) a sender wants only the appointed person to handle the files. Thus, we send a trustworthy employee with a USB flash drive containing crucial files to someone to manually retrieve, and we pray that the files will not be breached; however, a USB flash drive is small and can easily be lost or stolen. Moreover, we cannot be assured that a USB flash drive is not intentionally or unintentionally given to an unauthorized person when carried out of the office.

When we ask how to protect a sensitive corporate file on a USB flash drive from being copied, many IT pros first recommend encryption. An encrypted USB flash drive can protect the content—if the USB flash drive is lost or stolen—from a person who doesn’t know the password. General USB flash drives can be encrypted using USB flash drive encryption software. There are encrypted USB flash drives with a physical keypad or embedded with an encryption chip.

But what if a person who knows the password copies a file from the USB flash drive and pastes it to some unauthorized storage or gives the USB flash drive with the password to an unauthorized person?

When we ask about it, some IT professionals say, “That’s not the job of IT. HR should have hired trustworthy employees. And if you are worried about it, you can get employees’ signatures on a non-disclosure agreement (NDA) when they are hired.” Employees who were trustworthy when they were hired can change. They may develop a grudge against their boss or company, or they could get in personal financial trouble and need money. Of course, NDAs can make employees hesitate before performing any wrongdoing; however, at the decisive moment many people “forget” that they signed an NDA when they were hired. Once the data is breached, NDAs cannot save a company, and a company may be awarded significant financial damages in court that an individual cannot indemnify. Worst case scenario: a company can go out of business because of a breach in security.

Finally, someone says, “You cannot protect any file on a USB flash drive from being copied if somebody can see the file, because he or she can write down the content on paper, take photos, or record a video.” This means technology cannot protect you from a data breach. And, what about the security solutions that we are using? Those “analog attacks” are the slowest, most difficult, and most incorrect ways to breach data.

Locking a door cannot completely prohibit all thieves from opening the door without a key, but it can take more time for thieves to open or destroy the lock. The time could result in thieves being caught, hesitating to break in, or giving up before they attempt to break-in. That is the purpose of locks. Similar to how we don’t open a door because there is not a perfect lock for every thief, we should not give up on technological security safeguards for a data breach because we cannot protect from analog attacks.

Meanwhile, if the sensitive information can be copied by analog attacks, the information should be kept in the founder’s brain. Then that would not be a job of IT.

However, Secudrive USB solutions provide a clear, easy way to protect sensitive files on a USB flash drive from being copied. Secudrive USB Office and CAD edition are secure USB flash drives equipped with encryption chips. These chips make it possible for users to securely read and write Office and CAD files on the secure USB flash drive while protecting the files from being copied, printed, screen-captured, and/or network-transferred. They also record all user activity. Secudrive USB Management Server enables an administrator to manage the USB flash drives and user rights and to monitor file activity logs through the Internet.

Categories
Blog USB Copy Protection USB Sescurity

Data Breach Risk Caused by Contractors

Many companies hire contractors when they consider a job to be of secondary importance to their business and need short-term labor or high-quality professionals for a specific job. A contractor, for the purposes of this blog, can be a freelancer, consultant, third party, or business partner who is hired from outside of a company. Hiring a contractor is a big deal in terms of information security, even though it is common knowledge that it is a good way for companies to maximize organizational flexibility and cut costs.

In recent news, Target agreed to pay USD 18.5M to settle claims by 47 states and the District of Columbia and to resolve a multistate investigation into a massive data breach in late 2013. Target said the total cost of the data breach was USD 202M as of May 2017, and it had not yet been finalized. The breach began at the PC of an employee of a third party who was responsible for maintenance of Target’s HVAC. A hacker accessed the PC and installed malware—the PC did not have anti-malware software. The hacker spied on the connection between the PC and Target’s system, finally gaining access to Target. The hacker stole the credit and debit card information of as many as 40M shoppers.

In another breach, the episodes of “Orange is the New Black,” a popular television show on Netflix, were released to the public by a hacker before Netflix’s official release this spring. Larson Studios, a third party for Netflix, had the files to conduct audio postproduction. A hacker attacked the third party, which was not fully equipped with a security system, to gain access to the files. The hacker then asked Netflix and Larson Studios to pay a certain amount of money within a certain timeframe or else the hacker would release the files to the public. Netflix and Larson Studios rejected the proposal, so the hacker released the files. In conclusion, many episodes of the new season in which hundreds of millions of dollars had been invested, was released before commercialization, resulting in tremendous consequences for Netflix. Many security professionals have pointed out that third parties in Hollywood have very vulnerable information security systems and this kind of data breach will continue to be in the future.

Finally, Edward Snowden’s Case should not be overlooked in examining this issue. Snowden, an employee of a third-party contractor with The National Security Agency(NSA), gained an access right to servers during his job. He put about 1.7 M top secret documents onto an unauthorized USB flash drive, carried it out of his workplace, and released the sensitive files to the public. Even though Snowden was determined a whistle-blower for the public interest, it was a damaging data breach by an NSA contractor.

The reasons for the above three data breaches are different, so the countermeasures against them should be different as well. However, it is apparently more difficult for an organization to prevent a data breach involving a contractor than a regular employee for the following basic reasons: 1) contractors might have less loyalty to the organization than employees do; 2) contractors cannot obtain regular information security education as easily as employees can; 3) contractors’ information systems cannot be easily treated as parts under organizational information security systems and cannot be managed and monitored as strictly as an in-house system; 4) contractors are sometimes temporarily allowed to gain access to the in-house system, and they often keep their access even when the work is completed.

Nonetheless, it is important to note that unstructured data, such as business files and drawing files that are used by contractors, have not been managed securely enough, whereas organizations usually manage access/rights very strictly when a contractor is granted access to structured data, such as a database storing millions of customers’ information. The sensitive files of the organization can be sent or copied to contractors’ laptops and servers without any restriction, and the organization often has no idea how secure files are managed by contractors. Thus, there are huge blind spots in information security that can cause a great disaster.

Our next blog will demonstrate how to prevent a data breach by utilizing Secudrive solutions, especially when an organization cooperates with contractors. Secudrive solutions can allow workplaces to cooperate by making it possible to safely store, deliver, and manage sensitive unstructured files in separate devices from the in-house system.

Categories
Blog USB Copy Protection USB Sescurity

How to Remotely Manage USB Flash Drives

If you store your files on a USB flash drive, you can update them and share them with others using any computer, anywhere. This is why many organizations decline to take the USB ports off their employees’ computers, even though USB flash drives are responsible for many data breaches. As long as an organization continues to allow employees to use USBs, however, these flash drives should be vigorously managed in terms of information security.

Think about an unintended data breach caused, for example, by a lost USB flash drive storing electronic personal health information. Perhaps encrypting USB flash drives can be enough to prevent unauthorized access to the data on them. Consider the Snowden Case, in which an insider maliciously moved an organization’s sensitive data to a USB flash drive in order to hand it over to an improper person. To avoid such cases, you must adopt copy-protected USB flash drives that allow an administrator to manage users’ rights for copy, network transfer, print, and screen capture.

Secudrive USB Management Server makes it possible for an organization to remotely manage scattered USB flash drives to prevent data leakage, either as a result of employees’ malicious intentions or by mistake. Its major features are as follows:

  • Asset management: USB flash drives can be registered. All information on flash drives, such as the USB type, user, group, security policy, and serial number, can be viewed.
  • Password management: It is possible to set rules for passwords, including minimum length, a minimum number of digits and upper-case letters, and maximum failed trials. Flash drives can be locked, and data in them can be destroyed when the maximum number of trials is exceeded.
  • Usage management: A USB flash drive can be used only with pre-authorized computers. It is possible to manage usage expiration date, a maximum number of logins, a maximum idle time before log out, usage policy when offline, and other settings.
  • Digital rights management(DRM): It is possible to manage users’ rights to copy, print, screen capture, and network transfer. Compatible applications and accessible networks (IP, port, and URL) can be whitelisted. It is possible to prevent the creation of autorun.inf.
  • File management: Maximum file activity log size can be set. Files imported from and exported to other devices can be encrypted and backed up. Files with particular extensions can be blocked or allowed. Files can be distributed to USB flash drives remotely.
  • Log management: It is possible to monitor detailed usage logs such as IP access, access time, and file activities (create, view, modify, save, copy, print, network transfer, screen capture, and delete).

Secudrive USB Management Server is compatible with Secudrive USB Basic+, Secudrive USB Office+, and Secudrive USB CAD+. Secudrive USB Basic+ is a hardware-encrypted USB flash drive with an encryption chip that does not support DRM-related features. Secudrive USB Office+ and Secudrive USB CAD+ are also hardware-encrypted USB flash drives to which DRM features have been added. Secudrive USB Office+ prevents data leakage from business files such as Microsoft Office files, whereas Secudrive USB CAD+ does the same for CAD files such as those from AutoCAD and CATIA.

Organizations have their reasons for using USB flash drives. Secudrive USB Management Server makes it possible to remotely manage them to prevent data breaches of every kind.

Categories
Blog USB Copy Protection

Updating Content on USB Flash Drives After Distribution

CD/DVD is still one of the most popular mediums for content distribution because it is cheap, convenient to produce and easy to handle and deliver for content producers. In comparison to streaming and download services, a CD/DVD does not require an authentication process through e-mail or an internet connection. This technology makes it so that only people who own the physical CD/DVDs can access their content.

However, if the content on a CD or DVD needs to be regularly (or irregularly) modified, CD/DVD is not a good medium for content distribution because you will have to redistribute a new CD/DVD every time the content is changed. You should prepare new physical CDs/DVDs again, burn new content to them and redeliver them to hundreds or thousands of users. That is time consuming and may cost a lot of money. In addition, if you have to keep integrity of data, you’ll have trouble of ensuring that only the newest content is used by recipients after each redistribution.

A streaming/downloading service is also not a good option if (a) internet connection is not guaranteed among users, (b) the file size is large and/or there is not enough network bandwidth to properly deliver it to users, (c) the content is so sensitive that producers need to mitigate the risk of unauthorized access (d) users may not be familiar enough with the Internet-service environment to use a streaming or downloading service.

In any case, Secudrive USB Copy Protection is an effective alternative.

Secudrive USB Copy Protection makes it possible for media producers to set up a URL for clients to download updated content that was previously distributed on a USB flash drive. If you have to update content after the first distribution Secudrive USB Copy Protection makes it so that you only have to upload the new content to a folder and then register the content folder. Secudrive USB Copy Protection automatically compares the content to the original and creates a kind of encrypted .zip file. After you upload this updated file, it is downloaded and updated automatically when you plug the original USB flash into any PC connected to the Internet. Because only the modified files are updated in this situation, Network traffic is minimized

Furthermore, this system makes it so that specific USB flash drives can be prohibited from using the content, or specific USB flash drives can be completely wiped remotely using the update feature. You can also check whether or not a specific user has updated the content.

The bottom line is that Secudrive USB Copy Protection is a copy-protection solution that distributes content through USB flash drives. It can set password access, block access or wipe all the content on a USB flash drive if an incorrect password is used a certain number of times. You can set an allowable period of time in which users can access the content on the flash drives or specify a maximum number of logins. In addition, it allows you to white-list which applications users can access, and you can prevent printing, screen capture, network transfer or copying of the content on the USB flash drives. All these features make Secudrive USB Copy Protection an ideal solution for those needing to exercise maximum control over distributed content.