In yet another laptop data breach incident, Riverside County Regional Medical Center in Riverside, California reported that a laptop containing Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”) for about 7,900 patients went missing in December 2014. According to a letter filed with the California State Attorney General, the potentially exposed PII and PHI may have included Social Security Numbers, demographic information (such as name or date of birth), medical record numbers, diagnoses, treatments, and other medical information. Ironically, breaches involving laptops are highly preventable with the use of encryption technology.

Encryption is the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties. To read the data, you need a key or password to decrypt it. Crucially, under the California Breach Notification Law SB 1386, and most other state breach notification laws, the fact that lost data was properly encrypted avoids the need for public notification.

It’s therefore highly important to confirm that any device in use by an organization is actually encrypted.

Encryption typically operates in the background

On laptops or desktops, installed encryption products typically function in the background. For example, a billing analyst using an encrypted desktop may interact with billing software, Microsoft Excel and email throughout a business day to complete work. This analyst may only encounter encryption while logging in at the beginning of the day and may not realize encryption is present. While some products such as Microsoft BitLocker display a lock symbol next to a drive icon to indicate the presence of active encryption, most encryption products bury the status of encryption in an operating system menu or within the software itself. Determining whether encryption is present and whether it is active are two distinct steps, each requiring knowledge of the computer’s operating system and the ability to search the computer.

BitLocker Enabled in Microsoft Windows

How to Tell Whether Encryption is Present?

Ideally, encryption should be installed so that it protects an entire hard drive (“whole disk encryption”) rather than only specific folders or email (“file-level encryption”). In newer computers, encryption is often integrated into the operating system (such as the encryption products built into Apple’s new operating system Yosemite or Microsoft’s Windows 7 and up). Encryption may be set up to install by default (i.e., a user has to de-select encryption during computer setup).

1. Determine the version of operating system (“OS”).

OS Type: Microsoft Windows 8.1

OS Type: Apple OSX Versions

2. If native OS encryption is available, locate built-in encryption and review status.

  • Windows. In computers running Microsoft Windows 7 Ultimate and Enterprise (as well as Windows 8 versions), BitLocker encryption is installed and provides whole disk encryption capability. There are caveats to the use of BitLocker (such as configuration with or without hardware-level encryption), but the presence of BitLocker can be confirmed by searching for BitLocker in the Control Panel. More details are available at http://windows.microsoft.com/en-US/windows7/products/features/bitlocker.

Windows with BitLocker Activated

  • Apple. In Apple computers, FileVault 2 provides whole disk encryption capability. To determine the status of FileVault 2 whole disk encryption in Apple Yosemite, go to the Security & Privacy pane of System Preferences. In older Apple OSX versions with the original FileVault, encryption is limited to a user’s home folder rather than the whole disk. More details are available at http://support.apple.com/en-us/HT4790.


Apple OSX FileVault 2 Menu

3. Look for a third-party application.

There are several third-party software applications that provide whole disk encryption (examples listed below). These applications can be found by searching a computer’s installed applications. To determine whether encryption is active, the application will need to be opened and reviewed. Many encryption applications will use a visual symbol or term such as “active” to indicate that encryption is functioning. (For a comparison of encryption products, review the following discussion: http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software.)

Software                                            Windows     Mac OSX

1. Built into Operating System (“OS”)               BitLocker   FileVault 2
2. Third-Party Software Products
   Symantec PGP                                     X           X
   Dell Data Protection Encryption (DDPE)           X           X
   Check Point Full Disk Encryption Software Blade  X           X
   Pointsec (Check Point)                           X
   DriveCrypt                                       X

  • Finding third-party software on a Windows computer.

i. Locate and open the Control Panel by clicking on the Start menu (not available in Windows 8) or using Windows search. (To learn more about the Control Panel, refer to the link http://support.microsoft.com/search?query=control%20panel.)

Windows Search

ii. Navigate to the Programs section of the Control Panel.

Windows Select Programs Section

iii. Click on Programs and Features.

Windows Select Programs and Features

iv. Scroll through the installed software applications to determine whether third-party encryption software is installed.


Windows Review Installed Programs

  • Finding third-party software on an Apple computer.

i. Apple computers are configured with Spotlight — an Apple-native search utility that catalogues and organizes content. (See the following URL for information on Spotlight: http://support.apple.com/en-us/HT204014.)

ii. Spotlight can be found by clicking on the magnifying glass symbol in the upper right-hand corner of Apple’s menu bar.

iii. Enter the name of the third-party software into the Spotlight search box and review search results. (See the “quicktime” search example in the screenshot below.)


Apple Spotlight Search

Caution with the Use of Encryption

  1. User Versus IT (Information Technology department) Installation.

    In Apple FileVault 2 user guidance, three scenarios are identified for the installation of encryption — IT only, user with IT support or user only. These scenarios apply to the installation of any encryption and software product. While it is less expensive to have end users configure devices, encryption is the type of activity that can render a laptop useless if improperly deployed. As a rule of thumb, IT should direct installation and configuration of encryption to protect corporate assets.

  2. Properly Set Up Users.

    When encryption is deployed, there is often a requirement to set up “approved” users for access. If a user is not set up, then access is denied. If IT does not have user-level access, then IT may be locked out.

  3. Key Control.

    IT should maintain control of encryption keys. IT should have keys for each device with deployed encryption. Further, all encryption keys should be backed up to a source NOT controlled by IT. With tight control over access to encryption keys, an organization minimizes the chance that encryption will lock it out of its own corporate assets. Providing IT with access to each computer’s encryption keys also prevents a disgruntled employee from locking an organization out of its own computers.

  4. Fully Document IT Encrypting Devices.

    If a device is lost or stolen, it may be crucial to prove that the device was encrypted in order to avoid the need for a costly notification of any persons whose PII has been compromised. Make sure that IT has fully documented the encryption process and specific serial numbers of devices so protected.

  5. Don’t Forget Other Sources Such as Cloud Applications.

    Document and control cloud data storage of corporate assets. For each computer where cloud-based applications are running (including email), digital assets should be evaluated as to whether encryption is required locally and in the cloud. Many cloud storage applications offer encryption for stored data and data being transmitted.
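The FileVault status check in step 2 and the device documentation called for in caution 4 can be combined on a Mac into a single evidence record. The following script is an added example, not part of the original article: it classifies the text printed by fdesetup status, extracts the encryption percentage, and writes one CSV line per machine including the hardware serial number; fdesetup, sw_vers and system_profiler are standard macOS tools, while the CSV layout and function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original article: inventory a Mac's FileVault 2
# status together with its hardware serial number, producing one CSV line per
# machine that IT can keep as evidence that a later-lost laptop was encrypted.
# Assumes macOS with the standard fdesetup, sw_vers and system_profiler tools.

# Map the text printed by `fdesetup status` to a single state word.
# Only "on" means the whole volume is encrypted; a drive still encrypting
# (or being decrypted) does not yet protect the data on it.
filevault_state() {
    case "$1" in
        *"Encryption in progress"*) echo "encrypting" ;;
        *"Decryption in progress"*) echo "decrypting" ;;
        *"FileVault is On."*)       echo "on" ;;
        *"FileVault is Off."*)      echo "off" ;;
        *)                          echo "unknown" ;;
    esac
}

# Pull the "Percent completed = NN" figure out of the status text, if any.
# Prints 100 for a fully encrypted volume and 0 when FileVault is off.
filevault_percent() {
    case "$1" in
        *"Percent completed = "*)
            echo "$1" | sed -n 's/.*Percent completed = \([0-9][0-9]*\).*/\1/p' | head -n 1 ;;
        *"FileVault is On."*) echo 100 ;;
        *) echo 0 ;;
    esac
}

# Build the CSV evidence record: host,serial,os_version,state,percent,protected
# "protected" is yes only when the whole disk is fully encrypted.
inventory_record() {
    ir_host=$1; ir_serial=$2; ir_os=$3; ir_status=$4
    ir_state=$(filevault_state "$ir_status")
    ir_pct=$(filevault_percent "$ir_status")
    if [ "$ir_state" = "on" ]; then ir_protected=yes; else ir_protected=no; fi
    printf '%s,%s,%s,%s,%s,%s\n' "$ir_host" "$ir_serial" "$ir_os" "$ir_state" "$ir_pct" "$ir_protected"
}

# Collect live values when run on a Mac; elsewhere only the helpers are defined.
if command -v fdesetup >/dev/null 2>&1; then
    serial=$(system_profiler SPHardwareDataType | awk -F': ' '/Serial Number/ {print $2; exit}')
    inventory_record "$(hostname)" "$serial" "$(sw_vers -productVersion)" "$(fdesetup status)"
fi
```

Append the output of each run to a central inventory file so the record of which serial numbers were encrypted, and when, exists before a device is reported lost.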

Other References

Hackers hit health insurer Anthem in ‘sophisticated’ attack


Millions of customer and employee records reportedly affected.

Feb 05, 2015 | By Patricia L. Harman

“Given the reported size and, more importantly, the extent (covering all business lines) it seems clear this was more than one server or database,” said Winston Krone, managing director of Kivu Consulting. “We may find that, like Sony, the hackers had time to navigate round the network (and sub-networks), possibly jumping between units. Consumers should assume nothing until the extent of the breach becomes clearer as the press releases today will be updated. The size will grow and it will be very likely that medical records have been [affected]. The question will be whether such additional compromise is limited to specific business units of Anthem.”

Krone offers this advice for all insurers concerning the protection of customers’ information. “Other insurers need to look at their entire networks which have grown with mergers and acquisitions, often without central security oversight and planning. One poorly protected network added to a larger organization will be the weak link in the chain. This may have been the cause of the Anthem breach.”


Within the past year, Kivu has seen several malware trends emerging, including exploitation in widely used software applications (Heartbleed, Bash, and Shellshock), cycles of ransomware and destructive malware (Master boot wiper, HD wiper), and an increase of rootkits, botnets and traditional drive-by malware. In 2015, we expect to see new malware trends, including an increase in social engineering (attack the weakest link), exploitation of identified security flaws in newly developed mobile payment applications, exploitation of cloud SharePoint systems, and the continuation of exploitation of traditional Point of Sale (POS) credit card systems. Kivu also expects an increase in exploit kits for all types of mobile devices and traditional devices that contain diverse functionality.

Following is what Kivu recommends that companies do to help secure their systems and data.

Protecting Your Computer Environment Against Malware

To protect your environment, Kivu recommends a strength-in-depth approach, coupled with segmentation of sensitive data. Segmenting your network environment adds an additional security layer by separating your sensitive traffic from other regular network traffic. Servers holding PHI, PII or payment card (PCI) data should be segmented from the backbone and WAN. A separate firewall should protect this segmented data.

Ensure that your firewall is fine-tuned and hardened, and that vital security logs are retained for at least 2-3 months. Conduct regular external and internal network vulnerability scans to test your security perimeter and detect vulnerabilities. Remediate these security flaws in a timely manner.

Perimeter protection devices require regular maintenance and monitoring. Ensure that your ingress/egress protection devices (IDS/IPS) are monitored in real time to detect malicious network traffic.

Be sure to maintain and update your software and system applications on a regular basis to eliminate security flaws and loopholes. Verify that all security applications within your environment are fine-tuned and hardened and that security logs are maintained. Review your security logs on a regular basis to ensure that logging is enabled and that valid data is being captured and preserved for an extended time period without being overwritten.

Remote Access Considerations

Kivu recommends limiting and controlling remote access within your environment with two-factor authentication. Create a strong password policy that includes changing passwords frequently and eliminating default passwords for systems and software applications that are public facing.

For outsourced IT services, make sure your data security is in compliance with the latest standards and policies. Verify on a regular basis that all third-party vendors follow the outlined security policies and procedures. Eliminate account and password sharing and ensure that all third-party vendors use defined and unique accounts for remote access.

Securing Vulnerable Data

Protecting your data is not only the responsibility of Information Security; it is everyone’s responsibility to do their part to keep your environment safe and secure. Encrypt, protect and maintain your critical data. Upgrade older systems when possible and verify that sensitive data is encrypted during transmission and data storage. Manage and verify data protection with all 3rd party vendors.

About Kivu

Kivu is a licensed California private investigations firm, which combines technical and legal expertise to deliver investigative, discovery and forensic solutions worldwide. The author, Thomas Langer, EnCE, CEH, is an Associate Director in Kivu’s Washington DC office. For more information about malware trends and what your company can do to better protect its environment and data, please contact Kivu.