WIRE
Buying encryption?
Five good questions to ask before you do
P
ersonal data protection act
(PDPA), together with the
growing number of data
breaches are the most pressing
reasons why small and medium businesses
are implementing data protection
technologies including encryption.
However, with limited time and the
market flooded by various products, it can
be a difficult task for companies owners
and decision-makers to find the right fit
for their needs.
If you are faced with the decision
yourself, avoid pitfalls in selecting
an encryption product by asking the
following questions:
1. Which laptops present the
greater risk: On-site or off-site?
This might seem like a pointless
question with an obvious answer;
systems are more liable to theft when
away from the office. But making this
distinction and keeping it in mind is the
right place to start and when you have
settled on a solution, be sure to test
its effectiveness at managing problem
scenarios for your remote users.
40
SEPT 2017
2. Does the encryption system suit
the needs of your IT department
for full remote control of off-site
endpoint encryption?
All major endpoint encryption
products offer the means to manage
remote systems, but look carefully
at the requirements. Most need
either an open incoming connection
to a demilitarised zone (DMZ) on
your server, or a VPN connection.
All involve a higher level of IT skills
that can add additional costs and,
in order to function, may require the
user to initiate the connection; not
much use with a rogue employee or
stolen laptop.
A well-designed product will
give you the remote management
necessary without creating
additional security problems,
requiring specialist knowledge, or
adding expense to the project.
3. Why is this important?
Being able quickly to vary security
policy, encryption keys, features and
operation of endpoint encryption
remotely, means that your default
policy can be strong and tight.
Exceptions can be made only when
and where they are needed, and
reverted just as easily. If you cant do
this youll be forced to leave a key
under the doormat, just in case
tearing holes in your policy before
deployment is complete.
4. Does the solution allow remote
locking and wiping of keys from
laptops?
The answer might be crucial if a
company computer with full-disk
encryption gets stolen while in sleep
mode or with the operating system
booted up. Its even worse if those
systems come with the pre-boot
password affixed on a label or tucked
in the laptop bag. If a remote lock or
wipe function is not available, then
the system is either unprotected or
secured only by the OS password,
with the encryption being bypassed
in either case.
Similarly, it is important to
know whether the solution has
 been designed to accommodate
the typical use cases that would
otherwise unravel a well-designed
security policy.
5. Does the solution secure
removable media without having
to whitelist each item?
With an array of writeable devices
that people use for their everyday
work, it is almost impossible for the
admins to whitelist each and every
one of them, and decide whether its
permissible to read from, write to, or
not access the device at all.
It is much easier to set a file-
level policy distinguishing between
files that need encryption and
those that dont and keep these
protected every time they move from
workstation or corporate network to
any portable device.
In other words, if you connect
your own USB stick, it wont force
you to encrypt your private data;
anything coming from the company
system, however, will be encrypted
without the keys being held on
your device. It is a simple idea, but
one which makes any device safe,
without the need for whitelisting.
The security was there a long
time ago; what will make or break your
deployment is flexibility and ease of use.
In the end, you need to figure out if the
solution you want to use is easy to deploy.
If the setup of the solution takes
hours or even days and needs additional
tools for its operation, it might cause new
headaches for company sysadmins and
create new security risks. Aim for an easy-
to-deploy solution that doesnt require
advanced IT expertise and preserves both
finances and your human resources. If
the user experience mirrors that easy
deployment, then IT staff wont be
further taxed by user lockouts, lost data
and other frustrations.
All validated, commercial encryption
products have been more than strong
enough for many years, yet a significant
proportion of the recorded data Reading the case notes for these
breaches involving lost or stolen incidents reveals that being able to fit the
laptops and USB drives happened to solution to your environment, working
organisations who had bought and practices and making encryption easy for
deployed encryption products. everyday users as the real challenges.
About ESEt tEchNology:
ESET Endpoint Encryption
Simple and powerful encryption for organisations of all sizes allowing you to
safely encrypt hard drives, removable media, files and email. Hybrid-cloud based
management server provides full remote control of endpoint encryption keys and
security policies.
NEWS
Google pays $10,000 for students bug
Google has rewarded a Uruguayan student with $10,000 after he exposed a
security flaw that could allow hackers to access sensitive data. Ezequiel Pereira
discovered the vulnerability in Googles App Engine server after changing the
Host header in requests to the server using Burp.
The high-school student explained in a blog post, I was bored, so tried to
find some bug at Google. Following several failed attempts, he managed to gain
access to an internal webpage that did not check his username or require any
other security measure.
88% feel vulnerable to data threats
Organisations are increasingly aware of the threat posed by data breaches,
according to Thales 2017 Data Threat Report. A remarkable 88% of respondents
also admitted to feeling vulnerable to threats, with 9.1% feeling extremely
vulnerable. This is significantly higher than the number actually experiencing
data breaches.
PlayStation social media accounts briefly hacked
Sony became the latest entertainment company to suffer at the fingertips of
hackers after their PlayStation social media channels were temporarily hacked
recently. A group called OurMine claimed credit for the compromise that targeted
the companys Facebook and Twitter accounts. Sony quickly regained control of
the accounts but not before the hackers had posted a series of messages on the
social media accounts.
Read more about these and other security news at: www.welivesecurity.com
41
SEPT 2017