Sean Glynn, Credant Technologies: Do You Speak 2010 Geek? If Spanish is the new French where does that leave Geek?

March 2010 by Sean Glynn, VP Director of Product Marketing of Credant Technologies

The IT security industry loves its acronyms; why is anyone’s guess – maybe it’s a speed thing, perhaps it’s the whole idea of writing code or of overcoming language barriers, I’ve even heard “it’s to do with saving bandwidth”, whatever! What I do know is that it’s confusing for those on the outside to keep up when the IT crowd are in full flow – a typical discussion would be ‘what’s the difference between SED and FDE and which is better?’ If you found yourself rewording the question to ‘what is…’ then read on – I’m going to give you a sneak peek inside the mind of a geek.

Today, every business utilises technology in some form. However, this miracle of science has a split personality – one side is a silent evil slashing an enterprise’s artery and haemorrhaging sensitive data, whilst the other is a white knight reversing the tide and stemming the flow of bad blood generated with each data breach.

WIIDWID?

So let’s begin with why IT is doing what it’s doing. First is the realisation that it’s not alone in its penchant for acronyms; regulators have an affection for them too, resulting in common ground between the board room and the IT domain, with compliance a significant driver for both:

DPA – The Data Protection Act 1998 is a UK Act of Parliament and the main piece of legislation that governs the control and protection of personal data.

PCI DSS – The Payment Card Industry Data Security Standard is a worldwide information security standard created to prevent credit card fraud through increased controls around data and its exposure to compromise.

HIPAA – The Health Insurance Portability and Accountability Act of 1996 is a set of US federal standards that requires healthcare organisations to implement security standards that protect (and keep up to date) patient data and to standardise on electronic data interchange.

SOX – The Sarbanes-Oxley Act of 2002 is a US federal law. The bill was enacted as a reaction to major corporate and accounting scandals. It covers issues such as auditor independence, corporate governance, internal control assessment and enhanced financial disclosure.

WATDIW?

Okay, that’s why, so the natural progression is what are they doing it with?

FIPS 140-2 – a U.S. government computer security standard used to accredit cryptographic modules. It defines four levels of security, simply named "Level 1" to "Level 4"; however, it does not specify in detail what level of security is required by any particular application, so accreditation should not be considered a guarantee that the product is secure.

Common Criteria – a framework in which users can specify their security functional and assurance requirements, vendors then implement and/or make claims about the security attributes of their products, and testing laboratories evaluate the products to determine if they actually meet the claims. As with FIPS, a product being Common Criteria certified does not necessarily mean it’s completely secure.

The Cloud – describes a new supplement, consumption and delivery model for IT services over the Internet.

Keylogging – tracking the keys pressed on the keyboard in a covert manner to steal passwords, banking details, etc. Previously a piece of malware, it now also comes in hardware instances – for example a keyboard that looks legitimate – so this is a diversifying threat.

DLP – data loss prevention refers to systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection, contextual security analysis of transactions, and a centralised management framework.

Encryption – the conversion of data into a form that cannot be easily understood by unauthorised people. Decryption is the process of converting it back to its original form.

FDE – Full Disk Encryption does what it says on the tin, using disk encryption software to encrypt every bit of data that goes on a disk or disk volume (excepting the Master Boot Record, which most FDE solutions leave unencrypted).

SED – a Self Encrypting Drive is a hard drive based on the Trusted Computing Group’s specifications. It can lock down data automatically in less than a second and can be immediately and completely erased in milliseconds. SEDs are easily deployed, managed cost effectively and interoperable across PC platform types. It is an emerging technology, so watch this space to see if it delivers.

BitLocker Drive Encryption – a full disk encryption feature included with the Ultimate and Enterprise editions of Microsoft’s Windows Vista and Windows 7 desktop operating systems, as well as the Windows Server 2008 and Windows Server 2008 R2 server platforms. It’s designed to protect data by providing encryption for entire volumes.

U3 enabled – U3 Smart Drives are regular USB flash drives with a twist. Programs can be installed on them that launch independently of the machine they’re inserted into, and the data from those programs travels on the device – leaving nothing behind. Whilst beneficial in the fight against data leakage, it has a malicious persona – for example, if it’s preloaded with malware and plugged into a logged-on PC it could inject a virus into the system that is untraceable.

Black List – a list or register of items that, for whatever reason, are denied a particular privilege, service, mobility, access or recognition.

White List – similar to a black list, but instead of denying you stipulate which items are accepted, so from a security perspective it’s easier to build up than to eliminate backwards.
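To make the "build up rather than eliminate backwards" point concrete, here is an added example (not from the article or from Credant) comparing the two policies over a few constructed USB plug-in events, including the U3 drive and look-alike keyboard mentioned above; every vendor and product identifier is a placeholder, not a real USB ID.

```python
"""Deny list ("black list") versus allow list ("white list") for USB device control.

Added illustration, not code from the original article or Credant. Device
descriptors and policy entries are constructed placeholders, not real USB IDs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UsbDevice:
    name: str
    vendor_id: str    # constructed placeholder, not a real VID
    product_id: str   # constructed placeholder, not a real PID


# Black list: only the devices IT has already identified as dangerous.
DENY_LIST = {("vid-evil", "pid-u3-autorun")}

# White list: only the company-issued devices IT has approved.
ALLOW_LIST = {("vid-corp", "pid-encrypted-stick"), ("vid-corp", "pid-std-keyboard")}


def deny_list_allows(dev: UsbDevice) -> bool:
    """Default-allow: anything not explicitly black-listed is admitted."""
    return (dev.vendor_id, dev.product_id) not in DENY_LIST


def allow_list_allows(dev: UsbDevice) -> bool:
    """Default-deny: only explicitly white-listed devices are admitted."""
    return (dev.vendor_id, dev.product_id) in ALLOW_LIST


# Constructed plug-in events: an approved stick, a known-bad U3 drive, a brand-new
# U3 drive nobody has seen before, and a look-alike keyboard with a logger inside.
PLUGGED_IN = [
    UsbDevice("corporate encrypted stick", "vid-corp", "pid-encrypted-stick"),
    UsbDevice("known U3 autorun drive", "vid-evil", "pid-u3-autorun"),
    UsbDevice("new U3 drive, unknown vendor", "vid-unknown", "pid-u3-v2"),
    UsbDevice("look-alike keyboard (keylogger)", "vid-clone", "pid-kbd"),
]


def compare_policies(devices=PLUGGED_IN) -> dict:
    """Map each device name to (admitted by black list, admitted by white list)."""
    return {d.name: (deny_list_allows(d), allow_list_allows(d)) for d in devices}


if __name__ == "__main__":
    for name, (black, white) in compare_policies().items():
        print(f"{name:35} black list: {'allow' if black else 'block':5}  "
              f"white list: {'allow' if white else 'block'}")
```

The two unknown devices sail past the black list, which only knows what has already been caught, while the white list blocks them by default and admits only the one device IT actually issued.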

SAM Database – the Security Accounts Manager database, used by Windows (and possibly other OSes), manages user accounts. It’s implemented as a registry file that is locked for exclusive use while the OS is running. Even if its contents were discovered by subterfuge, the keys are encrypted with a one-way hash, making it difficult to break. Some versions have a secondary key, locking the encryption to that copy of the OS.

TPM – Trusted Platform Module offers facilities for the secure generation of cryptographic keys, and limitation of their use, in addition to a hardware pseudo-random number generator. It includes capabilities such as remote attestation and sealed storage.

Acronyms may be confusing, but they are not designed to make the user sound superior; they’re just an industry idiosyncrasy, and we all have them. However, the threat against data is serious and we mustn’t let language cause a misunderstanding that thwarts our efforts – after all, it’s not a necessity, it’s a requirement.
