I was at a security social gathering on Thursday last week. They now happen quarterly and are organised by Copperberg. Over a couple of hours I was thrown into deep discussions: first on network security at the hardware level, which seems a logical product for the cloud (check out SolarFlare), next on diodes in nuclear power plants, and finally on secure e-mail, which is not quite as boring as it sounds. In fact, quite the inverse!

SecureMailbox makes it very simple to set up secure communication between you and another person, e.g. your doctor, and it is made in Sweden. You don’t even need to create a special email address. Before I start sounding like free marketing for this product, check it out at the link above.

I got some energy from these 2 hours and my brain received some food for thought. I am rather looking forward to next time…. hope to see you there too (FB link), if you are in Stockholm ;-)

Listen to Jennifer’s concerns on privacy and freedom of speech in 20 years’ time.

So it’s Monday morning and you need to get to the office, but you only have odd socks in your drawers. Where have the matching socks gone?

I have a theory that there are little people living under our houses who run around collecting ‘odd socks’, to save us from the error of becoming too predictable and symmetric. I call them “the Collectors”. They don’t only collect odd socks; they collect hair clips, pens, and, here is where the information security bit comes in, USB memory sticks, commonly referred to as ‘thumb drives’.

How else can we explain where our USB sticks disappear to? How many have you purchased or acquired in the last 10 years? Where are they now? Fortunately for us, “the Collectors” are not interested in what is contained within these little plastic sticks, so it really is not a concern to us security-conscious individuals. Or is it? It really is no big deal if you turn up at the office with odd socks; it has even become pretty cool nowadays. The memory sticks are trickier. How much data is stored on them, and is some of it personal data?

But what is personal data? This is difficult. Nowhere has a clear definition of personal data been stated, although Personally Identifiable Information (PII) and sensitive data have been defined. In the EU even an IP address is classed as PII. The problem is that data from different sources can be combined into identifying data, and that data could be sitting on one or more of your, or your employees’, memory sticks.

The new EU Data Protection Regulation, due out in December this year or possibly January 2016, will have the power to impose fines on companies that lose personal data. The figures circulating at the moment are between 2% and 5% of revenue for each data loss. In the public sector the fines will be fixed amounts. What this means is that when one of your employees loses a memory stick, your company is liable for the consequences.

So what’s the solution? Well, this is what is rather nice: it is simple when it concerns data stored on removable persistent storage, e.g. a memory stick.

  1. Ask all your employees to turn in their memory sticks;
  2. Destroy them, securely;
  3. Replace them with encrypted sticks that have a simple PIN code built in;
  4. Enforce the use of the encrypted sticks using the port-lock (device control) functionality found in most endpoint protection packages today, which is often not switched on;
  5. Log all data copied to and from USB devices.

This is not difficult to implement, and it is fairly inexpensive. This mitigation blocks one of the main channels/threat vectors for data loss in your organisation.
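As an added example, not code from the original post, the Python script below shows the monitoring side of steps 4 and 5 on a Linux endpoint: it correlates the kernel’s multi-line USB attach messages per bus path, ignores anything that is not mass storage, and flags any stick whose idVendor/idProduct pair is not the issued encrypted model. The approved model ID, the other vendor/product IDs and the log lines are constructed placeholders, not real product IDs or captured output. Blocking itself still has to come from the endpoint’s device control (or udev rules); this script only audits what was plugged in and would feed the log required by step 5.

```python
import re
from dataclasses import dataclass, field

# Hypothetical (idVendor, idProduct) pair of the approved hardware-encrypted stick.
# Placeholder: replace with the IDs of the model you actually issue.
APPROVED_MODELS = {("abcd", "0001")}

# These patterns follow the Linux usb core and usb-storage kernel log formats.
NEW_DEVICE_RE = re.compile(
    r"usb ([0-9.-]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})"
)
DESCRIPTOR_RE = re.compile(r"usb ([0-9.-]+): (Product|Manufacturer|SerialNumber): (.+)$")
STORAGE_RE = re.compile(r"usb-storage ([0-9.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    path: str                 # bus path such as "1-1" or "2-1.3"
    vendor: str               # idVendor, 4 hex digits
    product: str              # idProduct, 4 hex digits
    strings: dict = field(default_factory=dict)
    is_storage: bool = False  # set once usb-storage binds to one of its interfaces


def parse_kernel_log(lines):
    """Correlate the kernel messages for each attached USB device by its bus path."""
    devices = {}
    for line in lines:
        m = NEW_DEVICE_RE.search(line)
        if m:
            path, vid, pid = m.groups()
            devices[path] = UsbDevice(path, vid.lower(), pid.lower())
            continue
        m = DESCRIPTOR_RE.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)].strings[m.group(2)] = m.group(3).strip()
            continue
        m = STORAGE_RE.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)].is_storage = True
    return devices


def audit_storage_devices(devices, approved=APPROVED_MODELS):
    """One finding per mass-storage device: allowed only if its model is on the allowlist."""
    findings = []
    for dev in devices.values():
        if not dev.is_storage:
            continue  # keyboards, webcams, etc. are not the data-loss channel we care about
        findings.append({
            "path": dev.path,
            "model": f"{dev.vendor}:{dev.product}",
            "product": dev.strings.get("Product", "?"),
            "serial": dev.strings.get("SerialNumber", "?"),
            "verdict": "allowed" if (dev.vendor, dev.product) in approved else "BLOCKED",
        })
    return findings


# Constructed sample log (not captured from a real machine): an approved encrypted stick
# on 1-1, an unapproved promotional stick on 1-2, and a keyboard on 1-3 that must be ignored.
SAMPLE_LOG = [
    "[  101.120] usb 1-1: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 1.00",
    "[  101.120] usb 1-1: Product: EncryptedStick",
    "[  101.120] usb 1-1: SerialNumber: ENC000123",
    "[  101.125] usb-storage 1-1:1.0: USB Mass Storage device detected",
    "[  140.330] usb 1-2: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.10",
    "[  140.330] usb 1-2: Product: Promo Stick 8GB",
    "[  140.330] usb 1-2: SerialNumber: PROMO42",
    "[  140.335] usb-storage 1-2:1.0: USB Mass Storage device detected",
    "[  160.010] usb 1-3: New USB device found, idVendor=dead, idProduct=beef, bcdDevice= 2.00",
    "[  160.010] usb 1-3: Product: Keyboard",
]


def run_sample():
    """Audit the constructed sample log; returns two findings (1-1 allowed, 1-2 BLOCKED)."""
    return audit_storage_devices(parse_kernel_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['verdict']:8} {f['path']:5} {f['model']} {f['product']!r} serial={f['serial']}")
```

In production you would feed `parse_kernel_log` from `journalctl -k -f` or the audit log of your endpoint agent rather than a list, and ship each BLOCKED finding (bus path, model, serial) to your SIEM; the serial number is what lets you tie a later loss report back to a specific stick.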

You could of course just keep hoping that it is ‘the Collectors’ who have all of the mislaid memory sticks in your organisation. If I am right about that too…. but I wouldn’t believe me, if I were you ;-)

I love this initiative from Symantec. It is the BEST method I’ve come across so far to help us be better at avoiding phishing attacks. It’s fun…..try it yourself!

A warrant canary is a posted document stating that an organisation has not received any secret subpoenas during a specific period of time. If this document is not updated within the specified time, the user should assume that the service has received such a subpoena and should stop using the service. Read more at


Thanks to SecurityNow podcast, I found an amazing treasure-trove of privacy tools and advice at Check it out!

