Encryption: How Does Encryption Work

In this interview, Paul Herbka, VP of South Seas Corporation, based out of Colorado, USA, answers the question: “How does encryption work.”
He also helps to understand everything from file and data encryption to WEP Encryption, and talks about a variety of the software and security solutions available in the market today.
Take a listen to the interview, and/or read the transcript below.

Download this “How does Encryption Work Interview in MP3 Format”

The following is a presentation of IdentityTheftSecrets.com.
Identity Theft Secrets: This is Jonathan Kraft with IdentityTheftSecrets and we are fortunate today, we are here with Paul Herbka. Before we actually get into the interview, just to let you know a little bit about who Paul is; he’s actually the President of the Information Systems Security Association, the Denver Chapter of that. He’s also the Vice President for South Seas Corporation which is headquartered in Littleton and we’re going to talk a little bit about that. And he’s also certified as an Identity Theft Risk Management Specialist by the Institute of Fraud Risk Management. He holds the state contract for encryption in the state of Colorado, as well as Arizona. And I know that you’ve spoken at tons of conferences and a variety of different things just talking about all the different data security issues that people have.
So Paul, welcome to the call today! How are you?
South Seas VP (on encryption): Well thank you! I’m doing well Jonathan and I just appreciate the opportunity to share with people the information they need to know and help people become more secure.
Identity Theft Secrets: Well what’s interesting is for the environment of security and you’re going after … at least protecting companies from all these criminals — you kind of sound soft-spoken, it’s interesting! It’s always been interesting to me because I’ve known you for while, that you’re just kind of this nice, soft-spoken, just decent-all-around-kind-of-guy and you’re protecting huge companies from these issues. So, I think that’s kind of interesting!
But if you would, just talk a little bit about your background and what kind of got you into this arena and what kinds of things you’ve done in this space.
South Seas VP (on encryption): Sure! Well my background is, I’ve actually been in the IT industry for about 20 years total. I’ve got an accumulation of 16 years at IBM, couple of years at Kodak Health Imaging, a few years at 3Com Networking. I’ve have my own business doing consulting as well as working at South Seas where we focus on security solutions.
Interestingly enough, one of the other reasons that I’m so passionate about security and helping to protect people is that I was actually a victim of identity theft myself. So I understand the pain, and the agony and the frustration, that’s probably the biggest thing is the frustration from having to go prove that you aren’t the person who did all the fraudulent activities even though all the information matches you. So you basically have to prove you’re not who you say you are. And so because I know what it means on the backend, I’m more passionate about actually helping people to protect the data on the front-end and help corporations understand encryption and understand the different technology solutions so that they can protect the data of their employees and their customers and their constituents. So that’s really where my passion comes from, but I’ve always been involved in technology and IT and so I’m always excited when technology can actually help someone and it becomes a solution rather than a problem.
Identity Theft Secrets: Well and identity theft is really like a “simple” problem right, it’s something you can just solve on your own (laughs)?
South Seas VP (on encryption): Oh no and actually no and I’m glad you asked that. Actually identity theft is a growing problem and it is something that becomes and mushrooms into something that is just more than an individual can usually handle. It really just depends on the type of identity theft. There’s actually five different types of identity theft out there.
The one that most people are familiar with — which is financial identity theft. Then there’s also character identity theft. There’s Department of Motor Vehicle identity theft. There’s medical identity theft. And so when you look at all these different areas; if it’s just credit card, that’s one thing, if it’s a further financial one, where I’m taking out loans under your name and I’m doing other activities, that’s where it gets harder. And the medical identity theft I would say is one of the hardest to clear up. And often times you can’t always clear it up entirely but you can at least get it somewhat fixed but it’s still incorrect in multiple databases because we now live in a world where it’s … your information gets into a database after database after database and then some of those databases share with other databases and pretty soon this wrong information or incorrect information gets spread out in other places.
And the biggest problem in my mind is in the medical field, because now people are making medical decisions on you if you’re in a car accident and you go to the emergency room, they pull up information out of a medical database and they’re making decisions on what drugs to give you and what drugs not to give you based on the information in there. So it can be very scary.
In fact in my personal situation, I actually fought it for three years personally. I figured I’m pretty well-educated, I have a Master’s in Information Management Systems, I can help get this done. Was diligent, called a lot of people, called all the different police departments, did the police reports. Called all the different credit bureaus etc., and really still fought it for three years and continued to get letters from attorneys, letters from collection agencies, etc., and just could not get the problem resolved. And it seemed as soon as I thought I got it resolved, six months later there’d be a whole new wave of things.
And as it turns out, the thieves or the criminals on the backend understand that, so they go and use the different identities they’ve used and proliferate that information out there and then they kind of put it in a file or store it for a while and then they bring it back out about six months later because they know by now the person’s tried to clear it up. Some of the things are clear and now they can use it again. So it’s actually a very frustrating process and unfortunately most of the laws are not written to protect the individual. They’re actually written to protect these large institutions or just to add what they think is security but they don’t actually protect the individual. And a lot of people’s life savings have been lost due to identity theft.
Identity Theft Secrets: So that’s, and you’ve gone through it personally. It’s interesting having talked with you about this, like your story and how much time you spent trying to deal with it yourself. I’ll have to ask you about that at some point just while we’re recording this so people can hear how serious your story was. I think today we’re actually going to talk about encryption which is actually the opposite side of it — making sure that companies and corporations don’t lose people’s information — that they actually have a way to hold onto that information. So if that’s alright, can we kind of get into that?
South Seas VP (on encryption): Absolutely!
Identity Theft Secrets: Why should a company then look at encryption? What’s the “bottom line” when it comes to encryption?
South Seas VP (on encryption): Well, the bottom line is probably two- or three-fold. First and foremost, I would say that it’s because it’s the right thing to do. But that always doesn’t drive business decisions.
The second reason would be compliance and really, when you look at the world of compliance, there’s a bunch of different laws and rules out there. So you have anything from HIPAA to SOX or Sarbanes Oxley to PCI, the payment card industry. So we have all these different rules that may, there’s GBLA or GLBA (Graham, Leach, Bliley Security and Safeguards Rule) rather. You have all these different compliance rules that say you have to do this, you must do that. And then one of the most important ones that came out started in California which basically said, “now if you have a breach and it has our customer information in there and they happen to live in California, then you need to notify them.” And since then, numerous other states, and I think it’s up into the 30’s now as far as the number of states –I want to say 38 states — that have rules on breaches and notifications. I know even Nevada just passed a law adding that “hey, you have to have encryption” so they added a law saying you must encrypt databases or things on laptops and removable media. So they’re getting more “business” about it, in that there are more issues, more fines, more things you have to do.
In fact I spoke with one customer and I won’t mention the name of the customer, but when I had spoken to them, they had had a breach and it had only been two weeks since then and they in fact, had already spent over $3 million just in fines and notifications alone. And they said, “Paul we haven’t even reached the tip of the iceberg with all the costs and expenses that this is going to hit us with.” Unfortunately, if had they merely had encryption in place before that happened, all that would have been saved.
Identity Theft Secrets: So we’re talking about a corporation that lost a number of people’s information. Can you say how many people’s information they lost approximately?
South Seas VP (on encryption): In that particular case, I’m not going to because it was a friend who worked at a company and so I told them I would use this story but not their personal information. There’s actually a really good website out there, The Clearing, clearing ….
Identity Theft Secrets: Privacy Rights Clearinghouse.
South Seas VP (on encryption): Privacy Rights Clearinghouse, thank you! That has the entire list of all the different breaches and so if I give you the specific number, you’d be able to match up pretty quickly.
Identity Theft Secrets: Sure!
South Seas VP (on encryption): I can tell you they were in the Wall Street Journal and really they thought they were secure. They were the typical company, they’re in a secure building. They have a full-time security guard. And these were desktops that were stolen, not just laptops. So they really thought they were protected, they thought they were doing the right things but in fact, if the criminals really want something, they’re going to go get it. And so we have to protect against the “bad guys.” And so really what they needed was encryption and since then of course they’ve encrypted everything and they continue to ensure that they have the strong security policies that they need.
Identity Theft Secrets: So why, kind of diverging again away from encryption here, we’ll come back to it. But why, what were their costs of $3 million two weeks out from the breach?
South Seas VP (on encryption): Well, a lot of those were because of the number of people they had to notify. So it’s not only the cost of writing the letter, getting the letter, but then they have to offer different services for the people that have been victims or potential victims. And then it’s actually getting the databases and sending it out to them and making sure the letters are updated, the addresses are updated, etc. So there’s a lot of manpower involved, there’s a lot of time and expense.
And then not only that, but there’s fines. So again, coming back to the compliance piece, whether its, you know, payment card industry or HIPAA or SOX, you know, if they fall under that, there can be a lot of fines assessed. So a lot of people now realize that it’s a business decision. It used to be, when HIPAA first came out, there was a lot of confusion and people were kind of scared, but they didn’t give enough direction. Then SOX came out and it had a little bit more teeth in it.
And now PCI, the payment card industry, there’s now a new version and if you look at PCI DDS 6.6 you actually see that it says, “hey, you’ve got to do web application firewall as well to protect.” So they’re now giving more specific instructions and saying, “hey, you’ve got to have this in place.” And they still have what they call “compensating controls,” that at the heart of it, it says, “hey look, you either do this or you’ve got a lot of explaining to say why you don’t need to do this.” So they’re giving firmer recommendations and they’re actually giving fines that go to the people that are losing the data.
Identity Theft Secrets: So you just mentioned a kind of encryption. What different types of encryption are there?
South Seas VP (on encryption): Well, I’m glad you asked that. There’s actually several different types and I’ll kind of break it down into two giant categories. The first category of encryption would be like for PC’s, laptops, desktops. And then underneath that comes in all the other different mobile devices, like PDA’s, Smart Phones, Blackberry’s, etc., as well as removable media and the other items that might go into a PC.
And then on the other side of those giant ranges, would be the databases. So databases are typically on servers whether they’re held in Oracle or Sequel or different type of database. They’re actually usually held on a server and accessed by numerous people and so you want to make sure that people can still get to it, but that it’s encrypted. So they are kind of the two general categories would be: database encryption which is handled one way and then PC encryption which is handled a different way.
Identity Theft Secrets: Cool, ok. And without getting too technical, I understand that encryption is basically taking the information and arranging it in such a way, putting it into some sort of code, that doesn’t allow somebody to actually read it. You need a computer or some other piece of information in order to make it “readable.” And that’s called an algorithm, right?
South Seas VP (on encryption): Correct, in essence. What an algorithm does, it’s the way of changing that information up and scrambling it. So if you think of it as kind of like translating it from English to French or from French to German. So it’s a totally different language that if you don’t know it, it looks like “garbledy-gook” and it’s un-understandable. However, if you understand it, then it works.
So it’s kind of like a secret code and the easiest way to think about it is an algebraic equation like x + 2. So it would be the letter a + 2 and then you write that solution on there and then it would give you different algorithms. They’re obviously much more difficult than that – that would be a simple expression or algorithm.
But the algorithms that are used, there’s a bunch of different ones out there and the most important ones are the most current ones now, would be AES and there’s two versions, well, there’s multiple versions of it, but the most standard are 128 and 256. So you really want to pick a solution that uses the AES-256 here within the United States; simply because that’s the strongest solution out there. And there are different websites, like the NIST website that tells you, “here’s how many years with today’s current technology we would expect that that will last before it’s able to be hacked.” And the good news is its many, many, many years and so that’s the highest standard right now out there that you can use. So when you’re looking at a solution, you want to make sure it knows that the parts that you need encrypted but also that it uses an algorithm that’s going to be strong and not hacked or broken and so that would be the AES-256 algorithm.
Identity Theft Secrets: So that would be like the top solution for someone to look at? I mean like a company; we’re not talking about individual consumers here. But for a company to look at, they should be looking at AES-256 encryption?
South Seas VP (on encryption): Absolutely, absolutely. And that can come from numerous different companies. So some of the top companies out there that work with encryption, one that’s been around for a while that people know is PGP. Some other ones would be like GuardianEdge, also there’s Utimaco and then there’s also Pointsec which was bought by Check Point. So all of these are different companies that offer … now those are companies that offer solutions in the mobile devices and the PC encryption. So when you’re looking at that, you really want to make sure, there’s two different types: there’s full disk encryption and then there’s file and folder encryption. You want to make sure if you’re trying to secure your laptop or desktops so if it gets stolen you don’t have to worry about a breach or worry about notification, you really want to use full-disk encryption. And than means that everything on the disk, whether it has data on it or not, is encrypted including the master boot record and all the other different hidden files that people don’t always know about but that the hackers use to get into a computer without having the correct credentials.
Identity Theft Secrets: So again, we’re talking about a company that’s going out and putting this onto their employee’s computers, right? What would be the best way? Because if I’m working at a company as the technology person or if I’m just working at a company and I need to setup some sort of security solution, what’s the best way for me to get this out? I mean to deploy it onto the company’s computers?
South Seas VP (on encryption): Well there’s numerous what they call, push methods or deployment methods using .MSI files or different packages. You could also put it up on a website and they could pull it down to their computers. Or you could even put it on a thumbdrive and put that code on each computer manually. So it depends on the number of PC’s you have; the easiest would be to use one that has a central management system that can actually push it out to all the different computers on the network; so that if you have thousands of computers, you can do that. We have an example would be, we have one customer that’s a worldwide customer and they were able to push out literally thousands of computers for encryption a day. So they pushed out encryption to thousands of computers a day and that obviously helps make it very quick.
Identity Theft Secrets: Well and that also allows them to update their encryption if they need to on all of those computers at one shot, right?
South Seas VP (on encryption): That is correct. It also allows you to change your policies on that so if there are new hacks that come out or different policies that we find out we need to tighten down or you decide you want to tighten down, you can send those out and they all get tightened down right away to everyone using that encryption.
The other key factor that you want to look at is, not only how are you deploying it but also how are you going to help manage that and what are the use cycles or usage abilities of your end-users? Are they going to be on the network or not on the network and if they’re going to be remote, will they have VPN access or not? Because you need to find a solution that will enable you to not only make sure they get the updates they need, but more importantly, if they forget their password which “occasionally” end-users do, if they forget their password, can you reset them remotely by letting them call into the help desk and then you give them codes or do a challenge response or some type of an activity over the phone where you allow them to get into their laptop even though … or reset their password even though they’re not on the network. So those are some huge things to consider.
Identity Theft Secrets: Sure, definitely. Well then that’s on the PC side, what is the best solution, would you say, for a database if somebody’s got a centralized database and they need to encrypt the information that’s at the database?
South Seas VP (on encryption): Well there are two major solutions out there – I mean there’s probably 30, but the two ones that we recommend and that we’ve found that work the best are from two different companies. One is from a company called Protegrity and the other is from a company that was called Ingrian and has now been bought by SafeNet. Both of them essentially do the same thing; it’s an application or a solution that sits above your database, kind of surrounds the database and just encrypts those files or rows or columns that are the data that needs to be encrypted. For example, if you have all their social security numbers or their address or their phone numbers or dates of birth or things like that or their credit card numbers, those are all items that you’d want to make sure are encrypted, but you may not need to encrypt everything on the database like the last time you saw them or things like that. That may not be confidential or private information, but on the stuff that is, you need to make sure it’s encrypted.
So both of these sit above the database and then manage the encryption and decryption of all that data. So those are some examples of solutions. The nice thing about that is that once you’ve done that at the database level, then when you make your backups of that database, that data is now encrypted on your backup so now you don’t need a different solution to encrypt the backup tapes or the backup drive which may be taken off site. They’re already encrypted so you don’t have to worry if those get lost in transit you don’t have another point or area where you might have a breach that you need to report and that you might get fined millions of dollars again.
Identity Theft Secrets: Right … again!
South Seas VP (on encryption): Again, yes.
Identity Theft Secrets: So then as an individual user, if I want to encrypt my own personal PC, what would you say are some of the best solutions for me as an individual user? Do you, I don’t even know if you specialize in that area, but do you know or do you know where an individual user would go to look for that individual PC encryption?
South Seas VP (on encryption): Absolutely. There are several solutions and really it would depend on your technical skills and abilities, it would also depend on what type of PC you have, whether you have a Mac or a Windows version, Linux. So depending on what type that is, there are a bunch of different solutions out there. Some of them are free, but they don’t work as well. Some of them are purchased that are more commercial, so it really just depends on how important the data is that you have.
If it’s pretty critical, let’s say you’re working on anything that would be defense-related or anything that has social security numbers or credit card numbers or a database such as that, then you’d want to make sure you use a full disk encryption solution.
The other nice thing is at South Seas we actually help corporations, large and small, as well as individuals if they need it, with encryption solutions and we do help with the hardware, the software, the services. We also offer Level 1 support. We also do any training. So primarily obviously that’s targeted for large enterprise, state, local government, higher education K-12, but really the solutions are all the same, whether you’re an individual or a large company you need to have that full disk encryption and you need to have the security and a way to get into it if that end-user forgets their password.
Identity Theft Secrets: Ok, cool. Well, that’s all great stuff to know about encryption. I mean the thing … it’s not something everyone thinks about, you know? “I need to encrypt my data.” What does that even mean? But then, let’s talk about why people need to encrypt their data because there are hackers. There are people out there actively looking, everyday looking to steal people’s information, we’ve interviewed them before on IdentityTheftSecrets. So, if there’s a hacker out there and they’re looking to hack into my computer, how does the encryption … or what might they use, what sort of hacks might be out there, that encryption would prevent?
South Seas VP (on encryption): Absolutely, that’s a great question, I’m glad you brought that up. It also points … remind me to talk about why people may need to encrypt or use encryption even if they don’t have a bunch of secret information on that specific PC. Because that PC can then be used to get to other PC’s and I’ll talk about that a little bit later.
But some of the things that can be used, so one example is often times you’ll use a hacking tool which is a bootable CD that then looks into the different registries, looks into the main file within Windows that looks into the master boot record or tries to change the master boot record and allow itself in. There are also several programs or hacks that allow you to go in and take over the operating system. And several things out there that most people have heard about — there are Root Kits, there are Trojans, there are Key Stroke Loggers, etc., that the whole goal of them is to get in, take control of the PC and then give that control to someone else.
So by encrypting this, a laptop with a full disk encryption, you actually hide the original master boot record and then uses its own version of a master boot record and then compares it to the hidden one to make sure nothing has changed. So by doing that you automatically get protection from Root Kits and some of the other scary stuff out there that people use to hack.
The other thing is that it actually protects you from all, most of the hacks that people use using the externally booted CDs or discs, where they now try to get in and find memory or find written things, they won’t be able to. And in essence, they might be able to reboot with a different operating system, but they won’t get to any of the data because all of the data is encrypted. So it really protects you for just about any of the traditional hacks on a laptop.
Identity Theft Secrets: Cool. But then there’s no such thing as security that’s 100% secure and I know that for sure. But you create better security, you create a better lock, you attract better criminals to crack that lock. So what hacks are available that encryption doesn’t prevent?
South Seas VP (on encryption): Well, there are a few out there that encryption doesn’t prevent and one of the most notable ones — Princeton did a paper and when Princeton did that paper they said “hey, it’s called a Cold Boot Memory Hack” and it’s where when you turn off your PC, the actual data on the RAM chips, on the memory chips, stays resident there, stays there for a few seconds up to a few minutes. What they found was is if you then take the computer apart and freeze the memory and then take the memory out, and put it on a special board, because you froze it, that memory stays longer and now they have actually several minutes to work on that and try to extract passwords or log-in information.
Identity Theft Secrets: Wow!!
South Seas VP (on encryption): Yeah, so they’ve actually been able to do that, they wrote a whole paper on that and said, hey here’s something you can do.
Identity Theft Secrets: So they taught people, they taught criminals how to do it in their research.
South Seas VP (on encryption): Exactly and the interesting part was there was a gentleman out of New Zealand that said “boy, you Princeton people think you’re so brilliant, this is a paraphrase, you think you’re so brilliant. You don’t have to go through all that trouble, there’s an easier way.” He had written a program many years ago and it was actually using a Firewire, it’s called a Firewire hack, and it uses Firewire because one of the native abilities of Firewire is it gives you something called direct memory access, DMA. And by using that you get direct memory access and you can actually pull the passwords out while the computer is still on. You don’t even have to turn it off. You just hack right into the Firewire port and are able to get in. And then what it does is instead of actually finding a password, it actually does a registry reset where it says hey, which passwords are acceptable? And it basically sets that default to say any password is acceptable. So now, after running that program, and the nice thing about this gentleman is he then used eling but he actually created a cool little package and put it on the internet and it includes his code, it includes instructions and a PDF; and so “here’s how to use the hack, here’s how to do it, here’s the tools you need, here’s how to set it up.” And not only that, but he says even if the computer, so that’s all through just a Firewire hack and he gave that now to the world through the internet.
And then beyond that, if you take it one step further, even if you have a laptop or desktop that doesn’t have a Firewire port, you can easily buy a PCMCIA card that does have a Firewire port and because that’s Plug and Play, you could literally plug that into a laptop, the Firewire port will become active and now you can get in even though it didn’t have a native Firewire port, you can now use that same hack and get in and that’s something that was demonstrated several times to show people that yes, unfortunately it is real and it only takes a few minutes to setup and literally a few seconds to run and regardless of what password you’ve picked, ;hard or strong, weak or not, it doesn’t matter because it sets it to where I can use any password I want. And that has nothing to do with encryption, but it’s just a different way to get in that doesn’t use encryption but it fools the computer that’s now in a warm state to how to get in.
So if you want to protect from that Firewire hack, then you need to buy another module or another program or another solution or find one that has this integrated as one of its options to do what they call “port control.” So you actually are locking down the ports. And sometimes they’ll talk about the infrared port, the com port, the Wi-Fi, the Bluetooth and then the Firewire. The most important of those is the Firewire because of this hack that’s been published worldwide that makes it easy for a 15-year-old who doesn’t even know what they are doing to go in and execute this hack from this brilliant guy down in New Zealand. So it gets pretty interesting.
But to answer your question that the port protection would be something you would need. And most of the top vendors have some type of port control or port protection. It usually costs extra, it’s additional, but it’s going to lock you down from that, so that now you’re protected from the hacks the encryption doesn’t protect you from.
So again, as you said, there’s no just one solution makes you fully secure, but it’s a combination of these solutions that make you more and more secure that protect you from the different types of hacks.
Identity Theft Secrets: And what products … that’s just crazy to me. That requires somebody having physical access to your computer, right?
South Seas VP (on encryption): Correct.
Identity Theft Secrets: But, that having been said, a friend of mine actually was recently in Europe, sleeping in his hotel room and neglected to close his door at night. Big internet marketer, I mean people in the internet marketing world know his name. He was sleeping in his hotel room at night, he neglected to close his door all the way and someone actually came into his room and stole his laptop while he and his family were sleeping in the hotel room.
South Seas VP (on encryption): Wow.
Identity Theft Secrets: Yeah, and who knows, maybe he was just taking it and selling it or whatever, but the point of that being, it’s pretty crazy how you don’t think about your hard drive being stolen or your computer being stolen.
What products would you say are out there to protect people for this port protection?
South Seas VP (on encryption): Well, that’s a great question; there’s actually several. Most of the top solutions that I talk about whether it’s GuardianEdge or Pointsec from Checkpoint or Utimaco; they all have the different solutions that they add. And some of them call it a port control; some call it a port protector. They have different names but they are all programs specifically to lock down or control the ports.
The other factor that a lot of people don’t always remember too is that you need to lockdown your removal media. Meaning most importantly, like your iPods or your thumbdrives or your removable drives that are maybe a USB-attached remote or hard drive. Those are all things that you need to lockdown or the information that you store on the PC can be transferred over to that and even CDs/DVDs that can be burned, you want to lock those down. So that, you know when you hear the stories of whether it’s a cleaning crew that was hired for secondary purposes to go in and steal data or they were given incentives. Or if it was someone coming in and pretending they were the cleaning crew but they’re actually doing the podsurfing or doing some other kind of stealing information off, even if they don’t steal the actual PC, they may steal information off on a USB drive. Or it might even be an employee that has hit a hard time and is now disgruntled at the company or was paid a lot of money from somebody else to get trade secrets or confidential information, etc. So you want to lockdown your removal media.
It’s one thing to have a written policy that says, hey, no one can store information onto a USB drive unless it’s encrypted or no one can period, depending on your policy. It’s another thing to be able to enforce that. So there are other solutions some of them that are part of the same solutions from those top vendors and others that are from different vendors such as Vontu, Symantec who has bought Vontu that allow you to actually enforce that policy and if a file is being written over to a USB drive or a CD drive, it can say, “nope, this contains confidential information and that can’t get written over.” Or it allows you to write it over, but it tracks it and logs it. So there are a lot of different ways to “skin that cat” so to speak. But the important thing is to make sure you do have a policy in place and that you have a way to enforce that policy. And that’s the beauty of technology, now it’s gotten to the point that you can do it, but again it all comes down to money.
One of the statistics I can tell you is that it’s always cheaper to proactively prevent a breach than it is after the fact to pay for the cost of a breach. And I’ve heard different numbers, anywhere from 4% up to 25% of the cost to be proactive versus reactive. I’d say it’s closer to the 4-5% to do it proactively versus to do it reactively. I know a perfect example is the encryption solution for the one customer is about $40,000 and they have a large company versus the millions of dollars that they had in fines and notifications. So again, you can pick and we’ve all heard, “you can pay me now or pay me later.” You know the world is going to make you pay. It’s always cheaper if you do it proactively.
Identity Theft Secrets: Sure, an ounce of prevention is worth a pound of cure.
South Seas VP (on encryption): Absolutely!
Identity Theft Secrets: Basically what you’re saying then is for corporations it’s always cheaper to invest in some sort of system, or some sort of security solution than it is to deal with it after the fact.
South Seas VP (on encryption): Oh, 100%! Especially if they’re wanting to be a company that wants to be around in the long-term. Because it’s not a matter of “if”- it’s a matter of “when.” These things happen, right? I’ve heard numerous stories of people who have, whether they’re traveling in the States or outside of the States; laptops got stolen out of cars, out of trunks, at their desks, at the library, at the bank. It doesn’t matter where. When times get tough and people are desperate, they’ll look for ways to get creative and steal things. And you never know, the hard part is, once it’s stolen it’s hard to prove whether or not that was a “smash and grab” for the hardware for some quick cash or if it was a targeted “smash and grab” specifically to get access to the data that that company holds.
Identity Theft Secrets: Right and in a lot of cases, the data is a lot more valuable, in almost all cases, the data is a lot more valuable than the hard drive or the information on the computer itself.
South Seas VP (on encryption): Exactly and …go ahead. Go ahead.
Identity Theft Secrets: I was just going to say are there products that can help you, I know that there are, but what sort of products do you recommend for people to be able to track down computers if they are stolen? Even if they are an encrypted computer, you’ve just gone through and told us all these different ways that encrypted computers can be hacked into. So if a computer is stolen, what’s the best way to track it down and track it down quickly?
South Seas VP (on encryption): That’s an excellent question. Two points that that reminds me of: one is, it does depend on the speed of the computer, right? So encryption is great for “data at rest,” meaning that the computer is turned off. However, if people are using different things like putting it in a “sleep mode” or if they’re leaving it at Starbucks and going to use the restroom and then they come out and it’s gone, it’s not longer in data at rest, it’s “data in motion,” it’s data that’s active and being used. That’s where encryption, by itself, doesn’t help, but some of the port protection products do.
So now let’s move to the place where it’s actually been stolen, now what do you do? One of the products out there is from a company called Absolute Software and they have a product that’s affectionately called LoJack for Laptops or LoJack for PC’s. And what it does is it actually will track that laptop so you know if it’s stolen, when it’s stolen and the next time it goes on your network or on the internet, they can actually track it down. The nice thing about this is even if you have encryption in place, this helps you close out that file because you finally get the data back, you get that laptop back. You can do forensics to see what was touched. Not only that, but if it was touched, you can find out was it an inside job or not. Usually if it’s an outside job and you have encryption and it was in a cold state, then they’re not going to get to the data and you know that you’re protected. But if it’s in a warm state or if they have the password because it’s an inside job, then that allows you to close that down so that you don’t have it. A lot of the FBI statistics show that if there’s recurring theft, it’s an inside job and if you can close that out or find that out the first time, you can save yourself the headaches of multiple breaches by closing that down and finding out who has it.
In fact, there’s been several notable cases here in Colorado. One case was at the CSU. They had a bunch of computers stolen, well not a bunch, but one is too many, and they had a computer stolen. And when they went and recovered it — because they were using the Computrace software, it’s called Computrace Complete, they were actually able to not only recover that but a bunch of other equipment that was stolen. The police love it, in fact the Fort Collins police said, we wish every customer had this product, whether they were an individual, or a school, or student, a teacher, staff, etc., because it made their job easier because they were able to track it down and get warrants very easily because they had all the proof they needed.
So: a) I know the product works; b) it’s also endorsed by law enforcement and c) it helps give you that full, complete cycle so you don’t have to worry about an open file or a pending file with insurance or anything, you can close that out and be done with it.
Identity Theft Secrets: Awesome. Wow! Kind of an application for that that I wouldn’t really have thought of necessarily you know? It’s not something you think of right off … being able to prosecute some sort of case.
South Seas VP (on encryption): Right, right and it really does make it easy and the information is given to the police so it’s kind of out of your hands and you don’t have to be the bad guy. You can just give that over to the authorities and let them go do their job and recover the PC for you. And again, while the PC itself isn’t the most important, being able to close the file and say we got the PC and we did the forensics and we don’t have to worry about it. That’s what really gives people the sigh of relief including the insurance companies. It also, by the way, helps when you have your PC audits or your SOX audits, etc. They like seeing reports like that versus “well, we lost one but we don’t think it was used fraudulently. ”
Identity Theft Secrets: Right. (laughs)
South Seas VP (on encryption): That doesn’t work well.
Identity Theft Secrets: “It’s … umm… sort of … it disappeared, but we ….” A friend of mine actually just got a letter from Countrywide? Was involved in the sale of information from Countrywide. I don’t know if you know about this, but one of their employees actually sold a bunch of customer’s information. And it goes through all the information that was sold, you know. “If you were automatically debiting with us, chances are likely that your banking information was also sold.” I mean all this stuff, your social security information. And then it goes, “what should you do now?” “Well, we recommend you shred your information, we” (laughs) … it’s like, ok, you just lost all of my information and you’re recommending I buy a shredder?! You kidding me? Like, “we recommend you sign up for a credit monitoring solution.” You just lost all of my information and you’re recommending I sign up for credit monitoring?! Wow, that’s great, thanks!
So outside of visiting sites like IdentityTheftSecrets and listening through interviews like this, I mean this has just been an awesome interview of great information for people who’ve listened all the way through it, I think. It’s been great for me and I know a lot of stuff about this. Where do you think, are there some good places people can go to get training and solutions and installation help that you know of?
South Seas VP (on encryption): Absolutely. I would say there’s two areas. One is if they’re looking for on the IT side and they’re looking for encryption solutions, certainly we can help them. We’d love to do that. We’re headquartered in Colorado but we do work nationwide. They can reach us at 1-866-794-1655, that’s 1-866-794-1655. And again that’s South Seas Corporation. Or they can dial me directly at 303-798-7588 and we’d be more than happy to help them with that, point them in the right direction for the right solution. And if it’s something that they need help with training or installation services, we can certainly help them with that as well. We also pride ourselves on being one of the few companies that actually offers Level 1 support for anything we sell. Which means they don’t have to worry about if they bought encryption from one company and maybe the LoJack tracking software from a different company, they don’t have to worry about finger-pointing; “hey, this doesn’t work with that or what not.” They just call us and we make sure that it works and most of the solutions we sell we’ve already tested to ensure that they’re going to work together because we know we’re going to be doing the Level 1 support. So I think for encryption side that’s key.
I also have some suggested reading if they have concerns about identity theft, there’s actually a great book out there called “The Silent Crime, What you need to know about Identity Theft.” It was written by Michael McCoy and Steffen Schmidt. They are basically working out of the state of Iowa. And it really goes through all the different solutions for identity theft protection. And having been a victim, I found that it was really helpful because you hear all these different products out there and you go, well, which ones work and which ones don’t? In fact, I was just at a King Sooper’s and they had an identity theft solution that was there as well. And it seems like everyone is jumping on the bandwagon, but which ones are helpful and which ones do things that you need versus don’t?
Identity Theft Secrets: You can buy “Kroger Identity Theft Protection,” while you’re getting your avocados, tomatoes and bread; would you like to buy identity theft protection?
South Seas VP (on encryption): Exactly! It kind of made me crack up and I was like “wow, it’s just amazing what’s out there.” But in that book, “The Silent Crime,” they actually highlight some of the key solutions out there. If you look on page 190 and 191 of that book, they highlight different solutions and it shows you, here’s the different costs, here’s the pros and cons and these are the solutions that are best. So rather than me telling you here’s what I recommend, I would say go get the recommendations of some people that have spent literally tons of money researching all the different solutions, looking at the pros and cons. It’s a great book because it’s neutral, it’s written from a researcher’s prospective; “hey, I’ve done the research and here’s the good and the bad.” And I can tell you from my own personal experience, that one of the solutions they use in there and that they recommend as the best one is one that actually helped me resolve my personal situation and so I’m definitely a big fan of it just from my own personal experience. But also know after reading this book that there’s a lot of reasons why it works so well and why other products just don’t work because they don’t answer the full solution or they only hit certain areas rather than fixing all the different areas that are affected when you’re a victim of identity theft.
Identity Theft Secrets: Well again, your phone number? Or where people can get a hold of you for more information?
South Seas VP (on encryption): Absolutely. They can contact Paul Herbka at South Seas Corporation, 1-866-794-1655 or my local phone is 303-798-7588. Or if they prefer email, they can email me at pherbka, that’s p-h-e-r-b as in bravo, k-a @SouthSeasCorp.com. And again I’d love to share hints and tips with them and if they’re in the middle of doing an encryption project they definitely want to make sure that they have a checklist. I’ve created a checklist that I’d be willing to send to them that really goes through here are things you need to consider. And again, I don’t care what solution they pick, but the important thing is, are they locking down all the different gates and doors and areas that they need to make sure that they’re protected?
Identity Theft Secrets: Awesome! Well thank you so much for taking the time with us today. This has been educational for me for sure and I hope it’s been educational for other people as well.
South Seas VP (on encryption): Thank you for your time.
Identity Theft Secrets: Thank you!
This has been an audio interview with IdentityTheftSecrets.com. We can be found online at www.i-d-e-n-t-i-t-y-t-h-e-f-t-s-e-c-r-e-t-s.com. IdentityTheftSecrets.com.