<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Practical Issues in InfoSec &#187; Backups</title>
	<atom:link href="http://www.dlstrom.com/category/backups/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.dlstrom.com</link>
	<description>... putting information security within reach of everyone!</description>
	<lastBuildDate>Tue, 27 Jul 2010 13:26:02 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>He&#8217;s Dead, Jim&#8230;</title>
		<link>http://www.dlstrom.com/2010/05/24/hes-dead-jim/</link>
		<comments>http://www.dlstrom.com/2010/05/24/hes-dead-jim/#comments</comments>
		<pubDate>Mon, 24 May 2010 15:28:40 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Backups]]></category>
		<category><![CDATA[FlashDrive]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=313</guid>
		<description><![CDATA[Pay attention, everyone - You should never have the only copy of your important files be stored on your flash drive. It will die (or be lost or be stolen). If this is the case, you may be completely out of luck. I had a friend give me a flash drive this past weekend. The [...]]]></description>
			<content:encoded><![CDATA[<p>Pay attention, everyone -</p>
<p>You should never have the only copy of your important files be stored on your flash drive. It will die (or be lost or be stolen). If this is the case, you may be completely out of luck.</p>
<p>I had a friend give me a flash drive this past weekend. The flash drive is not recognized by any computer. Where there normally is a light that comes on when plugged in, now there is no longer a light.</p>
<p>If the problem is more than just a poor USB connector, then it will be pretty costly to recover the data, if it is possible at all&#8230; Usually the cost will outweigh the benefit of recovered files.</p>
<p>So, use the flash drive only as a working and portable storage device. Make sure it is encrypted. Copy the files back to your computer if they are important. That way they will be a part of your normal backups. (You do have a backup system, right?)</p>
<p>If you don&#8217;t have a backup system in place, consider using something like LockYourData (<a href="http://www.lockyourdata.com/">www.lockyourdata.com</a>). It allows you to manage both online and local backups and to keep multiple generations of files.</p>
<p>The last thing you want to hear is the words of Dr. McCoy as he looks up and says, &#8220;He&#8217;s dead, Jim.&#8221;</p>
<p> </p>
<p><object width="445" height="364"><param name="movie" value="http://www.youtube.com/v/qJQwHwP0ojI&#038;hl=en_US&#038;fs=1&#038;border=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/qJQwHwP0ojI&#038;hl=en_US&#038;fs=1&#038;border=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="445" height="364"></embed></object></p>
<p> </p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2010/05/24/hes-dead-jim/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>InfoSec Tip: Are Your Backups Usable?</title>
		<link>http://www.dlstrom.com/2009/08/28/infosec-tip-are-your-backups-usable/</link>
		<comments>http://www.dlstrom.com/2009/08/28/infosec-tip-are-your-backups-usable/#comments</comments>
		<pubDate>Fri, 28 Aug 2009 13:00:00 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Backups]]></category>
		<category><![CDATA[Disaster Recovery]]></category>
		<category><![CDATA[Planning]]></category>
		<category><![CDATA[Tips]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=280</guid>
		<description><![CDATA[&#8220;Backups are the disaster recovery plan!&#8221;, he emphatically said. And so began the conversation&#8230; Of course, backups are a part of the disaster recovery, but not the complete plan. Just last night I found out about a local business whose server crashed. They had been dutifully performing backups. The backup subsystem reported that backups had [...]]]></description>
			<content:encoded><![CDATA[<p>&#8220;Backups <strong><em>are</em></strong> the disaster recovery plan!&#8221;, he emphatically said.</p>
<p>And so began the conversation&#8230;</p>
<p>Of course, backups are a part of the disaster recovery, but not the complete plan.</p>
<p>Just last night I found out about a local business whose server crashed. They had been dutifully performing backups. The backup subsystem reported that backups had been created. But&#8230; </p>
<p>It turns out that the backups are unreadable and now they are scrambling to determine the next steps to keep their business running.</p>
<p><strong>Tip: Periodically check your backups to make sure that (1) they are readable, and (2) that they contain the information you hope they do.</strong></p>
<p>Put this into your list of things to review on a monthly basis. At some point you <strong><em>will</em></strong> be glad that you did.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2009/08/28/infosec-tip-are-your-backups-usable/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>End of Year Cleanup</title>
		<link>http://www.dlstrom.com/2008/12/08/end-of-year-cleanup/</link>
		<comments>http://www.dlstrom.com/2008/12/08/end-of-year-cleanup/#comments</comments>
		<pubDate>Mon, 08 Dec 2008 22:51:28 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Backups]]></category>
		<category><![CDATA[Data Integrity]]></category>
		<category><![CDATA[Planning]]></category>

		<guid isPermaLink="false">http://dlstrom.com/wp/?p=51</guid>
		<description><![CDATA[Do you know your data, computers and networks? I mean, really know them? The end of the year is a good time to take stock of your security measures and operational practices and do some maintenance. I like to ask the question Where are we? at the end of the year. What is being done [...]]]></description>
			<content:encoded><![CDATA[<p>Do you know your data, computers and networks? I mean, <em>really know</em> them?</p>
<p>The end of the year is a good time to take stock of your security measures and operational practices and do some maintenance. </p>
<p>I like to ask the question <strong>Where are we?</strong> at the end of the year. What is being done to protect the information assets of my company or myself and family? After I have a good grasp of this, then I like to ask myself the logical next question, which is <strong>Where do we want to be?</strong> Comparing the two gives some idea of where to focus my information security energies.</p>
<p>Yeah, I know that previous paragraph is pretty vague.</p>
<p>How about some specific ideas when asking that <strong>Where are we?</strong> question.</p>
<ul>
<li>Do I know where all the important data is being stored? Is it all on the hard drive of one notebook computer? Or, is some stored on my computer, some stored on my wife&#8217;s computer? Maybe it is stored on a file server on the network!</li>
<li>What am I doing to protect the data on my notebook computer? Am I doing backups? How do I know that the backups can be used?</li>
<li>What if my notebook computer gets stolen and my personal financial information (with bank account numbers and passwords) is stored on it? What am I doing to encrypt or adequately protect that data?</li>
<li>If you host your own web services, you should evaluate the access rules on your firewall. Do I really need to allow access on the ports that I have open?</li>
<li>Am I patching the OS on my servers? Do I test patches in a controlled environment before installing them on the production servers? What about the patch level of my workstations? Am I using Automatic Updates (on Windows) to keep them updated?</li>
<li>When was the last time I changed the WEP/WPA key on my wireless access? Am I using WEP or WPA or something else? Am I sure that only authorized people know what it is? Maybe the neighbors are leeching the signal!</li>
<li>Do I have any idea of what &#8220;normal&#8221; traffic looks like on my network? What applications are being used &#8211; P2P, chat, BitTorrent, webcams? What about filtering? Is my filtering functioning as desired?</li>
<li>When was the last time that I forced password changes for users? How about administrator/root accounts?</li>
</ul>
<p>Wow! That sounds like a lot of work! It&#8217;s not, really, but these things need to be considered periodically.</p>
<p>In the next entry, I will be discussing the <strong>Where do we want to be?</strong> question.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2008/12/08/end-of-year-cleanup/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Online Data Storage with getdropbox.com</title>
		<link>http://www.dlstrom.com/2008/07/18/online-data-storage-with-getdropboxcom/</link>
		<comments>http://www.dlstrom.com/2008/07/18/online-data-storage-with-getdropboxcom/#comments</comments>
		<pubDate>Fri, 18 Jul 2008 23:41:02 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Backups]]></category>
		<category><![CDATA[Data Integrity]]></category>
		<category><![CDATA[getdropbox.com]]></category>

		<guid isPermaLink="false">http://dlstrom.com/wp/?p=23</guid>
		<description><![CDATA[Small business is confronted with a significant decision when it comes to the backup of their important data. Should a local solution be implemented, or should an on-line service be used? I’ve just begun experimenting with a relatively new service called getdropbox.com. getdropbox.com is a relatively recent entry into the fray of on-line storage and [...]]]></description>
			<content:encoded><![CDATA[<p>Small business is confronted with a significant decision when it comes to the backup of their important data. Should a local solution be implemented, or should an on-line service be used? I’ve just begun experimenting with a relatively new service called getdropbox.com.</p>
<p>getdropbox.com is a relatively recent entry into the fray of on-line storage and is still in “beta” mode. Getting an account requires an invitation from someone who already has an account. This free account gives the beta-user 2GB of storage. Once an account has been set up, a bit of software is installed on the local computer. This software creates a new folder (dropbox) on the local computer. As files are moved into that folder, they are auto-magically uploaded to the folder on the getdropbox.com servers. These files are only accessible by you, or from any other computer that has the getdropbox software and is linked to your account. Pretty simple, eh?</p>
<p>getdropbox.com also allows you to make some of your files publicly accessible. A unique URL is provided for each file. Anyone who knows, or is lucky enough to guess, this URL can access this file. The file is readable, but changes cannot be written back to the servers.</p>
<p>You can also share a folder with other getdropbox.com users whose computers are not linked to your account. You just need to send them an invitation (via email) to the shared file. At this point they have full read/write access.</p>
<p>Now, how can this be used for an online backup? As mentioned earlier, the software watches the dropbox folder on your computer and automatically synchronizes with the on-line server. If you are using Mac OS X you can simply create a symbolic link in the dropbox folder pointing to any other folder you want automatically backed up. (Unfortunately, this capability is not available to Windows users at this time.) The developer indicates that they are internally testing a Linux client. Then, this should be available for Linux, also.</p>
<p>So, how secure is your data? According to the FAQ, the data transfer takes place over an SSL connection. I’ve not yet had the chance to examine the network traffic to verify this. But, and this is significant, it does not state that the files are encrypted on their servers. According to the FAQ, “Files are encrypted with AES-256 before being stored on our backend.” They indicate that in the future users will be able to define their own private keys to encrypt the data, but this is not currently implemented. I would highly recommend that any confidential information be encrypted prior to putting it in the dropbox folder on your computer.</p>
<p>So, would I recommend that you use getdropbox.com for on-line data storage for your company? Yes, if the following conditions are met&#8230;</p>
<ol type="1" start="1">
<li>Sensitive data is encrypted before being put in the dropbox folder for synchronization</li>
<li>The total amount of data is less than the amount allocated to your account. Right now the maximum folder size is 2 GB</li>
<li>There is a need to share files with other trusted individuals outside the company</li>
<li>Your business model allows for your company information to be stored outside of your control</li>
</ol>
<p>Ok, then, what about personal use? Pictures that need to be shared with family would be fine to have stored. Likewise, other personal files may be fine. But, I sure wouldn’t put my Quicken data files up on a service like this unless I first encrypt them. (TrueCrypt would be a fine piece of software to use for encryption.)</p>
<p>Finally, the getdropbox.com privacy statement only speaks to personally identifiable information you submit as you create your account. Of course, they reserve the right to sell or disclose your information to service providers, business partners, and others. It is curious to note that they omit speaking to what they will do with the files you store on their site!</p>
<p>Disclaimer: The information in this post is current as of the date and time of the posting. The details of the getdropbox.com service are always subject to change.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2008/07/18/online-data-storage-with-getdropboxcom/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
