Tuesday, April 8, 2008

"Password Protection" Safe Harbor - in Indiana the ship is sailing

As most of you are aware, data breaches happen all the time. So much so that almost all the states in the union have enacted laws requiring notification to affected parties when their personally identifiable information is in harm's way. Soon we may see a national law. Further driving the point home are a myriad of laws that govern how data are to be protected, not to mention private industries governing themselves through standards such as PCI DSS.

While I do enjoy seeing social controls put in place that might ultimately protect my well-being, I find too often that these laws are followed in a "minimum necessary" manner. Case in point: the NIH lost a laptop that had identifiable and protected data stored on it. Unfortunately, the data were not encrypted even though they should have been per departmental policy. While admitting that they were in the wrong, it seems that the NIH is taking refuge in legislation that offers a "password protection" safe harbor. In other words, as long as the device is password protected, then you are OK. Read through the third paragraph from the story, quoted below, and tell me what is wrong:

“The [National Heart, Lung and Blood Institute] recognizes that such information should not have been stored in an unencrypted form on a laptop computer,” said Elizabeth Nabel, director of NHLBI, a division of NIH. However, at the time of the theft, the laptop was off and protected by a password that would take “considerable computer sophistication” to crack, she said in a March 24 statement.
Considerable computer sophistication? A few minutes with an alternative O/S booted from a CD or USB stick and the data are owned: the operating system's logon password protects the logon, not the bytes on the disk, so anything that reads the disk without booting that O/S walks right past it. I brought the story to the attention of my staff and asked them to find a way to get to the data. We played capture the flag with a "password protected" laptop and a specific file. It took no more than a few minutes before the file was retrieved and the contents mailed back to me. I didn't even give them a file name or location, only a hint that it might contain data in the format of a Social Security number.
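To make the "find the file that looks like it holds Social Security numbers" step concrete, here is an added example (mine, not code from the original post or from the staff exercise it describes). It assumes the laptop's disk has already been mounted read-only from an alternative O/S at a hypothetical path such as /mnt/laptop; the mini-filesystem it scans in demo() is constructed sample data, not real records. The scan works on raw bytes so CSV, text and many unencrypted office formats are covered, applies the basic SSN digit rules to cut down false positives, and re-encodes UTF-16 text (common for Windows exports) that would otherwise hide its digits behind NUL bytes.

```python
import os
import re
import shutil
import tempfile

# Formatted (219-09-9999, 219 09 9999) or unformatted (219099999) SSN,
# not embedded in a longer digit run. Digit validity is checked separately.
SSN_RE = re.compile(
    rb"(?<!\d)(?P<area>\d{3})(?P<sep>[-\s]?)(?P<group>\d{2})(?P=sep)(?P<serial>\d{4})(?!\d)"
)


def looks_like_ssn(area: bytes, group: bytes, serial: bytes) -> bool:
    """Basic structural rules: area 001-899 except 666, group and serial non-zero."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def normalize(data: bytes) -> bytes:
    """UTF-16 text with a BOM is transcoded to ASCII so the byte regex can see it."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="ignore").encode("ascii", errors="ignore")
    return data


def scan_bytes(data: bytes):
    """Return the SSN-looking strings found in a byte buffer."""
    hits = []
    for m in SSN_RE.finditer(normalize(data)):
        if looks_like_ssn(m.group("area"), m.group("group"), m.group("serial")):
            hits.append(m.group(0).decode("ascii"))
    return hits


def scan_tree(root, max_size=50 * 1024 * 1024):
    """Walk a mounted filesystem; return {path: [ssn, ...]} for files with hits.
    Symlinks and very large files are skipped; unreadable files are ignored."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            hits = scan_bytes(data)
            if hits:
                findings[path] = hits
    return findings


def demo():
    """Build a constructed 'laptop' tree (sample data only) and scan it.
    Returns {relative path: hits}; the temp tree is removed afterwards."""
    root = tempfile.mkdtemp(prefix="laptop_")
    docs = os.path.join(root, "Users", "jdoe", "My Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "study.csv"), "w") as fh:
        fh.write("name,ssn,dob\nJ. Doe,219-09-9999,1950-01-01\nR. Roe,078 05 1120,1962-07-04\n")
    with open(os.path.join(root, "Users", "jdoe", "notes.txt"), "w") as fh:
        # phone number, invalid area 000, and an 11-digit run: none should hit
        fh.write("Call 555-1234 re: test record 000-12-3456 and ref 12345678901\n")
    with open(os.path.join(root, "Users", "jdoe", "export.txt"), "w", encoding="utf-16") as fh:
        fh.write("patient 519-22-4871\n")
    try:
        found = scan_tree(root)
        return {os.path.relpath(p, root): hits for p, hits in found.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # On a live boot you would call scan_tree("/mnt/laptop") instead (hypothetical mount).
    for path, hits in demo().items():
        print(f"{path}: {hits}")
```

The point of the exercise stands regardless of the scanner: nothing here needs the Windows logon password, only read access to the platters. The digit rules are deliberately loose (they predate SSN randomization and will still flag some non-SSN numbers), so treat hits as leads to confirm, not proof.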

What's the moral of the story? We know better, but we often don't do better. As security professionals (or anyone with stewardship over sensitive data) we should act with a suspicious mind. I see all too often people who have become numb to the effect of having the sensitive, private information of others around them. To help them, I ask why their purse is locked up but these files are not. Or, I ask for their driver's license and a voided blank check. This is pretty shocking to them, but it drives home the point that they are protecting themselves while not affording the same type of protection to those who have placed their trust in our services.

Moving forward, state and federal governments are beginning to see the light too. In fact, House Bill 1197 in Indiana was approved and will change IC 24-4.9-2-2 to remove the password safe harbor and replace it with encryption. What this might mean for you: if data of an Indiana resident are accessed in an unauthorized manner on a portable electronic device and the data were not encrypted, you or your company can face civil penalties of up to one hundred fifty thousand dollars ($150,000). Disclaimer - I'm not a lawyer and this is not legal advice.

What to do? Look into full volume encryption for laptops and desktops. These have been discussed at length here, and be sure to follow the best practices for them to mitigate the now open source cold-boot RAM harvesting techniques (shut down or hibernate rather than sleep, and require pre-boot authentication, so the key is not sitting in memory when the machine walks away). Second, train the staff at your place of employment. The more they know, and the more accessible you become, the more enmeshed security can become in business processes. Consider providing alternative methods for file storage and transfer. I like the Kanguru USB 2.0 flash drives - they feature AES hardware encryption and can be had in up to 16GB capacities. Last, check your policies and procedures with legal counsel to verify that they are in step with the laws for the areas you do business in.

1 comment:

David said...

The NIH is also banning use of sensitive data on Apple laptops, citing the lack of enterprise ready full disk encryption products. Relevant article here:


This is a common thread in organizations that I talk to - MacOS full disk encryption is close for many enterprise vendors, and the first one to market with a working solution may grab a nice chunk of the Apple marketplace.

In the meantime, policies regarding use of user directory encryption can help ensure data exposure is limited, but cannot provide the same level of assurance that FDE does.