[Dataloss] followup: ACS Breach Warning Letter

Al Mac macwheel99 at sigecom.net
Wed Nov 8 12:42:25 EST 2006


The protection of passwords varies greatly across the various OSes that I have 
worked on.  I consider passwords much more secure on IBM mainframes than on 
Windows and Unix, but I do not know about Linux.

Companies might think their data is password protected, encrypted, or 
otherwise protected, but unless they have passed some kind of security 
audit, they really do not know for sure.  Many breaches have been because 
of some carelessness and a lack of security verification, leading to 
private data posted on the web that some kind of security procedure might 
have prevented.  I think that if security awareness training is too much 
of a bother for a company to be doing for all its people, it should at 
least be required for people with access to the sensitive data.

The mass public thinks passwords give some measure of protection, so these 
notification phraseologies are intended as PR mitigation.

Once upon a time certain types of communications were banned from Ham 
Radio, because of a rule that the FCC had to be able to digest anything 
over the public airwaves without any effort.  This may be why a lot of 
pager traffic, and wireless, is in plain text readable by anyone with a 
police scanner hooked up to a computer printer, which may be illegal, but 
unenforced.

Once upon a time the DoD banned encryption in computer products going 
overseas, on the theory that the USA had some strategic advantage the 
military did not want exported.  But that mentality has been overshadowed 
by mass off-shoring of all sorts of computer manufacture and software 
development, let alone parallel development in other places such as Europe 
and Asia.  The illusion that we have some kind of advantage is akin to the 
Axis in WW II broadcasting all their secrets over communication channels 
that they were convinced no one could crack.

Al Macintyre
just a programmer, sys admin, security officer, help desk, etc. worker

Bruce.Forestal wrote:
>Good Day,
>
>The claim of "password protected" is a joke as almost all of these laptops
>are Windows OS with only a logon password, which is easily bypassed.
>This is somehow supposed to make the public have a warm fuzzy feeling
>that their data is safe.  Once in a while we hear that the data is
>encrypted and password or pass-phrase protected.  Someone had commented
>previously that at least some of the current disclosure laws don't
>require notification if the data is encrypted.  I'm curious as to how
>many incidents of data loss are occurring but not reported because the
>data is encrypted?
>
>Speaking of encrypting personal information, has this technology not
>been taught in college, or banned from use by anyone outside of the DOD?
>Almost all of these incidents of data loss could have been mitigated by
>just simple encryption.  Encryption is both easy and cheap; actually it
>can be had for free.  Laptops are a target for thieves, this is not
>going to change although one can surely reduce the chance of theft by
>teaching employees some user awareness but it won't be eliminated.
>
>I'm personally a fan of PGP Desk, all of my client data is saved on a
>PGP encrypted partition and all emails that even hint of sensitive data
>are encrypted.  Most Non Disclosure Agreements require me as consultant
>to protect client data, using anything short of a reliable encryption
>scheme would put my client data at risk and leave my butt hanging in the
>wind.  I would not be happy if my laptop was stolen or lost but at least
>I could state with confidence that the client data was very secure.
>Other than the NSA or like entities I don't know of anyone that would
>even have a chance of breaking the encryption.
>
>It's obvious in many of these data loss incidents that an encryption
>policy was not in place or not followed.  Roughly two-thirds of the
>states have disclosure laws, but that does not mean they are always
>followed, and then there is the government side.  Does anyone know the
>disclosure laws for government?  Does anyone have an idea of the
>percentage of data loss that is not-disclosed?
>
>Bruce Forestal, CISSP
>AmbironTrustwave

<snip> 
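The contrast Bruce draws above, a Windows logon password versus data that is actually encrypted under a passphrase, can be made concrete. The following is an added example written for this page; it is not code from either poster, from PGP Desktop, or from the Dataloss list. It uses only the Python standard library: keys are stretched from the passphrase with PBKDF2-HMAC-SHA256, and the file is protected with an encrypt-then-MAC stream cipher built from HMAC-SHA256 in counter mode. That cipher construction is illustrative, chosen so the example runs without third-party packages, and is not a substitute for PGP or operating-system disk encryption. The client record, the passphrase, and the iteration count are all constructed for the example.

```python
"""Added example: an OS logon password is an access-control check that an
offline attacker never hits; only encryption under a key the thief lacks
protects bytes on a stolen disk.  Standard library only."""
import hashlib
import hmac
import os
import struct
from typing import Tuple

SALT_LEN = 16
NONCE_LEN = 16
KEY_LEN = 32
TAG_LEN = 32
PBKDF2_ITERATIONS = 100_000  # assumption for the example; raise it in real use

# Constructed sample of the kind of data the thread is about; not a real record.
CLIENT_RECORD = b"name=Jane Doe;ssn=123-45-6789;account=9988776655\n"


def _derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the passphrase with PBKDF2-HMAC-SHA256 into separate encryption
    and MAC keys, so a wrong passphrase is detected rather than silently
    decrypting into garbage."""
    material = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=2 * KEY_LEN
    )
    return material[:KEY_LEN], material[KEY_LEN:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 over (nonce || 64-bit counter) as a PRF-based keystream.
    Illustrative only: use AES-GCM from a vetted library in practice."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag (encrypt-then-MAC).
    A fresh salt and nonce per call means the same record never encrypts
    to the same bytes twice."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext.
    A wrong passphrase or a tampered blob raises ValueError."""
    header = SALT_LEN + NONCE_LEN
    if len(blob) < header + TAG_LEN:
        raise ValueError("blob too short")
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:header]
    ciphertext, tag = blob[header:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or tampered data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def thief_can_read(disk_bytes: bytes, needle: bytes = b"ssn=") -> bool:
    """What an offline attacker does with a stolen drive: scan the raw bytes.
    The logon password is never consulted, so it offers no protection here."""
    return needle in disk_bytes


if __name__ == "__main__":
    # "Password protected" laptop: the record sits on disk in the clear.
    print("plain record readable offline:", thief_can_read(CLIENT_RECORD))
    blob = encrypt("correct horse battery staple", CLIENT_RECORD)
    print("encrypted record readable offline:", thief_can_read(blob))
    print("owner recovers record:", decrypt("correct horse battery staple", blob) == CLIENT_RECORD)
    try:
        decrypt("Password1", blob)
    except ValueError as exc:
        print("wrong passphrase rejected:", exc)
```

The point of `thief_can_read` is that it models the attacker's actual access path: a drive pulled from a lost laptop and read on another machine, where the Windows logon prompt is simply not in the way. The encrypted blob fails that scan, and because the MAC is checked before decryption, a guessed passphrase produces an error rather than plausible-looking garbage.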