William Jackson | Cybereye: And the worst security idea of 2006 was . . .
- By William Jackson
- Dec 06, 2006
Once again it is time to take note of those security blunders from the past year that have given us so many opportunities to learn from our mistakes.
It has been a year rich in opportunity, with one lesson in particular being repeatedly hammered home. So the second annual Bonehead Award for Notable Failures in IT Security goes to all of those people who think it is productive to carry around sensitive data on portable devices.
There are many types of sensitive data that can get stolen, lost or just disappear. But since the passage of the 2003 California law requiring notification of breaches of personally identifiable data, losses of this type of information have been the easiest to track. The exposure of individuals to the risk of identity theft became a high-profile issue with the February 2005 fraud at ChoicePoint that exposed records on more than 160,000 people. Since then, more than 97 million personally identifiable records have been exposed, according to the Privacy Rights Clearinghouse.
Many of these breaches have resulted from poorly handled government records. The corker, of course, was this year's apparently random theft by a small-time burglar of a Veterans Affairs Department notebook PC containing records on more than 26 million people.
Many of this year's breaches were caused not by sophisticated hacking or fraud, but by the loss or theft of portable devices with increasingly large memory capacity. With such capacity at our fingertips, it is tempting to load large amounts of data onto mobile devices. As a result, there are innumerable notebooks, personal digital assistants, removable drives, USB drives and other devices floating around out there with sensitive data on them.
Attention is being given to securing this errant data. In the wake of the VA debacle, the Office of Management and Budget reminded agencies they should be using encryption and access controls on mobile devices. In September, the Army mandated use of a data-at-rest protection strategy for all 'mobile information systems.'
But I am not convinced that most of that data should be out there in the first place. If data is so sensitive that its exposure requires public notification and results in excoriating headlines, it probably should be held in a central location where it can be adequately protected and its access controlled. That means those who absolutely have to have that data to do their jobs probably will have to do it sitting at their desks in their offices, accessing it over a LAN, under the virtual eye of a watchful security officer. Loading it onto your notebook or thumb drive so you can work on it at home or on the airplane is as likely to increase vulnerabilities as productivity, even if it is encrypted.
This means that people who really use the data must be given the time and resources to get their jobs done while at the office, during regular office hours. If there isn't enough time to do that, additional people should be hired.
Decisions about staffing and funding aren't made by IT security people. Ultimately, it is up to Congress to provide the money and manpower to get the work of government done in a practical, secure manner.
But while Congress manages to find time to concern itself with whether the national anthem should be sung in Spanish, they seldom get around to this nuts-and-bolts issue. Despite the attention given to the problem of identity theft in the last year, none of more than a dozen data breach notification laws introduced this year made it out of committee.
Maybe the next Congress can find time in its busy schedule to address the issue.