
Dataloss and Your Privacy

In September of this year, I did some research into TurnItIn.com, an anti-plagiarism site. During my research, I contacted a few privacy organizations, one of them being the Privacy Rights Clearinghouse (PRC). That was the first time I had stumbled across the site; I now visit it regularly. It has also directed me to a few other sites, one of which is the Attrition Dataloss Archive and Database (CSV Database - RSS Feed).

I decided to look at some of the numbers and I was shocked, yet at the same time I wasn't... the result is somewhat obvious once you think about it. A quick count based on the "type" field in the CSV reveals 117 breaches of personal information due to what's identified as "Hack" and 166 breaches due to "Stolen *" (where * could be hard drives, laptops, computers, etc.). While the data theft due to hacking dates back to 2000, most data loss due to physical theft, apart from one or two occurrences, has taken place in the last two years. This year, there have been 79 breaches of personal data storage due to Stolen Laptops (not including Stolen Media or Desktops) and only 50 due to hacking.
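To make the "quick count" repeatable, here is an added example (not part of the original post, and not code from Attrition) that loads a CSV with a "type" column, buckets each row into "Hack", "Stolen *" or "Other", and breaks the buckets down by year. The column names other than "type", the row contents and the organization names are constructed for this example, not rows from the real archive.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape the post describes: a "type" column holding
# values such as "Hack" or "Stolen Laptop". The "date", "organization" and
# "records" columns are assumptions for this example; none of these rows come
# from the real Attrition archive.
SAMPLE_CSV = """date,organization,type,records
2000-03-14,Example University,Hack,1200
2004-11-02,Example Bank,Stolen Laptop,50000
2005-06-20,Example Hospital,Stolen Media,8000
2006-01-09,Example Retailer,Hack,300000
2006-02-17,Example Agency,Stolen Laptop,26500
2006-05-03,Example Insurer,Stolen Laptop,100
2006-08-22,Example Clinic,Stolen Desktop,2300
2006-09-30,Example Credit Union,Hack,4500
2006-10-11,Example School,Lost Tape,900
"""


def classify(breach_type):
    """Map a raw "type" value onto the coarse buckets used in the post:
    "Hack", "Stolen *" (any physical theft, whatever was stolen) or "Other"."""
    t = breach_type.strip()
    if t == "Hack":
        return "Hack"
    if t.startswith("Stolen"):
        return "Stolen *"
    return "Other"


def count_by_bucket(csv_text):
    """Overall totals per bucket, the equivalent of the post's 117 vs 166 count."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return Counter(classify(r["type"]) for r in rows)


def count_by_year(csv_text, exact_type):
    """Per-year count for one exact type value, e.g. "Stolen Laptop", so that
    Stolen Media and Stolen Desktop rows are excluded as in the post."""
    counts = Counter()
    for r in csv.DictReader(io.StringIO(csv_text)):
        if r["type"].strip() == exact_type:
            counts[r["date"][:4]] += 1
    return dict(counts)


def yearly_trend(csv_text):
    """Year -> Counter of buckets, to see whether hacking or physical theft
    dominates in a given year."""
    trend = {}
    for r in csv.DictReader(io.StringIO(csv_text)):
        year = r["date"][:4]
        trend.setdefault(year, Counter())[classify(r["type"])] += 1
    return trend


if __name__ == "__main__":
    print(count_by_bucket(SAMPLE_CSV))
    print(count_by_year(SAMPLE_CSV, "Stolen Laptop"))
    for year, buckets in sorted(yearly_trend(SAMPLE_CSV).items()):
        print(year, dict(buckets))
```

Feeding the real CSV to `count_by_bucket` reproduces the post's comparison; `yearly_trend` is what shows the shift from "Hack" to "Stolen *" that the post is describing, and the prefix match in `classify` is what lumps the various "Stolen ..." values together.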

Companies these days are supposed to be more "security-aware". More companies ensure they have proper firewall and IDS/IPS implementations. Vulnerability management products are being installed and deployed on site. Pen-testers and security consultants are being brought in. This seems to be working: breaches due to "digital issues" are dropping, and it's physical breaches that are increasing. It makes me wonder if companies have made a trade-off... "I've got to increase my IT security, we can't increase the budget, so we'll drop some of the physical security we currently have in place". I doubt this is the case in most places, however it is a possibility.

The problem is more likely user awareness... People have their laptops... their "portable information vaults". The problem is that a laptop isn't a vault; it's vulnerable. Perhaps company policy doesn't outline what's required. Does it state that your laptop has to be locked down when out in public? Does it require that the drive be encrypted? Are drives wiped when the laptop is "out of circulation"? Does company policy really allow all of this personal information to be stored on laptops?

It makes me think about college. When I was going to college, I was also working in the Student Support Center, and as part of working there, everyone had a laptop. We were also provided with Kensington cables. These locks were cheap (compared to the cost of a replacement laptop) and worked great... no one could walk past, grab the laptop and run. Something else we were responsible for was preparing assets for sale. Older computers that were no longer useful and not up to the college standard were sold off fairly cheaply. Prior to selling these computers, the hard drives were wiped; everything had DBAN run across it. It was policy to ensure that private data wasn't willingly passed on to others, and that every possible step was taken to ensure it also wasn't unwillingly handed out.
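Wiping a drive before disposal is only half of the policy; the other half is checking that the wipe actually covered the whole disk. The following is an added example, not code from the post and not DBAN's own verification, of a block-by-block audit over a drive image: a block counts as wiped if it is all zeros or has the high entropy of a random overwrite pass, and anything else is reported as suspect. The threshold, block size and the three constructed images are assumptions for this example.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096          # assumed audit granularity
RANDOM_FLOOR = 7.5    # bits/byte; uniform random 4 KiB blocks score ~7.95


def shannon_entropy(block):
    """Bits per byte: 0.0 for a constant block, up to 8.0 for uniform random data."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def classify_block(block, random_floor=RANDOM_FLOOR):
    """"zeroed" and "random" are both acceptable wipe results; anything with
    visible structure (low entropy, not all zeros) is "suspect"."""
    if block.count(0) == len(block):
        return "zeroed"
    if shannon_entropy(block) >= random_floor:
        return "random"
    return "suspect"


def audit_image(data, block_size=BLOCK):
    """Walk an image block by block; return per-kind counts and the byte
    offsets of suspect blocks so they can be inspected by hand."""
    summary = Counter()
    suspect_offsets = []
    for off in range(0, len(data), block_size):
        kind = classify_block(data[off:off + block_size])
        summary[kind] += 1
        if kind == "suspect":
            suspect_offsets.append(off)
    return summary, suspect_offsets


def pseudo_random_bytes(n, seed=b"example-seed"):
    """Deterministic stand-in for a random overwrite pass (SHA-256 hash chain),
    used only so the constructed images below are reproducible."""
    out = bytearray()
    h = seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed images: a fully random-wiped one, a zero-filled one, and one
# where the wipe skipped a block that still holds repeated plaintext.
WIPED_IMAGE = pseudo_random_bytes(8 * BLOCK)
ZERO_IMAGE = bytes(8 * BLOCK)
LEFTOVER_IMAGE = (WIPED_IMAGE[:3 * BLOCK]
                  + b"SSN=123-45-6789;" * (BLOCK // 16)   # one unwiped block
                  + WIPED_IMAGE[4 * BLOCK:])

if __name__ == "__main__":
    for name, img in [("wiped", WIPED_IMAGE), ("zeroed", ZERO_IMAGE),
                      ("leftover", LEFTOVER_IMAGE)]:
        summary, offsets = audit_image(img)
        print(name, dict(summary), "suspect at", offsets)
```

To use it on a real drive, read the block device in `BLOCK`-sized chunks instead of a bytes object. The check is a heuristic: a pass that writes a fixed non-zero pattern (which some DBAN methods do) will show up as "suspect" even though it was wiped, so the right policy is to know which method was run and to treat a non-empty suspect list as "look at these offsets", not as proof of leftover data.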

Right now, my biggest concern is that as companies focus on protecting physical assets again, they'll let the protection of their digital assets start to slip: that instead of working to find a balance, they'll swing from one extreme to the other. One thing I'm going to do in an effort to help with that is send an email off to our Director of IT as soon as I'm finished with this post. I'm going to ask him if he can pop over here and post a small write-up on what a proper laptop policy should look like.

Lastly, I'd like to turn this into a discussion. While my main goal was to provide some useful links, I also wanted to see discussion come of this, which is why I did more than just post the links. I'd like to remind everyone that our readers are always welcome to post their thoughts and criticisms and for those of you that would prefer something more anonymous, feel free to visit the nCircle poll which happens to be on the security of personal and confidential information.

About

This page contains a single entry from the blog posted on November 21, 2006 9:30 AM.
