Ohio Plans To Encrypt After Data Breach

Lucas123 writes "After a backup tape containing sensitive information on 130,000 Ohio residents, current and former employees, and businesses was stolen from the car of a government intern in June, the state government just announced it has purchased 60,000 licenses of encryption software — McAfee's SafeBoot — for state offices to use to protect data. It's estimated that the missing backup tape will cost Ohio $3 million. In September, the state docked a government official about a week of future vacation time for not ensuring that the data would be protected."

hindsight is 20/20

[Endloser]

People just won't learn that security should be proactive. Society is a very slow learner.

Backups Won't Be Encrypted

[nuxx]

Er, while this software encrypts data on the disk, it doesn't encrypt the backups. These will still be cleanly read from the disks and written out to tape.

What is my data doing outside anyway?

[Anonymous Coward]

Whether it's encrypted or not, why is sensitive data on employee laptops or in intern's cars?

How do you log and audit access to data to prevent abuses if you just hand out copies of databases?

How Long Before...

[Anonymous Coward]

...we see a story about 130,000 residence records locked and unavailable due to lost encryption passwords?

Brings me back to the question....

[ducomputergeek]

WTF is this stuff doing on laptops in the first place?

It seems logical to me that this kind of information should be on a centralized servers at a state office with managed firewalls and all the rest with only hardwired terminals allowed access with maybe a VPN set up for remote access if absolutely needed out in the field. I know wireless isn't 100% secure and no system is but that just makes logical sense to me.

And?

[Colin Smith]

Your problem is? They have been seen to have done something.
 

Re:A week's vacation?

[GodfatherofSoul]

Oh please. We've seen mistakes FAR bigger than this in the private sector with less or no consequences. And, if every software outfit canned its employees after a single mistake of whatever scale, there'd be a heck of a lot more turnover in IT.

What are these backup tapes, Kemo Sabe?

[igb]

You'll also be aware of the various rows here in England as the government displays its new networking technology: CDs and a courier. Most of us with medium-sized data farms (I herd about 50TB) are getting out of removable media as fast as we can. I've got 20TB of disk at the far end end of 30 miles of GigE, which with compression (all hail ZFS!) provides me enough space to keep copies of all the critical data, plus a few weeks of daily snapshots. My RPO is ``that day's work'' and my RTO is essentially zero: I can serve the data up over NFS from the replicas as easily as from the live systems. Obviously, some of it's better than ``that day'': the Oracle archive logs go straight over, and the Cyrus mail server will replicate live as soon as I can find the time to get it working. But we're only using tape now for monthly audit copies, and those can therefore safely stay in the machine room: the data replicates offsite, and then comes back into the tape silo monthly. A machine room fire costs us the audit copies: if I feel keen I'll start cloning those and sending them offsite. If I can scare up the budget and offsite space for a MAID then I can get out of tape entirely.

I Call Bullshit

[pseudorand]

Encryption is crap unless it's used by those trained to understand how it works and what it's limitations are, which I'm sure 60,000 employees will not be. What happens when an employee copies data to a USB disk or e-mails it to someone. If the software prevents this, it will be a major pain in the arse that will cost a lot more than $3 million in lost productivity. If it doesn't, then data will get stolen and everyone will say "no problem, it was encrypted", until massive identity theft cases force them to admit that not all copies were encrypted, but, because the guy in charge spent $3 Million, he'll argue that he did everything reasonable and no one will be held accountable. The real solution is to LIMIT ACCESS TO SENSITIVE DATA TO TRAINED EMPLOYEES WHO ACTUALLY NEED IT TO DO THEIR JOB. I can't imagine that there's 60,000 employees who actually need the personal information of 130,000 Ohio residents. I'm not saying it's obvious who needs what data, but $3 million would buy a lot of manpower to figure it out.

And what happened to Encrypted File System. You know, built-in to NTFS, complete with administrative recovery keys, doesn't cost $3 million? This sounds like just more government waste and McAfee marketing to me.

Isn't going to help

[belthize]

If they have 60,000 computers with 'sensitive' data on it then they're borked already.

      If they want to encrypt people's laptops/desktops then fine ... if they want to prevent
personal civilian data from leaking out they're off by a few orders of magnitude on the
extent of their distributed storage.

Belthize

Re:60,000 licenses?

[schneidafunk]

I know this is a terrible excuse, but paying for a solution *may* make the ignorant masses feel better.

taxpayer: "hey you could have prevented this disaster without spending an assload of money? WTF!"

Re:I Call Bullshit

[Starteck81]

Have you ever tired to teach a lot of non-technical people to follow security procedures? I work for a CPA firm that takes security pretty seriously. All of our hard drives encrypted. We have a secure webportal to transfer files instead of sending them via e-mail. We have encrypted usb thumb drives.

We have tried to train our employee's to use these tools so as to be secure but I still catch people sending things via e-mail and using unencrypted USB drives that they bought. It's not a huge percentage of people but it still happens and all it takes is one person not following the rules.

The point I'm trying to drive home is that at best you can only hope to mitigate your exposure to data theft. Encrypting your disks is a step in the right direction. As for your assertions that they use unencrypted USB drives and unencrypted e-mail well please sight a source that tells us for sure that they are unencrypted. Otherwise you're just making assumptions and we all know what happens when you do that...

Re:OpenBSD is the answer.

[pat mcguire]

The problem is that the government workers don't have the proper technical expertise. Security is only as strong as the weakest link, and even with Windows on the laptops the operating system is usually not the issue, the stupidity of people are. All OpenBSD would do is add another layer of security that the user would disable in order to save five seconds and the trouble of remembering a password. Secondly, OpenBSD's security is mostly directed at remote attacks, as the developers realize that there's no way to secure a computer in the hands of somebody else.

Horse gone - Elephant still in room

[toby]

Hmm... I wonder if they give a damn that their state-wide reliance on Windows is another accident waiting to happen.

Care about trojans, keyloggers, viruses, and all the other uncountable ways to lose confidential data, not to mention productivity?

Get rid of Windows as well. You'll never regret it.

Re:A week's vacation?

[syousef]

I work as a DBA in a nonprofit healthcare organization. If our backup guys lost a tape, and I hadn't bothered to check off the box in our database backup software that says "Encrypt: 256-bit AES", I would lose my job.

What you need to ask is what was the procedure and was the guy following it?

If it's standard procedure for this guy to carry unencrypted data around in his car, it's the guy setting policy/procedure that should be made responsible.

If it is standard procedure for you to encrypt your data, and you fail to follow that procedure you should be disciplined. Better still would be to find a way to make that little check box for encryption on by default. Even better would be to find a way to restrict export without encryption unless it's authorized by a second person. It shouldn't be easy for you to make a mistake that could cause you or your company massive damage.

Re:Wonder if McAfee payed them

[WhatAmIDoingHere]

Doesn't matter if it's carved into a brick of lead weighing 4 tons and can only be read by a half blind midget who is kept locked in a dungeon under the guard of five dragons.

The brick being stolen is a security breach, and the information that was carved into it is now to be considered 'out in the open.'

Security through obscurity? Get real.

Re:Backups Won't Be Encrypted

[palegray.net]

You make the assertion that this software won't encrypt the backups. Please answer the following questions:

1. What are your sources for that assertion?

2. Have you personally used the software?

3. Have you seen this page [safeboot.com]?

Next time, please think before posting. If you're 100% sure your original statement is valid, I'll gladly stand corrected and eat a healthy slice of humble pie.

Re:Wonder if McAfee payed them

[a_nonamiss]

According to your definition, there is a whole hell of a lot of data "out in the open." In Windows 2000/XP, it's reasonably difficult to encrypt your system drive and your pagefile. Even if you diligently keep 100% of your data on an encrypted volume, can you guarantee that no social security numbers were written to your pagefile? That data can be scraped, you know. Plus, if your computer is stolen, can you tell with any degree of confidence which records were in that pagefile? No? Then you have to assume that all of them were compromised.

Truthfully, the only perfect security is a computer that's disconnected from the Internet, underground, in a locked room turned off with all the hard drive cables removed. And even then, "they" can probably read the information from their satellites in space. In the real world, we need to make compromises.

All of our company backups are encrypted using 256-bit AES encryption. If one gets stolen, I can't "guarantee" that the data hasn't been compromised. After all, someone with a few billion^10 CPU cycles to spare could crack the encryption algorithm. Sure, AES is trusted by the Pentagon, but that doesn't mean it's 100% infallible. In fact, there's a calculable mathematical chance that someone could guess the encryption key on the very first try, even without a supercomputer. It's damn unlikely, but certainly not impossible.

So the question comes down to this: what level of risk are you prepared to accept? More importantly, what level of security are you willing to pay for? Security isn't free. "Perfect" security (like nuclear launch codes, where failure is absolutely not an option) is very expensive. Would you be willing to donate a couple thousand dollars of your own money (along with every other taxpayer) to replace all computers in the country with ones that have hardware-level encryption? Is that good enough? Most of our customers are small, non-profit organizations already run on a shoestring budget. Most of them can't afford to hire a proper secretary, let alone an IT specialist who knows how to use TrueCrypt and enforce security policies.

Listen, I'm not arguing against data security. If you knew me personally, you'd know I'm a very security conscious individual, but I'm saying that we need to be realistic. We need to spend a finite amount of money where it will do the most good. Those millions of dollars in Ohio put towards useless credit checks were funneled directly away from our customers' already meager budgets. My boss is a nice guy, but he needs to keep the company running, so he can't donate our services. That money could have been spent on education, or updated hardware, or proper disposal of old equipment. Put in perspective, there are breaches far more egregious than this one that happen every day, and I can say first-hand that they are usually the result of ignorance. Some people don't know it's not OK to save a SQL backup to a USB key and take it home. Some people don't know that you have to DBAN a hard drive before you throw the computer away. These are far more dangerous than a lost (and probably trashed) AS400 backup.

Re:Technological revolution has been far faster...

[stonedcat]

You're speaking of the people who can't be bothered to figure out how to set the clock on the vcr....

It's not that they can't adjust, it's that they don't want to adjust.
People are becoming stupider and lazier than any other period in modern history.
No one gives a shit how it works, just that it does what it's supposed to.
As our species moves forward into existence either they'll have to learn or be left behind.
It is no longer about survival of the fittest, it's about those who care and do not care.
I'd be happy to say those left behind would perish, but governments worldwide have enacted many laws and safety precautions which protect them from themselves.

We're doomed to cater to the stupidity and worthlessness of the masses well into the spaceage.

Re:And?

[barzok]

Sure, they did "something."

But they didn't address the problem that actually led to the breach. They're encrypting laptops, but it was backup tapes which were compromised. No mention of those getting encrypted.