
What can one do if sensitive data gets out into the open?

  • 01-12-2008 2:21pm
    #1
    Closed Accounts Posts: 48


    After the many recent examples of organisations losing laptops filled with highly sensitive data, a colleague and I were talking today about what could you do in such an event. I understand that you can take pre-emptive measures to reduce the risks, such as formal policy reviews/implementation, system/network security, etc, but what if you have all that in place and somewhere along the line a vulnerability is exploited and you lose control of the access to sensitive data that is your responsibility to protect.

    I know the example above is quite abstract, so to give a hypothetical example. If you or I had simple word documents or spreadsheets (hard or soft copies) and an unauthorised party got their hands on a copy of them (or worse, the only copy of them), what could you do to retain control.

    My argument is that once the data is gone it's gone, and you have to immediately consider that information public knowledge, whilst reviewing your current security policies and procedures to patch the weaknesses that were exploited. Can anyone here say that there are ways to perhaps invalidate stolen data so that they are useless if stolen or in the wrong hands. I'm also making the assumption that if data is encrypted, given enough time the thieves will be able to access it. So essentially encrypted data is simply public knowledge which will be known in time and there is nothing you can do about it.

    What would you do if you were in the shoes of government agencies or anyone who could lose or has lost highly sensitive data?


Comments

  • Registered Users, Registered Users 2 Posts: 1,456 ✭✭✭FSL


    If any of the data is personal you ought to be legally obliged to inform all those concerned what the data was and the date it was last known to be in your possession, and if known the circumstances leading to its loss.

    Presumably there are obligations under the data protection act.

    If the data is commercially sensitive then you ought to make the loss known to the relevant personnel in the organisation in order that they can take action to alleviate any commercial consequences.

    I personally believe a legal obligation should exist even if the chances of the data falling into anybody's hands is remote. For example losing a laptop over the side of a ferry in the middle of a sea crossing.


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    ontheway wrote: »
    After the many recent examples of organisations losing laptops filled with highly sensitive data, a colleague and I were talking today about what could you do in such an event. I understand that you can take pre-emptive measures to reduce the risks, such as formal policy reviews/implementation, system/network security, etc, but what if you have all that in place and somewhere along the line a vulnerability is exploited and you lose control of the access to sensitive data that is your responsibility to protect.

    I know the example above is quite abstract, so to give a hypothetical example. If you or I had simple word documents or spreadsheets (hard or soft copies) and an unauthorised party got their hands on a copy of them (or worse, the only copy of them), what could you do to retain control.

    My argument is that once the data is gone it's gone, and you have to immediately consider that information public knowledge, whilst reviewing your current security policies and procedures to patch the weaknesses that were exploited. Can anyone here say that there are ways to perhaps invalidate stolen data so that they are useless if stolen or in the wrong hands. I'm also making the assumption that if data is encrypted, given enough time the thieves will be able to access it. So essentially encrypted data is simply public knowledge which will be known in time and there is nothing you can do about it.

    What would you do if you were in the shoes of government agencies or anyone who could lose or has lost highly sensitive data?

    This is indeed a very abstract question, so my reply will be quite generic and abstract.
    Obviously, first and foremost, any responsibilities to those who may have been harmed by the loss must be dealt with, any legal or ethical obligations taken care of etc. I'm not going to talk about the legal or ethical steps you should take, as I don't think that's the thrust of your question.


    One point to mention, you say encrypted data is simply public knowledge in time. If whatever encryption you are using is properly chosen and implemented, this should not be the case in practice. If a well locked down laptop, with a strongly encrypted full disk encryption was lost/stolen, I wouldn't be too worried about the data on it being compromised, not in a commercial setting. It really shouldn't be compromisable in relevant time frames. If a random thief steals a laptop, or random punter finds a stolen laptop with proper whole disk encryption I wouldn't say you have much to worry about (apart from that they stole it in the first place, obviously!)

    Can anyone here say that there are ways to perhaps invalidate stolen data so that they are useless if stolen or in the wrong hands.
    Short of a DRM/trusted computing type solution, or some sort of a system whereby connection to a server was required to download short term decryption keys to view the document etc, then from one point of view, no.


    But there might be things you can do to mitigate the damage of the sensitive data becoming public. I will try and make some suggestions for consideration, in the abstract. This will obviously depend on the specifics of the business situation, but in general, a good thing to do is arrange a meeting with the affected parties, and proactively plan a response, and put contingencies in place. Some general hypothetical examples to give a flavour of possible responses might be:

    * If you lost data containing credentials, have the credentials changed, inform admins to watch out for suspicious network activity, maybe set up honeypots for the old credentials (depending on the specifics of the laptop loss).

    * If you lost data containing business strategies that might benefit a competitor (eg product roadmap laptop goes missing at a trade conference or marketing department loses laptop with next 2 years marketing strategy on it), notify the relevant people that competitors might now have those strategies, in case they wish to modify things accordingly - for example, they might want to bring forward the roadmap, put in place an alternative marketing plan in case competitor starts preempting, etc.

    * If it contains details of a new product launch, they might want to bring forward the press release, preempting damage done by the leak/rumour/speculation.

    * One real world example of trying to gain some benefit from a leak might be when Valve's source code went missing for HL2. They had to delay the release of the game as a result, but a skeptic might claim that they also used the leak to deflect bad sentiment for already necessary delays; in engaging with their customers, and going public over the leak, they probably came away better from a bad situation than had they stayed silent.

    Any course of action depends on the specifics of what went missing, and the specifics of the business in question.
    But don't just sit on hands and hope no one notices; communicate the loss to the concerned parties, plan the best response, and deal with problems before they arise.
    What would you do if you were in the shoes of government agencies or anyone who could lose or has lost highly sensitive data?
    Not working in 'government agencies' any speculation I might make might seem a bit naive. But I will point out that compromise of highly sensitive data in the past (eg ww2) has been mitigated by campaigns of disinformation, 'leaking' of fake data etc.


  • Registered Users, Registered Users 2 Posts: 9,957 ✭✭✭trout


    I've worked on 'response plans' in the past ... in terms of following existing plans, or crafting/amending new ones in reaction to a particular incident.

    It's very hard to give a good answer to such a broad question.

    You might find this site / FAQ to be useful, although it is not exactly bedtime reading.

    http://www.cert.org/csirts/csirt_faq.html#15

    CERT has a bias towards online or internet centric security - you might find more applicable reading for your situation on the SANS site ... www.sans.org ... go to the reading room and search for whitepapers on 'Incident Response'
    I'm also making the assumption that if data is encrypted, given enough time the thieves will be able to access it.

    Yes / No / Maybe so ... it depends entirely on the type of encryption, length of keys, and how well it has been applied, and how well passwords / passphrases have been protected and shared.

    Strictly speaking ... you are correct. In theory any of the encryption schemes can be brute forced, given sufficient time and sufficient hardware. This comes at a cost. The cost is significant.

    There are dedicated hardware kits in existence today that make a mockery of legacy encryption such as DES - the EFF Deep Crack machine cracked DES keys in a matter of days in the late 1990's. There are other purpose built devices such as the multi-core COPACOBANA machine built by German academics for cryptanalysis & AES cracking research. AFAIR it has over 100 uncommitted processors working in parallel.

    The key here (excuse the pun) is sufficient time. 64 bit keys can be cracked in days / weeks with existing and widely available hardware.

    Longer keys will take exponentially longer to crack - 80 bit keys will be considered obsolete by 2015 if current hardware trends continue.

    Current thinking is 128 bit AES keys require 10^13 years to brute force with today's hardware ... which is longer than the accepted (estimated) age of the Universe.

    Where this starts to get fuzzy is purpose built machines, like COPACOBANA, or grid / distributed / parallel computing - but the pointy heads all agree on the orders of magnitude - many many billions of years of computing time.

    It may be the effort required to implement a brute force attack on a properly encrypted device is out of the reach of most criminals, and even most governments.

    In practice I use 256 bit AES encryption to protect sensitive data for work ... through the magic of a well known ZIP tool :)

    Sorry for the long post ... I got carried away


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    It may be the effort required to implement a brute force attack on a properly encrypted device is out of the reach of most criminals, and even most governments.

    Realistically, in a business setting, if you are talking about an encrypted laptop getting lost/stolen, unless there's a pretty elementary mistake in the encryption setup, or a bug comes to light in the encryption software, you don't need to worry about your sensitive data being read.

    Anyone with the kind of resources that can even consider mounting an attack on modern, strong encryption will have several vastly easier ways of getting the data they want.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    trout wrote:
    Longer keys will take exponentially longer to crack - 80 bit keys will be considered obsolete by 2015 if current hardware trends continue.

    Current thinking is 128 bit AES keys require 10^13 years to brute force with today's hardware ... which is longer than the accepted (estimated) age of the Universe.
    ...
    Don't forget that botnets with 300,000 machines have been found
    This means they can do a year's worth of number crunching in 10 seconds.

    CPU's exist that can process 64 threads at a time , GPU's can be hundreds of times faster than CPU's for some tasks.

    Many algorithms have been found to be weaker than first thought, speed ups here include stuff like cracking WEP in 3 minutes on one CPU a few years ago, to the point where breaking the security on WIFI takes less time than associating with the AP and getting a DHCP address.

    This means that when someone says it will take X years to break with today's technology you can change that to seconds.

    Some data like stock market quotes are freely available after 15 minutes so not a biggie.
    Other data like the fingerprints of Wolfgang Schäuble, the German Home Secretary can't be changed http://www.theregister.co.uk/2008/03/30/german_interior_minister_fingerprint_appropriated/



  • Closed Accounts Posts: 2,055 ✭✭✭probe


    Why put any private/confidential/secret information at risk on a laptop, ever?

    Instead keep it on a secure server in the organisation's office - with as much physical and online access control and connection encryption technology as is economically necessary in the circumstances to control access. This reduces the quantity of sensitive data that could be lost in the event of theft of a laptop to zero (especially if you are using software running in something like Sandboxie to prevent caching in the PC).

    People build up stuff in their laptops over time, and one day the machine gets lost/stolen, and there is very little one can do to undo the potential damage. If instead they had to work in a secure online mode with company data when out of the office, the risks would be minimised. If the data is important enough, the company can probably get its hands on military grade encryption for the communications connection. EADS use military encryption from Thales / Matra for communications to prevent the Americans from stealing their Airbus aircraft technology development work in progress.

    One can deploy multi-factor encryption involving a combination of smart cards, finger print readers, passphrases and other devices to control access.

    Even if one didn't trust all this access control, one could have someone assigned in the office to plug in and plug out a USB hard drive containing the ultra secret company information, when they receive a phone call from the party who wants to access the data online. Assuming both individuals knew each other personally, it would guarantee that the data wouldn't even be accessible online except when it is required by an authorized verifiable person.

    I suspect the so called "intelligence agencies" don't allow their spies to carry laptops with top secret stuff. It is all kept in bunkers at the command centre, and they access it over encrypted communications links - via satellite if necessary.


  • Registered Users, Registered Users 2 Posts: 9,957 ✭✭✭trout


    Don't forget that botnets with 300,000 machines have been found
    This means they can do a year's worth of number crunching in 10 seconds.

    CPU's exist that can process 64 threads at a time , GPU's can be hundreds of times faster than CPU's for some tasks.

    Yes - I made the same point about purpose built devices, including one built around FPGAs in the next paragraph in my post.

    With regards to botnets and number crunching, I don't know ... the botnets I've read about lend themselves to a variety of purposes such as DDoS, spam, data gathering / keylogging or routing distributed traffic such as P2P data or even Skype ... but I've not read or heard about a botnet that lends itself to massively parallel computing for such a specific purpose as cracking AES encryption.

    I'm not saying it can't be done, or isn't being done ... I just don't think it's trivial to implement, or all that common for such a specific purpose.

    Your point certainly holds true for grid or massively parallel machines - either purpose built or generic grids configured for a specific purpose ... and if criminals can get their hands on that kind of computing power ... I shudder to think.

    Still, your point is well made. All encryption schemes are susceptible to brute force, given enough time and hardware resources ... but this comes at a cost.

    It's very hard to quantify that cost, but I'm sure the botnet controllers charge for their time. It's a business now :)
    probe wrote: »
    Why put any private/confidential/secret information at risk on a laptop, ever?

    I've asked that question many times ... as soon as I hear a reasonable answer, I'll let you know. Don't hold your breath.


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    Current thinking is 128 bit AES keys require 10^13 years to brute force with today's hardware ...
    Originally Posted by Capt'n Midnight
    Don't forget that botnets with 300,000 machines have been found
    This means they can do a year's worth of number crunching in 10 seconds.
    Still, your point is well made. All encryption schemes are susceptible to brute force, given enough time and hardware resources ... but this comes at a cost.

    I'm not sure it makes sense to think about botnets or grids in this class of analysis. So, if you have a 3 million machine botnet, you can do a year's crunching in 10 seconds.
    Even with this many machines, you're still talking 10^8 years to break your 128bit AES, based on the above stat - 100 million years. Even dropping it another few orders of magnitude due to unknown factors, it's still not worth talking about botnets. I'm not sure about the numbers for hardware based solutions, but I think they are in a similar magnitude range. If you were really worried about things like this, just increase the key strength to 256bit and you really don't have to worry.


    If you were talking about new mathematics becoming available, or new science, such as quantum computing, changing how we think about computational complexity, then, yes, there are threats to schemes that are secured by computational complexity - but why talk about large botnets and grids then - all bets are off.
    All encryption schemes are susceptible to brute force, given enough time and hardware resources ... but this comes at a cost.
    Well, there's always one time pads etc - costly to deploy, not practical for commercial settings, but if you're going to start talking about million machine botnets and spies that's the kind of territory you're in - pretty sure I read supposition somewhere (Schneier?) that they used one time pads in USA-USSR comms and settings like that.
    Originally Posted by probe
    Why put any private/confidential/secret information at risk on a laptop, ever?
    I've asked that question many times ... as soon as I hear a reasonable answer, I'll let you know. Don't hold your breath.
    The reasonable answer is very simple: The overall benefit of putting the sensitive information in such a position of risk, outweighs the consequences of the data being stolen, factoring in the likelihood of it being stolen.
    Not being facetious, but this happens all the time.

    Losing next year's marketing plan might cost the firm 50k of competitive advantage, with the chances of losing it from the well secured laptop estimated at .1% (to use a naive way of modeling risks for sake of brevity) and the benefit to having the head of marketing have the plan on her laptop at each conference is estimated at 40k in operational efficiency, etc etc. so the benefits outweigh the bad consequences when the likelihood of the bad consequences is taken into account. (without getting into risk analysis, I'm not saying it's as simple as multiplying the damage by the probability or anything as naive as that).

    I'm going to stick my neck out here and say that this is both a completely reasonable answer, and the only reasonable answer.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    fergalr wrote: »
    The reasonable answer is very simple: The overall benefit of putting the sensitive information in such a position of risk, outweighs the consequences of the data being stolen, factoring in the likelihood of it being stolen.
    Not being facetious, but this happens all the time.

    Losing next year's marketing plan might cost the firm 50k of competitive advantage, with the chances of losing it from the well secured laptop estimated at .1% (to use a naive way of modeling risks for sake of brevity) and the benefit to having the head of marketing have the plan on her laptop at each conference is estimated at 40k in operational efficiency, etc etc. so the benefits outweigh the bad consequences when the likelihood of the bad consequences is taken into account. (without getting into risk analysis, I'm not saying it's as simple as multiplying the damage by the probability or anything as naive as that).

    I'm going to stick my neck out here and say that this is both a completely reasonable answer, and the only reasonable answer.

    I'm not concerned with "marketing plans". I am concerned with employees of government agencies and banks and any other organisations that collect personal information on people allowing their employees to download datasets into notebook computers and take them around the place.

    The weakest link in encryption is the password. Virtually any password that someone can remember can be cracked by for example a dictionary or brute force attack.

    For encryption to work properly you need multi-factor authentication, and very few organisations in Ireland (or in other English speaking countries) seem to be using it.

    Forget AES-128, you could have AES-4096 (if there was such an animal), and if you used a non complex password (eg "manchesterunited" rather than "qxEKY:u+0LQ>ATIVbyWhrVQ#>^it#*\pj*!d7V_cm\=u*z3~[qUjMK2.+M^"RFk", assuming your laptop had 10 or 100 million payment card numbers and related personal information, I have no doubt that there are people in the business who would be able to gain access to the data. Few people would be able to remember and enter "qxEKY:u+0LQ>ATIVbyWhrVQ#>^it#*\pj*!d7V_cm\=u*z3~[qUjMK2.+M^"RFk" with ease, which is one of the reasons why one needs multi-factor authentication devices.

    The idea of letting employees take large datasets of personal information around in notebook computers is negligent in the extreme. Any organisation found engaging in this practice should be shut down, if they fail to stop the practice. Period.


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    I'm not concerned with "marketing plans". I am concerned with employees of government agencies and banks and any other organisations that collect personal information on people allowing their employees to download datasets into notebook computers and take them around the place.
    assuming your laptop had 10 or 100 million payment card numbers and related personal information

    Woah, hold on a moment - your original question was:
    Originally Posted by probe
    Why put any private/confidential/secret information at risk on a laptop, ever?

    in the context of mitigating the loss of sensitive information, generally.

    You didn't say:
    "Why put the [nuclear codes]|[cataclysmic dataset that we absolutely can't lose]|[full personal data of 100million customers] at risk on a laptop, ever"

    These are two very different questions, of course.

    Obviously, if the consequences of losing something are severe enough, you shouldn't subject it to the risk of being on a laptop - even a well secured one - perhaps as much because you might not want to trust the single employee that owns the laptop with 100million payment card numbers, as anything to do with the crypto system.
    This stuff should be stored in a secure data centre somewhere, and not allowed out.
    Or, if the consequences are really really bad enough, just deleted.


    But I was just outlining a set of situations in which sensitive data should be allowed on laptops - the situations where the benefits of having it there, to all parties, outweigh the consequences and risks of losing it.

    If it's data that you absolutely can't lose, which is the scenario you refer to, rather than data that's merely sensitive, it's a different story.
    For encryption to work properly you need multi-factor authentication
    Don't agree here - it might be good and desirable in many situations, adding extra layers of security, but I think that statement is too strong? I've seen encryption deployed in plenty of situations where it adds a lot of security, but still isn't multifactor.
    The weakest link in encryption is the password.
    What the weakest link is depends on the system in question, that statement is really too general to be really true, but I assume you're just pointing out that whatever token(s) are used have to be sufficiently strong to not compromise the system; yes, of course they do.
    Virtually any password that someone can remember can be cracked by for example a dictionary or brute force attack.
    "Thegreeneggfishswamdailyoverthebluemoonin1792untilthebluebirdscameandatethemallupThetimehascomethewalrussaidtotalkofmanythings"
    etc.

    I'm pretty sure people can come up with things that are much easier to remember than the example you gave, but that are still not going to succumb easily to a dictionary or a brute force attack. I haven't done the numbers of brute forcing nonsense phrases, but there are a lot of English words.

    More factors might well be better, just disagreeing with the generality and breadth of your statement.
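
The two arguments running through the thread (how much a 300,000-machine botnet shortens a key search, and whether the password rather than the AES key length sets the real strength) can be put on one scale. This is an added example, not part of any post in the thread; the per-machine rate, the 10-million-entry guessing list, the 7,776-word list, the 64-character length and the 100,000 key-derivation iterations are all constructed assumptions, and only the 300,000-machine figure comes from the thread.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_chars_bits(length, alphabet_size):
    """Secret whose characters are each drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def random_words_bits(n_words, wordlist_size):
    """Passphrase whose words are each drawn uniformly at random from a list."""
    return n_words * math.log2(wordlist_size)


def listed_secret_bits(list_size):
    """Secret that already appears in a guessing list of this many entries."""
    return math.log2(list_size)


def effective_bits(key_bits, secret_bits, kdf_iterations=1):
    """Work an offline guesser faces, in bits.

    The guesser searches whichever is smaller: the cipher key space or the
    space the secret was drawn from. Key stretching multiplies the cost of
    each secret guess, which adds log2(iterations) bits to the secret side.
    """
    return min(key_bits, secret_bits + math.log2(kdf_iterations))


def parallelism_bits(machines):
    """Bits of work that N machines in parallel remove from a search."""
    return math.log2(machines)


def years_to_exhaust(bits, ops_per_second, machines=1):
    """Expected years to find the secret (half the space on average)."""
    return 2.0 ** (bits - 1) / (ops_per_second * machines) / SECONDS_PER_YEAR


def compare(ops_per_second=1e9, machines=300_000, kdf_iterations=100_000):
    """Return (scenario, effective bits, expected years) for each case."""
    scenarios = [
        # (name, cipher key bits, secret bits, KDF iterations)
        ("AES-128, random key", 128, 128, 1),
        ("AES-256, secret found in a 10M-entry guessing list",
         256, listed_secret_bits(10_000_000), kdf_iterations),
        ("AES-256, 6 random words from a 7,776-word list",
         256, random_words_bits(6, 7776), kdf_iterations),
        ("AES-256, 64 random printable characters",
         256, random_chars_bits(64, 94), kdf_iterations),
    ]
    rows = []
    for name, key_bits, secret_bits, iters in scenarios:
        bits = effective_bits(key_bits, secret_bits, iters)
        rows.append((name, round(bits, 1),
                     years_to_exhaust(bits, ops_per_second, machines)))
    return rows


if __name__ == "__main__":
    print(f"300,000 machines remove {parallelism_bits(300_000):.1f} bits")
    for name, bits, years in compare():
        print(f"{name:52s} {bits:6.1f} bits  {years:.3g} years")
```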


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    fergalr wrote: »
    Woah, hold on a moment - your original question was:


    in the context of mitigating the loss of sensitive information, generally.

    You didn't say:
    "Why put the [nuclear codes]|[cataclysmic dataset that we absolutely can't lose]|[full personal data of 100million customers] at risk on a laptop, ever"

    These are two very different questions, of course.

    Obviously, if the consequences of losing something are severe enough, you shouldn't subject it to the risk of being on a laptop - even a well secured one - perhaps as much because you might not want to trust the single employee that owns the laptop with 100million payment card numbers, as anything to do with the crypto system.
    This stuff should be stored in a secure data centre somewhere, and not allowed out.
    Or, if the consequences are really really bad enough, just deleted.


    But I was just outlining a set of situations in which sensitive data should be allowed on laptops - the situations where the benefits of having it there, to all parties, outweigh the consequences and risks of losing it.

    If it's data that you absolutely can't lose, which is the scenario you refer to, rather than data that's merely sensitive, it's a different story.


    Don't agree here - it might be good and desirable in many situations, adding extra layers of security, but I think that statement is too strong? I've seen encryption deployed in plenty of situations where it adds a lot of security, but still isn't multifactor.


    What the weakest link is depends on the system in question, that statement is really too general to be really true, but I assume you're just pointing out that whatever token(s) are used have to be sufficiently strong to not compromise the system; yes, of course they do.


    "Thegreeneggfishswamdailyoverthebluemoonin1792untilthebluebirdscameandatethemallupThetimehascomethewalrussaidtotalkofmanythings"
    etc.

    I'm pretty sure people can come up with things that are much easier to remember than the example you gave, but that are still not going to succumb easily to a dictionary or a brute force attack. I haven't done the numbers of brute forcing nonsense phrases, but there are a lot of English words.

    More factors might well be better, just disagreeing with the generality and breadth of your statement.

    Mobile data solutions are so prevalent today, why bother carrying around information? Aside from the risk of loss, in a corporate environment most information is constantly changing and needs to be kept up to date. If you have a single copy on a central server, everybody will be singing from the same hymn sheet.

    If you allow people carry around one type of information, in a matter of time other, more sensitive, stuff will find its way on mobile devices too.

    "Thegreeneggfishswamdailyoverthebluemoonin1792untilthebluebirdscameandatethemallupThetimehascomethewalrussaidtotalkofmanythings"
    type passwords aren't practical. They will meet heavy user resistance as people get timed out during phone calls and meetings for example, and are forced to re-enter them every time.

    Everybody is familiar with multi-factor authentication. It is built into your mobile phone (the SIM card = something you have, and the PIN is something you know). The same goes for an EMV Visa or Mastercard. You get three attempts to enter a short password (eg a PIN) and if you get them wrong you get locked out. There are other cheaper multi factor authentication schemes with free open source software, whose only cost is a cheap USB memory key.

    Why build motorways without service areas and interchanges? Ultimately you will have to go back and buy land and build them n years after the motorway opens and it will cost zillions.

    The same applies to computer security. Do it properly, using best practice solutions from the outset. The "if sensitive data gets out in the open" will never arise if you do - or at least you are reducing the probability to close to zero. TJX's computer security breach cost them several hundred million dollars. It would have cost them very little to engineer their systems to eliminate the risk if they did the job properly from day one.

    You are signing a blank cheque if you allow employees out of the office with any data stored in their PC or mobile device, because you don't know where it will end up at the end of the day. And which bastard will take exception to your negligence, and take you to the cleaners. ;)


  • Closed Accounts Posts: 2,039 ✭✭✭rmacm


    probe wrote: »
    I'm not concerned with "marketing plans".

    You're not but businesses are concerned with "marketing plans" and the loss of such may be worth considering for them. Through a relation or two I know a few businesses that would be quite concerned about marketing plans becoming public knowledge.
    probe wrote: »
    Mobile data solutions are so prevalent today, why bother carrying around information?

    I've got a number of colleagues who frequently travel to areas of Africa where access to the corporate network isn't practical so they need to carry confidential information around with them....ok it isn't credit card numbers or customer data but it is stuff that the company they (I) work for would consider sensitive.
    probe wrote: »
    Everybody is familiar with multi-factor authentication. It is built into your mobile phone (the SIM card = something you have, and the PIN is something you know). The same goes for an EMV Visa or Mastercard. You get three attempts to enter a short password (eg a PIN) and if you get them wrong you get locked out.

    Using multi factor authentication doesn't necessarily equal familiarity with such technology. People use it because that's what they're told to do rather than out of any knowledge of why it makes things more secure.
    probe wrote: »
    Why build motorways without service areas and interchanges? Ultimately you will have to go back and buy land and build them n years after the motorway opens and it will cost zillions.

    Because it's cheap and we love doing things on the cheap in Ireland.
    probe wrote: »
    The same applies to computer security. Do it properly, using best practice solutions from the outset. The "if sensitive data gets out in the open" will never arise if you do - or at least you are reducing the probability to close to zero. TJX's computer security breach cost them several hundred million dollars. It would have cost them very little to engineer their systems to eliminate the risk if they did the job properly from day one.

    You are signing a blank cheque if you allow employees out of the office with any data stored in their PC or mobile device, because you don't know where it will end up at the end of the day. And which bastard will take exception to your negligence, and take you to the cleaners. ;)

    Agreed, however you have to deal with idiots a lot of the time. Of course there's always a trade off, companies will weigh the risk of losing information on laptops against not having that information in the field when required by people and if the benefit outweighs the risk you can see which decision they're going to make.


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    rmacm wrote: »
    Of course there's always a trade off, companies will weigh the risk of losing information on laptops against not having that information in the field when required by people and if the benefit outweighs the risk you can see which decision they're going to make.

    Yeah, this is the point I'm trying to make, that this is the justification for carrying the sensitive data around.

    Regarding storing everything on the server, as probe says; well, nevermind Africa, plenty of parts of Ireland still don't have sufficient broadband access to allow everything be streamed on demand from the server.
    The same applies to computer security. Do it properly, using best practice solutions from the outset. The "if sensitive data gets out in the open" will never arise if you do - or at least you are reducing the probability to close to zero.
    The thing is, while I agree with this from an idealistic, technical, point of view, as an engineer, and from business experience, this just isn't always a relevant realistic standpoint.

    There's a lot of businesses where if they build everything properly, using best practice solutions, from the outset, as you say, they'll have a very secure infrastructure but no business - because the resources sunk into these systems (and everything else that has to be built properly from the start) sink the business.
    This is an unfortunate reality of running a business - when you are first establishing procedures and infrastructure, you are rarely in a situation where it makes financial sense to properly secure everything, build everything, etc.


    I'm not talking here about the 'nuclear codes' scenario, where it doesn't matter how much resources you have to throw at it, as long as it's secure, or a scenario where you have another ultimately important reason to not lose the data (eg, an ethical responsibility of some sort to other stakeholders); but in most business cases, where the sensitive data is 'marketing plans' or 'last year's sales data' or whatever, cost/benefit analysis has to be done.
    And sometimes the sensitive data is worth risking, by bringing it around on laptops, because of the business benefit arising from bringing it around.
    Why is this basic business reality apparently so hard to grasp for some security people?


  • Closed Accounts Posts: 10,898 ✭✭✭✭seanybiker


    Have handy security on my phone. If phone gets stolen I simply text my password and whichever command I want to do and the phone will do it. If I want to delete everything off the memory it only takes a simple text. Handy to have.


  • Closed Accounts Posts: 2,039 ✭✭✭rmacm


    fergalr wrote: »
    Yeah, this is the point I'm trying to make, that this is the justification for carrying the sensitive data around.

    Regarding storing everything on the server, as probe says; well, nevermind Africa, plenty of parts of Ireland still don't have sufficient broadband access to allow everything be streamed on demand from the server.

    Oh I agree, a huge amount of the reasoning behind myself and others I work with carrying sensitive data around is the lack of a reliable connection back to the corporate network wherever we end up (ok for me it's not a huge issue because if I did travel most of my work would be in Europe) but for some colleagues who work in Africa most of the time this tends to be a problem.
    fergalr wrote: »
    The thing is, while I agree with this from an idealistic, technical, point of view, as an engineer, and from business experience, this just isn't always a relevant realistic standpoint.

    I think (or at least I'd like to think) that this is the position a lot of businesses would approach things from. Fair enough if you're dealing with credit card numbers, these shouldn't be allowed to be let out on employee laptops but this isn't the be all and end all of things. There are businesses I know and have worked that would be far enough away from the (end) customer not to have these sort of details available to them but they would have what they consider sensitive information on employee laptops.

    When a company does that of course you'd expect them to implement something like Pointsec on the laptops to provide some measure of security. I'd hope that the companies have done some kind of cost/benefit analysis on losing this type of information and have come out in favour of allowing employees to carry it around. Of course at that stage you're into the realm of trusting other people which may not be a good idea.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    seanybiker wrote: »
    Have handy security on my phone. If phone gets stolen I simply text my password and whichever command I want to do and the phone will do it. If I want to delete everything off the memory it only takes a simple text. Handy to have.

    That's assuming they leave your SIM card in the phone. Chances are they will put a new SIM card in the phone, which will give it a different number, and you won't be able to make contact to zap it.

    I've had a few phones stolen over the years (eg once from a car, while I was filling it up with fuel - I was entering my payment card PIN into the keyboard at the pump with my back to the car and the phone vanished). Nobody ever made a call using my SIM card.

    The IMEI blocking system run by the GSM cartel seems to be almost totally useless.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    rmacm wrote: »
    You're not but businesses are concerned with "marketing plans" and the loss of such may be worth considering for them. Through a relation or two I know a few businesses that would be quite concerned about marketing plans becoming public knowledge.

    My point is that I am concerned about my personal ID info, bank account, card numbers etc. I want businesses to look after these. I have no doubt that they will take care of their "marketing plans". If they don't, they deserve to suffer the consequences. I don't want to suffer the consequences of their incompetence by having my credit rating trashed which takes me years to fix, as a result of business or government or some other organisation's incompetence.
    I've got a number of colleagues who frequently travel to areas of Africa where access to the corporate network isn't practical so they need to carry confidential information around with them....ok it isn't credit card numbers or customer data but it is stuff that the company they (I) work for would consider sensitive.
    Nothing to stop them using open source or proprietary security for these data. If they consider the information sensitive, they do what they feel is necessary to protect it.

    When I suggest keeping stuff centralised, online, accessed by secure multi factor authenticated communications, I mean for personal data held by financial institutions, government agencies, and similar.

    If someone has a plan to turn sea water into diamonds on their PC, it is up to themselves and the organisation they work for to enforce security measures that meet their requirements.

    The more people are forced to go online to access work related data, the better the infrastructure will become. I've come across several business executives in lounges at Irish airports over the past year or so (not exactly the African jungle) who were unable to connect to their corporate network over a VPN due AFAICS to port blocking by a large British telco (this is who one guy told me blocked his connection attempts, after stealing probably €20 from his credit card for using the access point) on their public WiFi networks in Ireland.

    The same problem arises if they use 3G mobile data connections with various carriers. The only reason I can think that telcos want to block VPN connections to pharmaceutical companies and similar home networks is that they are actively snooping on the traffic for some reason? They are trying to force employees to log into their networks in the clear. Corporate espionage? Feeding ECHELON...... with European companies' proprietary information....?

