Protect Confidential Data - Embrace Encryption #identitytheft #foss

Update 05/28/2014 - TrueCrypt is now defunct

Keka, a 7zip compression AND encryption utility for Mac OS X+

One of the interesting questions I've run into over the last few years--with no satisfactory answer--involves what school districts can do about unencrypted, confidential data. When I raised the issue in one district, the response was, "We'd have to implement an enterprise-level encryption solution." Of course, that never happened and data continues to be unencrypted and saved on laptops, netbooks, USB flash drives, external hard drives, etc.

For me, personally, this point has been driven home in the sense that every member of my immediate family--as well as my 82-year old mother, a retired educator--except my 12 year old son has had their confidential data compromised due to a data breach. Whether it was someone at the TRS, or at my daughter's high school, confidential data has found its way out to the world through a failure to encrypt data and keep it secure.

While privacy is often over-rated in our increasingly connected world, identity theft remains a rampant problem with real fiscal and social consequences. Two questions come to mind, such as 1) What approach has your District taken to secure confidential data? and 2) What response plan does your District have in place?

1) What approach has YOUR District taken to secure confidential data--including professional development--and have you empowered school district administrators and staff to use free, open source encryption tools like those I reference in the blog entry below?

To quickly revisit my recommendations, I suggest individuals do what their organizations have failed to do--learn how to encrypt data. It's not difficult.

There are 3 approaches you can use, which include the following:
  1. Use 7zip to compress and encrypt (using a password) your files, either individually or en masse (like a folder). 7zip employs AES-256 encryption for its password security (of course, you have to have a tough to crack password).

    Consider this piece of information: 7-Zip also supports encryption with AES-256 algorithm. This algorithm uses cipher key with length of 256 bits. To create that key 7-Zip uses derivation function based on SHA-256 hash algorithm. A key derivation function produces a derived key from text password defined by user. For increasing the cost of exhaustive search for passwords 7-Zip uses big number of iterations to produce cipher key from text password. (Read Source)

    Here are some specific suggestions for 7zip programs (all free, open source):
    1. On Windows, use 7zip.org compression tool.
    2. On Macintosh, use Keka, a wonderfully "new" 7zip tool for Macintosh that should replace your compression utilities.
  2. Use TrueCrypt.org to create a "locked" box of any size you wish. Into this locked box, you can place sensitive files and protect them. This works for Windows, Macintosh and Linux.
  3. Give AESCrypt.com a try. This is my favorite solution for quickly encrypting files, especially on Windows since it has right-click possibilities. Unfortunately, you will have to use the command line on Linux and Mac...as such, Mac users clinging to their precious GUI ;-) may want to stick with Keka or Truecrypt.
Finally, if you don't think you can remember all these passwords, use Keepassx--which you can put on Dropbox.com and access them from your phone--to store your passwords. That way, you can easily keep track of all your top-secret passwords and not have them written down on post-it notes or have them taped to your desk. Keepassx is easy to use encrypted database that works on Mac, Windows, Linux, iOS (e.g. iPad/iTouch), and Android devices.

How do you handle principals who backup ALL their work data to an external USB drive, take it home, without really giving thought to the fact that they are storing confidential data unencrypted on that drive?

In one school district I happened to work in, securing confidential data was a powerpoint presentation like the following one embedded in a Moodle course management system. Is such a presentation sufficient? You be the judge. In the meantime, what has YOUR district/school done?


Some quick facts that have only gotten worse with time:

  • More than 600,000 laptop thefts occurred in 2004, totaling an estimated $720 million in losses and totaling an estimated $5.4 billion in theft of proprietary information. **Source**: Safeware Insurance, 2004
  • 73% of companies do not have specific security policies for their laptop computers. **Source**: Gartner Group, 2003
  • Informal surveys show that thieves are intent on selling the data in 10 to 15 percent of laptop thefts. **Source**: Securityfocus.com, 07/30/2001).
  • 97% of stolen computers are never recovered. **Source**: FBI
  • According to 2003 statistics, Texas ranks fourth per capita among all states for identity theft with about 93 of every 100,000 Texans being a victim. More than 20,000 Texans were victimized in 2003. Source: Texas ID Theft Statistics, 2003
Let me say that again. Ninety-seven percent of stolen computers are NEVER recovered. That means your data could be out there forever, waiting like a time-bomb to explode until someone discovers it and then uses it.
Encrypt all critical files on your mobile device: Any of the following items is considered “critical” from my perspective:
  1. Name, address and birth date. This information can be used in combination with other data to impersonate you.
  2. Documents with social security numbers in them.
  3. Documents with credit card numbers, bank account information, etc.
  4. Any information that might be considered confidential. This can be your spouse or child’s medical information, house insurance, etc.
  5. FERPA data - Not sure what that is? Read this blog entry on the subject.




Once you have identified confidential data, realize that you should separate it from other data on your hard drive. When you do this, you make it easier to protect. Once you have encrypted the data, you can easily move it from one place to another. I follow these steps to ensure my data is protected:
  1. Move all confidential data files into a common folder.
  2. Use one of the aforementioned 7zip compression option to create ONE, compressed AND encrypted file with confidential data.
  3. Make a backup of the compressed,encrypted file to external USB drive (e.g. 120gig or PenDrive, etc.). Include a copy of the program you did the encryption with. 


Some other tips are included in this blog entry for school administrators.

2) What response plan does your District have in place to deal with a data breach?

Your response to this question really depends on whether you've answered question #1 well. For example, did you know that if data is encrypted, even if the storage device it's on is stolen, you are not required to report that confidential data was on the device? Think of the embarrassment this would save your organization!

Again, if your laptop's confidential data is encrypted, you report the theft of the laptop, but not the loss of data. That's because the data is encrypted...note that passwording a computer via it's BIOS or screensaver isn't sufficient.

But what happens if the worst has happened and the lost data was not encrypted? Move quickly to notify affected individuals. Some steps recommended by this government web site:


  1. Notify law enforcement
  2. Notify affected businesses such as bank and credit issuers. 
  3. Develop a strategy that will provide affected individuals protection through Equifax, Experian, TransUnion
  4. Notify individuals affected in concert with law enforcement, designating an organization contact person and setting up a web site with frequently asked questions (FAQ).
And, finally, send affected individuals a letter like the following, graciously provided by the FTC:

MODEL LETTER FOR THE
COMPROMISE OF SOCIAL SECURITY NUMBERS
Dear _____________:

We are contacting you about a potential problem involving identity theft.
[Describe the information compromise and how you are responding to it.]

We recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. Call any one of the three major credit bureaus. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. All three credit reports will be sent to you, free of charge, for your review.
Equifax
Experian
TransUnionCorp
800-525-6285
888-397-3742
800-680-7289
Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Victim information sometimes is held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call [insert contact information for law enforcement] and file a police report. Get a copy of the report; many creditors want the information it contains to absolve you of the fraudulent debts. You also should file a complaint with the FTC at www.ftc.gov/idtheft or at 1-877-ID-THEFT (877-438-4338). Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations.

We have enclosed a copy of Take Charge: Fighting Back Against Identity Theft, a comprehensive guide from the FTC to help you guard against and deal with identity theft.

[Insert closing]
Your Name



Get Blog Updates via Email!
Enter your email address:
Delivered by FeedBurner


Everything posted on Miguel Guhlin's blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure

Comments

Popular posts from this blog

#Chromecast Add-Ons to Play Various Video File Formats

Free Professional Learning! Education On Air #googleedu

10 Steps to a Blended Learning Classroom #MIEexpert #MIE #tceamie1