Update 1/1/2012: Use AES Crypt to encrypt files. Read about it here.
Update 09/02/2011: It just happened again to another Texas school district. Read more here.
"Psst... Hey, you want a new credit card? How about a new social security number?"
Time and again, confidential data is put into the hands of hackers by unsafe privacy policies, human negligence (or ignorance) about data encryption, social engineering (it's glorified, isn't it?) and a mix of variables some find too difficult to predict. The end result, though, is the same--people's private information ends up in the hands of criminals...or young adults. And, often, simple encryption strategies would have prevented the scandal and the thousands of dollars in identity theft privacy protection that will now be spent.
How does private data on a school district's "internal network" end up in the hands of hackers? One of the eye-openers is that a breach of encrypted data need not be disclosed. That is, if your confidential data is encrypted and someone steals it, the organization that was hacked need not say a word. They only need to notify you IF the data was unencrypted.
This is the equivalent of the State Comptroller of Texas leaving Teacher Retirement System confidential data for Texas educators (in-service and retired) UNENCRYPTED on a server earlier this year.
School organizations are victims, sure, but they also can be seen as careless when they break one of the cardinal rules of securing confidential data, a lesson all the more clear since the State Comptroller's debacle earlier this year:
Describe and practice strategies for securing wireless connections (e.g., connect to only legitimate wi-fi hot spots or turn off wi-fi, turn off file share mode, encrypt sensitive data/information, use and update anti-virus software, use a firewall, update operating system).
Would school administrators PASS cybersecurity requirements defining how to assure personal protection of confidential data in the iKeepSafe CyberSafety curriculum? I doubt it...and I doubt most network specialists would either.
And, before these organizations--and their vaunted IT Security Admins--say, "These are free, open source tools that couldn't possibly be implemented enterprise-level!"--which, not surprisingly, I've heard before--let's remember that the use of ANY ONE of these free, open source tools would have eliminated the negative publicity, voided the effect of a confidential data breach, and prevented the tarnishing of the District's public image.
Whether you pay thousands for encryption solutions or use the free, open source encryption solutions suggested below, it's long past time to use them.
School districts and anyone who deals with confidential data, here are some suggestions to get started....
It's easy for folks to get angry about lost confidential data. It takes only moments to use one of the approaches above to secure it. If you have confidential data on your computer, at the very least, use TrueCrypt to protect your data. Try the other solutions to go further.
- Embrace Encryption
- TRS Confidential Information Fiasco
- Wiping Free Space on your Hard Drives
Identity Theft - http://delawareemploymentlawblog.com/wp-content/uploads/2008/05/idtheft.jpg
Everything posted on Miguel Guhlin's blogs/wikis is his personal opinion and does not necessarily represent the views of his employer(s) or its clients.