Posts Tagged ‘security encryption’
Portable storage devices need security controls
Written by Dan Blacharski on October 30, 2008 – 6:14 pm
Underscoring the logic behind the recent state laws that require encryption, a Department of Homeland Security report concludes that DHS itself does not have adequate security for portable electronic devices. The report issues recommendations for best practices in encryption, which are relevant not only to DHS but to any business or government agency whose portable devices may contain personal information.
The report is based on an audit in which the Inspector General’s office identified several unauthorized data storage devices connected to internal servers and workstations. According to the audit, DHS has not fully complied with OMB requirements to control devices and protect against unauthorized access. Only five out of 11 agencies have implemented two-factor authentication, and none of them have controls to ensure that data extracts are erased within 90 days.
Digital Signatures and Security Encryption
Written by Mike Rede on October 19, 2008 – 7:08 pm
I’ve spoken about Certificate Authorities and Certificates already. Remember that a Certificate includes a public key, the owner, and a digital signature. You have probably asked “what is a digital signature?” and how do you “digitally sign” a certificate?
A digital signature is essentially a checksum-like value computed from a block of data and a private key. The signature associates the data with the owner of that specific private key, so you can be confident that the person identified as the key’s owner is not an impostor. You can safely open an email you received from the “certificated” owner and reply to that person without fear that the reply will go to the wrong person. It also lets you trust that the contents of the email were written and encrypted by the owner of the private key.
If you successfully decrypt a message with a particular public key, one that was certified by means of a digitally signed certificate, then you can be certain that it could only have been encrypted with the corresponding private key.
You can obtain a digital certificate from a commercial certification authority, such as VeriSign, Inc. or Thawte, or from your internal security administrator or Information Technology (IT) professional. Alternatively, you can create a digital certificate yourself using a tool such as SelfCert.exe, which is installed as part of Office XP and can be found in C:\Program Files\Microsoft Office\Office10.
Keep in mind that certificates you create yourself are considered unauthenticated and will generate a warning in the Security Warning box if the security level is set to High or Medium. Microsoft Office will only trust a self-signed certificate on a computer that has the private key for that certificate available, which is usually only the computer that created the certificate, unless the private key was shared with other computers. Any macro projects that you create and sign using such certificates are considered self-signed projects.
If you wish to use digital certificates signed by commercial certification authorities, such as VeriSign, Inc., you or your organization must submit an application to that authority. You can also get a list of Microsoft-trusted third-party commercial certificate authorities at http://msdn.microsoft.com/en-us/library/ms995347.aspx.
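To make the two ideas above concrete, here is an added example (not code from the original post) that signs a message with a private key, verifies it with only the public key, and then builds a self-signed certificate that a trust store rejects as unauthenticated until it is explicitly imported. It uses Go’s standard library; the message text and the owner name “Example Owner” are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signMessage is the post's "checksum": a SHA-256 digest of data, RSA-signed with the private key.
func signMessage(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}
// verifyMessage needs only the public key; true only if data is unchanged and sig came from the matching private key.
func verifyMessage(pub *rsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
// selfSignedCert binds an owner name to the public key and signs it with the same key, as SelfCert.exe does.
func selfSignedCert(priv *rsa.PrivateKey, owner string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: owner}, // owner is a constructed example value
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// trusted reports whether cert chains to the store; a self-signed cert is unauthenticated until imported into it.
func trusted(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("constructed sample message")
	sig, _ := signMessage(priv, msg)
	cert, _ := selfSignedCert(priv, "Example Owner")
	fmt.Println(verifyMessage(&priv.PublicKey, msg, sig), trusted(cert, x509.NewCertPool()))
}
```

Changing a single byte of the message, or checking against an unrelated public key, makes verifyMessage return false, which is the integrity and origin guarantee the post describes.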
Posted in email security, security