Underscoring the logic behind the recent state laws that require encryption, a Department of Homeland Security report concludes that DHS itself does not have adequate security for portable electronic devices. The report issues recommendations for best practices in encryption, which are not only relevant to DHS, but for any business or government agency that has portable devices that may contain personal information.

The report is based on an audit in which the Inspector General’s office identified several unauthorized data storage devices connected to internal servers and workstations. According to the audit, DHC has not fully complied with OMB requirements to control devices and protect against unauthorized access. Only five out of 11 agencies have implemented two-factor authentication, and none of them have controls to ensure that data extracts are erased within 90 days.

Portable storage devices do represent a major emerging security threat to any business or agency. Uncontrolled use of these portable devices, which may include flash drives, external hard drives, or even portable music players, according to the DHS report, “increases the risk of theft and mishandling of sensitive information when users insert their personal or unauthorized devices into their agencies’ computers’ Universal Serial Bus (USB) or FireWire ports.”

The portability of these devices, and the fact that more people have them on ordinary consumer devices such as the iPod, increases risk all around, and measures have to be taken to ensure that an employee can’t simply download data onto their music players.

The report highlights a few very startling breaches. In New Mexico, USB flash drives containing classified government information from Los Alamos National Laboratory was found at a contract employee’s home; and stolen military flash drives containing military records were found being sold at an Afghanistan street market.

The report recommends that all sensitive data stored on laptops and mobile devices be encrypted, that two-factor authentication be used for remote access, that a timeout feature for remote access be enabled, and that all data extracts of sensitive information be logged and that those extracts are erased within 90 days.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Portable storage devices need security controls

I’ve spoken about Certificate Authorities and Certificates already. Remember that Certificates include: a public key, the owner and a digital signature. Well you’ve probably asked “what is a digital signature” and how do you “digitally sign” a certificate?

A digital signature is basically some value, a checksum. It is a data value based on a block of data and a private key. The digital signature associates the data with the owner of a specific private key. You can be confident that the person indicated as the owner of a specific private key is not an imposter. You can safely open the email you received from the “certificated” owner then respond to that person, the owner, without fear or apprehension that the email will go to the wrong person. This also allows you to trust that the contents of the email were written and encrypted by the owner of the private key.

If you decrypt a message successfully with a particular public key – a key that was certified by means of a digitally signed certificate – then you can certain that it could have only been encrypted with the corresponding private key.

You can obtain a digital certificate from a commercial certification authority, such as VeriSign, Inc., or Thawte, or from your internal security administrator or Information Technology (IT) professional. Or, you can create a digital signature yourself using a tool such as Selfcert.exe. SelfCert.exe is installed as part of Office XP and can be found in C:\Program Files\Microsoft Office\Office10

Keep in mind that certificates you create yourself are considered unauthenticated and will generate a warning in the Security Warning box if the security level is set to High or Medium. Microsoft Office will only trust a self-signed certificate on a computer that has the private key for that certificate available which is usually only the computer that actually created the certificate, unless the private key was shared with other computers. Any macro projects that you create and sign by using such certificates are considered to be self-signed projects.

If you wish to use digital certificates that are signed by commercial certification authorities, such as VeriSign, Inc., you or your organization must submit an application to that authority. You can also get a list of Microsoft trusted third-party commercial certificate authorities at http://msdn.microsoft.com/en-us/library/ms995347.aspx.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Digital Signatures and Security Encryption