Slashdot Mirror
TSA to Contractors - Encrypt Your Laptops
eweekhickins writes "After two laptops were lost containing the personal data of 3,900+ truckers who handle HAZMATs, the Transportation Security Administration has ordered its contractors to encrypt any and all data. 'After the second theft or loss, the TSA conducted an IT forensic investigation that ascertained that the (previously) deleted information could be retrieved if a thief had the proper training. "So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place," Davis said.'"
Yeah, I installed TruCrypt today so I could encrypt my drive yesterday.
Uh, dude, I think you mean "reactive".
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place
The data that goes out, why spend incredible efforts tracking every action of the victims in case it's a fraud.. versus, invalidating the data that went out?
Your social security number was leaked because of the government? The government changes your social security number, fixes their data, and the old one remains as a trap waiting for some fraudster wanna be try and use it.
Are there any real-world effective laptop encryption solutions?
Encryption requiring a simple password:
They key space will be limited making for easy cracking.
Encryption requiring a sufficiently complex password to avoid above:
The password will be too hard to remember so people will write it down... on a sticky note on the laptop.
Encryption requiring an external device to supply complex key:
This will fail because many people will either attach the device to the laptop, or keep it in the same bag as the laptop.
I guess the simple password solution is the best since it would at least require a degree of technical expertise from the thief to get around.
I keep wondering, if the data is that sensitive, IT departments should have it physically never leave the data center. Instead, offer different means of access via secure means, such as Remote Desktop, ssh, a secure webapp available after connecting to a VPN, or some other means of accessing the data and gathering reports from remote. Keep the data available, but have it physically reside in the (relatively) secure environment of the data center.
If someone needs offline access (for example in a remote location with no Internet access), that is a different story, but in a number of laptop theft cases, there is no real reason the info is physically sitting on the laptop.
Of course, this won't prevent an employee from doing an export of all the tables to their laptop, but having the sensitive data behind a username, password, and a SecurID token means that the losses due to a stolen laptop will be minimal. Add a decent FDE program (BitLocker is decent because it doesn't get in the way of users, provided they can access their user), and a laptop loss can be written off as "just" hardware.
A number of Dell laptops and desktops have the ability to have CompuTrace installed in the BIOS. This is another good tool to help find stolen goods.
By using the tools out there, from WDE, to having data physically residing on a different location (although there are cases where this isn't possible), to CompuTrace, damage done from a stolen laptop can be greatly mitigated.