How Would You Prefer To Send Sensitive Data?

sprkltgr writes "Our HR department is implementing new software. The HR Director has tasked me with sending our data out of our network to the consultant that's loading it in to the new package. Obviously this data includes items such as SSN, name, birth date, etc. Upon being told that I would not email this data to her, the consultant asked what my security requirements were for sending the data. What would be on your wishlist for the best way to send sensitive data to someone outside your firewall?"

PGP

[Foldarn]

PGP without pause

Re:PGP

[Foldarn]

If it's data to be processed and used with a database or something similar, then I'd suggest either SFTP or set up a site-to-site VPN between your 2 offices and either provide them with instructions for FTPing it off of your server or the other way around. A simple link would work as well: ftp://10.10.10.10/yourfile.csv that way it's almost dummy proof.

Re:PGP

[Foldarn]

Correction:  ftp://user:password@10.10.10.10/yourfile.csv is the proper example link.

Re:PGP

[Swampash]

If this is for a work task (and in the parent article it obviously is) I would only ever send sensitive data via PGP-encrypted and -signed email, or more specifically via PGP-encrypted and -signed attachment to an email.

Via encrypted signed email there's a paper trail. "The data you have is verifiably the data that I intended for you to receive, and the sensitive data haven't been mangled or modified (the hashes match), it is verifiably from me (that's my signature), and I have demonstrably met your request by sending you the information on this day at this time (email headers, server logs, whatever).

If it's important and it's for work purposes, COVER ASS AT ALL TIMES.

Re:PGP

[Metzli]

I would agree with PGP, once the proper legalities and assurances are in place. However, I'd worry about the non-technical issues before working on a technical solution.

There are a number of issues to be resolved before worrying about how to get the data transferred. Has the consultant and/or their firm verified their security and controls to your firm's satisfaction with something like a SAS 70? Are there legal agreements in place concerning the proper controls of this data, the explanations or responsibilities in case of a disclosure, etc.? Has the idea been proposed to create bogus data for testing so that live data isn't used? Can the application be loaded on-site, so that a machine outside of your firm's control will not contain highly-sensitive employee data?

I'd ask a lot of questions like these and get answers to my satisfaction before I sent out any data. I would greatly prefer to have to explain to my management why I'm "holding up the train" than have to explain to my coworkers why I was involved in the disclosure of their personal information and mine.

Re:PGP

[The+MAZZTer]

If you need to get on a VPN to access the FTP server you're already authenticated. There's no point in authenticating twice (unless you want different levels of access, or the FTP server is also accessible from other networks).

Re:PGP

[beav007]

PGP or GPG I've been hearing good things about ROT-13. Which one of these uses ROT-13?

Re:PGP

[shri]

I disagree. While PGP can transport the data securely, once decrypted, it will be rendered as insecure as the consultant's weakest point of security. If the data were truly sensitive, I'd send an anonymous set to the consultant, have them prepare a set of scripts / routines / procedures to import and then bring them onsite to complete the task.

Re:PGP

[Hojima]

What would be on your wishlist for the best way to send sensitive data to someone outside your firewall?" 1)Titanium alloy capsule with message 2)rail gun 3)???? 4)Message delivered (and/or profit)

Re:PGP

[ResidntGeek]

has the resources to brute-force the encryption

If you're using PGP, such resources simply don't exist.

Re:PGP

[Anne_Nonymous]

Alternately, you could quantum encrypt the data, send the key by smoke signal, and nuke the entire site from orbit. It's the only way to be sure.

Re:PGP

[cayenne8]

"Yes, it's already authenticated, but most email systems will not route email over that VPN. It will route it to the publicly accessible IP."

That and email just is not a good way to send lots of data, it just isn't designed for it.

I'm more in favor of setting up a VPN....and using scp across it.

That will work better for what I guess has to be a good bit of bulk of data...and should be quite secure enough.

Re:PGP

[SanityInAnarchy]

VPN access is per-machine. FTP access is per-user. Making it accessible to anyone on the VPN is equivalent to chmod'ing 777.

It's amazing how many people make this mistake. NEVER implement an unauthenticated protocol, unless you can completely guard access to it -- and by that, I mean use it over pipelines, UNIX sockets, or in wrappers that include authentication.

Oh, and FTP sucks. I can't think of a good reason to use it at all, ever. Use Samba if it's convenient, otherwise things like scp/sftp, rsync, or actual database replication.

Re:PGP

[Eskarel]

Well e-mail isn't really a practical solution for a large volume data set, which presumably it is or there wouldn't be much point. So while PGP e-mail is quite a wonderful technique, it won't help much.

You've also got to remember that you only have control over the security of the data during transit. It's all you're legally responsible for and it's all you have any sort of effective control over. So you're really looking for the best solution based on the transmission type you choose. For anyone who wants to put all sorts of extra security on it remember the thing problem with copy protection you can't secure something and give people the access to view it at the same time, so if the recipient doesn't secure it properly in their system, no amount of PGP is going to help anyone.

If the data set is fairly small, then encrypted e-mail might be a valid solution. If it's small to middling in size or you need to do frequent transfers SFTP or FTPS would be viable(presuming you're not using keys generated in the last two years on a debian box).

The simplest solution would be to encrypt the data, put it on a CD/DVD/Portable HD, and send it by courier or deliver it yourself(ideally in a sealed envelope). You get a signature to verify you sent it, you get a signature to verify who picked it up, you've got proof it wasn't tampered with and if someone steals it along the way it's not worth anything.

If it were me I'd also ensure that your contract with the recipient includes liability for any security breaches within their system including appropriate financial penalties. Any of those solutions will ensure it gets to the recipient without someone else stealing it and that's all you can do.

Re:PGP

[andy.ruddock]

From DSA-1571-1 :
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.

Re:PGP

[Eivind]

The likelihood that "someone" will brute-force the encryption is zero -- or close enough to make no difference. All the worlds banks are protected by the same encryption. If your data is REALLY more valuable than complete access to EVERY account in EVERY bank that has online banking, then you don't "ask slashdot" what to do about securing the data anyways.

Re:PGP

[Antique+Geekmeister]

The unencrypted FTP traffic on the far side of the VPN connection can be sniffed. Passwords should never, never, never be sent in the clear, even over a local network, because people are awful about change passwords and will use the same one in multiple locations. And if the VPN is between two networks, rather than between your machine and a remote network, the FTP traffic an be sniffed inside your own network.

It only takes one compromised laptop in most networks to engage in quite a bit of useful packet sniffing of exactly this kind of traffic. Unless that VPN is between your desktopo and the VPN server itself, it's hazardous.

Re:PGP

[Antique+Geekmeister]

I hope your scp setup has chroot cages set up, because otherwise, your clients can go poking around the rest of your SCP server and potentially do all sorts of damage. Keeping them from overfilling /tmp and /var/tmp on the server is difficult enough. Keeping them out of /etc/passwd to find account names is even more awkard: a secured SCP server is fairly awkward. I've been seeing a few recommendations to instead use WebDAV over HTTPS. There are plenty of Java based clients, chroot cages are built in, and Windows has direct access to it over a browser for download, and using hte 'Network Connections' for upload. I also understand that is supports SSL keys quite well, for public/private key access.

Re:PGP

[Simon+Brooke]

Correction: ftp://10.10.10.10/yourfile.csv is the proper example link.

You do not want to use FTP at all. FTP is a very insecure protocol. If the data is very confidential, then you need to secure it against

• An attacker pretending to be the designated recipient
• An attacker capturing the stream in flight
  • Where that attacker is within your network
  • Where that attacker is within the recipient's network
  • Where that attacker is between your network and the recipients

Remember no encryption is so good that it can't be cracked, given sufficient compute power and sufficient time, and that the profits from identity fraud are now sufficient to make it worth criminal gangs while to put significant resource into cracking encryption.

So to send this data, in my opinion, you need to split it into chunks which are in themselves of low value (i.e. first file, names and employee numbers; in the second file, social security numbers and employee numbers; in the third file, addresses and employee numbers; in the fourth file, ages and social security numbers; and so on); encrypt these chunks using different encryption keys, so that decrypting one will not provide the key to encrypting the next; and send them over a secure channel.

The UK Government has had a series of scandals recently where couriered media (CD-ROM disks) with valuable personal information has gone missing, so couriering this is not a good plan. Criminal gangs are apparently now willing to pay about US$50 per person for identity details like these, so in terms of value for unit mass, a CD with these details is worth much more than diamonds.

Re:PGP

[Simon+Brooke]

VPN *AND* scp? weirdo.

Not in the least. What guarantee do you have that there isn't an attacker already in your network, or the recipients network? Split into small chunks first. Encrypt with separate keys, then SCP over VPN.

Re:PGP

[|DeN|niS]

You are being awfully naive here. Personal details are worth about US$50 each to identity fraud gangs. 10,000 personal details times US$50 is half a million bucks, and that buys a lot of supercomputer time. Any encryption can be brute forced given enough brute force.

You keep saying that. Maybe you want to run the numbers sometime? Something like all the computing power in the world in constant use for X thousand years? Barring a fundamental flaw in the algorithm, or a botchy implementation (say generating your keys on Debian) there is no way this is brute forcable in anyones lifetime. It's just math. It's your random claim the russian maffia can break any encryption, versus math. I know whose side I am on.

Half a million bucks buys you a 56 bit DES message in under 24 hours. Note that an extra bit does not double the effort, it squares it. Do the math.

Re:PGP

[WuphonsReach]

Yes. The Russian mafia. They have much more than sufficient resource - not merely access to supercomputers, but also access to large botnets of other people's PCs. Cracking encryption is a task well suited to distributed computing.

Yes, these people can and routinely do crack military grade encryption, if the data is valuable enough. This data is valuable enough.

Highly unlikely.

What they (the attackers) are probably doing is either:

1) Man in the Middle (MITM) attack where the source/destination players (Alice & BoB) don't properly authenticate their encryption keys. Which lets them read all of the traffic by pretending to be the other end of the stream to each player.

2) Attacking the weak point of any encryption system - key management. Either by keylogging to obtain the passphrase, or other rootkit / cracking work to steal the private keys. Which then allows them to decrypt the messages. Getting key management correct is HARD (the devil is in the details).

3) Suborning either Alice or Bob (i.e. bribery or social engineering). Or simply via the lead lined rubber hose attack.

There's an awful lot of very very smart people out there who are looking at the current algorithms in use (AES, RSA, etc). If there were known weaknesses in the algorithms, we would have heard about them. Something that is encrypted with today's 256bit symmetric encryption algorithms is extremely secure for the foreseeable future (40+ years?). At least, as long as the encryption key is not leaked through some other fashion.

Re:PGP

[xalorous]

Use strong encryption.
Burn to physical media.
Send via bonded courier.
Send password via encrypted email, or via registered mail.

If you need frequent access from both ends, set up extranet with encrypted vpn with reasonable security on both ends. The data at rest should be encrypted with strong encryption and the password should change frequently ( 90 days). Access to the password and to the storage folder should be restricted.

Yeah, all you alarmists worried about 'one compromised computer' are right, but that threat exists no matter how you connect to transfer the data. The VPN doesn't answer this threat, it answers the threat of capture of data in transit.

Re:PGP

[drinkypoo]

Really, what's wrong with just using IPSEC and ftp? ftp is canned crap by itself because of the stupid networking requirements (if you're already using TCP, there's no reason WHATSOEVER to open two connections, much less to do it how ftp does) and generally impossible to secure through rational means but is fine through VPN.

Of course, you have to make sure that your switch isn't vulnerable to a poisoning attack that will let a local attacker sniff that password, unless you do direct host to host ipsec, which is my recommendation anyway. Then the whole thing is pretty secure. ipsec is relatively easy to set up on windows with preshared keys (I never did get certs to work between HPUX and Windows which is where I tried it, but if I'd had a Windows 2003 domain server it supposedly would have been easy) and plenty easy to set up on most Unices.

Alternatively, just put a simple password on the thing, USPS the password to the guy via some kind of registered mail, and then courier the data, and do it physically. This is much more secure, provided your carrier is competent. (Read: NOT UPS, who not long ago delivered eight pounds of court documents to me at 9850 on one street, while it was addressed to 9580 on another street.

Re:PGP

[ezzzD55J]

Note that an extra bit does not double the effort, it squares it. Do the math.

What?

An extra bit does double the keyspace.

Re:PGP

[0xFCE2]

Yes. The Russian mafia. They have much more than sufficient resource - not merely access to supercomputers, but also access to large botnets of other people's PCs. Cracking encryption is a task well suited to distributed computing.

Yes, these people can and routinely do crack military grade encryption, if the data is valuable enough. This data is valuable enough.

"military grade" is a pretty useless term here - the military uses all kind of encryption, from weak to very secure. But when talking about encryption suitable for "secret" stuff (i.e. classified secret), then you can be pretty sure the NSA is not going to allow any form of encryption which is known (to the NSA) to be breakable. Not breakable by any other (foreign) government agency with a multi-billion-dollar budget, and certainly not by the Russian mafia. And as a reminder, AES is a valid algorithm be used to protect secret communications and available to pretty much everyone.
To get your data, they would try to get the encryption keys by hacking the computer or by physically breaking into your house and office. They might even sneak backdoors in the software you are using and weaken the encryption artificially. But they will not bother with the encryption itself, unless you've been using weak encryption from the start.

Re:PGP

[blueg3]

"Remember no encryption is so good that it can't be cracked, given sufficient compute power and sufficient time, and that the profits from identity fraud are now sufficient to make it worth criminal gangs while to put significant resource into cracking encryption."

No practical encryption, that is. One-time pads are uncrackable. However, your statement is misleading -- for many types of encryption, "sufficient time" is longer than multiple human lifespans, even with access to a large amount of computing power. It's generally the non-encryption parts of a security system that fail.

Re:PGP

[MikePikeFL]

FTP still has its place. If you are already going over VPN, FTP can be way better than SMB if say, the link dies at 699MB of a 700MB file. FTP resume performs miracles with an appropriate client (read ncftp). scp/sftp don't regularly support resume (I think there are some hacks out there), and sometimes rsync isn't universal (Win32, permissions, and rsync can do some evil things).

Obviously it all depends on the platforms in use, the links' reliabilities, the links' speeds, the criticality of time, one's patience, one's pain threshold, etc. YMMV.

Password protected PDF!

[Boogaroo]

Redacted using FBI security techniques will guarantee absolutely nobody will be able to see it.
Make sure you send the password with the file.

Re:Password protected PDF!

[genderbunny]

Nice, but it will never be as secure as sending a Word document with the font changed to Windings.

Re:Password protected PDF!

[enoz]

Send it in OOXML, Word won't even open it!

Couple idea's

[Drakin020]

Why not some kind of secure FTP Server for her to download it?

Or if the area is not to far, why not burn it to a CD or some other kind of media and physically take it to her.

By Hand

[rueger]

Deliver it by hand.... if you're lucky they'll give you one of those cool attache cases that handcuffs to your wrist.

Re:By Hand

[Dirtside]

No, if you're lucky, they'll include a key. If you're not, they'll include a hacksaw.

Re:By Hand

[Repton]

Seriously --- why not? Stick the data into a truecrypt volumne on a USB thumb drive (or USB hard drive, for big data). If the contractor is nearby, walk over and type the password in yourself. If not, courier it and use encrypted email to transmit the password (or just tell the guy over the phone).

How would I prefer to send sensitive data?

[Orange+Crush]

Not at all if I could avoid it, that's for sure. Why can't the consultant import the data into the new package on-site? Even the most secure transmission method can't stop someone outside of your control exposing that data. I'd be talking to my HR people and begging them not to send this data out. Probably a good idea to talk to Legal too.

Re:How would I prefer to send sensitive data?

[Tex2000]

The policy in my current company is that NO DATA is shared unless we have a "Non Disclosure Agreement" (NDA) Signed with the company/consultant that needs to work with our data. Have your legal department prepare such an agreement with items such as penalties for improper use of the information..

This kind of agreement sometimes scare consultants or companies, and it's cause for some struggle, but in the end if they can't handle the responsibility over your data then you should find someone who can.

pgp on a dvd or flash drive

[rboatright]

unless the data set is so large that the answer is pgp on an external hard drive shipped by fedex. and send the password by a SEPERATE CHANNEL. I prefer to send the key by TELEPHONE -- spoken, but that's up to you.

Locally

[thedarknite]

I'd get the consultant to come to the office. If the new software is going to be run onsite, there should be no reason why the data needs to leave. But if it does need to be taken offsite then having the consultant come in to collect it makes them responsible for keeping the data secure.

If she's cute....

[EmbeddedJanitor]

Take some of those fur-lined handcuffs too. Do it on a Friday and get the weekend.

Sending sensitive data isn't that hard.

Send all the data via FedEx on a CD, in an encrypted file. Send the password via e-mail.

Of course, this doesn't address the issues revolving around exposing all this data to your consultant to begin with.

E-Mail

[bluefoxlucid]

Deliver the data by e-mail, but store it such that it's determined losing it does not present plausible risk. I mean what other options do you have? Authenticated download over SSL perhaps.

PGP maybe. Say we PGP encrypt an e-mail. We now rely on the secrecy of the recipient's private key. This means we rely on the recipient's security infrastructure to properly protect a piece of data until the data we transmit has become non-useful (this includes destroying all copies of the key -- when actually done, we guarantee the key remains secret forever). Can we trust this? Not really.

Well with SSL, the certificate gets verified against a CA signature. The client automatically establishes encryption in a secret way (randomly generated public key, sent to server, which sends a signed and encrypted session key) so we know no third party can eaves drop, without any infrastructure on the client end. Now, this is where I pull up Ettercap in the next hotel room over, and the client clicks "Accept certificate temporarily for this session" when it warns him my MitM cert is self-signed. Again, can't trust this.

Well, let's hand it off on a USB flash drive. Does he lose it? Leave it in his car? Hell, it's now on a storage system at another company with odd security practices. Again, out of your control.

All solutions suck. Transport isn't an issue, it's ensuring data confidentiality at the destination (including any encryption keys used to secure the transport, as well as the decrypted data itself once stored at the other end).

Public key is to complicated for a simple one-shot

[RickRussellTX]

Simply use symmetric encryption (AES-256, for example) with a strong random key, then provide the key on a separate hand-delivered or voice-delivered medium.

Public key doesn't really buy you anything in this case -- if somebody grabs their copy of the symmetric key, you're screwed. If somebody grabs their copy of the private key, you're screwed. Protecting the private key with an additional symmetric key doesn't make it more secure.

But explaining to a clueless consultant how to keep a single key secure is a lot easier than trying to explain public key/private key operation.

Simple...

[Jane+Q.+Public]

If this is a manual task, and you are on a *.nix box or similar (OSX too), just use scp (Secure CoPy). If there are lots of files, package them first to make things easy (tar.gz or .zip or whatever), and just scp the file to the other computer. It takes the same parameters as ssh and uses ssh but was designed to just send files securely. With scripting languages you can also automate this process.

Pinkerton

[tverbeek]

Hand delivered by a trustworthy courier.

OTP

[Iamthecheese]

Well, the first thing you need is physical security. I would reccommend Blackwater for their premium quality goons. You'll need at least two platoons and a morter squad. Then you'll want to hand-deliver a one time pad to their secure vault, with a completely off-network computer to do the decryption. You can solder off all the connections except a secure thumb drive for the OS and the DVD containing the OTP. You'll have to keep your own copy of the OTP in your own vault. And I highly recommend Windows ME on a Dell for the encryption routine.

GPG? The Open Source Version of PGP

[NeverVotedBush]

I agree completely with Orange Crush. You let that data out and it is now subject to this other entity's security policy.

If you are going to let it off-site, is there a contractual agreement regarding how the data will be protected? Are their security policies audited by a third party? Worst case, does your company's insurance cover financial losses due to a third party mishandling your data?

I'd provide them with dummy data in the proper format to simulate your company's data and do like Orange Crush suggests and put data and application together only on your own premises.

But if you can't/won't do that, I'd say encrypt the hell out of it and burn it to CD, and send it by registered courier where someone has to sign for it to acknowledge chain of custody. Send the key by an alternate method.

Do you know this company's security policies? Are there any kind of investigations/background checks performed on its employees? If it is a small shop, what kind of firewall protection do they use? Is some programmer's kid using his laptop to play games on the Internet and download "free" screen savers or ring tones?

I assume that your data is in there too. How would you want it handled and what would you consider doing legally to your company if the data was in any way mishandled and your information to find its way into some identity thief's possession or posted on the web? What if your identity were to be stolen and your accounts raided or your credit ruined?

I know this probably sounds fairly paranoid and I'm sure a lot of people might suggest easier and less secure approaches, but the reality is that this kind of data is a target and far too many people do not properly protect their business computer systems because they just don't realize how pervasive intrusions and spyware are.

How would you want your data handled?

Re:GPG? The Open Source Version of PGP

[NeverVotedBush]

There are a lot of good posts in this topic. Especially the ones about the legal issues.

These days a big issue is CYA when it comes to people's personal data. As others have noted, be sure to investigate any laws that might define how the data must be treated if it has to go off site. Be sure that your management signs off on the procedure and be sure you can document it.

The days of just letting people download data are long gone. And don't use FTP if you do. Use the secure version (sftp) and encrypt the data before it transfers. That way it's an encrypted tunnel carrying encrypted data. But I wouldn't recommend this method. I'd get a signed chain of custody with media physically delivered and assurances that all copies of the data is completely and securely destroyed and the original media returned when the job is finished.

Best way is not to let the data out in the first place.

Re:GPG? The Open Source Version of PGP

[MyDixieWrecked]

gpg/pgp is great for the transfer... however once it's in the person's inbox, you have no idea what they're going to do with it.

Giving anyone other than my parents personal information about myself (credit card number/ SSN) over the phone pains me. It feels like I'm running a red light every time and I'd rather not do it.

Spy Style

[bsDaemon]

Encrypt the drive and put it in a locked case, handcuffed to your wrist. Have a second person carry the key to the handcuffs and to the case and take a separate train. Just for good measures, send out decoys for both yourself and the man with they. Rendezvous at the consultant's headquarters.

Don't forget to wear mirrored sunglasses.

What about once it gets there?

[Geek_engineer]

I would be much more worried about the security after you get the data there. How does the consultant protect his network (wireless???) and physical building? Does he keep the data encrypted so if a computer is stolen, it cannot be read? There are any number of good encryption methods to use in transmitting the data, then phone with the key.

Don't over think this

[Alpha830RulZ]

If it were me, I wouldn't even be worried about FTP for a one time transfer. When was the last time , or the first time, you heard of someone sniffing sensitive data in mid transmission? The vast majority of compromise issues are due to compromise of files on a machine somewhere. You should be concerned about the work environment of the consultant, and procedures there, far more than how you get data to the consultant. Ad hoc work environments are usually far more lax in their controls than a production environment. HR departments are (in my experience) far less knowledgeable about how to protect data than IT types. This is where your risk lies.

We use an SFTP server for transmission of financial data, and I don't lose a bit of sleep over it. You are at much higher risk for either your HR department or the consultant doing something stupid with the source or result files on their network. Your need is just to make sure that it doesn't happen on your watch.

I would be more concerned about making sure that the HR folks and the consultant cleaned up their work files afterword.

Secure in layers

[sthomas]

If you are required to transfer the data outside of your organization, then there are two areas of concern - confidentiality of the data in transit, and confidentiality of the data once it arrives and is in the consultant's control.

Data in transit:
Encrypting the data prior to transfer is highly recommended, so that when it arrives it is in a secured package, and it also reduces risk should an email be misaddressed or forwarded to an unintended recipient. For this part PGP is an excellent tool. You can encrypt using exchanged keys, or you can encrypt using a strong passphrase and then communicate that passphrase out of band (phone call is preferable, separate email is workable but less preferable). For the method of transfer, securing the channel of communications is another added layer of security on top of encrypting the data ahead of time. If you are using an interactive transfer like (S)FTP, it will protect the authentication credentials from prying eyes. Although someone intercepting the PGP encrypted file now may not be able to decrypt it, tomorrow's technology may make the task trivial, so protecting it is recommended. TLS-encrypted email from organization to organization is also a good choice, but may be beyond the scope of your project. However, if this will be an ongoing need, or if your HR rep is also passing confidential content in email, it's definitely worth looking into.

Data Protection after Transit:
Once the person has received the file, your data will continue to be at risk. Each copy they make of the encrypted file is another file that could potentially be moved outside of a controlled environment. Once they decrypt the data, the risk to your organization climbs as they strip away another layer of protection. At this point the processes the consultant has in place are critical to protecting your data, and lack of processes or sloppy adherence puts your organization at risk. I often use users' Outlook Sent Items to show how easily copies of data files propagate. Anywhere they store the data, encrypted or not, may be released outside of their environment when they dispose of hard disks or tapes, or if they have them replaced because they are faulty. We empower users with tools, and those tools can increase risk in unexpected ways.

Remember the most important security rule - always protect in layers. Remind everyone to treat all data like it's their own banking information or cash money. Require your partners/vendors/consultants to meet or exceed all of your controls. Allow as few copies of data (encrypted or non-) as absolutely required for operational and preservation purposes. Continually remind everyone of the potential risk of data loss. Make sure users understand that there is no single security solution - encryption provides one layer of protection, but the best security is constant vigilance and treating your data like it's cash money.

I would recommend you have a serious discussion with your HR rep, starting out by saying "I just want to be sure you're aware of the risk here, and we are doing everything we can to protect our company and our employees." Then spell out the risks without exaggerating, and remind him/her that it's situations like this where bad decisions end up in the newspaper. The first decision is "do we have to move this data outside of our organization?" and it should only be done if it's absolutely required. If it is, then layering security and requiring that your vendor/contractor treat it with the right level of sensitivity are all that you can do.

PGP Universal Server or Tumbleweed

[shumacher]

We wrestled with using GPG/PGP/X.509 and things like AES encrypted zip files for a while. No matter what, we couldn't trust:

• That local users would create decent passwords
• That remote users would be able to understand how to decrypt/open the documents
• That users wouldn't send the password in the same email as the encrypted file

The found marginal success with Office document encryption, but ultimately, things were nearly impossible to audit when people were doing their own encryption.
We put a PGP Universal server with web messenger between our internal mailserver and our SMTP gateway, and set policies on what does and doesn't get secured. Aside from the occasional external user who is baffled by the concept of creating a passphrase, the server has been trouble-free. If you have to deal with arbitrary external mail recipients with unknown levels of clue, I highly recommend picking either PGP Universal or Tumbleweed.

my pick

[DragonTHC]

encrypted thumb drive.

use truecrypt and create an encrypted file on a thumb drive. then if it gets lost, no one can retrieve it.

I agree - start by finding a new consultant!

[arete]

I agree completely - getting the files TO the consultant securely is relatively easy... a GPGP key exchange followed by a phone call can pretty simply ensure who they are as well as anything. (I mean, as well as you know who the company is now - it's whoever answers their phone number.)

But then they HAVE the data, and if you care about your data, that's a problem.

In a perfect world, I would start by finding a new consultant - one who wouldn't even consider RECEIVING such data through email. I suppose in a PERFECT world, there wouldn't BE such consultants.

But failing that you need to lay out every security policy you think is important to secure your data, including INSIDE a network... firewalls, care with files, background checks on IT staff, background checks on the consultants. You need this laid out in excruciating detail. And you need it in the contract with them.

Ideally YOUR company needs to do the background checks on their staff... At a minimum you need to do a really sound credit check of them and have your attorney draw up a contract where they indemnify you for any loss due to a breach and any attorney fees to defend against and to recover from it. Etc.

Basically the same kind of due diligence you'd have for someone you were letting come in and install new servers and new firewalls on your site with access to everything you've already got. Or if they refuse to get up to a reasonable standard, you can tell them they need to do their work on your site.

Red flag.

[PeanutButterBreath]

If this consultant asked for this data to be sent via email in the first place, that is a big red flag to me. It suggests a pretty lax attitude towards sensitive data, possibly an indication of general cluelessness/laziness/hubris.

Frankly, I would be a little suspicious of any person who wanted to take custody of this information at all if test data can be used instead. I would never take on that kind of liability if I didn't absolutely have to.

In an environment where neither HR nor their contractor seem to have a clue, I would enumerate my concerns (in writing) and insist that they make the call (in writing). Too many weak links in this chain.

Re:Red flag.

[SanityInAnarchy]

Just so long as you at least verify fingerprints via the phone. Fingerprints aren't any more secret than the public key, but at least on the phone, a MITM insertion attack is much more difficult -- they would sound different.

Registered Mail

[john.r.strohm]

I'd send it on CDs, by Registered Mail, the same way defense contractors and government agencies send classified stuff, for the same reasons.

Yes, Registered Mail costs more. It is worth it. Registered Mail *EXISTS* for the sole purpose of shipping high-value items that MUST NOT GET LOST OR STOLEN. That is precisely what you have here.

And for those of you in the peanut gallery: Yes, I have done Registered Mail. Several times. It is a pain in the ass. The Postal Service thinks it is a pain in the ass, and will try really hard to talk you out of it. I usually have to say "Registered Mail" two or three times before they figure out that I really do know what I want. I have had Postal Service clerks ask if I knew the difference between Registered and Certified. They were always very disappointed when they discovered that I *DID* know the difference, could explain it to them, and wasn't about to back down.

If you are really paranoid, you send two packages, both by Registered Mail. One contains encrypted CDs. The other contains the decryption key. Or you split the data into two packages, that must be combined in a nonobvious way to reconstitute the data.

But the KEY to the transfer is Registered Mail.

It doesn't matter, you've already lost

[Jerf]

If the consultant really expected you to email the data, and expressed even a modicum of surprise that you wouldn't do it, they've already disqualified themselves from being able to securely handle your data.

Do you really think that this is the only flaw in their handling of sensitive data? That, otherwise, they are security conscious and careful, except for this odd flaw where they don't understand how insecure email is?

If you care, it's time to change consultants.

If you don't care, just email it already.

(I'm actually not quite as rigid as this may sound out-of-context. I don't agree that security is all-or-nothing, so please don't strawman me that way. My second paragraph is important; anyone who expects those things emailed to them is so far away from the necessary knowledge and skills that debating whether they are close enough or whether they will be able to take reasonable care is a waste of time, arguing about whether the receiver made a touchdown when they got tackled on the 10 yard line on the wrong side of the field.)

Emailed?

[e-scetic]

If I was that consultant my first question would have been how to transfer that data securely - but maybe that's because I know what I'm doing. Therefore, I'd be totally allergic to giving that data to this consultant, regardless of any non-disclosure agreement.

What to do

[hejish]

First, your company must have a policy. SSN's are sensitive data. Second, your company must have a contract with any folks not working for your company requiring that this data be protected in a manner compliant with your company policies. Third, the recommendation to have the consultant work on site or work with the data on site is appropriate. Requiring that the data NOT leave your site sounds very reasonable. If they are remote use 2-factor authentication to get into such sensitive data and administration of systems.

Don't send it to a consultant who would ask ....

[CFD339]

...by email.

This consultant wanted you to send it to them? I've been a consultant and developer for nearly 20 years. I would NEVER EVER ask for data like that to be sent to me. I wouldn't want to be anywhere near owning that kind of responsibility for someone else's critical data. You couldn't make me take it if you tried.

Your biggest problem, as pointed out by others, isn't the in-transit data but rather what it does once the consultant gets it. If he's so unaware of modern security best practices as to ask you to send it to him, it's fairly a sure bet that his environment and practices are no where near good enough.

How will the data be sent back?

[scrib]

If you're sending data to a consultant for processing, how do you expect the consultant to return the finished product to you? You can be as paranoid as you want and totally ineffective if next week the consultant emails you an unencrypted MDB file.

The other replies make a lot of sense in pointing out that your security policy is only as strong as the consultant's weakest link. Can someone potentially sniff the email as it goes by? Sure. Is anyone actually watching? Probably not.

PGP or GPG keys sent via email are always vulnerable to "man in the middle" attacks unless you verify the fingerprints through other secure channels, etc and so forth. Is anyone taking the trouble to do that for access to your data? No. Seriously.

You could probably even get away with putting all the data into a single ZIP file, and then putting THAT single ZIP file into a password protected ZIP file. (If you have more than a few files in a password protected ZIP file, there are apps out there that can do some comparisons and crack them open in moments.) One file in a ZIP, with a strong password given over the phone, should keep out the nosy and all but the more educated hackers. The educated hacker already has access to your system after asking HR's password on a "support" call.

I'd agree with the masses - GPG. However, it is VITAL that the consultant knows to encrypt the data sent BACK or it is just a waste of time. Good luck!

Don't send it at all

[elronxenu]

You are about to send sensitive data to a third party who will load it into a new database and send you back the database. That's insane.

You need to bring the destination (the database) in-house. Either load the data yourself, or get the consultant to come in-house to load the data. Under no circumstances should the sensitive data travel outside your network boundary. It's not a question of "how strong is my encryption" at all.

AES 256

[Heembo]

WinZip with AES 256 encryption using a very strong password delivered via phone is sufficient in some situations.

PGP yet again .. with some real world examples

[johnlcallaway]

I have worked for two different companies that sent ACH (EFT) type transactions worth tens of millions of dollars over the internet. We used an SSL HTTP web site for the transfers, and encrypted AND signed the packets with PGP keys. That way, when we got the packet, we could decrypt it AND verify the originator.

I'm sure if someone worked hard enough they could have broken it, but since the firewall would only allow connections from specific IPs, it would have been tough to inject data into the system.

This meant that the biggest threat wasn't someone stealing the raw data, but someone on the inside gaining access to the data after it was processed or was being processed and possibly in an unencrypted state. The DBA used some type of Oracle encryption to prevent someone gaining access to the database and being able to run SQL queries and return unencrypted data without some type of key (I don't know how it worked ... sorry.) And unencrypted data was never allowed in the DMZ. I'm not sure how long unencrypted data may have been on app servers or in memory, but I remember security and the developers having a lot of conversations about it.

So .. don't stop at just the transmission. Security has to be looked at from source to destination and archival.

bzip, split and send three ways, scp, email, pendr

[refactored]

1. write wee scriptie that splits a file 3 ways byte 1 to file 1 byte 2 to file 2 byte 3 to file 3 byte 4 to file 1 ....
2. write wee scriptie that merges them again.
3. email scriptie to consultant.
4. tar bzip2 the files.
5. cut out 4 bytes from the middle of the tar ball.
6. hex dump the 4 bytes and read them to him over the telephone.
7. split the cut down tarball three ways.
8. scp one to him, give him an https url for another, put the third on a usb pen and snail mail it.

   1. When he totally freaks out and starts screaming. Rename the file to GrowYourPenisNow.doc, spoof the From: header to be from hotmail.com, add a subject line V1agra and send.

      Nobody will ever bother to read it.

Re:PGP -- step three revealed!

I think I can help here: step 3 is: 'apply copious amounts of lubricant'.

Re:hold it

[nahdude812]

Nor is chroot intended as a security tool, even though it's widely used as such. It's quite possible to break out of chroot jail.