'

On heels of VA's giant data breach, White House & GAO review security practices

According to ComputerWorld, the White House Office of Management and Budget (OMB) and the Government Accountability Office (GAO) are jointly looking into the data security practices of the Veterans Administration as well as several other agencies.  Recently, a computer containing the personal data of over 26.

According to ComputerWorld, the White House Office of Management and Budget (OMB) and the Government Accountability Office (GAO) are jointly looking into the data security practices of the Veterans Administration as well as several other agencies.  Recently, a computer containing the personal data of over 26.5 million people was stolen from an analyst who was working for the Veteran's Administration.  In addition to the apparent inclusion of 2.2 million troops who are still on active duty, the breach is the largest of a long and growing list (at a rate of nearly one per day) of such breaches that you don't want to be on.

Writes ComputerWorld's Jaikumar Vijayan:

The recent breach disclosures prompted the OMB to direct all agency heads to describe the specific steps they are taking to implement the requirements of the Federal Information Security Management Act in their annual reports on their compliance with FISMA....."Agencies have a responsibility to ensure that they are FISMA-compliant and that their employees are trained to work with tough security measures," an OMB spokeswoman said. She added that the OMB has set "sound standards and policies" based on FISMA's mandates and is working with agencies "to make sure practices match these policies."

Clearly, there are some obvious questions that need asking.  When the data in question involves personal data that could result in a privacy or identity breach, how is it that these desktop and notebook computers can end up with an unencrypted copy, let alone a copy at all? What is it about the architecture of the applications that these people are working with that forces them to have a local copy of the databases on their systems.  Furthermore, as I just discovered in an exhausting system recovery excercise that I went through over the weekend, password protecting a Windows' system isn't enough.  You may need the right credentials in order to get at a system's hard drive if you boot that system with the operating system that's on it. But, if you boot it with some other operating system as I did to my crashed notebook with the Knoppix distribution of Linux, you can bypass Windows' login screens and get unbridled access to any part of the hard drive. 

At the very least, there are two things that should be done to such computers and files.  First, every computer can be password protected at the hardware (the BIOS level).  This is a password that comes into play before any operating system starts up.  In other words, the computer won't even attempt to start its operating system until you enter this password.  This password is set through a system's BIOS which is normally accessible by pressing F1 when a computer is first booting up.   Setting a password at the BIOS level is not foolproof.  But it raises the barrier over a system that doesn't have its hardware password set. Second, Windows XP has the built-in ability to encrypt any file.  All you have to do is find the icon for the file (eg: in the My Documents folder), right click on it, select Properties from the resulting menu, and then, on the "General" tab of the Properties dialog, click the "Advanced" button.  There, you will see a checkbox for encrypting the file.  You will be asked if you want to encrypt the entire folder that the file is in (something I didn't choose to do when playing around with the feature).  Encyrpting an entire folder is a good idea because, then, any files you drag into that folder are automatically encrypted.  Once encrypted, it doesn't matter what operating system someone boots the PC with, that file will significantly more difficult if not impossible to access for most hackers.

Vijayan's story goes on to report:

Rep. Tom Davis (R-Va.), chairman of the House Committee on Government Reform, last week promised to introduce legislation seeking to strengthen breach-notification requirements at agencies. His vow followed a belated disclosure by the Department of Energy that the Social Security numbers and other personal data of about 1,500 employees and contract workers were compromised by a hacker last September.

To this I say, why not focus on the legislation that's already in front of Congress regarding such enclosures for everybody?  Currently, there are at least six (and maybe more) bills being considered that basically contain proposed government prescriptions for disclosure when there's a data breach.  The problem is that some of the ones getting the most serious consideration leave it up to the institutions in question to determine whether or not any particular breach is significant enough to warrant disclosure.  It's sort of like passing a law that says "The fox will now watch the henhouse."  As you can see from my string of coverage over a shamelessly under-reported banking breach,  when institutions are left to their own decision-making when it comes to such disclosures, not only might that disclosure not happen, where it does happen, it will be accompanied by a signficant about of obfuscating language, spin control, and shoveling of blame onto some innocent party that doesn't deserve to be blamed.