Sean Gallagher reports at Ars Technica that Dr. Andy Ozment, Assistant Secretary for Cybersecurity in the Department of Homeland Security, told members of the House Oversight and Government Reform Committee that in the case of the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, encryption would "not have helped" because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering.
Ozment added that because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network. "If the adversary has the credentials of a user on the network, they can access data even if it's encrypted just as the users on the network have to access data," said Ozment. "That did occur in this case. Encryption in this instance would not have protected this data."
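The access path Ozment describes, as an added illustration that is not part of the article: records encrypted at rest are decrypted transparently for any authenticated session, so a phished password alone yields plaintext, and the only control that changes the outcome is a second factor checked at login. The record, user directory, keys and the toy keystream cipher are all constructed for this example (not production cryptography).

```python
import hashlib, hmac, struct, time

# Constructed sample: one personnel record encrypted at rest with a toy
# keystream cipher (SHA-256 in counter mode). Illustration only.
DATA_KEY = b"constructed-data-encryption-key"

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric XOR against a hash-derived keystream; same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

RECORD_AT_REST = keystream_xor(DATA_KEY, b"SSN=000-00-0000;clearance=TS")

# Constructed user directory: a salted password hash plus a TOTP seed per user.
def pw_hash(password: str) -> str:
    return hashlib.sha256(b"constructed-salt" + password.encode()).hexdigest()

USERS = {"jdoe": {"pw_hash": pw_hash("hunter2"), "totp_seed": b"constructed-totp-seed"}}

def totp(seed: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30 s step)."""
    mac = hmac.new(seed, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def fetch_record(user: str, password: str, require_mfa: bool, otp=None, now=None):
    """Server-side read: once the session is valid, the record is decrypted for the caller.
    Returns the plaintext on success, None when authentication fails."""
    u = USERS.get(user)
    if u is None or not hmac.compare_digest(u["pw_hash"], pw_hash(password)):
        return None
    if require_mfa:
        now = int(time.time()) if now is None else now
        if otp is None or not hmac.compare_digest(otp, totp(u["totp_seed"], now)):
            return None
    return keystream_xor(DATA_KEY, RECORD_AT_REST).decode()

# With only a valid password (the situation described above), encryption at rest
# is irrelevant: the first call returns plaintext, the second is refused by the MFA check.
print(fetch_record("jdoe", "hunter2", require_mfa=False))
print(fetch_record("jdoe", "hunter2", require_mfa=True))
```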
The fact that the Social Security numbers of millions of current and former federal employees were not encrypted was one of the few new details to emerge about the data breach, and House Oversight member Stephen Lynch (D-Mass.) was the one who pulled the SSN encryption answer from the teeth of the panel where others failed. "This is one of those hearings where I think that I will know less coming out of the hearing than I did when I walked in because of the obfuscation and the dancing around we are all doing here. As a matter of fact, I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers as you are in keeping information out of the hands of Congress and federal employees. It's ironic. You are doing a great job stonewalling us, but hackers, not so much."
See our earlier stories: U.S. Government Employees Hit By Massive Data Breach and Hacking of Federal Security Forms Much Worse than Originally Thought
(Score: 2) by iamjacksusername on Thursday June 18 2015, @03:42PM
It is long past the time that we started treating security breaches as the rule rather than the exception. I found this analogy helpful (sorry, it is not in the form of a car analogy). Imagine that you and all your friends have $100 in a box in your respective houses. Now, a burglar walking down the street knows you have $100 in a box in your house. However, you all took some precautions like making sure doors are locked. The burglar looks at your houses and moves on because every house probably has $100 in it and he wants the easy score. Now, imagine you and all your friends have $10B in cash. Generally, you are not going to keep that in your house. Maybe you put it in a bank or some other secured location. Now imagine that a team of burglars know that there are 100s of secured locations all with $10B in cash just waiting. There could be hundreds of guards with hundreds of cameras, dogs and thick concrete walls protecting each location. The problem is that the risk / reward ratio just went through the roof and, with a $10B jackpot, someone, somewhere will be willing to finance a try. It is the old weapons vs armour debate. Eventually, the weapon wins.
So, what is the solution? Keep lowering the reward. Do not keep large amounts of data in one location. There should not be a single location that, if breached, becomes a single point of failure. In the case of the government, there should not have ever been a single, master database with all the personnel records of everybody. The government is a huge target already - putting everything in one place just makes the problem worse. A breach WILL occur. There should be much more focus on mitigation after the fact. Start from assuming that the database will be breached and information leaked. Then, decide how one would mitigate that damage.
This applies to the private sector just as much. I am in favour of statutory damages for personal information breaches. That is, if your personal information is leaked by a company, you are entitled to statutory damages from the company. This would solve a lot of privacy and data security problems as it creates a potential financial liability by simply possessing the information. Right now, every company mines personal data because possessing the data is "free" to them; data breaches are an externalized cost. So, they mine the data and target behaviors. If we created a cost to holding onto that data, companies would think long and hard about data mining and personal data retention. In my mind, it would solve much of the intrusive behavior shaping marketing practices as well as contribute to personal data security as fewer companies would hold onto it.