rudis dot net

A story in the Fairview Observer illustrates a number of problems that plague more than just small county election offices.

In Davidson County, two laptops were stolen from the offices of the election commission. One of the laptops had a password taped to the top, though the election administrator, Ray Barrett, claims that it was an old password that had been changed. The other laptop was claimed to be broken. These systems were not secured - no hard disk encryption, no physical isolation - and contained approximately 337,000 Social Security numbers.

The Mayor has called for a government-wide security audit, but that may do little to allay the fears of voters and voter watchdog groups. Without encryption, the data on the disks inside those systems is completely accessible to the thieves. Beyond the PII loss, there is also a concern that the voting machine ballot testing software may also be loaded on the systems, potentially putting election results at risk.

There are reports that the security guards ignored their duties the night of the break-in and, in an audit of the access card key swipes, it was discovered that no guards had been watching the building at all on Saturday nights through early Sunday mornings for months.

What could they have done to prevent this?

• Physically secure the portable computers
• Employ full hard disk encryption
• Maintain an accurate and up-to-date inventory of what data and applications reside on all systems
• Never tape passwords/passcodes/passphrases to machines
• Have a tested incident response program in place
• Perform regular audits of the physical security controls

Would it have been *that* hard to lock the laptops in a desk or cabinet? Is hard disk encryption *that* expensive or difficult to employ? In such a small environment, is maintaining an asset database *so* time-consuming and intensive to make it not worth doing? Is it completely unreasonable to expect folks to remember a password? Should an organization not already be making sure outsourced functions are meeting expectations?

The only area that I am willing to give them a "bye" on is that of incident response procedures, and even that is not too difficult to get a handle on.

Unfortunately, Fortune 500 corporations make the same mistakes. Security is not that difficult, yet most folks pay little-to-no attention to even the fundamentals.

If someone broke into your store/small business would you have fared better than the Davidson County officials?

The House introduced H.R. 4791 this week (these things have a way of cascading into the private sector, so it's good to watch what they're up to). Some "highlights" include:

• expands the definition of PII
• formalizes data breach/loss reporting requirements
• mandates encryption and/or obfuscation of records containing PII data
• requires keeping an accurate & current list of systems with PII data at rest or in transit
• outlines notification requirements
• forces protection on mobile devices
• ensures remediation plans are followed when gaps are identified
• *requires a yearly PII audit*
• extends the requirements to contractors that host or process PII data for the govt
• establishes many, many rules with data brokers

If made into a law and applied to private companies, this could generate a slew of additional work for anyone who isn't already doing all they can to protect our personal information.