Update 1/1/2012: Use AES Crypt to encrypt files. Read about it here.
Update 09/02/2011: It just happened again to another Texas school district. Read more here.
Source: Social Engineering: The Basics
“Psst…Hey, you wanna a new credit card? How about a new social security number?”
Time and again, confidential data is put into the hands of hackers by unsafe privacy policies, human negligence (or ignorance) about data encryption, social engineering (it’s glorified, isn’t it?) and a mix of variables some find too difficult to predict. The end result, though, is the same–people’s private information ends up in the hands of criminals…or young adults. And, often, simple encryption strategies would have prevented the scandal, the thousands of dollars in identity theft privacy protection that will now be spent.
The private information of thousands of El Paso Independent School District students, teachers and other employees is at risk after hackers broke into the district’s internal computer network.
The security breach was discovered Wednesday when a computer security company noticed hackers bragging on a website about breaking into the EPISD system.
EPISD officials confirmed that the district’s internal network (myepisd.org) was infiltrated and that hackers gained access to information such as names, birth dates, addresses and Social Security numbers of district employees and students.
(Source: El Paso Times)
How does private data on a school district’s “internal network” end up in the hands of hackers? One of the eye-openers is that a breach of encrypted data need not be disclosed. That is, if your confidential data is encrypted and someone steals it, the organization that was hacked need not say a word. It only needs to notify you IF the data was unencrypted.
This is the equivalent of the State Comptroller of Texas leaving Teacher Retirement System confidential data for Texas educators (inservice and retired) UNENCRYPTED on a server earlier this year.
School organizations are victims, sure, but they also can be seen as careless when they break one of the cardinal rules of securing confidential data, a lesson all the more clear since the State Comptroller’s debacle earlier this year:
The hackers also claimed to have students’ Social Security numbers. “And yes, the ssn’s are in plain text. I’ll not disclose any of that tho,” the hacker stated… “It does seem the Social Security numbers were not encrypted, and that is not a smart practice,” Titus said. “The Social Security numbers were not posted on (the hacker’s website), but we know the hackers have access to it. We don’t know if it is being traded on identity theft networks. The frustrating part is that preventing identity theft for kids is very difficult.” (Source: El Paso Times)
Kinda scary, huh? Unencrypted data floating around on school organization networks…why aren’t we all learning digital citizenship lessons and learning to ENCRYPT our data better?
Describe and practice strategies for securing wireless connections (e.g., connect to only legitimate wi-fi hot spots or turn off wi-fi, turn off file share mode, encrypt sensitive data/information, use and update anti-virus software, use a firewall, update operating system).
Source: Digital Security B, CyberSecurity iKeepSafe.org Curriculum Matrix
Would school administrators PASS cybersecurity requirements defining how to assure personal protection of confidential data in the iKeepSafe CyberSafety curriculum? I doubt it…and I doubt most network specialists would either.
And, before these organizations–and their vaunted IT Security Admins–say, “These are free, open source tools that couldn’t possibly be implemented enterprise-level!”–which, not surprisingly, I’ve heard before–let’s remember that the use of ANY ONE of these free, open source tools would have eliminated the negative publicity, voided the effect of a confidential data breach, and prevented the tarnishing of the District’s public image.
Whether you pay thousands for encryption solutions, or use free open source encryption solutions suggested below, it’s long past time to use them.
School districts and anyone who deals with confidential data, here are some suggestions to get started….
It’s easy for folks to get angry about lost confidential data. It takes only moments to use one of the approaches above to secure it. If you have confidential data on your computer, at the very least, use TrueCrypt to protect your data. Try the other solutions to go further.
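A check a district could run before picking an encryption tool: find where Social Security numbers sit in plain text, the condition the hacker described above. This is an added example, not part of the original post; the sample export, its field layout and the function names are constructed for illustration.

```python
import re

# Matches 123-45-6789, 123 45 6789 or 123456789, but not digits embedded in a
# longer number or a phone-style 3-3-4 grouping. Unseparated 9-digit hits can
# still be false positives (e.g. account numbers) and need a human look.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")


def is_plausible_ssn(area, group, serial):
    """Apply SSA issuance rules: area 000, 666 and 9xx, group 00 and
    serial 0000 are never assigned."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_plaintext_ssns(text):
    """Return (line_number, masked_value) for each plausible SSN in text.

    Only the last four digits are kept so the audit report does not
    become a second copy of the sensitive data."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SSN_RE.finditer(line):
            area, _sep, group, serial = match.groups()
            if is_plausible_ssn(area, group, serial):
                findings.append((lineno, "***-**-" + serial))
    return findings


# Constructed sample export. The SSN values are well-known specimen numbers,
# and the "AES256:..." field is a placeholder standing in for ciphertext.
SAMPLE_EXPORT = """\
id,name,dob,ssn,phone
1001,Student A,2001-04-12,219-09-9999,915-555-0100
1002,Student B,2000-11-30,078051120,915-555-0101
1003,Employee C,1975-02-03,000-12-3456,915-555-0102
1004,Employee D,1980-07-19,AES256:9f1c0b7e,915-555-0103
"""

if __name__ == "__main__":
    for lineno, masked in find_plaintext_ssns(SAMPLE_EXPORT):
        print(f"line {lineno}: plaintext SSN {masked}")
```

Files that produce findings are the ones to encrypt or purge first; rows 1003 and 1004 are skipped because one holds a never-issued number and the other holds no readable SSN.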