How Would You Prefer To Send Sensitive Data? 542
sprkltgr writes "Our HR department is implementing new software. The HR Director has tasked me with sending our data out of our network to the consultant that's loading it in to the new package. Obviously this data includes items such as SSN, name, birth date, etc. Upon being told that I would not email this data to her, the consultant asked what my security requirements were for sending the data. What would be on your wishlist for the best way to send sensitive data to someone outside your firewall?"
Couple idea's (Score:4, Informative)
Or if the area is not to far, why not burn it to a CD or some other kind of media and physically take it to her.
Re:PGP (Score:5, Informative)
Re:PGP (Score:5, Informative)
Sending sensitive data isn't that hard. (Score:3, Informative)
Of course, this doesn't address the issues revolving around exposing all this data to your consultant to begin with.
E-Mail (Score:5, Informative)
PGP maybe. Say we PGP encrypt an e-mail. We now rely on the secrecy of the recipient's private key. This means we rely on the recipient's security infrastructure to properly protect a piece of data until the data we transmit has become non-useful (this includes destroying all copies of the key -- when actually done, we guarantee the key remains secret forever). Can we trust this? Not really.
Well with SSL, the certificate gets verified against a CA signature. The client automatically establishes encryption in a secret way (randomly generated public key, sent to server, which sends a signed and encrypted session key) so we know no third party can eaves drop, without any infrastructure on the client end. Now, this is where I pull up Ettercap in the next hotel room over, and the client clicks "Accept certificate temporarily for this session" when it warns him my MitM cert is self-signed. Again, can't trust this.
Well, let's hand it off on a USB flash drive. Does he lose it? Leave it in his car? Hell, it's now on a storage system at another company with odd security practices. Again, out of your control.
All solutions suck. Transport isn't an issue, it's ensuring data confidentiality at the destination (including any encryption keys used to secure the transport, as well as the decrypted data itself once stored at the other end).
Re:By Hand (Score:3, Informative)
Re:PGP (Score:2, Informative)
Re:GPG? The Open Source Version of PGP (Score:5, Informative)
Giving anyone other than my parents personal information about myself (credit card number/ SSN) over the phone pains me. It feels like I'm running a red light every time and I'd rather not do it.
Re:PGP (Score:4, Informative)
Why not 7Zip (Score:1, Informative)
Re:encrypted filesystem on a USB drive (Score:3, Informative)
Back when I worked for a defense contractor, FedEx was legal for shipping classified hard drives.
Old Grouch Here (Or maybe Old Farte) (Score:3, Informative)
Re:PGP (Score:4, Informative)
That and email just is not a good way to send lots of data, it just isn't designed for it.
I'm more in favor of setting up a VPN....and using scp across it.
That will work better for what I guess has to be a good bit of bulk of data...and should be quite secure enough.
Re:PGP (Score:5, Informative)
It's amazing how many people make this mistake. NEVER implement an unauthenticated protocol, unless you can completely guard access to it -- and by that, I mean use it over pipelines, UNIX sockets, or in wrappers that include authentication.
Oh, and FTP sucks. I can't think of a good reason to use it at all, ever. Use Samba if it's convenient, otherwise things like scp/sftp, rsync, or actual database replication.
Re:PGP (Score:3, Informative)
Then only the person who is allowed to see it can.
too lazy to do key management ... used voltage (Score:2, Informative)
Email was pretty much the file transfer mechanism of choice for the business (for better or worse).
Major issues from my team (Info Sec):
1) how do we stay out of the key management business (anybody that has been to the key ring, PKI, certificate, etc. management barbecue knows what I am talking about here)
2) that we get all the mail off of our systems at the time of delivery (basically, in the wild world of e-discovery, we did not want to have to get into managing other company's 'sensitive emails')
3) no software required on the recipient's machine
I have used, tinkered with, been burned by, loved, and hated pretty much all the top players in this space... but based on our requirements and my personal motivation to just solve my email encryption problem and go back to my other work without needing to tie up resources to support users that were now using the implementation... I went with Voltage (http://www.voltage.com). It took two change control windows to get it into prod (one to test, and one to go live). For the sensitive email traffic that was not handled by gratuitous SSL/TLS (roughly 100k+ messages per day) we used Voltage at the gateway with users entering a key word in the subject line to encrypt. It took a little bit of training and some internal showing of dirty laundry, but users eventually caught on... and within about 3mos of implementation we were dealing with high 100s to low 1000s of user violations. We could have dropped the number to 0 by rigging our DLP product into the mix and forcing all remaining sensitive data flagged by our DLP solution to go through Voltage, but the business was happy with the drop in violations and did not want to do that.
In short, we dropped our plain text email violations from about 300k+ per day to about 1k per day, nobody had to do the key management dance, and no residual customer email was left in our environment. As a side note, Voltage also has a SAAS product that is completely managed by them that we referred our power recipients and business partners off to... once again, no work there for me or my team.
Hope this gives a decent data point for your issue.
Re:PGP (Score:5, Informative)
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.
Dropbox is simple enough (Score:2, Informative)
In lieu of new consultant, require data standards! (Score:1, Informative)
However, assuming that you can't do anything about it, here are the methods I have used, depending on the capabilities of the client:
1) standard FTP of PGP encrypted files
2) sftp/https using digital certificate authentication
3) e-mail of PGP enrypted attachments
4) enrypted private VPN tunnel (IPSec)
Where do I store this data? On a truecrypted volume, manually mounted if the system reboots (password NOT stored anywhere on the system). If my office gets broken into, they only have a useless disk of gibberish.
Re:PGP (Score:5, Informative)
Re:PGP (Score:5, Informative)
You do not want to use FTP at all. FTP is a very insecure protocol. If the data is very confidential, then you need to secure it against
Remember no encryption is so good that it can't be cracked, given sufficient compute power and sufficient time, and that the profits from identity fraud are now sufficient to make it worth criminal gangs while to put significant resource into cracking encryption.
So to send this data, in my opinion, you need to split it into chunks which are in themselves of low value (i.e. first file, names and employee numbers; in the second file, social security numbers and employee numbers; in the third file, addresses and employee numbers; in the fourth file, ages and social security numbers; and so on); encrypt these chunks using different encryption keys, so that decrypting one will not provide the key to encrypting the next; and send them over a secure channel.
The UK Government has had a series of scandals recently where couriered media (CD-ROM disks) with valuable personal information has gone missing, so couriering this is not a good plan. Criminal gangs are apparently now willing to pay about US$50 per person for identity details like these, so in terms of value for unit mass, a CD with these details is worth much more than diamonds.
Do you want theory or reality? (Score:3, Informative)
For the "real" answer - Using WinZip, pick 256-bit AES encryption and zip your file. Then send it via regular email, and call the recipient with the password (and although you don't need to pick an easy password, prepare to have to repeat it a few dozen times if you choose anything even remotely secure).
That satisfies any privacy/data security laws applicable to the situation, including HIPAA (presuming the recipient actually has the right to access the requested data) if this happens to involve sending medical records. No, not a glamorous solution, but it works.
Re:PGP (Score:3, Informative)
hold it (Score:3, Informative)
You can use chroot as an additional security blanket, to protect against possible bugs in scp. But if you don't use chroot, that doesn't mean "your clients can go poking around the rest of your SCP server". Furthermore, there are many alternatives to chroot, including vserver and AppArmor.
chroot cages are built in
There are plenty of webdav implementations that do not come with chroot.
I'm sorry, but a little knowledge is dangerous when it comes to security, and your blind faith in chroot is dangerous. Chroot is neither necessary nor sufficient for ensuring security.
Re:PGP (Score:5, Informative)
Yes, these people can and routinely do crack military grade encryption, if the data is valuable enough. This data is valuable enough.
Highly unlikely.
What they (the attackers) are probably doing is either:
1) Man in the Middle (MITM) attack where the source/destination players (Alice & BoB) don't properly authenticate their encryption keys. Which lets them read all of the traffic by pretending to be the other end of the stream to each player.
2) Attacking the weak point of any encryption system - key management. Either by keylogging to obtain the passphrase, or other rootkit / cracking work to steal the private keys. Which then allows them to decrypt the messages. Getting key management correct is HARD (the devil is in the details).
3) Suborning either Alice or Bob (i.e. bribery or social engineering). Or simply via the lead lined rubber hose attack.
There's an awful lot of very very smart people out there who are looking at the current algorithms in use (AES, RSA, etc). If there were known weaknesses in the algorithms, we would have heard about them. Something that is encrypted with today's 256bit symmetric encryption algorithms is extremely secure for the foreseeable future (40+ years?). At least, as long as the encryption key is not leaked through some other fashion.
Re:PGP (Score:2, Informative)
if this is just a oneshot deal, its probably easier to provide them with a password protected archive and give them the password verbally (over the phone) - good choices here are anything that uses 256 bit aes or the equivalent, so rar, winzip and 7z (which is opensource/free) are good choices.
Re:PGP (Score:3, Informative)
What I meant is that every extra bit doubles the effort, i.e. going from 128 to 256 bits is not doubling the effort, it is squaring it.
You need a security policy. (Score:3, Informative)
I can't stress this enough. You need a company information security policy.
Your information security policy should at a minimum cover the following items:
I plan to write a blog post today or tomorrow at our blog, http://securitymusings.com [securitymusings.com] which will go into a little more detail on this.
Now for a direct answer to your question: strongly encrypt the data using a 128-bit (or longer) standard encryption algorithm such as 3DES, AES, or Blowfish. If you are using password-based encryption, use a long and random password, such as those generated by any good password generation application. (GRC has a web-based one. [grc.com]) Use at least 20 random characters to create a sufficiently entropic password. Communicate the password out-of-band, such as via telephone, fax, or mail/fedex. There are lots of available tools to do proper encryption, such as PGP/GPG, WinZip, etc. Use one, don't write your own.
Re:PGP (Score:4, Informative)
No practical encryption, that is. One-time pads are uncrackable. However, your statement is misleading -- for many types of encryption, "sufficient time" is longer than multiple human lifespans, even with access to a large amount of computing power. It's generally the non-encryption parts of a security system that fail.
Re:hold it (Score:4, Informative)
Not SFTP (Score:3, Informative)
I have no expertise with setting up VPNs, but a similar situation may arise.