
The Information Security Awareness Forum Blog's blog 09-01-2009 17:11

When is lost data not lost?

Do the media brush over the facts in articles regarding loss of data in order not to obscure the story, e.g. when the 'lost' data is encrypted? Ian McKinnon, who is a member of the ISAF committee, has written an item on just this subject for our Blog. Read and enjoy. Ed

There has been a spate of data loss incidents in the past 12 months which have been widely reported in the media. This has created a considerable amount of disquiet amongst data controllers, data processors and, not least, data subjects themselves.

 

However the poor reporting of these incidents often makes it very difficult for even IT security professionals to determine the realistic level of threat to the data lost. The general public have precious little chance to comprehend the implications of a specific incident.

 

An incident where a laptop containing personal data is lost can present considerably different risks depending on a number of factors. These factors are often complex and journalists have a natural tendency to gloss over them, either due to ignorance or possibly because they don’t want the facts to get in the way of a good story.

 

When a report states that “data was protected with a password”, that covers a wide range of possibilities, including: the password was simply a Windows password; the data was encrypted with access controlled using the password; the data resides on an encrypted partition of the disk with access controlled using the password; the whole disk was encrypted using the password; or the whole disk was encrypted using a password which also controls the entire boot process.

 

As you can see, there is a vast range of differing options, some obvious and others more subtle, that could be reported as “password protection”, and the list above is by no means exhaustive. The reality is that at one end of the security scale an enthusiastic but relatively inexperienced amateur could gain access to the data in less than a few hours, whilst a highly motivated and well-funded professional adversary would gain access in a matter of minutes. At the other end of the scale, an amateur would have effectively zero chance of gaining access to the data and a professional adversary would need millions of years to break the encryption using very specialised and expensive hardware. The simple way to determine the correct strength for encryption is to ensure that the cost of breaking the encryption is considerably more than the value of the data.

 

For cryptographers the rather fuzzy phrase that summarises an acceptable level of protection is that breaking the encryption must be “computationally infeasible”. This is because encryption relies on the secrecy of a key and that key is simply a very, very, very big number chosen at random (randomness is another serious problem in cryptography but let’s not go there!). It is therefore always possible to break any type of encryption by simply trying all the possible keys – called a brute force attack. As a consequence, it is not possible to say that any type of encryption is unbreakable. This is because there is always a possibility, albeit an infinitesimally small possibility, that an attacker could guess the correct key on their first attempt.

 

This gives rise to another term used in cryptography: “cover time”. Understanding that all encryption can be broken using brute force attacks, the “cover time” is defined as the time taken to try half of the possible keys. Once you have tried 50% of the available keys, probability dictates that you are likely to have found the right one. Cover time is therefore the period for which the data is expected to remain secret in the face of a technically competent, highly motivated and well-funded adversary.
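To put numbers on cover time, the sketch below is an added example, not part of the original post. It compares a cipher key derived from a password with a truly random key. The function names, the guess rate and the password shapes are all assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
RATE = 1e12  # assumed guesses per second (constructed figure, not a benchmark)

def password_bits(alphabet_size, length):
    """Search space, in bits, of a password drawn uniformly at random.
    Human-chosen passwords are less random, so this is an upper bound."""
    return length * math.log2(alphabet_size)

def effective_bits(cipher_key_bits, pw_bits=None):
    """The search space is whichever is smaller: the cipher key itself,
    or the password from which that key is derived."""
    if pw_bits is None:
        return float(cipher_key_bits)
    return min(float(cipher_key_bits), pw_bits)

def cover_time_years(bits, guesses_per_second):
    """Cover time as defined above: time to try half of all possible keys."""
    return 2.0 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR

# Constructed scenarios. The same rate is applied to all of them; a
# deliberately slow key-derivation function would lower the rate for the
# password cases, but would not change the size of the search space.
SCENARIOS = {
    "256-bit cipher, key from 8 lowercase letters":
        effective_bits(256, password_bits(26, 8)),
    "256-bit cipher, key from 12 printable characters":
        effective_bits(256, password_bits(94, 12)),
    "128-bit random key": effective_bits(128),
    "256-bit random key": effective_bits(256),
}

def report(rate=RATE):
    """Map each scenario to its cover time in years at the given rate."""
    return {name: cover_time_years(bits, rate)
            for name, bits in SCENARIOS.items()}

if __name__ == "__main__":
    for name, years in report().items():
        bits = SCENARIOS[name]
        print(f"{name:50s} {bits:6.1f} bits  {years:.3g} years")
```

Under these assumptions, the "256-bit" label on the first scenario says nothing about its cover time: the password, not the cipher, sets the size of the search.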

 

If personal data is properly protected using encryption when “at rest” then the fact that your details will only be compromised a few hundred thousand years after you have died should bring the risk into focus. Data that is properly encrypted using high grade encryption is not really lost if the asset that it is stored on falls into the wrong hands.

 

Conversely, if personal data is stored on a mobile device and exclusively protected using a basic password the potential for full compromise is high. The reporting of such an incident should point out that this weak level of protection is verging on the criminally negligent.

 

It is essential that reporting of data losses provides an adequate level of detail to determine what risk of compromise exists. Without an accurate estimation of the actual risk, the stakeholders will have a tendency to react to the situation based on the style of the reporting rather than the substance of the report.

 

There is significant potential for news reports to over-inflate the risk, causing fear and outrage in the general public, which is likely to result in calls for inappropriate and disproportionate responses. We must demand better of our journalists.

 

In the meantime, individuals who are entrusted with personal data on mobile devices must be made aware of the risks and personally take precautions to ensure its safety. The businesses they work for need to be aware that the theft or loss of mobile devices is inevitable and plan carefully for this eventuality. When challenged about the security of personal data stored on a stolen mobile device, simply saying it was “password protected” will not absolve them of blame.

 



Permalink:
http://www.infosecurityadviser.com/view_message?id=90
