All laptops are to be encrypted… but is that enough?
US space agency NASA has ordered a crackdown on laptop security after one containing sensitive information went missing.
The organisation has ordered all laptops be encrypted and until that process is complete none are to leave its facilities.
The most recent breach occurred at the end of October, when a laptop containing sensitive information was stolen from an employee’s car parked at its Washington DC office. The laptop was password protected but the data was not encrypted.
Information contained on the device was "sensitive personally identifiable information," according to the BBC, but no further details were given. However, it seems a significant number of people were impacted by the theft. According to the SpaceRef website, NASA has warned workers to be on their guard against bogus calls from people with stolen NASA credentials.
Warning that a "large" number of people were at risk, NASA sent a memo to employees saying: "NASA has contracted with a data breach specialist, ID Experts, who will be sending letters to affected individuals, informing them that their sensitive PII was stored on the stolen laptop and they could be impacted by the breach."
"All employees should be aware of any phone calls, emails, and other communications from individuals claiming to be from NASA or other official sources that ask for personal information or verification of it. NASA and ID Experts will not be contacting employees to ask for or confirm personal information. If you receive such a communication, please do not provide any personal information," the memo added.
It could take up to two months to notify all affected individuals, NASA said.
This incident is the latest in a long line of security failures at the agency, which is now taking steps to improve its security procedures. No NASA-issued laptop can be taken out of the organisation’s facilities unless it has full disk encryption or each sensitive file is individually encrypted.
The agency has given itself a deadline of December 21st to complete the encryption process. Any laptops not protected by then will be removed from service, NASA said.
However, some in the security industry have questioned whether encrypting the laptops goes far enough. Mark Bower, data protection expert and VP at Voltage Security, said encrypting hard drives solves only "a fraction" of data breach risk.
"Data moves to and from laptops – in emails, files, and as data to and from applications and servers. So while encrypting a laptop might be a first reaction, with attackers going after data in flight and the risk of accidental breach through multiple channels (whether it’s data at rest, in use or in motion), wherever there’s a security gap with data in the clear, it’s vulnerable to compromise," Bower said.
The issue with encryption alone is that sensitive files do not reside only on a hard drive; they may be on a mail server as well, and therefore accessible from a smartphone or web browser, Bower said.
"Then it might also be on backup tapes, and in the IT systems and networks accessible to more than just the intended recipients – such as internal IT or outsourced operations, and anyone sniffing the network," he added. "If that data happened to be shared as a file among employees and contractors, then it’s going to propagate to a lot of places beyond the laptop."