Heartbleed — The ”Data Map” Lesson — Intro

The Heartbleed vulnerability is, by now, an item about which we have all assuredly heard a lot.   To get caught up on your reading on the technology aspects of this issue, see the linked articles I have compiled in the ”To Learn More” section at the end of this post.    Note, though, that one key lesson is much more of a common-sense, communication and organizational one.  Most every organization could readily beef up its information-security by creating and then maintaining an up-to-date chart or “ data map” of the who/what/when/why/where of its electronically stored information (ESI).

  Where’s Your Organization’s Data?

In the 1960's, a local New York City TV station came up with the phrase “It’s 10 PM. Do you know where your children are?“   In the 21st century, any organization would do itself a favor by asking the same question about its electronically stored information (ESI).  No matter its shape or size, many a company diffuses its information-management and information-security among various people, systems and locations.   So, generating a chart listing every key vat inside and outside the company’s physical and virtual walls is a must.

A simple spreadsheet is better than nothing and also better than having a disparate set of protocols/lists.   There should be a row for each key repository, e.g., each:

• Database
• Website
• Cloud environment

And the columns (some of which would entail YES/NO) could include:

• System Name
• Content Type
• In-House or Cloud
• Owner Name (point of contact)
• Owner Contact Info.
• Encrypted at Rest
• Encrypted in Transit
• Retention/Deletion Rule(s)
• Back-up Schedules
• DR/BC Status (Disaster-Recovery/Business-Continuity)

For Cloud-stored data, additional columns could be:

• Segregation from Others’ Data
• Notice-of-Breach Duty Shifted

Finally, to paraphrase George Orwell in “Animal Farm,” some data is more private than other data.  Several categories of information thus warrant special in-the-trenches attention once their locations have been idenitfied:

• Personally identiable information (PII)
• Protected health information (PHI)
• Payment card industry information (PCI)

Now, it’s time to begin charting . . . and to start mapping . . .

To Learn More

Some resources as to ESI data-mapping:

–  Brownstone, Electronic Records Retention, Nat’l Const. Confs. Webinar Slides, at 25 (Mar. 20, 2014)

–  Stephenson, Streamline electronic discovery using a data map, Lawyers USA (Jan. 12, 2012) [quoting me :) ]

–  Brownstone, Data-Mapping & Electronic Information Management, Lorman Webinar Slides (Nov. 4, 2009)

                                        And even more as to “Heartbleed”:

–  Codenomicon, The Heartbleed Bug (last visited 5/6/14)

–  Qualys, SSL Server Test (last visited 5/6/14)

–  Valsorda, Heartbleed test (last visited 5/6/14)

–  Goodin, Confirmed: Nasty Heartbleed bug exposes OpenVPN private keys, too, ars technica (4/16/14)

–  Lee, Here’s why it took 2 years for anyone to notice the Heartbleed bug, Vox (4/12/14)

–  Geuss, Private crypto keys are accessible to Heartbleed hackers, new data shows, ars technica (4/12/14)

–  Schneier, Heartbleed is a catastrophic bug in OpenSSL, Schneier on Security (4/11/14)

–  Felten, How to protect yourself from Heartbleed, Freedom to Tinker (4/11/14)

–  Grant, The Bleeding Hearts Club: Heartbleed Recovery for System Administrators, EFF (4/10/14)

–  Cipriani, Heartbleed bug: Check which sites have been patched, CNET (4/9/14)

–  Shankland, ‘Heartbleed’ bug undoes Web encryption, reveals Yahoo passwords, CNET (4/8/14)

–  Kumparak, Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet, TechCrunch (4/7/14)

–  Timson, Who is Robin Seggelmann and did his Heartbleed break the internet?  Sidney Morning Herald (4/11/14)