Heartbleed — The “Data Map” Lesson — Intro
The Heartbleed vulnerability is, by now, an item about which we have all assuredly heard a lot. To get caught up on your reading on the technology aspects of this issue, see the linked articles I have compiled in the “To Learn More” section at the end of this post. Note, though, that one key lesson is much more of a common-sense, communication and organizational one. Almost every organization could readily beef up its information security by creating, and then maintaining, an up-to-date chart or “data map” of the who/what/when/why/where of its electronically stored information (ESI).
Where’s Your Organization’s Data?
In the 1960s, a local New York City TV station came up with the phrase “It’s 10 PM. Do you know where your children are?” In the 21st century, any organization would do itself a favor by asking the same question about its electronically stored information (ESI). No matter its shape or size, many a company diffuses its information management and information security among various people, systems and locations. So, generating a chart listing every key data repository inside and outside the company’s physical and virtual walls is a must.
A simple spreadsheet is better than nothing, and also better than a disparate set of protocols and lists. There should be a row for each key repository, e.g., each:
- Database
- Website
- Cloud environment
And the columns (some of which would entail YES/NO) could include:
- System Name
- Content Type
- In-House or Cloud
- Owner Name (point of contact)
- Owner Contact Info.
- Encrypted at Rest
- Encrypted in Transit
- Retention/Deletion Rule(s)
- Back-up Schedules
- DR/BC Status (Disaster-Recovery/Business-Continuity)
For Cloud-stored data, additional columns could be:
- Segregation from Others’ Data
- Notice-of-Breach Duty Shifted
Finally, to paraphrase George Orwell in “Animal Farm,” some data is more private than other data. Several categories of information thus warrant special in-the-trenches attention once their locations have been identified:
- Personally identifiable information (PII)
- Protected health information (PHI)
- Payment card industry information (PCI)
Now, it’s time to begin charting . . . and to start mapping . . .
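As an added illustration (not part of the original post), the following script treats a data map built with the columns above as a CSV file and turns it into two action lists: sensitive repositories (PII/PHI/PCI) whose encryption, ownership or cloud columns need attention, and the systems and owners to contact when a bug in the transport-encryption layer, Heartbleed being the example at hand, is announced. The sample rows are constructed, and the assumption that “Encrypted in Transit = YES” marks a system that depends on a TLS library is mine, not the post’s.

```python
import csv
import io

# Constructed sample data map using the post's columns (straight apostrophe
# in "Others' Data" so the header is plain ASCII). Values are made up.
DATA_MAP_CSV = """\
System Name,Content Type,In-House or Cloud,Owner Name,Owner Contact Info,Encrypted at Rest,Encrypted in Transit,Retention/Deletion Rule(s),Back-up Schedules,DR/BC Status,Segregation from Others' Data,Notice-of-Breach Duty Shifted
hr-db,PII,In-House,A. Smith,asmith@example.com,YES,YES,7 years,nightly,tested 2014-01,,
patient-portal,PHI,Cloud,B. Jones,bjones@example.com,NO,YES,10 years,weekly,untested,YES,NO
web-shop,PCI,Cloud,C. Lee,,YES,NO,90 days,nightly,tested 2013-11,NO,YES
wiki,Internal docs,In-House,D. Kim,dkim@example.com,NO,NO,none,monthly,n/a,,
"""

# The post's "more private than other data" categories.
SENSITIVE = {"PII", "PHI", "PCI"}


def load_data_map(text):
    """Parse the spreadsheet export into one dict per repository row."""
    return list(csv.DictReader(io.StringIO(text)))


def review_data_map(rows):
    """Return {system name: [findings]} for rows that need attention."""
    findings = {}
    for row in rows:
        issues = []
        sensitive = row["Content Type"].strip().upper() in SENSITIVE
        if sensitive and row["Encrypted at Rest"] != "YES":
            issues.append("sensitive data not encrypted at rest")
        if sensitive and row["Encrypted in Transit"] != "YES":
            issues.append("sensitive data not encrypted in transit")
        if not row["Owner Contact Info"].strip():
            issues.append("no owner contact on file")
        if row["In-House or Cloud"] == "Cloud":  # cloud-only columns apply
            if row["Segregation from Others' Data"] != "YES":
                issues.append("cloud data not segregated from other tenants")
            if sensitive and row["Notice-of-Breach Duty Shifted"] != "YES":
                issues.append("breach-notice duty for sensitive data stays with us")
        if issues:
            findings[row["System Name"]] = issues
    return findings


def systems_to_check_after_tls_bug(rows):
    """Assumption: transit encryption means a TLS stack is in play, so these
    are the systems (and owners) to contact after a Heartbleed-style advisory."""
    return [(r["System Name"], r["Owner Contact Info"])
            for r in rows if r["Encrypted in Transit"] == "YES"]
```

Running the review on the sample map flags only the two cloud-hosted sensitive systems, and the TLS list names the two systems whose owners would need to patch and rotate keys.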
To Learn More
Some resources as to ESI data-mapping:
– Brownstone, Electronic Records Retention, Nat’l Const. Confs. Webinar Slides, at 25 (Mar. 20, 2014)
– Stephenson, Streamline electronic discovery using a data map, Lawyers USA (Jan. 12, 2012) [quoting me :) ]
– Brownstone, Data-Mapping & Electronic Information Management, Lorman Webinar Slides (Nov. 4, 2009)
And even more as to “Heartbleed”:
– Codenomicon, The Heartbleed Bug (last visited 5/6/14)
– Qualys, SSL Server Test (last visited 5/6/14)
– Valsorda, Heartbleed test (last visited 5/6/14)
– Goodin, Confirmed: Nasty Heartbleed bug exposes OpenVPN private keys, too, ars technica (4/16/14)
– Lee, Here’s why it took 2 years for anyone to notice the Heartbleed bug, Vox (4/12/14)
– Geuss, Private crypto keys are accessible to Heartbleed hackers, new data shows, ars technica (4/12/14)
– Schneier, Heartbleed is a catastrophic bug in OpenSSL, Schneier on Security (4/11/14)
– Felten, How to protect yourself from Heartbleed, Freedom to Tinker (4/11/14)
– Grant, The Bleeding Hearts Club: Heartbleed Recovery for System Administrators, EFF (4/10/14)
– Cipriani, Heartbleed bug: Check which sites have been patched, CNET (4/9/14)
– Shankland, ‘Heartbleed’ bug undoes Web encryption, reveals Yahoo passwords, CNET (4/8/14)
– Kumparak, Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet, TechCrunch (4/7/14)
– Timson, Who is Robin Seggelmann and did his Heartbleed break the internet?, Sydney Morning Herald (4/11/14)