Cord Blood Registry breach – encryption controls and media controls

Archive for the ‘Physical Security’ Category


Backup Files Put Database Information At Risk
Cord Blood Registry breach a cautionary tale in the need for encryption, key management, and secure physical transport of database back-up media.

Kelly explains that step No. 1 to keep this database information secure is implementing strong encryption practices and key management. J. Wolfgang Goerlich, a network security manager at a financial services firm, concurs. He says the risk of misplaced backup information is at the top of his list of worries.

“Encryption is the No. 1 control to prevent scenarios such as the Cord Blood Registry breach. Encryption does require time for configuration and ongoing maintenance, but it has a very low fixed cost,” Goerlich says. “In the Cord Blood Registry scenario, three areas should have been encrypted: the laptop hard drive, the database backup file, and the LTO4 backup tapes. If encrypted, the stolen media would be all but useless. The personal information of 300,000 people would be unreadable and unrecognizable.”

He also believes organizations need to do a better job instituting tape media procedural controls as well. “These ensure that the storage tapes are transported in a manner that is physically secure. From the initial reports, it looks like Cord Blood Registry did not have these in place,” he says. “A solid procedure would prevent transporting sensitive backup tapes using an employee’s vehicle and prevent leaving those tapes unattended in a parking lot.”

Miss the basics, miss the boat – Cord Blood Registry

“The Cord Blood Registry earlier this week began notifying some 300,000 registrants that their personal data might be at risk. (…) a report on the Office of Inadequate Security website indicates that the breach was the result of the theft of data backup tapes from an employee’s car.”


The breach is a good reminder of the basics. If it moves, encrypt it. If it rests, encrypt it. If you are moving tapes, have basic media controls in place to keep unsecured tapes from sitting in someone’s car. Miss the basics, miss the boat.

HVAC Security Controls


I have received a few responses from my haiku idea. One came from a fellow, whose poetic skills I admire, and poked a little fun at me. He offered the following as an example:

The servers are hot!
The data center is warm!
What will happen now?

It made me smile and, actually, was rather timely. As data centers in the northern hemisphere move into the summer months, our attention turns towards air conditioning. HVAC (Heating, Ventilation, and Air-conditioning) falls under physical security. Returning to the haiku, the servers are hot. What will happen now? A denial of service.

Some basic controls can be built around HVAC systems to prevent a DoS. The first few revolve around redundancy. HVAC systems should be dedicated and spec’d with ample capacity to cool the room in question. Internal redundancy can be achieved by dual compressors and controllers. External redundancy can be achieved by dedicated n+1 power lines and dual intake vents. Speaking of intakes, these should be in a protected space to prevent tampering or buildup of debris. The HVAC itself should be in a physically secure location.

In summary, here is a checklist of items for an InfoSec pro to audit with his facilities personnel:

  • Dedicated HVAC
  • n+1 tonnage capacity
  • Internal redundancy
  • External redundancy (power/air feeds)
  • Positive pressurization (vent the area of dust, debris, and possible smoke)
  • Physical security of the HVAC unit
  • Physical security of the HVAC intake vents
  • Clear supply and return vents

Regards and keep cool,

J Wolfgang Goerlich