Educause Security Discussion mailing list archives
Re: 'Porn-surfing hits taxpayer IDs'
From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 15 Jun 2006 09:46:59 -0400
Another option would be to provide bootable CDs to the untrusted third parties and have them use those to boot their untrusted machines and access your constituents' sensitive data. I know it sounds a bit crazy but with some planning, I think it would be practical. If they need to save data, it could be saved to an encrypted, authenticated USB key. (It's got to be better than saving it to the local machine running untrusted software.) One needs to be cognizant, though, of people saving sensitive data from servers locally, so this capability should be provided only if absolutely necessary.

The browser could have its user-agent fiddled with to provide the server some capability of verifying the CD environment. Or PKI could be used. Shoot, the CDs could be serialized with different PKI material providing a simple form of two factor.

None of these will keep a determined person from bypassing it but by golly, if they go that far to subvert security and policy, maybe termination should start being looked at more strongly as an option...before a data breach rather than afterwards.

Only the future can tell how much disclosure constituents will put up with before being amenable to more stringent, less convenient policies and controls.

I got my letter from the VA a couple days ago. Virginia counties are putting land records with SSN and other sensitive data online to make accessing county records more convenient. For whom, I don't know. Personally, I could do with a little less convenience.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security