I generally don't comment on popular news, especially tragic ones. But one of my RSS feeds on "information leaks" picked up on the death of Brittany Murphy, and wanted to note that, sometimes, it doesn't matter how much you've spent on data security like laptop encryption software; you will still have a data breach.
It's common knowledge by now that Ms. Murphy is deceased. Many also know that she had a "virtual pharmacopoeia of drugs, including potent painkillers and medicine for depression" in her possession. Now, that latter bit was not information for public consumption. Such details were only known because of a leak from the L.A. coroner's office. The detailed notes, including the presence of powerful prescription medication, were taken by L.A. police and handed over to the Coroner's office, where it was stored on a password-protected computer. Normally I would be pointing out how password-protection doesn't really protect information. Unlike encryption software, password-protection on computers is easy to bypass without providing a password--by swapping out a computer's hard drive, for example. In the above case, though, I find it unlikely that the details were accessed in this way. More than likely is the scenario that someone who had access to the computer just accessed the contents of the computer.
It's common knowledge by now that Ms. Murphy is deceased. Many also know that she had a "virtual pharmacopoeia of drugs, including potent painkillers and medicine for depression" in her possession.
Now, that latter bit was not information for public consumption. Such details were only known because of a leak from the L.A. coroner's office. The detailed notes, including the presence of powerful prescription medication, were taken by L.A. police and handed over to the Coroner's office, where it was stored on a password-protected computer.
Normally I would be pointing out how password-protection doesn't really protect information. Unlike encryption software, password-protection on computers is easy to bypass without providing a password--by swapping out a computer's hard drive, for example. In the above case, though, I find it unlikely that the details were accessed in this way.
More than likely is the scenario that someone who had access to the computer just accessed the contents of the computer.
This was an internal leak, and the informant probably knew that the origin of the leak would be traced back to the Coroner's office. Even with that knowledge, the informant went ahead and made the information public (my euphemism for "probably sold the thing to tabloids"). And therein lies the ultimate crux about information security: as long as someone has access to the information, it's not 100% secure. However, if no one has access to the information, so that 100% security is reached, what's the use? Why protect it in the first place? Just get rid of it. (While 100% computer data security couldn't actually be reached, one could get super close to it by using encryption. It's just a matter of encrypting the information and losing the encryption key. At that point, having a password doesn't even matter anymore. The chances of winning the lottery twice are probably higher than the chances of accessing the protected data.) The point is not to just rely on technology when it comes to data security, but to also put other tools in place so that errors and deficiencies can be corrected when found. For example, if there was software on the coroner's computer that kept track of who logged on, with separate passwords for individuals, it would be possible to at least pare down the list of suspects. If said software also kept track of user's activities--which files were opened and the like--it may have been possible to pinpoint the actual informant. How can this correct errors and deficiencies? By following up with the informant--firing him, bringing a lawsuit against him, etc.--it sends a message to other employees that, yes, we will find you and right any wrongs. While data security products like AlertBoot go a long way towards securing information, you can never discount the importance of the human element.
This was an internal leak, and the informant probably knew that the origin of the leak would be traced back to the Coroner's office. Even with that knowledge, the informant went ahead and made the information public (my euphemism for "probably sold the thing to tabloids").
And therein lies the ultimate crux about information security: as long as someone has access to the information, it's not 100% secure. However, if no one has access to the information, so that 100% security is reached, what's the use? Why protect it in the first place? Just get rid of it.
(While 100% computer data security couldn't actually be reached, one could get super close to it by using encryption. It's just a matter of encrypting the information and losing the encryption key. At that point, having a password doesn't even matter anymore. The chances of winning the lottery twice are probably higher than the chances of accessing the protected data.)
The point is not to just rely on technology when it comes to data security, but to also put other tools in place so that errors and deficiencies can be corrected when found. For example, if there was software on the coroner's computer that kept track of who logged on, with separate passwords for individuals, it would be possible to at least pare down the list of suspects. If said software also kept track of user's activities--which files were opened and the like--it may have been possible to pinpoint the actual informant.
How can this correct errors and deficiencies? By following up with the informant--firing him, bringing a lawsuit against him, etc.--it sends a message to other employees that, yes, we will find you and right any wrongs. While data security products like AlertBoot go a long way towards securing information, you can never discount the importance of the human element.
Related Articles and Sites:http://www.theimproper.com/?p=1989