Laptop Encryption: SEC Staff Take Unencrypted Laptops To Hacker Conference, Gets Busted By Inspector General.
According to numerous sources, staff at the SEC were busted taking their laptops to the Black Hat Security Briefings conference in Las Vegas. They should have stopped by AlertBoot, we who offer full disk laptop encryption software because — aside from being headquartered in Sin City (like Zappos, the shoe guys) — they apparently needed FDE: the staffers’ laptops, full of “system architecture and technology maps of both the New York Stock Exchange and the Nasdaq, information about their key data centers, their emergency plans,” according to foxbusiness.com, were unencrypted.
At a hacker conference.
That’s not a good idea, especially when you consider that Black Hat is notorious for pulling security pranks like setting up compromised Wi-Fi networks (unofficial internet hotspots) to trap the less-than-security minded.
Violation of SEC Policy
The SEC’s inspector general discovered the data breach — lugging around unencrypted laptops full of critical data is a violation of SEC policy and considered data breach, even if data has not been compromised — when it conducted an investigation.
An anonymous source noted that the system architectures, network maps, and other information was “virtually everything you need to know if you were a terrorist looking to sabotage the U.S. capital markets.”
Thankfully, nothing happened:
“The Inspector general found that four staff members had used unencrypted laptop computers in violation of SEC policy,” said SEC spokesman Jon Nester. “Although we found no evidence that data was compromised, the problem was fixed and the two staffers responsible for maintaining and configuring the equipment are no longer with the agency.”[foxbusiness.com]
According to techweekeurope.co.uk,
The degree to which the information was ever at risk is unclear. However, the agency did hire a third-party security firm to conduct an audit of the information and found no evidence that it had been improperly accessed…. The cost of the audit was $200,000 (£125,000). The responsible staffers have been disciplined for their actions.
Trust, but Verify
The SEC staffers did something really dumb. I wouldn’t approach a Black Hat conference with anything electronic on my person, even if that’s bordering a little on this side of paranoia. A laptop with blueprints to America’s exchanges? That either takes cojones or the knowledge that you know what you’re doing. The lack of encryption indirectly suggests the latter is not it. It’s also dubious whether “large ones” are to be celebrated in such situations. I’d prefer that the information was secured in a way that most agree is secure.
Which is why I have to turn my gaze past the staff towards the SEC, though. Why are they handing out company computers without laptop encryption in place? Did someone in the IT department make a mistake and hand out four laptops that were not properly secured? An oversight? Or were employees trusted to be prudent and discreet in how and where they use their laptops?
You’ve got to trust your employees to do the right thing. However, when you consider the vicissitudes of life, it only makes sense to secure those things that need securing because things can hit the proverbial fan.
Related Articles and Sites: