[IS&T Security-FYI] SFYI Newsletter, February 1, 2010

Monique Yeaton myeaton at MIT.EDU
Mon Feb 1 12:16:17 EST 2010


In this issue:

1. Follow Up to Adobe PDF Protection

Last week's issue included an article about some of the security  
features in the Adobe Acrobat product that are meant to protect PDF  
documents containing sensitive information. In this day and age of  
data protection requirements and regulations, having a way to protect  
a single document seems like a great idea.

However, there is a catch (as there is with anything to do with  
security). I should have pointed out in last week's article that  
whenever there's a claim about a product having some incredible  
security features, there must always be some skepticism on the part of  
the user. No security tool is fail-safe, and security risks cannot be  
resolved with just one product.

Regarding the Adobe security features, namely protecting a PDF  
document from access, alteration or printing, and redacting sensitive  
data in the files, several of my readers shared with me ways a  
determined hacker can circumvent the protections Adobe put in place.

Without going into the details of how one can do this, I recommend we  
always objectively consider whether using built-in protection in a  
product gives us a false sense of security. When using security tools,  
remember there is likely a smarter person out there who can remove the  
security we put into place.

Think about an alarm system on a building. The alarm is there to deter  
thieves from breaking in, but if someone really wants to get in, an  
experienced thief can likely find a way to disable the alarm and get  
in undetected, no matter how good the security technology. However, we  
can increase the likelihood that the thief will stop trying if we  
add other layers, such as a guard dog, a high, locked fence, a  
moat, and more locks on the building. This is how we must think about  
securing data as well: no single control, but several that a thief  
would have to defeat in turn.

Here are some quick tips on establishing good data protection:

- Use full disk encryption with a product such as PGP to encrypt all  
  documents on a computer. If a computer has documents on it you may not  
  realize contain sensitive data, they will ALL be protected.
- Don't electronically share documents that you know should not be  
  forwarded along to others, should not be printed because of sensitive  
  data, or should not be modified. Instead, print the documents out,  
  redact the data you deem sensitive with a marker, and then send it as  
  a hard copy to the person who needs to review it.
- If you want to be extra safe when redacting, cross out the sensitive  
  numbers (social security numbers, credit card numbers, etc.) with a  
  marker, then make a copy of the document on a copier and send the  
  copy. This should prevent anyone from "reading through" the marker.  
  Or you can cut the numbers out with scissors or a hole-punch.
- If you have many records in an Excel file with sensitive data  
  included, and need to share the records, remove the column with the  
  sensitive data before sending it along. Many times the information  
  others need from the file is not the social security numbers or the  
  account numbers but all the other fields, which don't contain the  
  sensitive data.
- It is a good idea to not send any files containing sensitive data  
  through email. Instead, upload the file to a shared server to which  
  others can be given limited access. Remember to remove a person's  
  access if he/she no longer needs it for business reasons.
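The spreadsheet tip above has a failure mode the rest of this issue warns about: deleting the obvious column is not the same as confirming the data is gone, because a social security number can also be sitting in a free-text "notes" field. The following is an added example (not part of the newsletter, and not an IS&T tool) that drops named sensitive columns from a CSV export of the spreadsheet and then scans every remaining cell for values that still look like an SSN or a card number before the file is considered safe to share. The column names, regexes and sample rows are all constructed for illustration.

```python
import csv
import io
import re

# Constructed sample standing in for an Excel export; every value is made up.
SAMPLE_CSV = """name,department,ssn,account_number,phone
Alice Example,Finance,123-45-6789,4111111111111111,617-555-0100
Bob Sample,HR,987-65-4321,5500000000000004,617-555-0101
"""

# Second constructed sample: the sensitive column is gone after dropping "ssn",
# but someone typed an SSN into a free-text column, so dropping by name is not enough.
SAMPLE_WITH_NOTES = """name,department,ssn,notes
Carol Case,Finance,111-22-3333,SSN on file: 123-45-6789
"""

# Assumed column names holding the sensitive fields (compared case-insensitively).
SENSITIVE_COLUMNS = {"ssn", "account_number"}

# Values that look like a US SSN (nnn-nn-nnnn) or a 13-16 digit card number.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d{13,16}\b")


def drop_sensitive_columns(csv_text, sensitive=SENSITIVE_COLUMNS):
    """Return the CSV text with the named columns removed entirely (not blanked)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    keep = [c for c in reader.fieldnames if c.lower() not in sensitive]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({c: row[c] for c in keep})
    return out.getvalue()


def find_residual_sensitive_values(csv_text):
    """Scan every remaining cell and return (row_number, column, value) for
    anything that still matches an SSN or card pattern. Empty list means clean.
    Row numbers count the header as row 1, matching what a spreadsheet shows."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_number, row in enumerate(reader, start=2):
        for column, value in row.items():
            if value and (SSN_RE.search(value) or CARD_RE.search(value)):
                findings.append((row_number, column, value))
    return findings


def prepare_for_sharing(csv_text):
    """Drop the sensitive columns, then refuse to release the file if the
    pattern scan still finds sensitive-looking values anywhere in it."""
    cleaned = drop_sensitive_columns(csv_text)
    leaks = find_residual_sensitive_values(cleaned)
    if leaks:
        raise ValueError(f"sensitive-looking values remain: {leaks}")
    return cleaned


if __name__ == "__main__":
    print(prepare_for_sharing(SAMPLE_CSV))
    try:
        prepare_for_sharing(SAMPLE_WITH_NOTES)
    except ValueError as err:
        print("blocked:", err)
```

The scan is deliberately a second, independent check rather than part of the column drop: the first pass removes what you know about, the second catches what you did not. The same pattern scan can be run over a document before it is uploaded to the shared server mentioned in the last tip.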

If you need more information, you can go to <http://web.mit.edu/infoprotect/>  
for various resources. You can also find some tips at  
<http://ist.mit.edu/security/support/protect>.

An in-person information session covering what is considered sensitive  
data and how to handle this type of information at MIT can be  
requested by contacting Allison Dolan (adolan at mit.edu).

Thank you for doing your part in "providing the MIT community with  
accurate, reliable information to authorized recipients and to  
preserve vital records." (MIT Policy 13.2.2, see  
<http://web.mit.edu/policies/13/13.2.html>)

========================================================================

Find current and older issues of Security FYI Newsletter: <http://kb.mit.edu/confluence/x/ehBB>


Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security
