Federal departments consider banning USB keys in wake of dozens of security breaches
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 1 Jan 2014 18:44:46 -0700
A USB key handed out to an employee in the federal department that helps
Canadian companies compete for domestic and foreign security contracts
vanished early in 2013.
A week-long trail of emails and phone calls led security officials to conclude
it was “impossible to assess [the] compromise” related to the loss of the
device. Nor was it clear who was telling the truth about the number of
hands the one small device passed through: employees pointed fingers at
each other, with none knowing where the USB key ended up.
Another USB key that was neither password protected nor encrypted was found
on a downtown Ottawa sidewalk by a Good Samaritan. It contained protected
information — albeit out-of-date details — of a federal project.
The two instances are among dozens of security incidents logged by Public
Works and Government Services Canada over the past year in the capital,
which has the largest slice proportionally of public servants in the
country. The USB key losses are two of four investigated in 2013 by Public
Works, not including the six lost BlackBerry phones, two lost laptops and
the possible theft of an iPad.
Multiple departments have looked to ban or limit the use of USB keys and
portable data devices in the wake of high-profile data breaches in 2013,
including the loss of a USB key at Employment and Social Development Canada
that contained sensitive information on more than 5,000 Canada Pension Plan
disability applicants. If USB keys are being used, departments are opting
for encrypted devices.
“I can’t but shake my head that they’ve taken a step forward, but they’re
still miles away,” said Tony Busseri, CEO of Toronto-based Route1 security.
“Don’t have the data go walking beyond the firewall of the network. You
don’t need the USB key,” he said.
One route is to have departments keep data on secure servers and have
users connect remotely. Information never has to leave the confines of
government services, which cuts down the risk of an employee or consultant
losing a portable data device, Mr. Busseri said.
“It can’t get stolen, it can’t get lost,” he said.
Among the potential security and privacy breaches investigated in 2013 was
one where a financial analyst at Aboriginal Affairs and Northern
Development Canada was accidentally given access to pay details for
employees at Natural Resources Canada. None of the affected employees was
told about the mistake because the “threat of a privacy [breach] is almost
nil,” reads an internal report, after the financial analyst alerted her
superiors about the problem.
“Due to the circumstances, there is no point … to inform the NRCan
employees that their names and pay info have been sent to a third-party
office,” the report says.
Workers were given reminders to be careful in the future, and the case was
“We do a very poor job of authenticating people before we give them access
to data,” Mr. Busseri said. His company has lobbied the government to use
smart-cards for workers to access information: Workers need the card and a
unique password to access data, much like a credit card with a chip needs a
proper PIN to confirm purchases.
Copies of the security incident list and the final reports themselves were
released to Postmedia News under the access to information law. The names
of the employees at the centre of each incident have been redacted from the
In most cases, the department’s investigations list notes that sensitive
government information was never put at risk.