Keka, a 7zip compression AND encryption utility for Mac OS X+
- Use 7zip to compress and encrypt (using a password) your files, either individually or en masse (like a folder). 7zip employs AES-256 encryption for its password security (of course, you have to have a tough-to-crack password).
Consider this piece of information: 7-Zip also supports encryption with AES-256 algorithm. This algorithm uses cipher key with length of 256 bits. To create that key 7-Zip uses derivation function based on SHA-256 hash algorithm. A key derivation function produces a derived key from text password defined by user. For increasing the cost of exhaustive search for passwords 7-Zip uses big number of iterations to produce cipher key from text password. (Read Source)
Here are some specific suggestions for 7zip programs (all free, open source):
- On Windows, use the 7zip.org compression tool.
- On Macintosh, use Keka, a wonderfully “new” 7zip tool for Macintosh that should replace your compression utilities.
- Use TrueCrypt.org to create a “locked” box of any size you wish. Into this locked box, you can place sensitive files and protect them. This works for Windows, Macintosh and Linux.
- Give AESCrypt.com a try. This is my favorite solution for quickly encrypting files, especially on Windows since it has right-click possibilities. Unfortunately, you will have to use the command line on Linux and Mac…as such, Mac users clinging to their precious GUI 😉 may want to stick with Keka or TrueCrypt.
How do you handle principals who back up ALL their work data to an external USB drive and take it home, without really giving thought to the fact that they are storing confidential data unencrypted on that drive?
In one school district I happened to work in, securing confidential data was a PowerPoint presentation like the following one embedded in a Moodle course management system. Is such a presentation sufficient? You be the judge. In the meantime, what has YOUR district/school done?
Some quick facts that have only gotten worse with time:
- More than 600,000 laptop thefts occurred in 2004, totaling an estimated $720 million in losses and an estimated $5.4 billion in theft of proprietary information. **Source**: Safeware Insurance, 2004
- 73% of companies do not have specific security policies for their laptop computers. **Source**: Gartner Group, 2003
- Informal surveys show that thieves are intent on selling the data in 10 to 15 percent of laptop thefts. **Source**: Securityfocus.com, 07/30/2001
- 97% of stolen computers are never recovered. **Source**: FBI
- According to 2003 statistics, Texas ranks fourth per capita among all states for identity theft with about 93 of every 100,000 Texans being a victim. More than 20,000 Texans were victimized in 2003. **Source**: Texas ID Theft Statistics, 2003
- Name, address and birth date. This information can be used in combination with other data to impersonate you.
- Documents with social security numbers in them.
- Documents with credit card numbers, bank account information, etc.
- Any information that might be considered confidential. This can be your spouse or child’s medical information, house insurance, etc.
- FERPA data – Not sure what that is? Read this blog entry on the subject.
- Move all confidential data files into a common folder.
- Use one of the aforementioned 7zip compression options to create ONE compressed AND encrypted file with the confidential data.
- Make a backup of the compressed, encrypted file to an external USB drive (e.g. 120 GB or PenDrive, etc.). Include a copy of the program you did the encryption with.
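The three steps above as shell functions for Mac or Linux, added here as an example and not part of the original post. It assumes the `7z` command-line tool is installed; the folder, archive and drive paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the 7z CLI is installed;
# every path passed in is a placeholder chosen by the reader.

# Print the SHA-256 digest of a file (sha256sum on Linux, shasum on macOS).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# encrypt_folder SRC_DIR ARCHIVE
# Packs SRC_DIR into ONE AES-256 encrypted archive. -mhe=on also encrypts the
# file names; a bare -p makes 7z prompt, keeping the password out of history.
encrypt_folder() {
    src=$1; archive=$2
    [ -d "$src" ] || { echo "no such folder: $src" >&2; return 2; }
    [ ! -e "$archive" ] || { echo "refusing to overwrite $archive" >&2; return 3; }
    command -v 7z >/dev/null 2>&1 || { echo "7z is not installed" >&2; return 4; }
    7z a -t7z -mhe=on -p "$archive" "$src" || return 1
    # Test-extract (7z prompts again) to confirm the archive opens with the
    # password you remember before it is relied on as the backup.
    7z t "$archive"
}

# backup_archive ARCHIVE DEST_DIR [INSTALLER]
# Copies the archive (and optionally the installer of the tool that made it)
# to the external drive, then compares digests to catch a truncated copy.
backup_archive() {
    archive=$1; dest=$2; installer=${3:-}
    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 2; }
    [ -d "$dest" ] || { echo "drive not mounted at $dest" >&2; return 3; }
    cp "$archive" "$dest/" || return 1
    if [ -n "$installer" ]; then cp "$installer" "$dest/" || return 1; fi
    want=$(sha256 "$archive")
    got=$(sha256 "$dest/$(basename "$archive")")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Usage:
#   encrypt_folder "$HOME/Confidential" "$HOME/confidential.7z" &&
#   backup_archive "$HOME/confidential.7z" /Volumes/BACKUP
```

Once the archive is verified on the drive, the unencrypted originals in the common folder are still on the computer and remain the exposed copy until they are removed or moved into encrypted storage.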
Some other tips are included in this blog entry for school administrators.
2) What response plan does your District have in place to deal with a data breach?
Your response to this question really depends on whether you’ve answered question #1 well. For example, did you know that if data is encrypted, even if the storage device it’s on is stolen, you are not required to report that confidential data was on the device? Think of the embarrassment this would save your organization!
Again, if your laptop’s confidential data is encrypted, you report the theft of the laptop, but not the loss of data. That’s because the data is encrypted…note that passwording a computer via its BIOS or screensaver isn’t sufficient.
But what happens if the worst has happened and the lost data was not encrypted? Move quickly to notify affected individuals. Some steps recommended by this government web site:
- Notify law enforcement.
- Notify affected businesses such as banks and credit issuers.
- Develop a strategy that will provide affected individuals protection through Equifax, Experian, TransUnion.
- Notify individuals affected in concert with law enforcement, designating an organization contact person and setting up a web site with frequently asked questions (FAQ).
MODEL LETTER FOR THE COMPROMISE OF SOCIAL SECURITY NUMBERS
We are contacting you about a potential problem involving identity theft.
[Describe the information compromise and how you are responding to it.]
We recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. Call any one of the three major credit bureaus. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. All three credit reports will be sent to you, free of charge, for your review.
Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Victim information sometimes is held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly.
If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call [insert contact information for law enforcement] and file a police report. Get a copy of the report; many creditors want the information it contains to absolve you of the fraudulent debts. You also should file a complaint with the FTC at http://www.ftc.gov/idtheft or at 1-877-ID-THEFT (877-438-4338). Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations.
We have enclosed a copy of Take Charge: Fighting Back Against Identity Theft, a comprehensive guide from the FTC to help you guard against and deal with identity theft.