
RE: [WEB SECURITY] what are the rules for SSNs?




GLBA probably has the most teeth when it comes to protecting non-public personal information like SSNs. Fwiw, financial institutions we've worked with in the past seem to realize that GLBA applies as much to insider threats as to outsiders (it is certainly open to interpretation). The FTC site seems to be describing the minimum measures that should be taken.

However, encrypting stored SSNs and other PII is probably not the best option for insider threats. As someone else mentioned, the biggest bang for the buck tends to be effective authentication and access control reinforced by technical security measures. Layering in encryption as a secondary kind of access control isn't as useful as it might seem; even if you encrypt the PII, it'll wind up spending a lot of time in the clear in some form or medium if you have any reason to store it in the first place.

Which isn't to say that encrypting archived PII data, for instance, isn't a fantastic idea. It just isn't necessarily as important as controlling access to the data, encrypted or otherwise. Sure, there are situations like a SQL database serving an internet-facing web site where one could argue that encryption makes more sense due to current technical issues like SQL injection.

Back to the beginning of the thread, IANAL, but it's perfectly legal to store masses of unencrypted SSNs in a database; the GLBA Safeguards Rule would certainly apply, though, if the database belongs to a financial institution.

Note that effectively encrypting 9-digit numbers in a database is tricky in and of itself.

Cheers,
~ol
----------
Oliver Lavery
Security Compass
http://www.securitycompass.com/
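The point above, that access control and least exposure do more for stored SSNs than encryption layered on as a second access control, and that a 9-digit domain is awkward to protect with a plain hash, as an added example that is not from any poster in this thread. The key, roles and customer names are constructed placeholders; a keyed HMAC blind index gives equality lookups without a precomputable table, and the full value is released only to an allow-listed role with an audit record.

```python
import hashlib
import hmac
import re

# Added example, not from the thread. Key and roles are constructed placeholders;
# a real deployment keeps the HMAC key in a KMS/HSM, away from the data it protects.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

def normalize_ssn(ssn: str) -> str:
    """Return the bare 9 digits, rejecting values the SSA never issues."""
    if not SSN_RE.match(ssn):
        raise ValueError("not a 9-digit SSN")
    digits = ssn.replace("-", "")
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
        raise ValueError("structurally invalid SSN")
    return digits

def blind_index(ssn: str, key: bytes) -> str:
    """Keyed equality token for lookups. A plain hash over the 10**9 possible
    SSNs could be tabulated by anyone; HMAC cannot be computed without the key."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()

def mask(ssn: str) -> str:
    """Display form; most business functions never need the full value."""
    return "***-**-" + normalize_ssn(ssn)[-4:]

class SsnStore:
    """Rows addressed by blind index; the full value is released only to allow-listed
    roles, and every reveal (full or masked) is recorded for audit."""
    FULL_VALUE_ROLES = {"fraud_investigator"}

    def __init__(self, key: bytes):
        self._key, self._rows, self.audit = key, {}, []

    def put(self, ssn: str, customer: str) -> str:
        token = blind_index(ssn, self._key)
        self._rows[token] = {"customer": customer, "ssn": normalize_ssn(ssn)}
        return token

    def lookup(self, ssn: str, role: str):
        row = self._rows.get(blind_index(ssn, self._key))
        if row is None:
            return None
        full = role in self.FULL_VALUE_ROLES
        self.audit.append((role, row["customer"], "full" if full else "masked"))
        return {"customer": row["customer"], "ssn": row["ssn"] if full else mask(row["ssn"])}
```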

-----Original Message-----
From: Schmidt, Albert E [mailto:AES@ola.state.md.us]
Sent: Fri 7/11/2008 12:00 PM
To: Johannes B. Ullrich, Ph.D.; Licky Lindsay
Cc: WASC Forum
Subject: RE: [WEB SECURITY] what are the rules for SSNs?
The FTC summary is nice, but it does not address the threat of insiders. It seems to indicate that SSNs only need to be encrypted when they are outside an entity's secured network. I have not seen a network that I would say is 100% secure. Security is best applied in layers. It would be better to encrypt the data while it is in the network than to rely on network security.


________________________________

From: Johannes B. Ullrich, Ph.D. [mailto:jullrich@sans.org]
Sent: Fri 7/11/2008 12:27 PM
To: Licky Lindsay
Cc: WASC Forum
Subject: Re: [WEB SECURITY] what are the rules for SSNs?

The FTC has a summary here:

http://www.ftc.gov/bcp/edu/microsites/idtheft/business/safeguards.html

However, the rules are not as specific as for example PCI.

----- Original Message -----
From: "Licky Lindsay" <noontar@gmail.com>
To: "WASC Forum" <websecurity@webappsec.org>
Sent: Friday, July 11, 2008 9:49:55 AM GMT -05:00 US/Canada Eastern
Subject: [WEB SECURITY] what are the rules for SSNs?

In the U.S., what laws, regulations, standards, etc. control how to handle Social Security numbers?

For example, is it acceptable to store mass numbers of them unencrypted in a database?

Not asking if it's a good idea to do so... asking if it's legal and in compliance with standard practices. Realize those are not the same.

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

Brought to you by http://www.webappsec.org