Evidence Management Data Security and Infrastructure Overview – Part 1
July 21, 2021
Is your agency’s data at risk? In this webinar, we dove into the topic of data security. The focus on protecting sensitive and critical data is greater than ever, a result of growing cyber risks and increasingly stringent data security regulations.
Ben Townsend, the Founder and CEO of Tracker Products, began the conversation by saying, “Today we’re going to talk about data security and infrastructure; the never-ending pursuit of perfection. This is not meant to be an exhaustive overview of data security. I want to give a little bit of information that I think will be good for people to hear. It may help you to think about how you handle data on your end, which either puts your organization in a good position or a bad position as it relates to security.
I’m going to spend time talking about Tracker’s infrastructure because that’s what I’m familiar with. I’m going to use it to explain how we go about doing security in our world. I mean, this is my world: information security and network and web-based systems.
Generally, the single greatest security threat to any organization is you (and me) along with human error and bad practices. When you take any one of those components and begin to put it together, you have a foundation for problems.
I want to give you an example of this because I’m here to talk about information security today. I would like to think that I know a little bit about the topic; it’s what we do as a company. But, it wasn’t very long ago that I was sitting at my work computer and I had a text message on my phone that said it was an alert. It was telling me that the post office had a package for me.
I looked at it and could tell that the link was not right. I have never received a text message from the postal service and every fiber in my being was activated to avoid clicking on that link. But, honestly… I was tempted. Thankfully, I did a little bit of research and found out quickly that this was a new scam.
You’re probably all very aware that text messaging and sending out spam alerts and phishing attacks are happening all the time now. I’m sure you all received election notifications via text messaging, and you were probably wondering, How do these people get my cell phone number?
One of the things I like to do within our company is when these things pop up, I’ll send out an email to everybody in the company as a constant reminder and alert: Hey, you have to be vigilant about things you’re receiving because this right here is how the problems really begin.
To me, one of the greatest security risks in the world is people. Bad practices, when it comes to password management, are a huge problem. Our company uses a product called LastPass. That’s where we store all of our passwords. People are encouraged – if not required, within our company – to be using a different complex password for everything they log into. I probably have 500 different websites that I use, and I have a different complex password for every one of them. The point of doing that is, if any one of those passwords is compromised it doesn’t compromise everything.
There is no doubt that there are people listening to this here today that use the same password for everything they log into. They’re one step away from everything that they log into being compromised. As an example, one of the sites I log into is Wayfair. This program that I use (LastPass) will allow me to generate as long a password as I want. So, if it’s a very sensitive system, I may have a 20-digit password that will be stored and encrypted.”
Ben addressed another security topic: Learning from failures. He said, “What can we learn from known failures? You don’t have to go very far or do many Google searches to find some really bad things out there when it comes to data and security breaches. I’m in the Cincinnati area. It wasn’t very long ago that one of the RMS systems called Pamet, that 20 different departments – including the City of Cincinnati and Hamilton County – were using, lost all their data.
Any security breach is bad, but there’s a difference between somebody gaining access to your data and losing all of your data. So, for 20 departments in and around Cincinnati, they actually got the worst part of it. Pamet was storing all of their data and it is now all gone. Hearing about situations like that really makes you think… What happens if somebody called me and said, We lost your data. It’s gone. It is unrecoverable.
Something that has become really big over the last couple of years is… your data is encrypted remotely by somebody, but instead of trying to delete your data, or stealing it and sending it to somebody else, they encrypt it. And the only way you can get it back is to pay them to un-encrypt it.
There are cities and law enforcement agencies that have been hit by this. And, they may be looking at hundreds of thousands of dollars. Either a) they don’t get their data back or b) they can pay this company (in Bitcoin by the way), and they will give you the un-encrypted key and they immediately have all their data back.
These things are really bad when they hit, because not only are they a publicity nightmare, but it makes them look incompetent.
Some of these threats begin by simply clicking on links in emails or clicking on something that you know you shouldn’t be, but you do it anyway. It opens up a potential Pandora’s Box.
And, if you store sensitive data on a device like a thumb drive, with a single point of failure, it can lose all of your data.
I cannot tell you how many departments I’ve run into where they store all their body cam video on a single USB drive that is sitting out in the open and people have access to it. I mean, somebody can steal that device, but even more likely, that thing fails and you lose all of the data. So anytime you have a device with a single point of failure, you are seriously running the risk of losing everything.
Another really big one is you’re not backing up your sensitive data. More importantly, testing the restore. Going back to that Pamet situation, where 20 organizations lost all their data. Pamet had servers in place with data redundancy and they were doing backups, but guess what? Nobody ever tested the restore of that backup to find out if there was a problem with it. Generally, when things like that go down, there are multiple degrees of incompetence that are coming together at once, creating the situation.
Another thing is… people generally don’t plan for something going wrong. They don’t sit down and ask themselves, What happens if that device fails? Because if they did, they would probably say, Wait a minute, that’s a big problem. Do we want to risk that? Just planning for something to go wrong is incredibly important.
All right, now I’m going to dig into our infrastructure and talk about our software for a minute. The purpose of this is not to promote our product. I try to avoid that when I do these webinars. I’m trying to convey information that I think is important, and sometimes it just happens to be best conveyed with an example from our software. But, what I’m explaining could be applied to any web-based system that is out there. These are things you may need to be aware of so that you can ask the right questions.
As far as Tracker goes… we have security information documents on our website. Most of the organizations that do what we do have a white paper or security document that really digs into all the weeds of what they do. My purpose is to lightly overview the things that are in here and put you in a position to ask good questions with different software vendors you might be considering.
To me, the basis for security is compliance. In 2020, we hired our first compliance manager. I mean, we’re in a world now where law enforcement agencies are becoming far more aware of security threats that can be avoided by adhering to compliance and standards.
So, one of our big pushes in 2020 was to become compliant with SOC2 and CJIS because when an organization is looking at our software, especially if they know what they’re doing, they may have 500 different questions they want to ask. How do you handle corruption? How do your firewalls work? Who has access to all your data? Again, 500 different questions. CJIS compliance is 500 individual standards. So, in the end, we can either answer 500 questions or we could be SOC2 compliant.
Most people are like, Oh, okay. I know what SOC2 compliance means. I know what CJIS is. If you are compliant in that regard, I feel a lot better about working with you.
The next level is simply the infrastructure of where all of this stuff is housed. Infrastructure could be that USB drive that is sitting in your intake evidence room and all of the officers walking in and downloading all their body cam onto it. But that’s only one aspect of infrastructure. Infrastructure can get much larger and much more expansive.
In our case, the infrastructure on Amazon Web Services is a large infrastructure. There is a lot going on in there. It is important to understand some of this infrastructure… Where is your data stored? Who has access to that data? Here’s an image that gives you a very general overview of what the network infrastructure looks like on Amazon.
The most important thing I want to convey is data redundancy in everything. Tracker doesn’t have a single database, where if something goes wrong the whole thing goes down. We have multiple database infrastructures in place. We store media… I mean, we have hundreds and hundreds of clients that are uploading media into our infrastructure. And all of that is stored in Amazon S3.
I’m going to show a really cool statistic about that in Part 2 of this article, but I just want everybody to be aware that our cloud-based infrastructure has multiple layers of redundancy across different regions of a system that the Pamet system did not. So, when it failed, it failed colossally.”