Adam On…

Adam Shostack has a very interesting post about the decision by Maryland to post the state’s Information Security Breach Notices online. New Hampshire also joins Maryland in placing Notices of Security Breach online for everyone to access.

What is interesting about the Maryland posts, as pointed out by Adam, is that Maryland also includes the case ID in the online list. The inclusion of a unique identifier for each breach listed is a possible way to cross-correlate breaches between various tacking sites such as Attrition.org, Pogo Was Right, SSNBreach.org, ID Theft Resource Center, PRC, Chris Walsh’s Data Breach Primacy Sources, ESI, etc. Adam brings up an excellent point in that a common identification system (much like CVE) which would allow everyone to see what breaches are being discussed where and which breaches are not.

Personally, I fully support this idea. Part of my “routine” when preparing the ESI YiR is to visit all of the sites listed above and search for breaches that I may have missed during the year. As much as I strive to stay on top of breaches within higher education, I will miss a few. This last sanity check on my list of breaches helps me to make a best effort to include as many publicized breaches as possible. A common identification system would definitly cut down on the time it takes to review the other sites.

So to start things off, let me pose this question: What do “we” need to start things moving towards a CBE of sorts?

A few quick thoughts would be:

• A common lexicon for classification of breach type as well as data lost/expose
• A way to allow state’s and/or organizations to submit their own submissions
• A central group responsible for reviewing/verifying CBE submissions

A call on anyone interested in this topic to start thinking about this. Let’s get the discussion rolling…

An article by Andrea Foster titled “Increase in Stolen Laptops Endangers Data Security” will be appearing in the next issue of The Chronicle of Higher Education. The article outlines the dangers of laptop theft and details a few ways that other educational institutions are protecting data on laptops. The only problem with this article is that the data I have collected at Educational Security Incidents does not support the assumption that there has been an increase in stolen laptops recently.

Looking at the information from 2008, there have been 25 Theft type incidents. Of these 25 incidents, 8 were laptop thefts, 6 were desktops, 5 were documents, 3 were drives and 3 were tapes. As shown in the graph below, the laptop thefts, while the most often equipment reported as stolen, only comprises roughly 1/3 of all theft incidents.

How does this compare with previous years? Laptop thefts comprised 41% of thefts reported in 2007 and 57% of the thefts reported in 2006.

The interesting occurrence when looking at the data is that the number of total laptop thefts for 2007 and 2006 only differ by one incident. The decrease in percentage is due to the increased number of reports of the theft of other equipment types. Most notably equipment types such as Drives and Documents saw dramatic increases as shown below.

Unfortunately, it is not helpful to compare data from the first half of 2008 to that of all of 2006 and 2007. Looking at the first half of each year the data shows that reported laptop theft in the first half 2008 equals that of 2007. No increase to speak of. The same can be said for desktop thefts. However, there has been an increase in document and tape thefts.

The month in which the laptop thefts occur, as shown below, do not support the idea that there has been a sudden increase in laptop thefts within higher education which might give the perception that laptop thefts are occurring more often in the recent months.

Even when looking at the total number of records potentially exposed by these thefts, laptop thefts do not stand out dramatically, especially when compared to the desktop theft type incidents. When looking at those incidents where the number of records is known, laptop and desktop thefts in the first half of 2008 have potentially exposed almost the same number of records. The same can be said for the total counts for the two theft types in 2006. In 2007, desktops potentially exposed almost 3 times as many records.

Document theft has not only increased in the number of reported incidents by also the number of potential records exposed. However the real stand out thus far in 2008 is increase in backup tape theft and the massive potential loss of records by these stolen tapes.

The Rockford Illinois Policie Department contacted the Rockford Family Community Resource Center (FCRC) on February 29, 2008 after the police discovered 12 boxes of FCRC files in the basement of a local residence. According to a May 6, 2008 letter [pdf] from the Illinois Department of Human Services to the Illionis General Assembly, when DHS Dision of Human Capital Development (HCD) was able to access these boxes on March 4, 2008 HCD employees determined the boxes contained 1450 customers’ case files. These case files contained names, addresses, Social Security numbers and “in many cases” confidential medical information.

One of the residents in the home where the files were found was an HCD employee. This employee was suspended pending judicial judgement. Rockford police discovered the files while investigating the occupants of the residence as part of an unspecified investigation.

According to the letter, removing case files from the FCRC was against HCD policy and DHS Administrative Directives as well as an FCRC directive that all boxes being removed from the office be examined. In response to this incident, no boxes can be brought in or taken from the FCRC office and security staff will begin searching all duffel bags, book bags, etc as staff leave the office.

[This letter was obtained through a FOIA request with the State of Illinois]

So I had planned on doing a response to the CISSP Dead/Not Dead debate. However, I see no need now when I can just as easily point you to the amazing discussion going on over at the Security Catalyst Community on this topic. In the time it took me to put my thoughts together, this forum discussion has taken off. If you found yourself interested in the posts by Dre, Allen, or Kevin, head over to the forum post.

Registration is required if you are not an SCC member already, but it is free and gives you access to a lot of great content.

So last week I commented on Alan Shimel’s post about the “security sales conundrum“. Alan responded in a comment asking me what my thoughts were on fixing this problem. I’ve been thinking about this problem. After all, what is the best way to pitch new and existing customers or at least make them aware of new products that might meet their needs?

While I’ve been thinking this over, I received an interesting sales pitch last night. I received a package at home (even though the package was addressed to my office). Inside was a t-shirt and coffee cup from Lancope. Accompanying the swag was a letter inviting me to participate in a free webinar detailing how Lancope was able to help a university gain better visibility into their network. The package also included some marketing material that was targeted at universities.

While it was odd to receive a 3 pound package I was not expecting (I kept wondering if I had made any enemies lately that might wish me harm), I am happy to see this type of marketing my Lancope. No, I’m not talking about the t-shirt and cup. I’m talking about knowing the industry in which I work. While I may not be interested in the product, I guarantee I will at least look over the material if you show me you understand the issues that I am dealing with.

A few other thoughts on sales pitches:

• Please don’t pitch me a product my organization already purchases from your company (this happens more then you would think)
• Engage me on the phone, ask about any current projects where your product might help. If there are not any, don’t keep pitching me.
• I don’t mind phone calls, but I would prefer e-mail. I don’t mind reading over sales material, but I want to do it on my time.
• Understand the limitations that I am under. Public institutions have purchasing regulations. Be aware before you contact me.
• I’ll talk to you but I’d prefer to talk to another educational institution. Personally, I’m a sucker for case studies.

That’s about it for today I think… now back to my regularly scheduled morning coffee.

Alan Shimel over at (big, big breath here) Still Secure, After All These Years (and exhale) has a post about a particular annoyance of mine, overeager, overzealous security sales individuals. While I’ve only been with my current company for a year, it didn’t take the sales calls to start rolling in. And roll in they have.

It is getting to the point where, like many security pros out there, I allow telephone calls from odd area codes/external numbers to go to voice mail. Alas, this doesn’t always save me. There are some vendors that call the main office and ask to be transferred. There are some vendors that call the main switchboard and ask to be put through.

There is even one vendor (I’m assuming since I never answer) that calls at least twice a day. Now the calls, while a bit excessive, can be understood. However, what is inexcusable is that the caller doesn’t hang up during my voice mail greeting. Instead the caller leaves 1-2 second blank voice mails causing my VM light to turn on and the message waiting sound to start chiming away happily… Oh to get a few moments alone with this thoughtful and persistent caller.

However, none of this compairs to the extreme annoyance of companies not returning phone calls or e-mail messages inquiring after products. We’ve all dealt with it. A company you were not interested in won’t leave you alone yet a bit later that same company ignores your inquiries when you are interested. It leads one to believe that there is something horribly wrong with the world when companies you will not give money never leave you alone, while companies you want to give money don’t seem to care.

Or perhaps it is something a bit worse. Perhaps these sales individuals are told to pitch X number of individuals per day/hour/month/week/etc. Perhaps the individuals you want to give money are too busy pitching others. Not because there is a better chance for a sale with these other potential customers, but because the company has outdated or, at the very least, broken sales procedures. Perhaps I have no idea what I am talking about.

One thing that I do know is that it is heartening to see companies like StillSecure reaching out to their customers and see how the company can attempt to address the problem many of us have with sales calls.

Okay so after a very long period being down I am happy to report that Adam On is back up and running. I want to assure all of my 2 loyal viewers (Hi Mom and Dad!) that the problem was very involved and in no way was as simple as forgetting to properly set the permissions to the new theme… You buying that?

Anyway to celebrate the return of the blog I wanted to point out a new post I have over at the Security Catalyst blog. I am fortunate enough to have Micheal Santarcangelo take some pity on me and agree to post some of my more coherent dilusions. I should post over at Security Catlayst on a monthly basis and I will get back to updating this site on a much more frequent basis.

If you’ll now excuse me I think I’m going to go hide from the shame of how easy the fix was and how looooooooong it took me to figure out.

Over the past week there has been much talk by a group of Chinese hackers about attacking CNN web sites as part of a protest of what the group claims has been anti-China news coverage by CNN. The Dark Visitor site (where I presonally became aware of this whole incident) has done a great job of covering the whole saga.

After calling off the attack after attack details became public, it seems that the group decided to go through with the attack after all. Offering words of encouragement and automated tools for those without the technical skills for manual attacks, the group launched an attack that appeared to be successful. Even now sites like sports.si.cnn.com remain offline causing individuals to boast about the success of the attack on sites such as twitter.

Yet, there is one small problem. The site attacked, the “Sports Network” is not part of the CNN/SI family of sites. Instead the Sports Network is a privately held Pennsylvania company that has been taken offline by these attacks. As of this writing the web site for the Sports Network still displays a note about the attack and that the Sports Network is working to get everything back up and running.

This was an odd story to watch unfold and I wish the best of luck to the staff over at the Sports Network in getting everything back online and avoiding future attacks.

Why I love the Internet, Reason #2:

You Never Know What You Will Find

The ability to follow your train of thought on the Internet is amazing. I can, and often do, jump from topic to topic to topic as different web sites trigger different memories. During these journeys, I often run across some amazing stuff that without the Internet I would never have found. I had one of these journeys as recently as last night.

For some odd reason I started thinking about Dungeons and Dragons and wanted to find some fan fiction I remember reading years and years ago. Yep, you read that right. I played D&D, I have read fan fiction, and I did indeed spend my Friday night alone, searching for D&D fan fiction online. Hello, my name is Adam and I am a geek.

Anyway this D&D fan fiction quest lead to me trying to remember the names of the different AD&D realms I used to play (Dragonlance, Forgotten Realms and Dark Sun for anyone interested). Remembering the different realms had me looking up all of the fantasy authors I used to love reading such as Weis and Hickman (I was a super fanboy not only the Dragonlance chronicles but also the Rose of the Prophet, Darksword and Death Gate Cycle series)  as well as Ed Greenwood. 

Then I came across “What It’s Like to Play D&D“ by Roger M. Wilcox and I was again reminded of why I loved the Internet. This essay is quite funny and I urge anyone who still plays or used to play some D&D go read it.

The ability to go from looking up information on Forgotten Realm fan fiction, to reminiscing about some great book I’ve read, to discovering a humorous essay on D&D in an easy, smooth manner is another reason that I love the Internet.

Oh, the many ways that organizational information can be lost. Insiders, outsiders, mistakes, malicious actions, theft, loss, the list seems to going on and on. Yet, one area that tends to be overlooked quite often is contracted third-parties. However, as several colleges and universities have found out recently, third-party actions can have serious consequences for the campus community.

What am I talking about? Well, thus far in April several institutions have had confidential information lost and/or stolen from a trusted third-party. The University of Miami notified 47,000 patients after backup tapes were stolen from an off-site storage company. Northwest Missouri State University, Buffalo State College and four Connecticut State University System campuses have had to alert 1,100, 16,000 and 3,400 students respectively after a laptop belonging to a vendor was stolen.

As show above, as well as at the end of a previous post, third-party loss of college/university information is not unknown within higher education. As more and more educational institutions reach out to third-party companies for support and development, more internal information will be traveling outside of the institution’s control. Colleges and universities should start looking at ways to control this risk by placing control requirements into vendor agreements.

Some of the controls that should be considered are time limits on how long the information can be stored by the vendor, limitations on how many vendor employees and/or copies of the data can exists, as well as controls on data protection such as requiring encryption on portable equipment. One of my personal favorites is to ask vendors for a copy of internal security control procedures/policies as well as asking about what employee (at the vendor) is responsible for the safety and security of the information they are requesting.

We need to stop blinding trusting our vendors and make sure that they have controls in place to properly handle an incident and minimize the effects of a data breach/loss/theft when it occurs. After all, it is not a question of if by when such an event will happen to your institution.