Archive for March 2008

Schneier on the Mind of Security

Today is another travel day for me. As I get ready to leave the civilization of New York state and head back to the cornfields of Illinois I just wanted to point to this article by Bruce Schneier. Here I thought I was unique in that I constantly think about how I could shoplift from stores as soon as I enter and that I immediately look to see where the video cameras are located. I guess I am not a beautiful and unique snowflake after all.

Interesting Discussions on Data Classification

If you are involved with information security at a college or university and have not already, I strongly recommend that you head over to the EDUCAUSE site and sign up for the Security Discussion Group. This discussion group is an excellent source of information and provides an easy way to interact with colleagues from other academic institutions.

A recent discussion on the Security list involves data classifications. There are several different approaches in use; here are a few of them. Northwestern follows a three-container system containing Public, Internal and Legally/Contractually Restricted classifications. The University of Massachusetts recently collapsed a five-container system into a three-container system containing Unclassified, Operational Use Only and Confidential. The University of Massachusetts also takes the stance that all PII falls within the Confidential container.

Gary Dobbins over at Notre Dame warns about the dangers of a “catch-all” middle-of-the-road classification. Instead, he moved Notre Dame from a three-container system to a four-container system containing a “Super-Top-Secret” class, an “Internal” class, a “Sensitive” class and a “Public” class. Gary also warns against a “regulated” class, since the requirements of the various regulations differ too much to be treated as one level.

Dr. Kees Leune is taking a different approach. Instead of relying upon a classification determined by content, he argues that there is a need to define discrete “chunks” of information and then address the needs of these chunks based upon the data owner's needs and uses of the information. Each chunk is then given a rating based upon its required level of Confidentiality, Integrity and Availability.

Out of all of these approaches, my personal preference is closer to that of Gary Dobbins except that I still tend to lean toward a three-container system. I agree with everyone that overly complex classification systems are doomed to failure and a simple, pragmatic approach is best. I also like the approach of Dr. Leune in that there is a need to not only define these classification levels, but to also go out and talk with the data owners about the exact protections their data requires.

There are many more great discussions over on the Security Discussion Group, so head on over and register to become part of the solution.

The Absurdities Of A Swing Set

So I spent a large part of Easter Sunday as well as over 4 hours this morning helping my father build a swing set for my nephew’s upcoming birthday. While I was happy to help, I am still miffed about how long it took us. Sure, the temperature did not help (it was in the low to mid 20s for most of the build) and we didn’t prepare as well as we should have. However, this is not what I am upset over.

The truly aggravating aspect of building the swing set (complete with monkey bars, a fort, a climbing wall, rope ladder and slide) was that nothing was labeled. That's right, a 19 foot long, 7 foot wide wood structure with hundreds and hundreds of bolts, screws, nuts and washers and not one label to be found. While we (eventually) got through everything, there is no excuse for not having things properly labeled. Apparently the company thought that by providing only the bare essentials (the parts and a few pages of pictures) customers should have no problem getting everything going smoothly.

How absurd! Isn’t it? While I was truly annoyed by the lack of assistance through proper labeling, it struck me as very similar to information security directives at many colleges and universities. Too often directives are delivered from “on high” with no clear direction on how to implement them or even the purpose behind them. The result is that, just like my father and I, many departments are left struggling out in the cold for hours with little to no real progress.

The move away from Social Security numbers at most colleges and universities is a great example. Moving from SSNs to an internal student ID is a great move and one that I strongly support and recommend to any college or university. However, generally the only thing that is communicated to the campus is “No more Social Security numbers”. On the surface this is good, but looking deeper there are serious problems.

One of the first problems is what to do about situations where Social Security numbers are still required, such as Federal aid or employment. The organization needs to address how departments should accept, store and transmit SSNs properly given the new edict. The organization also needs to make sure that it has identified every SSN-required function. After all, missing one leaves the organization in the dangerous position where the perception of being SSN-free does not match reality.

Another, much larger problem is that the cry of “No More Social Security numbers” is rarely followed by instructions on what to do with legacy data and systems. Yet failing to address this legacy data is a serious oversight. The data contained in filing cabinets, legacy computer systems and workstation/laptop hard drives will most likely include SSNs, since this was the student identification number used on campus. This data doesn’t know about the No SSN policy, so unless it is actually found and dealt with, it will stay where it is, waiting for a breach before it becomes known.
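The legacy-data problem above is only solvable if you can actually find the SSNs sitting on file shares and old hard drives. The following is an added example of a small discovery scanner, not code from the original post or from any institution named here: it walks a directory tree, matches candidate SSN patterns, and discards values the Social Security Administration never issues (area 000, 666 or 900-999, group 00, serial 0000), which removes most of the noise from phone numbers, dates and placeholder values. The sample files it builds are constructed for the demo; the file suffixes and the separator rules are assumptions you should widen for your own environment (spreadsheets, PDFs and databases need their own extractors).

```python
import re
import tempfile
from pathlib import Path

# Candidate SSN: three digits, optional "-" or " ", two digits, optional "-" or " ", four digits.
# The look-around assertions stop the pattern from matching inside longer digit runs
# (for example the middle of a 10-digit phone number).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never assigns: area 000, 666 or 900-999; group 00; serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> list:
    """Return every plausible SSN in text, normalised to AAA-GG-SSSS form."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return hits


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".log")) -> dict:
    """Walk root and return {relative path: number of plausible SSNs} for files that contain any.

    Only plain-text suffixes are scanned here (an assumption for the demo); binary formats
    would need their own text extraction before being fed to find_ssns().
    """
    results = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        hits = find_ssns(text)
        if hits:
            results[str(path.relative_to(root))] = len(hits)
    return results


def demo() -> dict:
    """Build a small constructed tree of 'legacy' files and scan it (sample data, not real records)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "registrar").mkdir()
        # One real-looking SSN and one with an unissued area number (987 is in the 900-999 range).
        (root / "registrar" / "roster_1999.csv").write_text(
            "name,id\nJane Doe,123-45-6789\nJohn Roe,987654321\n"
        )
        # A phone number and a date: neither should be reported.
        (root / "helpdesk.log").write_text(
            "ticket 4521 phone 555-123-4567 opened 2008-03-25\n"
        )
        # An all-zero placeholder: rejected by the area/group/serial rules.
        (root / "notes.txt").write_text("placeholder 000-00-0000\n")
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, count in sorted(demo().items()):
        print(f"{count:4d}  {rel_path}")
```

Run it as-is to see the constructed demo, or call scan_tree() on a mounted image of a retired workstation to produce a hit list that a department can actually work through. Treat the output as leads rather than proof: the validity rules cut down false positives but cannot tell a genuine SSN from a random nine-digit number that happens to fall in an issued range, so a human still needs to look at each file before it is shredded, encrypted or migrated.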

Reducing the use of Social Security numbers is an excellent move and one I encourage all educational institutions to make. Just make sure that you are actually addressing all instances of Social Security number use on the campus, or else a No SSN policy will do little more than trick the institution into a false sense of security.

Just A Quick Post

I’ve been traveling a bit recently and am now visiting family over the Easter weekend. I plan to get back to posting by Monday, so keep an eye on the RSS feed.

If you are interested, head on over here and take a look at the Poster Session I recently presented at the EDUCAUSE Midwest Regional Conference. The presentation is available in both PDF and MOV format. (Special thanks to Christy Kilgore-Hadley for making this presentation look amazing!)

What Exactly Is The Point?

For the record, please allow me to introduce this concept to those that are not familiar with it: Breach notification letters are completely different from press releases about an incident. Therefore, each needs to be crafted differently.

Breach notifications are intended to alert an individual that their personal information is now in the hands of an unauthorized individual. These notifications tend to follow a similar format: Greet the individual. Introduce the problem. Explain the issues/data lost. Apologize for the event. Offer/Don’t offer credit monitoring for one year. Include phone numbers/web sites/e-mail addresses with more information. Apologize again. Wash. Rinse. Repeat.

Press releases are a different beast and are a way for an organization to give input to the news reports about the incident. Breach press releases generally go into greater detail than a notification: they explain what happened, with or without quotes from the organization, and include information on completed or ongoing investigations. The obligatory high-level apology is included as well as a promise that “changes are being taken to prevent such an event in the future”.

However, some organizations intermix these two formulas with mixed results. Adding breach notification information, such as where to get more information, to press releases? It can work. Adding press release information to breach notifications? This is where I have a problem.

Why? Generally, most organizations want to include the “we are making changes to prevent breaches in the future” tag line in breach notifications. For example, it seems that Duke University’s physics department took this approach in a letter to students over a recent incident. (Note: Duke is not alone in this and is only included as a recent example.) My question to anyone that agrees with this approach is this: What exactly is the point?

How does it help me to learn that the organization is taking steps to protect against future breaches? My data has already been lost. It is out there regardless of whether or not a future breach occurs. Not to be self-centered, but upon first learning that my personal information has been lost, the furthest thing from my mind is the protection of other individuals in the future. So please, please, please stop including this information in the breach notification, I just don’t care. Oh, and as I’ve talked about in the past, don’t tell me there is no evidence of misuse three days after the breach.

I agree that it is a good step for organizations to talk about the changes being made to prevent future breaches. After all, it shows that the breach is a learning opportunity for the organization. Just keep it out of the breach notification, OK?

That Harvard Story Has Got Legs

Back in mid-February, Harvard University suffered a computer breach. Nothing earth shattering in this. After all, over 25 incidents had already occurred at colleges and universities in 2008 before the Harvard incident. Sure, “kaboom73” uploaded the files stolen from the Harvard server to a torrent on Pirate Bay. Then, a month later, Harvard announced that the stolen data contained information on 10,000 applicants.

All of this makes for a juicy story, I’ll admit. You’ve got a big name school, compromised site, mocking messages, p2p, Pirate Bay, thousands of individuals. However, is it “hundreds of news articles in the past week” juicy? Seriously, this story is showing up all over the place: Major news outlets. Local news outlets. Even international news outlets.

I’m still scratching my head over the reason for all the attention. After all, it isn’t the only or even the first web site compromise of 2008. Nor is the Harvard incident the largest of 2008. There have been other internationally-known schools involved in breaches this year. Yet none of these other stories have garnered the news interest that the Harvard story has sparked. I guess the only thing I can say is that the Harvard story has got legs.

EDUCAUSE Midwest Regional Conference

I’ll be at the EDUCAUSE Midwest Regional Conference up in Chicago from Monday through Wednesday morning. I’m presenting a Poster Session on Tuesday from 1:30 - 2:30 on the Seventh Floor of the hotel. If any of you are going to be there, stop on by my table.

ESI Is Working Again

Just a quick note. ESI is back up and working again, no more blank page!
Why Ruin A Strong Message With An Obvious Lie

The state of Illinois has teamed up with the Meth Project to produce a number of unbelievably shocking Public Service Announcements to help combat what appears to be a serious meth problem in the state.

Coming from the era of the “I learned it by watching you!” anti-drug PSAs, I have to say these new-style anti-drug advertisements are incredibly raw. The Meth Project television ads include a young girl in a shower with blood coming out of her future “meth” self and a young boy in a laundromat watching, scared, as his future “meth” self robs the other customers. Intrigued, I decided to visit the Illinois Meth Project web site to check out all the goings on.

The web site itself is exactly what I would have expected from an anti-drug site. I found these two print ads to be even more powerful than the television ads; of course it could just be that I am more familiar with the television ads so their impact is a bit reduced. Then I ran across something that was so obviously a lie it made me question why it was included on the site.

Under the Meth Info section are “Real Stories”, supposedly true-life encounters from either people involved with meth or people with family/friends involved with meth. Why “supposedly”? Everything was going fine until I got to the story titled “I wish I never went to that party with my friend” by a 13 year old female. Here are just a few of the more outrageous parts of this “real” story:

  • The 13 year old and her friend were invited to a “high school party” at the age of 11 and the parents allowed this to happen
  • Friend's brother flew into a rage on the first sampling of meth and attacked his sister
  • Friend killed her parents for meth after becoming an addict at the age of 12 or 13
  • Friend is moments away from death each and every day
  • Apparently Friend was not in jail for killing her parents, and the 13 year old's parents were able to take her to rehab despite having no legal authority to do so
  • Friend was sexually abused by her brother (who, last we knew, was in jail) and ran back into the arms of meth
  • At age 13, Friend had her first meth baby, which she sold for meth; apparently the baby died instantly
  • At age 14, Friend is now pregnant with her second meth baby
  • The 13 year old found out while watching the news that Friend committed suicide to impress her meth dealer
  • Friend's second meth baby was saved and is now in foster care (something that apparently was not offered to the parent-killing, sexually abused, twice pregnant, meth addicted 14 year old Friend)

Yeah, I’m just gonna stop right there. While I haven’t done the appropriate research into this, I’m going to call BS on this “real” story. The inclusion of what is, at the very least, an extreme exaggeration is confusing. The whole point of this site is to show just how addictive and dangerous meth can be. Why include a lie?

Another Brick In The Wall Of Security

Proving that he uses his head for more than just showing off that fantastic mane of hair, David Mortman discusses user awareness training over on Securosis. Go read the post, I’ll wait.

One aspect of the post that I truly enjoyed was the discussion of the financial institution that found that most of the PII data sent offsite was not sent through malicious intent. The reason? From the post:

These security breaches were from unintentional or accidental causes. Not realizing that recipients of the email were not inside the company, or that the file contained PII, were by far the two most common reasons that this sort of data was leaving the company.

In other words, simple employee mistakes causing security headaches. Sound familiar? It should if you are a regular over at Educational Security Incidents. Last year employee mistakes outnumbered external computer and/or network attacks 2:1. In addition, employees accidentally leaking data through web sites, e-mails, trash cans, etc. accounted for more than one third of all security incidents (38%) and ended up exposing a total of 396,000 records, for an average exposure of almost 7,500 records per mistake.

If we take the Ponemon estimate of $197 per record cost, the average employee mistake leading to a security incident last year cost colleges and universities a lot of money. Even taking business costs such as lost business and customer acquisition problems (65%, or $125) out, colleges and universities could still face a cost of $72 per record lost. Using this reduced figure, the average mistake (roughly 7,500 records) can still end up costing an educational institution over half a million dollars. Even if the actual costs end up being only a fraction of this estimate, the cost of employees being unaware of the mistakes they make can still be tens of thousands of dollars.

However, perhaps you are not a fan of ROI/ROSI and see the above as nothing more than a fancy numbers game with no real backing. Fair enough. The fact still remains that one out of every three security incidents at colleges and universities (as reported in the media) was the result of an employee mistake. Of all mistakes, accidentally placing sensitive and/or internal information online was by far the most common, comprising 31 of the 53 unauthorized disclosure-type incidents reported last year.

Misunderstanding of the safety and security of online files is one of the most common reasons for employees placing sensitive and/or internal information online. For example, an internal report containing student information was recently found available to the public through an Ave Maria web site. When asked why this information was placed online, Vice President of Academic Affairs Jack Sites stated he believed the information was only available to those individuals that knew the exact URL. Knowing the URL is not an access control: unlinked pages are routinely found by search engine crawlers, leaked through browser referrers and guessed from predictable file names, so anything served without authentication should be treated as public. Misunderstanding creating a security incident. Misunderstanding that can be easily addressed through security awareness and training programs.

Given all of this, even the most modest reduction in occurrence due to increased awareness of risk would make user awareness training an attractive addition to college and university information security programs.