Archive for June 2008

Document, Drive and Tape Theft Increasing Faster Than Laptop Theft

An article by Andrea Foster titled “Increase in Stolen Laptops Endangers Data Security” will appear in the next issue of The Chronicle of Higher Education. The article outlines the dangers of laptop theft and details a few ways that educational institutions are protecting the data on their laptops. The only problem with the article is that the data I have collected at Educational Security Incidents does not support its premise that stolen laptops have increased recently.

Looking at the information for 2008 so far, there have been 25 Theft type incidents. Of these 25 incidents, 8 were laptop thefts, 6 were desktops, 5 were documents, 3 were drives and 3 were tapes. As the graph below shows, laptop thefts, while the most frequently reported category of stolen equipment, make up only about a third (8 of 25) of all theft incidents.

How does this compare with previous years? Laptop thefts comprised 41% of thefts reported in 2007 and 57% of the thefts reported in 2006.

What stands out in the data is that the total number of laptop thefts in 2006 and 2007 differs by only one incident. The drop in percentage is due to an increase in reports of other types of theft. Most notably, the Drives and Documents categories saw dramatic increases, as shown below.

Comparing the first half of 2008 with full-year totals for 2006 and 2007 is not a fair comparison, so it helps to look at the first half of each year instead. On that basis, reported laptop thefts in the first half of 2008 equal those in the first half of 2007. No increase to speak of. The same can be said for desktop thefts. Document and tape thefts, however, have increased.

The months in which the laptop thefts occurred, shown below, also do not support the idea of a sudden spike in laptop thefts within higher education that might give the perception that they are happening more often in recent months.

Even when looking at the total number of records potentially exposed by these thefts, laptop thefts do not stand out dramatically, especially when compared to desktop thefts. Among the incidents where the number of records is known, laptop and desktop thefts in the first half of 2008 have potentially exposed almost the same number of records. The same can be said of the totals for the two theft types in 2006. In 2007, desktop thefts potentially exposed almost three times as many records as laptop thefts.

Document theft has increased not only in the number of reported incidents but also in the number of records potentially exposed. However, the real standout thus far in 2008 is the increase in backup tape theft and the massive number of records potentially lost on those stolen tapes.

February 2008 Illinois Department of Human Services Security Incident

The Rockford, Illinois Police Department contacted the Rockford Family Community Resource Center (FCRC) on February 29, 2008 after police discovered 12 boxes of FCRC files in the basement of a local residence. According to a May 6, 2008 letter [pdf] from the Illinois Department of Human Services to the Illinois General Assembly, when the DHS Division of Human Capital Development (HCD) was able to access the boxes on March 4, 2008, HCD employees determined that they contained 1,450 customers’ case files. These case files contained names, addresses, Social Security numbers and, “in many cases,” confidential medical information.

One of the residents of the home where the files were found was an HCD employee. The employee was suspended pending the outcome of judicial proceedings. Rockford police discovered the files while investigating the occupants of the residence as part of an unrelated, unspecified investigation.

According to the letter, removing case files from the FCRC was against HCD policy and DHS Administrative Directives, as well as an FCRC directive that all boxes being removed from the office be examined. In response to this incident, no boxes may be brought into or taken out of the FCRC office, and security staff will begin searching duffel bags, book bags and the like as staff leave the office.

[This letter was obtained through a FOIA request to the State of Illinois]

Asleep at the wheel

So I had planned on doing a response to the CISSP Dead/Not Dead debate. However, I see no need now when I can just as easily point you to the amazing discussion going on over at the Security Catalyst Community on this topic. In the time it took me to put my thoughts together, this forum discussion has taken off. If you found yourself interested in the posts by Dre, Allen, or Kevin, head over to the forum post.

Registration is required if you are not an SCC member already, but it is free and gives you access to a lot of great content.

Speaking of Sales Pitches

So last week I commented on Alan Shimel’s post about the “security sales conundrum“. Alan responded in a comment asking me what my thoughts were on fixing this problem. I’ve been thinking about this problem. After all, what is the best way to pitch new and existing customers or at least make them aware of new products that might meet their needs?

While I’ve been thinking this over, I received an interesting sales pitch last night. I received a package at home (even though the package was addressed to my office). Inside was a t-shirt and coffee cup from Lancope. Accompanying the swag was a letter inviting me to participate in a free webinar detailing how Lancope was able to help a university gain better visibility into their network. The package also included some marketing material that was targeted at universities.

While it was odd to receive a 3 pound package I was not expecting (I kept wondering if I had made any enemies lately that might wish me harm), I am happy to see this type of marketing by Lancope. No, I’m not talking about the t-shirt and cup. I’m talking about knowing the industry in which I work. While I may not be interested in the product, I guarantee I will at least look over the material if you show me you understand the issues I am dealing with.

A few other thoughts on sales pitches:

  • Please don’t pitch me a product my organization already purchases from your company (this happens more than you would think)
  • Engage me on the phone, ask about any current projects where your product might help. If there aren’t any, don’t keep pitching me.
  • I don’t mind phone calls, but I would prefer e-mail. I don’t mind reading over sales material, but I want to do it on my time.
  • Understand the limitations that I am under. Public institutions have purchasing regulations. Be aware before you contact me.
  • I’ll talk to you but I’d prefer to talk to another educational institution. Personally, I’m a sucker for case studies.

That’s about it for today I think… now back to my regularly scheduled morning coffee.

The State of Security Sales Calls

Alan Shimel over at (big, big breath here) Still Secure, After All These Years (and exhale) has a post about a particular annoyance of mine: overeager, overzealous security salespeople. While I’ve only been with my current company for a year, it didn’t take long for the sales calls to start rolling in. And roll in they have.

It is getting to the point where, like many security pros out there, I let telephone calls from odd area codes and external numbers go to voice mail. Alas, this doesn’t always save me. Some vendors call the main office or the main switchboard and ask to be transferred or put through.

There is even one vendor (I’m assuming it’s a vendor, since I never answer) that calls at least twice a day. Now the calls, while a bit excessive, can be understood. What is inexcusable is that the caller doesn’t hang up during my voice mail greeting. Instead the caller leaves 1-2 second blank voice mails, causing my VM light to turn on and the message waiting sound to start chiming away happily… Oh, to get a few moments alone with this thoughtful and persistent caller.

However, none of this compares to the extreme annoyance of companies not returning phone calls or e-mail messages inquiring about their products. We’ve all dealt with it. A company you were not interested in won’t leave you alone, yet a bit later that same company ignores your inquiries when you are interested. It leads one to believe that there is something horribly wrong with the world when companies you will not give money never leave you alone, while companies you want to give money don’t seem to care.

Or perhaps it is something a bit worse. Perhaps these sales individuals are told to pitch X number of individuals per day/hour/month/week/etc. Perhaps the individuals you want to give money are too busy pitching others. Not because there is a better chance for a sale with these other potential customers, but because the company has outdated or, at the very least, broken sales procedures. Perhaps I have no idea what I am talking about.

One thing that I do know is that it is heartening to see companies like StillSecure reaching out to their customers to see how the company can address the problem many of us have with sales calls.

Adam On… is back up and working

Okay so after a very long period being down I am happy to report that Adam On is back up and running. I want to assure all of my 2 loyal viewers (Hi Mom and Dad!) that the problem was very involved and in no way was as simple as forgetting to properly set the permissions to the new theme… You buying that?

Anyway, to celebrate the return of the blog I wanted to point out a new post I have over at the Security Catalyst blog. I am fortunate enough to have Michael Santarcangelo take some pity on me and agree to post some of my more coherent delusions. I should be posting over at Security Catalyst on a monthly basis, and I will get back to updating this site much more frequently.

If you’ll now excuse me I think I’m going to go hide from the shame of how easy the fix was and how looooooooong it took me to figure out.