A Light At The End Of The Tunnel?

Reading this blog one might get the impression that I do not hold educational institutions in high regard with respect to information security. However, nothing could be further from the truth. The reason I write about higher education on this site and track security incidents over at ESI is that I believe that these efforts (mostly ESI) will help educational institutions. I have dedicated most of my professional life to working in higher education and I want nothing more than to see this industry succeed.

This desire to see the industry succeed is why I am excited to see the manner in which Ohio University is handling the aftermath of the university’s breach back in 2006. Instead of remaining silent about this unfortunate incident, Ohio University is speaking out about what happened and what the university has learned from the incident. In a recent article in the Chronicle Of Higher Education (subscription required), Ohio University president Roderick McDavis describes the incident from the inside.

This is a great article and hopefully those reading this have access to the Chronicle. If not, The Athens Messenger has an overview of the article, but I feel it misses several key points. These key points include that “We don’t think” is not a good enough answer when determining whether systems are at risk, that the university IT department (like many college/university IT departments) “was significantly understaffed and that its future performance was not sustainable without further investment”, and that the outsourcing arrangement the university had been relying on was not a good option for the future.

However, I will say that the overview does capture the best point of the article: “Share information openly - both positive and negative.” Perhaps there is a light at the end of the tunnel after all.

Want to hear more about the Ohio University incident? Ohio University will be talking about this incident at the upcoming EDUCAUSE Security Professionals Conference during a preconference seminar titled “The Lifecycle of a Security Breach”. If you are going to the conference but not attending the preconference events, you can still learn about the breach at the “Keeping the Skillet Hot: Managing Security Between the Breaches” session, where I have the pleasure of being on a panel with Matthew Dalton of Ohio University and Jack McCoy of the University of Colorado System.

We Need A Better Solution

Anyone that has attended a security training at my organization knows that I hate passwords. Why, you might ask? It is simple. Passwords are a pain! Just take a look at my daily password entry:

  • Password #1: Log into my personal laptop in the morning
  • Password #2: Log into personal e-mail account
  • Password #3: Log into ESI web site, check logs/stats and update if needed
  • Password #4: Log into AdamOn, check logs/stats and update if needed
  • Password #5: Log into FeedBurner and check stats
  • Password #6: Log into work computer
  • Password #7: Log into work e-mail
  • Password #8: Open encrypted disk at work

Yup, that’s right, I type in 8 different passwords before 8am in the morning! Is it any wonder I hate passwords? Oh, and each of these passwords is different from the others. This is a typical morning for me and does not require that I sign into other services such as IM or Twitter or any of my servers. (Doing so can add up to 5 more unique passwords to my daily log on procedures.)

Each day I face a growing contempt for these passwords. They are in my way, preventing me from doing my job in the most efficient manner possible. It is no wonder that people write down passwords, use similar/the same passwords over and over again and use applications to store passwords. Passwords just suck!

It might sound strange to some people that a security professional doesn’t like passwords, but I am not alone. Dr. M.E. Kabay, CTO of the School of Graduate Studies at Norwich University and Program Director for the university’s Masters of Science in Information Assurance, has an excellent set of articles over at Network World about passwords.

The bottom line is that we need a better solution.

Getting Excited About Technology

It’s no secret that I love technology. Yet, this obsession has lessened over the past few years. For some reason I just couldn’t make myself get excited over minor improvements in power consumption or the inevitable increase in processing power. This has all changed, however, thanks to a couple of new pieces of technology that are in the pipeline.

What are these wondrous creations that have me all atwitter?

The first is OCZ’s Neural Impulse Actuator. The ability to control my computer using only my brain, eyes and facial muscles? Hell yes! Even if the NIA only works half as well as advertised I’m going to be picking one up.

The second piece of technology that has reduced me to fanboy mentality is Brother Industries’ Head-mountable Retinal Scanning Technology. I have been a fan of head-mounted displays for years and I can barely contain my joy over the possibility of using this product. I can’t wait to pick up either of these devices and give them a whirl.

‘Tis A Sad, Sad Day

Update: Looks like this was a belated April Fools joke and I fell for it. Great job! Now excuse me while I wipe the egg off my face…

Today is a solemn and sad day over at AdamDodge.com. Attrition.org announced today that it is no longer going to be updating the DLDOS site or the DLDOS feed. I completely understand the reasoning behind this move. I have noticed for a while now certain for-profit outfits using the ESI feed for their services, so I can only imagine the type of outright theft and plagiarism that sites like Attrition.org and PogoWasRight.org deal with. (Dissent over at PogoWasRight.org has a great post up about this whole situation.)

One of the first decisions I made with ESI was to ensure that I not only gave credit to the news source where I pulled the Abstract, but that I also gave a nod to the site where I found the news story. If I found it on my own, I list ESI as the source. However, if I find it on a site like Attrition.org or PogoWasRight.org I make damn sure I give them the credit. I run a breach disclosure web site so I understand how much time it takes to find and catalog these incidents.

The fact that companies and organizations out there feel the need to steal and repackage work done by others without attributing credit is a despicable practice and I urge anyone that uses such a service to reconsider the fact that you are paying for content that A) is being delivered through unethical and possibly illegal means and B) is most likely available from the original source for free.

I too understand the pressure to ensure that posts are mistake free. I have made a number of mistakes on ESI and I always feel horrible when I discover them. I always make sure to update the story to not only correct the mistake but to also point out that I did make a mistake. Given the lack of ethics the vultures that rip my content without permission and/or attribution display, I often worry that they never bother to correct these mistakes. So for everyone using these services who is not worried about ethics or the fact that they are paying for content that is freely available elsewhere, consider the fact that you may be paying for information that is not correct.

I want to thank Attrition.org for the hard work in running this amazing resource. I know that I for one will greatly miss the DLDOS.

A Blow To My Ego

Symantec’s Global Internet Security Threat Report was released recently. Can anyone guess what sector represented the “highest number of known data breaches that could lead to identity theft”? (If you’ve already seen the report, Shhhhh!)

With 24% of the total for the second half of 2007 (drum roll, please) Education topped the list! The good news: 24% is down from the “30% of the total” Education received in the previous report. The bad news: Education was the top ranked sector then as well.

Given that ESI has seen an increase in breaches thus far in 2008 (a trend mirrored industry-wide according to the Identity Theft Resource Center), it appears that Education will unfortunately top the next Global Internet Security Threat Report as well.

However, this is not the biggest news from the report. With the average identity netting criminals $1-$15, apparently I’m not even worth as much as the pizza I ordered for dinner the other night!

How Insider Threat Is Born

The LA Times has a great article on the recent UCLA medical records breach. In the article, the woman accused of illegally accessing over 61 medical records, Lawanda Jackson, gives a reason for her snooping. What was the reasoning behind Lawanda Jackson’s actions? Was it a diabolical plot to destroy the place where Jackson has worked for over 30 years? Nope. Was Jackson just looking to score some quick cash selling dirt on celebrities? While such claims have been made, there is no proof of this (plus almost half of the records Jackson accessed did not belong to celebrities).

What possible reason could Jackson have had then if it wasn’t malicious intent?!? Simple, Jackson was prompted by nothing more than curiosity. According to statements made to the LA Times, Jackson would see a news story and wonder if the people involved came to the UCLA medical center. To quote Jackson from the story, “There was no intent to do anything bad.” Welcome to how insider threat is born.

Insiders are not always angry or disgruntled employees seeking to get even with their employer. Nor are insiders money-grabbing opportunists looking to make a quick buck at the expense of their employer. Instead, most insiders are individuals that generally enjoy what they do and where they do it. Above all, insiders are human.

Why does the fact that employees are human matter when it comes to insiders and the threat they pose to information security? It is important to always understand that your employees (i.e., insiders) are people and as such have all the failings of people. Some are lazy, some are manipulative, some are mean while others are nice. Above all, many are curious.

This curiosity can easily lead to security incidents if the organization does not take the necessary steps to restrict access to what each role actually needs and to review the access that does occur. It is no longer enough for information security professionals to protect our organizations’ infrastructure from external attackers; we need to start thinking about how to protect our organizations’ data from unauthorized access or disclosure by our own employees.
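One concrete way to act on that last point is to review who looked at which record against who was actually supposed to. The following is an added example written for this page, not code from the original post or from UCLA; the audit-log format, the care-team roster, the `break-glass` reason code and the alert threshold are all assumptions constructed for illustration. It sorts each chart access into “assigned”, “break-glass” (permitted but must be justified afterwards) and “unassigned with no reason given”, which is exactly the curiosity pattern described above, and opens a review ticket for any user who racks up enough of the latter.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    patient: str
    reason: str


# Constructed sample audit log (hypothetical format): timestamp,user,patient,reason
SAMPLE_LOG = """\
2008-04-01T08:01:00,nurse01,P100,treatment
2008-04-01T08:05:00,nurse01,P101,treatment
2008-04-01T09:10:00,clerk07,P250,none
2008-04-01T09:11:00,clerk07,P251,none
2008-04-01T09:12:00,clerk07,P252,none
2008-04-01T12:00:00,dr_lee,P300,break-glass
2008-04-01T13:30:00,nurse01,P400,none
"""

# Constructed care-team roster: which patients each user is assigned to.
# A billing clerk has no clinical assignments at all.
CARE_TEAM = {
    "nurse01": {"P100", "P101"},
    "dr_lee": {"P301"},
    "clerk07": set(),
}

# Assumption for this example: three or more unassigned views in a day by
# one user is enough to open a review ticket.
ALERT_THRESHOLD = 3


def parse_log(text):
    """Parse the comma-separated audit log into Access records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, patient, reason = line.split(",")
        records.append(Access(ts, user, patient, reason))
    return records


def review(records, roster, threshold=ALERT_THRESHOLD):
    """Sort accesses into buckets and flag heavy unassigned viewers.

    assigned:    user is on the patient's care team (expected, not reported)
    break_glass: user was not assigned but invoked the emergency override;
                 allowed, but each one needs an after-the-fact justification
    unassigned:  user was not assigned and gave no override reason

    Returns (unassigned, break_glass, heavy_users); heavy_users lists the
    users whose unassigned count reached the threshold.
    """
    unassigned, break_glass = [], []
    for rec in records:
        if rec.patient in roster.get(rec.user, set()):
            continue  # legitimate treatment relationship
        if rec.reason == "break-glass":
            break_glass.append(rec)
        else:
            unassigned.append(rec)
    counts = Counter(rec.user for rec in unassigned)
    heavy_users = sorted(u for u, n in counts.items() if n >= threshold)
    return unassigned, break_glass, heavy_users


if __name__ == "__main__":
    unassigned, break_glass, heavy = review(parse_log(SAMPLE_LOG), CARE_TEAM)
    for rec in unassigned:
        print(f"UNASSIGNED  {rec.ts} {rec.user} viewed {rec.patient}")
    for rec in break_glass:
        print(f"BREAK-GLASS {rec.ts} {rec.user} viewed {rec.patient} (needs justification)")
    print("review tickets:", heavy)
```

On the constructed data this reports four unassigned views (three by `clerk07`, one by `nurse01`), one break-glass access by `dr_lee` to be justified, and a single review ticket for `clerk07`. The roster check is the least-privilege half of the control; the review is the half that catches the curious employee who already has a login.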

I’m Taking My Ball and Going Home!

It seems that Hannaford supermarket has pulled all of its advertising off at least one television station, claiming the reporting on the recent security breach has been too “aggressive”. Attempts by the television station to get more information from Hannaford have gone unanswered according to the article. (Please note that I have not seen any of the reporting so I am going off the cuff here.)

This seems to be an odd move. Now Hannaford has every right to choose where it advertises its stores, but it seems a bit odd that they would pull advertising simply because they were unhappy with news coverage. Apparently there are no factual errors in the television station’s reports of the incident. It simply seems that Hannaford is hurt by the “aggressive” reporting.

Why is this odd, you ask? This move by Hannaford smacks of an attempt to control the news stories reported about the company. While this may not be the reason the advertisements were pulled, it certainly looks like that.

Is this really a possible perception the company wants the public to have following the recent breach?

Why I love the Internet, Reason #1

Why I love the Internet, Reason #1: User Generated Content

That’s right, I did say user generated content. Sure there is a mind numbing amount of content that is pure trash. I often find myself willing to write off the entire genre because of this mountain of mediocrity. Just when I’ve had to stomach about as much garbage as I can take I stumble across something that sucks me back in.

The latest such video was Daft Bodies - Harder, Better, Faster, Stronger. This video is absolutely brilliant. Great idea, skillfully executed, simply awesome.

As long as users keep creating content that exhibits this level of creativity I know I’ll always love the Internet.

The Answer Should Be “Why?”

Dark Reading had an interesting article up yesterday about a study done by Palo Alto Networks that will be released next week. The study apparently draws on data from 20 different enterprises, gathered during vulnerability assessments done to help with the development of Palo Alto’s new firewall product.

Apparently Palo Alto discovered some disturbing, but not too shocking, statistics about the use of unauthorized applications by users. According to Palo Alto Vice President of Marketing Steve Mullaney, here is some of the information in the study:

  • 80% of organizations allow the use of proxies by users
  • 50% of the organizations support the use of Tor or other encrypted communications by users
  • 90% of HTTP traffic was not for browsing, but for web based application use
  • There was little difference in this behavior between organizations with strict policies and those with lax policies

In short, users are bypassing technical controls and ignoring organizational policies to access the applications they want to run.

Personally, I think that the reason for this was summed up in the article nicely with the following quote from Mullaney:

“Up to now, the security guy has always been the guy who said ‘no’ to everything”

Yes, this study was done by a company developing a product to combat these issues. Yes, this quote was from an individual in marketing at Palo Alto. Yes, Palo Alto is hoping that this study will help it sell its new next-generation firewall product. However, this quote strikes at the heart of the reason that users usually try to circumvent current security controls.

Too often the answer to user requests is “No”. Even I have to fight the urge to immediately deny requests, especially requests that create serious security problems. Yet, saying “No” is the wrong action to take. Instead we should be asking “Why?”

When we deny requests, the assumption tends to be that the issue is resolved. Request denied. Case Closed. However, we need to remember that people just want to do their jobs, preferably in the easiest manner possible. Simple rejection, even with an explanation as to why it will not be allowed, is simply driving our users to circumvent the very controls keeping our organizations safe. After all, where there is a will, there is a way.

Yet by asking why users want this new application or feature or access, we understand what they are trying to do. By asking why users are unable to achieve their objective within the current environment, we understand what problems the users are experiencing. By asking why instead of telling them no, we gain a better understanding of how the organization’s information and information systems are being used. This understanding places us in a better position to protect the organization.

After all, if security is everyone’s responsibility, do we not owe it to our users to help make sure they are able to do their jobs in the most efficient and secure manner?

Security Breach Count Continues To Rise

In the first quarter of 2008, educational institutions have experienced 59 reported incidents. This is almost double the first quarter count from 2007 (32 incidents) and over three times as many as the first quarter of 2006 (17 incidents). The 59 incidents reported are just shy of half (42%) of the total number of breaches reported in all of 2007.

The most common type of incident in the first quarter of 2008? Anyone familiar with the results of last year’s ESI YiR should find it no surprise that Unauthorized Disclosure tops the list. With 29 out of the 59 reported incidents, Unauthorized Disclosure easily beats out Theft (11 incidents), Penetration (9 incidents), Loss (4 incidents), Employee Fraud (3 incidents) and Impersonation (2 incidents).

It seems that this increase in breaches is not unique to higher education either. According to a press release by the Identity Theft Resource Center, the breaches and security incidents reported in the first quarter of 2008 are more than double the number reported in the first quarter of 2007. In addition, the 2008 first quarter incident count is more than 1/3 of the total incidents reported in all of 2007.

The most common industries for a breach? According to the ITRC, Business tops the list with 35.9% of the reported incidents. Business is followed by Educational with 25.2%, Government/Military with 18%, Medical/Healthcare with 13.8%, and Banking/Credit/Financial with 7.2%.

(I should point out here that ESI has been able to identify incidents that were not contained in the ITRC count.)