Archive for the ‘Higher Ed’ Category.

Document, Drive and Tape Theft Increasing Faster Than Laptop Theft

An article by Andrea Foster titled “Increase in Stolen Laptops Endangers Data Security” will be appearing in the next issue of The Chronicle of Higher Education. The article outlines the dangers of laptop theft and details a few ways that other educational institutions are protecting data on laptops. The only problem with this article is that the data I have collected at Educational Security Incidents does not support the assumption that there has been an increase in stolen laptops recently.

Looking at the information from 2008, there have been 25 Theft type incidents. Of these 25 incidents, 8 were laptop thefts, 6 were desktops, 5 were documents, 3 were drives and 3 were tapes. As shown in the graph below, laptop thefts, while the most frequently reported type of stolen equipment, make up only roughly 1/3 of all theft incidents.

How does this compare with previous years? Laptop thefts comprised 41% of thefts reported in 2007 and 57% of the thefts reported in 2006.

What is interesting in the data is that the total number of laptop thefts for 2007 and 2006 differs by only one incident. The decrease in percentage is due to the increased number of reports of the theft of other equipment types. Most notably, equipment types such as Drives and Documents saw dramatic increases, as shown below.

Unfortunately, it is not helpful to compare data from the first half of 2008 to that of all of 2006 and 2007. Looking at the first half of each year, the data shows that reported laptop theft in the first half of 2008 equals that of the first half of 2007. No increase to speak of. The same can be said for desktop thefts. However, there has been an increase in document and tape thefts.

The months in which the laptop thefts occurred, as shown below, do not support the idea of a sudden increase in laptop thefts within higher education, which might otherwise give the impression that laptop thefts are occurring more often in recent months.

Even when looking at the total number of records potentially exposed by these thefts, laptop thefts do not stand out dramatically, especially when compared to the desktop theft type incidents. When looking at those incidents where the number of records is known, laptop and desktop thefts in the first half of 2008 have potentially exposed almost the same number of records. The same can be said for the total counts for the two theft types in 2006. In 2007, desktops potentially exposed almost 3 times as many records.

Document theft has increased not only in the number of reported incidents but also in the number of potential records exposed. However, the real standout thus far in 2008 is the increase in backup tape theft and the massive potential loss of records from these stolen tapes.
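The like-for-like comparison argued above (first half of a year against the first half of the previous year, not a half year against a full year), worked through as an added Python example. This is not the blog's code and the incident records are constructed for illustration, not ESI's figures; the equipment types and the "records exposed" field are assumptions about how such a log would be kept.

```python
"""Like-for-like comparison of theft incidents across years.

Added example, not the blog's code; the incident records below are
constructed and are not ESI's figures.
"""
from collections import Counter, defaultdict
from datetime import date

# (date reported, equipment type, records potentially exposed; None = unknown)
INCIDENTS = [
    (date(2007, 2, 3), "laptop", 1200),
    (date(2007, 5, 19), "laptop", None),
    (date(2007, 8, 7), "laptop", 3000),
    (date(2007, 10, 2), "desktop", 9000),
    (date(2007, 11, 14), "document", 400),
    (date(2008, 1, 9), "laptop", 800),
    (date(2008, 2, 11), "tape", 50000),
    (date(2008, 3, 22), "laptop", 2500),
    (date(2008, 4, 5), "document", 600),
    (date(2008, 6, 17), "desktop", 3100),
]


def in_period(d, year, half=None):
    """True if d falls in the given year; with half=1 or 2, in that half-year."""
    if d.year != year:
        return False
    if half is None:
        return True
    return (d.month <= 6) == (half == 1)


def counts_by_type(incidents, year, half=None):
    """Number of theft incidents per equipment type in the period."""
    return Counter(kind for d, kind, _ in incidents if in_period(d, year, half))


def share_by_type(incidents, year, half=None):
    """Fraction of theft incidents per equipment type in the period."""
    counts = counts_by_type(incidents, year, half)
    total = sum(counts.values())
    if not total:
        return {}
    return {kind: round(n / total, 3) for kind, n in counts.items()}


def records_by_type(incidents, year, half=None):
    """Potential records exposed per type, counting only incidents where the figure is known."""
    totals = defaultdict(int)
    for d, kind, records in incidents:
        if records is not None and in_period(d, year, half):
            totals[kind] += records
    return dict(totals)


def compare_periods(incidents, kind, year):
    """Put the misleading comparison (H1 of `year` against all of the prior year)
    beside the like-for-like one (H1 against H1) for one equipment type."""
    prior = year - 1
    return {
        f"h1_{year}": counts_by_type(incidents, year, 1)[kind],
        f"full_{prior}": counts_by_type(incidents, prior)[kind],
        f"h1_{prior}": counts_by_type(incidents, prior, 1)[kind],
    }


if __name__ == "__main__":
    print("H1 2008 share by type:", share_by_type(INCIDENTS, 2008, 1))
    print("2007 records by type:", records_by_type(INCIDENTS, 2007))
    print("laptop comparison:", compare_periods(INCIDENTS, "laptop", 2008))
```

With the constructed records, the half-year-against-full-year view shows laptop thefts "falling" (2 against 3) while the half-year-against-half-year view shows them flat (2 against 2); the same shape of distortion is what makes a full-year baseline unsuitable for a mid-year claim of increase.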

Trust But Verify

Oh, the many ways that organizational information can be lost. Insiders, outsiders, mistakes, malicious actions, theft, loss; the list seems to go on and on. Yet one area that tends to be overlooked quite often is contracted third parties. However, as several colleges and universities have found out recently, third-party actions can have serious consequences for the campus community.

What am I talking about? Well, thus far in April several institutions have had confidential information lost and/or stolen from a trusted third-party. The University of Miami notified 47,000 patients after backup tapes were stolen from an off-site storage company. Northwest Missouri State University, Buffalo State College and four Connecticut State University System campuses have had to alert 1,100, 16,000 and 3,400 students respectively after a laptop belonging to a vendor was stolen.

As shown above, as well as at the end of a previous post, third-party loss of college/university information is not unknown within higher education. As more and more educational institutions reach out to third-party companies for support and development, more internal information will be traveling outside of the institution’s control. Colleges and universities should start looking at ways to control this risk by placing control requirements into vendor agreements.

Some of the controls that should be considered are time limits on how long the information can be stored by the vendor, limitations on how many vendor employees can access the data and how many copies of it can exist, as well as controls on data protection such as requiring encryption on portable equipment. One of my personal favorites is to ask vendors for a copy of their internal security control procedures/policies, and to ask which vendor employee is responsible for the safety and security of the information they are requesting.

We need to stop blindly trusting our vendors and make sure that they have controls in place to properly handle an incident and minimize the effects of a data breach/loss/theft when it occurs. After all, it is not a question of if but when such an event will happen to your institution.

A Light At The End Of The Tunnel?

Reading this blog one might get the impression that I do not hold educational institutions in high regard with respect to information security. However, nothing could be further from the truth. The reason I write about higher education on this site and track security incidents over at ESI is that I believe that these efforts (mostly ESI) will help educational institutions. I have dedicated most of my professional life to working in higher education and I want nothing more than to see this industry succeed.

This desire to see the industry succeed is why I am excited to see the manner in which Ohio University is handling the aftermath of the university’s breach back in 2006. Instead of remaining silent about this unfortunate incident, Ohio University is speaking out about what happened and what the university has learned from the incident. In a recent article in the Chronicle Of Higher Education (subscription required), Ohio University president Roderick McDavis describes the incident from the inside.

This is a great article and hopefully those reading this have access to the Chronicle. If not, The Athens Messenger has an overview of the article, but I feel it misses several key points. These key points include that “We don’t think” is not a good enough answer when determining if systems are at risk, that the university IT department (like many college/university IT departments) “was significantly understaffed and that its future performance was not sustainable without further investment”, and that the outsourcing the university was doing was not a good option for the future.

However, I will say that the overview does capture the best point of the article: “Share information openly - both positive and negative.” Perhaps there is a light at the end of the tunnel after all.

Want to hear more about the Ohio University incident? Ohio University will be talking about this incident at the upcoming EDUCAUSE Security Professionals Conference during a preconference seminar titled “The Lifecycle of a Security Breach”. If you are going to the conference but not attending the preconference events, you can still learn about the breach at the “Keeping the Skillet Hot: Managing Security Between the Breaches” session, where I have the pleasure of being on a panel with Matthew Dalton of Ohio University and Jack McCoy of the University of Colorado System.

A Blow To My Ego

Symantec’s Global Internet Security Threat Report was released recently. Can anyone guess what sector represented the “highest number of known data breaches that could lead to identity theft”? (If you’ve already seen the report, Shhhhh!)

With 24% of the total for the second half of 2007 (drum roll, please) Education topped the list! The good news: 24% is down from the “30% of the total” Education received in the previous report. The bad news: Education was the top ranked sector then as well.

Given that ESI has seen an increase in breaches thus far in 2008 (a trend mirrored industry-wide according to the Identity Theft Resource Center), it appears that Education will unfortunately top the next Global Internet Security Threat Report.

However, this is not the biggest news from the report. With the average identity netting criminals $1-$15, apparently I’m not even worth as much as the pizza I ordered for dinner the other night!

How Insider Threat Is Born

The LA Times has a great article on the recent UCLA medical records breach. In the article, the woman accused of illegally accessing over 61 medical records, Lawanda Jackson, gives a reason for her snooping. What was the reasoning behind Lawanda Jackson’s actions? Was it a diabolical plot to destroy the place where Jackson has worked for over 30 years? Nope. Was Jackson just looking to score some quick cash selling dirt on celebrities? While claims have been made, there is no proof of this (plus almost half of the records Jackson accessed did not belong to celebrities).

What possible reason could Jackson have had then, if it wasn’t malicious intent?!? Simple: Jackson was prompted by nothing more than curiosity. According to statements made to the LA Times, Jackson would see a news story and wonder if the people involved came to the UCLA medical center. To quote Jackson from the story, “There was no intent to do anything bad.” Welcome to how insider threat is born.

Insiders are not always angry or disgruntled employees seeking to get even with their employer. Nor are insiders money-grabbing opportunists looking to make a quick buck at the expense of their employer. Instead, most insiders are individuals that generally enjoy what they do and where they do it. Above all, insiders are human.

Why does the fact that employees are human matter when it comes to insiders and the threat they pose to information security? It is important to always understand that your employees (i.e. insiders) are people and as such have all the failings of people. Some are lazy, some are manipulative, some are mean while others are nice. Above all, many are curious.

This curiosity can easily lead to security incidents if the organization does not take the necessary steps to restrict access. It is no longer enough for information security professionals to protect our organizations’ infrastructure from external attackers; we need to start thinking about how to protect our organizations’ data from unauthorized access or disclosure by our own employees.

Security Breach Count Continues To Rise

In the first quarter of 2008, educational institutions have experienced 59 reported incidents. This is almost double the first quarter count from 2007 (32 incidents) and over three times as many as the first quarter 2006 (17 incidents). The 59 incidents reported is just shy of half (42%) of the total number of breaches reported in 2007.

The most common type of incident in the first quarter of 2008? Anyone familiar with the results of last year’s ESI YiR should find it no surprise that Unauthorized Disclosures tops the list. With 29 out of the 59 reported incidents, Unauthorized Disclosure easily beats out Theft (11 incidents), Penetration (9 incidents), Loss (4 incidents), Employee Fraud (3 incidents) and Impersonation (2 incidents).

It seems that this increase in breaches is not unique to higher education either. According to a press release by the Identity Theft Resource Center, the number of breaches and security incidents reported in the first quarter of 2008 is more than double the number reported in the first quarter of 2007. In addition, the 2008 first quarter incident count is more than 1/3 of the total incidents reported in 2007.

The most common industries for a breach? According to the ITRC, Business tops the list with 35.9% of the reported incidents. Business is followed by Educational with 25.2%, Government/Military with 18%, Medical/Healthcare with 13.8%, and Banking/Credit/Financial with 7.2%.

(I should point out here that ESI has been able to identify incidents that were not contained in the ITRC count.)

The Case of the Student and the Missing Laptop

There is an interesting article over at the Hollister Free Lance site about a potential security incident that may have occurred at Gavilan College. It seems that Tim Holliday, a former Student Trustee and Student Body Senator, is making noise about a Student Body laptop he claims contained personal information such as names, Social Security numbers and photos on 3,100 students, faculty and staff that went missing last year. Apparently, after reporting the missing laptop, Holliday is displeased with the lack of action by the college for more than a year and he is urging the college to notify affected students about the potential risk.

However, the college is taking a different view on the incident. According to the article, the college investigated the report and discovered that Kayed Asfour, a Gavilan student, was the last person to see the laptop. Apparently Asfour assured the college that he deleted all of the Social Security numbers from the laptop before it went missing.

Satisfied with this, the college chose not to report the incident. According to Gavilan President Steven Kinsella, the college took the necessary precautions and the college cannot verify that the laptop contained personal information. In addition, Kinsella points out that the Associated Student Body is an independent organization. As Kinsella states in the article, it is not an issue for the college.

Um… what? I do not understand how the possible exposure of 3,100 records containing personal information is not an issue for any college or university. If what Holliday claims is true, there are some serious questions that beg to be answered about this incident. Unfortunately, there is little more information online about this story beyond the article over at the Hollister Free Lance site.

I found this to be a very interesting story for a number of reasons. It strikes at the heart of what many organizations deal with when discussing what actions to take in the event of a suspected incident. There are contradicting stories, unclear information exposure and questions about authority and responsibility for notification. I hope that more of this story becomes known since I have so many unanswered questions about this incident.

While there is not enough information available to draw any conclusions about this incident, here are some personal ideas about breach reporting.

1. I do not believe that notifying individuals only when personal information loss can be verified is the best approach. When there is the possibility that personal information has been lost or exposed, the organization should always strive to notify unless it can prove the information was not lost/exposed.

2. The assurances of one individual do not count as adequate proof to stop notifications, especially when these assurances are contradicted by another individual within the organization. ‘Tis better to err on the side of caution in my opinion.

3. Information lost by an independent entity does not absolve an organization of the responsibility to notify affected individuals, especially if the information was given to the independent entity by the organization for official use. After all, when Iron Mountain lost backup tapes belonging to the Louisiana Office of Student Financial Assistance, LOSFA immediately contacted the affected individuals to make them aware of the incident. The same held true when independent third-parties lost information given to them by Waseda University, the University of Akron, Kansas State University, and Berry College.

[UPDATE] Missing Out On Good PR

Update2: Ruth Shuman, Dean for Institutional Advancement at Lasell College, contacted me to let me know that Lasell College has established a call center with First Advantage Corporation where affected individuals can sign up for six months of free credit monitoring.

Update: I was contacted by Lasell College about this incident (see comment below). While I generally do not take kindly to threats, I am always willing to admit a mistake when I make one. It seems that Lasell College is offering free credit monitoring to the individuals affected by this incident. I am waiting to hear back from Lasell College to see if I can link to information about what is being offered to the students.

My apologies to anyone that thought this post was directly aimed at Lasell College’s handling of this incident. The goal was instead to point out to the many educational institutions that do not offer free credit monitoring that they are missing a great opportunity for good PR with the affected individuals.

Original Story: Earlier this month, Lasell College alerted 20,000 current and former students, faculty and staff that an employee illegally gained access to a database containing personal information such as names, Social Security numbers and addresses. In response to this incident, the college contacted law enforcement, sent out letters, and set up a web site and hotline to help answer questions. All of these steps are exactly what colleges and universities should do in the event of a security breach.

However, one move that Lasell, like many educational institutions, did not take was to offer free credit monitoring for the affected individuals. This is a move that continues to amaze me. Given the increasing rates of Identity Theft and the public's awareness of the threats, offering free monitoring just makes sense. (Please note that I don’t necessarily agree with the rise in “Identity Theft” given that to me Credit Card fraud does not equal ID Theft. Nor do I agree that credit monitoring is the ultimate solution, but more on these two topics to come.)

If nothing else, the offer of credit monitoring (opt-in of course) is a good way to gain some valuable PR when announcing a breach. Sure, your students/staff/faculty/alumni/donors might be miffed over the loss of their personal information, but what better way to soften the blow than with a year's worth of free monitoring to show the college or university really does care about them?

Question the PR value of this? Think again. In the case of Lasell, IdentityTruth, a credit monitoring service, saw an opportunity for good PR and jumped on it. IdentityTruth decided to reach out to the individuals affected by the Lasell incident and offer them the first month of protection for only $1. For those keeping score, $1 is about a 90% discount. Of course IdentityTruth is most likely banking on the individuals remaining with the service after the discount period ends and the cost goes up to $9.99.

I am not saying that people should run to a credit monitoring service like IdentityTruth. Also, I am not saying that I believe services like IdentityTruth have value. Personally, I know nothing about IdentityTruth and thus am in no place to judge the quality or value of the service.

What I am saying is that IdentityTruth gained valuable PR (hey, I’m talking about them, aren’t I?) while Lasell College now, at least to me, is in a position where it looks like a company not even connected with the college cares more about the protection of these individuals’ identities than the college does. Alright, that might be pushing it a little, but the point remains. If your institution is affected by a breach, who would you rather see offering to protect you through credit monitoring: your institution or some third-party company?

At the very least Lasell College could have gained some good PR by contacting a credit monitoring company and working out a deal where the college is charged a reduced rate based on the potential of signing up 20,000 accounts. The press release could then have at least read “IdentityTruth and Lasell College Reach Out To Alumni, Students and Faculty” instead of “IdentityTruth Reaches Out to Lasell College Alumni, Students and Faculty”.

Amazing how much can change just by moving a few simple words.

Interesting Discussions on Data Classification

If you are involved with information security at a college or university and have not already, I strongly recommend that you head over to the EDUCAUSE site and sign up for the Security Discussion Group. This discussion group is an excellent source of information and provides an easy way to interact with fellow colleagues from other academic institutions.

A recent discussion on the Security list involves data classifications. There are several different approaches in use; here are a few of them. Northwestern follows a three-container system containing Public, Internal and Legally/Contractually Restricted classifications. The University of Massachusetts recently collapsed a five-container system into a three-container system containing Unclassified, Operational Use Only and Confidential. The University of Massachusetts also takes the stance that all PII falls within the Confidential container.

Gary Dobbins over at Notre Dame warns about the dangers of a “catch-all” middle-of-the-road classification. Instead, he moved Notre Dame from a three-container system to a four-container system containing a “Super-Top-Secret” class, an “Internal” class, a “Sensitive” class and a “Public” class. Gary further advises staying away from a “regulated” class due to differences in regulatory requirements.

Dr. Kees Leune is taking a different approach. Instead of relying upon a classification determined by content, he argues that there is a need to define discrete “chunks” of information and then address the needs of these chunks based upon the data owners' needs and uses of the information. Each chunk is then given a rating based upon its required level of Confidentiality, Integrity and Availability.

Out of all of these approaches, my personal preference is closer to that of Gary Dobbins except that I still tend to lean toward a three-container system. I agree with everyone that overly complex classification systems are doomed to failure and a simple, pragmatic approach is best. I also like the approach of Dr. Leune in that there is a need to not only define these classification levels, but to also go out and talk with the data owners about the exact protections their data requires.

There are many more great discussions over on the Security Discussion Group, so head on over and register to become part of the solution.

The Absurdities Of A Swing Set

So I spent a large part of Easter Sunday as well as over 4 hours this morning helping my father build a swing set for my nephew’s upcoming birthday. While I was happy to help, I am still miffed about how long it took us. Sure, the temperature did not help (it was in the low to mid 20s for most of the build) and we didn’t prepare as well as we should have. However, this is not what I am upset over.

The truly aggravating aspect of building the swing set (complete with monkey bars, a fort, a climbing wall, rope ladder and slide) was that nothing was labeled. That's right, a 19 foot long, 7 foot wide wood structure with hundreds and hundreds of bolts, screws, nuts and washers and not one label to be found. While we (eventually) got through everything, there is no excuse for not having things properly labeled. Apparently the company thought that by providing only the bare essentials (the parts and a few pages of pictures) customers should have no problem getting everything going smoothly.

How absurd! Isn’t it? While I was truly annoyed by the lack of assistance through proper labeling, it struck me as very similar to information security directives at many colleges and universities. Too often directives are delivered from “on high” with no clear direction on how to implement them or even the purpose behind them. The result is that, just like my father and I, many departments are left struggling out in the cold for hours with little to no real progress.

The move away from Social Security numbers at most colleges and universities is a great example. Moving away from SSNs to an internal student ID is a great move and one that I strongly support and recommend to any college or university. However, generally the only thing that is communicated to the campus is “No more Social Security numbers”. On the surface this is good, but looking deeper there are serious problems.

One of the first problems is what to do about situations where Social Security numbers are needed, such as with Federal aid or employment. The organization needs to address how the departments should accept, store and transmit SSNs properly given the new edict. Also, the organization needs to make sure that it has addressed all SSN-required functions. After all, failing to address all functions leaves the organization in the dangerous position of having the perception of being SSN free not match reality.

Another, much larger problem is that the cry of “No More Social Security numbers” is rarely followed by instructions on what to do with legacy data and systems. Yet failing to address this legacy data is a serious oversight. The data contained in filing cabinets, legacy computer systems and workstation/laptop hard drives will most likely include SSNs, since this was the student identification number used on campus. This data doesn’t know about the No SSN policy, so unless it is actually addressed, it will stay where it is, waiting for a breach before it becomes known.

Reducing the use of Social Security numbers is an excellent move and one I encourage all educational institutions to make. Just make sure that you are actually addressing all instances of Social Security number use on the campus, or else a No SSN policy will do little more than trick the institution into a false sense of security.
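An added example (not the blog's own code) of the kind of legacy-data check the last two paragraphs call for: a Python scanner that finds SSN-shaped values in exported records or free text, applies the Social Security Administration's structural rules (areas 000, 666 and 900-999, group 00 and serial 0000 have never been issued) to cut false positives, flags bare nine-digit runs as low confidence because order and account numbers look the same, and reports findings masked so the scan log does not itself become another copy of the numbers. The sample lines and the CSV layout are constructed for the example.

```python
"""Find Social Security numbers left behind in legacy data.

Added example, not the blog's code. The sample input is constructed.
"""
import re

# 9 digits written as 123-45-6789, 123 45 6789 or 123456789. The lookarounds
# stop the pattern matching inside longer digit runs such as a 10-digit phone
# number, which would otherwise yield a hit for the first nine digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area 000, 666 and 900-999,
    group 00 and serial 0000 have never been issued."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text: str) -> list:
    """Return (matched_text, confidence) pairs for each plausible SSN in text.

    A separated number (dashes or spaces) is 'high' confidence; a bare
    9-digit run is 'low', because account and order numbers look the same
    and need a human or a column-name check before anyone acts on them.
    """
    hits = []
    for m in SSN_RE.finditer(text):
        if not is_plausible_ssn(*m.groups()):
            continue
        confidence = "high" if len(m.group(0)) > 9 else "low"
        hits.append((m.group(0), confidence))
    return hits


def mask(ssn: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "***-**-" + re.sub(r"\D", "", ssn)[-4:]


def scan_lines(lines: list) -> list:
    """Scan an export line by line; returns (line_no, masked_value, confidence)."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for value, confidence in find_ssns(line):
            findings.append((line_no, mask(value), confidence))
    return findings


# Constructed sample: a legacy CSV export mixed with some free text.
SAMPLE_LINES = [
    "student_id,name,ssn",
    "1001,Jane Doe,123-45-6789",             # constructed, structurally valid
    "1002,John Roe,987 65 4320",             # area 987: never issued, rejected
    "1003,Pat Lee,000-12-3456",              # area 000: never issued, rejected
    "Contact: 555-123-4567 or 5551234567",   # phone numbers, not matched
    "Order #234567891 shipped",              # bare 9-digit run: reported as low
]

if __name__ == "__main__":
    for line_no, masked, confidence in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {masked} ({confidence})")
```

Run against a file export, the scanner is a first pass, not a verdict: the high-confidence hits tell you which systems and files the No SSN policy has to reach, and the low-confidence hits are the queue for a column-name or context check before anything is purged.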