Archive for the ‘Higher Ed’ Category.

That Harvard Story Has Got Legs

Back in mid-February, Harvard University suffered a computer breach. Nothing earth-shattering in this. After all, over 25 incidents had already occurred at colleges and universities in 2008 before the Harvard incident. Sure, “kaboom73” uploaded the files stolen from the Harvard server to a torrent on Pirate Bay. Then, a month later, Harvard announced that the stolen data contained information on 10,000 applicants.

All of this makes for a juicy story, I’ll admit. You’ve got a big-name school, a compromised site, mocking messages, p2p, Pirate Bay, and thousands of individuals. However, is it “hundreds of news articles in the past week” juicy? Seriously, this story is showing up all over the place: major news outlets, local news outlets, even international news outlets.

I’m still scratching my head over the reason for all the attention. After all, it isn’t the only, or even the first, web site compromise of 2008. Nor is the Harvard incident the largest of 2008. There have been other internationally-known schools involved in breaches this year. Yet none of these other stories have garnered the news interest that the Harvard story has sparked. I guess the only thing I can say is that the Harvard story has got legs.

Another Brick In The Wall Of Security

Proving that he uses his head for more than just showing off that fantastic mane of hair, David Mortman discusses user awareness training over on Securosis. Go read the post; I’ll wait.

One aspect of the post that I truly enjoyed was the discussion of the financial institution that found that most of the PII data sent offsite was not sent with malicious intent. The reason? From the post:

These security breaches were from unintentional or accidental causes. Not realizing that recipients of the email were not inside the company, or that the file contained PII, were by far the two most common reasons that this sort of data was leaving the company.

In other words, simple employee mistakes cause security headaches. Sound familiar? It should if you are a regular over at Educational Security Incidents. Last year, employee mistakes outnumbered external computer and/or network attacks 2:1. In addition, employees accidentally leaking data through web sites, e-mails, trash cans, etc., accounted for more than one third of all security incidents (38%) and ended up exposing a total of 396,000 records, for an average exposure of almost 7,500 records per mistake.

If we take the Ponemon estimate of $197 cost per record, the average employee mistake leading to a security incident last year cost colleges and universities a lot of money. Even taking business costs such as lost business and customer acquisition problems (65%, or $125) out, colleges and universities could still face a cost of $72 per record lost. Using this reduced figure, simple mistakes can still end up costing educational institutions over half a million dollars. Even if the actual costs end up being only a fraction of this estimate, the cost of employees unaware of the mistakes they make can still be tens of thousands of dollars.

However, perhaps you are not a fan of ROI/ROSI and see the above as nothing more than a fancy numbers game with no real backing. Fair enough. The fact still remains that one out of every three security incidents at colleges and universities (as reported in the media) was the result of an employee mistake. Of all mistakes, accidentally placing sensitive and/or internal information online was by far the most common, comprising 31 of the 53 unauthorized-disclosure-type incidents reported last year.

Misunderstanding the safety and security of online files is one of the most common reasons employees place sensitive and/or internal information online. For example, an internal report containing student information was recently found available to the public through an Ave Maria web site. When asked why this information was placed online, Vice President of Academic Affairs Jack Sites stated he believed the information was only available to those individuals who knew the exact URL. A misunderstanding created a security incident, and it is a misunderstanding that can be easily addressed through security awareness and training programs.

Given all of this, even the most modest reduction in the occurrence of such mistakes due to increased awareness of risk would make user awareness training an attractive addition to college and university information security programs.

Yeah… I Don’t Get It

It seems Memorial University is banning instant messaging from University-owned machines to help prevent possible breaches. Apparently this move was in response to the recent breaches caused by p2p software at several Newfoundland and Labrador government agencies. However, the move by Memorial doesn’t track, for several reasons.

First, there is simply no way you can rate p2p software and IM software as introducing the same level of risk to an organization. By its very nature, p2p software exists to share data between individuals. Internal files and folders are automatically opened to anyone running the program. IM, on the other hand, is a communications tool that just happens to have file sharing capabilities. Even this ability to share is more limited than p2p, since it has to be user initiated. There are no “public” or “shared” folders in IM clients. The risk of sharing files through IM is no greater than that of e-mail. Does Memorial plan to ban the use of e-mail as well?

Second, Graham Mowbray, director of Computing and Communications at Memorial, is apparently also concerned over the fact that IM conversations traverse several servers between sender and recipient. According to the article, Mowbray states, “…if you and I are exchanging messages, that message goes through Memorial’s firewall, down to some server in the States, then back up through Memorial’s firewall to you.” Um… yup. This is the way the Internet does indeed work. Again, IM adds no additional risk to the university, so why the ban?

Last, this ban appears to be a knee-jerk reaction to recent news articles. According to Mowbray, the reaction was so quick the University didn’t have time to reach out to the university community or consider any alternatives. The result? Apparently there is some “discontentment” among the students and staff. It’s no wonder. A massive change is implemented with almost no attempt to discuss the changes with those directly affected and no plan to offer a viable alternative? I cannot think of a more efficient way of ensuring significant push back from users.