Archive for the ‘Security’ Category.

CBE: The Data Breach CVE?

Adam Shostack has a very interesting post about the decision by Maryland to post the state’s Information Security Breach Notices online. New Hampshire also joins Maryland in placing Notices of Security Breach online for everyone to access.

What is interesting about the Maryland posts, as pointed out by Adam, is that Maryland also includes the case ID in the online list. The inclusion of a unique identifier for each breach listed is a possible way to cross-correlate breaches between various tracking sites such as Attrition.org, Pogo Was Right, SSNBreach.org, ID Theft Resource Center, PRC, Chris Walsh’s Data Breach Primary Sources, ESI, etc. Adam brings up an excellent point: a common identification system (much like CVE) would allow everyone to see which breaches are being discussed where, and which breaches are not.

Personally, I fully support this idea. Part of my “routine” when preparing the ESI YiR is to visit all of the sites listed above and search for breaches that I may have missed during the year. As much as I strive to stay on top of breaches within higher education, I will miss a few. This last sanity check on my list of breaches helps me make a best effort to include as many publicized breaches as possible. A common identification system would definitely cut down on the time it takes to review the other sites.

So to start things off, let me pose this question: What do “we” need to start things moving towards a CBE of sorts?

A few quick thoughts would be:

  • A common lexicon for classification of breach type as well as data lost/exposed
  • A way to allow states and/or organizations to submit their own entries
  • A central group responsible for reviewing/verifying CBE submissions

A call on anyone interested in this topic to start thinking about this. Let’s get the discussion rolling…
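As an added illustration (not code from the original post, nor from any of the tracking sites named above), here is a toy registry in Python that does the three things in the list: it enforces a small common lexicon, accepts submissions from any source, and assigns a common identifier so you can see which tracking sites cover a breach and which do not. The CBE-YYYY-NNNN identifier format, the lexicon terms, the 30-day matching window, and all sample reports, sites’ own ids and organisation names are assumptions made up for the example.

```python
"""Added example: a toy CBE-style registry that assigns a common breach
identifier and cross-references reports from several tracking sites.
The CBE-YYYY-NNNN id format, the lexicon and the 30-day window are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional
import re

# A minimal common lexicon (assumed): every submission must use these terms.
BREACH_TYPES = {"theft", "loss", "hack", "insider", "exposure"}
DATA_TYPES = {"name", "address", "ssn", "medical", "financial"}


@dataclass
class Report:
    source: str                        # tracking site that carries the report
    org: str                           # organisation as that source wrote it
    reported: date                     # date the source reported it
    breach_type: str                   # term from BREACH_TYPES
    data: FrozenSet[str]               # terms from DATA_TYPES
    records: Optional[int] = None
    external_id: Optional[str] = None  # the source's own id (e.g. a state case ID)


def normalize_org(name: str) -> str:
    """Light normalisation so minor spelling differences between sites still
    match. Deliberately conservative: dropping words such as 'state' or
    'university' would merge distinct schools into one entry."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in {"the", "of", "at", "inc"})


class Registry:
    def __init__(self, window_days: int = 30):
        self.window_days = window_days
        self.entries: List[dict] = []
        self._seq: Dict[int, int] = {}   # per-year sequence for the id

    def validate(self, r: Report) -> None:
        """Reject submissions that do not use the common lexicon."""
        if r.breach_type not in BREACH_TYPES:
            raise ValueError(f"unknown breach type: {r.breach_type!r}")
        unknown = set(r.data) - DATA_TYPES
        if unknown:
            raise ValueError(f"unknown data types: {sorted(unknown)}")

    def add(self, r: Report) -> str:
        """Attach the report to an existing entry or open a new one. Two reports
        are taken to describe the same breach when the normalised organisation
        and breach type agree and the report dates fall within the window."""
        self.validate(r)
        key = (normalize_org(r.org), r.breach_type)
        for e in self.entries:
            if e["key"] == key and abs((r.reported - e["first"]).days) <= self.window_days:
                e["reports"].append(r)
                return e["id"]
        year = r.reported.year
        self._seq[year] = self._seq.get(year, 0) + 1
        cid = f"CBE-{year}-{self._seq[year]:04d}"
        self.entries.append({"id": cid, "key": key, "first": r.reported, "reports": [r]})
        return cid

    def coverage(self) -> Dict[str, List[str]]:
        """Which tracking sites discuss each breach."""
        return {e["id"]: sorted({r.source for r in e["reports"]}) for e in self.entries}

    def missing_from(self, source: str) -> List[str]:
        """Breaches known to the registry that a given site has not reported."""
        return [cid for cid, srcs in self.coverage().items() if source not in srcs]


def build_sample_registry() -> Registry:
    """Constructed sample reports: fictional organisations, sites and ids."""
    reg = Registry()
    sample = [
        Report("attrition", "Example University", date(2008, 4, 2), "theft",
               frozenset({"ssn", "name"}), 1200, "ATTR-0001"),
        Report("esi", "Example University", date(2008, 4, 3), "theft",
               frozenset({"ssn", "name", "medical"}), 1200, "ESI-2008-12"),
        Report("pogo", "The Example University", date(2008, 4, 5), "theft",
               frozenset({"ssn"})),
        Report("esi", "Sample College", date(2008, 3, 10), "hack",
               frozenset({"ssn"}), 300),
        # Same school, same type, five months later: a different incident.
        Report("attrition", "Example University", date(2008, 9, 1), "theft",
               frozenset({"name"}), 40),
    ]
    for r in sample:
        reg.add(r)
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    for cid, sources in reg.coverage().items():
        print(cid, sources)
    print("not yet on esi:", reg.missing_from("esi"))
```

The matching key is deliberately crude, and that is where the central review group earns its keep: two reports that genuinely describe the same breach but name the school differently are left as separate entries for a person to merge, which is safer than automatically merging two distinct breaches at the same institution. Keeping each site’s own id (a state case ID, for instance) on the report is what makes the merge auditable later.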

Document, Drive and Tape Theft Increasing Faster Than Laptop Theft

An article by Andrea Foster titled “Increase in Stolen Laptops Endangers Data Security” will be appearing in the next issue of The Chronicle of Higher Education. The article outlines the dangers of laptop theft and details a few ways that other educational institutions are protecting data on laptops. The only problem with this article is that the data I have collected at Educational Security Incidents does not support the assumption that there has been an increase in stolen laptops recently.

Looking at the information from 2008, there have been 25 Theft type incidents. Of these 25 incidents, 8 were laptop thefts, 6 were desktops, 5 were documents, 3 were drives and 3 were tapes. As shown in the graph below, laptop thefts, while the type of equipment most often reported stolen, comprise only roughly one third of all theft incidents.

How does this compare with previous years? Laptop thefts comprised 41% of thefts reported in 2007 and 57% of the thefts reported in 2006.

The interesting thing when looking at the data is that the total number of laptop thefts for 2007 and 2006 differs by only one incident. The decrease in percentage is due to the increased number of reports of the theft of other equipment types. Most notably, equipment types such as Drives and Documents saw dramatic increases, as shown below.

Unfortunately, it is not helpful to compare data from the first half of 2008 to that of all of 2006 and 2007. Looking at the first half of each year, the data shows that reported laptop theft in the first half of 2008 equals that of 2007. No increase to speak of. The same can be said for desktop thefts. However, there has been an increase in document and tape thefts.

The months in which the laptop thefts occurred, as shown below, also do not support the idea of a sudden recent increase in laptop thefts within higher education, which might otherwise give the perception that laptop thefts are occurring more often in recent months.

Even when looking at the total number of records potentially exposed by these thefts, laptop thefts do not stand out dramatically, especially when compared to the desktop theft type incidents. When looking at those incidents where the number of records is known, laptop and desktop thefts in the first half of 2008 have potentially exposed almost the same number of records. The same can be said for the total counts for the two theft types in 2006. In 2007, desktops potentially exposed almost 3 times as many records.

Document theft has increased not only in the number of reported incidents but also in the number of records potentially exposed. However, the real standout thus far in 2008 is the increase in backup tape theft and the massive potential loss of records from these stolen tapes.

February 2008 Illinois Department of Human Services Security Incident

The Rockford, Illinois Police Department contacted the Rockford Family Community Resource Center (FCRC) on February 29, 2008 after the police discovered 12 boxes of FCRC files in the basement of a local residence. According to a May 6, 2008 letter [pdf] from the Illinois Department of Human Services to the Illinois General Assembly, when the DHS Division of Human Capital Development (HCD) was able to access these boxes on March 4, 2008, HCD employees determined that the boxes contained 1,450 customers’ case files. These case files contained names, addresses, Social Security numbers and “in many cases” confidential medical information.

One of the residents in the home where the files were found was an HCD employee. This employee was suspended pending judicial judgement. Rockford police discovered the files while investigating the occupants of the residence as part of an unspecified investigation.

According to the letter, removing case files from the FCRC was against HCD policy and DHS Administrative Directives, as well as an FCRC directive that all boxes being removed from the office be examined. In response to this incident, no boxes can be brought into or taken from the FCRC office, and security staff will begin searching all duffel bags, book bags, etc. as staff leave the office.

[This letter was obtained through a FOIA request with the State of Illinois]

Asleep at the wheel

So I had planned on doing a response to the CISSP Dead/Not Dead debate. However, I see no need now when I can just as easily point you to the amazing discussion going on over at the Security Catalyst Community on this topic. In the time it took me to put my thoughts together, this forum discussion has taken off. If you found yourself interested in the posts by Dre, Allen, or Kevin, head over to the forum post.

Registration is required if you are not an SCC member already, but it is free and gives you access to a lot of great content.

Speaking of Sales Pitches

So last week I commented on Alan Shimel’s post about the “security sales conundrum”. Alan responded in a comment asking me what my thoughts were on fixing this problem. I’ve been thinking about this problem. After all, what is the best way to pitch new and existing customers, or at least make them aware of new products that might meet their needs?

While I’ve been thinking this over, I received an interesting sales pitch last night. I received a package at home (even though the package was addressed to my office). Inside was a t-shirt and coffee cup from Lancope. Accompanying the swag was a letter inviting me to participate in a free webinar detailing how Lancope was able to help a university gain better visibility into their network. The package also included some marketing material that was targeted at universities.

While it was odd to receive a 3 pound package I was not expecting (I kept wondering if I had made any enemies lately that might wish me harm), I am happy to see this type of marketing by Lancope. No, I’m not talking about the t-shirt and cup. I’m talking about knowing the industry in which I work. While I may not be interested in the product, I guarantee I will at least look over the material if you show me you understand the issues that I am dealing with.

A few other thoughts on sales pitches:

  • Please don’t pitch me a product my organization already purchases from your company (this happens more than you would think)
  • Engage me on the phone, ask about any current projects where your product might help. If there aren’t any, don’t keep pitching me.
  • I don’t mind phone calls, but I would prefer e-mail. I don’t mind reading over sales material, but I want to do it on my time.
  • Understand the limitations that I am under. Public institutions have purchasing regulations. Be aware before you contact me.
  • I’ll talk to you but I’d prefer to talk to another educational institution. Personally, I’m a sucker for case studies.

That’s about it for today I think… now back to my regularly scheduled morning coffee.

The State of Security Sales Calls

Alan Shimel over at (big, big breath here) Still Secure, After All These Years (and exhale) has a post about a particular annoyance of mine: overeager, overzealous security sales individuals. While I’ve only been with my current company for a year, it didn’t take long for the sales calls to start rolling in. And roll in they have.

It is getting to the point where, like many security pros out there, I let telephone calls from odd area codes/external numbers go to voice mail. Alas, this doesn’t always save me. There are some vendors that call the main office or switchboard and ask to be transferred.

There is even one vendor (I’m assuming since I never answer) that calls at least twice a day. Now the calls, while a bit excessive, can be understood. However, what is inexcusable is that the caller doesn’t hang up during my voice mail greeting. Instead the caller leaves 1-2 second blank voice mails causing my VM light to turn on and the message waiting sound to start chiming away happily… Oh to get a few moments alone with this thoughtful and persistent caller.

However, none of this compares to the extreme annoyance of companies not returning phone calls or e-mail messages inquiring after products. We’ve all dealt with it. A company you were not interested in won’t leave you alone, yet a bit later that same company ignores your inquiries when you are interested. It leads one to believe that there is something horribly wrong with the world when companies you will not give money to never leave you alone, while companies you want to give money to don’t seem to care.

Or perhaps it is something a bit worse. Perhaps these sales individuals are told to pitch X number of individuals per day/hour/month/week/etc. Perhaps the individuals you want to give money are too busy pitching others. Not because there is a better chance for a sale with these other potential customers, but because the company has outdated or, at the very least, broken sales procedures. Perhaps I have no idea what I am talking about.

One thing that I do know is that it is heartening to see companies like StillSecure reaching out to their customers and see how the company can attempt to address the problem many of us have with sales calls.

CNN, Chinese Hackers and a Poor Pennsylvania Web Site

Over the past week there has been much talk by a group of Chinese hackers about attacking CNN web sites as part of a protest of what the group claims has been anti-China news coverage by CNN. The Dark Visitor site (where I personally became aware of this whole incident) has done a great job of covering the whole saga.

After calling off the attack once the attack details became public, it seems that the group decided to go through with the attack after all. Offering words of encouragement and automated tools for those without the technical skills for manual attacks, the group launched an attack that appeared to be successful. Even now sites like sports.si.cnn.com remain offline, causing individuals to boast about the success of the attack on sites such as Twitter.

Yet, there is one small problem. The site attacked, the “Sports Network” is not part of the CNN/SI family of sites. Instead the Sports Network is a privately held Pennsylvania company that has been taken offline by these attacks. As of this writing the web site for the Sports Network still displays a note about the attack and that the Sports Network is working to get everything back up and running.

This was an odd story to watch unfold and I wish the best of luck to the staff over at the Sports Network in getting everything back online and avoiding future attacks.

Trust But Verify

Oh, the many ways that organizational information can be lost. Insiders, outsiders, mistakes, malicious actions, theft, loss; the list seems to go on and on. Yet one area that tends to be overlooked quite often is contracted third parties. However, as several colleges and universities have found out recently, third-party actions can have serious consequences for the campus community.

What am I talking about? Well, thus far in April several institutions have had confidential information lost and/or stolen from a trusted third-party. The University of Miami notified 47,000 patients after backup tapes were stolen from an off-site storage company. Northwest Missouri State University, Buffalo State College and four Connecticut State University System campuses have had to alert 1,100, 16,000 and 3,400 students respectively after a laptop belonging to a vendor was stolen.

As shown above, as well as at the end of a previous post, third-party loss of college/university information is not unknown within higher education. As more and more educational institutions reach out to third-party companies for support and development, more internal information will be traveling outside of the institution’s control. Colleges and universities should start looking at ways to control this risk by placing control requirements into vendor agreements.

Some of the controls that should be considered are time limits on how long the information can be stored by the vendor, limitations on how many vendor employees can access the data and how many copies of it can exist, as well as controls on data protection such as requiring encryption on portable equipment. One of my personal favorites is to ask vendors for a copy of their internal security control procedures/policies, as well as asking which employee (at the vendor) is responsible for the safety and security of the information they are requesting.

We need to stop blindly trusting our vendors and make sure that they have controls in place to properly handle an incident and minimize the effects of a data breach/loss/theft when it occurs. After all, it is not a question of if but when such an event will happen to your institution.

A Light At The End Of The Tunnel?

Reading this blog one might get the impression that I do not hold educational institutions in high regard with respect to information security. However, nothing could be further from the truth. The reason I write about higher education on this site and track security incidents over at ESI is that I believe these efforts (mostly ESI) will help educational institutions. I have dedicated most of my professional life to working in higher education and I want nothing more than to see this industry succeed.

This desire to see the industry succeed is why I am excited to see the manner in which Ohio University is handling the aftermath of the university’s breach back in 2006. Instead of remaining silent about this unfortunate incident, Ohio University is speaking out about what happened and what the university has learned from the incident. In a recent article in the Chronicle Of Higher Education (subscription required), Ohio University president Roderick McDavis describes the incident from the inside.

This is a great article and hopefully those reading this have access to the Chronicle. If not, The Athens Messenger has an overview of the article, but I feel it misses several key points. These key points include that “We don’t think” is not a good enough answer when determining if systems are at risk, that the university IT department (like many college/university IT departments) “was significantly understaffed and that its future performance was not sustainable without further investment”, and that the outsourcing the university was doing was not a good option for the future.

However, I will say that the overview does capture the best point of the article: “Share information openly - both positive and negative.” Perhaps there is a light at the end of the tunnel after all.

Want to hear more about the Ohio University incident? Ohio University will be talking about this incident at the upcoming EDUCAUSE Security Professionals Conference during a preconference seminar titled “The Lifecycle of a Security Breach”. If you are going to the conference but not attending the preconference events, you can still learn about the breach at the “Keeping the Skillet Hot: Managing Security Between the Breaches” session, where I have the pleasure of being on a panel with Matthew Dalton of Ohio University and Jack McCoy of the University of Colorado System.

We Need A Better Solution

Anyone that has attended a security training at my organization knows that I hate passwords. Why, you might ask? It is simple. Passwords are a pain! Just take a look at my daily password entry:

  • Password #1: Log into my personal laptop in the morning
  • Password #2: Log into personal e-mail account
  • Password #3: Log into ESI web site, check logs/stats and update if needed
  • Password #4: Log into AdamOn, check logs/stats and update if needed
  • Password #5: Log into FeedBurner and check stats
  • Password #6: Log into work computer
  • Password #7: Log into work e-mail
  • Password #8: Open encrypted disk at work

Yup, that’s right, I type in 8 different passwords before 8am in the morning! Is it any wonder I hate passwords? Oh, and each of these passwords is different than the others. This is a typical morning for me and does not include signing into other services such as IM or Twitter or any of my servers. (Doing so can add up to 5 more unique passwords to my daily log on procedures.)

Each day I face a growing contempt for these passwords. They are in my way, preventing me from doing my job in the most efficient manner possible. It is no wonder that people write down passwords, use similar/the same passwords over and over again and use applications to store passwords. Passwords just suck!

It might sound strange to some people that a security professional doesn’t like passwords, but I am not alone. Dr. M.E. Kabay, CTO of the School of Graduate Studies at Norwich University and Program Director for the university’s Masters of Science in Information Assurance, has an excellent set of articles over at Network World about passwords.

The bottom line is that we need a better solution.