Archive for the ‘Security’ Category.

A Blow To My Ego

Symantec’s Global Internet Security Threat Report was released recently. Can anyone guess what sector represented the “highest number of known data breaches that could lead to identity theft”? (If you’ve already seen the report, Shhhhh!)

With 24% of total for the second half of 2007 (drum roll, please) Education topped the list! The good news: 24% is down from the “30% of the total” Education received in the previous report. The bad news: Education was the top ranked sector then as well.

Given that ESI has seen an increase in breaches thus far in 2008 (a trend mirrored industry-wide according to the Identity Theft Resource Center), it appears that Education will unfortunately top the next Global Internet Security Threat Report as well.

However, this is not the biggest news from the report. With the average identity netting criminals $1-$15, apparently I’m not even worth as much as the pizza I ordered for dinner the other night!

How Insider Threat Is Born

The LA Times has a great article on the recent UCLA medical records breach. In the article, the woman accused of illegally accessing over 61 medical records, Lawanda Jackson, gives a reason for her snooping. What was the reasoning behind Lawanda Jackson’s actions? Was it a diabolical plot to destroy the place where Jackson has worked for over 30 years? Nope. Was Jackson just looking to score some quick cash selling dirt on celebrities? While claims have been made, there is no proof of this (plus almost half of the records Jackson accessed did not belong to celebrities).

What possible reason could Jackson have had then, if it wasn’t malicious intent? Simple: Jackson was prompted by nothing more than curiosity. According to statements made to the LA Times, Jackson would see a news story and wonder if the people involved came to the UCLA medical center. To quote Jackson from the story, “There was no intent to do anything bad.” Welcome to how insider threat is born.

Insiders are not always angry or disgruntled employees seeking to get even with their employer. Nor are insiders money-grabbing opportunists looking to make a quick buck at the expense of their employer. Instead, most insiders are individuals that generally enjoy what they do and where they do it. Above all, insiders are human.

Why does the fact that employees are human matter when it comes to insiders and the threat they pose to information security? It is important to always understand that your employees (i.e. insiders) are people and as such have all the failings of people. Some are lazy, some are manipulative, some are mean while others are nice. Above all, many are curious.

This curiosity can easily lead to security incidents if the organization does not take the necessary steps to restrict access. It is no longer enough for information security professionals to protect our organizations’ infrastructure from external attackers; we need to start thinking about how to protect our organizations’ data from unauthorized access or disclosure by our own employees.

The Answer Should Be “Why?”

Dark Reading had an interesting article up yesterday about a study done by Palo Alto Networks that will be released next week. The study is apparently data from 20 different enterprises that was gathered during vulnerability assessments done to help with development of Palo Alto’s new firewall product.

Apparently Palo Alto discovered some disturbing but not too shocking statistics about the use of unauthorized applications by users. According to Palo Alto Vice President of Marketing, Steve Mullaney, here is some of the information in the study:

  • 80% of organizations allow the use of proxies by users
  • 50% of the organizations support the use of TOR or other encrypted communications by users
  • 90% of HTTP traffic was not for browsing, but for web-based application use
  • There was little difference in this behavior between organizations with strict policies and those with lax policies

In short, users are bypassing technical controls and ignoring organizational policies to access the applications they want to run.

Personally, I think that the reason for this was summed up in the article nicely with the following quote from Mullaney:

“Up to now, the security guy has always been the guy who said ‘no’ to everything”

Yes, this study was done by a company developing a product to combat these issues. Yes, this quote was from an individual in marketing at Palo Alto. Yes, Palo Alto is hoping that this study will help it sell its new firewall product. However, this quote strikes at the heart of the reason that users usually try to circumvent current security controls.

Too often the answer to user requests is “No”. Even I have to fight the urge to immediately deny requests, especially requests that create serious security problems. Yet, saying “No” is the wrong action to take. Instead we should be asking “Why?”

When we deny requests, the assumption tends to be that the issue is resolved. Request denied. Case Closed. However, we need to remember that people just want to do their jobs, preferably in the easiest manner possible. Simple rejection, even with an explanation as to why it will not be allowed, is simply driving our users to circumvent the very controls keeping our organizations safe. After all, where there is a will, there is a way.

Yet by asking why users want this new application or feature or access, we understand what they are trying to do. By asking why users are unable to achieve their objective within the current environment, we understand what problems the users are experiencing. By asking why instead of telling them no, we can gain a better understanding of how the organization’s information and information systems are being used. This understanding helps place us in a better position to protect the organization.

After all, if security is everyone’s responsibility, do we not owe it to our users to help make sure they are able to do their jobs in the most efficient and secure manner?

Security Breach Count Continues To Rise

In the first quarter of 2008, educational institutions have experienced 59 reported incidents. This is almost double the first quarter count from 2007 (32 incidents) and over three times as many as the first quarter 2006 (17 incidents). The 59 incidents reported is just shy of half (42%) of the total number of breaches reported in 2007.

The most common type of incident in the first quarter of 2008? Anyone familiar with the results of last year’s ESI YiR should find it no surprise that Unauthorized Disclosures tops the list. With 29 out of the 59 reported incidents, Unauthorized Disclosure easily beats out Theft (11 incidents), Penetration (9 incidents), Loss (4 incidents), Employee Fraud (3 incidents) and Impersonation (2 incidents).

It seems that this increase in breaches is not unique to higher education either. According to a press release by the Identity Theft Resource Center, the number of breaches and security incidents reported in the first quarter of 2008 is more than double the number of incidents reported in the first quarter of 2007. In addition, the 2008 first quarter incident count is more than one third of the total incidents reported in 2007.

The most common industries for a breach? According to the ITRC, Business tops the list with 35.9% of the reported incidents. Business is followed by Educational with 25.2%, Government/Military with 18%, Medical/Healthcare with 13.8%, and Banking/Credit/Financial with 7.2%.

(I should point out here that ESI has been able to identify incidents that were not contained in the ITRC count.)

The Case of the Student and the Missing Laptop

There is an interesting article over at the Hollister Free Lance site about a potential security incident that may have occurred at Gavilan College. It seems that Tim Holliday, a former Student Trustee and Student Body Senator, is making noise about a Student Body laptop he claims contained personal information such as names, Social Security numbers and photos on 3,100 students, faculty and staff that went missing last year. Apparently, after reporting the missing laptop, Holliday is displeased with the lack of action by the college for more than a year and he is urging the college to notify affected students about the potential risk.

However, the college is taking a different view on the incident. According to the article, the college investigated the report and discovered that Kayed Asfour, a Gavilan student, was the last person to see the laptop. Apparently Asfour assured the college that he deleted all of the Social Security numbers from the laptop before it went missing.

Satisfied with this, the college chose not to report the incident. According to Gavilan President Steven Kinsella, the college took the necessary precautions and the college cannot verify that the laptop contained personal information. In addition, Kinsella points out that the Associated Student Body is an independent organization. As Kinsella states in the article, it is not an issue to the college.

Um… what? I do not understand how the possible exposure of 3,100 records containing personal information could not be an issue for any college or university. If what Holliday claims is true, there are some serious questions that beg to be answered about this incident. Unfortunately, there is little more information online about this story beyond the article over at the Hollister Free Lance site.

I found this to be a very interesting story for a number of reasons. It strikes at the heart of what many organizations deal with when discussing what actions to take in the event of a suspected incident. There are contradicting stories, unclear information exposure and questions about authority and responsibility for notification. I hope that more of this story becomes known since I have so many unanswered questions about this incident.

While there is not enough information available to draw any conclusions about this incident, here are some personal ideas about breach reporting.

1. I do not believe that notifying individuals only when personal information loss can be verified is the best approach. When there is the possibility that personal information has been lost or exposed, the organization should always strive to notify unless it can prove the information was not lost/exposed.

2. The assurances of one individual do not count as adequate proof to stop notifications, especially when these assurances are contradicted by another individual within the organization. ‘Tis better to err on the side of caution in my opinion.

3. Information lost by an independent entity does not absolve an organization of the responsibility to notify affected individuals, especially if the information was given to the independent entity by the organization for official use. After all, when Iron Mountain lost backup tapes belonging to the Louisiana Office of Student Financial Assistance, LOSFA immediately contacted the affected individuals to make them aware of the incident. The same held true when independent third-parties lost information given to them by Waseda University, the University of Akron, Kansas State University, and Berry College.

[UPDATE] Missing Out On Good PR

Update2: Ruth Shuman, Dean for Institutional Advancement at Lasell College, contacted me to let me know that Lasell College has established a call center with First Advantage Corporation where affected individuals can sign up for six months of free credit monitoring.

Update: I was contacted by Lasell College about this incident (see comment below). While I generally do not take kindly to threats, I am always willing to admit a mistake when I make one. It seems that Lasell College is offering free credit monitoring to the individuals affected by this incident. I am waiting to hear back from Lasell College to see if I can link to information about what is being offered to the students.

My apologies to anyone that thought this post was directly aimed at Lasell College’s handling of this incident. The goal was instead to point out to the many educational institutions that do not offer free credit monitoring that they are missing a great opportunity for good PR with the affected individuals.

Original Story: Earlier this month, Lasell College alerted 20,000 current and former students, faculty and staff that an employee illegally gained access to a database containing personal information such as names, Social Security numbers and addresses. In response to this incident, the college contacted law enforcement, sent out letters, and set up a web site and hotline to help answer questions. All of these steps are exactly what colleges and universities should do in the event of a security breach.

However, one move that Lasell, like many educational institutions, did not take was to offer free credit monitoring for the affected individuals. This is a move that continues to amaze me. Given the increasing rates of Identity Theft and the public’s awareness of the threats, offering free monitoring just makes sense. (Please note that I don’t necessarily agree with the rise in “Identity Theft” given that to me Credit Card fraud does not equal ID Theft. Nor do I agree that credit monitoring is the ultimate solution, but more on these two topics to come.)

If nothing else, the offer of credit monitoring (opt-in of course) is a good way to gain some valuable PR when announcing a breach. Sure, your students/staff/faculty/alumni/donors might be miffed over the loss of their personal information, but what better way to soften the blow than with a year’s worth of free monitoring to show the college or university really does care about them?

Question the PR value of this? Think again. In the case of Lasell, IdentityTruth, a credit monitoring service, saw an opportunity for good PR and jumped on it. IdentityTruth decided to reach out to the individuals affected by the Lasell incident and offer them the first month of protection for only $1. For those keeping score, $1 is about a 90% discount. Of course IdentityTruth is most likely banking on the individuals remaining with the service after the discount period ends and the cost goes up to $9.99.

I am not saying that people should run to a credit monitoring service like IdentityTruth. Also, I am not saying that I believe services like IdentityTruth have value. Personally, I know nothing about IdentityTruth and thus am in no place to judge the quality or value of the service.

What I am saying is that IdentityTruth gained valuable PR (hey, I’m talking about them, aren’t I?) while Lasell College now, at least to me, is in a position where it looks like a company not even connected with the college cares more about the protection of these individuals’ identities than the college does. Alright, that might be pushing it a little, but the point remains. If your institution is affected by a breach, who would you rather see offering to protect you through credit monitoring: your institution or some third-party company?

At the very least Lasell College could have gained some good PR by contacting a credit monitoring company and working out a deal where the college is charged a reduced rate based on the potential of signing up 20,000 accounts. The press release could then have at least read “IdentityTruth and Lasell College Reach Out To Alumni, Students and Faculty” instead of “IdentityTruth Reaches Out to Lasell College Alumni, Students and Faculty”.

Amazing how much can change just by moving a few simple words.

Interesting Discussions on Data Classification

If you are involved with information security at a college or university and have not already, I strongly recommend that you head over to the EDUCAUSE site and sign up for the Security Discussion Group. This discussion group is an excellent source of information and provides an easy way to interact with fellow colleagues from other academic institutions.

A recent discussion on the Security list involves data classifications. There are several different approaches being used; here are a few of them. Northwestern follows a three-container system containing Public, Internal, and Legally/Contractually Restricted classifications. The University of Massachusetts recently collapsed a five-container system into a three-container system containing Unclassified, Operational Use Only and Confidential. The University of Massachusetts also takes the stance that all PII falls within the Confidential container.

Gary Dobbins over at Notre Dame warns about the dangers of a “catch-all” middle-of-the-road classification. Instead, he moved Notre Dame from a three-container system to a four-container system containing a “Super-Top-Secret” class, an “Internal” class, a “Sensitive” class and a “Public” class. Gary further warns to stay away from a “regulated” class due to differences in regulatory requirements.

Dr. Kees Leune is taking a different approach. Instead of relying upon a classification determined by content, he argues that there is a need to define discrete “chunks” of information and then address the needs of these chunks based upon the data owner’s needs and uses of the information. Each chunk is then given a rating based upon its required level of Confidentiality, Integrity and Availability.

Out of all of these approaches, my personal preference is closer to that of Gary Dobbins except that I still tend to lean toward a three-container system. I agree with everyone that overly complex classification systems are doomed to failure and a simple, pragmatic approach is best. I also like the approach of Dr. Leune in that there is a need to not only define these classification levels, but to also go out and talk with the data owners about the exact protections their data requires.

There are many more great discussions over on the Security Discussion Group, so head on over and register to become part of the solution.

The Absurdities Of A Swing Set

So I spent a large part of Easter Sunday as well as over 4 hours this morning helping my father build a swing set for my nephew’s upcoming birthday. While I was happy to help, I am still miffed about how long it took us. Sure, the temperature did not help (it was in the low to mid 20s for most of the build) and we didn’t prepare as well as we should have. However, this is not what I am upset over.

The truly aggravating aspect of building the swing set (complete with monkey bars, a fort, a climbing wall, rope ladder and slide) was that nothing was labeled. That’s right, a 19 foot long, 7 foot wide wood structure with hundreds and hundreds of bolts, screws, nuts and washers and not one label to be found. While we (eventually) got through everything, there is no excuse for not having things properly labeled. Apparently the company thought that by providing only the bare essentials (the parts and a few pages of pictures) customers should have no problem getting everything going smoothly.

How absurd! Isn’t it? While I was truly annoyed by the lack of assistance through proper labeling, it struck me as very similar to information security directives at many colleges and universities. Too often directives are delivered from “on-high” with no clear direction of how to implement them or even the purpose behind them. The result is that, just like my father and I, many departments are left struggling out in the cold for hours with little to no real progress.

The move away from Social Security numbers at most colleges and universities is a great example. Moving away from SSNs to an internal student ID is a great move and one that I strongly support and recommend to any college or university. However, generally the only thing that is communicated to the campus is “No more Social Security numbers”. On the surface this is good, but looking deeper there are serious problems.

One of the first problems is: what about situations where Social Security numbers are needed, such as with Federal aid or employment? The organization needs to address how the departments should accept, store and transmit SSNs properly given the new edict. Also, the organization needs to make sure that it has addressed all SSN-required functions. After all, failing to address all functions leaves the organization in the dangerous position of having the perception of being SSN free not match reality.

Another, much larger problem is that often the cry of “No More Social Security numbers” is rarely followed by instructions on what to do with legacy data and systems. Yet, failing to address this legacy data is a serious oversight. The data contained in filing cabinets, legacy computer systems and workstation/laptop hard drives will most likely include SSNs since this was the student identification number used on campus. This data doesn’t know about the No SSN policy, so unless it is actually addressed, it will stay where it is waiting for a breach before it becomes known.

Reducing the use of Social Security numbers is an excellent move and one I encourage all educational institutions to make. Just make sure that you are actually addressing all instances of Social Security number use on the campus, or else a No SSN policy will do little more than trick the institution into a false sense of security.
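Finding the legacy SSNs described above is a discovery problem before it is a policy problem: you cannot migrate or purge what you have not located. The following Python scanner is an added example, not code from the original post or from any institution named in it. It searches text exports for SSN-shaped digit runs, discards runs the Social Security Administration never issues (area 000, 666 and 900-999, group 00, serial 0000), and reports masked hits per source so a department can prioritize which legacy files and systems to clean up. The file names and their contents are constructed sample data.

```python
import re
from typing import NamedTuple

# Matches the common layouts 123-45-6789, 123 45 6789 and 123456789.
# The digit lookarounds stop it matching inside longer digit runs
# (for example a 10-digit phone number), which cuts down false positives.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


class Hit(NamedTuple):
    source: str    # file or system the value was found in
    line_no: int   # 1-based line number within that source
    masked: str    # only the last four digits are kept in the report


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject digit runs the SSA does not issue.

    Area 000, 666 and 900-999, group 00 and serial 0000 are never assigned,
    so a run with one of those parts is not an SSN and is not reported.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def mask(serial: str) -> str:
    """Report form: never echo the full number into a scan report."""
    return f"***-**-{serial}"


def find_ssns(source: str, text: str) -> list[Hit]:
    """Return every plausible SSN in `text`, masked, with its line number."""
    hits: list[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if plausible_ssn(area, group, serial):
                hits.append(Hit(source, line_no, mask(serial)))
    return hits


def summarize(files: dict[str, str]) -> dict[str, int]:
    """Count plausible SSNs per source so legacy locations can be ranked."""
    return {name: len(find_ssns(name, text)) for name, text in files.items()}


# Constructed sample "legacy" exports (assumption: these are not real records).
SAMPLE_FILES = {
    "registrar_export_2003.csv": (
        "last,first,ssn,phone\n"
        "Doe,Jane,123-45-6789,555-123-4567\n"      # hit; phone is ignored
        "Roe,Rick,987-65-4321,555-987-6543\n"      # area 987 never issued
        "Poe,Pat,219 09 9999,555-000-1111\n"       # hit (space-separated)
    ),
    "legacy_id_notes.txt": (
        "old student id was the SSN: 078051120\n"  # hit (bare nine digits)
        "new internal id: 10045678\n"              # eight digits, no match
        "placeholder 000-00-0000 used in tests\n"  # area 000 never issued
    ),
}

if __name__ == "__main__":
    for name, text in SAMPLE_FILES.items():
        for hit in find_ssns(name, text):
            print(f"{hit.source}:{hit.line_no}: {hit.masked}")
    print(summarize(SAMPLE_FILES))
```

In practice you would feed this the text of exported spreadsheets, database dumps and mailbox archives rather than inline strings, and expect some false positives (any nine-digit identifier with a valid-looking area number is flagged), so the report is a worklist for review rather than a verdict. Keeping only the last four digits in the output matters: a scan report that contains full SSNs is itself a new copy of the data the policy is trying to eliminate.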

What Exactly Is The Point?

For the record, please allow me to introduce this concept to those that are not familiar with it: Breach notification letters are completely different from press releases about an incident. Therefore, each needs to be crafted differently.

Breach notifications are intended to alert an individual that their personal information is now in the hands of an unauthorized individual. These notifications tend to follow a similar format: Greet the individual. Introduce the problem. Explain the issues/data lost. Apologize for the event. Offer/Don’t offer credit monitoring for one year. Include phone numbers/web sites/e-mail addresses with more information. Apologize again. Wash. Rinse. Repeat.

Press releases are a different beast and are a way for an organization to give input to the news reports about the incident. Breach press releases generally tend to go into greater detail than a notification, explaining what happened, with or without quotes from the organization. Information on completed or ongoing investigations is included. The obligatory high-level apology is included as well as a promise that “changes are being taken to prevent such an event in the future”.

However, some organizations intermix these two formulas with mixed results. Adding breach notification information, such as where to get more information, to press releases? It can work. Adding press release information to breach notifications? This is where I have a problem.

Why? Generally, most organizations want to include the “we are making changes to prevent breaches in the future” tag line in breach notifications. For example, it seems that Duke University’s physics department took this approach in a letter to students over a recent incident. (Note: Duke is not alone in this and is only included as a recent example.) My question to anyone that agrees with this approach is this: What exactly is the point?

How does it help me to learn that the organization is taking steps to protect against future breaches? My data has already been lost. It is out there regardless of whether or not a future breach occurs. Not to be self-centered, but upon first learning that my personal information has been lost, the furthest thing from my mind is the protection of other individuals in the future. So please, please, please stop including this information in the breach notification; I just don’t care. Oh, and as I’ve talked about in the past, don’t tell me there is no evidence of misuse three days after the breach.

I agree that it is a good step for organizations to talk about the changes being made to prevent future breaches. After all, it shows that the breach is a learning opportunity for the organization. Just keep it out of the breach notification, OK?

That Harvard Story Has Got Legs

Back in mid-February, Harvard University suffered a computer breach. Nothing earth shattering in this. After all, over 25 incidents had already occurred at colleges and universities in 2008 before the Harvard incident. Sure, “kaboom73” uploaded the files stolen from the Harvard server to a torrent on Pirate Bay. Then, a month later, Harvard announced that the stolen data contained information on 10,000 applicants.

All of this makes for a juicy story, I’ll admit. You’ve got a big name school, compromised site, mocking messages, p2p, Pirate Bay, thousands of individuals. However, is it “hundreds of news articles in the past week” juicy? Seriously, this story is showing up all over the place: Major news outlets. Local news outlets. Even international news outlets.

I’m still scratching my head over the reason for all the attention. After all, it isn’t the only or even the first web site compromise of 2008. Nor is the Harvard incident the largest of 2008. There have been other internationally-known schools involved in breaches this year. Yet none of these other stories have garnered the news interest that the Harvard story has sparked. I guess the only thing I can say is that the Harvard story has got legs.