

Posts from May 2007

Wednesday, 30 May 2007

Office of Management and Budget (OMB) sets 120-day deadline for Federal Agencies to Develop Security Breach Notification Policy

The White House Office of Management and Budget (OMB) has given federal agencies a 120-day deadline for developing a security breach notification policy.   The memorandum (http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf) also requires federal agencies to review their holdings and use of personally identifiable information (PII) and to eliminate unnecessary collection and use of it, in particular Social Security numbers.

With recent security breaches highlighting the need for better protection of PII, the White House OMB is taking information security and privacy for electronic data seriously.

Thursday, 24 May 2007

Stony Brook University Web Site Exposes the Names and Social Security Numbers for 89,853 Faculty, Staff, Students, Alumni, and University Community Members

Stony Brook University has disclosed (www.stonybrook.edu/disclosure) that a Health Sciences Center library web site accidentally exposed a data file containing the names, Social Security numbers, and university ID numbers of 89,853 faculty, staff, students, alumni, and other members of the university community.

Although the university believes the disclosure was accidental, this incident is very troubling.  Why did the university keep this sensitive information in a single computer file without any encryption?   And why was a file with such sensitive information kept on a web server at all?
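As an added example (not code from the original post or from Stony Brook), here is a small Python check an administrator could run over a web server's document root to find files that contain Social Security number-like values before they are ever published. The regular expression, the plausibility rules, and the directory layout are assumptions made for this example, and the sample files it scans are constructed.

```python
import os
import re
import tempfile

# Candidate SSN: three, two, then four digits, optionally separated by "-" or " ".
# Assumption for this example; adjust the separators to match your own data formats.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def plausible_ssn(area, group, serial):
    """Reject values the SSA does not issue (area 000, 666, 900-999; group 00;
    serial 0000) so that ID numbers and phone fragments cause fewer false positives."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def scan_text(text):
    """Return the plausible SSN-looking strings found in a block of text."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if plausible_ssn(*m.groups())]


def scan_tree(root):
    """Walk a directory tree (for example a web document root) and map each
    file that contains plausible SSNs to the number of hits in it."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skipped here, a real tool should log it
            if hits:
                report[path] = len(hits)
    return report


def demo():
    """Build a constructed document root with one clean page and one stray
    export file, scan it, and return (flagged relative paths, total hits)."""
    with tempfile.TemporaryDirectory() as root:
        export_dir = os.path.join(root, "library", "exports")
        os.makedirs(export_dir)
        with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
            fh.write("<p>Reference desk: 631-555-0100. Updated 2007-05-24.</p>\n")
        with open(os.path.join(export_dir, "roster.csv"), "w", encoding="utf-8") as fh:
            # Constructed rows; the numbers are made up and belong to nobody.
            fh.write("name,ssn,univ_id\n")
            fh.write("Jane Roe,123-45-6789,U100200\n")
            fh.write("John Doe,000-12-3456,U100201\n")   # invalid area: not counted
            fh.write("Ann Poe,321 54 9876,U100202\n")
        report = scan_tree(root)
        flagged = {os.path.relpath(p, root).replace(os.sep, "/") for p in report}
        return flagged, sum(report.values())


if __name__ == "__main__":
    flagged, total = demo()
    print(f"{total} plausible SSN(s) found in {sorted(flagged)}")
```

A check like this is a safety net, not a substitute for the real fix: a file of identifiers has no business on a web server in the first place. Expect some false positives from other nine-digit identifiers, and note that the scan only sees plain text, so archives, spreadsheets and database files need their own handling.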

Perhaps this incident at Stony Brook University will help other institutions of higher learning to rethink their information security governance and privacy initiatives.   How many more incidents like these will happen before the U.S. Congress mandates stricter information security and privacy measures for educational institutions?

Wednesday, 23 May 2007

Hacked: University of Colorado at Boulder Announces the Potential Exposure of 44,998 Names of Students and Their Social Security Numbers

The University of Colorado at Boulder has announced (http://www.colorado.edu/news/releases/2007/224.html) a data breach that has placed the names and Social Security numbers of 44,998 students at risk for identity theft (ID theft). 

The intrusion on the computer server for the College of Arts and Science's Academic Advising Center was discovered on May 12 by university IT security staff.   Initial review indicated that an intruder was able to install a malicious program, known as a computer worm, on the affected server.   At this time the university does not believe the personal information, including Social Security numbers, was accessed by the intruder.   However, the university is providing a website with additional information for affected students at: http://www.colorado.edu/its/security/aac052007/.

I agree, universities should foster a culture of openness and sharing, but must also balance the need for openness with robust information security governance and privacy protection programs.

University of Pittsburgh Medical Center (UPMC) Donor Solicitation Mailing Exposes the Social Security Numbers for 6,000 Former Patients

A donor solicitation mailing by the University of Pittsburgh Medical Center (UPMC) exposed the Social Security numbers of 6,000 former patients.  According to the Post-Gazette (http://www.post-gazette.com/pg/07142/787898-28.stm) the mailing included donor response cards with each patient's Social Security number embedded in a tracking code.   The tracking code was visible through the window of the response envelope that patients would mail back to UPMC.    Last week, UPMC apologized to those affected and offered one (1) year of free credit monitoring to the patients affected by this incident.
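As an added example, not code from the post or from UPMC, the following Python contrasts a tracking code that embeds the SSN (the pattern described above) with an opaque code that can still be matched to the patient record when the card comes back. The record layout, the secret key, and the token format are assumptions for the example, and the patient rows are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: the names and numbers are made up for this example.
PATIENTS = [
    {"record_id": 1001, "name": "A. Example", "ssn": "123-45-6789"},
    {"record_id": 1002, "name": "B. Example", "ssn": "987-65-4320"},
]


def leaky_tracking_code(patient):
    """The failure mode described above: the SSN rides along in the code that
    is printed on the response card and shows through the envelope window."""
    return f"DON-{patient['ssn'].replace('-', '')}-{patient['record_id']}"


class TrackingCodeIssuer:
    """Issues opaque codes and keeps the code-to-record mapping server-side.

    The printed code carries a random token plus a short keyed tag. The token
    says nothing about the patient, and the tag lets the intake step reject
    mistyped or forged codes before any database lookup.
    """

    def __init__(self, secret_key: bytes):
        self._key = secret_key          # kept with the mailing system, never printed
        self._codes = {}                # token -> record_id

    def _tag(self, token: str) -> str:
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()[:6]

    def issue(self, patient) -> str:
        token = secrets.token_hex(6)    # 48 random bits, 12 hex characters
        self._codes[token] = patient["record_id"]
        return f"{token}-{self._tag(token)}"

    def resolve(self, code: str):
        """Map a returned code back to a record_id, or None if it is invalid."""
        try:
            token, tag = code.split("-", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(tag, self._tag(token)):
            return None
        return self._codes.get(token)


def code_leaks_ssn(code: str, ssn: str) -> bool:
    """True if the SSN digits appear verbatim inside the printed code."""
    return ssn.replace("-", "") in code.replace("-", "")


if __name__ == "__main__":
    issuer = TrackingCodeIssuer(secrets.token_bytes(32))
    for p in PATIENTS:
        bad, good = leaky_tracking_code(p), issuer.issue(p)
        print(p["name"], "leaky:", bad, "leaks SSN:", code_leaks_ssn(bad, p["ssn"]))
        print(p["name"], "opaque:", good, "-> record", issuer.resolve(good))
```

The point of the design is that the only thing leaving the building is a meaningless token; the sensitive identifier stays in the database, and the mailing house never needs to see it at all.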

In recent years, health care institutions have faced increasing challenges in complying with regulatory requirements for information security and privacy.   However, they should do more to protect the personal information of their patients.  In the U.S., health care institutions have not made information security and privacy areas of serious consideration or investment.  Most health care institutions seek to meet regulatory requirements, but fail to look beyond the myopia of regulatory compliance.

Tuesday, 22 May 2007

Illinois Department of Financial and Professional Regulation (IDFPR) Data Breach Exposes the Social Security Numbers and Personal Information of 300,000 Realtors, Mortgage Brokers, and Loan Originators Licensed in Illinois

The Illinois Department of Financial and Professional Regulation (IDFPR) has acknowledged (http://www.idfpr.com/breachinformation.asp)  a data security breach that occurred in January 2007 and which was confirmed on May 3, 2007, at which time the IDFPR referred the incident to State and Federal law enforcement agencies.

This data breach incident is troubling because it has exposed the personal information, including Social Security numbers, of over 300,000 realtors, mortgage brokers, and loan originators licensed to operate in the State of Illinois.  The IDFPR delayed notifying the public at the request of the law enforcement agencies working on the case.  Although as a consumer I don't agree 100%, as a security professional I'll extend the benefit of the doubt to the law enforcement community, because they may have good reasons to delay public disclosure in an attempt to bring those responsible for this crime to justice.

Regardless of the outcome of criminal investigation of this incident, there should be more accountability, resources, and technology within state and local governments to better protect the information of all citizens.  If state and local governments fail to protect our personal information from being placed at risk for fraud and abuse, we will not as a nation or as local communities be able to meet the challenges of homeland security effectively.

Monday, 21 May 2007

Alcatel-Lucent (Euronext Paris and NYSE: ALU) Places Personal Information for Thousands of Employees at Risk for Identity (ID) Theft

On Friday, May 18, Alcatel-Lucent (Euronext Paris and NYSE: ALU) acknowledged that a CD-ROM containing personal information, including names, addresses, Social Security numbers, birth dates and salary information, for several thousand employees and Lucent retirees and their dependents was lost while being shipped via courier.   Alcatel-Lucent has stated the data only affects employees of Lucent Technologies from before the merger with Alcatel.  The company is offering one (1) year of free identity theft protection and credit monitoring to affected employees.

Every week we read or hear news stories about data losses incurred by organizations of all sizes.  Most headlines fail to highlight the steps organizations can take to safeguard the information entrusted to them.  In this case, Alcatel-Lucent made an error in judgment by failing to implement a basic information security control, data encryption, for employee personal information stored on any computer media leaving its facilities.   This incident illustrates that even technology-savvy organizations can fail to protect sensitive information by ignoring the proper use of controls such as data encryption.

It is time for organizations to make the security and protection of sensitive information a forethought and not an afterthought. 


Alcatel Press Release

Alcatel-Lucent Notifies Employees and Retirees of Former Lucent Technologies of Missing Computer Disk Containing Personal Information

Thursday, 17 May 2007

Unspecified Number of IBM (NYSE:IBM) Employees at Risk for Identity Theft Due to Computer Data Backup Tapes Being Lost

Imagine driving through the interchange of Interstates 287 and 684 in Westchester County, New York, and seeing a few computer backup tapes fall from the back of a truck.  This happened when a contractor was using the truck to transport computer equipment between IBM (NYSE:IBM) offices.  Although the incident occurred in late February 2007, to date the missing tapes have not been recovered.

IBM has quietly offered a reward for the return of the missing computer backup data tapes through ads in a few local New York newspapers.  IBM has confirmed that the missing computer backup data tapes contain sensitive personal information including, names, addresses, dates of birth, social security numbers, and employment service dates for an unspecified number of current and mostly former IBM employees.  IBM is offering affected employees free credit monitoring services for one (1) year.

IBM is a leading company in the information security services industry.   However, this incident demonstrates that all organizations are at risk for security lapses.   IBM is a large, sophisticated organization with a broad and deep understanding of information security, but it has publicly acknowledged that some of the missing backup tapes may not have been encrypted to protect the data they contained.

Data encryption is a basic information security control which can protect data from accidental disclosure.  Perhaps other organizations can learn from IBM's actions in this case and implement basic information security protection measures such as data encryption to protect all computer data backups.


Computerworld - IBM contractor loses employee data in transit
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019518&intsrc=hm_list

Wednesday, 16 May 2007

State of California Secretary of State Leading Charge to Test Electronic Voting (E-Voting) Systems

In a surprising move, California's Secretary of State has ordered a comprehensive review of the security mechanisms of the electronic voting machines certified for use in California.  While politicians in Washington D.C. have largely ignored, or paid only lip service to, the security and integrity risks inherent in electronic voting (e-voting) systems, California's Secretary of State Debra Bowen has taken a commendable step in the right direction.

The "Top-To-Bottom Review" requested by the California Secretary of State's Office is being done through a contract with the University of California (UC), experts from both private and public universities, and private sector companies throughout the United States.   

The list of technology and security experts who are initially named to conduct this research is quite impressive.  Some of those experts are:

  • Matthew Bishop, Professor in the Department of Computer Science and Co-Director of the Computer Security Laboratory at UC Davis
  • David Wagner, Associate Professor in the Computer Science Division at UC Berkeley
  • Matt Blaze, Associate Professor of Computer Science, University of Pennsylvania
  • Ed Felten, Professor of Computer Science and Public Affairs, Princeton University; Director of Center for Information Technology Policy, Princeton University
  • Eric Rescorla, Chief Scientist of Network Resonance, Inc.
  • Mark McLarnon, RABA Technologies
  • Harri Hursti, Independent Computer Security Consultant
  • Giovanni Vigna, Associate Professor, Computer Security Group, Department of Computer Science, UC Santa Barbara
  • Deirdre K. Mulligan, Director of the Samuelson Law, Technology & Public Policy Clinic and Clinical Professor of Law at the UC Berkeley School of Law (Boalt Hall)
  • Candice Hoke, Associate Professor of Law and Director, Center for Election Integrity, Cleveland State University
  • Joseph Lorenzo Hall, MA, MIMS, Ph.D. candidate in the Department of Information Management and Systems, UC Berkeley
  • Noel Runyan, electrical engineer and computer scientist with over 33 years experience

This initial list of experts is quite impressive and commendable.  I wish all of these researchers, and those yet to be added to their ranks, success in their efforts to find and fix the vulnerabilities in the electronic voting systems used in California's elections.  To the researchers: thank you for lending your experience and talents to safeguarding our democracy.

Given the public's concern for fair, accessible, and accurate elections, I have to wonder why the federal government has not taken the lead in doing the kind of research California's Secretary of State has requested.   Maybe it is time for those in positions of public trust in Washington D.C. to follow California's lead in ensuring that every citizen's vote is secure, accurate, reliable, and accessible.

One last closing thought, California is embarking on this ambitious research well ahead of the 2008 U.S. Presidential Election.  Will anyone in the United States Congress review California's research ahead of the U.S. Presidential Elections and pass national legislation to safeguard every citizen's vote that is cast on electronic voting machines?

For more information on the State of California's Secretary of State's Top-To-Bottom Review please visit: 
http://www.ss.ca.gov/elections/elections_vsr.htm

Tuesday, 15 May 2007

Computer Security Breach at Goshen College May Have Exposed Personal Information on 7,300 Students and Parents

Goshen College (www.goshen.edu) suffered a computer network security breach by an attacker who apparently was attempting to use Goshen's computer systems to distribute spam e-mail.

The attack may have exposed the personal information of 7,300 students.   According to Goshen's public statements, the potential data breach may have included "names, addresses, birth dates, Social Security numbers and phone numbers of students and some information on some parents".

Goshen issued an advisory (http://www.goshen.edu/news/pressarchive/05-11-07-security.html) on Friday May 11, 2007.

When will educational institutions learn to protect the personal information of students, faculty, and staff?  How many more data breach incidents will we as a society have to suffer for organizations to do the right thing in protecting our personal information?

Monday, 14 May 2007

Visa Pressuring Financial Institutions and Businesses to Avoid Using Insecure Credit Card Payment Processing Software Applications

Visa International is urging payment software application vendors to conform to Visa's "Payment Application Best Practices"  or PABP.   Although most financial institutions and merchants already follow the "Payment Card Industry" (PCI) data security standards, Visa is taking the issue of credit card holder data security one step further. 

Recently, Visa sent a letter strongly urging financial institutions to stop using software from six vendors whose credit card processing applications do not meet the PABP security guidelines.   It is important to note that following the PABP is, at this time, a voluntary step for software vendors.   While not mandatory, Visa has already certified over 155 payment applications from 83 vendors under the PABP guidelines.

For a long time, information security professionals have been urging the need to implement stronger software application security.  Visa's actions in developing the PABP and encouraging software application security guidelines is commendable.

If your business uses payment processing software that is not certified under PABP, Visa's position is that your business will not achieve PCI compliance.   With fines of up to $500,000 (USD) for each incident of non-compliance with PCI requirements, it is in the best interest of every business subject to PCI to heed both the PCI and PABP guidelines.

For more information including a list of certified applications under the PABP please visit: http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html