Posts from January 2008

January 30, 2008

Georgetown University Data Loss Affects 38,000 Students, Faculty, and Staff

Georgetown University in Washington, D.C. has alerted the public via a press release (http://explore.georgetown.edu/news/?ID=30979) of a data breach incident stemming from the loss of an external computer hard drive.  The lost hard drive contained personally identifiable information, including names and Social Security numbers, for approximately 38,000 current and former students, faculty, and staff.

Georgetown is offering free credit monitoring for those affected by this data loss incident.  A toll-free telephone number (866-740-2458) has been set up to handle questions from those who may be affected by this information security breach.  Georgetown is taking the correct steps in recovering from this incident.

However, it is still amazing to me that, with the current proliferation of portable storage devices such as external hard drives and USB memory sticks, organizations don't put in place and enforce stronger IT policies to prevent sensitive data from being stored unencrypted on removable disks and/or memory media.

When will organizations learn to better protect the personally identifiable information they have been entrusted with by their clients, business partners, and employees?  It is my hope this lesson is learned and these types of data loss incidents don't keep occurring.

January 28, 2008

ChoicePoint Inc. (NYSE: CPS) Pays $10M to Settle Data Breach Lawsuit

ChoicePoint Inc. (NYSE: CPS) is paying $10 million to settle a class-action lawsuit related to a data breach incident from 2005.   In the related data breach, the personal information of 160,000 consumers was put at risk. 

The $10 million payment, if approved by the U.S. District Court in Georgia, would settle the lawsuit brought by shareholders against named defendants ChoicePoint and certain of its officers.  As part of the settlement, ChoicePoint will admit no liability in the data breach incident.

Score one for big business and shareholders.  However, consumers today still don't have comprehensive federal legislation to protect their data privacy or to impose stiff financial penalties on companies that put their personal information at risk.


Computerworld

http://computerworld.com/action/article.do?command=printArticleBasic&articleId=9059659

Data Breach of Credit Card Details for 650,000 Consumers Including 150,000 Social Security Numbers

GE Money USA, a company that provides credit card processing services for retailers, has suffered a data breach potentially affecting the credit card details for approximately 650,000 consumers.  A backup tape has been missing since October from an Iron Mountain Inc. (NYSE: IRM) secure storage facility.

GE Money has publicly identified only one retailer, J.C. Penney Co. (NYSE: JCP), among the affected retailers whose data was compromised on the lost backup tape.  In addition, GE Money has stated that approximately 150,000 Social Security numbers for customers of retailers were stored on the backup tape.

GE Money is providing free credit monitoring for one year to those consumers affected and has informed consumers via letters mailed starting in early December 2007.

Data Breach Affects 650k Customers of 230 Retailers
http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=311724

GE Money Backup Tape With 650,000 Records Missing At Iron Mountain
http://www.informationweek.com/story/showArticle.jhtml?articleID=205901244

Thoughts On Blog and Domain Name Marketing

Recently a friend suggested that I consider renaming this blog and its associated domain name.  In considering this suggestion, I ran across an interesting service on-line--PickyDomains.com. 

PickyDomains.com, a domain naming company, has added an interesting twist to what has been a traditional marketing discipline.  I will try their services and report back at a later date on the results of this exercise in weblog and domain naming.

If you, my readers, have any recommendations on a new blog and domain name for this blog, your suggestions are welcome!  Thank you in advance for any suggestions.

January 26, 2008

Bush Orders Intelligence Cyber Security Monitoring Of Federal Agencies

Concerned about cyber security threats to our national security, President Bush has signed (on January 8, 2008) a classified executive order (the "National Security Presidential Directive 54/Homeland Security Presidential Directive 23") directing the U.S. National Security Agency (NSA), Central Intelligence Agency (CIA), and the Federal Bureau of Investigation's (FBI) Cyber Division to monitor the computer networks of all federal agencies.

The task force will be coordinated by the Office of the Director of National Intelligence (ODNI).  Under the auspices of the ODNI, the Department of Homeland Security (DHS) will coordinate protection efforts for the cyber security of the computer networks for all federal agencies.  The Pentagon will be in charge of coordinating strategic defensive and offensive responses to cyber attacks.

Although this order attempts to centralize the federal efforts to protect our federal agencies from cyber security threats both foreign and domestic, it falls short on one key element.  That element is the inclusion of the private-sector industries that are part of our national critical infrastructure, such as energy companies, telecommunications providers, and health care organizations such as hospitals.  Failure to include the money and resources for these industries to better protect their critical information networks and assets is detrimental to our national security posture.

I'm in agreement that we need to protect federal agencies from cyber security threats.  However, the Federal government must do more than pay lip service to the private sector; it must provide real economic incentives, technology transfers, research, and coordination efforts with the private sector to protect the industries critical to our national infrastructure and security.


Washington Post
Bush Order Expands Network Monitoring

January 18, 2008

U.S. Federal Energy Regulatory Commission Issues Cyber Security Standards

On January 17, 2008, the U.S. Federal Energy Regulatory Commission approved eight mandatory reliability standards for cyber security designed to help guard the United States national power grid from cyber security threats and attacks.

The new standards were developed by the North American Electric Reliability Corporation (NERC).  NERC is also charged with managing the future development of these standards and with following the guidance of the National Institute of Standards and Technology (NIST) on issues of cyber security.  This is a particularly smart move on the part of FERC, since it ensures that future cyber security standards developed and maintained by NERC remain relevant and current with changes in technology and in the field of cyber security research.

According to a FERC press release (See: http://www.ferc.gov/news/news-releases/2008/2008-1/01-17-08-E-2.asp) the eight new cyber security standards address the following topics:

  • Critical Cyber Asset Identification;
  • Security Management Controls;
  • Personnel and Training;
  • Electronic Security Perimeters;
  • Physical Security of Critical Cyber Assets;
  • Systems Security Management;
  • Incident Reporting and Response Planning; and
  • Recovery Plans for Critical Cyber Assets.

Recently we have seen news reports about other countries, like China, enhancing their cyber security and warfare capabilities within their own government and military forces.  I'm glad FERC is creating these standards for critical infrastructure protection (CIP) of our nation's power grid to counter the potential threats from other governments and from those who would choose to do our country harm.

I hope the power grid operators and electric utility companies quickly implement these standards and help contribute more investment dollars towards the protection of our critical infrastructure assets from cyber and physical security threats.

January 05, 2008

Pa. Government Website Compromised By Chinese Hackers

Early on the morning of Friday, January 4, 2008, the Commonwealth of Pennsylvania government website was infected with a computer virus.  To stop the infection from spreading, system administrators began a coordinated effort to shut down other commonwealth agency websites.  System administrators and IT security staff were able to preliminarily identify the source of the data breach: a domain name registered in China.

The fact that this attack may have originated in China is not surprising.  As early as 2006, the U.S.-China Economic and Security Review Commission (USCC), a U.S. Congressional Commission, warned about China's cyber threat capabilities.  According to the 2006 USCC annual report (http://www.uscc.gov/annual_report/2006/chapter3_sec1.pdf), China is creating military information warfare units and shifting its cyberwarfare posture to become offensive, in an effort to disrupt enemy networks and information systems.

The U.S. Government is not alone in its assessment that China poses a major threat in terms of cyberwarfare capabilities.  Recently the United Kingdom's counter-intelligence and security service, MI5, warned that China is sponsoring cyber espionage against key industries in the British economy.

When nations with unlimited resources, like China, decide to integrate cyberwarfare capabilities into their military forces, this should cause both private industry and governments around the world to take notice and rethink their views about cyber security.  In the next few years, we will see state-sponsored cyberwarfare increasingly become a major threat of national security importance.  To counter this threat effectively, there must be better cooperation and research between private industry and government.

State Web sites back after hack attack
http://www.mcall.com/news/local/all-a1_5web.6214422jan05,0,2068262.story

Hackers Force Pa. to Shut State Web Site
http://ap.google.com/article/ALeqM5iGKgY3SpKw7_p7A8MGHpTfSpN8mAD8TVE5SG0