[SecurityRatty] tag: scholarship

A Niche to a Niche is Still Hard to Staff

Thu, 10 Jul 2008 08:59:36 +0000

I’ve touched on this about a bazillion times, let me start today with a very simple statement: due to the scale of the US Government, we cannot find enough skilled security people.

Part of the problem is that good security people need to know the following skills:

IT technology: since the data more often than not is in a computer, you need to understand them
People technology: policies and procedures for managing people
Business sense: understanding that you’re supporting business goals
And for Government: politics

Back when I was PFC Rybolov, my battalion commander told me something along the lines of “The intelligence world is a hard job, you have to be able to out-infantry the infantry, out-mechanic the mechanics, out-radio the radio guys, and you need to know a language.” Security is pretty much the same thing–you have to out-techie the techies, out-business the MBAs, and out-jerkify the auditors. =)

Sound complicated? Yes, it is, and it’s hard to find people who can do all this. IT is an employment niche, IT security is a niche to a niche. And there isn’t enough people who have the experience to do it.

So how do we mitigate the staffing shortage? Here is what we are doing today in the Government:

CyberCorps scholarship program for undergrads and graduate students with a minimum government service obligation.
Using other career fields in “crossover roles”–yes, accountants can be used for some light security tasks. Some things that we think of as security are really Quality Assurance and Change Control jobs that we have a vested interest in making work.
Using contractors in some roles such as ISSO, ISSM, etc.
Automation as much as possible. Technical is easier, the policy and procedures side takes longer. What you’ll find out eventually is that good IT management is good security management.
Hanging on methodologies to “automate” the process side of security.

Now this is cool and all, but it’s hard to sustain and really hard to justify as a long-term solution. In order to support the Government, we need to create more people. Cybercorps is a start, but the need is so much larger than the supply that we have to consider better ways to create Government security dweebs.

Do we need Security Awareness and Training? Yes we do, but much more than what is being provided (think system administrator training and procurement specialist training, not end-user training), and as an internal recruiting pipeline. Still, I don’t think that we can recruit enough people to “the dark side” and that we need to look outside the Beltway for people. Problem is that DC is such an insular community and we don’t speak the same language as the rest of the world.

Bookmark to:

CollegeInvest external hard drive goes missing

Wed, 30 Apr 2008 10:10:46 +0000

Technorati Tag: Security Breach

Date Reported:
4/25/08

Organization:
State of Colorado

Contractor/Consultant/Branch:
Department of Higher Education
CollegeInvest*

*"As a nonprofit division of the Department of Higher Education, CollegeInvest helps students and families finance college through student savings accounts, loans and scholarships."

Victims:
Customers**

**CollegeInvest Education Loan Borrowers January 2002 - August 2007:

Student Loan Borrower
Parent Loan Borrower
Consolidation Loan Borrower

CollegeInvest 529 College Savings Program

Direct Portfolio College Savings - Account Owner, Beneficiary
Stable Value Plus College Savings - Account Owner, Beneficiary & Account Successor
Prepaid Tuition Fund - Account Owner, Beneficiary & Account Successor

CollegeInvest Scholarship Programs

Early Achievers Scholarship Program - All Participants
College In Colorado Scholarship Program - All Participants
College Opportunity Fund (COF) Participants - Paper Applications Mailed In Only

Number Affected:
~200,000

Types of Data:
Loan, savings account and scholarship information, including names, addresses and Social Security numbers

Breach Description:
"CollegeInvest moved to a new office space the weekend of March 28th using the international moving firm Graebel. Although Graebel specializes in office relocations and has specialists in moving computer equipment, CollegeInvest discovered while unpacking at the new location that a hard drive with the personal data of some customers was missing. Despite an extensive internal investigation, the hard drive has not been found."

Reference URL:
CollegeInvest Data Privacy Information Frequently Asked Questions
The Gazette (Colorado Springs)
Colorado Fox News
The Denver Post

Report Credit:
CollegeInvest

Response:
From the online sources cited above:

CollegeInvest moved to a new office space the weekend of March 28th using the international moving firm Graebel. Although Graebel specializes in office relocations and has specialists in moving computer equipment, CollegeInvest discovered while unpacking at the new location that a hard drive with the personal data of some customers was missing. Despite an extensive internal investigation, the hard drive has not been found.
[Evan] Is this an attempt to push some of the blame onto Graebel?

About 200,000 CollegeInvest clients - including its entire list of student-loan recipients - had personal information stored on a computer hard drive that the agency said is missing.
[Evan] Really? This was an external hard drive being used as a backup device. Not necessarily a recommended practice (without encryption and good key management).

Roughly 23 percent of its client base was affected

CollegeInvest sent out letters this week to clients informing them that their names, addresses and Social Security numbers may be at risk.

"We feel pretty confident the data itself will not be accessed," spokeswoman Jennifer Robinson said
[Evan] Why is that?

She said it is encoded and password protected.
[Evan] Encoded? How? The Denver post claims that Jennifer Robinson states that the hard drive was encrypted. None of the other sources (including CollegeInvest) are clear on this issue. Clarity in an incident response is very important.

CollegeInvest believes it is unlikely that any of the personal information has been compromised because the data is in a format that would be very difficult to access. Recovery of the data would require significant technical expertise and specialized software tools.
[Evan] We have read statements like this before. Who is to judge?

The company has not received any calls from clients saying their identities have been stolen

The lost data were stored on an external hard drive used to back up files.

CollegeInvest discovered the drive was missing after it moved into its new Denver offices.

The Colorado Bureau of Investigation has been asked to determine if the drive was stolen or lost.

CollegeInvest has recommended its customers monitor bank statements and credit reports. It will also pay for one year of free credit monitoring for those affected.

We know that consumers are very focused on maintaining the confidentiality of their personal data and we want to assure them that we take this responsibility very seriously. CollegeInvest deeply regrets any inconvenience to customers that this may cause and wants to ensure that our customers get all their questions answered and their concerns addressed.

Commentary:
It's difficult to comment much on this breach due to the lack of clarity in the response. Lack of clarity in the response is a problem by itself.

How much could credit monitoring cost (hypothetically)? List price for Triple Alert costs $10.45 for a one-year subscription; FamilySecure costs $29.95 for one year. 200,000 victims x $10.45 = $2,090,000. 200,000 victims x $29.95 = $5,990,000. So a simple lost or stolen hard drive has the potential to cost $2 - 6 million in credit monitoring costs only. No cost to the victims right? Well, not unless you happen to be a taxpayer. Somebody always pays the price.

We all know that a significant number of victims will not sign up for credit monitoring. We also know that CollegeInvest will not be charged full list price for the service. Nevertheless, the costs no matter what they are are significant.

Past Breaches:
Unknown

Laptop stolen from BGSU music professor

Mon, 31 Mar 2008 03:48:50 +0000

Technorati Tag: Security Breach

Date Reported:
3/27/08

Organization:
Bowling Green State University

Contractor/Consultant/Branch:
None

Victims:
"students and scholarship recipients"

Number Affected:
Unknown

Types of Data:
"personal information"

Breach Description:
"A MacBook Pro laptop containing personal information on students and scholarship recipients from "all over the world" was reported stolen on Tuesday, according to campus police reports."

Reference URL:
The BG News

Report Credit:
The BG News

Response:
From the online source cited above:

Laptop with personal info. reported stolen

A MacBook Pro laptop containing personal information on students and scholarship recipients from "all over the world" was reported stolen on Tuesday, according to campus police reports.
[Evan] Why was personal information stored on a laptop?

Music Professor Mary Natvig reported her computer stolen on Tuesday sometime between 1:15 and 1:25 p.m. from her unlocked office in the Moore Musical Arts Center.
[Evan] Why does a music professor need to access and store personal information beyond names, student IDs, and grades?

Further information was not available at press time.

Commentary:
I think this is the most abbreviated information security breach to date on The Breach Blog. Preliminary online searches turned up no additional information. All we can do is speculate.

Was the information encrypted? Doubtful. I know of some file encryption utilities for Macs, but I do not know of a full-disk solution.

What was the "personal information"? This is anyone's guess.

Past Breaches:
Unknown