March 13, 2008

Harvard Hacker Breach Exposes Information On 10,000 Graduate Students And Applicants

The Associated Press is reporting (link) that Harvard University has suffered a serious data breach. Harvard has acknowledged that a hacker breached one of its computer servers. The server contained the personal information of approximately 10,000 graduate school applicants and students, including approximately 6,600 social security numbers belonging to some of those applicants and students.

Harvard Graduate School of Arts and Sciences
http://www.news.harvard.edu/gazette/2008/03.13/99-hacked.html

Boston Globe - Harvard student, applicant files breached
http://www.boston.com/news/education/higher/articles/2008/03/13/harvard_student_applicant_files_breached/

February 18, 2008

Tenet Healthcare Corp (NYSE: THC) Identity Theft By Ex-Employee May Affect 40,000 Patients

Tenet Healthcare Corporation (NYSE: THC) has mailed letters to 40,000 patients at 54 hospitals nationwide that their personal information including social security numbers may have been stolen by an ex-employee, Terrance Brooks, at Tenet's billing center in Frisco, Texas. 

Terrance Brooks, convicted of this identity theft crime, had access to Tenet's billing systems, which stored patients' personal data including birth dates and social security numbers. According to some news reports, Brooks was arrested on November 25 after attempting to open a credit card account at a Costco store. In his possession were data records on 90 patients. Tenet called those patients immediately and has taken the precautionary step of informing the 40,000 patients whose data could have been accessed by Brooks during his employment.

No company can prevent 100% of insider attacks on its information systems or data by employees. However, companies can do more: increase employee education and monitoring, and implement stronger policies and controls to ensure that these types of incidents are minimized.

South Florida Sun-Sentinel
http://www.sun-sentinel.com/news/local/palmbeach/sfl-flpfraud0214sbfeb14,0,42801.story

Darkreading
http://www.darkreading.com/document.asp?doc_id=146095

February 05, 2008

Google, Inc. (NASDAQ: GOOG) Launches E-mail Security Services For Business

Google, Inc. (NASDAQ: GOOG) announced (http://www.google.com/intl/en/press/pressrel/20080205_securityservices.html) several new security services for e-mail powered by Postini™. The new services provide inbound and outbound message filtering, encryption, and message archiving capabilities for business.

Services start at $3 per user per year.  Providing enterprise level security products at affordable prices for small businesses is a major benefit of these service offerings by Google. 

For more information see: http://www.google.com/a/security

January 30, 2008

Georgetown University Data Loss Affects 38,000 Students, Faculty, and Staff

Georgetown University in Washington, D.C. has alerted the public via a press release (http://explore.georgetown.edu/news/?ID=30979) of a data breach incident stemming from the loss of an external computer hard drive.  The lost hard drive contained the personally identifiable information including names and social security numbers for approximately 38,000 current and former students, faculty, and staff.

Georgetown is offering free credit monitoring for those affected by this data loss incident. A toll-free telephone number (866-740-2458) has been set up to handle questions from those who may be affected by this information security breach. Georgetown is taking the correct steps in recovering from this incident.

However, given the current proliferation of portable storage devices such as external hard drives and USB memory sticks, it is still amazing to me that organizations don't put into place and enforce stronger IT policies to prevent the storage of such sensitive data on removable disks and/or memory media without any encryption.

When will organizations learn to better protect the personally identifiable information they have been entrusted with by their clients, business partners, and employees?  It is my hope this lesson is learned and these types of data loss incidents don't keep occurring.

January 28, 2008

ChoicePoint Inc. (NYSE: CPS) Pays $10M to Settle Data Breach Lawsuit

ChoicePoint Inc. (NYSE: CPS) is paying $10 million to settle a class-action lawsuit related to a data breach incident from 2005.   In the related data breach, the personal information of 160,000 consumers was put at risk. 

The $10 million payment, if approved by the U.S. District Court in Georgia, would settle the lawsuit brought by shareholders against named defendants ChoicePoint and certain of its officers. As part of the settlement, ChoicePoint will admit no liability in the data breach incident.

Score one for big business and shareholders. However, consumers today still don't have comprehensive federal legislation to protect their data privacy or to impose stiff financial penalties on companies that put their personal information at risk.

Computerworld
http://computerworld.com/action/article.do?command=printArticleBasic&articleId=9059659

Data Breach of Credit Card Details for 650,000 Consumers Including 150,000 Social Security Numbers

GE Money USA, a company that provides credit card processing services for retailers, has suffered a data breach potentially affecting the credit card details for approximately 650,000 consumers.  A backup tape has been missing since October from an Iron Mountain Inc. (NYSE: IRM) secure storage facility.

GE Money has publicly identified only one retailer, J.C. Penney Co. (NYSE: JCP), as being among the affected retailers whose data was compromised on the lost backup tape. In addition, GE Money has stated that approximately 150,000 social security numbers for customers of retailers were stored on the backup tape.

GE Money is providing free credit monitoring for one year to those consumers affected and has informed consumers via letters mailed starting in early December 2007.

Data Breach Affects 650k Customers of 230 Retailers
http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=311724

GE Money Backup Tape With 650,000 Records Missing At Iron Mountain
http://www.informationweek.com/story/showArticle.jhtml?articleID=205901244

Thoughts On Blog and Domain Name Marketing

Recently a friend suggested that I consider renaming this blog and its associated domain name. In considering this suggestion, I ran across an interesting on-line service: PickyDomains.com.

PickyDomains.com, a domain naming company, has added an interesting twist to what has been a traditional marketing discipline.  I will try their services and report back at a later date on the results of this exercise in weblog and domain naming.

If you, my readers, have any recommendations for a new blog and domain name for this blog, your suggestions are welcome! Thank you in advance for any suggestions.

January 26, 2008

Bush Orders Intelligence Cyber Security Monitoring Of Federal Agencies

Concerned about cyber security threats to our national security, President Bush has signed (on January 8, 2008) a classified executive order (the "National Security Presidential Directive 54/Homeland Security Presidential Directive 23") directing the U.S. National Security Agency (NSA), Central Intelligence Agency (CIA), and the Federal Bureau of Investigation's (FBI) Cyber Division to monitor the computer networks of all federal agencies.

The task force will be coordinated by the Office of the Director of National Intelligence (ODNI).  Under the auspices of the ODNI, the Department of Homeland Security (DHS) will coordinate protection efforts for the cyber security of the computer networks for all federal agencies.  The Pentagon will be in charge of coordinating strategic defensive and offensive responses to cyber attacks.

Although this order attempts to centralize the federal efforts to protect our federal agencies from cyber security threats both foreign and domestic, it falls short on one key element: the inclusion of the private sector industries that are part of our national critical infrastructure, such as energy companies, telecommunications providers, and health care organizations such as hospitals. Failure to include the money and resources for these industries to better protect their critical information networks and assets is detrimental to our national security posture.

I'm in agreement that we need to protect federal agencies from cyber security threats. However, the Federal government must do more than pay lip service to the private sector and provide some real economic incentives, technology transfers, research, and coordination efforts with the private sector to protect industries critical to our national infrastructure and security.
Washington Post
Bush Order Expands Network Monitoring

January 18, 2008

U.S. Federal Energy Regulatory Commission Issues Cyber Security Standards

On January 17, 2008, the U.S. Federal Energy Regulatory Commission approved eight mandatory reliability standards for cyber security designed to help guard the United States national power grid from cyber security threats and attacks.

The new standards were developed by the North American Electric Reliability Corporation (NERC). NERC is also charged with managing future development of these standards and with following the guidance of the National Institute of Standards and Technology (NIST) on issues of cyber security. This is a particularly smart move on the part of FERC to ensure that future cyber security standards developed and maintained by NERC remain relevant and current as technology and the field of cyber security research change.

According to a FERC press release (See: http://www.ferc.gov/news/news-releases/2008/2008-1/01-17-08-E-2.asp) the eight new cyber security standards address the following topics:

  • Critical Cyber Asset Identification;
  • Security Management Controls;
  • Personnel and Training;
  • Electronic Security Perimeters;
  • Physical Security of Critical Cyber Assets;
  • Systems Security Management;
  • Incident Reporting and Response Planning; and
  • Recovery Plans for Critical Cyber Assets.

Recently we have seen news reports about other countries, like China, enhancing their cyber security and warfare capabilities within their own government and military forces. However, I'm glad FERC is creating these standards for critical infrastructure protection (CIP) of our nation's power grid to counter the potential threats from other governments and those who would choose to do our country harm.

I hope the power grid operators and electric utility companies quickly implement these standards and help contribute more investment dollars towards the protection of our critical infrastructure assets from cyber and physical security threats.

January 05, 2008

Pa. Government Website Compromised By Chinese Hackers

Early on the morning of Friday, January 4, 2008, the Commonwealth of Pennsylvania government website was infected with a computer virus. To prevent the infection from spreading, system administrators began a coordinated effort to shut down other commonwealth agency websites. System administrators and IT security staff were able to preliminarily identify the source of the data breach: a domain name registered in China.

The fact that this attack may have originated in China is not surprising. As early as 2006, the U.S.-China Economic and Security Review Commission (USCC), a U.S. Congressional Commission, warned about China's cyber threat capabilities. According to the 2006 USCC annual report (http://www.uscc.gov/annual_report/2006/chapter3_sec1.pdf), China is creating military information warfare units and shifting its cyberwarfare posture to become offensive in an effort to disrupt enemy networks and information systems.

The U.S. Government is not alone in its assessment that China poses a major threat in terms of cyberwarfare capabilities. Recently the United Kingdom's counter-intelligence and security service, MI5, warned that China is sponsoring cyber espionage against key industries in the British economy.

When nations with unlimited resources, like China, decide to integrate cyberwarfare capabilities into their military forces, both private industry and governments around the world should take notice and rethink their views about cyber security. In the next few years, we will see state sponsored cyberwarfare increasingly become a major threat of national security importance. To effectively counter this threat, there must be better cooperation and research between private industry and government.

State Web sites back after hack attack
http://www.mcall.com/news/local/all-a1_5web.6214422jan05,0,2068262.story

Hackers Force Pa. to Shut State Web Site
http://ap.google.com/article/ALeqM5iGKgY3SpKw7_p7A8MGHpTfSpN8mAD8TVE5SG0

December 04, 2007

Chinese Hackers Breach Rolls Royce and Royal Dutch Shell Computer Networks, MI5 Warns UK Firms

Recently Chinese state sponsored hackers managed to penetrate the computer networks of Rolls Royce and Royal Dutch Shell in the UK (See article: Secrets of Shell and Rolls-Royce come under attack from China's spies).

The seriousness of the Rolls Royce and Royal Dutch Shell incidents and the increased level of state sponsored hacker attacks have prompted MI5, the United Kingdom's counter-intelligence and security service, to warn other companies to be vigilant against this type of industrial espionage.

State sponsored cyber espionage is a serious threat to the national security of all nations.

December 02, 2007

TJX (NYSE: TJX) Pays $40.9 Million In Restitution To Visa Inc. For Data Breach

TJX (NYSE: TJX) has paid $40.9 million in restitution to Visa Inc. to settle all claims related to the data breach that compromised nearly 46 million credit cards.  Visa Inc. has also recently settled fines against Fifth Third Bancorp (NASDAQ: FITB) - (See: http://blog.csoboard.com/cso/2007/11/fifth-third-ban.html).

Retail merchants and financial institutions are waking up to the reality that they must work together to better protect the integrity, security, and privacy of their customers' financial information.   Let's all hope as consumers that industry can achieve those lofty goals.

For more information see:

November 30, 2007

Botnets Suspected Of Generating Over $20 Million In Economic Losses Disrupted By FBI

Computer "botnets" estimated to have generated over $20 million in economic losses for businesses and consumers have been disrupted by the U.S. Federal Bureau of Investigation (FBI), U.S. Secret Service, U.S. Immigration and Customs Enforcement, and New Zealand Police. (FBI Press Release: http://www.fbi.gov/pressrel/pressrel07/botroast112907.htm)

"Operation Bot Roast II" is an excellent example of interagency cooperation by U.S. Federal and international law enforcement agencies in the fight against cyber crime.

While the law enforcement community has done its part, it is time for us as consumers to do our part to prevent cyber crime. If you have not already done so, please install anti-virus, anti-spyware, firewall, and wireless encryption defenses to protect your personal computer and networks. By following these basic computer security precautions, each of us can do our part to prevent cyber crime.

For more information:

November 26, 2007

Tips for Safe Holiday Shopping Online

This holiday season, some of us may do some of our shopping online.  Before doing our shopping online, we should follow basic security steps to guard our personal and financial information from fraud and identity theft.

Here are some tips for safe holiday shopping online:

  1. Make sure your security software is up-to-date. Update your anti-virus, anti-spyware, and firewall software to minimize the risk of falling victim to malicious threats like trojans or computer viruses that could attempt to steal your personal information or give hackers access to your computer.
  2. Don't conduct any online shopping on public computers such as those found at cybercafes, public libraries, etc. The public computer you use could have spyware or other malicious software installed that in turn could compromise your personal and financial information.
  3. When in doubt about a retailer, check them out. Do an online search on the retailer and read comments from other customers. Contact the Better Business Bureau and find any additional information they may have on the company.
  4. Monitor your credit. Make it a habit to monitor your credit regularly with the major credit bureaus.

Here are some additional resources for safe online shopping this holiday season.

November 25, 2007

Fifth Third Bancorp (NASDAQ: FITB) Fined $880,000 by Visa Inc. For Role In TJX (NYSE: TJX) Data Breach

Fifth Third Bancorp (NASDAQ: FITB) has been fined $880,000 by Visa Inc. for FITB's role in the data breach at TJX Companies Inc. (NYSE: TJX). (Click here for article by Boston Globe) In recent years, banks, merchants, and credit card issuers have been at odds over who should be responsible for protecting credit card data.

Thanks in part to the collaboration of credit card issuers like Visa and MasterCard, today the PCI (Payment Card Industry) Security Standards Council, an independent organization, is leading efforts to develop industry standards for data security that banks, merchants, and credit card issuers can all agree to adopt as a baseline for the protection of consumers' credit card data. Despite all of these efforts, data breaches have occurred because of the reluctance of organizations to implement appropriate data security measures.

It is my hope that the motivation for banks and merchants to act to protect consumers' personal and financial information is not only driven by self-regulatory industry actions.

November 11, 2007

CDs Containing Social Security Numbers and Payroll Data For State Employees Missing in Nevada

The Associated Press (AP) is reporting that the Personnel Department of the State of Nevada has lost track of at least 470 compact discs (CDs) containing the social security numbers and payroll information of state employees during the past three years. The Personnel Department has sent more than 13,000 CDs to 80 agencies for processing every two-week pay period during the past three years.

The State of Nevada is enacting changes to ensure this type of data loss does not happen again including:

  • Discs will be signed for and returned to the Personnel Department after every pay period
  • Passwords will be required to read data stored on CDs
  • State employee information will be correlated to unique employee ID numbers instead of social security numbers

In my opinion, these public-relations-driven policy changes are window dressing rather than substantive data security, access, and audit controls to prevent the misuse of sensitive personal and financial information of state employees.

It is time government agencies do a better job of protecting our personal and financial information.

November 08, 2007

Salesforce.com (NYSE: CRM) Suffers Data Breach

Australian IT is reporting (to see article click here) that on-line CRM services company Salesforce.com (NYSE: CRM) suffered an IT security breach. Salesforce has admitted that the cause of the incident was an employee being duped by a "phishing scam".

The company has admitted that customer account information, including passwords, may have been compromised by unauthorized parties. According to the article by Australian IT, more than 1,000 Salesforce.com subscribers may have been affected in Australia alone.

October 19, 2007

Administaff, Inc. (NYSE: ASF): 159,000 Employees At Risk for Identity (ID) Theft

Here we go again. This time Administaff, Inc. is reporting the theft of a laptop containing the names, addresses, and social security numbers of 96,000 former and 63,000 current employees.

For more information go to: http://www.administaff.com/idprotection/

When will organizations get serious and do something about the lax policies and procedures in their corporate culture to prevent incidents like these? 

Technology solutions such as data encryption and password protection are only a part of the solution in protecting confidential information.  Organizations must do a better job at defining good corporate policies and procedures for ensuring that confidential information is protected appropriately.  Organizations must do a better job at educating their workforce on the policies, procedures, and risks faced in protecting confidential information.

October 16, 2007

Comcast (NASDAQ: CMCSA) Law Enforcement Surveillance Practices

The Federation of American Scientists (www.fas.org) Project on Government Secrecy has recently commented regarding Comcast's (NASDAQ: CMCSA) support for law enforcement investigation and domestic surveillance activities.

The "Comcast Cable Law Enforcement Handbook" (download PDF at: http://www.fas.org/blog/secrecy/docs/handbook.pdf), while supportive of the U.S. law enforcement community, sets clear guidelines for protecting the privacy of Comcast customers. Comcast is also requiring a $1,000.00 setup fee and an ongoing $750.00 monthly fee to install any device to comply with law enforcement surveillance requests that are authorized under the Foreign Intelligence Surveillance Act (FISA).

The FAS comments:

"The role of telecommunications companies in intelligence surveillance is under increased scrutiny as the Bush Administration seeks to shield the companies from any liability associated with their cooperation in what may be illegal warrantless surveillance." (see blog: http://www.fas.org/blog/secrecy/2007/10/implementing_domestic_intellig.html)

As a law-abiding U.S. citizen, I find it encouraging to see Comcast follow the law by requiring the law enforcement community to adhere to the letter of the law when fulfilling investigative requests, instead of blindly following the U.S. executive branch in support of any warrantless surveillance programs.

For more information see:

October 14, 2007

Data Breach at Montana State University: 1,400 People Affected

Montana State University issued a press release on October 12, 2007 regarding a data security breach possibly affecting 1,400 people "who enrolled online for MSU Extended University courses during the last two years."

MSU states that it has encryption technology controls on the stored data that may have been exposed. The exposed data may include credit card and social security numbers.

MSU has set up a dedicated web site with more information on this incident at: http://eu.montana.edu/security/