Six Steps to Securing Academia

Related entries in Education Security, Security Policy

This is a topic that this blog has covered before: security in academia. Specifically, in our last post about Data Security in Higher Education, we referenced an SC Magazine article with several recommendations for data security in higher education. Those included:

  • A centralized IT policy
  • Understanding the culture & its risks
  • Restricting access
  • Identifying flaws in the system
  • Automating security processes
  • Adding real-time detection

CSO Online has published another article along these lines entitled “Six Essential Steps to Secure Academia”. This article was written in conjunction with Stan Gatewood, CISO for the University System of Georgia’s Board of Regents, who says the largest challenge to computer networks in the academic world is identity management - properly identifying and classifying individuals. Mobile security is also a growing issue in the academic world, and Gatewood outlines the six-point security plan that the University System of Georgia follows:

  • Risk Management - create a formal plan annually, starting with an inventory of machines and systems, then assessing the risk level of each and the countermeasures needed
  • Policy and Compliance Management - formalized, including ramifications for non-compliance
  • Strategic Planning & Leadership - with named leaders and stated goals
  • Community Awareness Training & Education - for contractors, staff, students and faculty
  • Proper Incident Response & Reporting - a standardized response plan for each risk level
  • Contingency Planning

Read the full article here. The article continues after these steps with some feedback from several security officers in the academic world.

Image: hmm360 @morguefile

Understanding Social Networking & Privacy

Related entries in Education Security, Web Security

A number of great articles have come to the forefront in the news of late about the risks of social networking and privacy. Specifically, privacy issues that are the result of users (mostly younger people) sharing too much information online.

Many teens would be astonished to know how much information about themselves someone could glean from their Facebook profile, for example, or how much additional information can be gathered by using free tools like Canada411.com. Phone numbers, home addresses, schools - all of this information poses a security risk to young people when posted online, not to mention all the photos. Identity theft becomes an issue, in addition to risks to one’s reputation or even personal safety.

comScore indicates that nearly 17 million Canadians are on Facebook, and 4.5 million are on MySpace. The Globe and Mail recently completed a two-month investigation of social networking sites to prove a point about the information a casual observer can gather on an individual.

Anastasia Goodstein, author of Totally Wired: What Teens and Tweens are Really Doing Online, believes that teens are pre-conditioned to share personal information because of the level of openness modelled for them by reality television. Attention is sought after, part of seeking it involves openly sharing the minute details of one’s life, and privacy goes out the window.

That said, somewhere in the area of 30-40% of Facebook users actually read and modify their privacy settings, as opposed to less than 1% on most other websites. In terms of privacy, 100% of people need to be aware of the privacy options available to them, and also of the risks associated with exposing certain types of information.

A whole new industry has sprung up to help people clean up information they have shared online. For example, parents will hire a company to clean up the social networking profiles of their kids as they graduate from university. Research indicates that 77% of employers check social networking profiles, so this isn’t a bad idea.

Continue reading more here or read about 5 ways to save face with Facebook here.

Data Security in Higher Education

Related entries in Education Security, Education and Technology

SC Magazine has published an article about data security and higher education, written by Josh Shaul of Application Security. The article examines the importance of balancing the need for the free exchange of information with data security risks. As Josh Shaul points out, enterprise security systems are not set up for university data systems and needs, which makes for unique challenges.

Recommendations for data security in higher education include:

  • Move towards a centralized IT policy - departmental IT policies make it impossible to be proactive with data security
  • Understand the culture & its risks - the demand for access to information by students, professors, administrators and others, with few control policies, is a cultural issue that increases the risk of insider breaches
  • Restrict access - given that so many people must have access to data, put all high-value data into a secure, protected database: a centralized place with restricted access and tight controls. Monitor activity in real time.
  • Identify flaws in the system - look at unpatched systems, weak passwords, excessive user access & monitoring. Audit regularly.
  • Automate - use a system that automates security processes and reporting, freeing up IT time for more proactive security measures
  • Add real-time detection - have an alert system that delivers intrusion detection warnings in real time (in addition to real-time monitoring of user activity)

Many of these suggestions hold true in any industry, but given the culture of higher education and its current IT policies, it is clear that data security requires a fundamental overhaul at many institutions.

To learn how Absolute Software can help improve data security for higher education institutions, read here.

Image: darnok @morguefile

University of Virginia Breaches 7,000 after laptop theft

Related entries in Data Breach, Education Security, Laptop Security, Real Theft Reports, Theft News

Who Breached: University of Virginia (UVa)
Number Affected: 7,000
Information breached: Social Security Numbers
How: laptop theft

The Daily Progress is reporting that the University of Virginia (UVa) has breached the information of 7,000 students, staff and faculty members as the result of a laptop theft. The laptop contained personally identifiable information, including names and Social Security Numbers.

The laptop was stolen from an employee at an “undisclosed location” off-campus in Albemarle County. Carol Wood, UVa spokeswoman, said that letters have been mailed to those affected by the data breach.

Students have been expressing their concern and frustration that their personal data would be left on an unsecured laptop despite the myriad of data breaches caused by such negligence.

The University of Virginia experienced a data breach in June 2007 that was the result of a hacker accessing 5,735 faculty records over a two-year period. The University claims that the use of Social Security Numbers as a personal identification number was being phased out. Obviously, not soon enough.

Other notable data breaches this week:

hat tip to Attrition.org

Education Data Security in 2007 and Beyond

Related entries in Data Breach, Education Security, Surveys & Reports

Educational Security Incidents (ESI) has published its Year in Review for 2007, a document outlining the security breaches that affected the education market during the year.

So far in 2008, nearly half of the data breaches have occurred in the educational community, mostly at the college campus level. In recorded breach history, higher education has accounted for just over 25% of all breaches, so the start of 2008 has not been very promising for this market.

In 2007, there were 139 breaches, totaling more than 1.2 million records, affecting 112 institutions - numbers that have gone up by more than 50% since 2006. More security incidents were the result of employee errors in 2007 than in 2006.

Highlights from the ESI Year in Review 2007 Report:

  • Information Security incidents were the result of:
    • Unauthorized Disclosure - 38%
    • Theft - 28%
    • Penetration - 22%
  • Type of Information exposed:
    • Personally Identifiable Information - 129 incidents & 1,244,851 records
    • Social Security Numbers - 103 incidents & 1,085,708 records

The report gives details on all the educational security incidents in 2007, and breaks that data down in many different ways.

You can download the full report here [PDF]

Via The Dunning Letter, ESI

Georgetown University Data Breach Receives Public Criticism

Related entries in Data Breach, Education Security, Real Theft Reports

Who Breached: Georgetown University
Number Affected: 38,000
Information breached: personal information (unspecified) from billing data
How: hard drive theft

38,000 Georgetown University students, alumni and staff have been exposed to potential identity theft after an unencrypted hard drive (used for back-ups) was stolen from the Student Affairs office during the winter holiday break. The theft was discovered on January 3rd, but students were not notified until this week. The University says this delay was the result of determining the nature of the stolen information from the original files on the desktop computer.

“That system contained an enormous amount of detailed information, all of which had to be reviewed in an attempt to determine what kind of information might have been on there. That process is very staff-heavy and takes a significant amount of time.” - David Lambert, VP and CIO for University Information Services

Students are having a difficult time rationalizing why this assessment would take as long as it did. The hard drive contained billing information for various student services. The breach affected 55% of current students at Georgetown as well as alumni who were enrolled between 1998 and 2006.

Georgetown experienced a large data breach in 2006 that affected 41,000 people. Lambert says that the University Information Services has been “developing an information security program… to protect confidential information.” It is interesting that this program is still in the development phase after two years.

The letter to students indicates that Georgetown is “actively reducing” the use of Social Security Numbers as student identifiers, assigning GoCard and NetIDs instead. However, it is unclear if SSNs were purged from the data files dating back to 1998.

If you scroll down the comments here, you can have a read at the email sent to all students. The comments are quite heated on this news article, nearly all critical of the way that the University has handled the situation. They would like to know how the situation came to be if the University was following the “best practices” it was claiming to uphold.

Via The Hoya

MySpace Sequence of Privacy Issues

Related entries in Education Security, Education and Technology

MySpace is undergoing scrutiny for a series of recent security breaches and oversights. The sequence of events, as reported on Wired.com, is as follows:

  • January 15 reported - MySpace issues a press release announcing new safety measures after a year of looking at safety issues on the site
    • 49 states joined with MySpace to help eliminate online predators
    • MySpace profiles for those under age 16 will be set to private
  • January 17 reported - ‘private’ MySpace teen photos leaked
    • A bug allowed anyone to see the photos of users with private profiles, including users under the age of 16
    • Photos made their way to message boards, including those frequented by pedophiles
    • Knowledge of the bug, and how to exploit it, circulated on message boards for months
    • Websites were created to automatically exploit the bug for anyone who entered a Friend ID into a search field
    • This is not the first time a bug of this sort has exposed private photos
  • January 18 reported - MySpace fixed the bug
    • No public acknowledgement of the bug or the fix
  • January 24 reported - more than half a million images from private MySpace profiles leaked to BitTorrent
    • A 17-gigabyte file of images lifted from MySpace profiles during the period of the access bug was uploaded to BitTorrent (peer-to-peer file sharing)

The appearance of the file on BitTorrent signals this as one of the largest privacy breaches MySpace has had so far. MySpace has yet to acknowledge this issue.
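The bug in the timeline above is a broken access check: a photo endpoint that trusts the Friend ID in the request and never asks who is viewing. The following is an added example, not MySpace code or anything from the Wired reporting; the profile model, the sample profiles and the access log are constructed, and it shows the vulnerable lookup beside a checked one (with the under-16 default-private rule applied) plus a simple detector for the ID-walking sites the article describes.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Profile:
    owner_id: int
    age: int
    is_private: bool
    friends: set = field(default_factory=set)
    photos: list = field(default_factory=list)

def make_profile(owner_id, age, is_private, friends=(), photos=()):
    # The under-16 rule from the January 15 press release: minors are always private.
    if age < 16:
        is_private = True
    return Profile(owner_id, age, is_private, set(friends), list(photos))

# Constructed sample data; the Friend IDs and file names are made up.
PROFILES = {
    1001: make_profile(1001, 30, False, photos=["beach.jpg"]),
    1002: make_profile(1002, 15, False, friends={1001}, photos=["party.jpg", "school.jpg"]),
}

def photos_vulnerable(requester_id, friend_id):
    """Bug pattern: the endpoint trusts the Friend ID in the request and never
    asks who is viewing or whether the profile is private (requester_id is ignored)."""
    p = PROFILES.get(friend_id)
    return list(p.photos) if p else []

def photos_checked(requester_id, friend_id):
    """Hardened: serve photos to anyone only if the profile is public; otherwise
    only to the owner or the owner's friends. Anonymous viewers are None."""
    p = PROFILES.get(friend_id)
    if p is None:
        return []
    allowed = (not p.is_private
               or requester_id == p.owner_id
               or (requester_id is not None and requester_id in p.friends))
    return list(p.photos) if allowed else []

# Constructed access log of (client address, requested Friend ID) pairs.
SAMPLE_LOG = [("10.0.0.5", 1002), ("10.0.0.5", 1003), ("10.0.0.5", 1004),
              ("10.0.0.5", 1005), ("10.0.0.9", 1001), ("10.0.0.9", 1002)]

def enumeration_suspects(access_log, threshold):
    """Detection: a person browses a handful of friends, while an automated
    'enter a Friend ID' site walks through many IDs. Flag clients that request
    at least `threshold` distinct Friend IDs."""
    seen = defaultdict(set)
    for client, friend_id in access_log:
        seen[client].add(friend_id)
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)
```

The checked version is the fix MySpace quietly shipped on January 18; the detector is the kind of monitoring the post argues should have caught the months of exploitation beforehand.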

In 2006, MySpace had to react to privacy issues surrounding registered sex offenders using MySpace to prey on minors.

“We used special software to expose hundreds of registered sex offenders with accounts on MySpace. That prompted the social network to run its own computerized search, which turned up at least 29,000 registered sex offenders.” - Wired.com

Wired was partly responsible for triggering a year-long investigation into safety issues on MySpace - but this photo bug was missed, a bug that should have been found through testing or ongoing monitoring of MySpace privacy issues. The January 17 Wired.com story triggered the fix of a bug that had either gone unnoticed or been ignored by MySpace. However, the privacy concern has not gone away: that file is now online permanently.

Particularly for youth, and their parents & teachers, it should be cautioned not to trust the privacy settings of social networking sites like MySpace and Facebook. If there is a photo or video you don’t want anyone to see, don’t put it online. Period.

Via CNet, Wired (1, 2, 3)

CUNY Data Breach Affects 23,000

Related entries in Data Breach, Education Security, Laptop Security, Real Theft Reports, Security Breach, Theft News

Who Breached: City University of New York (CUNY)
Number Affected: 23,000
Information breached: Social Security Numbers
How: laptop theft

The City University of New York (CUNY) has notified 23,000 current and former students that their personal data has been breached following a laptop theft from a locked financial-aid office in Midtown.

CUNY sent letters to affected students on October 19th indicating the laptop was stolen around October 15th; representatives are not sure how access was gained to the secured room. Harvey Shifter, a spokesperson for CUNY’s Financial Aid office, said the laptop was non-functioning (a blue screen at start-up) and password-protected. Despite this assurance, a login password protects nothing once the hard disk is removed and read from another machine, and the password itself can be broken.

Students were urged to contact their credit card companies and take other steps to protect their identities by initiating a fraud alert. No compensation is being offered in the form of credit monitoring services.

With no leads, the police have closed the case.

What is most worrying about this data breach is the response of school officials, who seem to assume that a login password safeguarded the data.

Students have been unhappy with the response time of school officials in notifying them of the breach and in subsequent queries. Students have placed calls to the official noted in the breach notification that have gone unanswered.

Via SC Magazine, NY Post, The Ticker

University of Iowa Data Breach

Related entries in Data Breach, Education Security, Identity Theft, Real Theft Reports

A laptop has been stolen from the University of Iowa, putting 184 students and graduates at risk for identity theft.

A former teaching assistant had the names, grades, and Social Security numbers of 184 students on a laptop, which was subsequently stolen from his home in Arizona. Only 100 of the names are suspected to have Social Security numbers attached in the files.

The students and graduates affected took “Philosophy and Human Nature,” “Philosophy and the Just Society,” or “Principles of Reasoning” taught by Tuomas Manninen some time between 2002 and 2006.

School officials say that identity theft is “unlikely”, since the Social Security numbers are “difficult to locate” in the files.

The University of Iowa is getting attention for this data breach. Although the breach only affects 184 students, a similar data breach occurred in 2006 when a professor’s laptop was stolen. At the time of the 2006 breach, the University of Iowa said they were trying to reduce the use of Social Security numbers.

Via wcfcourier

Techno Gear for School

Related entries in Education Security, Education and Technology, Technology Advice

Here is another great list of back-to-school technology essentials for high school or college students. The Vancouver Sun’s top 10 list of techno-savvy gear includes:

  1. Laptop computer - as low as $399. Back-to-school bundles often include extra software or price reductions.
  2. Software - a good Office suite, anti-virus (set to auto-update), locking cables, and a product such as Absolute’s LoJack
  3. Printer - consider black & white only to save on ink costs
  4. Communications - cell phone, Skype account
  5. Music & Entertainment - iPod with speakers
  6. Memory Drives - flash drives
  7. Backpacks - suited for laptops
  8. Camera - to capture memories of a once-in-a-lifetime school experience
  9. Flat-Panel Monitor - can double as a TV
  10. Extras - wireless mouse, keyboard

All of this technology should come with security education. It is important to teach teens about Internet safety, about protecting personally identifiable information, and about preventing laptop theft.
