Once More unto the Breach
The announcement earlier this month of a potential data security breach at the University of California, San Francisco (UCSF) may have come as a shock to the 46,000 individuals who received notification that their personal information might have been compromised. But for industry observers, this latest revelation was just another in a long string of security incidents impacting institutions of higher learning.
Higher ed isn't the only sector suffering from breaches in security, but it is, in some ways, in a unique predicament. Adam Thermos, founder of Strategic Technology Group, said that universities typically implement standard security measures. "However," he said, "this is [academia].... Most of the problems are more out of negligence and less out of malice. Too much instability in operations, too many work study and graduate students in and out, too many cooks in the kitchen...."
Regardless of the causes--and it should be noted that the specific cause of the UCSF breach is not known publicly, if at all, as of this writing--data breaches in higher education are more common than in most other sectors. Are higher education institutions doing all that can be done to safeguard the personal data of their students, employees, and customers? And, when breaches do occur, are the universities doing everything they're supposed to be doing?
We spoke with a number of analysts and industry observers on this issue in light of the UCSF incident. For the most part, they agreed that higher education is doing well in many cases when it comes to responding to incidents; but efforts at safeguarding data leave something to be desired, especially given some obvious and relatively unobtrusive measures that could be adopted.
What Happened at UCSF?
In March, UCSF discovered that a file server located at the University of California Office of the President in Oakland, CA, might have been accessed electronically by an unauthorized, as-yet-unidentified entity. The server itself contained information on staff, students and faculty at UCSF and the UCSF Medical Center--including Social Security numbers and bank account information related to payroll and "reimbursement deposits."
According to UCSF, there was no patient information from the UCSF Medical Center on the server.
As of this writing, the university had not determined whether there had been any unauthorized access to the data (or had at least not shared such information with the public). And no incidents of identity theft as a result of the potential breach had been reported.
UCSF's Response
The university's response to the situation was, initially, to remove the system in question "immediately" from service so there would be no further possible risk. Following this, in April, UCSF sent out notices to some 46,000 individuals who had been associated with the university or the Medical Center over the last two years.
UCSF then set up an information page (linked below) and a hotline for those concerned about the incident. It also contracted with a security firm to audit the university's security practices and notified the FBI of the incident.
According to Corinna Kaarlela, news director for UCSF: "The University is committed to maintaining the privacy of personal information. UCSF and the University of California Office of the President are conducting an investigation of this incident, including what types of information, if any, were compromised and how computer security can be improved. The Federal Bureau of Investigation has been notified and will be involved in the investigation. Also, UCSF is hiring a company that specializes in electronic security to provide a thorough audit of our security practices, and the findings of that audit will be reported as they become available."
Reporting: 'Safe Harbor' in Encryption?
UCSF's response was prompted by provisions in California's SB 1386, which requires the reporting to interested parties of any breaches in security that could lead to the unauthorized release of personal information of California residents.
In this respect, analysts seem to agree that UCSF's response to the incident was adequate.
"Basically they responded to the requirements of CA SB 1386, nothing more," said Strategic Technology Group's Thermos. "California SB 1386 mandates public disclosure of computer-security breaches in which confidential information of ANY California resident MAY have been compromised. To comply with California SB 1386, any organization that electronically stores confidential personal information about a California resident must immediately notify that individual upon discovering any breach to the computer system on which this information is stored. The law covers every enterprise, public or private, doing business with California residents. Organizations became bound by the law on July 1, 2003. Companies and organizations that fail to disclose computer-security breaches may become liable for civil damages or face class actions."
"As far as I am aware, UCSF's response was in accordance with CA SB 1386 and other laws with regards to timeliness," said Chris Parkerson, senior manager of the Data Security Group at RSA, the security division at EMC. "In my opinion, they handled the reporting requirement well and in a timely fashion relative to other similar incidents at other organizations."
Some of these analysts also agreed on how these sorts of incidents--and the mandated reporting of the incidents--could have been avoided.
"The biggest problem we see consistently is that organizations are not taking advantage of the 'safe harbor' provision in CA SB 1386 and other similar state laws that allow for a reporting exemption if all data in the protected classes is encrypted," said RSA's Parkerson. "This is because the legislators that worked on such laws understand that encrypted data is essentially useless even if it falls into mischievous hands. Financial services and the retail/hospitality sectors have been much more aggressive since SB 1386 at encouraging (and, in some cases, mandating) the use of encryption to protect this data. As the use of encryption increases in those industries, the number of breaches will decrease. A similar movement in higher education will be necessary in order to begin to stem this tide."
Said Alex Hart, Director of SLED Programs at Symantec: "Higher education institutions share similar challenges with other large organizations, whether public or private, in effectively protecting personal data. Traditionally, computer security in many cases has been viewed as reactive, tackling each breach or vulnerability as it appears. The problem, unfortunately, is much more complex. It's really not an issue of preventing sensitive information from leaking, but rather one of information protection. This means that the information--the data--has to be proactively protected wherever it may be: at rest (storage), in motion (messaging), or in use (Web applications, PCs, personal devices, etc.)."
"Proper use of encryption could have prevented the UCSF incident," said RSA's Parkerson. "Other companion technologies to encryption such as security event monitoring, content filtering, and application activity monitoring could have also lessened the risk. But, encryption is one of the only security technologies that have been proven consistently to significantly lessen risk."
A String of Incidents
The UCSF incident is the latest in a long string of reported breaches in data security in higher education. The most notable recent example also occurred within the University of California system. In December 2006, the University of California, Los Angeles reported that approximately 800,000 student, faculty, and staff records had been compromised in a series of intrusions spanning 13 months (October 2005 through November 2006). This breach also involved Social Security numbers tied with names, birth dates, and other information.
This incident, owing to its magnitude, attracted more attention than most university security breaches. (This includes attention from California legislators.)
The UCLA event was also more severe in terms of the time that elapsed between the start of the breaches and the university's notification of the people affected. One analyst we talked to said that this is owing to a lack of system management, consistency in process, risk evaluation, and monitoring.
"A prime example is the UCLA breach reported in December of last year where they had to alert 800,000 current and former students, faculty and staff that their names, social security numbers, home addresses, and birth dates were exposed during a year of data security breaches. The attacks started in October of 2005 and weren't detected until November of 2006," said John DiMaria, manager of business continuity for BSI Management Systems.
But there have been several other, less dramatic examples in recent years.
Symantec has conducted an Internet Security Threat Report (ISTR), concluding that "20 percent of data breaches that could lead to identity theft between July and December 2006 occurred in the education sector," according to Symantec's Hart. "It was second only to government, which had 25 percent."
According to the company, "The latest ISTR marks the first time that Symantec has tracked data breaches that have exposed information that could lead to identity theft and tracked the trade of stolen confidential information. Theft or loss of a computer or data storage medium (such as a USB memory key) made up 54 percent of all identity theft-related data breaches. Twenty-eight percent of identity theft-related data breaches were caused by insecure policy, which includes the failure to develop, implement, and/or comply with adequate security policy. Together, theft and loss along with insecure policy made up 82 percent of all data breaches. Captured confidential data is often sold on underground economy servers, which are used by criminals and criminal organizations to sell stolen information."
Other incidents in higher education, which range from hacking to physical theft of equipment containing personal data, are numerous. One site, Educational Security Incidents, lists such security breaches by month. According to that site (which includes details on breaches and citations for sources of the information), there have been three in higher education this month; 10 in March; nine in February; and 13 in January. That's 35 so far this year.
Data Security: Approaches and Standards
But the problem isn't all in education. And it doesn't seem to be exclusive to the UC system, although the two most prominent security breaches in higher education in recent memory have occurred at UC institutions.
"I do not think this is a systemic problem," said Jon B. Fisher, CEO of data security provider Bharosa Inc. "I think the UC system is ahead of the curve regarding security. I think specific problems in data security include migrating from systems designed with communication in mind to systems designed with security in mind. The Internet is such a system. Some UC systems involve disparate philosophies/approaches tied to the different campuses that can make single sign-on application problematic [in terms of security]."
What can universities do? Most analysts and consultants we spoke with pointed toward both data encryption and a multi-faceted approach to securing data.
Said Bharosa's Fisher: "Many people think additional security means gadgets or smart cards or clumsiness or big changes to user experiences. These days, cutting edge security measures involve purely software-based approaches with no change to the user experience. For example, fraud detection technology enables authentication through identification of the user's computer and/or user tendencies in addition to the simple username/password without the user noticing any change to the online experience."
John DiMaria of BSI said, "The problem is [symptomatic] of most organizations that have major breaches. It is not unique to colleges or universities. Breaches stem from poor or no risk analysis/management and no consistency of process. Most organizations think that technology is the answer to mitigating risk while they ignore the 'Egg Shell' security problem (hard-core technology on the outside; firewalls, penetration testing, passwords, segmentation, etc., but no controls governing the information within the organization's walls, lack of training and awareness, no classification of information, no formal controls, absence of or poor access and incident management, and so on). [It's] basically an 'ad hoc' approach to security and risk management."
DiMaria also points to the adoption of security standards in higher education, such as ISO/IEC 27001. Georgia State University currently uses this system and, according to DiMaria, will become the only certified university in the United States.
"International Standards such as ISO 27001 exist and are used around the world and are certifiable. ISO 27001 promotes the adoption of a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security management system (ISMS)," said DiMaria.
He broke the process down into four steps: Plan, Do, Check, Act. He explained:
- Plan (establish the ISMS). Establish ISMS policy, objectives, processes and procedures relevant to managing risk (identifying the vulnerabilities and threats that exist and establishing controls as outlined in the standard) and improving information security to deliver results in accordance with an organization's overall policies and objectives.
- Do (implement and operate the ISMS). Implement and operate the ISMS policy, controls, processes and procedures.
- Check (monitor and review the ISMS). Assess and, where applicable, measure process performance against ISMS policy, objectives, and practical experience, and report the results to management for review.
- Act (maintain and improve the ISMS). Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
Nobody's Perfect
Of course, no system or combination of systems, policies, encryption, and people will ever be able to provide 100 percent protection of data, networked or otherwise. But by following best practices, risks can be minimized.
Said Symantec's Hart, "The solution requires more than technology. This is really an issue that requires the combination of people, process, and technology. It includes assessment, prioritization and plans for prevention and protection. Institutions must strike a balance between keeping data both secure and available. Employees must receive training so that policies and accountability can be enforced. Upper management support is essential.
"By following best practices, universities, as well as other large organizations, can reduce the likelihood of a data breach and the severity of damage when a breach does occur."
RSA's Parkerson offered these suggestions:
- Locate and classify the information in the protected classes in every system in which it is stored or communicated.
- Determine whether having such data around for a particular application or system is really necessary; if not, lessen your risk by purging or truncating it.
- For the remaining data that must remain in full original form, acquire encryption solutions appropriate to the system type where the data exists (e.g. database encryption, storage encryption, laptop encryption, etc.).
- Ensure the solutions you acquire already include the necessary key management functionality, as managing keys on your own is too difficult.
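The four suggestions above, and Parkerson's earlier point that encrypted data is "essentially useless" to whoever obtains it, can be walked through on a single constructed record. The Go program below is an added example written for this article; it is not code from RSA, UCSF or any product named here. It assumes a record with a Social Security number and a bank account number as the protected classes, a per-system policy that says whether the system genuinely needs those fields in full (only payroll does, by assumption), truncation of the SSN to its last four digits where the full value is not needed, and AES-256-GCM as the encryption for the fields that must remain whole. The key is generated locally only so the program runs stand-alone; in a real deployment it would come from the key-management component Parkerson says the encryption product should already include.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
)

// Record is a constructed stand-in for one row in a campus payroll or
// directory system. SSN and BankAccount are the protected-class fields.
type Record struct {
	Name        string
	SSN         string
	BankAccount string
	Department  string
}

// SystemPolicy records which protected fields a given system genuinely
// needs in full (assumption for this example: only payroll does).
type SystemPolicy struct {
	Name             string
	NeedsFullSSN     bool
	NeedsFullAccount bool
}

var ssnPattern = regexp.MustCompile(`^\d{3}-\d{2}-\d{4}$`)

// Classify (step 1) names the protected-class fields present in a record.
func Classify(r Record) []string {
	var found []string
	if ssnPattern.MatchString(r.SSN) {
		found = append(found, "SSN")
	}
	if r.BankAccount != "" {
		found = append(found, "BankAccount")
	}
	return found
}

// Minimize (step 2) purges or truncates protected data the system does not
// need: a directory keeps only the last four SSN digits and no account number.
func Minimize(r Record, p SystemPolicy) Record {
	if !p.NeedsFullSSN && len(r.SSN) >= 4 {
		r.SSN = "***-**-" + r.SSN[len(r.SSN)-4:]
	}
	if !p.NeedsFullAccount {
		r.BankAccount = ""
	}
	return r
}

// NewKey returns a random 256-bit AES key. In a real deployment the key comes
// from the product's key-management component (step 4), not from app code.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt (step 3) seals one field value with AES-256-GCM. The random nonce
// is prepended to the ciphertext so Decrypt can recover it.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. With the wrong key, GCM's tag check fails and no
// plaintext is produced: an encrypted copy read off a server yields nothing.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample record; not real data.
	rec := Record{Name: "J. Doe", SSN: "123-45-6789", BankAccount: "000123456789", Department: "Biochemistry"}
	directory := SystemPolicy{Name: "campus directory"}
	payroll := SystemPolicy{Name: "payroll", NeedsFullSSN: true, NeedsFullAccount: true}

	fmt.Println("protected fields:", Classify(rec))
	fmt.Printf("%s keeps: %+v\n", directory.Name, Minimize(rec, directory))

	key, _ := NewKey()
	sealed, _ := Encrypt(key, []byte(Minimize(rec, payroll).SSN))
	if _, err := Decrypt(make([]byte, 32), sealed); err != nil {
		fmt.Println(payroll.Name, "SSN stored encrypted; wrong key ->", err)
	}
}
```

After minimization the directory copy no longer contains anything Classify recognises as a protected class, so a breach of that system would not trigger the notification Parkerson describes; the payroll copy still holds the full SSN, but only in sealed form, and the final check shows that the ciphertext alone gives nothing back.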
The idea is to reduce the chances of your university having to do what UCSF had to do earlier this month: notify more than 40,000 people that their personal data had been compromised by one of its servers.
"Unfortunately, the damage is done," said BSI's DiMaria. "In conjunction with [notifying the public], they should immediately be reevaluating their processes (all inputs and outputs), not just technology (and we must recognize that they may in fact be doing this). While technological evaluation is important, the internal processes are equally important but far too often ignored. A full gap analysis against a recognized standard such as ISO 27001 is in order to identify opportunities for improvement. Using such a standard reduces the risk that something might be missed.
"Once these opportunities are identified," he continued, "immediate corrective action should be taken with a long-term plan following close behind to ensure the health of the system is continuously monitored and preventive actions are implemented on a regular basis."
We will keep you updated on developments in the UCSF incident as details become available. See the links below for more information.