The Sorry State Of Security

I'm a proud Bobcat (aka Ohio University alum), much the same way that GovernmentVAR editor Larry Walsh is a proud veteran of the U.S. Army. So imagine our surprise when we both got word that our personal information had been exposed—his from a Veterans Affairs' laptop and mine from an Alumni Affairs database.

The VA incident involved an employee whose laptop was stolen from his home. The computer contained the personal information of 26 million veterans—including Larry's. As for Ohio U., a multitude of systems were hacked, exposing the Social Security numbers of alumni, the personal records of current and past students who visited the university health center, and a handful of credit-card numbers. And it gets better; apparently, hackers also accessed IRS tax documents of 2,480 vendors and contractors for calendar years 2004 and 2005. That's right—even the channel got hit.

So how does the handling of these two incidents compare?

VA got flak for not notifying Congress or the veterans until 11 days after the theft. Compare that to Ohio U., which didn't even know that its systems were under attack until the FBI discovered that someone had remotely taken over the school's servers—an entire year after at least one was penetrated. Once the VA breach was discovered, the FBI investigated and recovered the stolen laptop through a tip from someone seeking a $50,000 reward. No arrests have been made. Ohio U., however, has given no indication whether the hackers were identified, although investigators do know they reside both in the United States and overseas.


As for response, the White House withdrew its request for $160.5 million to fund a free credit-monitoring service for veterans after the FBI concluded that there was little chance the data was accessed—a decision that troubles many, including Larry. Ohio U. did little to rectify the situation either, posting a Web site with recommendations for monitoring credit, but offering no services to those at risk. On a positive note, the university did bring in consultants from Atlanta-based Internet Security Systems to assist with a security audit, and is investing between $6 million and $8 million in IT security enhancements. The university will also limit the use of Social Security numbers, encrypting those that are required, and is reorganizing the central IT department. Employees have been laid off, and the CIO resigned.

So who's worse off, Larry or I? I think I am, given that there's no question my info was accessed. But more important is that both instances speak volumes about the state of security in both segments. On the one hand, we have a violation of process (bringing home confidential files); on the other, we have malicious tampering with systems.

And don't think either incident is the first or last of its kind. Less than a month before the Ohio U. breach, a man was charged with hacking into the University of Southern California's online application system and stealing personal data from prospective students, and only a month after the VA debacle, an Internal Revenue Service employee lost an agency laptop that contained sensitive personal information on 291 workers and job applicants.

The fact is, these are distinct issues that relate to how federal workers treat sensitive data and how universities lock down their systems. Blame it on a lack of policy enforcement for the former. The director of the U.S. Government Accountability Office recently told Congress that most agencies lack departmentwide security programs for managing risk, developing security policies, assigning responsibilities and monitoring the effectiveness of computer-related controls.

As for higher education, a Gartner analyst was reported as saying that an estimated one-third of all data leaks occur at universities. That's because their systems typically house information popular with identity thieves, that information needs to be kept free-flowing, and security is not properly addressed.

So, to the channel community: Strike while the iron's hot. Whether it's a consultant providing federal agencies with proper procedures to ensure security or an integrator offering universities IT safeguards, opportunities abound. Larry and I, and everyone else who is now forced to monitor their credit reports, will be oh, so thankful.