While scanning the latest data security breach stories, I have noticed that a lot of them involve institutions of higher learning. Most of them involve theft of digital devices, mostly laptops. It’s only now that I’ve realized that a new school year has started just recently. Most of these cases are trivial, if you will. After all, computers were stolen when I was an undergrad, which was some time ago. I’m sure computers will be stolen as well when my grandkids are in college.
A small number of these are not so trivial, since they point out errors, lack of precaution, or mismanagement of sensitive data in an academic setting. One of the more salient cases in some time is the case at Western Oregon University.
To recap, a student discovered a file with personal data on a publicly accessible university server. He downloaded a copy and sent it over to the campus newspaper. The editor of the paper made another copy—apparently as evidence for a story that was subsequently published—and alerted the university about the security breach. Investigations ensued, the editor was fired, and the student narrowly escaped expulsion.
The student, Brian Loving, had a disciplinary hearing because he “was found to have broken a university computer use policy that prohibits unauthorized people from accessing confidential files that may have been inadvertently placed in a publicly accessible location.” (From Computerworld article)
Catch-22, anyone? How is one to know whether a file is confidential, and hence shouldn’t be accessed, without opening it? Do they actually name the files “confidential?” And do they also add the names of people who are authorized to open it? Or perhaps they name the files based on what’s actually in them: “Confidential file – Student Social Security Numbers for Freshman Year Students To Be Opened By Billing Department Only.” Because if they do, that’s a surefire way of attracting a hacker’s attention once the network is breached—not that it would have been hard since, remember, the file was on a publicly accessible server. Plus, since the student and the editor were able to see the contents of the file, it’s safe to assume that the file was unencrypted.
On a side note, this rule is also laughable because it implies that confidential files placed on purpose in a publicly accessible location wouldn’t be an issue (read again: policy that prohibits unauthorized people from accessing confidential files that may have been inadvertently placed in a publicly accessible location). I hope there are other rules shoring up this particular one, or that somebody writing the article made a mistake.
Legal and verbal wrangling aside, the bigger issue is that unencrypted files with sensitive data were placed in a publicly accessible location. This means that anyone could have accessed it, be it a curious university student or some guy working for the Russian mafia. The University might be able to use the above rule to punish students, but what kind of hold do they have over someone that isn’t part of a university setting? The answer is none.
Rules like these are created for one reason: to deter insiders from snooping around in the network. A valid goal, that one; however, if the rule is truly worded as in the above example, the ultimate goal is to cover one’s mistakes and assign blame to others because the network was not secure (aka CYA rules). Think about it: in a secure network with good practices, this rule would never come into effect. The key to data security is preventing breaches, not going after the bad guys after a breach.
What could WOU have done to prevent this? To begin with, they could have used AlertBoot’s content encryption services to ensure that files are encrypted. This way, even if a file was inadvertently placed in an unsecured, public server, there would be no damage. The drama regarding the data breach, the whistleblowing, and the ensuing public relations humiliation could have been avoided.
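To make the point in the last two paragraphs concrete, here is a small Go program added as an illustration; it is not code from AlertBoot or from the original post, and everything in it is assumed for the example: the sample CSV is fabricated, and the functions NewKey, Encrypt, Decrypt and ContainsSSNPattern are mine. It seals the record with AES-256-GCM under a key that is kept apart from the file, then shows that the blob which would sit on the public server reveals nothing SSN-shaped, decrypts intact for the key holder, and is rejected outright under any other key (GCM authenticates the ciphertext, so a wrong key produces an error rather than garbage).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
)

// SampleRecord is a constructed stand-in for the kind of file described in
// the post: a CSV of student names and Social Security numbers. The values
// are obviously fake.
const SampleRecord = "name,ssn\nAlice Example,000-00-0001\nBob Example,000-00-0002\n"

// ssnShape matches the NNN-NN-NNNN layout of a US Social Security number.
var ssnShape = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

// ContainsSSNPattern reports whether data has anything shaped like an SSN
// in it, i.e. what a casual reader of the file would see.
func ContainsSSNPattern(data []byte) bool {
	return ssnShape.Match(data)
}

// NewKey returns a fresh 256-bit AES key. In a deployment this key lives in
// a key store or is derived from the user's credentials; it never sits next
// to the file on the server.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. The random nonce is prepended to
// the ciphertext so the blob is self-describing; GCM's tag means tampering
// or a wrong key is detected on decrypt.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It fails (rather than returning garbage) when
// the key is wrong or the blob has been modified.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// What ends up on the "public server" is the sealed blob, not the CSV.
	blob, err := Encrypt(key, []byte(SampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext exposes SSNs:     %v\n", ContainsSSNPattern([]byte(SampleRecord)))
	fmt.Printf("ciphertext exposes SSNs:    %v\n", ContainsSSNPattern(blob))

	// The authorized holder of the key recovers the file intact.
	plain, err := Decrypt(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted matches original: %v\n", string(plain) == SampleRecord)

	// Anyone else, holding a different key, gets an authentication error.
	wrongKey, _ := NewKey()
	_, err = Decrypt(wrongKey, blob)
	fmt.Printf("wrong key rejected:         %v\n", err != nil)
}
```

The design choice that matters for the WOU scenario is where the key lives: the protection is only as good as the separation between the sealed file and the key, so a copy of the blob wandering onto a public share, a stolen laptop, or a curious student's download yields nothing usable on its own.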
I imagine that this will not be the end of this particular incident. As pointed out in an earlier blog post of mine, Oregon has laws in place where a whistleblower cannot be terminated just because she’s a whistleblower. Technically, the editor’s contract was not renewed, but I’m sure she can get a lawyer to argue on her behalf about why it wasn’t renewed. Plus, there’s already a furor in the freedom of speech community. You can expect more developments there as well. The problem with journalism is that you need evidence to back up your stories (unless you’re working for a tabloid, it seems), and the most conclusive proof in this case is having a copy of the file in question. Which means CYA rules have to be broken to secure the evidence.
Data breaches: they’re the gift that keeps on giving.