Security Watch
U.S. Government Mandates Laptop Security
Plus new coalition forms I.D. protection center, medical records stolen, more.
The U.S. president has mandated that the controls outlined in NIST Special Publication 800-53 (Recommended Security Controls for Federal Information Systems) be fully implemented within 45 days. The same memo also requires that all sensitive data held on mobile computers and devices be encrypted, that remote access use two-factor authentication with one factor provided by a device separate from the computer gaining access, that remote sessions time out after 30 minutes of inactivity, and that every extract of sensitive data from a database be logged and erased within 90 days unless its continued use has been verified. (See this PDF for more information.)
The memo suggests that most agencies have already implemented these guidelines. Clearly that was not the case with the U.S. Veterans Administration.
The advice offered here is in line with Cybertrust Essential Practices and long overdue -- we'll have to wait and see whether the auditing of compliance shows that agencies have heeded the call.
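As an added example, not code from the column or from the memo it describes: a small Python ledger that implements the extract-tracking rule above. It logs each extract with a SHA-256 of the extracted file, lets the requester re-verify that an extract is still needed, refuses to accept an erasure claim while the original bytes are still present, and reports which live extracts have gone 90 days without erasure or re-verification. The extract IDs, requesters, database name and dates are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

RETENTION_DAYS = 90  # the memo's window for erasing an extract or re-verifying its use


@dataclass
class Extract:
    extract_id: str
    requester: str
    source_db: str
    created: date
    sha256: str            # fingerprint of the extract file at the time it was taken
    last_verified: date    # last date the requester confirmed the extract is still needed
    erased: Optional[date] = None  # set once erasure has been confirmed


class ExtractLedger:
    """Log of every computer-readable extract taken from a sensitive database."""

    def __init__(self) -> None:
        self._entries: Dict[str, Extract] = {}

    def log_extract(self, extract_id: str, requester: str, source_db: str,
                    content: bytes, created: date) -> Extract:
        """Record a new extract; the hash lets us later check that it really went away."""
        entry = Extract(extract_id, requester, source_db, created,
                        hashlib.sha256(content).hexdigest(), last_verified=created)
        self._entries[extract_id] = entry
        return entry

    def reverify(self, extract_id: str, on: date) -> None:
        """The requester has confirmed the extract is still required; restart the clock."""
        self._entries[extract_id].last_verified = on

    def confirm_erased(self, extract_id: str, on: date,
                       remaining_content: Optional[bytes]) -> bool:
        """Accept an erasure claim only if the original bytes are no longer present.

        remaining_content is whatever still exists at the extract's path (None if
        the file is gone). A file whose hash still matches has not been erased.
        """
        entry = self._entries[extract_id]
        if remaining_content is not None and \
                hashlib.sha256(remaining_content).hexdigest() == entry.sha256:
            return False
        entry.erased = on
        return True

    def overdue(self, today: date) -> List[str]:
        """IDs of live extracts neither erased nor re-verified within RETENTION_DAYS."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        return sorted(e.extract_id for e in self._entries.values()
                      if e.erased is None and e.last_verified < cutoff)


def demo() -> List[str]:
    """Constructed scenario: two extracts taken on 1 June; only one is re-verified."""
    ledger = ExtractLedger()
    claims = b"ssn,dob\n123-45-6789,1970-01-01\n"   # constructed sample extract
    ledger.log_extract("x-1", "alice", "claims", claims, date(2006, 6, 1))
    ledger.log_extract("x-2", "bob", "claims", b"member_id\n42\n", date(2006, 6, 1))
    ledger.reverify("x-2", date(2006, 8, 15))
    return ledger.overdue(date(2006, 9, 15))   # x-1 is past the 90-day window


if __name__ == "__main__":
    print("overdue extracts:", demo())
```

The hash check is the part worth copying: an erasure ticket that is closed on the requester's say-so is just paperwork, whereas comparing whatever remains at the path against the fingerprint taken at extract time turns "verify each extract has been erased" into something an auditor can actually test.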
Medical Excess Loses Records on 1 Million Customers
Medical Excess, an AIG Company, recently had a file server stolen from one of its offices. The file server contained the names, Social Security numbers and birthdates of approximately 970,000 customers. It also contained medical and disability information on an undisclosed number of people. The file server was stolen together with a camera and several laptops. Medical Excess has stated, in a letter sent to those affected, that it does not think the information has been misused.
Once again the privacy alert goes out, yet it would appear obvious that the goal of the theft was the hardware. Medical Excess stated that the file server was password protected, and while it's certainly possible to bypass such protection, it is unlikely that criminals seeking to sell stolen hardware are going to bother to do so. Bear in mind, though, that a login password protects nothing once the drive is pulled and mounted on another machine; only encryption of the data at rest would keep it out of reach of anyone who did bother.
Until reports surface that some number of these affected individuals have had their private information abused as a result of the theft, something which is not easily discernible, this remains just another office theft of hardware.
Coalition Launches I.D. Theft Prevention Center
Utica College has created the Center for Identity Management and Information Protection, a project intended to become a clearinghouse for identity-related research projects. It has partnered with LexisNexis and IBM, as well as the U.S. FBI and Secret Service. Several other academic institutions have also committed their support.
The group has stated that its goal is to do more than simply provide access to research. It says it wants to see the research acted upon, in the form of best practices, new policies, regulations and legislation. The broad base of support for the effort suggests the group may actually be able to achieve what it has set out to do. Maybe it'll even be able to educate the media on the difference between ID "theft" and ID "fraud": for something to be stolen, I have to be denied the use of it. So, if I suffer ID "theft," I can no longer prove that I am who I say I am. If I can still use my ID, albeit with trouble or financial losses, then I've experienced ID "fraud."
Cybersecurity Chief's Contract Questioned
According to the Associated Press, Donald "Andy" Purdy is being paid $245,481 by the U.S. government, and an additional $43,320 by Carnegie Mellon University. Purdy is on loan from the university to fill the vacant position within the U.S. Department of Homeland Security.
Well, the story smacks of sour grapes over a highly paid individual. Purdy, a lawyer with experience managing in government agencies, says he could easily receive as much or more working in the private sector -- no doubt true. The real question is whether or not he has provided U.S. citizens with value for the money received.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.