[IS&T Security-FYI] SFYI Newsletter, April 24, 2009

Monique Yeaton myeaton at MIT.EDU
Fri Apr 24 14:17:11 EDT 2009


In this issue:

1. Cybersecurity a Top National Issue
2. Cloud Computing: A Security Nightmare?
3. Breakdown of Data Breaches in Higher Education


------------------------------------------------
1. Cybersecurity a Top National Issue
------------------------------------------------

The White House is looking to ramp up the focus on cybersecurity.  
President Obama has made the issue of cybersecurity a top priority,  
equating it in significance with nuclear and biological weapons. A  
White House team reviewing cybersecurity policy has completed its  
recommendations, including the creation of a top White House  
cyberpolicy official. Details of that and other proposals are still  
under debate. A final decision from the president is expected soon.

Melissa Hathaway, the acting director for cyberspace for the National  
Security and Homeland Security Councils, reminded the audience at the  
RSA security conference in San Francisco this week that the net had  
not been built with safety in mind. She just completed a review of  
cybersecurity for the president. The review covers coordinating  
cybersecurity efforts, getting the private sector to play a bigger  
role in securing cyberspace, and assigning agencies to protect federal  
computer networks and systems.

"This poses one of the most serious challenges of the 21st Century,"  
she said. "Cyber space won't be secured overnight on the basis of one  
good plan. We need an agreed way forward based on common understanding  
and acceptance of the problem."

The biggest piece of the puzzle is coordinating efforts and creating  
partnerships. As Ms. Hathaway stated in San Francisco: "Cybersecurity  
isn't only the responsibility of governments and corporations, but  
that of individuals, including each of us here today, as well."

Read the full story here:
<http://news.bbc.co.uk/2/hi/technology/8011380.stm>
<http://online.wsj.com/article/SB124035738674441033.html>


-------------------------------------------------------
2. Cloud Computing: A Security Nightmare?
-------------------------------------------------------

Cloud computing is emerging as the latest hot new thing in cyber  
space. (For a definition of cloud computing:  
http://en.wikipedia.org/wiki/Cloud_computing) However, according to  
John Chambers, Chairman and CEO of Cisco  
Systems, who spoke during a keynote address at the annual RSA security  
conference this week, cloud computing is a "security nightmare and  
can't be handled in traditional ways."

Security experts see a lot of work ahead of them in terms of dealing  
with the security of cloud computing. "I think it's really going to be  
a focal point of a lot of our work in the cybersecurity area," said  
Ronald Rivest, an MIT computer science professor and noted  
cryptographer, speaking during a conference panel Tuesday.

"Cloud computing sounds so sweet and wonderful and safe... we should  
just be aware of the terminology. If we go around for a week calling  
it 'swamp computing' I think you might have the right mind-set."  
Rivest added that he was optimistic about cloud computing's future.

Read the full story here:
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9131998>

Related story here:
<http://news.zdnet.com/2100-9595_22-281727.html>


------------------------------------------------------------------
3. Breakdown of Data Breaches in Higher Education
------------------------------------------------------------------

In December I reported on the number of potential data breaches that  
occurred within higher education in the United States from the past  
year. In 2008, 173 incidents were reported with a potential 4.8  
million people affected. Below is a further breakdown of what those  
incidents show.

The majority of incidents (49%) were due to employee mistakes. Data  
breaches due to loss and unauthorized disclosure (which is information  
exposure and/or loss related to release of information to the public  
and/or individuals not authorized to view such information) top the  
list of incidents, outnumbering hacking incidents by more than 2 to 1.  
Theft, penetration and impersonation together account for 45% of data  
incidents. The remaining 6% of incidents were due to employee fraud.

While unauthorized disclosure topped the list of methods by which  
these incidents occurred, theft accounted for the most records  
exposed. Unauthorized disclosure exposed 207,596 records, while theft  
exposed just over 4 million records (and also includes 7 incidents  
where the total number exposed was not reported). Penetration of  
network systems accounted for the second largest number of exposed  
records (552,785).

As is clear from these numbers, the majority of data breach incidents  
are not due to faulty technology (although those also account for data  
breaches, about 20% in 2008). They happen because of incorrect  
handling of data, and the systems that contain data, by those who have  
been given access. This failure to protect the data within our  
responsibility and reach can likely be traced back to a faulty data  
policy or business process.

Of the types of data exposed, educational, financial, medical and  
usernames and passwords are at the bottom of the list. Social Security  
numbers and personally identifiable information are at the top.

Numbers can also be misleading. Due to new state laws, we may see more  
incidents reported in 2009 than in 2008, not necessarily due to more  
incidents occurring, but partly due to the requirement, by law, to  
report these incidents to the public.

[Source: www.adamdodge.com/esi/]


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security

---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T will *NEVER* ask you  
for your password.
