[IS&T Security-FYI] SFYI Newsletter, April 24, 2009
Monique Yeaton
myeaton at MIT.EDU
Fri Apr 24 14:17:11 EDT 2009
In this issue:
1. Cybersecurity a Top National Issue
2. Cloud Computing: A Security Nightmare?
3. Breakdown of Data Breaches in Higher Education
------------------------------------------------
1. Cybersecurity a Top National Issue
------------------------------------------------
The White House is looking to ramp up the focus on cybersecurity.
President Obama has made the issue of cybersecurity a top priority,
equating it in significance with nuclear and biological weapons. A
White House team reviewing cybersecurity policy has completed its
recommendations, including the creation of a top White House
cyberpolicy official. Details of that and other proposals are still
under debate. A final decision from the president is expected soon.
Melissa Hathaway, the acting director for cyberspace for the National
Security and Homeland Security Councils, reminded the audience at the
RSA security conference in San Francisco this week that the net had
not been built with safety in mind. She just completed a review of
cybersecurity for the president. The review covers coordinating cyber
security efforts, getting the private sector to play a bigger role in
securing cyberspace, and assigning agencies to protect federal
computer networks and systems.
"This poses one of the most serious challenges of the 21st Century,"
she said. "Cyber space won't be secured overnight on the basis of one
good plan. We need an agreed way forward based on common understanding
and acceptance of the problem."
The biggest piece of the puzzle is coordinating efforts and creating
partnerships. As Ms. Hathaway stated in San Francisco: "Cybersecurity
isn't only the responsibility of governments and corporations, but
that of individuals, including each of us here today, as well."
Read the full story here:
<http://news.bbc.co.uk/2/hi/technology/8011380.stm>
<http://online.wsj.com/article/SB124035738674441033.html>
-------------------------------------------------------
2. Cloud Computing: A Security Nightmare?
-------------------------------------------------------
Cloud computing is emerging as the latest hot new thing in cyber
space. (For a definition of cloud computing, see
<http://en.wikipedia.org/wiki/Cloud_computing>.) However, according
to John Chambers, Chairman and CEO of Cisco Systems, who spoke during
a keynote address at the annual RSA security conference this week,
cloud computing is a "security nightmare and can't be handled in
traditional ways."
Security experts see a lot of work ahead of them in terms of dealing
with the security of cloud computing. "I think it's really going to be
a focal point of a lot of our work in the cybersecurity area," said
Ronald Rivest, an MIT computer science professor and noted
cryptographer, speaking during a conference panel Tuesday.
"Cloud computing sounds so sweet and wonderful and safe... we should
just be aware of the terminology. If we go around for a week calling
it 'swamp computing' I think you might have the right mind-set."
Rivest added that he was optimistic about cloud computing's future.
Read the full story here:
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9131998>
Related story here:
<http://news.zdnet.com/2100-9595_22-281727.html>
------------------------------------------------------------------
3. Breakdown of Data Breaches in Higher Education
------------------------------------------------------------------
In December I reported on the number of potential data breaches that
occurred within higher education in the United States over the past
year. In 2008, 173 incidents were reported with a potential 4.8
million people affected. Below is a further breakdown of what those
incidents show.
The majority of incidents (49%) were due to employee mistakes. Data
breaches due to loss and unauthorized disclosure (information
exposure and/or loss resulting from the release of information to the
public and/or to individuals not authorized to view it) top the list
of incidents, outnumbering hacking incidents by more than 2 to 1.
Theft, penetration and impersonation together account for 45% of data
incidents. The remaining 6% of incidents were due to employee fraud.
While unauthorized disclosure topped the list of methods by which
these incidents occurred, theft accounted for the most records
exposed. Unauthorized disclosure exposed 207,596 records, while theft
exposed just over 4 million records (a figure that also includes 7
incidents where the total number exposed was not reported).
Penetration of network systems accounted for the second largest
number of exposed records (552,785).
As is clear from these numbers, the majority of data breach incidents
are not due to faulty technology (although that also accounts for data
breaches, about 20% in 2008). They happen because of incorrect
handling of data, and of the systems that contain data, by those who
have been given access. This failure to protect the data within our
responsibility and reach can likely be traced back to a faulty data
policy or business process.
Of the types of data exposed, educational, financial, medical and
usernames and passwords are at the bottom of the list. Social Security
numbers and personally identifiable information are at the top.
Numbers can also be misleading. Due to new state laws, we may see more
incidents reported in 2009 than in 2008, not necessarily due to more
incidents occurring, but partly due to the requirement, by law, to
report these incidents to the public.
[Source: www.adamdodge.com/esi/]
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T will *NEVER* ask you
for your password.