[IS&T Security-FYI] SFYI Newsletter, December 29, 2008
Monique Yeaton
myeaton at MIT.EDU
Mon Dec 29 15:40:06 EST 2008
To wrap up 2008, here are a few articles that summarize some of the
interesting IT security issues that have come to light this year.
Happy New Year to you all and see you in 2009!
In this issue:
1. Top 10 Security Breaches of 2008
2. How Safe are Schools' Data?
3. MIT Students Will Work With MBTA
----------------------------------------------
1. Top 10 Security Breaches of 2008
----------------------------------------------
From Hannaford to Countrywide to the Bank of New York Mellon, 2008
has been a year of high-profile security breaches in or impacting the
financial services industry. Here's a list of the top 10 -- and
lessons that should be learned, so we aren't back revisiting these
issues in '09.
The top 10 list can be found here:
<http://www.bankinfosecurity.com/articles.php?art_id=1120>
----------------------------------------
2. How Safe are Schools' Data?
----------------------------------------
J. Campana & Associates, LLC released a study titled "How Safe Are We
in Our Schools?" in November 2008. This study, produced by Dr. Joseph
E. Campana, analyzed the Privacy Rights Clearinghouse Chronology of
Data Breaches from January 2005 through October 2008 and found that
the Education sector accounted for nearly one third of all reported
breaches. Here is some more interesting information from the study:
  * Higher Education accounted for 79% of all education-related breaches
  * Higher Education accounted for 78% of all compromised consumer
    profiles in the Education sector
  * The Education sector only accounts for between 0.6% and 13% of all
    entities in the United States
Another way to review these statistics is using the Adam Dodge
website, Educational Security Incidents (ESI). It reported 162
potential data breaches at universities in the United States in
2008 alone, with a potential 4.8 million people affected.
What stands out for me is that many of the lost records came from
university hospitals. For instance, in June of this year, the
University of Utah Hospitals and Clinics had backup tapes stolen
containing at least 1.5 million patient records. They were later
recovered but the university did notify all affected individuals at
the time of the theft.
Educational Security Incidents (ESI): <http://www.adamdodge.com/esi/>
Obviously, schools still have a long way to go to learn to effectively
protect their data. To find out what you should know about protecting
sensitive files at MIT, attend the upcoming IAP seminar on Handling
Sensitive Data, held on the following dates in 2009: 1/13, 1/14, and
1/22.
More details on this seminar can be found here:
<http://student.mit.edu/searchiap/iap-8809.html>
For those interested in reading the study by Dr. Campana, it can be
downloaded here:
<http://web.mit.edu/myeaton/Public/EducationSectorDataBreachStudy.pdf>
------------------------------------------------
3. MIT Students Will Work With MBTA
------------------------------------------------
The three MIT students who earlier this year faced legal action from
the Massachusetts Bay Transit Authority (MBTA) are now working with
the MBTA to improve the security of its electronic fare system. Zack
Anderson, RJ Ryan, and Alessandro Chiesa had planned to present their
findings about weaknesses in the MBTA's Charlie Card system at a
conference last summer. The MBTA obtained a gag order preventing them
from making their presentation, but a judge threw out the order
several days later, and the case was settled in early October.
The announcement brings to a close a high-profile case that pitted the
rights of security researchers to freely discuss their findings
against the concerns of one of the country's largest transit systems,
which worried that this type of information could lead to widespread
ticket fraud.
The full story can be found here:
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9124183>
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T will *NEVER* ask you
for your password.