Thursday, June 21, 2007

VAnishing confidence

Network World

Security Strategies




Network World's Security Strategies Newsletter, 06/21/07

By M. E. Kabay

In this brief series of articles, I’ve been recounting the tale of data losses at the Department of Veterans Affairs (VA). The next column will be the last in the series.

On Monday, August 7, 2006, Secretary Nicholson announced that a Unisys subcontractor working for the VA offices in Philadelphia and Pittsburgh had reported that his desktop computer was missing. The computer contained PII for 18,000 and possibly up to 38,000 veterans.

A week later (August 14), the VA announced that it would spend $3.7 million on encryption software and would encrypt data on all the department’s computers and external data storage media or devices. Installation would begin Friday Aug. 18.

In mid-September, the stolen Unisys desktop computer with VA data was located and a temporary employee working on subcontract to Unisys was arrested and charged in the theft.

In October 2006, the Congressional Committee on Oversight and Government Reform published a report on data losses in U.S. government agencies since January 1, 2003. There were 788 incidents in 19 agencies – in addition to hundreds of incidents at the VA. The report’s findings included these bald assertions:

1. Data loss is a government-wide occurrence. . . .

2. Agencies do not always know what has been lost. The letters received by the Committee demonstrate that, in many cases, agencies do not know what information has been lost or how many individuals could be impacted by a particular data loss. Similarly, agencies do not appear to be tracking all possible losses of personal information, making it likely that their reports to the committee are incomplete. For example, the Department of Justice reports that, prior to the May 2006 Veterans Administration data breach, “the Department did not track the content of lost, stolen, or otherwise compromised devices.”

3. Physical security of data is essential. Only a small number of the data breaches reported to the Committee were caused by hackers breaking into computer systems online. The vast majority of data losses arose from physical thefts of portable computers, drives, and disks, or unauthorized use of data by employees.

4. Contractors are responsible for many of the reported breaches. Federal agencies rely heavily on private sector contractors for information technology management services. Thus, many of the reported data breaches were the responsibility of contractors.

Alas, the best-laid plans of VA administrators gang oft agley, and on October 31, 2006, VA officials informed 1,400 veterans that their PII had been lost on unencrypted data disks sent by mail from the VA clinic in Muskogee, OK on May 10, June 10 and July 10. A spokesperson for the hospital explained the three-month delay as being due to the “wait for officials in Washington to approve the wording of the letter.” Approval arrived October 26th. There was no explanation of why the data were unencrypted nor why two additional disks were mailed out after the May 10 disk was lost. A report on this incident dated Nov 3, 2006 by Rick Maze in the _Federal Times_ also indicated that a laptop computer from the VA hospital in Manhattan was stolen on September 8 from a computer locked to a cart in a locked room in a locked corridor – and that the data on the stolen machine was deliberately not encrypted despite policy because “a decision had been made not to encrypt data being used for medical purposes.”

And more was to come in February 2007, but that’s for next time.


Contact the author:

M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor of Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.



Copyright Network World, Inc., 2007
