INFOSEC: information security news from the University System of Georgia, May 2009 (Vol. 1, No. 2)

Information Security News from the University System of Georgia
V0l. 01 No. 02 May, 2009

INFOSEC WWW.USG.EDU/INFOSEC

CISO TIPS:
5 reasons why

the CEO or CIO

should listen

to you:

PG 3

Panic. You've just left the grocery store after a busy day of work, family,
and a half dozen other things that you need an extra 24 hours to handle. When you get back to your car though, you realize that you've left your phone slash PDA at the check out counter.

ERASING INFORMATION AND MEDIA DISPOSAL
Protecting confidential and sensitive data from accidental disclosure is very important, and we should all strive to properly handle data erasure and the disposal of media.
Data can be stored electronically in multiple formats and locations. Data sometimes includes sensitive documents or personally identifiable information such as a social security number, credit card information, or health-related information. For example, the initial information may be downloaded from a database and then copied to the computer's hard drive and subsequently backed up for disaster recovery purposes. In this example, there are two different storage mediums: hard drive and backup media. In addition, just viewing a file stored on the hard disk drive can create a temporary image of the information on the computer's hard drive as well.
>> cont., PG 2

You dash back inside and grab it from the check out counter with your heart beating well over 100 beats per minute. Sound familiar? PDAs, laptops, tablet PCs, and smart phones have become integral to so many of our lives because they are small and easily transported. But while these characteristics make them popular and convenient, they are also easily lost or ideal targets for thieves. Therefore, it is important to make sure you secure your portable devices to protect both the device and the information contained on the device.
So...what's at risk?
If your laptop/tablet PC, smart phone, or PDA is lost or stolen, the most obvious loss is the device itself. However, all of the information stored

on it is at risk as well. The data are often far more valuable than the portable device itself.
We've all read about lost or stolen portable devices that contain a host of confidential or sensitive information. Even if there isn't any sensitive or confidential information on your portable device, think of the other proprietary information that could be at risk: passwords, emails, contact information, etc. Below are tips to help you secure and protect your portable device.
before you leave the office/home
Password-protect your portable device: Make sure that you have to enter a strong password to log in to your device. This prevents someone
>> cont., PG 2

PODCAST

The USG Office of Information Security launched a series of podcasts covering a wide range of security-related topics. The first three podcasts in the series speak to the following topics:
Stan Gatewood's First 100 Days As Chief of Information Security What is Cyber-Security? Policy Standard Guidelines Website Security
Visit http://itunes.usg.edu/ for more information

GET RID OF IT
>> from PG 1
Deleting files does not erase the information. It only makes the space containing the files available to store additional data. The information can often be retrieved by using data forensic software/hardware or other recovery tools. As new computers are purchased, older computers may be surplused. You should assume that sensitive information may have been stored or viewed on all computers at some point in time. Before discarding your computer or portable storage devices thumb-drives, you need to be sure that that data have been erased or "wiped" or "sanitized".
What type of "wiping" or "sanitizing" program should be used?
First, seek support from your technical support group, they should be familiar with the correct process.
Read/writable media (including your hard drive) should be "wiped" using Department of Defense (DOD) compliant software. Software that meets DOD compliance standards can be downloaded from the Internet at no cost.
You need to be aware of some issues in wiping data including:
The wiping software needs to be used correctly with all the appropriate options and switches set properly. It may take a long time to rewrite the drive or media. You can't wipe a defective drive. And you can't un-wipe!
What about "Write Once" media, such as some CDs and DVDs?
Certain media can be read many times but can only be written once. This type of media, usually CD's or DVD's, cannot be overwritten to ensure the erasure of sensitive information. Therefore, this type of media should be physically destroyed. Certain types of shredders are capable of shredding CD's and DVD's. If this type of shredder is not available then safely breaking the device into four or more pieces would be an appropriate destruction measure.
I've heard of "degaussing", but what is it?
Degaussing is the erasure of information through the use of a very strong magnet generally used for erasing of magnetic tape media. This type of storage media is used by organizations with large data processing operations.
What about a defective drive that is under warranty?
Most warranties require the buyer to return the defective drive in order for a replacement to be provided under a warranty program. Check to be sure that your vendor has a policy that these "defective" drives are physically destroyed. There have been reports that these drives are sometimes fixed and resold without the removal of the data. Be careful in these situations. Balance the risk of information being compromised versus the cost of the hard drive.

PORTABLE >> from PG 1
from booting up your laptop with a different Operating System on a CD, floppy disk, or flash drive. Have your laptop configured to boot from the hard drive first: By forcing your laptop to boot from the hard drive first, it prevents someone from rebooting your laptop from another drive e.g. floppy drive, CD, flash drive. Install and maintain firewall and anti-virus software: Protect portable devices from unauthorized access and malicious code the same way you protect your computer when at work. Install antivirus and firewall software and keep them updated. Be sure all critical information is backed up: Portable devices should not be the only place important information is stored. Remove information that is not needed: Don't carry around sensitive and personal information on your laptop/tablet or other portable device that is not necessary to you or your work. Store your portable devices securely: When not in use, store portable devices out of sight and, whenever possible, in a locked drawer or file cabinet.
Steps To Protect Data:
Encrypt files or the full disk: By encrypting files or using whole disk encryption, you reduce the risk of unauthorized individuals viewing sensitive data.
Consider storing important data separately: By saving your data on removable media and storing it in a different location (e.g., on a lanyard around your neck instead of in your laptop bag), you can protect your data even if your laptop/tablet is stolen. If you store data separately you should also encrypt any confidential or sensitive data on that removable media.
Steps to take when traveling:
When traveling by car: If it is necessary to leave a portable device in a car, lock it in the trunk or other location where it is out of sight. Never leave electronic devices in cars for extended periods during either very hot or very cold weather. Never leave the vehicle unlocked when unattended, even for a minute. Do not leave the portable device in the vehicle overnight. When traveling by air or rail: Always keep your portable device with you or as carry-on luggage. Watch your device carefully as it goes through the screening process - this is an opportune time for a thief to take it. Make sure you have your portable device with you each time you board or egress. In the hotel room: If a room safe is available, lock the device with other valuables in the safe. If it does not fit in the room safe, ask the hotel staff for the use of the hotel safe. If this is not practicable, store the
>> cont., PG 3

PORTABLE >> from PG 2
portable device out of sight when you leave the room. At conferences and trade shows: Be especially wary at conferences, large meetings, and trade shows. These are common venues for thieves.
steps to take if your laptop or other portable device is lost or stolen:
Report the loss or theft to the appropriate authorities as soon as possible. These parties may include representatives from the following: Local law enforcement agencies Your organization's security office or Help Desk. They can then inform the appropriate parties to help protect any services that may be at risk.

CISO TIPS: 5 reasons why your CEO/CIO should listen to you

Because to every CEO/CIO there are no competing business priority to staying in business and staying out of the newspaper.

Because in today's global economy, it's secure or perish.

Because it makes good business sense.

Because CEOs/CIOs have arrived at the same nearparalyzing epiphany. [i.e., the realization that "... companies simply can't continue operating under the same business security model."]

DATA BREACHES - May
METRO NASHVILLE SCHOOL
April 8, 2009 Metro Nashville students' names, Social Security numbers, addresses, dates of birth, and parents' demographic information were available by searching Google when a private contractor unintentionally put student data on a computer Web server that wasn't secure. The data was available online from Dec. 28 to March 31. Number of records exposed: 18,000
MORE INFORMATION...
USG Office of Information Security

Because "insanity is doing the same thing over and over, and expecting a different result." Albert Einstein

Penn State Erie/Behrend College
April 9, 2009 On March 23, the University confirmed that 10,868 Social Security numbers in historical data on a computer may have been breached. Longstanding security measures, designed to protect the network and systems from malicious software, alerted the University to the potential breach and the responsible system was immediately taken off line. Data were examined and information was removed. Number of records exposed: 10,868

Irving Independent School District
April 13, 2009 Identity thieves using the names and Social Security numbers of Irving Independent School District employees have made thousands of dollars in credit card purchases. At least 64 of the 3,400 teachers and other employees names were on an old benefits report that somehow ended up in the trash. Number of records exposed: Unknown
Source: Privacy Rights Clearinghouse (www.privacyrights.org)

Stan S. Gatewood, Chief of Information Security 706-583-2001 or 888-875-3697 www.usg.edu/infosec