Security Basics mailing list archives
Re: The VA Stolen Laptop - Lessons Learned
From: Rockit <speech_freedom2002 () yahoo com>
Date: Sat, 16 Sep 2006 00:51:35 -0700 (PDT)
26.5 million Vet records. According to the US census records page there are only 25.5 million LIVING Vets. So... what was on that HDD was EVERY vet's record from pre-WW1.

Gov't purchased laptop (lowest bid). Guy that 'lost' the laptop had been taking it home for over 3 years with this info... OK, Gov't purchase, AND a 3 year old laptop... Best case would be a 100 gig HDD... 26.5 million Vet records on a laptop with a 100 gig HDD? You following the math yet?

The 3rd letter I received from the VA states: "Given the FBI's high degree of confidence that the information was not compromised,..." *Just laughs* The information may not have been compromised... but there are just too many untruths to believe that any security measures will ever be undertaken to prevent a repeat of this in the future!

Perhaps you didn't catch the story of 35,000 records on a laptop stolen from the Philly VA hospital that happened about 3 weeks ago? Why the hell are Gov't employees being allowed to take confidential information home to begin with?

Encryption would only be a small step in correcting some of this problem. (I hope I don't need to remind anyone here that any encryption sold on the commercial market here in the states is allowed by the Gov't solely because it's been compromised already?... lowest bid Gov't purchase, remember?)

Proper IT security STARTS with physical security.

--- "lists () infostruct net" <lists () infostruct net> wrote:
As security professionals, most of you know the VA lost control of 26 million social security numbers when a laptop was stolen on May 3rd. Here are the lessons learned from my perspective:

Lesson #1 - Create a comprehensive remediation plan:

The remediation plan has been identified in OMB directive M-06-16 (http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf):

1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing.
2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.
3. Use a time-out function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity.
4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.
5. Follow the NIST checklist for protection of remote information (included within the memo).

These remediations are not adequate. The VA should also:

1. Eliminate the ability for an end user to download a database of social security numbers. Instead, use an application to provide a view into the database one SSN at a time.
2. Treat SSNs like credit card numbers. Use the Payment Card Industry standards as a baseline. https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
3. Create unique identifiers for new service members. SSNs should be used for social security benefits.

Lesson #2 - If you have a compromise, notify your customers in a timely manner (and make sure they receive it):

It took over three months to receive notification from the VA! I received a letter today. Apparently the first notification never made it.
http://www.gideonrasmussen.com/docs/va-notification.jpg

Lesson #3 - Keep your commitments to your customers:

Though an article states that the VA will "honor its promise of free credit monitoring for a year", the letter rescinds that commitment, stating that individual credit monitoring will not be necessary considering the FBI's high degree of confidence that the information was not compromised. It's no surprise that veterans groups have filed a class action suit.

And one last thing... Don't lose control of my SSN again.

Kind regards,
Gideon

Gideon T. Rasmussen CISSP, CISA, CISM, IAM
Charlotte, NC
http://www.gideonrasmussen.com/contact.html
http://www.ussecurityawareness.org
http://groups.yahoo.com/group/gideons-infosec-list
http://groups.yahoo.com/group/insider-threat

References:
http://www.navy.mil/search/display.asp?story_id=24453
http://www.eweek.com/article2/0,1895,1972946,00.asp
---------------------------------------------------------------------------
This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
www.interz0ne.com Grayarea.info interz0newest.com
pgp: E645 8A9E 85E4 3309 DB35 F76F 7178 0F22 5FFF D4BB
Current thread:
- Re: The VA Stolen Laptop - Lessons Learned, (continued)
- Re: The VA Stolen Laptop - Lessons Learned George Toft (Sep 15)
- Re: The VA Stolen Laptop - Lessons Learned MandommGmail (Sep 18)
- Re: The VA Stolen Laptop - Lessons Learned security (Sep 19)
- Re: The VA Stolen Laptop - Lessons Learned Saqib Ali (Sep 20)
- RE: The VA Stolen Laptop - Lessons Learned Clement Dupuis (Sep 20)
- Re: The VA Stolen Laptop - Lessons Learned Saqib Ali (Sep 20)
- Re: The VA Stolen Laptop - Lessons Learned intel96 (Sep 20)
- Re: The VA Stolen Laptop - Lessons Learned Saqib Ali (Sep 21)
- RE: The VA Stolen Laptop - Lessons Learned Pranav Lal (Sep 25)
- Re: The VA Stolen Laptop - Lessons Learned George Toft (Sep 15)
- Re: The VA Stolen Laptop - Lessons Learned MandommGmail (Sep 19)
- RE: The VA Stolen Laptop - Lessons Learned Isaac Van Name (Sep 15)