Re: The VA Stolen Laptop - Lessons Learned

[Rockit <speech_freedom2002 () yahoo com>]

26.5 million Vet records.
According to the US census records page there are only 25.5 million 
LIVING Vets. So...what was on that hdd was EVERY vets record from
pre-WW1.

Gov't purchased laptop (lowest bid)
Guy that 'lost' laptop had been taking it home for over 3 years with 
this info...
Ok, Gov't purchase, AND 3 year old laptop...
Best case would be a 100gig HDD......

26.5 million Vet records

on a laptop 100gig hdd ???????

You following the math yet ?

The 3rd letter I rcvd from the VA states:"Given the FBI's high degree 
of confidence that the information was not compromised,..."

*Just laughs*

The information may not of been compromised...but there are just too 
many untruthes to believe that any security measures will ever be 
undertaken to prevent a repeat of this in the future ! Perhaps you
didn't 
catch the story of 35,000 
records on a laptop stolen from the Philly VA hospital that happened 
about 3
weeks ago ????

Why the hell are Gov't employees being allowed to take confidential 
information home to begin with ? 

Encryption would only be a small step in correcting some of this 
problem.
( I hope I don't need to remind anyone here that any encryption sold on

the commercial market here in the states is allowed by the Gov't soley 
because it's been compromised already ?....lowest bid Gov't purchase 
remember?)

Proper IT security STARTS with physical security.

--- "lists () infostruct net" <lists () infostruct net> wrote:

> As security professionals most of you know the VA lost control of 26
> million social security numbers when a laptop was stolen on May 3rd.
> Here
> are the lessons learned from my perspective:
>
> Lesson # 1 - Create a comprehensive remediation plan:
>
> The remediation plan has been identified in OMB directive M-06-16
> (http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf):
>
> 1. Encrypt all data on mobile computers/devices which carry agency
> data
> unless the data is determined to be non-sensitive, in writing, by
> your
> Deputy Secretary or an individual he/she may designate in writing 
>
> 2. Allow remote access only with two-factor authentication where one
> of the
> factors is provided by a device separate from the computer gaining
> access
>
> 3. Use a “time-out” function for remote access and mobile devices
> requiring
> user re-authentication after 30 minutes inactivity
>
> 4. Log all computer-readable data extracts from databases holding
> sensitive
> information and verify each extract including sensitive data has been
> erased within 90 days or its use is still required.
>
> 5. Follow a NIST a checklist for protection of remote information
> (included
> within the memo)
>
> These remediations are not adequate. The VA should also:
>
> 1. Eliminate the ability for an end user to download a database of
> social
> security numbers. Instead, use an application to provide a view into
> the
> database one SSN at a time.
>
> 2. Treat SSNs like credit card numbers. Use the Payment Card Industry
> standards as a baseline.
>
> https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
>
> 3. Create unique identifiers for new service members. SSNs should be
> used
> for social security benefits.  
>
> Lesson # 2 - If you have a compromise, notify your customers in a
> timely
> manner (and make sure they receive it):
>
> It took over three months to receive notification from the VA! I
> received a
> letter today. Apparently the first notification never made it.
>
> http://www.gideonrasmussen.com/docs/va-notification.jpg
>
> Lesson # 3 - Keep your commitments to your customers:
>
> Though an article states that the VA will "honor its promise of free
> credit
> monitoring for a year", the letter rescinds that commitment, stating
> that
> individual credit monitoring will not be necessary considering the
> FBI's
> high degree of confidence that the information was not compromised.
> Its no
> surprise that veterans groups have filed a class action suit.
>
> And one last thing... Don't loose control of my SSN again.
>
> Kind regards,
>
> Gideon
>
> Gideon T. Rasmussen
> CISSP, CISA, CISM, IAM
> Charlotte, NC
> http://www.gideonrasmussen.com/contact.html
>
> http://www.ussecurityawareness.org
> http://groups.yahoo.com/group/gideons-infosec-list
> http://groups.yahoo.com/group/insider-threat
>
> References:
> http://www.navy.mil/search/display.asp?story_id=24453
> http://www.eweek.com/article2/0,1895,1972946,00.asp
>
>
> --------------------------------------------------------------------
> mail2web - Check your email from the web at
> http://mail2web.com/ .
---------------------------------------------------------------------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic
> Excellence
> in Information Security. Our program offers unparalleled Infosec
> management
> education and the case study affords you unmatched consulting
> experience.
> Using interactive e-Learning technology, you can earn this esteemed
> degree,
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
>


www.interz0ne.com
Grayarea.info
interz0newest.com

pgp: E645 8A9E 85E4 3309 DB35  F76F 7178 0F22 5FFF D4BB

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------