Security of data analyzed in study

[InfoSec News <alerts () infosecnews org>]

http://www.collegian.psu.edu/archive/2008/02/26/security_of_data_analyzed_in_s.aspx

By Elizabeth Murphy 
Collegian Staff Writer
February 26, 2008

Information security breaches at colleges and universities are on the 
rise, according to a report released earlier this month.

The report, Educational Security Incidents (ESI) Year in Review, 
spotlights institutions worldwide, and Penn State was included in the 
report with one data breach last year.

In September, the Social Security numbers of more than 10,500 marines 
were inadvertently posted on a Penn State Web site. The names and 
numbers were compiled for a research project being conducted at Penn 
State, according to the report.

"My goal with ESI is to, hopefully, increase awareness within higher 
education that not only is information security a concern, but that the 
threats to college and university information is not as simple as 
network and/or computer attacks," Adam Dodge, ESI creator, wrote in an 
e-mail.

The report indicated that there were a total 139 incidents at 
institutions during 2007, a 67.5 percent increase since 2006. The total 
number of institutions affected by data breaches also went up to 112, a 
72.3 percent increase since 2006.

The report also shows the majority of information breaches at colleges 
came from unintentional leaks, rather than hackers. But Penn State 
Information Technology Vice Provost Kevin Morooney said he isn't sure 
how deeply anyone should read into the report.

"I'm ignoring the report," he said. "Hackers are a constant and daily 
threat at the university, and we have many things put in place to 
mitigate the risk."

Morooney said the IT team at Penn State has many preventative measures 
in place, including the switch from Social Security numbers to student 
ID numbers as the primary identifier three years ago.

Another potential data breach involved a laptop containing archived 
information, including Social Security numbers for 677 students who 
attended Penn State between 1999 and 2004, that was stolen from a 
faculty member while traveling in January. This incident was not 
included in ESI's 2007 report.

Morooney said Penn State provides anti-virus software for faculty and 
students and utilizes an intrusion detection system that notifies 
Information Technology Services (ITS) if a computer is compromised. More 
recently, ITS has been scanning hundreds of computers in search of 
sensitive data to make them safer for faculty.

"It comes down to people realizing how important it is as individuals to 
take individual action because it will breed institutional reaction as 
well," Morooney said. "I think there is a heightened sense of awareness, 
but it is not where it needs to be."

Morooney said people have a heightened concern about privacy but don't 
take computer information as seriously. He said someone hacking into a 
person's computer is just like someone breaking into a person's home.

Dodge said people need to protect their private digital information 
better by utilizing protection programs and just being knowledgeable 
about the risks.

"In the end, the goal is to have technical and non-technical security 
programs that complement and reinforce each other," Dodge wrote.

Dodge also wrote that data breaches will continue to happen, but it is 
now up to the colleges and universities to take the steps to make them 
few and far between.

"One of the most important ways that colleges and universities can 
control breaches and data leakage is to educate employees about the 
risks and to ensure that employees understand that information security 
is everyone's responsibility," Dodge wrote.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn