Security Basics mailing list archives
Re: The VA Stolen Laptop - Lessons Learned
From: "Saqib Ali" <docbook.xml () gmail com>
Date: Wed, 13 Sep 2006 13:44:07 -0700
Gideon,

This mandate was discussed on Security Basics ML a while back, especially the first bullet. See the following URL for the whole thread:

http://www.full-disc-encryption.com/lurker/message/20060706.162817.48461b51.en.html

On 9/12/06, lists () infostruct net <lists () infostruct net> wrote:

As security professionals most of you know the VA lost control of 26 million social security numbers when a laptop was stolen on May 3rd. Here are the lessons learned from my perspective:

Lesson # 1 - Create a comprehensive remediation plan:

The remediation plan has been identified in OMB directive M-06-16 (http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf):

1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing
2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access
3. Use a "time-out" function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity
4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.
5. Follow a NIST checklist for protection of remote information (included within the memo)

These remediations are not adequate. The VA should also:

1. Eliminate the ability for an end user to download a database of social security numbers. Instead, use an application to provide a view into the database one SSN at a time.
2. Treat SSNs like credit card numbers. Use the Payment Card Industry standards as a baseline. https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
3. Create unique identifiers for new service members. SSNs should be used for social security benefits.

Lesson # 2 - If you have a compromise, notify your customers in a timely manner (and make sure they receive it):

It took over three months to receive notification from the VA! I received a letter today. Apparently the first notification never made it.
http://www.gideonrasmussen.com/docs/va-notification.jpg

Lesson # 3 - Keep your commitments to your customers:

Though an article states that the VA will "honor its promise of free credit monitoring for a year", the letter rescinds that commitment, stating that individual credit monitoring will not be necessary considering the FBI's high degree of confidence that the information was not compromised. It's no surprise that veterans groups have filed a class action suit.

And one last thing... Don't lose control of my SSN again.

Kind regards,
Gideon

Gideon T. Rasmussen CISSP, CISA, CISM, IAM
Charlotte, NC
http://www.gideonrasmussen.com/contact.html
http://www.ussecurityawareness.org
http://groups.yahoo.com/group/gideons-infosec-list
http://groups.yahoo.com/group/insider-threat

References:
http://www.navy.mil/search/display.asp?story_id=24453
http://www.eweek.com/article2/0,1895,1972946,00.asp

--------------------------------------------------------------------
mail2web - Check your email from the web at http://mail2web.com/ .
---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15
-----------
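Item 4 of the OMB memo quoted in the thread above (log every computer-readable extract of sensitive data and verify within 90 days that it has been erased or is still required) is the one part of the remediation plan that reduces to a mechanical audit over a log. The script below is an added example and is not code from this thread, from the VA or from OMB: the JSON-lines log format, the event names ("extract", "erased", "justified"), the field names and the sample entries are all constructed here for illustration. An extract with neither an erasure record nor a still-valid written justification past its 90-day deadline is flagged as overdue.

```python
"""Audit logged data extracts against a 90-day erase-or-justify deadline.

Added example (not the thread's or the VA's code). The log format and
event names are assumptions made for this illustration.
"""
from datetime import datetime, timedelta
import json

RETENTION_DAYS = 90  # deadline from OMB M-06-16 item 4

# Constructed sample log: one JSON object per line (format is assumed).
# "extract"   - a user pulled records out of a sensitive database
# "erased"    - the user/custodian certified the extract was destroyed
# "justified" - a written extension saying the extract is still required
SAMPLE_LOG = """\
{"event":"extract","extract_id":"E-1001","user":"alice","source":"benefits_db","records":26000000,"ts":"2006-05-01T09:12:00"}
{"event":"extract","extract_id":"E-1002","user":"bob","source":"benefits_db","records":1200,"ts":"2006-06-15T14:03:00"}
{"event":"erased","extract_id":"E-1002","user":"bob","ts":"2006-07-01T08:30:00"}
{"event":"extract","extract_id":"E-1003","user":"carol","source":"benefits_db","records":50,"ts":"2006-08-20T10:00:00"}
{"event":"justified","extract_id":"E-1003","user":"carol","ts":"2006-09-10T11:00:00","until":"2006-12-09T11:00:00"}
{"event":"extract","extract_id":"E-1004","user":"dave","source":"benefits_db","records":300,"ts":"2006-09-01T16:45:00"}
"""


def _ts(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def parse_log(text):
    """Parse JSON-lines log text into event dicts with datetime fields."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = _ts(rec["ts"])
        if "until" in rec:
            rec["until"] = _ts(rec["until"])
        events.append(rec)
    return events


def audit_extracts(events, now, retention_days=RETENTION_DAYS):
    """Return {extract_id: {...,"status"}} with one of four statuses:

    erased    - an erasure record exists for the extract
    justified - a written justification is still in force at `now`
    overdue   - no erasure, no valid justification, deadline has passed
    pending   - no erasure yet, but still inside the retention window
    """
    now = _ts(now)
    extracts, erased, justified_until = {}, set(), {}
    for e in events:
        xid = e["extract_id"]
        if e["event"] == "extract":
            extracts[xid] = e
        elif e["event"] == "erased":
            erased.add(xid)
        elif e["event"] == "justified":
            # Keep the latest expiry if several justifications were filed.
            if xid not in justified_until or e["until"] > justified_until[xid]:
                justified_until[xid] = e["until"]

    report = {}
    for xid, e in extracts.items():
        deadline = e["ts"] + timedelta(days=retention_days)
        if xid in erased:
            status = "erased"
        elif xid in justified_until and justified_until[xid] > now:
            status = "justified"
        elif now > deadline:
            status = "overdue"  # an expired justification also lands here
        else:
            status = "pending"
        report[xid] = {"user": e["user"], "records": e["records"],
                       "deadline": deadline, "status": status}
    return report


def overdue_extracts(report):
    """Sorted extract IDs that need follow-up."""
    return sorted(xid for xid, r in report.items() if r["status"] == "overdue")


def run_sample(now="2006-09-13T00:00:00"):
    """Audit the constructed sample log as of the given date."""
    return audit_extracts(parse_log(SAMPLE_LOG), now)


if __name__ == "__main__":
    report = run_sample()
    for xid, r in sorted(report.items()):
        print(f"{xid} {r['user']:<6} {r['records']:>9} records "
              f"deadline {r['deadline'].date()} -> {r['status']}")
    print("overdue:", overdue_extracts(report))
```

Run as of 13 Sep 2006 the sample flags E-1001 (a full-database pull from May with no erasure record) as overdue, treats E-1002 as closed, honours the written extension on E-1003, and leaves E-1004 pending. The justification path is deliberate: the memo allows an extract to remain if "its use is still required", so the audit needs an explicit, dated record of that decision rather than an open-ended exemption.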
Current thread:
- The VA Stolen Laptop - Lessons Learned lists () infostruct net (Sep 13)
- Re: The VA Stolen Laptop - Lessons Learned Saqib Ali (Sep 13)
- RE: The VA Stolen Laptop - Lessons Learned evb (Sep 13)
- RE: The VA Stolen Laptop - Lessons Learned Isaac Van Name (Sep 14)
- Re: The VA Stolen Laptop - Lessons Learned George Toft (Sep 15)
- Re: The VA Stolen Laptop - Lessons Learned MandommGmail (Sep 18)
- Re: The VA Stolen Laptop - Lessons Learned security (Sep 19)
- Re: The VA Stolen Laptop - Lessons Learned Saqib Ali (Sep 20)
- RE: The VA Stolen Laptop - Lessons Learned Clement Dupuis (Sep 20)
- Re: The VA Stolen Laptop - Lessons Learned Saqib Ali (Sep 20)
- Re: The VA Stolen Laptop - Lessons Learned intel96 (Sep 20)
- Re: The VA Stolen Laptop - Lessons Learned Saqib Ali (Sep 21)