Educause Security Discussion mailing list archives
Re: DHS Announces the Release of New Training Course: Workplace Sec
From: "Dr. Wole Akpose" <wole.akpose () MORGAN EDU>
Date: Wed, 27 Apr 2011 20:39:25 -0400
The Federal Government is both a monolith and not. SSN is not a DHS identifier, it is an SSA/IRS identifier.

W. Akpose

On Wed, Apr 27, 2011 at 1:36 PM, Dexter Caldwell <Dexter.Caldwell () furman edu> wrote:

Good point and I have to agree. My biggest initial reaction about the site was concern about why they needed me to enter an SSN just to give me publicly helpful information in the first place. I do see some irony in it, but when I really think about it, it seems to me that most of the value over time of the SSN has come from the fact that other non-federal entities have decided that it's a great authenticator for their purposes and to save them the trouble. As a result of this trend, do we now expect the owner of the identifier not to use it as they see fit for their purposes because others have attached value to it that was never intended? Keep in mind this same thing is happening with sites using Facebook logins or Google logins etc. to attach services and marketing efficiency to their credentials. I agree the end result is that there is risk in being careless with the ID, but the owner of the ID is not necessarily the one increasing this liability in the case of the federal SSN unless they themselves are pushing it as a universal ID. We should also consider the fact that when we use or implement portals, deploy federated ID management systems, outsource email that uses our internal authentication directories for authorization via the web and third-party companies, and deploy weak applications that don't encrypt credentials but want web presences, we are in effect doing a similar thing on a smaller scale in our own organizations. (Not that we in InfoSec are necessarily the ones condoning or sponsoring this...) In any event, how many of us think, after we've done these things, that it's a good idea to recommend we start creating new ID systems and logins just to get simple individualized information on our networks when we want it?

I do agree the SSN has gotten to the point where perhaps it's worthwhile to consider alternatives, but that's essentially what happened a few years back when universities and other organizations began using a self-generated "other ID" that was correlated on the backend with the SSN if necessary for government business but was otherwise independent. I think it's simple enough to let users know to use an SSN for government business and as little else as possible; therefore I see it largely as a user education issue. The real question I see here is why do I need to authenticate at this site, rather than why do they ask for my SSN.

D/C

*The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> writes:*

I think that the problem is that SSN is both a userid and a password. If it is to be a universal ID then the ID number should be public. If it is to be a password then it should be private and (1) it should be changeable without leaving a trail from one to the next (you may change your SSN, but having the previous one gains access to the new one), and (2) it should be usable without exposure (you should not have to write down your password on a form that is to be saved for years in someone's files or in a database which you do not control; changeability mitigates this to a certain extent). As the length of term of a password increases, so does its value. Since an SSN is both a userid and a password, and since it lasts for the lifetime of the owner, it is very valuable. If the password were separated from the ID then the worth of the ID would decrease to a value approaching zero, and if the password were changeable then its value would decrease dramatically because the owner could change it at their option.

Just my $.02.

-Vik

On Apr 26, 2011, at 16:34, McClenon, Braden wrote:

So we should come up with a different universal ID that in the end will have the same security implication as SSN, sans exposure of your SS information and benefits? Or is the idea for the government to pepper us with different identifiers until no one can keep them straight and we carry them around in our wallets or tape them to our monitors? I guess I agree with Walter too, and would need to hear what the better solution is.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dr. Wole Akpose
Sent: Tuesday, April 26, 2011 12:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DHS Announces the Release of New Training Course: Workplace Security Awareness

To Brady: "That's the sole purpose for issuing you one." Actually, no. It is NOT. The SSN is not intended as an identifier for any purpose beyond Social Security (and thus taxes). True, it has been misused by various entities over the years, but most identity-theft-targeting legislation, regulations and policies all address the need to limit its use beyond its intended purpose.

"I'm lost on what the issue is here." The issue here is the message being sent, albeit inadvertently, by the DHS. Requesting people's SSN for an awareness course offered by DHS is a signal to others, including all sorts of vendors, that SSN is kosher as a unique ID. This is a lapse in judgement and exposes a flaw in the thinking or execution by those responsible for keeping us safe. If the educator can miss a key component in the curriculum! A careful review of the courses, not just for content, would have revealed the contradiction here. We write policies and guidance advising people to not use SSN for frivolous purposes. Yet we request it for, perhaps, the most frivolous of them all. If the DHS does require a unique identifier, there are several alternatives that are both convenient and secure.

So yes, I do agree with Walter (Petruska) that we should try to help the DHS, if we believe they bungled this well-intentioned program. But we should not lose sight of the implications of this lapse as we gear up for the National Cyber Security Awareness Month in October. Security takes vigilance!

W. Akpose
--
Visit http://msusac.morgan.edu for up to date discussions on CyberSecurity
Wole Akpose. CISSP, CGEIT, D.Eng, SS-BB
Planning & Information Technology, Morgan State University
1700 E. Cold Spring Lane, Baltimore, MD 21251.
p. 443.885.1850 / 443.885.3372 f. 443.885.8304 / 443.885.8211

On Tue, Apr 26, 2011 at 11:40 AM, McClenon, Braden <mcclenbw () oneonta edu> wrote:

I'm lost on what the issue is here. Is it the federal government asking for your SSN# to identify you? That's the sole purpose for issuing you one. Am I the only one that files my taxes electronically?

Brady McClenon
Senior Server Administrator, SUNY Oneonta
607-436-3203
"My pontifications are much too deep to fit inside a fortune cookie." -Confucius' brother

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, Dan
Sent: Friday, April 22, 2011 5:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DHS Announces the Release of New Training Course: Workplace Security Awareness

The only thing better would be to also require users to accept a self-signed certificate.

Dan Jones

----- Reply message -----
From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Fri, Apr 22, 2011 14:49
Subject: [SECURITY] DHS Announces the Release of New Training Course: Workplace Security Awareness
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>

If only we were at a point where we knew an email like this would have to be a joke. Unreal, just unreal. Maybe this is their way to push for a federal identifier, you know, a group of characters that will uniquely identify each .... Oh wait a minute - never mind. :-)

Have a great weekend everyone.

Kevin L. McLaughlin
AVP, Information Security & Special Projects, University of Cincinnati

On Apr 22, 2011, at 2:41 PM, "R J Cronk" <rjc06c () GMAIL COM> wrote:

oh the irony .......

On Fri, Apr 22, 2011 at 2:15 PM, Sarazen, Daniel <dsarazen () umassp edu> wrote:

Hi All,

I took the test and they require your social security number.

"Please note that you will be required to enter your Social Security number at the completion of this exam. This website and the testing system meet federal guidelines for protecting Personally Identifiable Information. However, if you do not wish to submit your Social Security number, you will need to request an alternative ID number from the Independent Study program. For directions on how to request an alternative ID number, please see our Frequently Asked Questions:"

Does this concern anyone besides me?

Thanks

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valerie Vogel
Sent: Friday, April 22, 2011 12:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DHS Announces the Release of New Training Course: Workplace Security Awareness

A new (no-cost) training course on Workplace Security Awareness is now available from DHS: http://training.fema.gov/EMIWeb/IS/IS906.asp. More details are provided below.

Thank you,
Valerie
_______________
Valerie M. Vogel
Program Manager, EDUCAUSE
office: (202) 331-5374
e-mail: vvogel () educause edu

------------------------
Sent on behalf of the Department of Homeland Security Office of Infrastructure Protection

DHS Announces the Release of New Training Course: Workplace Security Awareness
No-Cost Critical Infrastructure Workplace Security Training

The Department of Homeland Security announces the availability of IS-906, Workplace Security Awareness, a no-cost training course developed by the Office of Infrastructure Protection Sector-Specific Agency Executive Management Office.

Access IS-906 on the Federal Emergency Management Agency Emergency Management Institute Web site: http://training.fema.gov/EMIWeb/IS/IS906.asp

The online training provides guidance to individuals and organizations on how to improve security in the workplace. The course is self-paced and takes about an hour to complete. This comprehensive cross-sector training is appropriate for a broad audience regardless of knowledge and skill level. The course promotes workplace security practices applicable across all 18 critical infrastructure sectors. The training uses innovative multimedia scenarios and modules to illustrate potential security threats. Threat scenarios include:
* Access & Security Control
* Criminal & Suspicious Activities
* Workplace Violence
* Cyber Threats

The course also features interactive knowledge reviews, employee tools, and additional resources.

Upon completion of Workplace Security Awareness, employees will be able to:
* Identify potential risks to workplace security
* Describe measures for improving workplace security
* Determine the actions to take in response to a security situation

A certificate is given to participants who complete the entire course.

For more information about Office of Infrastructure Protection training courses, contact: IP_Education () hq dhs gov
For more information on the DHS Office of Infrastructure Protection: www.dhs.gov/criticalinfrastructure

-Vik
Vik Solem, CISSP, Sr. Applications Risk Consultant
Tufts University, Information Security, vik.solem () tufts edu / 617-627-4326
InfoSec Team: information_security () tufts edu / 617-627-6070
Check Out the UIT Information Security Team blog https://wikis.uit.tufts.edu/confluence/display/infosecteamblog
Current thread:
- Re: DHS Announces the Release of New Training Course: Workplace Security Awareness, (continued)
- Re: DHS Announces the Release of New Training Course: Workplace Security Awareness McClenon, Braden (Apr 26)
- Re: DHS Announces the Release of New Training Course: Workplace Security Awareness Valdis Kletnieks (Apr 26)
- Re: DHS Announces the Release of New Training Course: Workplace Security Awareness Basgen, Brian (Apr 26)
- Re: DHS Announces the Release of New Training Course: Workplace Security Awareness Dr. Wole Akpose (Apr 26)
- Re: DHS Announces the Release of New Training Course: Workplace Security Awareness McClenon, Braden (Apr 26)
- Re: DHS Announces the Release of New Training Course: Workplace Security Awareness Mclaughlin, Kevin (mclaugkl) (Apr 26)
- Re: DHS Announces the Release of New Training Course: Workplace Security Awareness Greg Schaffer (Apr 26)
- Re: DHS Announces the Release of New Training Course: Workplace Security Awareness Solem, Vik P. (Apr 26)
- Re: DHS Announces the Release of New Training Course: Workplace Security Awareness Mclaughlin, Kevin (mclaugkl) (Apr 26)
- Re: DHS Announces the Release of New Training Course: Workplace Sec Dexter Caldwell (Apr 27)
- Re: DHS Announces the Release of New Training Course: Workplace Sec Dr. Wole Akpose (Apr 27)
- Re: DHS Announces the Release of New Training Course: Workplace Security Awareness McClenon, Braden (Apr 26)