Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DHS Announces the Release of New Training Course: Workplace Sec

From: "Dr. Wole Akpose" <wole.akpose () MORGAN EDU>
Date: Wed, 27 Apr 2011 20:39:25 -0400
The Federal Government is both a monolith and not. SSN is not a DHS
identifier, it is an SSA/IRS identifier.

W. Akpose



On Wed, Apr 27, 2011 at 1:36 PM, Dexter Caldwell <Dexter.Caldwell () furman edu

wrote:



 Good point and I have to agree.  My biggest initial reaction about the
site was concern about why they needed me to enter an ssn just to give me
publicly helpful information in the first place.  I do see some irony in it,
but when I really think about it- it seems to me that most of the value over
time of the ssn has come from the fact that other non-federal entities have
decided that it's a great authenticator for their purposes and to same them
the trouble.  As a result of this trend, do we now expect the owner of the
identifier not to use it as they see fit for their purposes  because others
have attached value to it that was never intended?

Keep in mind this same thing is happening with sites using facebook logins
or google logins etc to attach services and marketing efficiency to their
credentials .  I agree the end result is that there is risk in being
careless with the id, but the owner of the id is not necessarily the one
increasing this liability in the case of the federal SSN unless they
themselves are pushing it as a universal id.  We should also consider the
fact that when use use or implement portals, deploy federated id management
systems, outsource email that uses our internal authentication directories
for authorization via the web and third-party companies, and deploy weak
applications that don't encrypt credentials, but want web presences- that we
are in effect doing a similar thing on a smaller scale in our own
organizations.  (Not that we- in InfoSec are necessarily the ones condoning
or sponsoring this...).

 In any event, how many of us think after we've done these things that it's
a good idea to recommend we start creating new id systems and logins just to
get simple individualized information on our networks when we want it?  I do
agree the SSN has gotten to the point where perhaps it's worthwhile to
consider alternatives, but that's essentially what happened a few years back
when Universities and other organizations began using a self-generated
"other id" that was correlated on the backend with the SSN if necessary for
government business but was otherwise independent.  I think it's simple
enough to let users know to use a SSN for government business and as little
else as possible- therefore I see it largely as a user ed issue.  The real
question I see here is why do I need to authenticate at this site rather
than why do they ask for my SSN.

D/C

*The EDUCAUSE Security Constituent Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> writes:*
I think that the problem is that SSN is both a userid and a password.

If it is to be a universal ID then the ID number should be public.  If it
is to be a password then it should be private and

  (1) it should be changeable without leaving a trail from one to the next
(you may change your SSN but having the previous one gains access to the new
one)

  (2) it should be usable without exposure (you should not have to write
down your password on a form that is to be saved for years in someone's
files or in a database which you do not control) (changeability mitigates
this to a certain extent)

As the length of term of a password increases so does its value.  Since a
SSN is both a userid and a password, and since it lasts for the lifetime of
the owner, it is very valuable.  If the password were separated from the id
then worth of the ID would decrease to a value approaching zero, and if the
password were changeable then its value would decrease dramatically because
the owner could change it at their option.

Just my $.02 .

-Vik



On Apr 26, 2011, at 16:34 , McClenon, Braden wrote:


So we should come up with a different universal ID that in the end will

have the same security implication as SSN, sans exposure of your SS
information and benefits?  Or is the idea for the government to pepper us
with different identifiers until no one can keep them straight and we carry
them around in our wallets or tape them to our monitors.


I guess I agree with Walter too, and would need to hear what the better

solution is.



From: The EDUCAUSE Security Constituent Group Listserv [

mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] On
Behalf Of Dr. Wole Akpose

Sent: Tuesday, April 26, 2011 12:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DHS Announces the Release of New Training Course:

Workplace Security Awareness


To Brady:

" That’s the sole purpose for issuing you one."
Actually, no It is NOT.  The SSN is not intended as an Identifier for any

purpose beyond Social Security (and thus Taxes). True it has been misused by
various entities over the years, but most identity theft targeting
legislations, regulations and policies all address the need to limit its use
beyond its intended purposed.


"I’m lost on what the issue is here. "

The issue here is the message being sent, albeit inadvertently, by the

DHS. Requesting for people's SSN for an awareness course offered by DHS is a
signal to others, including all sorts of vendors, that SSN is Kosher as a
Unique ID. This is a lapse in judgement and expose a flaw in the thinking or
execution by those responsible for keeping us safe. If the educator can miss
a key component in the curriculum!


A careful review of the courses, not just for content, would have

revealed the contradiction here. We write policies and guidances  advising
people to not use  SSN for frivolous purposes. Yet we request it for,
perhaps, the most frivolous of them all.


If the DHS does require a unique identifier, there are several

alternatives that are both convenient and secure.


So yes, I do agree with Walter (Petruska) that we should try to help the

DHS, if we believe they bungled this well intentioned program. But we should
not loose sight of the implications of this lapse as we gear up for the
National Cyber Security Awareness Month in October. Security takes
vigilance!


W. Akpose

--
Visit http://msusac.morgan.edu for up to date discussions on Cyber

Security

Wole Akpose. CISSP, CGEIT, D.Eng, SS-BB
Planning & Information Technology
Morgan State University
1700 E. Cold Spring Lane
Baltimore, MD 21251.
p. 443.885.1850 / 443.885.3372
f. 443.885.8304 /443.885.8211

On Tue, Apr 26, 2011 at 11:40 AM, McClenon, Braden <mcclenbw () oneonta edu>

wrote:

I’m lost on what the issue is here.  Is it the federal government asking

for your SSN# to identify you?  That’s the sole purpose for issuing you one.



Am I the only one that files my taxes electronically?

Brady McClenon
Senior Server Administrator
SUNY Oneonta
607-436-3203

"My pontifications are much too deep to fit inside a fortune cookie." -

Confucius' brother





From: The EDUCAUSE Security Constituent Group Listserv [

mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] On
Behalf Of Jones, Dan

Sent: Friday, April 22, 2011 5:22 PM

To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DHS Announces the Release of New Training Course:

Workplace Security Awareness


The only thing better would be to also require users to accept a

self-signed certificate.


Dan Jones

----- Reply message -----
From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Fri, Apr 22, 2011 14:49
Subject: [SECURITY] DHS Announces the Release of New Training Course:

Workplace Security Awareness

To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>

If only we were at a point where we knew an email like this would have to

be a joke.

Unreal, just unreal.  Maybe this is their way to push for a federal

identifier, you know- a group of characters that will uniquely identify each
.... Oh wait a minute - never mind.

:-)

Have a great weekend everyone.


Kevin L. McLaughlin
AVP, Information Security & Special Projects
University of Cincinnati


On Apr 22, 2011, at 2:41 PM, "R J Cronk" <rjc06c () GMAIL COM> wrote:

oh the irony .......

On Fri, Apr 22, 2011 at 2:15 PM, Sarazen, Daniel <dsarazen () umassp edu>

wrote:

Hi All,

I took the test and they require your social security number.

"Please note that you will be required to enter your Social Security

number at the completion of this exam. This website and the testing system
meet federal guidelines for protecting Personally Identifiable Information.
However, if you do not wish to submit your Social Security number, you will
need to request an alternative ID number from the Independent Study program.
For directions on how to request an alternative ID number, please see our
Frequently Asked Questions:"


Does this concern anyone besides me?

Thanks

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [

mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] On
Behalf Of Valerie Vogel

Sent: Friday, April 22, 2011 12:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DHS Announces the Release of New Training Course:

Workplace Security Awareness


A new (no-cost) training course on Workplace Security Awareness is now

available from DHS: http://training.fema.gov/EMIWeb/IS/IS906.asp. More
details are provided below.


Thank you,
Valerie
_______________

Valerie M. Vogel
Program Manager, EDUCAUSE
office: (202) 331-5374
e-mail: vvogel () educause edu

------------------------

Sent on behalf of the Department of Homeland Security Office of

Infrastructure Protection


DHS Announces the Release of New Training Course Workplace Security

Awareness No-Cost Critical Infrastructure Workplace Security Training


The Department of Homeland Security announces the availability of IS-906,

Workplace Security Awareness, a no-cost training course developed by the
Office of Infrastructure Protection Sector-Specific Agency Executive
Management Office.


Access IS-906 on the Federal Emergency Management Agency Emergency

Management Institute Web site:
http://training.fema.gov/EMIWeb/IS/IS906.asp


The online training provides guidance to individuals and organizations on

how to improve security in the workplace.  The course is self-paced and
takes about an hour to complete. This comprehensive cross-sector training is
appropriate for a broad audience regardless of knowledge and skill level.
 The course promotes workplace security practices applicable across all 18
critical infrastructure sectors.   The training uses innovative multimedia
scenarios and modules to illustrate potential security threats.  Threat
scenarios include:


* Access & Security Control
* Criminal & Suspicious Activities
* Workplace Violence
* Cyber Threats

The course also features interactive knowledge reviews, employee tools,

and additional resources.


Upon completion of Workplace Security Awareness, employees will be able

to:

* Identify potential risks to workplace security
* Describe measures for improving workplace security
* Determine the actions to take in response to a security situation

A certificate is given to participants who complete the entire course.

For more information about Office of Infrastructure Protection training

courses, contact: IP_Education () hq dhs gov


For more information on the DHS Office of Infrastructure Protection:

www.dhs.gov/criticalinfrastructure







-Vik

Vik Solem, CISSP, Sr. Applications Risk Consultant
Tufts University, Information Security, vik.solem () tufts edu / 617-627-4326
InfoSec Team: information_security () tufts edu / 617-627-6070

Check Out the UIT Information Security Team blog
https://wikis.uit.tufts.edu/confluence/display/infosecteamblog
Previous By Date Next
Previous By Thread Next

Current thread: