Re: DHS Announces the Release of New Training Course: Workplace Security Awareness

["Solem, Vik P." <Vik.Solem () TUFTS EDU>]

I think that the problem is that SSN is both a userid and a password.

If it is to be a universal ID then the ID number should be public.  If it is to be a password then it should be private 
and

  (1) it should be changeable without leaving a trail from one to the next (you may change your SSN but having the 
previous one gains access to the new one)

  (2) it should be usable without exposure (you should not have to write down your password on a form that is to be 
saved for years in someone's files or in a database which you do not control) (changeability mitigates this to a 
certain extent)

As the length of term of a password increases so does its value.  Since a SSN is both a userid and a password, and 
since it lasts for the lifetime of the owner, it is very valuable.  If the password were separated from the id then 
worth of the ID would decrease to a value approaching zero, and if the password were changeable then its value would 
decrease dramatically because the owner could change it at their option.

Just my $.02 .

-Vik



On Apr 26, 2011, at 16:34 , McClenon, Braden wrote:

> So we should come up with a different universal ID that in the end will have the same security implication as SSN, 
> sans exposure of your SS information and benefits?  Or is the idea for the government to pepper us with different 
> identifiers until no one can keep them straight and we carry them around in our wallets or tape them to our monitors.
>  
> I guess I agree with Walter too, and would need to hear what the better solution is.
>  
>  
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dr. 
> Wole Akpose
> Sent: Tuesday, April 26, 2011 12:31 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] DHS Announces the Release of New Training Course: Workplace Security Awareness
>  
> To Brady:
>
> " That’s the sole purpose for issuing you one."   
> Actually, no It is NOT.  The SSN is not intended as an Identifier for any purpose beyond Social Security (and thus 
> Taxes). True it has been misused by various entities over the years, but most identity theft targeting legislations, 
> regulations and policies all address the need to limit its use beyond its intended purposed.
>
> "I’m lost on what the issue is here. " 
>
> The issue here is the message being sent, albeit inadvertently, by the DHS. Requesting for people's SSN for an 
> awareness course offered by DHS is a signal to others, including all sorts of vendors, that SSN is Kosher as a Unique 
> ID. This is a lapse in judgement and expose a flaw in the thinking or execution by those responsible for keeping us 
> safe. If the educator can miss a key component in the curriculum! 
>
> A careful review of the courses, not just for content, would have revealed the contradiction here. We write policies 
> and guidances  advising people to not use  SSN for frivolous purposes. Yet we request it for, perhaps, the most 
> frivolous of them all.
>
> If the DHS does require a unique identifier, there are several alternatives that are both convenient and secure.
>
> So yes, I do agree with Walter (Petruska) that we should try to help the DHS, if we believe they bungled this well 
> intentioned program. But we should not loose sight of the implications of this lapse as we gear up for the National 
> Cyber Security Awareness Month in October. Security takes vigilance!
>
> W. Akpose
>
> -- 
> Visit http://msusac.morgan.edu for up to date discussions on Cyber Security
> Wole Akpose. CISSP, CGEIT, D.Eng, SS-BB
> Planning & Information Technology
> Morgan State University
> 1700 E. Cold Spring Lane
> Baltimore, MD 21251.
> p. 443.885.1850 / 443.885.3372
> f. 443.885.8304 /443.885.8211
>
> On Tue, Apr 26, 2011 at 11:40 AM, McClenon, Braden <mcclenbw () oneonta edu> wrote:
> I’m lost on what the issue is here.  Is it the federal government asking for your SSN# to identify you?  That’s the 
> sole purpose for issuing you one. 
>  
> Am I the only one that files my taxes electronically?
>  
> Brady McClenon
> Senior Server Administrator
> SUNY Oneonta
> 607-436-3203
>  
> "My pontifications are much too deep to fit inside a fortune cookie." - Confucius' brother
>  
>  
>  
>  
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, 
> Dan
> Sent: Friday, April 22, 2011 5:22 PM
>
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] DHS Announces the Release of New Training Course: Workplace Security Awareness
>  
> The only thing better would be to also require users to accept a self-signed certificate.  
>
> Dan Jones
>
> ----- Reply message -----
> From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
> Date: Fri, Apr 22, 2011 14:49
> Subject: [SECURITY] DHS Announces the Release of New Training Course: Workplace Security Awareness
> To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
>
> If only we were at a point where we knew an email like this would have to be a joke.
> Unreal, just unreal.  Maybe this is their way to push for a federal identifier, you know- a group of characters that 
> will uniquely identify each .... Oh wait a minute - never mind.  
> :-)
>  
> Have a great weekend everyone.
>
>
> Kevin L. McLaughlin
> AVP, Information Security & Special Projects
> University of Cincinnati
>  
>
> On Apr 22, 2011, at 2:41 PM, "R J Cronk" <rjc06c () GMAIL COM> wrote:
>
> oh the irony .......
>
> On Fri, Apr 22, 2011 at 2:15 PM, Sarazen, Daniel <dsarazen () umassp edu> wrote:
> Hi All,
>
> I took the test and they require your social security number.
>
> "Please note that you will be required to enter your Social Security number at the completion of this exam. This 
> website and the testing system meet federal guidelines for protecting Personally Identifiable Information. However, 
> if you do not wish to submit your Social Security number, you will need to request an alternative ID number from the 
> Independent Study program. For directions on how to request an alternative ID number, please see our Frequently Asked 
> Questions:"
>
> Does this concern anyone besides me?
>
> Thanks
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
> Valerie Vogel
> Sent: Friday, April 22, 2011 12:47 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] DHS Announces the Release of New Training Course: Workplace Security Awareness
>
> A new (no-cost) training course on Workplace Security Awareness is now available from DHS: 
> http://training.fema.gov/EMIWeb/IS/IS906.asp. More details are provided below.
>
> Thank you,
> Valerie
> _______________
>
> Valerie M. Vogel
> Program Manager, EDUCAUSE
> office: (202) 331-5374
> e-mail: vvogel () educause edu
>
> ------------------------
>
> Sent on behalf of the Department of Homeland Security Office of Infrastructure Protection
>
> DHS Announces the Release of New Training Course Workplace Security Awareness No-Cost Critical Infrastructure 
> Workplace Security Training
>
> The Department of Homeland Security announces the availability of IS-906, Workplace Security Awareness, a no-cost 
> training course developed by the Office of Infrastructure Protection Sector-Specific Agency Executive Management 
> Office.  
>
> Access IS-906 on the Federal Emergency Management Agency Emergency Management Institute Web site: 
> http://training.fema.gov/EMIWeb/IS/IS906.asp
>
> The online training provides guidance to individuals and organizations on how to improve security in the workplace.  
> The course is self-paced and takes about an hour to complete. This comprehensive cross-sector training is appropriate 
> for a broad audience regardless of knowledge and skill level.  The course promotes workplace security practices 
> applicable across all 18 critical infrastructure sectors.   The training uses innovative multimedia scenarios and 
> modules to illustrate potential security threats.  Threat scenarios include:
>
> * Access & Security Control
> * Criminal & Suspicious Activities
> * Workplace Violence
> * Cyber Threats
>
> The course also features interactive knowledge reviews, employee tools, and additional resources. 
>
> Upon completion of Workplace Security Awareness, employees will be able to:
> * Identify potential risks to workplace security
> * Describe measures for improving workplace security
> * Determine the actions to take in response to a security situation
>
> A certificate is given to participants who complete the entire course. 
>
> For more information about Office of Infrastructure Protection training courses, contact: IP_Education () hq dhs gov
>
> For more information on the DHS Office of Infrastructure Protection: www.dhs.gov/criticalinfrastructure
>  
>  


-Vik

Vik Solem, CISSP, Sr. Applications Risk Consultant
Tufts University, Information Security, vik.solem () tufts edu / 617-627-4326
InfoSec Team: information_security () tufts edu / 617-627-6070

Check Out the UIT Information Security Team blog
https://wikis.uit.tufts.edu/confluence/display/infosecteamblog