Re: DHS Announces the Release of New Training Course: Workplace Sec

[Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>]

Good point and I have to agree.  My biggest initial reaction about the
site was concern about why they needed me to enter an ssn just to give me
publicly helpful information in the first place.  I do see some irony in
it, but when I really think about it- it seems to me that most of the
value over time of the ssn has come from the fact that other non-federal
entities have decided that it's a great authenticator for their purposes
and to same them the trouble.  As a result of this trend, do we now expect
the owner of the identifier not to use it as they see fit for their
purposes  because others have attached value to it that was never
intended?  

Keep in mind this same thing is happening with sites using facebook logins
or google logins etc to attach services and marketing efficiency to their
credentials .  I agree the end result is that there is risk in being
careless with the id, but the owner of the id is not necessarily the one
increasing this liability in the case of the federal SSN unless they
themselves are pushing it as a universal id.  We should also consider the
fact that when use use or implement portals, deploy federated id
management systems, outsource email that uses our internal authentication
directories for authorization via the web and third-party companies, and
deploy weak applications that don't encrypt credentials, but want web
presences- that we are in effect doing a similar thing on a smaller scale
in our own organizations.  (Not that we- in InfoSec are necessarily the
ones condoning or sponsoring this...). 

 In any event, how many of us think after we've done these things that
it's a good idea to recommend we start creating new id systems and logins
just to get simple individualized information on our networks when we want
it?  I do agree the SSN has gotten to the point where perhaps it's
worthwhile to consider alternatives, but that's essentially what happened
a few years back when Universities and other organizations began using a
self-generated "other id" that was correlated on the backend with the SSN
if necessary for government business but was otherwise independent.  I
think it's simple enough to let users know to use a SSN for government
business and as little else as possible- therefore I see it largely as a
user ed issue.  The real question I see here is why do I need to
authenticate at this site rather than why do they ask for my SSN.

D/C

The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> writes:
> I think that the problem is that SSN is both a userid and a password.
>
> If it is to be a universal ID then the ID number should be public.  If it
> is to be a password then it should be private and
>
>  (1) it should be changeable without leaving a trail from one to the
> next (you may change your SSN but having the previous one gains access to
> the new one)
>
>  (2) it should be usable without exposure (you should not have to write
> down your password on a form that is to be saved for years in someone's
> files or in a database which you do not control) (changeability mitigates
> this to a certain extent)
>
> As the length of term of a password increases so does its value.  Since a
> SSN is both a userid and a password, and since it lasts for the lifetime
> of the owner, it is very valuable.  If the password were separated from
> the id then worth of the ID would decrease to a value approaching zero,
> and if the password were changeable then its value would decrease
> dramatically because the owner could change it at their option.
>
> Just my $.02 .
>
> -Vik
>
>
>
> On Apr 26, 2011, at 16:34 , McClenon, Braden wrote:
>
> > So we should come up with a different universal ID that in the end will
> have the same security implication as SSN, sans exposure of your SS
> information and benefits?  Or is the idea for the government to pepper us
> with different identifiers until no one can keep them straight and we
> carry them around in our wallets or tape them to our monitors.
> >  
> > I guess I agree with Walter too, and would need to hear what the better
> solution is.
> >  
> >  
> > From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dr. Wole Akpose
> > Sent: Tuesday, April 26, 2011 12:31 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] DHS Announces the Release of New Training
> Course: Workplace Security Awareness
> >  
> > To Brady:
> >
> > " That’s the sole purpose for issuing you one."   
> > Actually, no It is NOT.  The SSN is not intended as an Identifier for
> any purpose beyond Social Security (and thus Taxes). True it has been
> misused by various entities over the years, but most identity theft
> targeting legislations, regulations and policies all address the need to
> limit its use beyond its intended purposed.
> > "I’m lost on what the issue is here. " 
> >
> > The issue here is the message being sent, albeit inadvertently, by the
> DHS. Requesting for people's SSN for an awareness course offered by DHS
> is a signal to others, including all sorts of vendors, that SSN is Kosher
> as a Unique ID. This is a lapse in judgement and expose a flaw in the
> thinking or execution by those responsible for keeping us safe. If the
> educator can miss a key component in the curriculum! 
> > A careful review of the courses, not just for content, would have
> revealed the contradiction here. We write policies and guidances 
> advising people to not use  SSN for frivolous purposes. Yet we request it
> for, perhaps, the most frivolous of them all.
> > If the DHS does require a unique identifier, there are several
> alternatives that are both convenient and secure.
> > So yes, I do agree with Walter (Petruska) that we should try to help
> the DHS, if we believe they bungled this well intentioned program. But we
> should not loose sight of the implications of this lapse as we gear up
> for the National Cyber Security Awareness Month in October. Security
> takes vigilance!
> > W. Akpose
> >
> > -- 
> > Visit http://msusac.morgan.edu for up to date discussions on Cyber
> Security
> > Wole Akpose. CISSP, CGEIT, D.Eng, SS-BB
> > Planning & Information Technology
> > Morgan State University
> > 1700 E. Cold Spring Lane
> > Baltimore, MD 21251.
> > p. 443.885.1850 / 443.885.3372
> > f. 443.885.8304 /443.885.8211
> >
> > On Tue, Apr 26, 2011 at 11:40 AM, McClenon, Braden
> <mcclenbw () oneonta edu> wrote:
> > I’m lost on what the issue is here.  Is it the federal government
> asking for your SSN# to identify you?  That’s the sole purpose for
> issuing you one. 
> >  
> > Am I the only one that files my taxes electronically?
> >  
> > Brady McClenon
> > Senior Server Administrator
> > SUNY Oneonta
> > 607-436-3203
> >  
> > "My pontifications are much too deep to fit inside a fortune cookie." -
> Confucius' brother
> >  
> >  
> >  
> >  
> > From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, Dan
> > Sent: Friday, April 22, 2011 5:22 PM
> >
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] DHS Announces the Release of New Training
> Course: Workplace Security Awareness
> >  
> > The only thing better would be to also require users to accept a
> self-signed certificate.  
> > Dan Jones
> >
> > ----- Reply message -----
> > From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
> > Date: Fri, Apr 22, 2011 14:49
> > Subject: [SECURITY] DHS Announces the Release of New Training Course:
> Workplace Security Awareness
> > To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
> >
> > If only we were at a point where we knew an email like this would have
> to be a joke.
> > Unreal, just unreal.  Maybe this is their way to push for a federal
> identifier, you know- a group of characters that will uniquely identify
> each .... Oh wait a minute - never mind.  
> > :-)
> >  
> > Have a great weekend everyone.
> >
> >
> > Kevin L. McLaughlin
> > AVP, Information Security & Special Projects
> > University of Cincinnati
> >  
> >
> > On Apr 22, 2011, at 2:41 PM, "R J Cronk" <rjc06c () GMAIL COM> wrote:
> >
> > oh the irony .......
> >
> > On Fri, Apr 22, 2011 at 2:15 PM, Sarazen, Daniel <dsarazen () umassp edu>
> wrote:
> > Hi All,
> >
> > I took the test and they require your social security number.
> >
> > "Please note that you will be required to enter your Social Security
> number at the completion of this exam. This website and the testing
> system meet federal guidelines for protecting Personally Identifiable
> Information. However, if you do not wish to submit your Social Security
> number, you will need to request an alternative ID number from the
> Independent Study program. For directions on how to request an
> alternative ID number, please see our Frequently Asked Questions:"
> > Does this concern anyone besides me?
> >
> > Thanks
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valerie Vogel
> > Sent: Friday, April 22, 2011 12:47 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] DHS Announces the Release of New Training Course:
> Workplace Security Awareness
> > A new (no-cost) training course on Workplace Security Awareness is now
> available from DHS: http://training.fema.gov/EMIWeb/IS/IS906.asp. More
> details are provided below.
> > Thank you,
> > Valerie
> > _______________
> >
> > Valerie M. Vogel
> > Program Manager, EDUCAUSE
> > office: (202) 331-5374
> > e-mail: vvogel () educause edu
> >
> > ------------------------
> >
> > Sent on behalf of the Department of Homeland Security Office of
> Infrastructure Protection
> > DHS Announces the Release of New Training Course Workplace Security
> Awareness No-Cost Critical Infrastructure Workplace Security Training
> > The Department of Homeland Security announces the availability of
> IS-906, Workplace Security Awareness, a no-cost training course developed
> by the Office of Infrastructure Protection Sector-Specific Agency
> Executive Management Office.  
> > Access IS-906 on the Federal Emergency Management Agency Emergency
> Management Institute Web site:
> http://training.fema.gov/EMIWeb/IS/IS906.asp
> > The online training provides guidance to individuals and organizations
> on how to improve security in the workplace.  The course is self-paced
> and takes about an hour to complete. This comprehensive cross-sector
> training is appropriate for a broad audience regardless of knowledge and
> skill level.  The course promotes workplace security practices applicable
> across all 18 critical infrastructure sectors.   The training uses
> innovative multimedia scenarios and modules to illustrate potential
> security threats.  Threat scenarios include:
> > * Access & Security Control
> > * Criminal & Suspicious Activities
> > * Workplace Violence
> > * Cyber Threats
> >
> > The course also features interactive knowledge reviews, employee tools,
> and additional resources. 
> > Upon completion of Workplace Security Awareness, employees will be able
> to:
> > * Identify potential risks to workplace security
> > * Describe measures for improving workplace security
> > * Determine the actions to take in response to a security situation
> >
> > A certificate is given to participants who complete the entire course. 
> >
> > For more information about Office of Infrastructure Protection training
> courses, contact: IP_Education () hq dhs gov
> > For more information on the DHS Office of Infrastructure Protection:
> www.dhs.gov/criticalinfrastructure
> >  
> >  
>
>
> -Vik
>
> Vik Solem, CISSP, Sr. Applications Risk Consultant
> Tufts University, Information Security, vik.solem () tufts edu / 617-627-4326
> InfoSec Team: information_security () tufts edu / 617-627-6070
>
> Check Out the UIT Information Security Team blog
> https://wikis.uit.tufts.edu/confluence/display/infosecteamblog