more on Hacker Hits California University Computer

[David Farber <dave () farber net>]

Begin forwarded message:

From: Ross Stapleton-Gray <ross () stapleton-gray com>
Date: October 20, 2004 4:06:32 PM EDT
To: dave () farber net
Subject: Re: [IP] Hacker Hits California University Computer

At 12:22 PM 10/20/2004, David Farber wrote:
> SAN FRANCISCO (Reuters) - A computer hacker accessed names and Social
> Security numbers of about 1.4 million Californians after breaking
> into a University of California, Berkeley, computer system in perhaps
> the worst attack of its kind ever suffered by the school, officials
> said on Tuesday.

I used to be the IT Security Officer in the UC Office of the President; 
I was the first to fill the position, and it was eliminated about a 
year later.  UCOP can be said to manage the ten UC campuses, though 
people can also be said to "own" cats. :-)  (Joking aside, there's a 
fair amount of autonomy to each of the UC campuses... UC will have an 
overarching IT security policy -- a major piece of it is here: 
http://www.ucop.edu/ucophome/policies/bfb/is3.pdf -- but each campus 
will implement said policy, and its own policy or policies, as its own 
organization.)

As an ex-UC senior manager type, here are some comments and thoughts, 
both bearing on this current incident, and on academic computing 
generally.

Firstly, the most immediate and costly impact to UC occurs because of 
state law: SB 1386/AB 700 took effect July 1, 2003 (the start of the 
California fiscal year), and amended the state's Information Practices 
Act to require that those affected by a breach of personal information 
be notified.  The triggers include the combination of name and SSN 
(others would be name and CA driver's license number, or credit card 
number *and* a password).  So, presumably, Cal is on the hook to notify 
anyone who might be exposed, and at *risk* of identity theft.  This 
aspect of the law would incline the cautious organization to put in 
place checks, e.g., egress monitoring, so that *if* there's a breach, 
one can know exactly what got exposed... there's a huge difference 
between "Someone cracked our system and copied out these 500 records," 
and "Someone cracked our system and copied a megabyte or so from this 
database of a million individuals' records."

I was rather disappointed by how UC chose to implement policy 
amendments to respond to the changes in the law; so far as I saw they 
consisted largely of putting a patch on the existing security policy, 
when a more appropriate response, from my perspective, should have been 
to salvage an existing *records* policy that had seen years and years 
of neglect.  The records policies already in force (though largely 
unobserved) actually detailed how systems of records were to be 
accounted for and overseen... one of the chief problems in responding 
to breaches, as noted above, is in "knowing what you have and what 
happened to it," and putting down new rules for whom to go to with 
alarms is only so effective if the information system inventory is a 
shambles.  I think one could have left the security policies entirely 
as they were, and simply hammered the records policies (and more, their 
implementation) back into compliance with reality.

Now on the other hand, any management of information systems in the 
university environment needs to recognize its wildly decentralized 
nature.  IS-3, the policy in the URL above, applies almost exclusively 
to *administrative* systems at UC, notwithstanding that the amendments 
to the IPA applied to *any* information held by UC.  The article 
suggests that the compromised database was that of an academic 
researcher; if this was some professor conducting an academic study, 
there's nothing in IS-3 to comment on his/her data security practices, 
or hold them to a given standard of competence.  Likewise, IS-3 says 
nothing about what happens over the residential networks (e.g., 
networks serving the undergrad student dorms), though Cal would 
necessarily have to be responsive to inquiries re infringement from 
file sharing abuses, etc., per other law.

A good campus IT security policy would recognize that the school is a 
community of communities; I'd actually start from thorough information 
policies (e.g., recognizing the authorities responsible for any of the 
information collections, and the systems on which they reside, or over 
which they travel, across the administrative, academic, and residential 
aspects of the university), and only then produce rather concise and 
simple security policies.

Ross





-----

Ross Stapleton-Gray, Ph.D., CISSP
Stapleton-Gray & Associates, Inc.
http://www.stapleton-gray.com


-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/