[ISN] It's Time to Protect Students' Data

From: InfoSec News (alerts@private)
Date: Tue Jul 11 2006 - 01:05:32 PDT


By Scott Olson
JULY 10, 2006

A third of all data leaks are at universities. Academia should be held to 
stricter record confidentiality standards

It pains me to say it: I am advocating government intervention and new 
regulations. But, as they say, special circumstances apply. 

As an alumnus of the University of Texas at Austin, specifically its 
McCombs School of Business, I was chagrined to learn that hackers recently 
gained access to some of the school's 197,000 records, some of which 
included my Social Security number (SSN) and other personal information, 
as well as that of many other alums. 

I've signed up with a credit-monitoring bureau and requested that the 
three main credit-reporting agencies put a fraud alert on my records. So 
the hackers have already made off with quite a lot: my time, my money, and 
my already fragile peace of mind. 

WAKEUP CALL.  It can sometimes take an incident like this to jolt you out 
of the theoretical. I've been in the network security industry for nearly 
two decades and am familiar with the latest technology, trends, and 
what-have-you. But this time, it's hitting home. And certainly not just 
for UT alumni: Data thieves are helping themselves to personal data at 
schools across the nation, as the recent penetration of three Ohio 
University servers holding the SSNs of 137,000 people attests. 

It got me thinking: Colleges and universities should be held to the same 
government compliance standards as companies that operate in health care 
or financial services. 

After all, a third of all data leaks are at universities, according to 
CNET Networks (CNET). That's not surprising, as universities walk a fine 
line between ensuring that users, many of whom are using personal laptops 
and other devices, have continuous access to network resources, while 
keeping those same resources safe from infections and unauthorized access. 
All too often, security gets shoved to the back burner in favor of keeping 
networks open and users productive. Cybercrooks, recognizing a good thing 
when they see it, are making hay while the sun shines. 

HACKER HEAVEN.  The proliferation and ease of use of wireless technology 
certainly haven't helped. I've talked to network administrators at some of 
my company's university customers; they report students doing everything 
from setting up unsecured wireless networks from dorm rooms to maliciously 
distributing worms that create a back door into the data files of infected 
systems. And once students are done wreaking their havoc, the chinks 
they've created in the network's security provide cybercriminals with yet 
another avenue into the network interior. 

Clearly, it's time for some guidelines for the protection of sensitive 
personal information in this overly dynamic environment. And I think it's 
going to take a government mandate. Don't get me wrong. I am in favor of 
market-driven initiatives. But the realist in me can't believe that, with 
their resources already stretched thin, the constituents of this 
splintered and diverse market can impose and enforce their own 
data-integrity regulations. 

Naturally, this brings to mind the government-enforced regulatory alphabet 
soup (CFR Part 11, GLBA, HIPAA, etc.) that, among other things, provides rules 
to protect record confidentiality. 

HIPAA, the Health Insurance Portability & Accountability Act, is designed to 
ensure that health-insurance coverage is available for people who lose or 
change jobs. This rule, which also establishes standards for the 
maintenance of patient records, has had some very positive outcomes. 

My health-insurance card, for instance, now bears a member I.D. number 
that differs from my SSN (a valid comparison when you consider that many 
universities use a student's SSN as a "student I.D. number," which means 
that the SSN is repeated on just about every scrap of information about 
that student). I'd say that's a change for the better. 

But the HIPAA experience has certainly not been all positive. Written in 
1996, and made effective in 2003, this well-intentioned act has spawned 
its own industry: Books, Web sites, e-mail newsletters, and the like 
proliferate, thanks to HIPAA's sheer complexity. Just googling "HIPAA 
Consulting" will generate in excess of 22,000 hits. The plethora of HIPAA 
consultants, methods, and approaches underscores just how challenging 
meeting these requirements can be. 

LEARNING FROM HEALTH CARE.  Even the HIPAA agreement you sign at the 
doctor's office reflects this. Here's a favorite quote of mine, pulled 
from a real HIPAA form: "If you do not object to these disclosures or we 
can infer from the circumstances that you do not object or we determine, 
in the exercise of our professional judgment, that it is in your best 
interest for us to make disclosure of information that is directly 
relevant to the person's involvement with your care, we may disclose your 
protected health information as described." 

I'm sure this is not what those at the Health & Human Services Dept. had 
in mind when they crafted HIPAA. 

So let's learn from HIPAA and its letter-happy brethren. Surely we can 
craft regulations for higher education that discourage the use of SSNs 
without creating too onerous a burden. 

Let's try something simple, that mandates that colleges and universities 
have, say, one year to protect personal information by insulating it from 
the general network. Stage 2 could allow five years to phase out use of 
SSNs as the key identifier for anyone for whom that organization retains 
personal information, not just students and faculty. 

Stage 3 could call for authentication methods that require a unique 
identifier other than SSN to allow interaction such as student 
registration, faculty study guide posting, and supplier order access. The 
negative reinforcement could take the shape of a publicly available, 
government-maintained Web site that identifies those universities and 
colleges who fail to take the privacy of their stakeholders as seriously 
as they ought. 
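The three stages above amount to one design change: keep the SSN in an isolated identity store, mint a random student identifier that carries no SSN information, and let every general-network system key its records on that identifier only. The sketch below is an added illustration of that separation, not code from the column or from any university; the HMAC lookup key, the ID format and the SSN-shape check are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed check: anything shaped like a nine-digit SSN, with or without dashes.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


class IdentityVault:
    """Stage 1/2: the only component that ever sees an SSN (assumed to sit on a segregated network)."""

    def __init__(self, index_key: bytes):
        self._key = index_key          # hypothetical per-deployment secret for the lookup index
        self._token_to_id = {}         # HMAC(SSN) -> student ID; no plaintext SSN in the index
        self._issued = set()

    def _token(self, ssn: str) -> str:
        if not SSN_RE.match(ssn):
            raise ValueError("not a nine-digit SSN")
        digits = ssn.replace("-", "")  # normalise so both written forms map to one token
        return hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()

    def student_id_for(self, ssn: str) -> str:
        """Return the student ID already issued for this SSN, or mint a fresh random one."""
        tok = self._token(ssn)
        if tok not in self._token_to_id:
            sid = f"S{secrets.randbelow(10**9):09d}"   # random, so it reveals nothing about the SSN
            while sid in self._issued:
                sid = f"S{secrets.randbelow(10**9):09d}"
            self._issued.add(sid)
            self._token_to_id[tok] = sid
        return self._token_to_id[tok]


class Registrar:
    """Stage 3: a general-network system keyed by student ID that refuses to store SSN-shaped values."""

    def __init__(self):
        self._records = {}

    def store(self, student_id: str, record: dict) -> None:
        for field, value in record.items():
            if isinstance(value, str) and SSN_RE.match(value):
                raise ValueError(f"field {field!r} looks like an SSN and may not be stored here")
        self._records[student_id] = dict(record)

    def lookup(self, student_id: str) -> dict:
        return self._records[student_id]
```

The registrar's refusal check is a cheap guard against the SSN creeping back in as a "student I.D. number" in some other field; in a real deployment the vault's key and data would be held behind their own access controls and audit logging.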

Of course, nothing in life is quite that simple. But if we start with the 
idea that this can be an exercise in common sense, then we should be able 
to arrive at a solution that solves more problems than it causes. 

Copyright 2000- 2006 by The McGraw-Hill Companies Inc. 

This archive was generated by hypermail 2.1.3 : Tue Jul 11 2006 - 01:11:51 PDT