[ISN] Army command laptop missing

From: InfoSec News (alerts@private)
Date: Thu Nov 02 2006 - 22:31:38 PST


http://www.gcn.com/online/vol1_no1/42491-1.html

By Jason Miller
GCN Staff
11/02/06

The Army's Accessions Command in Ft. Monroe, Va., reported a laptop 
computer with personal information on 4,600 scholarship applicants for 
the Reserve Officer Training Corps went missing Oct. 23.

The command just yesterday let the House Government Reform Committee 
know that the notebook went missing. The committee asked all agencies to 
report all data breaches since Jan. 1, 2003. Agencies had until July 24 
to report their information, but the committee still is receiving 
reports of data breaches.

Paul Boyce, an Army spokesman, said the data was password protected 
using the Common Access Card. This means whoever allegedly stole the 
laptop would need the card and the user's personal identification number 
to access the computer. However, the data itself was not encrypted.

This was the first time the Army has reported a data breach, according 
to committee chairman Rep. Tom Davis (R-Va.).

Davis, speaking today at an IT security event in Falls Church, Va., 
sponsored by the Information Technology Association of America, an 
industry trade organization in Arlington, Va., said the Army either has 
been that good or lucky or their information is incomplete.

The Veterans Affairs Department incident earlier this year, when the 
laptop was stolen, "raised the threshold of awareness to just how 
vulnerable we are."

"There is a need for proactive breach reporting requirements," Davis 
said. "The history of withholding [news of] these events has to stop."

An amendment spelling out reporting requirements was included in the VA 
bill passed by the House just before the election recess, he added.

The lost laptop comes about a month after Army CIO Lt. Gen. Stephen 
Boutelle signed a memo outlining steps commands should take to protect 
personal information.

In a memo to members of Congress about the missing laptop, the Army said 
the notebook contained social security numbers, addresses, dates of 
birth and other personal identifiable information of ROTC applicants.

The Army said there is an ongoing investigation by the Criminal 
Investigation Command as well as a Commander's inquiry. Additionally, the 
Training and Doctrine Command reviewed physical security measures and 
implemented new ones to help prevent a recurrence, the statement to 
Congress said.

TRADOC also will send out a letter notifying applicants of possible data 
breach as well as monitoring and protective steps that can be taken 
against identity theft.

In the memo to Army commands, Boutelle directed them to immediately 
implement data-at-rest remediation procedures for all mobile information 
systems. These include:
    
* Identifying and labeling laptops and USB devices designed for travel 
  support, and securing the most vulnerable users and systems first.
    
* Extend existing encryption capabilities to all systems at risk.
    
* If a command does not have encryption capabilities, use Microsoft 
  Corp.'s Windows XP Pro Encrypting File System functions coupled with 
  the command's Active Directory management structure to secure data 
  through a centrally managed certificate issuance encrypting file 
  system.
    
* If the command does not have Microsoft's product, they should use either 
  whole disk encryption tools or file system encryption tools from 
  Credant Technologies Inc. of Addison, Texas, or PointSec Mobile 
  Technologies of Lisle, Ill., which are approved products.


Boutelle also said the pilot data encryption program going on in the 
headquarters department will help develop the requirements and business 
case for a contract for an interim enterprise solution that addresses 
all users and systems by Jan. 1, 2007. This could be an enterprisewide 
licensing deal with Credant, PointSec, Microsoft or all three.

"The Army has been very proactive in this," said Pete Morrison, Credant's 
director of federal operations. "They have done a good job in providing 
guidance. This has been important to them before [the Office of 
Management and Budget] mandate or the guy at the VA lost the laptop. The 
Army takes this stuff seriously."

GCN senior writer Patience Wait contributed to this story.

