http://www.collegian.psu.edu/archive/2008/02/26/security_of_data_analyzed_in_s.aspx By Elizabeth Murphy Collegian Staff Writer February 26, 2008 Information security breaches at colleges and universities are on the rise, according to a report released earlier this month. The report, Educational Security Incidents (ESI) Year in Review, spotlights institutions worldwide, and Penn State was included in the report with one data breach last year. In September, the Social Security numbers of more than 10,500 marines were inadvertently posted on a Penn State Web site. The names and numbers were compiled for a research project being conducted at Penn State, according to the report. "My goal with ESI is to, hopefully, increase awareness within higher education that not only is information security a concern, but that the threats to college and university information is not as simple as network and/or computer attacks," Adam Dodge, ESI creator, wrote in an e-mail. The report indicated that there were a total 139 incidents at institutions during 2007, a 67.5 percent increase since 2006. The total number of institutions affected by data breaches also went up to 112, a 72.3 percent increase since 2006. The report also shows the majority of information breaches at colleges came from unintentional leaks, rather than hackers. But Penn State Information Technology Vice Provost Kevin Morooney said he isn't sure how deeply anyone should read into the report. "I'm ignoring the report," he said. "Hackers are a constant and daily threat at the university, and we have many things put in place to mitigate the risk." Morooney said the IT team at Penn State has many preventative measures in place, including the switch from Social Security numbers to student ID numbers as the primary identifier three years ago. Another potential data breach involved a laptop containing archived information, including Social Security numbers for 677 students who attended Penn State between 1999 and 2004, that was stolen from a faculty member while traveling in January. This incident was not included in ESI's 2007 report. Morooney said Penn State provides anti-virus software for faculty and students and utilizes an intrusion detection system that notifies Information Technology Services (ITS) if a computer is compromised. More recently, ITS has been scanning hundreds of computers in search of sensitive data to make them safer for faculty. "It comes down to people realizing how important it is as individuals to take individual action because it will breed institutional reaction as well," Morooney said. "I think there is a heightened sense of awareness, but it is not where it needs to be." Morooney said people have a heightened concern about privacy but don't take computer information as seriously. He said someone hacking into a person's computer is just like someone breaking into a person's home. Dodge said people need to protect their private digital information better by utilizing protection programs and just being knowledgeable about the risks. "In the end, the goal is to have technical and non-technical security programs that complement and reinforce each other," Dodge wrote. Dodge also wrote that data breaches will continue to happen, but it is now up to the colleges and universities to take the steps to make them few and far between. "One of the most important ways that colleges and universities can control breaches and data leakage is to educate employees about the risks and to ensure that employees understand that information security is everyone's responsibility," Dodge wrote. ___________________________________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Tue Feb 26 2008 - 00:31:44 PST