Archive for the ‘IT Security’ Category

Is the IRS Keeping Your Data Safe?

Tuesday, April 17th, 2007

Today is tax day in the United States. Procrastinators will be spending the day wrapping up their returns, either filing online or racing to the local post office.

But, is the information you provide the IRS secure?

According to a recent article in Computerworld, your information is probably not as well protected as we’d like to think. The story reports: “An audit by the Treasury Inspector General for Tax Administration found that between January 2, 2003, and June 13, 2006, a ‘large number’ of laptops were stolen from the vehicles and homes of IRS employees, while 111 were stolen from various agency facilities.”

A separate test of laptops currently in use by employees found that 44% contained unencrypted sensitive data, including taxpayer data and employee personnel data. Most disappointing, these findings mirror those of a similar July 2003 report.

As the report indicated, “the IRS had not taken adequate corrective actions.” The article includes a response from IRS Commissioner Mark Everson, who says, “Our systems have extensive protection from outside penetration”, but that answer speaks to network intrusion and seems to indicate a failure to recognize the threats the audit actually found: not only laptop theft, but other insider data exposure.

The IRS expects a great deal from taxpayers when we prepare our returns. It’s time for taxpayers to expect more from the IRS when it comes to protecting our privileged information.

How Secure is Microsoft Vista?

Tuesday, April 10th, 2007

Many companies are still taking a “wait and see” attitude on upgrading their Microsoft desktops and laptops to the Vista operating system. The most heavily touted improvements in Vista are focused around security.

We’ve all seen the Apple commercial poking fun at the constant security prompts in Vista. So, what is the scoop on Vista security? Is it an improvement? Where does it still have room to improve?

This month’s ISSA Journal has the first of a multi-part overview of Windows Vista Security from Edward Ray and E. Eugene Schultz. The first installment focuses on User Account Control (UAC), Windows Defender, and Windows Firewall.

With UAC, Windows Vista separates standard user privileges and tasks from those requiring administrative access. According to Ray and Schultz, while this feature is not quite as good as simply logging on as a normal user, it is an additional layer of protection that was unavailable in Windows XP or Windows Server 2003.

One drawback of UAC is that every installation or execution of external code that needs elevated rights must be approved, whether it was initiated by the user or by a potentially malicious website. Users face a litany of boxes asking them to continue or cancel. Meanwhile, all other interaction is blocked and the screen darkens (the prompt is drawn on a separate, isolated desktop that other programs cannot draw over) until the series of dialog boxes has been dealt with. Pretty annoying, especially if you’re the user trying to get something installed.
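The darkened screen is the part of UAC most worth keeping: it is the secure desktop, and it is controlled by policy values under HKLM that an administrator (or malware with admin rights) can weaken. The following is an added example, not code from the ISSA Journal article or from Microsoft. It reads the documented UAC policy values from the registry when run on Windows and assesses any set of values against a hardened baseline. The registry value names and their meanings are Microsoft’s documented UAC settings; the baseline, the defaults assumed for absent values, and the sample value sets are assumptions constructed for this example.

```python
"""Assess Windows Vista UAC policy values against a hardened baseline.

Added example, not code from the ISSA Journal article or from Microsoft.
Value names and meanings are Microsoft's documented UAC policy settings;
the baseline and the sample value sets are constructed assumptions.
"""
import sys

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin",
              "ConsentPromptBehaviorUser", "PromptOnSecureDesktop")

# Documented meanings of ConsentPromptBehaviorAdmin.
ADMIN_PROMPT = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries",
}

# Values applied when a name is absent from the registry (assumed Vista defaults).
ASSUMED_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2,
                    "ConsentPromptBehaviorUser": 1, "PromptOnSecureDesktop": 1}


def read_uac_settings():
    """Read the live UAC values. Windows only; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, present only on Windows
    settings = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in UAC_VALUES:
            try:
                settings[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # absent value: Windows applies its default
    return settings


def assess_uac(settings):
    """Return a list of findings; an empty list means nothing weaker than baseline."""
    cfg = {**ASSUMED_DEFAULTS, **settings}
    findings = []
    if cfg["EnableLUA"] != 1:
        findings.append("UAC is disabled (EnableLUA=0): every process an "
                        "administrator starts runs with full rights, no prompt at all")
    if cfg["ConsentPromptBehaviorAdmin"] == 0:
        findings.append("administrators elevate without any prompt "
                        "(ConsentPromptBehaviorAdmin=0: %s)" % ADMIN_PROMPT[0])
    if cfg["PromptOnSecureDesktop"] != 1:
        findings.append("elevation prompts are drawn on the normal desktop "
                        "(PromptOnSecureDesktop=0): other software can overlay "
                        "or fake the consent dialog")
    return findings


# Constructed sample value sets (assumptions, not measurements of real systems).
SAMPLE_HARDENED = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2, "PromptOnSecureDesktop": 1}
SAMPLE_WEAKENED = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}
SAMPLE_UAC_OFF = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 2, "PromptOnSecureDesktop": 1}

if __name__ == "__main__":
    live = read_uac_settings()
    target = live if live else SAMPLE_WEAKENED  # fall back to a sample off Windows
    for line in assess_uac(target) or ["no findings against the baseline"]:
        print("-", line)
```

Both weakenings in SAMPLE_WEAKENED leave UAC “on”, so the user still sees prompts for some operations, yet an attacker who can run code as the logged-on administrator no longer has to get past a consent box at all. Checking these values is a one-line Group Policy compliance test that is cheaper than any amount of user training.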

Windows Defender, also available for Windows XP and Server 2003, helps protect against pop-up ads, slow performance, and security threats from spyware, adware, keyloggers and other unwanted software. Defender monitors in real time the areas of Windows Vista that such software targets, such as the Startup folder and the Autorun entries in the registry. However, in a test using a sample set of 25 spyware and malicious code samples, Defender failed to identify 84% of them. Organizations should in no way consider Windows Defender a substitute for third-party anti-spyware solutions.

Windows Firewall, the third area Ray and Schultz cover, is enabled by default in Vista and protects the computer as soon as Windows Vista boots. Unlike the Windows XP firewall, the Vista firewall can filter both inbound and outbound traffic, although outbound filtering is not on by default and must be turned on manually or through Group Policy. Like Windows Defender, Windows Firewall should be seen as a complement to third-party solutions, not a replacement.

Lisa Vaas has addressed these concerns in the print edition of eWeek. On March 5th, in an article entitled “Vista’s security called into question”, she wrote about how social engineering can undermine the effectiveness of UAC. In the March 19th edition, in “Will Vista Swat Bugs?”, she addressed all of the security features mentioned above and also touched on the Windows Security Center and BitLocker Drive Encryption.

As Ray and Schultz point out, Microsoft is moving in the right direction with Vista, but questions remain. The biggest challenge is usability. Will the myriad of security prompts lead users to switch off the approval step for software downloads and other potentially dangerous events?

My hunch is they will…until Microsoft finds a way to distinguish where a request originates, so the process isn’t such a pain.

Lessons from the DuPont Data Theft

Monday, April 2nd, 2007

Gary Min is the 43-year-old former senior scientist at DuPont who pleaded guilty to misappropriating $400 million worth of proprietary information. Min was due in court this past Thursday to be sentenced.

In a Computerworld story, Jaikumar Vijayan identifies six steps for mitigating the risk of insider threats and keeping track of what’s going on inside the firewall.

  1. Get a handle on the data
  2. Monitor content in motion
  3. Keep an eye on databases
  4. Limit user privileges
  5. Cover those endpoints
  6. Centralize your intellectual property data

Clearly, a list like this simplifies the real challenge each point represents, but it does remind us that we need to know what data we have, when it changes, who can access it, and where it’s located. All of this requires constant visibility into the enterprise, down to the configuration level.

In Min’s case, it is now known that he downloaded and accessed more than 15 times as many documents as the next most active user of the system. An outlier like that can and should be flagged far sooner than it was at DuPont; Min’s activity was not discovered until he was already working for a rival company.
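The “15 times the next most active user” figure is exactly the kind of comparison a document repository’s access log supports, provided someone is looking. The following is an added example, not code from Computerworld, DuPont, or Vijayan’s article: it parses access-log lines, counts downloads per user, and flags any user whose count dwarfs the next most active user or the median user. The log format, the user names and the records are constructed for this example; the 15x threshold is an assumption taken from the ratio reported in the case, and the median comparison is an addition that also catches two insiders working together.

```python
"""Flag users whose document downloads dwarf everyone else's.

Added example, not code from Computerworld, DuPont, or the article's author.
The log format, user names and records are constructed; the 15x threshold
is an assumption taken from the ratio reported in the Min case.
"""
from collections import Counter
import re
import statistics

# Assumed (constructed) log format: timestamp, user, action, document id.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+doc=(?P<doc>\S+)$")


def build_sample_log(downloads_per_user, views_per_user):
    """Construct synthetic access-log lines (constructed data, not a real system)."""
    lines = []
    for user, n in downloads_per_user.items():
        for i in range(n):
            lines.append(f"2006-08-{(i % 28) + 1:02d}T09:{i % 60:02d}:00 "
                         f"user={user} action=download doc=DOC-{i:04d}")
    for user, n in views_per_user.items():
        for i in range(n):
            lines.append(f"2006-08-{(i % 28) + 1:02d}T10:{i % 60:02d}:00 "
                         f"user={user} action=view doc=DOC-{i:04d}")
    return lines


def download_counts(lines):
    """Count download actions per user; malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("action") == "download":
            counts[m.group("user")] += 1
    return counts


def flag_outliers(counts, ratio_to_next=15.0, ratio_to_median=10.0):
    """Return users whose downloads are >= ratio_to_next times the next most
    active user (Min's 15x) or >= ratio_to_median times the median user.
    The median test still fires when two heavy downloaders mask each other."""
    ranked = counts.most_common()
    if len(ranked) < 2:
        return []  # nothing to compare against
    median = statistics.median(counts.values())
    flagged = []
    for i, (user, n) in enumerate(ranked):
        nxt = ranked[i + 1][1] if i + 1 < len(ranked) else 0
        r_next = n / nxt if nxt else 0.0   # last user has nobody below to compare with
        r_med = n / median if median else 0.0
        if r_next >= ratio_to_next or r_med >= ratio_to_median:
            flagged.append({"user": user, "downloads": n,
                            "x_next": round(r_next, 1), "x_median": round(r_med, 1)})
    return flagged


# Constructed scenario: one scientist pulling hundreds of documents, peers pulling a dozen or so.
SAMPLE_DOWNLOADS = {"alice": 320, "bob": 20, "carol": 18, "dave": 15, "erin": 12}
SAMPLE_VIEWS = {"alice": 5, "bob": 40, "carol": 25}

if __name__ == "__main__":
    counts = download_counts(build_sample_log(SAMPLE_DOWNLOADS, SAMPLE_VIEWS))
    for hit in flag_outliers(counts):
        print(f"{hit['user']}: {hit['downloads']} downloads, "
              f"{hit['x_next']}x the next user, {hit['x_median']}x the median")
```

Run it on a day’s or a month’s worth of repository logs and the report is a single line per suspect, which is all a review process needs to start asking questions. Views are counted separately from downloads on purpose: reading a document on screen and taking a copy of it out of the system are different risks.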

Read Vijayan’s article and see how well you’re doing against his six points…and how many more you might add to his list!

Ominous Milestone Ahead for Data (In)security

Thursday, March 29th, 2007

A research paper due out this summer predicts that the two billionth lost record will be compromised by the end of 2007. In a story posted on ScienceDaily.com, Phil Howard, an Associate Professor of Communications at the University of Washington, states that “electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year.”

Howard, along with Kris Erickson, a UW doctoral candidate in geography, will have their work published in the July edition of the Journal of Computer-Mediated Communication.

Howard and Erickson don’t blame hackers for the escalation in data loss, though; they put the blame on the shoulders of corporate America, citing research showing that three out of every five data losses involving personal information are tied to corporate malfeasance.

A couple of things to note. The numbers in the study were compiled from media stories; as Erickson indicates, that makes them conservative, since unreported losses and smaller incidents that never made headline news are not counted. Erickson also acknowledges the role California’s Notice of Security Breach law has played in increasing the number of breaches publicized in the last couple of years, and that effect shows clearly in the increase between their 2006 and 2007 numbers.

With these ominous statistics, it won’t be long before everyone in America has had their personal information compromised at least once.

Free Advice on Data Security from the FTC

Wednesday, March 28th, 2007

Yesterday I called out the lack of action the Federal Trade Commission has taken against companies that suffered a breach, in part due to gaps in the security controls in their infrastructure.

Seems only fair that I would give the FTC its due when warranted. A few weeks ago, the agency released a 24-page booklet entitled “Protecting Personal Information: A Guide for Business.” According to a post by Rebecca Herold, the free guide is organized around the following five themes:

“TAKE STOCK. Know what personal information you have in your files and on your computers.

SCALE DOWN. Keep only what you need for business.

LOCK IT. Protect the information you keep.

PITCH IT. Properly dispose of what you no longer need.

PLAN AHEAD. Create a plan to respond to security incidents.”

As Herold indicates, “this is a very good PII (personally identifiable information) protection primer.”

Mike Rothman also highlighted the guidance the guide gives on being proactive about preparing for potential security incidents.

The FTC has produced a beneficial tool, free to the reader (paid for with taxpayer money), that gives clear, basic guidance on information security: a great start for anyone new to the field and a reasonable baseline for more experienced infosec professionals to cross-check their efforts against.
