[ISN] Massive data breach puts VA's IT policies under a microscope

InfoSec News isn at c4i.org
Wed May 31 03:13:16 EDT 2006


http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000787

By Jaikumar Vijayan
May 26, 2006 
Computerworld

Tim O'Pry, his wife and his son are all veterans, and they're among
the 26.5 million vets whose personal data was stolen this month from
the home of a U.S. Department of Veterans Affairs employee. What O'Pry
has a hard time understanding as an IT professional is why the
incident happened when technology and process controls are widely
available to mitigate such risks.

"Why the hell was someone allowed to have all that data at home?"  
asked O'Pry, who is chief technology officer at The Henssler Financial
Group in Kennesaw, Ga. "Surely, they must have had policies and
procedures to prevent that. If they didn't, why not? And if they did,
what sort of checks and balances did they have?"

O'Pry's sentiments were echoed by several other IT managers in the
wake of the VA's disclosure last week that "electronic data"  
containing the unencrypted names, Social Security numbers and birth
dates of all U.S. veterans discharged since 1975 was stolen during a
burglary at the Maryland home of a data analyst who works for the
agency.

VA officials said the analyst had legitimate access to the data at
work but wasn't authorized to take it home. The agency didn't specify
what kind of IT equipment was stolen, but the FBI and the VA inspector
general's office jointly identified it as a laptop and an external
hard drive.

The theft is one of the biggest data breaches reported thus far. But
aside from its massive scope, the incident at the VA is no different
from countless other compromises, and it points to a continuing
failure by many organizations to implement well-understood controls on
data transmission, access and storage, IT managers and security
analysts said.

"What it comes down to is information life-cycle management," said
Robert Garigue, chief security executive and vice president of
information integrity at Bell Canada in Montreal. Far too often,
companies focus solely on protecting their technology infrastructures,
to the exclusion of ensuring that the information stored within them
is safe from being illegally accessed or compromised, Garigue said.

The lack of attention paid to protecting data is especially dangerous
because of the widely distributed nature of corporate information and
the myriad ways in which it can be accessed, he added.

"I don't know if anybody can honestly say they have thought of every
single way someone can pilfer data," O'Pry conceded. But it pays to
put controls around some of the more obvious ones, he said.

One of the simplest steps is encrypting sensitive data on all
removable and archival storage media to protect against compromises if
devices are lost or stolen, said Eric Beasley, an IT security manager
at a bank in the Midwest that he asked not be named.

The VA "should have made it so easy and inexpensive for employees to
encrypt data on their PCs and have had such a high penalty for not
doing it that everyone would have [complied]," said Alan Paller,
director of research at the SANS Institute, an IT security research
and training firm in Bethesda, Md.

O'Pry said that restricting the ability of end users to attach
removable media, such as USB thumb drives, external hard disks, and
DVD and CD burners, to their systems is another relatively
straightforward way to lessen the risk of information leaks. "Every
company faces removable media issues," he noted.

In addition to adopting such restrictions, Henssler Financial has
installed network filters to ensure that sensitive information isn't
leaking out in e-mail messages or chat sessions and other peer-to-peer
applications, O'Pry said.
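The content-inspection half of such an outbound filter, as an added example (this is not Henssler Financial's filter or code from the article): scan each message body for Social Security numbers, drop matches that violate the Social Security Administration's structural rules to keep false positives down, block deliveries to external recipients and flag internal ones for review, and log only a masked form so the alert itself does not become a second leak. The message format, the `example.gov` internal domain, the thresholds and the sample messages are assumptions constructed for the example.

```python
import re

# Constructed sample messages (not real traffic). The second carries two SSNs,
# one hyphenated and one as a bare nine-digit run; the third contains numbers
# that look like SSNs but were never issued.
SAMPLE_MESSAGES = [
    {"from": "analyst@example.gov", "to": "me@home.example",
     "body": "Running late, see you at 6."},
    {"from": "analyst@example.gov", "to": "me@home.example",
     "body": "Vets list: Smith 123-45-6789, Jones 078051120, DOB 1961-03-04"},
    {"from": "analyst@example.gov", "to": "peer@example.gov",
     "body": "tickets 000-12-3456 and 666-12-3456 are not SSNs; call 900-12-3456"},
]

INTERNAL_DOMAIN = "@example.gov"   # assumed: mail to anything else is external

# area-group-serial, with optional hyphen or space separators; the lookarounds
# stop a 9-digit run inside a longer number (an account number, a DOB) matching.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area, group, serial):
    """Apply the SSA issuance rules: area 000, 666 and 900-999 are never
    issued, nor are group 00 or serial 0000. This removes placeholder and
    test numbers before they generate alerts."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_message(msg):
    """Return a verdict for one outbound message plus a redacted copy of its
    body. Plausible SSNs are counted and replaced by ***-**-<serial> so that
    the alert record never stores the full number."""
    hits = []

    def mask(m):
        area, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            return m.group(0)          # leave implausible numbers untouched
        hits.append(m.group(0))
        return "***-**-" + serial

    redacted = SSN_RE.sub(mask, msg["body"])
    external = not msg["to"].lower().endswith(INTERNAL_DOMAIN)
    if hits and external:
        verdict = "BLOCK"              # PII leaving the organisation
    elif hits:
        verdict = "FLAG"               # internal, but still worth a review queue
    else:
        verdict = "ALLOW"
    return {"to": msg["to"], "ssn_count": len(hits),
            "verdict": verdict, "redacted_body": redacted}


def scan_all(messages=SAMPLE_MESSAGES):
    return [scan_message(m) for m in messages]


if __name__ == "__main__":
    for r in scan_all():
        print(r["verdict"], r["to"], r["ssn_count"], "|", r["redacted_body"])
```

A pattern match on its own is not a policy decision: the split between BLOCK and FLAG is where the recipient, the sender's role and the volume of hits would feed in, and the structural check matters because mailing a phone number or a ticket ID must not light up the same alarm as mailing a veteran's identity.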

The financial services firm is also using a database auditing tool
from Acton, Mass.-based Lumigent Inc. to monitor database activity and
alert administrators to suspicious activity such as someone trying to
download unusually large amounts of data.
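The kind of check a database activity monitor performs for "unusually large" downloads, as an added example in Python (not Lumigent's product or code from the article): build a per-account baseline from historical audit records, then alert on any single query that returns far more rows than that account's norm and, separately, on a day's cumulative total, so that a slow drip of small pulls is caught as well as one bulk SELECT. The audit-record format, the account names, the 20x multiplier and the 1,000-row floor are assumptions constructed for the example; the sample log is fabricated.

```python
import re
import statistics
from collections import defaultdict

# Constructed audit records (not real VA logs). Three accounts: an analyst who
# runs small lookups, a nightly batch account that legitimately reads the whole
# table, and a clerk who normally runs two small queries a day.
AUDIT_LOG = """\
2006-04-28T09:12:03 user=janalyst db=vets stmt=SELECT rows=42 client=10.4.2.17
2006-04-28T11:40:55 user=janalyst db=vets stmt=SELECT rows=118 client=10.4.2.17
2006-04-29T10:03:41 user=janalyst db=vets stmt=SELECT rows=77 client=10.4.2.17
2006-04-29T15:22:09 user=janalyst db=vets stmt=SELECT rows=95 client=10.4.2.17
2006-04-30T08:51:30 user=janalyst db=vets stmt=SELECT rows=60 client=10.4.2.17
2006-04-28T23:00:01 user=nightly_etl db=vets stmt=SELECT rows=26500000 client=10.4.9.2
2006-04-29T23:00:02 user=nightly_etl db=vets stmt=SELECT rows=26500000 client=10.4.9.2
2006-04-30T23:00:01 user=nightly_etl db=vets stmt=SELECT rows=26500000 client=10.4.9.2
2006-04-28T10:00:00 user=rclerk db=vets stmt=SELECT rows=50 client=10.4.3.8
2006-04-28T14:00:00 user=rclerk db=vets stmt=SELECT rows=50 client=10.4.3.8
2006-04-29T10:00:00 user=rclerk db=vets stmt=SELECT rows=50 client=10.4.3.8
2006-04-29T14:00:00 user=rclerk db=vets stmt=SELECT rows=50 client=10.4.3.8
2006-04-30T10:00:00 user=rclerk db=vets stmt=SELECT rows=50 client=10.4.3.8
2006-04-30T14:00:00 user=rclerk db=vets stmt=SELECT rows=50 client=10.4.3.8
2006-05-03T17:48:12 user=janalyst db=vets stmt=SELECT rows=26500000 client=10.4.2.17
2006-05-03T23:00:01 user=nightly_etl db=vets stmt=SELECT rows=26500000 client=10.4.9.2
"""
# The clerk's slow drip: twelve 400-row pulls across one working day, none of
# them large on its own (also constructed).
AUDIT_LOG += "".join(
    f"2006-05-03T{9 + i:02d}:15:00 user=rclerk db=vets stmt=SELECT rows=400 client=10.4.3.8\n"
    for i in range(12)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) db=\S+ stmt=\S+ rows=(?P<rows>\d+) client=\S+$"
)


def parse(log):
    """Turn audit lines into events; in production an unparseable line is
    itself worth counting, since a gap in audit coverage is a finding."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "day": m["ts"][:10],
                           "user": m["user"], "rows": int(m["rows"])})
    return events


def baseline(events, cutoff):
    """Per-account medians (rows per query, rows per day) over events dated
    before the cutoff. Medians resist being dragged up by one past spike."""
    per_query = defaultdict(list)
    per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["day"] < cutoff:
            per_query[e["user"]].append(e["rows"])
            per_day[e["user"]][e["day"]] += e["rows"]
    return {u: {"query": statistics.median(per_query[u]),
                "day": statistics.median(list(per_day[u].values()))}
            for u in per_query}


def detect(events, cutoff, factor=20, floor=1000):
    """Evaluate events on or after the cutoff against the baseline. One alert
    per account per day at most: a bulk query alert suppresses the daily-total
    alert for that day, and an account with no history is judged by the floor."""
    base = baseline(events, cutoff)
    alerts, daily, alerted = [], defaultdict(int), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["day"] < cutoff:
            continue
        key = (e["user"], e["day"])
        b = base.get(e["user"])
        if b is None:
            if e["rows"] >= floor and key not in alerted:
                alerts.append({**e, "kind": "no-baseline", "threshold": floor})
                alerted.add(key)
            continue
        q_limit = max(floor, factor * b["query"])
        if e["rows"] > q_limit and key not in alerted:
            alerts.append({**e, "kind": "single-query", "threshold": q_limit})
            alerted.add(key)
        daily[key] += e["rows"]
        d_limit = max(floor, factor * b["day"])
        if daily[key] > d_limit and key not in alerted:
            alerts.append({**e, "kind": "daily-total", "rows": daily[key],
                           "threshold": d_limit})
            alerted.add(key)
    return alerts


if __name__ == "__main__":
    for a in detect(parse(AUDIT_LOG), cutoff="2006-05-01"):
        print(a["ts"], a["user"], a["kind"], a["rows"], ">", a["threshold"])
```

The batch account never alerts because its baseline already is the whole table; that is the right behaviour for a known job, but it also means a compromised service account is invisible to a purely statistical rule, so such accounts need a separate control (a fixed per-role ceiling, restriction to a known client address, or both) rather than a looser multiplier.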

Locking down a network against external attacks alone does little to
protect enterprise data against accidental and malicious compromises
from insiders, said Lloyd Hession, chief information security officer
at New York-based BT Radianz, which provides telecommunications
services to the financial industry.

In environments where end users can get access to huge databases
containing confidential information, there have to be many checks and
balances in place, Hession said. Equally crucial is the need for
security education and training, he added.

Lapses such as the one at the VA often happen because end users simply
don't know how to handle sensitive information, according to Hession.  
"The No. 1 tool really is awareness," he said.
