Damage Control: When Your Security Incident Hits the 6 o’clock News Marilu Goodyear CIO, University of Kansas Robert Clark, Jr. Director of Internal Auditing,

Damage Control: When Your Security Incident Hits the 6 o’clock News
Marilu Goodyear, CIO, University of Kansas
Robert Clark, Jr., Director of Internal Auditing, Ga Tech
Dan Updegrove, VP for IT, The U of Texas at Austin
Educause 2003, Anaheim, California, Nov 5, 2003

Goodyear/Clark/Updegrove, Educause 2003
Abstract
Even carefully deployed security systems aren’t 100% safe. While we work to reduce security exposures, we must also prepare for the day an incident hits the headlines. One way to prepare is to study lessons learned by those who have “been there, done that”: what worked, what didn’t, surprises encountered, surviving the crisis.

When in crisis, plan
Marilu Goodyear, Vice Provost for Information Services and CIO, University of Kansas

KU INS Data Incident
January 21, 2003: tech staff member reports a compromise on the machine being used to compile SEVIS data for submission
KU immediately launched a technical investigation; determined next day that the SEVIS test file had been taken (as well as rogue activity relating to movies and music)
File contained data from a Student Information System extract matching on:
–Country of permanent address
–Presence of visa information
Included some US students due to mismatches
1,900 records with this info: Name, Student ID No., Social Security No., Passport No., Country of Origin, Visa Status

Planning in a Crisis
Defined successful outcome
–Protect our students
–University acts, and is viewed as, a responsible organization
Mind map to get major areas of concern
Just kept determining next steps
Based on personal planning model
–David Allen, Getting Things Done

Organization of Response
Team – Overall Strategy
–Vice Provost/CIO
–Coordinator of IT Policy
–External Relations Staff: IT External Relations Officer, Director of University Relations
Team – Technical
–Associate Vice Provost
–IT Security Officer
–Technical staff who work on the system

Organization of Response
Team – Student Support
–Director of Office of International Students and Scholars
–Staff in office building the INS file
–Academic Computing for communication support
Team – Legal
–Provost
–Head, University Counsel
–VP/CIO
–Coordinator of IT Policy and Planning

Response Activities
Communication with FBI and INS; US Attorney called us after we went public
Notified State of Kansas Security Officer
Press release; waited to see if it had “legs”, then called a press conference
Student communication: Web, one phone number to call for support
Communication with software vendors and SEVIS technical staff

What we did right
Took care of the students
–Notified students quickly (four hours)
–Provided personal communication for students
–Legal Services for Students for identity theft assistance
Open communication strategy
–Provost support
–Went public quickly (five hours)
–Had media-savvy admin assistants to deal with phones
–Press conference to help deliver our message
–Involved students in the press conference

What we did right
Structure of our approach
–Involvement of campus players, good team of individuals
–Dynamic communication structure of activities and next actions
Technical
–Kept vendor name out of press announcements
–Notification of other IT professionals about their risk
–Work with software vendor to improve system security
Human resources approach: reward staff for reporting
Failed forward: had meetings to review actions, second-guess and learn

What we could have done better
Communication with law enforcement
Attention to open records issues in documenting the incident
Incident response procedures more specific
Communication internally to our own staff
Staff assumptions of system security
Language with press: Tech / English / Media translation table
Call them, don’t wait until they call you

Recommendations
Preparation activities
–Crisis communication plan
–Policy on whether and how to notify individuals affected
–Protocol for working with University Relations, Legal Counsel
–Prepare communication materials
In the heat of the moment
–Determine outcomes
–Plan
–Act
–Communicate

I’m from Internal Auditing, and I’m here to help you…
Robert N. Clark, Jr., Director of Internal Auditing, Georgia Institute of Technology

Responding to Info Security Incidents
Information on an incident may come from a variety of sources:
–OHR – personnel-related complaint
–Legal Affairs – person seeking legal advice
–Financial Services – questionable transaction(s)
–Campus Police – allegation of illegal behavior
–Information Security – analysis of questionable traffic or use, spurious bandwidth usage, intrusion detection reports, etc.
–Internal Auditing – information discovered during audit; Fraud, Waste, & Abuse Hotline; etc.
–Unit management with concerns over activity, etc.

Responding to Info Security Incidents
Challenge: ensuring a consistent approach to dealing with incidents
Risk: if an investigation is not handled appropriately or consistently, it puts the Institute at risk
Solution: IA recommended creation of an ad-hoc task force and procedure to address Info Security incidents


Step 1
Incident is brought to the attention of a member of management
He/she convenes the Ad-Hoc Group [CIO, Chief Audit Executive, Chief Legal Advisor, Director of Information Security, AVP-OHR, Director Homeland Security]
“What do we know now?” Group shares info to determine other resources that may need to be involved (e.g., AVP-Financial Services, Director Institute Communications, Chief Technology Officer, head of affected unit, etc.)
Group determines needed resources

Step 2
Group makes a determination on the potential outcome
–E.g., if the situation/allegations are proven true, will this likely result in (1) legal action, or (2) administrative/personnel action only?
–This determines the procedures to be followed in conducting the investigation and the standard of evidence to which we should adhere
–Also determines whether law enforcement should be notified and/or involved

Step 3
Group determines who will take the lead in facilitating the investigation. This person:
–Coordinates efforts, arranges meetings, initiates status reporting
–Initiates status reporting to the Office of the President
–Determines the appropriate custodian of investigation data
–Facilitates reporting at the end of the investigation

Step 4
Investigation is conducted following appropriate procedures agreed to by the Group
Regular communication with the Group on status, observations, noteworthy issues
Report is produced by the facilitator and reviewed (if necessary) by the Group to ensure all are aware of key issues

Step 5
Group re-convenes to:
–Evaluate effectiveness of process;
–Document “lessons learned”;
–Track total cost of incident in time and resources; and
–Discuss ways the situation may be prevented in the future, e.g.: Additional audit steps to examine for this elsewhere? Need for policy enhancement? Need for additional education/awareness?

Handling a Breach in Security
Dan Updegrove, VP for Information Technology, The University of Texas at Austin

UT Austin SSN Data Theft Chronology
Sun, Mar 2, 7:20 p.m.: Initial observation of high-volume database access from off-campus
Mar 3, a.m.: Law enforcement contacted
Mar 4, p.m.: Evidence points to UT student
Mar 5, p.m.: Two residences searched: Austin, Houston
Mar 5, p.m.: Austin American-Statesman breaks story; UT datatheft website deployed
Mar 14: UT undergraduate student charged
Nov 5: Federal case still pending …

UT Austin SSN: What Happened?
An insecure interface to a UT mainframe database provided access to over 1 million records
A rogue program was written to input 2.6 million sequential SSNs against this interface. Of these, ~50,000 matched, disclosing names of current/former UT Austin students, faculty, staff, admission & job applicants, library patrons; current/former fac/staff at other UT campuses
No evidence to date that SSNs or names were misused or disseminated – but it’s impossible to “prove a negative”
UT has attempted to contact all individuals affected
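The chronology above began with an observation of high-volume off-campus access, and the slide's numbers (2.6 million sequential lookups, ~50,000 matches) are the signature of an identifier-enumeration attack against a lookup interface: many requests from one source, keys that increment in lock-step, and a very low match rate. The detection logic below is an added example written for this page; it is not UT's code or data. The log format, the client addresses (documentation-range IPs), the lookup keys and the thresholds are all constructed assumptions.

```python
"""Flag sources that enumerate sequential identifiers against a lookup interface.

Added illustration for the UT Austin case on this page. The log format
(timestamp client_ip key result), the addresses and the thresholds are
constructed assumptions, not UT's systems or data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log: one off-campus client walks keys 0001..0010 with two
# matches, while two other clients each do a handful of ordinary lookups.
SAMPLE_LOG = """\
2003-03-02T19:20:01 203.0.113.7 0001 MISS
2003-03-02T19:20:01 203.0.113.7 0002 MISS
2003-03-02T19:20:02 203.0.113.7 0003 HIT
2003-03-02T19:20:02 203.0.113.7 0004 MISS
2003-03-02T19:20:03 203.0.113.7 0005 MISS
2003-03-02T19:20:03 203.0.113.7 0006 MISS
2003-03-02T19:20:04 203.0.113.7 0007 MISS
2003-03-02T19:20:04 203.0.113.7 0008 MISS
2003-03-02T19:20:05 203.0.113.7 0009 HIT
2003-03-02T19:20:05 203.0.113.7 0010 MISS
2003-03-02T19:21:10 192.0.2.44 4821 HIT
2003-03-02T19:25:33 192.0.2.44 4821 HIT
2003-03-02T19:40:02 192.0.2.45 7730 HIT
"""


@dataclass
class SourceProfile:
    """Per-client counters accumulated while scanning the log in time order."""
    requests: int = 0
    hits: int = 0
    sequential_steps: int = 0          # lookups whose key was exactly previous key + 1
    last_key: Optional[int] = None

    @property
    def hit_rate(self) -> float:
        return self.hits / self.requests if self.requests else 0.0

    @property
    def sequential_fraction(self) -> float:
        # fraction of transitions between consecutive lookups that incremented by one
        return self.sequential_steps / (self.requests - 1) if self.requests > 1 else 0.0


def parse_log(text: str) -> List[Tuple[str, str, int, bool]]:
    """Parse the assumed format into (timestamp, client_ip, key, matched)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, key, result = line.split()
        records.append((ts, ip, int(key), result == "HIT"))
    return records


def profile_sources(records: List[Tuple[str, str, int, bool]]) -> Dict[str, SourceProfile]:
    """Build one SourceProfile per client; records are assumed time-ordered."""
    profiles: Dict[str, SourceProfile] = {}
    for _ts, ip, key, matched in records:
        p = profiles.setdefault(ip, SourceProfile())
        p.requests += 1
        p.hits += int(matched)
        if p.last_key is not None and key == p.last_key + 1:
            p.sequential_steps += 1
        p.last_key = key
    return profiles


def flag_enumerators(profiles: Dict[str, SourceProfile], min_requests: int = 10,
                     min_sequential_fraction: float = 0.8,
                     max_hit_rate: float = 0.2) -> List[str]:
    """Return clients that look like enumerators: enough volume, and either
    lock-step sequential keys or a match rate far below a legitimate user's."""
    flagged = []
    for ip, p in profiles.items():
        if p.requests < min_requests:
            continue
        if p.sequential_fraction >= min_sequential_fraction or p.hit_rate < max_hit_rate:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    profiles = profile_sources(parse_log(SAMPLE_LOG))
    for ip, p in profiles.items():
        print(f"{ip}: {p.requests} lookups, seq={p.sequential_fraction:.2f}, hit={p.hit_rate:.2f}")
    print("flagged:", flag_enumerators(profiles))
```

Either signal on its own is informative: a legitimate student portal user matches nearly every lookup, whereas the slide's 50,000 matches out of 2.6 million requests is a hit rate under 2%. In production the same counters belong in the interface itself (per-client rate limits and alerting), not only in after-the-fact log review.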

UT Austin SSN: Communications
–UT’s public statement
–Links to US Attorney statements
–Link to over 2,000
–Link to data form: over 6,500
–Toll-free hotline: over 3,000
Press conference, same day the story broke in the A A-S
U.S. mail to all for whom UT can obtain addresses
Confusion, concern re “data theft” vs. “identity theft”
Total costs of incident exceed $120,000

UT SSN: Issues, Aftermath
Highlights risk of SSN as University ID
–UT Austin Cmte had been addressing this issue
Web front-ends remove “security by obscurity”
Downside of integrated databases
All UT System (15 campuses) central & mission-critical applications undergoing security review
UT System has launched a Security Advisory Cmte and an SSN Task Force

What & When to Disclose?
Should individuals be advised if their data was exposed?
What constitutes a “security breach?”
–Does any access to root compromise all data on the system?
–What if all evidence points away from personal data?
Potential for needless panic, versus
Potential for further damage to individuals – and institution – if “data theft” becomes “identity theft”
Public relations implications
Ethical implications
Legal requirements: none in Texas currently, but this may change if current California law is adopted elsewhere

California Civil Code
(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

California (Cont’d)
(e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
–(1) Social security number.
–(2) Driver's license or California ID Card number.
–(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
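The definition in subdivision (e) is what an incident team has to evaluate field by field once it knows which data an intruder reached: a name component, at least one qualifying data element, and the encryption status of each. The rule encoding below is an added example for this page, not text from the slides or any UC or UT procedure; the field labels and the dictionary representation (field name mapped to whether that field was encrypted) are constructed assumptions.

```python
"""Encode the 'personal information' test quoted from the California statute above.

Added example; not the presenters' code. A record is represented as a dict
mapping a field label to True if that field was stored encrypted, False if
not. The labels are constructed assumptions.
"""
from typing import Dict, List

NAME_FIRST = {"first_name", "first_initial"}          # either satisfies the name clause
NAME_LAST = "last_name"
STANDALONE_ELEMENTS = {"ssn", "drivers_license", "ca_id_card"}      # (e)(1) and (e)(2)
ACCOUNT_FIELDS = {"account_number", "credit_card_number", "debit_card_number"}   # (e)(3)
ACCOUNT_CODES = {"security_code", "access_code", "password"}        # (e)(3) qualifier


def _name_present(fields: Dict[str, bool]) -> bool:
    return NAME_LAST in fields and bool(NAME_FIRST & fields.keys())


def _data_elements(fields: Dict[str, bool]) -> List[bool]:
    """One entry per qualifying data element; value is True if it was encrypted."""
    elements = [fields[f] for f in STANDALONE_ELEMENTS & fields.keys()]
    accounts = ACCOUNT_FIELDS & fields.keys()
    codes = ACCOUNT_CODES & fields.keys()
    # (3): an account or card number counts only together with a code that
    # permits access; the combination is encrypted only if every part is.
    if accounts and codes:
        elements.append(all(fields[f] for f in accounts | codes))
    return elements


def is_personal_information(fields: Dict[str, bool]) -> bool:
    """True if the exposed fields meet subdivision (e): name plus at least one
    data element, where either the name or that element was not encrypted."""
    if not _name_present(fields):
        return False
    elements = _data_elements(fields)
    if not elements:
        return False
    name_encrypted = fields[NAME_LAST] and all(fields[f] for f in NAME_FIRST & fields.keys())
    return (not name_encrypted) or any(not enc for enc in elements)


if __name__ == "__main__":
    # Constructed field sets modelled on the incidents described in these slides.
    ut_style_record = {"first_name": False, "last_name": False, "ssn": False}
    print("name + plaintext SSN:", is_personal_information(ut_style_record))
    print("account number without code:",
          is_personal_information({"first_name": False, "last_name": False, "account_number": False}))
```

Two consequences of the wording are easy to miss and show up in the logic: an encrypted name paired with a plaintext SSN still qualifies, and a plaintext account number without its access code does not. Subdivision (a) then attaches the disclosure duty to unencrypted personal information that was, or is reasonably believed to have been, acquired; that second judgement (was it acquired?) is the factual question the chronology slides wrestle with, and no rule encoding answers it.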

California (Cont’d)
(g) For purposes of this section, "notice" may be provided by one of the following methods:
–(1) Written notice,
–(2) Electronic notice,
–(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of:
(A)
(B) Conspicuous posting of the notice on the agency's Web site page
(C) Notification to major statewide media

UC System Response
University of California System requires its campuses to take these steps to comply with the new state law that requires notification of people after a hacker/intruder has viewed their personal data:
Data Inventory ~ Set up a process to identify:
–Where personal information is used and stored.
–Who has authority to gain access to and use the data.
–The custodian of the data.
–An acceptable level of security protection for the data.

UC System Response (Cont’d)
Reporting Requirements:
–Campuses must report immediately in writing to the UC Assoc VP for Info Res & Communication anytime there has been a security breach.
–When the incident is closed, the report should provide a description of the incident, the response process, the notification process, and the actions taken to prevent further breaches of security.
Source: Chronicle of HE, June 6, 2003
See also: Full text of UC policy

Likely Federal Legislation?
Sen. Feinstein (D-CA) has introduced legislation, “Notification of Risk to Personal Data Act”, modeled after the California law, with its ambiguities
HB 2262, which amends the 1996 Fair Credit Reporting Act, passed in the House of Representatives Sept. 10 and awaits action in the Senate; weaker than some state laws, would reduce individual rights, says PIRG in Daily Texan, 9/25/03
“You have no privacy; get over it,” S. McNealy, CEO, Sun, 1999

Existing Federal Legislation
The Privacy Act of 1974 (5 U.S.C. 552A)
Family Educational Rights & Privacy Act (FERPA) of 1974
Electronic Communications Privacy Act (ECPA) of 1986
Health Insurance Portability and Accountability Act (HIPAA) of 1996
Gramm-Leach-Bliley Act, "Privacy of Consumer Financial Information" of 1999
USA Patriot Act of 2001

Resources
Ga Tech, “New security measures protect your information,”
KU, “Protecting your identity:”
UT, datatheft site:
Educause-Internet2 Security Task Force:
Privacy Rights Clearinghouse identity theft resources:
Chronicle of Higher Education: