[IP] more on Hacker Hits California University Computer

To: Ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] more on Hacker Hits California University Computer
From: David Farber <dave@xxxxxxxxxx>
Date: Wed, 20 Oct 2004 16:11:37 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx



Begin forwarded message:

From: Ross Stapleton-Gray <ross@xxxxxxxxxxxxxxxxxx>
Date: October 20, 2004 4:06:32 PM EDT
To: dave@xxxxxxxxxx
Subject: Re: [IP] Hacker Hits California University Computer

At 12:22 PM 10/20/2004, David Farber wrote:

SAN FRANCISCO (Reuters) - A computer hacker accessed names and Social
Security numbers of about 1.4 million Californians after breaking
into a University of California, Berkeley, computer system in perhaps
the worst attack of its kind ever suffered by the school, officials
said on Tuesday.

I used to be the IT Security Officer in the UC Office of the President;I was the first to fill the position, and it was eliminated about ayear later. UCOP can be said to manage the ten UC campuses, thoughpeople can also be said to "own" cats. :-) (Joking aside, there's afair amount of autonomy to each of the UC campuses... UC will have anoverarching IT security policy -- a major piece of it is here:http://www.ucop.edu/ucophome/policies/bfb/is3.pdf -- but each campuswill implement said policy, and its own policy or policies, as its ownorganization.)

As an ex-UC senior manager type, here are some comments and thoughts,both bearing on this current incident, and on academic computinggenerally.

Firstly, the most immediate and costly impact to UC occurs because ofstate law: SB 1386/AB 700 took effect July 1, 2003 (the start of theCalifornia fiscal year), and amended the state's Information PracticesAct to require that those affected by a breach of personal informationbe notified. The triggers include the combination of name and SSN(others would be name and CA driver's license number, or credit cardnumber *and* a password). So, presumably, Cal is on the hook to notifyanyone who might be exposed, and at *risk* of identity theft. Thisaspect of the law would incline the cautious organization to put inplace checks, e.g., egress monitoring, so that *if* there's a breach,one can know exactly what got exposed... there's a huge differencebetween "Someone cracked our system and copied out these 500 records,"and "Someone cracked our system and copied a megabyte or so from thisdatabase of a million individuals' records."

I was rather disappointed by how UC chose to implement policyamendments to respond to the changes in the law; so far as I saw theyconsisted largely of putting a patch on the existing security policy,when a more appropriate response, from my perspective, should have beento salvage an existing *records* policy that had seen years and yearsof neglect. The records policies already in force (though largelyunobserved) actually detailed how systems of records were to beaccounted for and overseen... one of the chief problems in respondingto breaches, as noted above, is in "knowing what you have and whathappened to it," and putting down new rules for whom to go to withalarms is only so effective if the information system inventory is ashambles. I think one could have left the security policies entirelyas they were, and simply hammered the records policies (and more, theirimplementation) back into compliance with reality.

Now on the other hand, any management of information systems in theuniversity environment needs to recognize its wildly decentralizednature. IS-3, the policy in the URL above, applies almost exclusivelyto *administrative* systems at UC, notwithstanding that the amendmentsto the IPA applied to *any* information held by UC. The articlesuggests that the compromised database was that of an academicresearcher; if this was some professor conducting an academic study,there's nothing in IS-3 to comment on his/her data security practices,or hold them to a given standard of competence. Likewise, IS-3 saysnothing about what happens over the residential networks (e.g.,networks serving the undergrad student dorms), though Cal wouldnecessarily have to be responsive to inquiries re infringement fromfile sharing abuses, etc., per other law.

A good campus IT security policy would recognize that the school is acommunity of communities; I'd actually start from thorough informationpolicies (e.g., recognizing the authorities responsible for any of theinformation collections, and the systems on which they reside, or overwhich they travel, across the administrative, academic, and residentialaspects of the university), and only then produce rather concise andsimple security policies.


Ross





-----

Ross Stapleton-Gray, Ph.D., CISSP
Stapleton-Gray & Associates, Inc.
http://www.stapleton-gray.com


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] Clinton To Hit Campaign Trail
Next by Date: [IP] more on new threat to our security: mail without complete addresses
Previous by thread: [IP] Clinton To Hit Campaign Trail
Next by thread: [IP] more on new threat to our security: mail without complete addresses
Index(es):
- Date
- Thread