By Adam Dodge
While I was compiling the Educational Security Incidents (ESI) Year in Review 2006, I noticed something interesting. Of the 83 information security incidents in 2006 reported by colleges and universities, 20 such incidents were due to Unauthorized Disclosure. Unauthorized Disclosure on ESI is defined as incidents involving the release of information to unknown and/or unauthorized individuals. In other words, Unauthorized Disclosure tends to involve employee or organizational mistakes at some level.
Looking back then at the 2006 incidents, these 20 incidents exposed about 232,000 records, or roughly 8.6% of all information exposed by colleges and universities last year. However, these 20 incidents account for about 25% of the total number of reported incidents. Since Unauthorized Disclosure incidents correspond to mistakes, we have one quarter of all incidents reported being caused not by external attackers, malicious users or even a run-of-the-mill thieves but by simple, preventable mistakes.
As I begin to look over the incidents report 2007, I unfortunately see the same trend emerging. Of the 47 incidents thus far, 16 incidents, or 34% of all incidents reported, have been Unauthorized Disclosures. An added twist this year is that 69% of these Unauthorized Disclosures (11 of the 16 incidents) occurred when private and/or personal information was placed on publicly accessible Web sites. Worse still, some of these incidents span years of unauthorized disclosure. For example:
– City College of San Francisco had student information available to anyone on the Internet for seven years
– University of Nebraska-Lincoln had student and faculty information on a public Web page for two years
– University of Pittsburghâ€™s Medical Center found a presentation containing patient information online in 2005 and removed it, only to have the same presentation show up again earlier this month.
As an individual working in Higher Education, I find this to be an alarming trend. We see incidents cause by external attackers such as the Ohio University fiasco or the UCLA database breach as wakeup calls for action. Cries are raised to â€œTighten security controlsâ€ and â€œWatch for those evil hackersâ€, but we are overlooking the damage we are doing to ourselves. While it is extremely difficult to find a â€œone size fits allâ€ solution to Information Security, there are some general steps each institution can take to help reduce the risk accidentally exposing student, faculty and/or staff information on a Web site.
Remove all personal information that is not needed
Okay, this one might seem a bit obvious, but it will significantly help to reduce the impact of information accidentally placed on public Web sites. Even internally, there are many instances where personal information (for example Social Security numbers as a unique ID) remain attached to a file simply because it is part of the record used to generate the file. Many (alright, most) times this level of detail is not needed and is simply left attached because it was the way the file was generated. Removing this information, or better yet replacing it with an internal unique ID, will help to limit the impact should such information make its way to the Web.
Stop using the web as a â€œtemporaryâ€ file transfer medium
At one time or another most of us have been guilty of do this. After all, there is a temptation to utilize Web space to transfer files. It is easy, requires few steps and is something with which we are all intimately familiar. However, too often such information is not removed from this â€œtemporaryâ€ holding space and thus becomes a â€œpermanentâ€ addition to the organizationâ€™s Web site. Worse yet, if this information becomes part of an Internet cache (i.e. Google Cache or the Wayback Machine) such information will remain on the Internet long after the original file is removed.
Periodically check the organizationâ€™s Web site for such information
Despite all efforts, there is a very good chance that personal information will end up, at some point in the future, on a public Web site. The reason for this is simple. Mistakes happen. After all, â€œto err is humanâ€. Therefore, it is important that each institution begin scanning Web sites of information such as Social Security and Credit Card numbers. The good news is that, since this information follows a standard format, scanning should not be all that difficult. In fact, there have been some good discussions of scanning for such information on the UNISOG and Educause mailing lists. The difficultly with scanning is determining how often such scans should occur. In the end, this discussion comes down what the institution feels is acceptable. If the institution has no problem with such information residing on the Web for a year, then annual scans will do. If a year is too long, then perhaps quarterly or monthly scans are in order.
In the end, we all need to be aware that simple employee errors cause a surprisingly large number of security breaches.