
Damage Control: When Your Security Incident Hits the 6 o’clock News

Marilu Goodyear, CIO, University of Kansas

Robert Clark, Jr., Director of Internal Auditing, Ga Tech

Dan Updegrove, VP for IT, The U of Texas at Austin

Educause 2003, Anaheim, California

Nov 5, 2003

Nov 5, 2003 Goodyear/Clark/Updegrove 2

Educause 2003 Abstract

Even carefully deployed security systems aren’t 100% safe. While we work to reduce security exposures, we must also prepare for the day an incident hits the headlines. One way to prepare is to study lessons learned by those who have “been there, done that”: what worked, what didn’t, surprises encountered, surviving the crisis.

When in crisis, plan

Marilu Goodyear

Vice Provost for Information Services and CIO

University of Kansas

[email protected]

KU INS Data Incident

• January 21, 2003: tech staff member reports a compromise on the machine being used to compile SEVIS data for submission

• KU immediately launched a technical investigation; determined next day that the SEVIS test file had been taken (as well as rogue activity relating to movies and music)

• File contained data from a Student Information System extract matching on:

  – Country of permanent address

  – Presence of visa information

• Included some US students due to mismatches

• 1,900 records with this info: Name, Student ID No., Social Security No., Passport No., Country of Origin, Visa Status

Planning in a Crisis

• Defined Successful Outcome

– Protect our students

– University acts, and is viewed as, a responsible organization

• Mind map to get major areas of concern

• Just kept determining next steps

• Based on personal planning model

– David Allen, Getting Things Done

– www.davidco.com


Organization of Response

• Team – Overall Strategy

– Vice Provost/CIO

– Coordinator of IT Policy

– External Relations Staff

• IT External Relations Officer

• Director of University Relations

• Team - Technical

– Associate Vice Provost

– IT Security Officer

– Technical staff who work on system


Organization of Response

• Teams – Student Support

– Director of Office of International Students and Scholars

– Staff in office building INS file

– Academic Computing for e-mail communication support

• Teams – Legal

– Provost

– Head, University Counsel

– VP/CIO

– Coordinator of IT Policy and Planning


Response Activities

• Communication with FBI and INS

• US Attorney called us after public

• Notified State of Kansas Security Officer

• Press release, waited to see if it had “legs”, then called a press conference

• Student communication: e-mail, Web, one phone number to call for support

• Communication with software vendors and SEVIS technical staff


What we did right

• Took care of the students

  – Notified students quickly (four hours)

  – Provided personal communication for students

  – Legal Services for Students for identity theft assistance

• Open communication strategy

  – Provost support

  – Went public quickly (five hours)

  – Had media savvy admin assistants to deal with phones

  – Press conference to help deliver our message

  – Involved students in the press conference

What we did right (Cont’d)

• Structure of our approach

– Involvement of campus players, good team of individuals

– Dynamic communication structure of activities and next actions

• Technical

– Kept vendor name out of press announcements

– Notification of other IT professionals about their risk

– Work with software vendor to improve system security

• Human resources approach: Reward staff for reporting

• Failed Forward: Had meetings to review actions, second guess and learn


What we could have done better

• Communication with law enforcement

• Attention to open records issues in documenting the incident

• Incident response procedures more specific

• Communication internally to own staff

• Staff assumptions of system security

• Language with press: Tech, English, Media translation table

• Call them, don’t wait until they call you


Recommendations

• Preparation Activities

  – Crisis communication plan

  – Policy on whether and how to notify individuals affected

  – Protocol for working with University Relations, Legal Counsel

  – Prepare communication materials

• In the heat of the moment

  – Determine outcomes

  – Plan

  – Act

  – Communicate

I’m from Internal Auditing, and I’m here to help you…

Robert N. Clark, Jr.

Director of Internal Auditing

Georgia Institute of Technology

[email protected]

Responding to Info Security Incidents

Information on an incident may come from a variety of sources:

– OHR – personnel-related complaint

– Legal Affairs – person seeking legal advice

– Financial Services – questionable transaction(s)

– Campus Police – allegation of illegal behavior

– Information Security – analysis of questionable traffic or use, spurious bandwidth usage, intrusion detection reports, etc.

– Internal Auditing – information discovered during audit; Fraud, Waste, & Abuse Hotline; etc.

– Unit management with concerns over activity, etc.


Responding to Info Security Incidents

Challenge: ensuring a consistent approach to dealing with incidents

Risk: If investigation not handled appropriately or consistently, puts Institute at risk

Solution: IA recommended creation of ad-hoc task force and procedure to address Info Security incidents

[Diagram: Georgia Tech Dept. of Internal Auditing - Office of Information Technology - Information Security Collaborative Diagram, Monday, March 31, 2003; http://www.audit.gatech.edu/IAcollabrative2.wmf. The flowchart’s nodes:]

– Event or Incident Requiring Collaboration

– Ad-Hoc Group Convenes

  o Director of Internal Auditing

  o Chief Legal Advisor

  o Associate VP - Office of Human Resources

  o Associate VP - Office of Information Technology

  o Director of Information Security

– Determine Potential Outcome: Legal Action / Administrative Outcome

– Determine Lead:

  - Coordination of Efforts

  - Determine Custodians of Data

  - Responsibility for Reporting, as required

– Determine Resources; Other Resources to be Considered:

  o Director of Campus Security (Police)

  o Associate VP Financial Services

  o Director of Institute Communications

  o Unit Head of Affected Area

  o Chief Technology Officer

– Determine Scope: Review Method (Intrusive / Non Intrusive); Investigation (Level of Forensics)

– Conduct Investigation

– Communication of Results

Step 1

• Incident is brought to attention of member of mgmt

• He/She convenes Ad-Hoc Group [CIO, Chief Audit Executive, Chief Legal Advisor, Director of Information Security, AVP-OHR, Director Homeland Security]

• “What do we know now?”

• Group shares info to determine other resources that may need to be involved (e.g., AVP-Financial Services, Director Institute Communications, Chief Technology Officer, head of affected unit, etc.)

• Group determines needed resources

Step 2

Group makes a determination on the potential outcome

– E.g., if the situation/allegations are proven true, will this likely result in (1) legal action, or (2) administrative/personnel action only?

– This determines procedures to be followed in conducting the investigation and standard of evidence to which we should adhere

– Also determines whether law enforcement should be notified and/or involved


Step 3

Group determines who will take the lead in facilitating the investigation.

This person:

– Coordinates efforts, arranges meetings, initiates status reporting

– Initiates status reporting to the Office of the President

– Determines appropriate custodian of investigation data

– Facilitates reporting at the end of investigation

Step 4

• Investigation is conducted following appropriate procedures agreed-to by Group

• Regular communication with Group on status, observations, noteworthy issues

• Report is produced by the facilitator and reviewed (if necessary) by Group to ensure all are aware of key issues


Step 5

Group re-convenes to:

– Evaluate effectiveness of process;

– Document “lessons learned”;

– Track total cost of incident in time and resources; and

– Discuss ways the situation may be prevented in the future, e.g.,

  • Additional audit steps to examine for this elsewhere?

  • Need for policy enhancement?

  • Need for additional education/awareness?

Handling a Breach in Security

Dan Updegrove

VP for Information Technology

The University of Texas at Austin

[email protected]

UT Austin SSN Data Theft Chronology

• Sun, Mar 2, 7:20 p.m.: Initial observation of high-volume database access from off-campus

• Mar 3, a.m.: Law enforcement contacted

• Mar 4, p.m.: Evidence points to UT student

• Mar 5, p.m.: Two residences searched: Austin, Houston

• Mar 5, p.m.: Austin American-Statesman breaks story; UT datatheft website deployed

• Mar 14: UT undergraduate student charged

• Nov 5: Federal case still pending …


UT Austin SSN: What Happened?

• An insecure interface to a UT mainframe database provided access to over 1 million records

• A rogue program was written to input 2.6 million sequential SSNs against this interface.

• Of these, ~ 50,000 matched, disclosing names of current/former UT Austin students, faculty, staff, admission & job applicants, library patrons; current/former fac/staff at other UT campuses

• No evidence to date that SSNs, names misused or disseminated – but it’s impossible to “prove a negative”

• UT has attempted to contact all individuals affected
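The pattern described on this slide, a program feeding millions of sequential SSNs to a lookup interface and keeping the roughly 2% that matched, is what the Mar 2 observation of “high-volume database access from off-campus” in the chronology caught. The script below is an added example, not code from the presentation or from UT Austin: it reads access logs of a lookup interface and, per source address, measures request rate, the miss ratio (an enumerator mostly guesses keys that do not exist) and how often successive keys differ by exactly one. The log format, IP addresses, key values and thresholds are constructed assumptions; the sample log is built inline.

```python
"""Flag identifier enumeration against a lookup interface from its access logs.

Added example (not code from the presentation or from UT Austin). The log
format, addresses, keys and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <source IP> key=<9 digits> result=hit|miss"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) key=(?P<key>\d{9}) result=(?P<result>hit|miss)$"
)

# Assumed thresholds; tune them against a baseline of legitimate traffic.
MIN_REQUESTS = 50              # a source with fewer requests is not judged at all
MAX_MISS_RATIO = 0.5           # legitimate users mostly look up keys that exist
MIN_SEQUENTIAL_FRACTION = 0.8  # share of consecutive requests whose key grew by exactly 1


@dataclass
class Request:
    ts: datetime
    ip: str
    key: int
    hit: bool


def parse_line(line):
    """Return a Request for a well-formed log line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Request(datetime.fromisoformat(m["ts"]), m["ip"],
                   int(m["key"]), m["result"] == "hit")


def analyse(lines):
    """Per source IP: volume, rate, miss ratio, sequential-key fraction and a verdict."""
    by_ip = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req is not None:
            by_ip[req.ip].append(req)

    findings = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r.ts)
        n = len(reqs)
        hits = sum(1 for r in reqs if r.hit)
        sequential = sum(1 for a, b in zip(reqs, reqs[1:]) if b.key - a.key == 1)
        span = (reqs[-1].ts - reqs[0].ts).total_seconds()
        per_minute = n * 60 / span if span > 0 else float(n)
        miss_ratio = (n - hits) / n
        seq_fraction = sequential / (n - 1) if n > 1 else 0.0

        reasons = []
        if n >= MIN_REQUESTS and miss_ratio >= MAX_MISS_RATIO:
            reasons.append("high miss ratio")
        if n >= MIN_REQUESTS and seq_fraction >= MIN_SEQUENTIAL_FRACTION:
            reasons.append("sequential keys")
        findings[ip] = {
            "requests": n, "hits": hits,
            "per_minute": round(per_minute, 1),
            "miss_ratio": round(miss_ratio, 3),
            "sequential_fraction": round(seq_fraction, 3),
            "suspicious": bool(reasons), "reasons": reasons,
        }
    return findings


def build_sample_log():
    """Constructed sample: one ordinary user and one enumerating source."""
    t0 = datetime(2003, 3, 2, 19, 20, 0)  # date taken from the chronology slide
    lines = []
    # Ordinary user: three lookups spread over two minutes, one of them a typo.
    for i, (key, result) in enumerate([(123456789, "hit"), (123456788, "miss"),
                                       (987654321, "hit")]):
        ts = t0 + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} 192.0.2.10 key={key:09d} result={result}")
    # Enumerator: 200 consecutive keys in 40 seconds, about 2% of them matching.
    for i in range(200):
        ts = t0 + timedelta(milliseconds=200 * i)
        result = "hit" if i % 50 == 0 else "miss"
        lines.append(f"{ts.isoformat()} 198.51.100.23 key={100000000 + i:09d} result={result}")
    return lines


if __name__ == "__main__":
    for ip, finding in analyse(build_sample_log()).items():
        print(ip, finding)
```

The miss ratio and sequential-key checks complement each other: an enumerator that randomises its order still fails most lookups, and one that only probes known-valid ranges still walks them in sequence. Detection is the fallback, though; the durable fixes named later in the deck are the ones that remove the exposure, namely reviewing the interface itself and no longer using the SSN as the identifier that a public front-end accepts.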


UT Austin SSN: Communications

• https://www.utexas.edu/datatheft/

  – UT’s public statement

  – Links to US Attorney statements

  – Link to email: over 2,000

  – Link to data form: over 6,500

  – Toll-free hotline: over 3,000

• Press conference, same day story broke in the Austin American-Statesman

• U.S. mail to all for whom UT can obtain addresses

• Confusion, concern re “data theft” vs. “identity theft”

• Total costs of incident exceed $120,000

UT SSN: Issues, Aftermath

• Highlights risk of SSN as University ID

– UT Austin Cmte had been addressing this issue

• Web front-ends remove “security by obscurity”

• Downside of integrated databases

• All UT System (15 campuses) central & mission-critical applications undergoing security review

• UT System has launched a Security Advisory Cmte and a SSN Task Force


What & When to Disclose?

• Should individuals be advised if their data exposed?

• What constitutes a “security breach?”

  – Does any access to root compromise all data on system?

  – What if all evidence points away from personal data?

• Potential for needless panic, versus

• Potential for further damage to individuals – and institution – if “data theft” becomes “identify theft”

• Public relations implications

• Ethical implications

• Legal requirements: none in Texas currently, but this may change if current California law is adopted elsewhere


California Civil Code 1798.29

(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.


California 1798.29 (Cont’d)

(e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

– (1) Social security number.

– (2) Driver's license or California ID Card number.

– (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.


California 1798.29 (Cont’d)

(g) For purposes of this section, "notice" may be provided by one of the following methods:

– (1) Written notice,

– (2) Electronic notice,

– (3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of:

  • (A) E-mail

  • (B) Conspicuous posting of the notice on the agency's Web site page

  • (C) Notification to major statewide media

UC System Response to 1798.29

University of California System requires its campuses to take these steps to comply with the new state law that requires notification of people after a hacker/intruder has viewed their personal data:

Data Inventory ~ Set up a process to identify:

– Where personal information is used and stored.

– Who has authority to gain access to and use the data.

– The custodian of the data.

– An acceptable level of security protection for the data.

UC System Response (Cont’d)

Reporting Requirements: campuses must report immediately in writing to the UC Assoc VP for Info Res & Communication:

– Any time there has been a security breach.

– When the incident is closed. The report should provide a description of the incident, the response process, the notification process, and the actions taken to prevent further breaches of security.

Source: Chronicle of HE, June 6, 2003

See also: Full text of UC policy

Likely Federal Legislation?

Sen. Feinstein (D-CA) has introduced legislation, “Notification of Risk to Personal Data Act” -- modeled after the California law, with its ambiguities

HB 2262, which amends the 1996 Fair Credit Reporting Act, passed in the House of Representatives Sept. 10, awaits action in the Senate, weaker than some state laws, would reduce individual rights, says PIRG in Daily Texan, 9/25/03

“You have no privacy; get over it,” S. McNeely, CEO, Sun, 1999


Existing Federal Legislation

• The Privacy Act of 1974 (5 U.S.C. 552A)

• Family Educational Rights & Privacy Act (FERPA) of 1974

• Electronic Communications Privacy Act (ECPA) of 1986

• Health Insurance Portability and Accountability Act (HIPAA) of 1996

• Gramm-Leach-Bliley Act, "Privacy of Consumer Financial Information" of 1999

• USA Patriot Act of 2001

Resources

Ga Tech, “New security measures protect your information,” www.ferstcenter.gatech.edu/boxoffice/security.php

KU, “Protecting your identity:” www.ku.edu/identity/

UT, datatheft site: www.utexas.edu/datatheft/

Educause-Internet2 Security Task Force: www.educause.edu/security/

Privacy Rights Clearinghouse identity theft resources: www.privacyrights.org/identity.htm

Chronicle of Higher Education: www.chronicle.com