Hackers weren't to blame for all of the data breaches in 2005--some were pulled off by old-fashioned, sticky-fingered thieves.
Take the breach at the University of California, Berkeley, where conditions were ripe for thievery on a particular day last March: an unlocked office off a remote corridor, a receptionist on break, a shiny new laptop unguarded on a desk.
The IBM ThinkPad, only a day old, was loaded with the Social Security numbers and other personal information of 98,000 graduate students, graduate and doctoral applicants, and others. A demographic analysis was being conducted on the data, some of which was 30 years old. It was a treasure trove for identity thieves.
Only this thief wasn't so sophisticated; this was a crime of opportunity. The thief was part of a ring that would steal laptops and other devices, scrub the hard drives, and sell the computers on eBay. The laptop was traced to the buyer and recovered. Officials at U Cal-Berkeley don't think the data was accessed.
Sometimes it's better to be lucky than good.
Associate vice chancellor and CIO Shelton Waggener is well versed in campus politics and understands the rigors of instituting change and lobbying for information security funding. The laptop theft was Berkeley's second breach in five months--in October 2004, hackers cracked a database housing account information on people participating in a home-care services program; more than 1 million files were exposed. But that was a nameless server hacked by a faceless criminal. A stolen laptop is different, and the realization that similar thefts could happen to anyone brought information security to the highest offices at Berkeley.
"It used to be perceived to be CIO problem, now it's perceived as a campus problem," Waggener says. "The message has sunk in that it's going to take personal accountability. That's huge in terms of progress."
Progress is the operative phrase. In the 13 months since the laptop theft, information security has been elevated to the point where security audits, policy updates and training are par for the course. Funding remains a struggle, but awareness is elevated, data security is paramount and resources are required.
"Security is really an insurance policy. You have to ask, 'How much are you willing to invest to reduce the possibility of having a security incident?' " Waggener says. "Can you afford to invest money to protect something that changes all the time? It's an uncomfortable investment to make. As it works out, incidents happen in areas you have not invested in. It's not that we didn't know how to protect every laptop, but it's an expensive thing to do."
Like in most security organizations, Waggener focused on areas of higher risk. With visibility heightened to the dangers of laptop theft, Waggener had to change his focus.
Outside auditors were hired to evaluate data exposure points. While they determined security policies to be strong, execution and implementation depended on the financial and technical strength of a particular unit. Policies were difficult to follow in a decentralized environment.
Best-practices audits were also instituted; internal teams of security experts would perform spot audits on different departments and help with recommendations. It was a creative way to provide advice without paying extra for it.
Training modules to instruct existing employees and new hires on their responsibilities around data and security policies in general have been developed. Students also undergo security training at orientation, and PCs and laptops are outfitted with free antivirus software. Centralized scanning tools monitor computers on the U Cal-Berkeley network for vulnerabilities and to ensure patching levels are adequate.
Encryption of sensitive data is a priority. U Cal-Berkeley is in the midst of evaluating products to provide mobile and database encryption, securing data whether in motion or at rest. Some encryption has already been deployed. Printed documents are encrypted from the source server to the printer.
Waggener said the key is centralizing security management.
"We're going to create download sites to autoinstall encryption tools and make it easy to use," he says. "We have the policies and standards around the need to encrypt data, but if we're not going to make it easy to get the software and keys, people are not going to do it."
This article originally appears in the April 2006 issue of Information Security magazine. Be sure to cast your vote for one of the Survivor All-Stars in the latest SearchSecurity.com mini-poll.