Security Blog Log: Was the analyst a VA scapegoat?

By Bill Brenner
14 Jul 2006 | SearchSecurity.com

The VA data theft that left 26.5 million veterans and about 2.2 million active duty personnel at risk for identity fraud was an unforgivable screw-up in which everyone deserves scorn -- from the analyst who took the sensitive data home to supervisors who fell asleep at the security switch.

That was the verdict of U.S. Department of Veterans Affairs (VA) Inspector General George J. Opfer, who released a scathing report (.pdf) Tuesday on the now-infamous VA data theft.

Security bloggers generally agreed, though some wondered if a disproportionate amount of blame had been placed on the analyst's shoulders.

Sure, he showed poor judgment by walking out of the office with such a large volume of sensitive information, where it was eventually stolen in a burglary. But, some bloggers asked, wasn't the analyst's lack of security scruples simply a symptom of the larger problem? After all, they said, the data may never have left the office had department supervisors been paying closer attention.

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

Opfer outlined a litany of missteps, insufficient security measures and an overall lack of care in the events leading up to the May 3 burglary of the analyst's Maryland home. He also harshly criticized the analyst's chain of supervisors, including VA Deputy Secretary Gordon H. Mansfield, for waiting nearly three weeks to publicize the burglary. That decision, according to the report, unnecessarily placed veterans and active duty personnel at risk for fraud.

The supervisors deserve most of the blame, as far as Liquidmatrix blog keeper Gattaca is concerned.

"I'm still annoyed that the VA was trying to hang the employee out to dry on this issue in a bid to save face," he wrote in a posting this week. "Simply deplorable."

He added, "The funny part here is that the sacrificial lamb … had permission to have the laptop with SSNs [Social Security numbers] on it. I'll say it again, he HAD PERMISSION."

Tom Fragala, an identity theft victim and founder of Truston Corp., a credit-monitoring and identity-theft recovery service, noted in the Truston blog that the VA inspector general found that the analyst whose laptop was stolen had the OK to access the data, but apparently not to take the laptop home.

"I think there will be a difference of opinion there," Fragala said. "The analyst (with 34 years at the VA) might argue that since his PC was a laptop, how could he use the data without taking it home?"

But when focusing on the analyst, one misses the point, he said: "It was lax security policies and lack of encryption, plus poor response measures that sunk this ship."

Of course, the VA has announced measures to strengthen those security policies. But Charles Stricklin wrote in the Homeland Stupidity blog that the latest proposals are too little, too late.

"In a case of closing the barn door after the cows have all gotten out, the [VA] took steps to get its information security in order … a half decade after security alerts were first issued and nearly two months after the largest personal data breach in U.S. history," he said, in reference to VA Secretary Jim Nicholson's plans to order a complete restructuring of information security.

During congressional hearings last month, Nicholson announced that VA facilities across the country would "stand down" for Security Awareness Week, during which VA managers would be expected to "review information security and reinforce privacy obligations and responsibilities with their staff."

In military terms, Stricklin noted, a "stand-down" is "an order given to military units, ranging from a single military command to the entire Department of Defense, to cease all but the most basic of duties and focus all attention and training on the special task given them."

Given all the internal security reviews over the years, he expressed doubt that this stand-down will do any good. For instance, in 2003, he said, staff members in the VA inspector general's office demonstrated that online outlaws could get access to veterans' protected medical information from outside the VA network. Last year, internal reviews found that access controls were not consistently applied at dozens of data centers, medical centers and regional offices.

"Recommendations included ensuring that background checks are performed on VA and contract workers, restricting off-duty workers' access to sensitive information and providing annual security awareness training for employees," Nicholson said.

Still, access restrictions and security awareness training didn't stop the VA analyst from taking sensitive data out of the office, resulting in an incident that will long be remembered for its numerous and dumbfounding missteps.

All Rights Reserved, Copyright 2003 - 2009, TechTarget