From: Renee Brown (renee
idtcompliant.com)
Date: Tue Jan 27 2009 - 13:38:37 CST
There are other aspects of this security breach that should also be addressed. It sounds as though personnel/employees/staffers of the Human Resources Dept. in Madison have not been trained or did not adhere to preventive security measures as it pertains to laptops, data storage devices, and the personal and sensitive information of fellow employees. To quote the article: "The city laptop was taken from a "relatively secure location" in the fifth-floor Human Resources Department offices in the City-County Building, Wirtz said." Weren't the employees having access to that laptop trained on proper security measures? Shouldn't the laptop have been in an absolutely secure location rather than a "relatively" secure location?
With written security policies and procedures and training to employees relaying what to do, how to do it, and the importance of doing it, these types of data losses/security breaches may be prevented. It's important to safeguard the information in a technical fashion, but equally important to prevent losses in the first place.
Is there any word from the City of Madison on what they intend to do to safeguard personal information going forward? Will they be providing identity theft protection to the affected employees? Without real assurances that the disk was not breached (and there doesn't seem to be proof that there wasn't a breach), then how can the employees sleep knowing that their personal information was out in the world?
Sounds woefully irresponsible for the City of Madison to ignore these facts. Sounds woefully naive to think that just because the laptop was left on a bus that there was no breach. Hey, the laptop was reported missing on Friday and didn't turn up until Monday. That's lots of time to access the data!
Best regards,
Renee Brown, CITRMS
Certified Identity Theft Risk Management Specialist
Email: renee
idtcompliant.com
----- Original Message -----
From: Sean Steele
To: Stefan Wahe
Cc: dataloss
datalossdb.org
Sent: Tuesday, January 27, 2009 7:01 AM
Subject: Re: [Dataloss] follow-up: Stolen city laptop recovered; workers' personal data not accessed
Stefan, it appears I've hit a nerve.
I wasn't disparaging anyone personally or professionally, and with regard to your comment regarding my professional responsibilities, I believe it to be exactly my duty and our duty -- as IT security professionals -- to remain skeptical and to call to account anyone in a position of authority able to declare a data breach essentially "null and void" because they believe the situation to be sufficiently controlled and controllable.
Any occasion where sensitive data, unencrypted, makes it into the wild should and needs be a serious moment for introspection and analysis.
We all know it can be very difficult if not impossible to ascertain without reasonable doubt whether data has been accessed on a device.
I'm all for dialogue on this issue, as long as we can agree not to call each other names.
--
Sean Steele, CISSP, CISA
Sr. Security Consultant
infoLock Technologies
703.504.9000 x219 direct
202.270.8672 mobile
ssteele
infolocktech.com
------------------------------------------------------------------------------
From: Stefan Wahe [mailto:smwahe
wisc.edu]
Sent: Tuesday, January 27, 2009 9:38 AM
To: Sean Steele
Cc: dataloss
datalossdb.org
Subject: Re: [Dataloss] follow-up: Stolen city laptop recovered; workers' personal data not accessed
Living in Madison and working in IT Security, I do know that Madison Police Department has a unit that conducts IT forensics on electronic devices. They have the appropriate staff, resources and training to make such determinations. Additionally they have state and university resources at their availability with more than adequate training and experience in IT forensics. I am aware of this because I have had the opportunity to observe and work with them on other IT Security related issues.
I hope this addresses your questions regarding the professionalism of the Madison Police Department. Please remember that this is a public forum and casting such doubts is not beneficial for those who are working towards solutions in preventing data loss. As a CISSP I hope that you are supportive of your colleagues in these efforts.
My question is if the thief was interested in stealing sensitive information off the device, would they then leave the device on a city bus? What is their motivation in that action?
Stefan Wahe
_________________________________
Stefan Wahe
University of Wisconsin - Madison
DoIT Applications and Information Security
smwahe
wisc.edu
On Jan 27, 2009, at 6:21 AM, Sean Steele wrote:
Am I the only one who feels a bit dubious about a local police lab's declaration -- based on their exhaustive computer forensics investigation one s'poses -- that a machine's "sensitive information" has not been accessed?
Hmmm.
--
Sean Steele, CISSP, CISA
Sr. Security Consultant
infoLock Technologies
703.504.9000 x219 direct
202.270.8672 mobile
ssteele
infolocktech.com
________________________________________
From: dataloss-bounces
datalossdb.org [dataloss-bounces
datalossdb.org] On Behalf Of security curmudgeon [jericho
attrition.org]
Sent: Tuesday, January 27, 2009 6:07 AM
To: dataloss
datalossdb.org
Subject: [Dataloss] follow-up: Stolen city laptop recovered;workers' personal data not accessed
---------- Forwarded message ----------
From: InfoSec News <alerts
infosecnews.org>
http://www.madison.com/wsj/mad/latest/434816
By Dean Mosiman
Madison.com
Jan 26, 2009
An oversight by the city of Madison's personnel office is why Social
Security numbers of 300 to 500 city employees were stored on a laptop
computer stolen Friday from an office in the City-County Building.
The laptop was found about two blocks from the City-County Building on
South Hamilton Street and turned over to police Monday morning, who
determined late in the afternoon that no sensitive information was
accessed.
The theft, however, put a scare into many and raised questions about city
security of personal information.
Mayor Dave Cieslewicz expressed concern about the incident and ordered a
review of security specific to the situation, spokeswoman Rachel
Strauch-Nelson said.
The city laptop was taken from a "relatively secure location" in the
fifth-floor Human Resources Department offices in the City-County
Building, Wirtz said.
[...]
_______________________________________________
Dataloss Mailing List (dataloss
datalossdb.org)
Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml