Security's Everyman

Security's Everyman

Thursday, July 12, 2007

Maybe he didn't really think this through.

A friend pointed me to this article about a student list at Texas A&M Corpus Christi that was "misplaced" for a few hours. The list contained the personally identifiable information of 49 students. The list contained names and social security numbers of the students. This is the second incident in less than 2 months for TAMCC.

This post isn't about the incident or how it was handled by the college. It's about a comment that was left. Here is the comment:

Posted by josegutz on July 12, 2007 at 1:24 p.m.

It seems like it is an issue with the IT department at TAMUCC.
They need to ban all key or flash drives from being used if they cannot get that security measure together about using SSN's for identity purposes. They should do a PKI access after all they use access cards for Identity when enrolling at the University. Banning these thumb drives would minimize the security risk of someone walking off with all of this information. I don't want to get in too deep about all this technical garb since it seems that one would have a hard time to comprehend such a concept.

Here is my issue with the comment:
  1. This has absolutely NOTHING to do with the IT department.
  2. This has absolutely NOTHING to do with flash drives.
  3. IT does not dictate whether or not the university uses student SSN's as identifiers.
  4. PKI would not have prevented a student from walking off with a SHEET OF PAPER.
  5. PKI is not an easy technology to implement or manage especially is a university environment where my nature of what they do the network needs to be open.
  6. Banning thumb drives would not have prevented anyone from walking off with a SHEET OF PAPER!
This comment just set me off for some reason. Maybe it's because I have friends who work in IT and security for several universities. Maybe it's because the person tried to blame the IT staff for this and IT gets enough of a bad rap as it is. Maybe it's because the comment really didn't serve any constructive purpose except to put blame on someone without having all, no wait, ANY of the facts. Maybe it's because this person probably works in IT. I say that because the average person does not know what PKI is or how it works. Apparently this person doesn't really have much of an understanding of PKI either. If he did he would have realized point 5 above.

Now that I have ranted let me try to add value to this.
  1. Yes, it is a bad idea to use students SSN's as identifiers. I have it on pretty good authority that this is going to change in the very near future.
  2. Yes, PKI can help mitigate the risk associated with storing PII. It can be used to prevent it from being accessed by unauthorized users. It can be used to enforce security policies that could prevent copying data to removable media or prevent documents from being printed. But it has to be used in conjunction with other technologies to be effective.
  3. There is no reason for the SSN's to be on the class roster that is given to the professor. But it is not the fault of IT or Security that this happens. Even if there are policies in place they have to have the support from Management in order to be enforced and true enforcement would require other technology to be implemented.
  4. Security is not just the responsibility of the IT or Security. It is something that has to be embraced by everyone (or most everyone) in the environment. The professors have a share of the responsibility even more so than the IT department does.
Then my final point. If you really want to blame someone for all the problems that SSN has caused us, blame President F.D. Roosevelt and the U.S. Congress of 1935. They are the ones who gave us Social Security Numbers. :)

1 comment:

The Trusted Toolkit said...

Hey Andy,

Admittedly I have not read about this breach, but you make some good points in your comments IMO.

Your comments:
1. Absolutely! Employee ID numbers, student numbers, etc. are much better solutions. I worked on the Threat & Vulnerability team for a major US bank a few years ago and everyone's login to their intranet site was their SSN!

2. PKI is a nightmare if not designed effectively from the beginning. Poorly done PKI is worse than no PKI.

3. Absolutely NO reason for SSN's anywhere on a college campus with the possible exception of a financial aid office. Would be even better if the financial aid office would only use the SSN temporarily (and not store them).

4. RIGHT ON! Security is everyone's job. Funny thing is, Security is NOT an IT function at all. Portions of security require close interaction and support from IT, but IT is never responsible for securing data.

I don't really blame FDR. I don't think FDR could have forseen what business has done with SSNs. Social Security Numbers were NEVER meant to be used as personal identifiers for any purpose other than to keep track of your Social Security account.

Keep up the good work Andy. Fightin' the good fight.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.