Security Management; Data Security; and Articles, Papers, and Reports

Two of the entries on the long list of data breaches in higher education are Georgetown University and UCLA. Timothy Lance recently talked with the IT policy officers at these two institutions to identify some of the policy implications of handling data breaches.

The 2008 Data Breach Investigations Report draws from over 500 forensic engagements handled by the Verizon Business Investigative Response team over a four-year period. Tens of thousands of data points weave together the stories and statistics from compromise victims around the world. This report seeks to answer the following questions;

• Who is behind data breaches?
• How do breaches occur?
• What commonalities exist?
• Where should mitigation efforts be focused?

Review of news sources and databases shows an increase in the number of both security incidents and affected institutions in the last year.

"When is higher education going to get serious about safeguarding the private information of students,
faculty, and staff?"

"Over the last several years, there has been an emerging interest in the development of wide-area data collection and analysis centers to help identify, track, and formulate responses to the ever-growing number of coordinated attacks and malware infections that plague computer networks worldwide. As large-scale network threats continue to evolve in sophistication and extend to widely deployed applications, we expect that interest in collaborative security monitoring infrastructures will continue to grow, because such attacks may not be easily diagnosed from a single point in the network. The intent of this position paper is not to argue the necessity of Internet-scale security data sharing infrastructures, as there is ample research [13, 48, 51, 54, 41, 47, 42] and operational examples [43, 17, 32, 53] that already make this case. Instead, we observe that these well-intended activities raise a unique set of risks and challenges.
We outline some of the most salient issues faced by global network security centers, survey proposed defense mechanisms, and pose several research challenges to the computer security community. We hope that this position paper will serve as a stimulus to spur groundbreaking new research in protection and analysis technologies that can facilitate the collaborative sharing of network security data while keeping data contributors safe and secure."

This is the final report for the 2007 NSF Cybersecurity Summit, held February 22 & 23rd, 2007, in Arlington, VA.

"Much like Moore's Law, PGP has seen huge advances in encryption technologies over the years -- specifically the ability for encryption to work faster and easier in a network while still being transparent to the end user," said Phillip Dunkelberger, President and CEO, PGP Corporation. Excellent encryption research is being carried out at a number of major universities, though it's still at a nascent stage.

"Identity theft is one of the fastest-growing cyber-crimes, and, as a result, 38 states have identity theft legislation -- with some states using encryption as a safe haven," said Southwestern Illinois Community College CIO Christine Leja. "The education market as a whole is becoming more serious about protecting student information and is looking to encryption as the means to making that happen."

"No matter how robust your firewall, trained faculty and staff are your first line of defense against system breaches."

This study summarizies the actual costs incurred by 31 organizations that lost confidential customer information and had a regulatory requirement to publicly notify affected individuals.