It’s become an almost daily story—government agencies, private organizations and universities lose sensitive information, either through hacking or theft of portable devices such as laptop computers.
Colleges seem particularly vulnerable, according to national security experts. From Stanford and San Diego State universities in California to Ohio University, which was breached five times this spring, many have been struck. The problem is growing daily, and the ramifications could be far-reaching and destructive.
It is clear that a proactive approach is necessary to combat the problem, according to BGSU’s Chief Information Officer Bruce Petryshak. For one, individuals must take common-sense steps to avoid compromising information resources and, two, institutions must stay ever vigilant in employing means to safeguard personal and research information.
This becomes even more important as universities implement technologies providing users with greater access to shared information, because with that access come greater risks.
Celo Project protects data resources
As a positive measure, BGSU’s Office of the CIO has created the Celo (Kay-Loh) Project, a multiyear, multilevel, multiphase plan to protect data and intellectual property, said Petryshak. A working group has been assessing campus needs and will be developing procedures and policies to add further layers of security to protect BGSU’s sensitive data. The initial phases of the project have been identified as Celo Strategy, Public Key Infrastructure, Electronic Signature and Encryption.
Whole-disk encryption will be the first phase to be implemented. Encryption is the transformation of data into a form unreadable by anyone without the secret decryption key. By encrypting the whole disk, whether on a desktop, laptop or jump drive, the contents will be inaccessible to anyone for whom they are not intended.
A request for proposals for whole-disk encryption has been issued, and vendor presentations are being evaluated by the Celo Project team. Once the selected product is in place, faculty and staff will be asked to use the software to encrypt the information on their computers and portable devices so that sensitive data will not be accessible even if stolen. If used conscientiously by the campus community, encryption will provide much greater security, Petryshak said.
It is important to remember, however, that even encrypted information is not absolutely safe, which leads to the initial part of creating a secure environment—individual responsibility for taking precautions.
What you can do
Information sent, received, printed or stored on desktop machines needs to be treated with security in mind at all times, said Information Security Officer Kent Strickland.
“Remember that if you can see the data, so can someone else,” Strickland said. “There is no way to magically secure all sensitive information. Like the shingles on your roof or siding on your house, weathering the environment requires applying security in overlapping layers.”
Here are several guidelines:
- If you do not absolutely need sensitive information, do not gather, process or store it.
- Set up desktop and laptop computers so that passwords are needed to log in. Do not save those passwords for automatic login.
- Anti-virus and operating system software must be kept current and downloads of unapproved applications avoided, since viruses or spyware could still enable an attacker to take control of the computer or harvest sensitive information. “A mobile laptop computer without current software and virus protection can physically bypass BGSU protections and introduce a virus/worm threat into the network,” Strickland said.
- Remember that if sensitive information is backed up to CDs and they are lost or stolen, the information is exposed. Other tools would be required to encrypt data stored on other media, which is also being researched as part of the Celo Project.
- Destroy old diskettes or CDs prior to disposal.
- Shred or similarly destroy printouts containing sensitive information.
- Do not email unencrypted sensitive data.
- If forwarding sensitive information, be sure that the recipient is authorized to have that data.
- Take special care when moving or storing information, which includes emailing and using public file-sharing systems. Consider whether it could be viewed in the process by an unauthorized person. If the data is sensitive or personal, consider whether if two pieces of information were put together, an unauthorized person could gain access to private documents or data.
- Respect the security wishes of the data owner. If you give someone access to information without the owner’s knowledge or permission, the information could be considered exposed.
Portable devices are a risky business
Portable devices such as laptop computers, personal digital assistants (PDAs), jump drives, CDs, DVDs and even today’s sophisticated cell phones pose a significant security threat. Recent news reports of employees of the Veterans Administration and the Ernst & Young accounting firm taking home personal information on laptops only to have them stolen point out the danger of transporting unencrypted information.
Recent cases have shown that even storing devices in locked car trunks is not protection from theft, Petryshak pointed out.
In addition to being stolen, every day thousands of portable devices are left in taxicabs and restaurants, and on buses, airplanes and trains. The potential for them to be lost or taken is so great that it is best just to assume the worst when using them, said.
Therefore, the University asks that employees not store personal or sensitive information regarding students, colleagues or research on portable media.
Legal reporting requirements
Many states have enacted legislation covering cyber-security incidents. Ohio’s Breach Notification Act, which went into effect last February, requires that people be notified if any security breach involving their unencrypted personal information has occurred.
Federal legislation is also in effect requiring that states follow the rules of other states when information about citizens from those states is compromised. Thus, if information about a BGSU student from California were stolen, BGSU would have to follow California’s laws on remediation and restitution for that individual. This could become quite costly and is yet another reason to strenuously avoid any such data losses, Petryshak said.
A culture of openness
The traditional academic culture of openness may have unwittingly contributed to the security problem, experts say. The Internet has made collaborative research projects and sharing of information immeasurably faster and easier. Posting student grades and paying bills online is convenient. Colleges electronically store financial and even medical information for both students and employees.
Unfortunately, hackers have realized this and have tended to view universities as easy targets. A recent article in the Los Angeles Times reported that colleges accounted for the largest percentage, about 30 percent, of security breaches reported in the media last year. And for the first time in seven years, colleges listed security as the number one concern regarding their computer systems, according to Educause, a nonprofit group that promotes technology use.
BGSU has been keenly aware of the issue for nearly two decades and has been taking steps to help protect the identities of students, faculty and staff and safeguard sensitive information. From Project 90, in 1990, when BGSU began using personal identification numbers instead of Social Security numbers for students and employees—a practice still not used in many institutions—to the present, when more sophisticated means are being employed, the CIO’s office has worked diligently to stay abreast of information security threats and make recommendations to the campus to help keep it safe.
The latest round of security measures, especially whole-disk encryption, will provide another wall of defense against those who would gain access to data. But we must all be vigilant, Petryshak says, and not make things easier for criminals.
To view the Celo Project Web page, visit http://www.bgsu.edu/offices/cio/page21277.html.
For more information about information security alerts, policies and more, visit http://www.bgsu.edu/its/security.