EPA data breach highlights worrying trend

In the war over government data security, the statistics indicate the bad guys are winning. And some security experts say any hope of reversing that trend will take "a whole new paradigm" in IT security.

The U.S. Government Accountability Office (GAO) reported last week that federal data breaches involving unauthorized disclosures of personally identifiable information rose by 19% from 2010 to 2011, from about 13,000 incidents to about 15,500.

At least some of the time, victims of those breaches are being left in the dark about it for months. About 123,000 Thrift Savings Plan participants whose personal information was compromised in a July 2011 breach were not notified until this past May.

That is not the only instance. The Washington Business Journal reported that the U.S. Environmental Protection Agency (EPA) waited until last week to notify 5,100 employees and 2,700 "other individuals" of a data security breach last March that exposed their Social Security numbers and banking information.

Greg Long, head of the Federal Retirement Thrift Investment Board, responding to questions from the Senate subcommittee on government management oversight, said the thrift board had followed federal guidance in responding to the attack, but didn't have the funding for a notification plan.

Daniel Berger, president and CEO of Redspin, a security assessment vendor, told CSO Online that the increase in breaches is no surprise, given that attacks have become "more sophisticated and persistent. Groups such as foreign governments, organized crime, and hacktivist networks have the capability for multi-dimensional, coordinated, ongoing attacks against specific entities such as U.S. federal agencies."

Berger said traditional perimeter defenses and other security controls are "no match for such attacks. A whole new paradigm is needed."

Tony Busseri, CEO of Route1, an IT security firm, suggested to Federal Computer Week that a piece of that new paradigm has to include better technology.

The EPA breach, reportedly caused by a virus in an email attachment on a contractor's computer, again points to human error as the weak link.

"We cannot just have policy-based approaches to cybersecurity," Busseri said by email. "It has to be technology-based too. If we rely upon the human condition -- i.e., we expect someone to adhere to a policy -- and that's the only protection we have, we're going to have failure. By nature people are prone to making errors."

John Steven, internal CTO of Cigital, also said technology is lagging, especially when it comes to protecting usernames and passwords. "Credential thefts are not new vulnerabilities," he said. "These are system bugs that have been there for seven years and are being exploited now."

Steven said that is happening in both the private sector and government. "When the Yahoo [data breach] story broke, I went back and looked at three of my clients. We had reported critical vulnerabilities in password protection, and they had opted not to fix them," he said.

And the problem is made worse because of the human factor -- too many people using the same user name and password for multiple sites, he said.
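To make concrete what "building the system correctly to protect credentials" means in practice, here is an added example (not code from the article or from any of the vendors quoted in it) contrasting the password store that keeps turning up in breach reports, a single fast unsalted hash per user, with a salted, deliberately slow derivation. The usernames and passwords are constructed test data, and the PBKDF2 iteration count is an assumption chosen for the example rather than a recommendation for any particular system.

```python
"""Weak versus hardened credential storage (added example, not from the article).

The sample users and passwords are constructed; the iteration count is an
assumption for illustration and should be tuned to the deployment hardware.
"""
import hashlib
import hmac
import os

# --- The pattern behind many leaked credential tables: one fast, unsalted hash.
# Two users with the same password get the same digest, so a leaked table
# reveals password reuse directly and can be attacked offline at very high
# guess rates with precomputed tables.
def weak_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# --- Hardened form: a random per-user salt plus a slow key derivation
# (PBKDF2-HMAC-SHA256, standard library only). ITERATIONS is an assumption.
ITERATIONS = 200_000

def make_record(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record: algorithm, work factor and salt travel with the
    # hash, so the work factor can be raised later without a flag day.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: fail closed
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison; a plain == can leak timing information.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def demo() -> dict:
    # Constructed sample: two users who chose the same password, the reuse
    # problem described above.
    users = {"alice": "Summer2012!", "bob": "Summer2012!"}
    weak = {u: weak_store(p) for u, p in users.items()}
    strong = {u: make_record(p) for u, p in users.items()}
    return {
        "weak_digests_collide": weak["alice"] == weak["bob"],
        "strong_records_differ": strong["alice"] != strong["bob"],
        "alice_verifies": verify("Summer2012!", strong["alice"]),
        "wrong_password_rejected": not verify("summer2012!", strong["alice"]),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The weak store shows the collision on identical passwords that lets an attacker who steals one table spot reuse across accounts; the hardened store gives every user a distinct record and makes each guess cost a full derivation.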

Tanya Forsheit of InfoLawGroup said it is too simplistic to conclude that the GAO's statistics mean there is an actual increase in breaches.

It could be that there is better and more accurate reporting of them, Forsheit said. However, she added that "policies, procedures, controls, etc. -- a strong information security program -- is the best medicine to mitigate the risk of a breach."

"It does not mean that breaches won't still happen, of course," she added. "There is no such thing as perfect information security."

Still, shouldn't there be a requirement for more timely notification of potential victims of breaches?

The problem, say both Forsheit and Daniel Berger, is that there is no single standard. "State and federal breach notification laws govern how quickly an organization is required to notify affected individuals of a breach," Forsheit said. "Those deadlines depend on the particular law involved. The 46 state laws are all different, and the federal laws that do exist -- under HIPAA/HITECH, and separately for federal agencies -- are different still."

John Steven said he would support a stronger, unified policy on notification, but added that it will not cure the problem on its own. "It's one leg of a stool," he said. "The key is to build the system correctly, so it is designed to protect credentials."

"I'd highly recommend a federal standard for breach reporting requirements across all industries," Berger said. But he adds that he believes data security has to evolve to "a more holistic, data-centric approach to confront current threats."

Everybody from enterprises to government agencies should be asking themselves what are their most critical corporate information assets, Berger said, along with other crucial questions, including: "How is this data used, transmitted, and stored? Are access control policies in place and enforced? Have we integrated mobile computing, whether it's corporate-issued devices or BYOD, into our policies and procedures? How do we monitor use? Are my employees sufficiently aware of what constitutes acceptable use and practice from the IT security perspective?"

By Taylor Armerding