CELO Close-up
by Kent Strickland
In the April 2006 issue of Connect, Bruce Petryshak announced the CELO project, which is BGSU’s response to the growing risk
of handling sensitive personal information on portable computers and media.
My last article highlighted a number of breaches and the public reaction to lost or stolen data. I also introduced Ohio’s
Breach Notification Act and provided an analysis of some encryption issues. This month’s article hits closer to home.
Motivation for CELO
The justification for responding to this information threat is strong, yet harnessing information and providing innovative
service through cutting-edge technology is far more compelling, right? But who jumps from a plane without a parachute? Want the fun? Take care of your ‘chute!
Security is the capacity for risk. Security is confidence. Risk management is the careful inspection, packing and care of the parachute between jumps, and the knowledge of proper fitting
and instruction. It is the continuous discipline of monitoring the state of security and maintaining the capacity for accepting
new risk. The last Connect issue revealed weaknesses in other organizations that resulted in the exposure of sensitive information and
subsequent public scrutiny.
Is BGSU safe from identity theft—or just lucky?
Theft in Europe. A BGSU assistant professor traveling in Europe was the victim of a laptop theft last December. “I was traveling on school
business in Europe, and while I was getting off a train from the airport, a thief stole my laptop. It happened in 30 seconds—just
a flash. These were PROFESSIONALS! I was [bogged] down with luggage and had to put my bags down for a second to get everything
off the train, there were mobs of people and the next thing I knew, it was gone. What I learned: I should have hooked the
laptop to my body, which I now do at ALL times. Also, make sure you back up ALL of your files before you travel, because I
lost four months’ worth of important files. DON’T save any important files on your laptop (such as social security number,
bank numbers, etc.). And don’t travel with more bags [than] you can carry easily.” Reportedly, there was no sensitive University
data on the laptop, but the professor did have personal information from past income tax forms on the computer.
Theft from locked car. In May of this year, a BGSU graduate student was traveling in Columbus with a University laptop computer. She did everything
right. The car was packed here at home where thieves would not have noticed. The computer was loaded in the back of the car’s trunk with other luggage loaded in front of it. The car was parked on the street overnight at a friend’s house in Columbus and nothing happened. The next day around noon she had lunch at a Bob Evans
restaurant. It was busy so the only available parking was in the back of the lot. In her words, “It was a nice sunny day and
we certainly were not expecting anything like this to happen. We went inside, had lunch, paid and were done within an hour.
When we got to my car, a 1993 Pontiac Bonneville, the first thing we noticed was the seat was folded forward (my seats are
not supposed to fold forward). I opened the door, which was locked when we went inside, and that’s when I realized what had
happened. The doors had been locked, all of our belongings were locked in the trunk and this still happened, in broad daylight!
The bag with the laptop, a Flash drive, some folders and notebooks and all of my University keys were gone. They got in through
the passenger side door where they popped the lock and then pulled the back seat forward. The only opening was a small pass-through.
The bag was at the back of the trunk, so probably one of the first things they could reach.” Fortunately, the computer had
been re-imaged and contained no data, the media contained no sensitive information, and she had some fairly recent backups.
Theft from a BGSU office. There have been several BGSU computers stolen in recent years, although none contained sensitive University data—so far.
In one incident, however, an LCD flat screen monitor was stolen from an office but luckily the thieves passed on the desk-side
computer it was connected to, which contained very sensitive information—the kind you read about. Instead, they liberated
more compact desktop computers from a building lab. Pictured is a padlock from this incident that the thieves cut from one
of the stolen computers with bolt cutters. It symbolizes the imminent threat.
Thieves will go to great lengths to steal, even when we are vigilant and careful. There are solutions to mitigate the threat
but frankly, implementation is like the discipline of inspecting, packing and fitting a parachute—not like the thrill of skydiving.
Whole disk encryption
One solution to theft is to ensure that the physical security of each computer is continuously monitored and maintained with
little inconvenience. Each environment presents unique challenges, however, especially when a laptop computer is taken off
campus, traversing unknown or continuously changing environments.
As part of the CELO project, we are researching technologies to encrypt all of the data on the hard drive for cost-effective
and uniform physical security. Basically, following the installation and configuration of encryption tools, you would need
to supply a special password to boot the computer, possibly along with a special hardware “key.” You would then use the computer
normally, and shut it down at the end of the day (storing any hardware key in a separate, safe location).
How whole disk encryption helps
- If your computer is lost or stolen, no data stored or processed on the hard drive would be accessible by the thieves, as would
otherwise be the case.
- It may not be necessary to publicly disclose the incident depending on the data involved and applicable state or federal breach
notification laws in effect at the time of the incident. However, the BGSU Office of General Counsel would need to be consulted
to make such a determination.
What else is necessary?
Remember that if you can see the data, so could someone else. There
is no single way to magically secure all sensitive information. Like the shingles on your roof or siding on your house, weathering
the environment requires applying security in overlapping layers.
- If you do not absolutely need sensitive information, do not gather, process or store it.
- Anti-virus software must be kept current and downloads of unapproved applications avoided, since viruses or spyware could
still enable an attacker to take control of the computer or harvest sensitive information.
- If sensitive information is backed up to CDs and they are lost or stolen, the information is exposed. Other tools would be
required to encrypt data stored on other media, which is also being researched as part of the CELO project.
- Respect the security wishes of the data owner. If someone gives you access to information and you share it with others without
the owner’s knowledge or permission, the information could be considered exposed.
- Printouts containing sensitive information must be shredded or similarly destroyed.
- Do not email unencrypted sensitive data.
- Destroy old diskettes or CDs prior to disposal.
- If you forget an encryption password, the data is rendered unusable. As with a hard drive crash, restoring data from backups
is necessary in the absence of special precautions.
CELO future
A significant infrastructure of tools, policies and procedures is required to support the CELO encryption project. This entails
significant research into a variety of technologies and techniques. The effort should reduce the risk of a breach, and increase
public confidence in BGSU’s ability and resolve to securely manage sensitive data.
Trust takes years to build, but only a moment to lose.
Kent Strickland ITS Information Security Officer