Keep Out: Private Property
The Housing Authority of the City of Los Angeles provides subsidized housing to nearly 100,000 low-income residents and monthly payments to 15,000 property owners. That level of transactions means the agency's databases are brimming with confidential personal data.
To gauge the security of web portal software designed to improve customer service and give housing residents and landlords the ability to review their data online, the housing authority made the only logical choice: They turned it over to a team of professional hackers who conducted a thorough security assessment to uncover vulnerabilities and then made recommendations for resolving them.
"It's good to be proactive and get someone else to look at what you've done because there's always a risk that you've missed something," says Luis Yataco, the housing authority's assistant director of information technology. "The assessment helped us feel comfortable about releasing information over the Internet to our clients."
Data breaches present a constant threat to the public sector. As a result, state and local governments must conduct annual security assessments or audits to improve their security posture and prevent data leaks, either from hackers or from employees who mishandle data, government IT leaders and experts say.
"They need to do ongoing vulnerability scanning on a day-to-day basis, but they should at least annually have someone come out and do a full assessment and try to break in like the bad guys do," says Rich Mogull, analyst and CEO of Securosis.
Once the assessments are completed and the vulnerabilities are known, IT departments can remedy them by deploying best practices and various security technologies, such as data loss prevention.
662: Total number of data breaches reported by organizations in 2010, exposing 16.1 million records
Source: Identity Theft Resource Center
Pinpointing Problems
Security is a priority at Los Angeles' housing authority, a 1,000-employee agency with two major operational arms: a Section 8 program, which provides monthly vouchers for low-income residents who need housing; and a public housing program, which leases agency-owned apartment units directly to residents.
The housing authority relies on specialized software to manage the two programs. To protect data, no applications or databases have been public-facing, Yataco says.
Last year, however, many tenants and landlords in the Section 8 program began to demand quicker access to information. Tenants wanted to know their application status and how much assistance they were eligible for, while property owners wanted to know how much rent they could receive and when to expect housing inspections or the results of those inspections. Historically, they've called the agency or waited for letters to learn that information.
To improve customer service and decrease call volume, the IT department last fall considered deploying its software maker's Section 8 portal applications so users could check their information online, but IT staff first wanted to determine how secure the portal technology was.
The housing authority investigated three applications: a web application portal that potential tenants could use to apply for assistance; a status portal for applicants; and a landlord portal that property owners could access to check payment status and get housing inspection information. Last fall, the IT department installed the software in the network's DMZ and deployed a web application firewall for added protection. Then it hired CDW·G to conduct a security assessment.
"We didn't want to just assume that we did a good job securing everything and that things were solid," Yataco says.
A team of CDW·G security experts spent three weeks inspecting the portals. It discovered that two portals were moderately secure, but that the status portal had a gaping hole. The assessment team created fake user accounts and, using an algorithm it developed, searched for random account numbers. Within five minutes, the group gained access to accounts and private information, Yataco says.
The team found minor problems with the other two portals, including weak password policies, the use of third-party scripts rather than internal scripts, and a Microsoft ASP.NET debug method that needed to be disabled because it showed error messages in detail, which could aid hackers in breaking into servers.
CDW·G's report outlined the vulnerabilities along with suggested remedies, and the IT staff forwarded the findings to its software maker. After several meetings, the vendor applied fixes to the applications, and CDW·G's team confirmed those fixes.
With the portal apps secure, the housing authority launched the landlord portal last October. So far, 2,200 property owners are using it. The IT department plans to launch portals for tenants in the future, but wanted to focus on the landlords first. Overall, the security assessment was worth the cost, Yataco says.
"Because of the sensitivity of personal identifiable information, there's a lot at stake," he says. "The assessment helps us increase the trust factor with the public, and internally, it decreases our liability and risk."
IT administrators emphasize the need to conduct comprehensive security assessments annually because threats change constantly.
58%: Percentage of IT organizations that have deployed network DLP, among 775 security and IT professionals surveyed (includes proof-of-concept and full deployments)
Source: Securosis 2010 Data Security Survey
Brent Schipper, IT director for Ionia County, Mich., regularly uses a free security analyzer to scan his network for simple vulnerabilities. But every year, he also hires a third party to conduct a thorough assessment. The county's IT infrastructure is always evolving, which can create new vulnerabilities he's unaware of.
"We are constantly changing equipment or software out, so we may have a completely different version of SQL Server this time next year, and it may need new patches," he says.
A security assessment team spends a day checking for security holes. Most of the vulnerabilities it uncovers are weak passwords or software updates and patches that must be installed. But one year, the team discovered one web server that was not in the DMZ, which put data at risk.
The city of Annapolis, Md., conducts a security assessment as part of a yearly audit of its financial system. Paul Thorn, MIT director for Annapolis, welcomes the audit because he doesn't have a full-time IT security officer. Every year, he reviews the city's IT processes, policies and procedures with an auditor, and together they look for areas of improvement. Once the assessment is completed, the auditor prioritizes the security fixes that are needed.
"You want to get the full breadth of experience of the people in the security industry that have an extensive body of knowledge," Thorn says. "You will not be able to do it all by yourself in a small organization."
Stopping Leaks
Once organizations learn where their security vulnerabilities lie and how to correct them, they can focus on applying additional technologies, such as data loss prevention, to further protect their information. DLP software and appliances monitor networks, storage and endpoints for sensitive or confidential information, and control the transfer of that data, such as through e-mail, instant messaging and removable storage devices.
The technology is flexible and allows IT staffers to customize security policies for different users and determine what data types are sensitive, says Brooks Evans, IT security officer for Arkansas' Department of Human Services, which is using DLP products to scan e-mail and protect data on computers.
If users try to do something that's not allowed, such as transfer files to a USB drive, print documents or copy and paste content, DLP technology can block it, warn users that they are about to do something risky, or quarantine the action and alert the IT staff for authorization, he says.
For example, at the Department of Human Services, a McAfee Email Gateway catches e-mail with sensitive content and quarantines it. Next, IT security and privacy staff review the e-mail and determine whether it can be sent. If approved, the staff can encrypt the e-mail before it goes out. The McAfee device quarantines 20 to 30 e-mail messages a day, so it's not a burden, Evans says.
The Virginia 529 College Savings Plan, an independent state agency offering four Section 529 college savings programs, recently deployed DLP software to secure data for its more than 2.1 million active accounts.
The agency bans employees from transmitting sensitive data through unsecure means, such as e-mail, FTP or HTTP, and has implemented technical controls that prevent storage of customer data on portable devices, such as USB drives. Every employee is trained on those policies, but DLP tools help ensure those policies are enforced, says Rosario Igharas, the agency's director for information security.
"Our employees know what our policies are, and this is a technical solution to ensure that potential security leaks don't happen," she says.
Last fall, the agency began investigating DLP tools and purchased Symantec's DLP software suite, which includes Symantec DLP Network Monitor, Network Prevent and Endpoint Prevent.
First, Igharas surveyed each business unit to determine who needed access to customer data to do their jobs and how they used that information. In November, the agency installed Symantec's DLP network monitoring tool to assess traffic flow. Both exercises gave her insight regarding how to write DLP security policies and response rules and what potential problems might arise when implementing DLP.
"You have to understand how the business is using personal information and understand necessary business processes, so you don't impede the business flow while trying to improve data security," she says.
This February, Igharas installed Symantec's DLP endpoint software on users' notebooks and began writing DLP security policies to protect data. The software inspects e-mail messages, identifies any sensitive data that is not suitable for unencrypted transmission, and automatically blocks that e-mail from going out.
Symantec's endpoint agent inspects each computer for sensitive data on local hard drives and any connected USB flash drives and prevents users from printing such information, she says. It also scans Excel spreadsheets that have hidden worksheets or data and prevents any sensitive data from being transmitted.
The IT staff customizes rules based on groups of employees, IP addresses, the devices they use and whether they are on the agency's network. When employees are on the agency network, the DLP software looks for exact matches of personal information.
For those working remotely or over Wi-Fi, the IT department deploys more restrictive rules, such as blocking all nine-digit numbers to ensure that no Social Security numbers or other confidential data is potentially transmitted in an insecure environment. Doing so results in more false positives, but it's a necessary evil, Igharas says.
Symantec's DLP software also inspects outbound data and prevents the posting and transmission of sensitive data through FTP, telnet, instant messaging or websites.
Now that DLP is implemented, the IT staff plans to look beyond customer information and use DLP further to safeguard other proprietary agency information and internal working documents.
"We look forward to utilizing other aspects of the DLP system in the future," Igharas says. "We haven't achieved its full potential yet, but at this point, we are pleased with the results."
DLP Deployment Best Practices
Rosario Igharas, director for information security for the Virginia 529 College Savings Plan, shares these tips for choosing a data loss prevention manufacturer and implementing the technology.
- Figure out what data and what part of the IT infrastructure you want to protect. That determines whether you buy a full suite of DLP tools or just buy only a specific piece. For instance, will you enforce security policies on endpoints or on the network?
- Hire a consultant. Bring in a DLP expert to help you define rules. "We didn't have large-scale DLP experience, so we wanted the tech know-how of someone who has worked on big implementations," Igharas says.
- Involve all stakeholders. Work with each business unit that will be affected by DLP to define DLP policies. "If you don't cooperate with each other in defining DLP policies, DLP could impede them from doing their jobs," she says.
- Refine security rules over time. IT staff and users alike need patience during implementation because creating and perfecting DLP policies requires a lot of tweaking. Initially, when the agency implemented DLP on the office network, it used general rules, such as blocking all nine-digit numbers to protect Social Security numbers. That created lots of false positives, so the IT staff became more specific and checked for customers' exact personal information to decrease false positives.
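The trade-off between the broad nine-digit rule and exact matching, described in this tip and in the Virginia 529 deployment above, shown as an added Python example that is not from the article or from any DLP product. The identifiers, messages, key and function names are constructed for illustration, and storing the customer list as keyed hashes is an assumption about how an exact-match index might be kept.

```python
import hashlib
import hmac
import re

# Constructed sample data: none of these values come from the article.
INDEX_KEY = b"constructed-demo-key"              # assumption: secret held by the DLP server
CUSTOMER_SSNS = ["000-12-3456", "000-98-7654"]   # area number 000 is never issued

# Nine digits, optionally dashed as an SSN, not embedded in a longer digit run.
NINE_DIGITS = re.compile(r"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)")


def fingerprint(value: str) -> str:
    """Keyed hash of the digits only, so the index never stores raw identifiers."""
    digits = re.sub(r"\D", "", value)
    return hmac.new(INDEX_KEY, digits.encode(), hashlib.sha256).hexdigest()


EXACT_INDEX = {fingerprint(s) for s in CUSTOMER_SSNS}


def broad_rule(text: str) -> bool:
    """Restrictive rule: any nine-digit number is treated as sensitive."""
    return NINE_DIGITS.search(text) is not None


def exact_rule(text: str) -> bool:
    """Exact-match rule: only nine-digit numbers that belong to a known customer."""
    return any(fingerprint(m.group()) in EXACT_INDEX
               for m in NINE_DIGITS.finditer(text))


def decide(text: str, on_agency_network: bool) -> str:
    """Exact matching on the agency network, the broad rule everywhere else."""
    rule = exact_rule if on_agency_network else broad_rule
    return "block" if rule(text) else "allow"


# Constructed outbound messages: (text, does it really hold customer data?)
MESSAGES = [
    ("Please update the account for SSN 000-12-3456.", True),
    ("Your package tracking number is 940011189.", False),
    ("Invoice 123456789 is attached for review.", False),
    ("Lunch at noon on Friday?", False),
]


def false_positives(on_agency_network: bool) -> int:
    """Count messages blocked even though they hold no customer data."""
    return sum(1 for text, sensitive in MESSAGES
               if decide(text, on_agency_network) == "block" and not sensitive)


if __name__ == "__main__":
    for on_net in (True, False):
        label = "on network" if on_net else "remote"
        print(label, "false positives:", false_positives(on_net))
```

Both rules block the message carrying a real customer identifier; only the broad rule also blocks the tracking and invoice numbers, which is the false-positive cost the agency accepts for remote users.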
Arkansas DHS Deploys DLP
Given its mission of providing health, family, child, senior and disabled services, the Arkansas Department of Human Services handles a large volume of personal data. The department must also comply with the Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA) and other compliance laws that require the IT department to ensure privacy and security.
Two years ago, the agency deployed McAfee Email Gateway to block spam, viruses, malware and other inbound attacks; it also has a DLP component to identify sensitive content and block it from going outbound.
In most cases, there are valid reasons for the sensitive information in e-mail messages. Clients receiving benefits often communicate with their caseworkers through e-mail, and in the correspondence, the clients may use their personally identifiable information. The IT staff trains the employees to remove that sensitive data before they hit the reply button, says Brooks Evans, the department's IT security officer.
DLP technology works, but be prepared for a long learning curve to eliminate false positives, he warns. Two years after installing the Email Gateway, the deployment is ongoing. Specifically, the staff is continuously tweaking security policies and keywords and phrases so the device can scan for sensitive content in e-mail. For example, "heart attack" is not sensitive, but if the sentence reads that a state resident had a heart attack, then that data is sensitive.
"We often look at what is caught, and the privacy officer and one of the analysts regularly fine-tune the words, and they tune it up or down depending on false positives," he says.
Evans advises IT organizations to roll out DLP slowly. Work with a small number of employees in each office or department that deals with sensitive data and work out the kinks before fully deploying it. While building in the security rules, you also have to spend time building exceptions for different offices or groups of employees because they have different missions.
"Do a deliberate rollout. Don't jump into it. No one should underestimate the manpower of tuning it," he says. "It took six months of one engineer and two to three months of a security analyst full time to get the product tuned properly."
Not all DLP products work well, either. The Department of Human Services initially deployed a different brand of DLP endpoint product for its computers, but the software was slow -- it would take about a minute and a half just for the print dialogue box to show up on users' screens.
The IT security staff scrapped the first endpoint product, and is now testing CA's endpoint DLP tool. The staff is using professional services to come out for a week or two to help the department roll out the technology with the least amount of impact to users, Evans says.
Strategies for Conducting Security Assessments
Every year, a third-party security firm asks Ionia County, Mich., IT Director Brent Schipper how comprehensive an audit he wants, and every year he tells them the same answer: Go for it. Make it as thorough as possible.
"I give them free will," he says. "I tell them to go as deep as they have time for. Hack passwords, try to access the network and try to hack the Wi-Fi network."
Do your homework when choosing a security assessment firm, Schipper advises. Call other IT leaders in other communities or nearby businesses and get recommendations. Interview them and check their references, Schipper says. It's important that you are comfortable with them and trust them because they are going to gain access to your IT infrastructure.
Try to stick with one company because they can show you your progression or regression over the years. For example, in some years, there may be a sharp rise in vulnerabilities because the IT department upgraded to new equipment. "They say it's perfectly normal and not to take it personally. And they provide recommendations on how to patch it," he says.
The security assessment team also compares how the county fared in its assessments with its other clients, which include businesses such as financial institutions. That comparison provides a good baseline on how well the county is doing with its security, Schipper says.
The yearly assessments are also important in case county leaders or other departments have questions about the county's security posture. The yearly audit shows that Schipper is on top of things.
"It's good to let the county commissioners know that we do a periodic review and let them know what has gone on. I like to bring up where we are and that we're looking good," he says.