
Scott Schmit

08 May 2008

Avoiding Disclosure of Confidential Information

As the use of laptops, cell phones, PDAs, and USB drives is ever increasing across our network landscape, security analysts find themselves fighting a security war on multiple fronts against moving targets. Gone are the days when our network was like a castle with only one way in and one way out. With the mobile workforce, our perimeter has had more holes punched in it than a slice of Swiss cheese. Our data is no longer stored only on our servers in-house, but also on laptops, CDs, DVDs, and USB drives that can easily leave the confines and protection of our buildings.

According to a survey conducted by Simpson Carpenter in September 2005, employees spend on average one third of their time out of the office, and almost one half of their time in the office away from their desks. Field Auditors need access to taxpayers' data and to applications on the network so they can collaborate more effectively with team members from a remote location. These users know that mobility can be a major differentiator, helping them to be more informed, agile, and capable. As mobile workers increasingly access confidential information within Revenue's infrastructure, administrators are faced with real security concerns. Critical data must not be compromised. Questions arise over how mobile access to Revenue's network will be controlled and whether user authentication can be enforced.

Some of the highest-profile data breaches in the first few weeks of 2008 were caused by the theft or loss of devices. According to www.privacyrights.org, 40 breaches had been recorded across the nation in 2008 at the time of writing, and the site's running total of records exposed since its chronology began in 2005 stood at 218,565,356. The latest data breach listed for North Carolina is at Wake County Emergency Medical Services, which reported the loss of 1,188 patient names and 3,454 names and Social Security numbers of emergency personnel.1
The problems created by using mobile devices can be attributed to the following weak spots:

- The devices are small and untethered, so they are easily lost or stolen.
- The data on the devices is easily accessible to whoever holds them.
- Some devices use wireless communications technology, which can be insecure.

However, the biggest threat to mobile security is the users themselves. Most employees have not really considered what is at stake, especially given the lack of physical security controls over mobile devices. Simply put, people generally do not value business assets or treat the threats and vulnerabilities seriously enough.

Making matters worse, many employees in the Department of Revenue do not know what information they have, where it is located, or even what it is worth. This often leads to security oversights and unfortunate breaches that create business-level problems. Employees need to understand how to notify someone when they detect a loss or lose something themselves.7 They need to keep close track of their mobile devices and inform security and management immediately when a device is missing. North Carolina General Statute 114-15.1 states that any person employed by the State of North Carolina who receives information or evidence of theft or loss of any state-owned personal property shall, as soon as possible but not later than three days from receipt of that information or evidence, report it to his immediate supervisor, who shall in turn report it to the head of the Department. The Director of Information Security shall, within a reasonable time but no later than 10 days from receiving the information, report it in writing to the Director of the State Bureau of Investigation. We must also inform the Internal Revenue Service and the State Information Technology Service of any lost data.2 From a security standpoint the three-day statutory window is an outer limit, not a target: the sooner a loss is reported, the sooner the device's credentials can be revoked and the breach-notification process under G.S. 75-65 can begin.

The second concern is that the theft or loss of an unsecured machine, or of one holding unencrypted data, can damage our organization's processes, its reputation, and the trust of the citizens of North Carolina. To avoid this problem, Revenue has implemented full hard-drive encryption on all laptops and PCs. We have also encrypted our PDAs and USB drives. Full disk encryption works better than file or folder encryption because it is transparent: users do not have to be trained and trusted to save all their data in an encrypted folder. It is worth being clear about what full disk encryption does and does not do. It protects data at rest on a machine that is powered off (the encryption key is in memory while the machine is running or merely sleeping), so it depends on users actually shutting down or hibernating unattended laptops and on the pre-boot passphrase or PIN being strong; it does nothing against malware or a thief with access to a running, unlocked session. Data theft is not the only risk from unmanaged USB devices and removable media; these same devices are now recognized as an entry point for malware. If a flash drive or USB stick becomes infected with a virus, a user could plug it into the agency's network and unknowingly unleash a crippling infection. This is why Revenue has policies and procedures that address the use of removable media and USB devices.
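The two controls described above, full disk encryption and restrictions on removable media, can be checked and enforced on a Windows workstation from PowerShell. The script below is an added example and is not the Department's own code; it assumes a Windows Vista/7-era or later machine with BitLocker (so that manage-bde is present) and an elevated session. The registry paths and value names are those the corresponding Group Policy settings write, while the specific policy choices (removable disks read-only and non-executable, USBSTOR optionally disabled) are an assumed reading of "policies and procedures that address removable media".

```powershell
# Added example, not Department of Revenue code. Assumes a Windows Vista/7-era
# or later workstation with BitLocker, run from an elevated PowerShell session.
# Registry paths and value names are those written by the corresponding
# Group Policy settings; the policy choices (read-only, no-execute) are an
# assumed reading of the Department's removable-media policy.

# Device setup class GUID for "Removable Disks", as used by the GPO under
# Computer Configuration > Administrative Templates > System >
# Removable Storage Access.
$RemovableDiskPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableDiskPolicy {
    <# Make removable disks read-only and non-executable. Denying writes keeps
       taxpayer data off unmanaged sticks; denying execute stops autorun-style
       malware from launching off a stick that a user plugs in anyway. #>
    param([switch]$AllowWrite)   # writes are denied unless this is given

    if (-not (Test-Path $RemovableDiskPolicy)) {
        New-Item -Path $RemovableDiskPolicy -Force | Out-Null
    }
    $denyWrite = if ($AllowWrite) { 0 } else { 1 }
    New-ItemProperty -Path $RemovableDiskPolicy -Name 'Deny_Write' `
        -PropertyType DWord -Value $denyWrite -Force | Out-Null
    New-ItemProperty -Path $RemovableDiskPolicy -Name 'Deny_Execute' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-UsbMassStorage {
    <# Stronger option for machines that never need USB storage: keep the
       USBSTOR driver from loading at all. Start = 4 means SERVICE_DISABLED;
       set it back to 3 (SERVICE_DEMAND_START) to re-enable. #>
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
        -Name 'Start' -Value 4
}

function Test-FullDiskEncryption {
    <# Parse "manage-bde -status" for one volume. Both fields matter: a volume
       that is Fully Encrypted but shows "Protection Off" (protectors
       suspended, e.g. for a firmware update) has its key stored in the clear
       and is not protecting data at rest. #>
    param([string]$Drive = 'C:')

    $status = & manage-bde.exe -status $Drive 2>&1 | Out-String
    New-Object PSObject -Property @{
        Drive          = $Drive
        FullyEncrypted = [bool]($status -match 'Conversion Status:\s+Fully Encrypted')
        ProtectionOn   = [bool]($status -match 'Protection Status:\s+Protection On')
    }
}

# Usage: audit every fixed disk (DriveType 3), then apply the removable-media policy.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object { Test-FullDiskEncryption -Drive $_.DeviceID } |
    Format-Table Drive, FullyEncrypted, ProtectionOn -AutoSize
Set-RemovableDiskPolicy
```

Deny_Write and Deny_Execute map to the "Removable Disks: Deny write access" and "Deny execute access" policies, so the same outcome can be pushed centrally by Group Policy; the script is useful for spot checks on machines that have drifted from the domain baseline. Call Disable-UsbMassStorage only on machines that genuinely never need removable storage, since it also blocks USB-attached backup drives.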

The third and last issue concerns wireless communications. Wireless LANs and laptop computers are the current hot vectors for malicious-code infections, and the recent appearance of malicious code on portable and personal devices does not sit well with our security administrators. Inadequate wireless security was the cause of a major retailer's well-publicized data breach, and the widely aired story has brought greater attention to the choice of security protocol. According to news media reports, hackers were able to intercept the store's 802.11 wireless signal and, using publicly available software on a standard laptop, crack the encryption used on the network (the aging WEP protocol), enabling them to record passwords and credit card information. The Department of Revenue therefore requires that all wireless connections into our network be configured as IEEE 802.11i Robust Security Networks, using WPA2 with AES-CCMP, as recommended in NIST Special Publication 800-97; this rules out open networks, WEP, and WPA with TKIP.
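On the client side, the quickest way to find laptops that would still join a WEP or open network is to audit their saved wireless profiles. The script below is an added example rather than the Department's own tooling; it assumes Windows Vista or later, where "netsh wlan" is available, and reports whatever profiles are saved on the machine it runs on (no profile names are assumed). It treats a profile as compliant with the 802.11i requirement only when netsh reports WPA2-Personal or WPA2-Enterprise authentication together with the CCMP cipher.

```powershell
# Added example, not Department of Revenue code. Audits the Wi-Fi profiles
# saved on a Windows laptop with "netsh wlan" (Windows Vista and later) and
# flags any that are not IEEE 802.11i RSN profiles, i.e. WPA2 with AES-CCMP,
# the configuration NIST SP 800-97 recommends. No profile names are assumed.

function Get-NetshField {
    <# Return the value of the first "Field : value" line in netsh output,
       or 'Unknown' when the field is absent. #>
    param([string[]]$Lines, [string]$Field)
    $pattern = '^\s*{0}\s*:\s*(.+)$' -f [regex]::Escape($Field)
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1].Trim() }
    }
    return 'Unknown'
}

function Test-RsnCompliant {
    <# 802.11i RSN in netsh's vocabulary: WPA2-Personal or WPA2-Enterprise
       with the CCMP cipher. Open, Shared (WEP), WPA-* and any TKIP cipher
       all fail. (A site that has moved on to WPA3 would add those names.) #>
    param([string]$Authentication, [string]$Cipher)
    ($Authentication -match '^WPA2-(Personal|Enterprise)$') -and ($Cipher -eq 'CCMP')
}

function Get-WlanProfileSecurity {
    <# One object per saved profile with the authentication method and
       cipher netsh reports, plus a Compliant flag. #>
    $names = netsh wlan show profiles | ForEach-Object {
        if ($_ -match '^\s*(All|Current) User Profile\s*:\s*(.+)$') { $Matches[2].Trim() }
    }
    foreach ($name in $names) {
        $detail = netsh wlan show profile "name=$name"
        # netsh prints the primary Authentication/Cipher pair first; newer
        # builds add a second pair for fallback ciphers, which is ignored here.
        $auth   = Get-NetshField -Lines $detail -Field 'Authentication'
        $cipher = Get-NetshField -Lines $detail -Field 'Cipher'
        New-Object PSObject -Property @{
            Profile        = $name
            Authentication = $auth
            Cipher         = $cipher
            Compliant      = Test-RsnCompliant -Authentication $auth -Cipher $cipher
        }
    }
}

# Usage: list the profiles that fall short of the 802.11i requirement.
Get-WlanProfileSecurity |
    Where-Object { -not $_.Compliant } |
    Format-Table Profile, Authentication, Cipher -AutoSize
```

Non-compliant profiles can be removed with "netsh wlan delete profile name=...", and on a domain the same rule is better enforced centrally through a wireless network (IEEE 802.11) Group Policy that only permits the WPA2/AES profile, so that users cannot re-add a weak one.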

The threats are real and losses have already been greater
than anyone imagined. The Department of Revenue is subject to a
number of regulations. Not complying with these regulations
could prove disastrous to the Department, its employees and most
importantly, to North Carolina taxpayers. The most important
regulations are:

- Sarbanes-Oxley Act of 2002, which specifies that business information and processes must be strictly controlled and that chief executives are accountable for missing or leaked critical information.3
- SB 1386, the California data breach notification law, which requires any business or government agency doing business in the state to notify California residents when their personal information is exposed.4
- IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities. As a condition of receiving tax return information, recipient agencies are required by IRC 6103(p)(4) to establish and maintain, to the satisfaction of the IRS, safeguards designed to prevent unauthorized uses of the information and to protect its confidentiality.5
- NCGS 132-1.10, which states that if an agency of the State or its political subdivisions, or any agent or employee of a government agency, experiences a security breach as defined in Article 2A of Chapter 75 of the General Statutes, the agency shall comply with the requirements of G.S. 75-65.

- NCGS 75-65, Protection from Security Breaches, which requires that this agency provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of that section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.6

The mass proliferation of handheld devices, laptops, and portable media presents a dilemma for the Department. On one hand, these devices are invaluable business tools that employees need to perform their day-to-day tasks. On the other hand, they represent serious security risks to very sensitive information. The Department must implement solutions that allow users access to business-critical devices while at the same time protecting the Department's information. Armed with knowledge, training, and well thought-out security strategies, Revenue can anticipate and rectify vulnerabilities and respond swiftly to malicious activity. By planning ahead, staying abreast of security developments, and avoiding blunders, we reduce the likelihood of a data breach and increase the probability of overall business success.

REFERENCES:
1. Privacy Rights Clearinghouse, A Chronology of Data Breaches. http://www.privacyrights.org/ar/ChronDataBreaches.htm#2008
2. N.C.G.S. 114-15.1, Department heads to report possible violations of criminal statutes involving misuse of State property to State Bureau of Investigation. http://www.scio.state.nc.us/documents/docs_Active/Laws%20Relating%20to%20Use%20of%20State%20Computer%20Systems/NC/N.C.G.S.%2011415.1.%20%20Department%20heads%20to%20report%20possible%20violations%20of%20criminal%20statutes%20involving%20misuse%20of%20State%20property%20to%20State%20Bureau%20of%20Investigation.pdf
3. Sarbanes-Oxley Act of 2002. http://www.soxlaw.com/
4. California SB 1386, chaptered 26 September 2002. http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
5. IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies. http://www.irs.gov/pub/irs-pdf/p1075.pdf
6. N.C.G.S. 75-65, Protection from Security Breaches. http://www.unc.edu/depts/legal/ssn/NCGS%2075-65%20Protection%20from%20Security%20Breaches.DOC
7. CSO Journal, March 2008, p. 29, "Protecting the Mobile Workforce".
8. ISSA Journal, February 2008, p. 26, "Security Blind Spots".
