On Guard Against ID Theft
Written by CHERYL GERBER
POTENTIAL VULNERABILITY OF MILITARY PERSONNEL UNDERSCORES BROADER PROBLEM OF SECURING INFORMATION ON NETWORKS.
Although the theft of a laptop from a career Department of Veteran’s Affairs employee in May most likely did not lead to any nefarious use of the personal data it contained, the incident highlighted the exceptional issues that military service members and veterans face when it comes to identity theft and fraud.
While the laptop itself is private property, the personal data of about 26.5 million veterans, active duty and guard/reserve members belongs to the individuals and the VA. In June, law enforcement arrested the suspected young thieves who randomly burglarized the VA employee’s home. The laptop, external hard drive and personal data were all recovered.
“Law enforcement and the FBI are confident that the personal information was not compromised while the laptop and external hard drive were missing. Nonetheless, we are taking additional steps,” said Matt Burns, a VA spokesman. Since then, the VA, Department of Defense and other federal agencies have identified and enlisted numerous options to improve the security of identity and personal data.
The VA responded to the laptop theft by conducting a broad inspection of how it handles data protection and cyber security across the agency. “The silver lining in this cloud is that it raised our awareness of the need for a change in the lax culture that existed in the cyber information security area. We are looking more closely at the systems in place to determine where improvements are needed. Our goal now is to become the gold standard in cyber security,” Burns said.
RISK ASSESSMENT
The department accepted an offer from an identity risk management company named ID Analytics to provide a rigorous analytical assessment of the VA data for free in order to gain recognition for its technology. The company is using its Graph Theoretic Anomaly Detection technology along with its ID Network database to trace and chart each identity and all of the associated identities and organizations. The chart is then analyzed to check for anomalies in behavior patterns.
ID Analytics spent four years amassing information in its huge ID Network that shows personal data usage over time. The database includes information from financial institutions, telecommunications companies, government agencies, lenders, credit card companies and, increasingly, health care agencies.
“Basically, we take the VA’s breach files—the identities that were on the stolen computer equipment—and put them in our ID Network, a fraud prevention system. We compare the breach files to what’s in our ID Network to see if there’s been any suspicious misuse of the veterans and active servicemembers’ data,” said Karen Stadelmeier, director of marketing at ID Analytics.
The VA plans to continue using the company’s technology after the analysis is complete. “ID Analytics will provide data breach analysis on an ongoing basis to make absolutely certain that there was and is no breach of personal data,” said Burns.
In June, the Office of Management and Budget issued a memorandum recommending identity theft safeguards based on a checklist from the National Institute of Standards and Technology for all federal agencies to follow.
The recommendations include:
• Encrypt all data on mobile computers and devices which carry agency data unless the data is determined to be non-sensitive, in writing, by the deputy secretary or an individual designated in writing.
• Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.
• Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity.
• Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data.
GuardianEdge Technologies provides a free guidebook that helps interpret other items and references on the list.
In an effort to prevent identity theft, the VA awarded a $3.7 million contract to Systems Made Simple (SMS), a small business integrator, and Merlin International, a government technology integrator.
SMS and Merlin will utilize the encryption solutions of GuardianEdge and Trust Digital to upgrade all 300,000 VA computers with enhanced data security encryption systems that will protect private data agency-wide.
“We are excited to continue and grow our relationship with the VA by helping them implement a world-class security architecture,” said John Trauth, executive vice president, government systems, for Merlin. “This combination of security systems integration expertise with leading encryption technology from GuardianEdge and Trust Digital enables the next stage of secure encryption for sensitive desktop-based data throughout the VA.”
GuardianEdge’s Encryption Anywhere software is part of the company’s Data Protection Platform for encryption of hard disks and removable storage devices. Encryption Anywhere snaps into Microsoft’s Management Console and is embedded in Microsoft Active Directory.
Trust Digital’s Mobile Edge Device Security technology will provide encryption in all of the VA’s personal digital assistants and smart phones that access e-mail and other application data from the VA enterprise network.
“Encryption Anywhere is a single system for managing policy using Active Directory,” said Warren Smith, GuardianEdge vice president of marketing. “Using Active Directory as the core management console, we can deploy rapidly in multiple VA locations simultaneously.”
GuardianEdge has completed pilot testing at several VA locations and full deployment is underway at some locations, Smith said.
“GuardianEdge is now in the process encrypting all laptops. The next step is to encrypt all systems, including desktops,” said Burns.
NETWORK-INITIATED THEFT
The VA incident also raised consciousness about yet another source of identity theft: outgoing information on networks. “The real problem is not the unlikely VA incident. It’s the fire hose of data spewing out of federal agency networks 24 hours a day, seven days a week,” said Eric Gore, chief executive officer of Pavisor. “Securing information on networks to prevent network-initiated identity theft is the real problem.”
Traditional security tools, such as firewalls, intrusion detection systems and anti-virus software, are designed to combat threats from the outside trying to get inside networks. However, the tools don’t protect information on the inside from spewing out.
Recognizing this problem, Gore this summer launched Pavisor and its technology development partner, Intrusion, to offer enterprise products that can help government agencies detect, alert, prevent and report on vulnerabilities and incidences of identity theft.
The company’s PavisProtect Emergency Assessment Service determines whether a federal agency is leaking unencrypted personal information, rendering it vulnerable to identity theft. PavisProtect provides a 20-page customized assessment report, including details such as event time-stamps, sender/receiver address information and content packet captures.
The service is part of a suite that includes SecureNet IPS (Intrusion Protection System) sensors that have been Common Criteria- certified, and Compliance Commander ID Theft Prevention, a network-connected appliance that sits at the network next to the firewall and watches all communications and protocols going through the firewall. “It’s designed to detect the presence of unencrypted personal information,” said Gore.
Also recognizing this growing problem is a company called TrustedID, which launched this year with a multi-part offering called IDFreeze for individual consumers. The product focuses on preventing identity theft by locking up an individual’s identity directly with the credit bureaus and the creditors.
TrustedID’s products work best in states with credit freeze laws. In the past year, a number of states have passed laws that allow residents to lock and unlock their credit reports to prevent identity theft, said Omar Ahmad, chief technology officer.
“According to the FTC, this is a $50 billion problem and there are 10 million victims of identity theft per year. Seven million victims experience what we call account takeover of credit cards or checks from their checkbook. The other three million suffer from credit origination ID theft, and this is the nasty one,” Ahmad said. Credit origination ID theft is costly, bothersome and takes a long time to rectify, he said.
FRAUD RESPONSE
Ahmed stressed that TrustedID’s IDFreeze solution focuses on preventing rather than reacting to identity theft. However, there are numerous options available to take action on identity theft after the fact. For one, the FTC offers a complaint form on its Web site to report an incident of financial fraud and identity theft.
Insurance companies such as Allstate sell identity theft protection insurance and all three credit reporting companies sell services that notify the victim after a suspected case has occurred. However, they do not offer prevention.
Experian offers a three-tiered selection, starting with Triple Alert, which provides daily monitoring of all three national credit reports and e-mail or cellular alerts if key changes are detected. It includes $10,000 of identity theft insurance.
Equifax partnered with Earthlink to provide a Scamblocker that could prevent ID theft online. The service determines whether a Website is a phishing site. A phishing site can be convincing, as the Web page looks like the official page of a legitimate company. A phishing e-mail sometimes threatens dire consequences if the receiver does not respond by visiting the fraudulent site.
“Phishing is a scam that allows the scammer to pose as a legitimate website in an attempt to steal your personal information,” said David Rubinger, vice president of Equifax communications. Equifax offers several different credit monitoring products, called Equifax Credit Watch.
TransUnion’s Fraud Response Services are a suite of products including credit monitoring, alerts and fraud victim’s assistance. The Fraud Management Platform works with credential-issuing organizations to determine identity verification and authentication, issuing a score that is a predictor of identity validation. TransUnion services are available online, so if active duty service members have Internet access, they can receive inquiry alerts electronically.
The federal government continues to respond in various ways to the growing threat of financial fraud and identity theft. For example, in June, a group of federal agencies, private companies and academia launched the national Center for Identity Management and Information Protection to address personal data protection issues. IBM and LexisNexis are the corporate founders of the center.
The center will work to centralize data to help industry and academia provide effective technologies for law enforcement agents. The collaborative effort will develop more powerful tools to track trends in cyber crimes in order to catch cyber criminals and to combat identity theft. ♦
