Safeguarding Sensitive Data

The Housing Authority of the City of Los Angeles provides subsidized housing to more than 100,000 low-income residents and monthly payments to 15,000 property owners. That level of transactions means the agency's databases are brimming with confidential personal data.

To gauge the security of web portal software designed to improve customer service and give housing residents and landlords the ability to review their data online, the housing authority made the only logical choice: They turned it over to a team of professional hackers who conducted a thorough security assessment to uncover vulnerabilities and then made recommendations for resolving them.

"It's good to be proactive and get someone else to look at what you've done because there's always a risk that you've missed something," says Luis Yataco, the housing authority's assistant director of information technology. "The assessment helped us feel comfortable about releasing information over the Internet to our clients."

Data breaches present a constant threat to the public sector. As a result, state and local governments must conduct annual security assessments or audits to improve their security posture and prevent data leaks, either from hackers or from employees who mishandle data, government IT leaders and experts say.

"They need to do ongoing vulnerability scanning on a day-to-day basis, but they should at least annually have someone come out and do a full assessment and try to break in like the bad guys do," says Rich Mogull, analyst and CEO of Securosis.

Once the assessments are completed and the vulnerabilities are known, IT departments can remedy them by deploying best practices and various security technologies, such as data loss prevention (DLP).

Pinpointing Problems

Security is a priority at Los Angeles' housing authority, a 1,000-employee agency with two major operational arms: a Section 8 program, which provides monthly vouchers for low-income residents who need housing; and a public housing program, which leases city-owned apartment units directly to residents.

The housing authority relies on specialized software to manage the two programs. To protect data, no applications or databases have been public-facing, Yataco says.

Last year, however, many tenants and landlords in the Section 8 program began to demand quicker access to information. Tenants wanted to know their application status and how much assistance they were eligible for, while property owners wanted to know how much rent they could receive and when to expect housing inspections or the results of those inspections. Historically, they've called the agency or waited for letters to learn that information.

To improve customer service and decrease call volume, the IT department last fall considered deploying its software maker's Section 8 portal applications so users could check their information online, but IT staff first wanted to determine how secure the portal technology was.

The housing authority investigated three applications: a web application portal that potential tenants could use to apply for assistance; a status portal for applicants; and a landlord portal that property owners could access to check payment status and get housing inspection information. Last fall, the IT department installed the software in the network's DMZ and deployed a web application firewall for added protection. Then it hired CDW·G to conduct a security assessment.

"We didn't want to just assume that we did a good job securing everything and that things were solid," Yataco says. 

A team of CDW·G security experts spent three weeks inspecting the portals. It discovered that two portals were moderately secure, but that the status portal had a gaping hole. The assessment team created fake user accounts and through an algorithm they developed, they searched for random account numbers. Within five minutes, the group gained access to accounts and private information, Yataco says.

The team found minor problems with the other two portals, including weak password policies, the use of third-party scripts rather than internal scripts and the need to disable a Microsoft ASP.NET debug method that showed error messages in detail, which could aid hackers in breaking into servers.

CDW·G's report outlined the vulnerabilities along with suggested remedies, and the IT staff forwarded the findings to its software maker. After several meetings, the vendor applied fixes to the applications, and CDW·G's team confirmed those fixes.

With the portal apps secure, the housing authority launched the landlord portal last October. So far, 2,200 property owners are using it. The IT department plans to launch portals for tenants in the future, but wanted to focus on the landlords first. Overall, the security assessment was worth the cost, Yataco says. 

"Because of the sensitivity of personal identifiable information, there's a lot at stake," he says. "The assessment helps us increase the trust factor with the public, and internally, it decreases our liability and risk."

IT administrators emphasize the need to conduct comprehensive security assessments annually because threats change constantly.

Brent Schipper, IT director for Ionia County, Mich., regularly uses a free security analyzer to scan his network for simple vulnerabilities. But every year, he also hires a third party to conduct a thorough assessment. The county's IT infrastructure is always evolving, which can create new vulnerabilities he's unaware of.

"We are constantly changing equipment or software out, so we may have a completely different version of SQL Server this time next year, and it may need new patches," he says.

A security assessment team spends a day checking for security holes. Most of the vulnerabilities it uncovers are weak passwords or software updates and patches that must be installed. But one year, the team discovered one web server that was not in the DMZ, which put data at risk.

The city of Annapolis, Md., conducts a security assessment as part of a yearly audit of its financial system. Paul Thorn, MIT director for Annapolis, welcomes the audit because he doesn't have a full-time IT security officer. Every year, he reviews the city's IT processes, policies and procedures with an auditor, and together they look for areas of improvement. Once the assessment is completed, the auditor prioritizes the security fixes that are needed.

"You want to get the full breadth of experience of the people in the security industry that have an extensive body of knowledge," Thorn says. "You will not be able to do it all by yourself in a small organization."

Stopping Leaks

Once organizations learn where their security vulnerabilities lie and how to correct them, they can focus on applying additional technologies, such as data loss prevention, to further protect their information. DLP software and appliances monitor networks, storage and endpoints for sensitive or confidential information, and control the transfer of that data, such as through e-mail, instant messaging and removable storage devices.

The technology is flexible and allows IT staffers to customize security policies for different users and determine what data types are sensitive, says Brooks Evans, IT security officer for Arkansas' Department of Human Services, which is using DLP products to scan e-mail and protect data on computers.

If users try to do something that's not allowed, such as transfer files to a USB drive, print documents or copy and paste content, DLP technology can block it, warn users that they are about to do something risky, or quarantine the action and alert the IT staff for authorization, he says.

For example, at the Department of Human Services, a McAfee Email Gateway catches e-mail with sensitive content and quarantines it. Next, IT security and privacy staff review the e-mail and determine whether it can be sent. If approved, the staff can encrypt the e-mail before it goes out. The McAfee device quarantines 20 to 30 e-mail messages a day, so it's not a burden, Evans says.

The Virginia 529 College Savings Plan, an independent state agency offering four Section 529 college savings programs, recently deployed DLP software to secure data for its more than 2.1 million active accounts.

The agency bans employees from transmitting sensitive data through unsecure means, such as e-mail, FTP or HTTP, and has implemented technical controls that prevent storage of customer data on portable devices, such as USB drives. Every employee is trained on those policies, but DLP tools help ensure those policies are enforced, says Rosario Igharas, the agency's director for information security.

"Our employees know what our policies are, and this is a technical solution to ensure that potential security leaks don't happen," she says.

Last fall, the agency began investigating DLP tools and purchased Symantec's DLP software suite, which includes Symantec DLP Network Monitor, Network Prevent and Endpoint Prevent.

First, Igharas surveyed each business unit to determine who needed access to customer data to do their jobs and how they used that information. In November, the agency installed Symantec's DLP network monitoring tool to assess traffic flow. Both exercises gave her insight regarding how to write DLP security policies and response rules and what potential problems might arise when implementing DLP. 

"You have to understand how the business is using personal information and understand necessary business processes, so you don't impede the business flow while trying to improve data security," she says. 

This February, Igharas installed Symantec's DLP endpoint software on users' notebooks and began writing DLP security policies to protect data. The software inspects e-mail messages, identifies any sensitive data that is not suitable for unencrypted transmission, and automatically blocks that e-mail from going out.

Symantec's endpoint agent inspects each computer for sensitive data on local hard drives and any connected USB flash drives and prevents users from printing such information, she says. It also scans Excel spreadsheets that have hidden worksheets or data and prevents any sensitive data from being transmitted.

The IT staff customizes rules based on groups of employees, IP addresses, the devices they use and whether they are on the agency's network. When employees are on the agency network, the DLP software looks for exact matches of personal information.

For those working remotely or over Wi-Fi, the IT department deploys more restrictive rules, such as blocking all nine-digit numbers, to ensure that no Social Security numbers or other confidential data is potentially transmitted in an insecure environment. Doing so results in more false positives, but it's a necessary evil, Igharas says.

Symantec's DLP software also inspects outbound data and prevents the posting and transmission of sensitive data through FTP, telnet, instant messaging or websites.

Now that DLP is implemented, the IT staff plans to look beyond customer information and use DLP further to safeguard other proprietary agency information and internal working documents.

"We look forward to utilizing other aspects of the DLP system in the future," Igharas says. "We haven't achieved its full potential yet, but at this point, we are pleased with the results."