[Dshield] Web Site Authentication

BOYD S. (SPENCE) MINER k4kep at backroads.net
Tue Jan 30 14:24:55 GMT 2007


I have been informed that it is a FEDERAL violation to use SSAN for any purpose
"OR" identification except that as required by the Social Security Commission.

73
SPENCE





Subject: Re: [Dshield] Web Site Authentication
From: "Shawn Cox" <shawn.cox at pcca.com>
Date: Mon, 29 Jan 2007 11:29:24 -0600
To: "'General DShield Discussion List'" <list at lists.dshield.org>
References: <37F567410F26BC4A9ED7DF519D3B0F3B017DB40C at watson.epmgpc.com>
In-Reply-To: <37F567410F26BC4A9ED7DF519D3B0F3B017DB40C at watson.epmgpc.com>
Reply-To: General DShield Discussion List <list at lists.dshield.org>
Message-ID: <02c901c743cb$05060090$5701050a at pcca.com>

This is going to sound a little harsh, but please understand it is not
directed at you, Alex.

If your records are still keyed off of SSN your company has big problems.

What you need to do is focus on protecting that SSN info.  Not changing your
authentication method.  Federal law requires that a breach of your data
systems that reveals as little as the SSN/name pair obligates your company
to notify every person whose data is compromised.  Maybe you heard about the
federal government having to do just that for several million veterans?  I'd
bet you a shiny nickel your chief of IT does not under any circumstances
want to pen that letter.  (Here's your business case.)

It is far more likely that someone will obtain a password via a sticky note
or website compromise than will defeat your current authentication method.
This also applies if an unencrypted backup tape is lost.

It is surprising to me that as a company in the healthcare industry an audit
or your lawyers have not brought this up.  Companies have been converting
away from SSN identifiers for 5+ years now.  This is the first thing you
should get done.  Convert to a member number/userid and encrypt the SSN,
displaying it only on eyes-only reports and to eyes-only users.


I've just spent the last 2 years doing exactly this and it wasn't fun, but
my CIO can sleep better at night now.

Good Luck to you.
--S
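The conversion Shawn describes (a surrogate member number as the record key, the SSN encrypted at rest, and the SSN shown in the clear only on eyes-only reports), as an added example that is not part of the original thread. It assumes the pyca `cryptography` package for AES-GCM, an in-memory SQLite table, and a constructed sample record; the table and column names, the member-number format and the keys generated in-process are all hypothetical (in production the keys would come from a KMS or HSM, never be generated next to the data).

```python
"""Replace SSN-keyed records with a surrogate member number, keep the SSN
encrypted at rest, and expose it only to eyes-only callers.

Added example; assumes the pyca `cryptography` package (pip install cryptography).
Table/column names and key handling are illustrative, not a real schema.
"""
import hashlib
import hmac
import os
import secrets
import sqlite3

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed for the example. Real deployments fetch these from a KMS/HSM.
DATA_KEY = AESGCM.generate_key(bit_length=256)   # encrypts the SSN column
INDEX_KEY = secrets.token_bytes(32)              # keys the blind lookup index


def new_member_number() -> str:
    """Random, non-sequential surrogate key with no relation to the SSN."""
    return "M" + secrets.token_hex(6).upper()


def blind_index(ssn: str) -> str:
    """HMAC of the SSN so the DB can answer 'do we already hold this SSN?'
    without storing plaintext. Deterministic, so it reveals equality only."""
    return hmac.new(INDEX_KEY, ssn.encode(), hashlib.sha256).hexdigest()


def encrypt_ssn(ssn: str, member_number: str) -> bytes:
    """AES-GCM with a fresh nonce; the member number is bound as AAD so a
    ciphertext copied onto another member's row fails to decrypt."""
    nonce = os.urandom(12)
    ct = AESGCM(DATA_KEY).encrypt(nonce, ssn.encode(), member_number.encode())
    return nonce + ct


def decrypt_ssn(blob: bytes, member_number: str) -> str:
    nonce, ct = blob[:12], blob[12:]
    return AESGCM(DATA_KEY).decrypt(nonce, ct, member_number.encode()).decode()


def mask_ssn_last4(last4: str) -> str:
    return "***-**-" + last4


def build_db() -> sqlite3.Connection:
    """Hypothetical converted schema: member_number is the key; the SSN exists
    only as ciphertext plus a blind index and a last-4 for masked display."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE member(
               member_number TEXT PRIMARY KEY,
               name          TEXT NOT NULL,
               ssn_enc       BLOB NOT NULL,
               ssn_index     TEXT NOT NULL UNIQUE,
               ssn_last4     TEXT NOT NULL)"""
    )
    return conn


def enroll(conn: sqlite3.Connection, name: str, ssn: str) -> str:
    """Insert a member; UNIQUE on ssn_index rejects a duplicate SSN."""
    mn = new_member_number()
    conn.execute(
        "INSERT INTO member VALUES (?, ?, ?, ?, ?)",
        (mn, name, encrypt_ssn(ssn, mn), blind_index(ssn), ssn[-4:]),
    )
    return mn


def find_by_ssn(conn: sqlite3.Connection, ssn: str):
    """Lookup by SSN via the blind index; returns the member number or None."""
    row = conn.execute(
        "SELECT member_number FROM member WHERE ssn_index = ?", (blind_index(ssn),)
    ).fetchone()
    return row[0] if row else None


def display_record(conn: sqlite3.Connection, member_number: str, eyes_only: bool = False):
    """Masked view needs no decryption at all; only eyes-only callers decrypt."""
    row = conn.execute(
        "SELECT name, ssn_enc, ssn_last4 FROM member WHERE member_number = ?",
        (member_number,),
    ).fetchone()
    if row is None:
        return None
    name, blob, last4 = row
    ssn = decrypt_ssn(blob, member_number) if eyes_only else mask_ssn_last4(last4)
    return {"member_number": member_number, "name": name, "ssn": ssn}


if __name__ == "__main__":
    db = build_db()
    mn = enroll(db, "Alex Example", "123-45-6789")   # constructed sample record
    print(display_record(db, mn))                    # masked
    print(display_record(db, mn, eyes_only=True))    # full SSN
```

The point of the separate `ssn_last4` column is that the ordinary application path never touches the data key: everything keyed and displayed day-to-day goes through the member number, and a dump of the table gives an attacker ciphertext, an HMAC and four digits rather than the SSN/name pairs that trigger the breach-notification letter.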


