Ex-Lover Busted, But Not Totally to Blame

A 38-year-old Avon Lake, Ohio man is set to plead guilty to federal charges after spyware he allegedly meant to install on the computer of a woman he’d had a relationship with ended up infecting computers at Akron Children’s Hospital.   (Misdirected spyware infects Ohio hospital.  McMillan, Robert. 17 September 2009. ComputerWorld.)

Graham certainly gets what is coming to him.  Sending spyware to your ex is more than a little creepy.  However, it seems to me the hospital is culpable in the release of protected health information (PHI) due to poor security practices.   The hospital has an obligation to protect this information yet they allow an employee to not only access personal e-mail but also download and install an application.  In this case it turns out to be spyware.

Unfortunately, this is a common occurrence.  Employees use business assets as their personal playground, downloading and installing all types of applications that have no business being on the PC.  I’m not talking about pictures of Grandma Edith and the new puppy, but rather peer-to-peer file sharing and communication applications, games, and other programs of amusement.  This places companies at risk for the accidental release of personal information or compromise of systems.

With more regulatory pressure being placed on organizations to protect personally identifiable information, companies are going to need to decide whether they are running a business or a playpen.  It may be safer (and less expensive) to put in a foosball table and pinball machine than suffer the consequences of a breach.

Small Business – a Target

Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States, setting off a multimillion-dollar online crime wave that has begun to worry the nation’s largest financial institutions.

“European Cyber-Gangs Target Small U.S. Firms.”  Washington Post, August 25th.

Launching these attacks from “safe havens” against organizations that tend to have limited information security postures is a cash cow for these criminal outfits.  This should be a wake-up call to small and mid-size businesses that may not have the knowledge to adequately protect themselves: some information security help may be needed if they want to stay in business.

If you think this can’t happen to you, then understand that these attacks are simple and ignoring the threat doesn’t make it go away.  Ask yourself whether your company can survive if its ability to process credit cards is taken away.  If the answer is no, then perhaps an evaluation of your security posture is in order.

It’s Just One Little E-mail…

How often is e-mail used to send documents and information containing sensitive data?  I’ve seen consultants share sensitive information about clients this way, as well as staff members just “trying to be helpful”.  I’m sure this happens all the time, and it can be mitigated through training and by providing staff the tools necessary to send information securely.   While it is fair to say the majority of these incidents never make the news, the Commerce Department wasn’t quite so lucky:

The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed to a risk of identity theft following an inappropriate transfer of the personal information in mid-July, according to a letter sent to department employees last week.

An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees’ personal information to a co-worker via e-mail in an unencrypted form on July 13, according to the letter. The employee informed supervisors of the oversight almost immediately, and there is no indication thus far that information has been compromised, according to the letter.

“Federal Eye: Personal Data Mishandled at Commerce Dept.”  Ed O’Keefe.  Washington Post, August 3, 2009.

As another case in point, a friend of mine filled out an online appointment request for his physician.  He included all types of PII, including Social Security number, date of birth, and the reason for his visit.  The online form itself was secure; however, whatever program the office used was sending the “got your schedule request” e-mail with all of the information he had put in, including the PII.  The steps the physician took to secure the request were thrown out the window because the same information was then sent via e-mail in the clear.  Oops!

I’m not sure how much more the concept of not sending PII over e-mail can be hammered home.   Mistakes happen but when it’s done as part of a business practice then perhaps there needs to be some financial penalty involved to make the point.

More Useless Legislation

“File Sharing Leaks Sensitive Federal Data, Lawmakers Are Told” – Washington Post

Another politician jumps into high gear with more useless legislation and finger pointing after sensitive information was leaked via P2P software on federal computers.   Policy already dictates that P2P software shouldn’t be used, but these agencies lacked the technical controls to implement the policy.  Adding legislation that merely says “don’t do it” is not the answer.  Blaming the P2P software companies for federal agencies’ failure to implement good security is pathetic, but certainly not unusual for the political blame game.

Good endpoint security with perhaps the prudent implementation of whitelisting technology can provide the technical controls necessary to enforce such policy.

When Will They Ever Learn…

When an employee leaves a company, either voluntarily or involuntarily, the business must have the processes and procedures in place to immediately revoke access to information resources.   This isn’t a new concept in the information security realm, but it is something that is often applied lackadaisically in organizations.  With the cost of breaches rising, leaving doors open for potentially disgruntled ex-employees can be a costly mistake for your business.  Just as you provide access to new employees, you must be ready to remove access when an employee separates.

The article snip below is a recent addition to the “should have known better” club:

The ex-employee, Dong Chul Shin, was fired from the company March 3 for performance reasons, and escorted off the premises, according to court records.  But the company failed to immediately shut off his VPN access.  That afternoon, someone using Shin’s account began logging onto the corporate network, e-mailing out proprietary data to a personal Yahoo account linked to Shin, and modifying and deleting files, according to a search warrant affidavit by the Dallas FBI agent Robert Smith.

Poulsen, Kevin.  “Ex-Employee Fingered in Texas Power Company Hack.” WIRED, 29 May 2009.

http://www.wired.com/threatlevel/2009/05/efh/
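As an added example (not from the original post or the WIRED article it quotes), the check below does the reconciliation the Shin case shows was missing: it compares an HR separation list against VPN authentication log lines and flags successful logins after an account’s separation time, and lists separated accounts that are still enabled. The log format, usernames, addresses and timestamps are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: an HR separation feed (username -> separation time)
# and a few VPN authentication log lines in a made-up "key=value" format.
SEPARATIONS = {
    "dshin": "2009-03-03T09:15:00",
    "jdoe": "2009-02-20T17:00:00",
}

VPN_LOG = """\
2009-03-03 08:55:12 vpn1 auth OK user=dshin src=203.0.113.7
2009-03-03 13:42:05 vpn1 auth OK user=dshin src=198.51.100.22
2009-03-03 13:50:31 vpn1 auth OK user=asmith src=198.51.100.40
2009-03-04 07:02:44 vpn1 auth FAIL user=jdoe src=203.0.113.9
2009-03-04 07:03:10 vpn1 auth OK user=jdoe src=203.0.113.9
"""

def parse_vpn_line(line):
    """Return (timestamp, result, user, src) for one constructed log line."""
    fields = line.split()
    ts = datetime.fromisoformat(fields[0] + "T" + fields[1])
    result = fields[4]                      # "OK" or "FAIL"
    kv = dict(f.split("=", 1) for f in fields[5:])
    return ts, result, kv["user"], kv["src"]

def post_separation_logins(log_text, separations):
    """Flag successful VPN authentications occurring after the user's separation."""
    cutoffs = {u: datetime.fromisoformat(t) for u, t in separations.items()}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_vpn_line(line)
        cutoff = cutoffs.get(user)
        # Logins before the cutoff and failed attempts are not findings here.
        if cutoff is not None and result == "OK" and ts > cutoff:
            hours = round((ts - cutoff).total_seconds() / 3600, 1)
            findings.append({"user": user, "when": ts.isoformat(),
                             "src": src, "hours_after_separation": hours})
    return findings

def still_enabled(separations, active_accounts):
    """Separated accounts that the directory still reports as active."""
    return sorted(set(separations) & set(active_accounts))

if __name__ == "__main__":
    for f in post_separation_logins(VPN_LOG, SEPARATIONS):
        print("ALERT post-separation VPN login:", f)
    print("still enabled:", still_enabled(SEPARATIONS, ["dshin", "asmith", "bgreen"]))
```

Run on a daily basis, the two functions cover both halves of the problem: the access that should have been removed, and the use of it that should have been noticed the same afternoon.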