Should Have Known Better

It’s Just One Little E-mail…

Posted in Should Have Known Better on August 6th, 2009 by Paul

How often is e-mail used to send documents that contain sensitive information? I’ve seen consultants share sensitive information about clients this way, as well as staff members just “trying to be helpful”. I’m sure this happens all the time, and it can be mitigated through training and by providing staff the tools necessary to send information securely. While it is fair to say the majority of these incidents never make the news, the Commerce Department wasn’t quite so lucky:

The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed to a risk of identity theft following an inappropriate transfer of the personal information in mid-July, according to a letter sent to department employees last week.

An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees’ personal information to a co-worker via e-mail in an unencrypted form on July 13, according to the letter. The employee informed supervisors of the oversight almost immediately, and there is no indication thus far that information has been compromised, according to the letter.

“Federal Eye: Personal Data Mishandled at Commerce Dept.” Ed O’Keefe. Washington Post, August 3, 2009.

As another case in point, a friend of mine filled out an online appointment request for his physician. He included all types of PII, including his Social Security number, date of birth, and the reason for his visit. The online form itself was secure; however, whatever program the office used sent the “got your schedule request” e-mail with all of the information he had entered, including the PII. The steps the physician took to secure the request were thrown out the window because the same information was then sent via e-mail in the clear. Oops!

I’m not sure how much more the concept of not sending PII over e-mail can be hammered home. Mistakes happen, but when it’s done as part of a business practice, then perhaps there needs to be some financial penalty involved to make the point.
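Both incidents above (a spreadsheet of SSNs mailed in the clear, and a confirmation e-mail echoing back a submitted form) are the kind of thing an outbound-mail check can catch before the message leaves the organization. The following is an added example, not code from the original post or from any product named in it: it builds a constructed message in the shape of the physician’s confirmation e-mail, with a constructed CSV attachment, and scans the body and attachments for SSN-shaped tokens so a mail gateway could hold or redact the message. The addresses, names and numbers are fictitious; the SSN pattern is the common ddd-dd-dddd layout with a few invalid ranges excluded, which is an assumption about what a deployment would accept.

```python
import csv
import io
import re
from email.message import EmailMessage

# SSN layout ddd-dd-dddd; area 000, 666 and 9xx, group 00 and serial 0000 are
# never issued, so excluding them trims false positives.  A production rule
# set would add more context (labels such as "SSN:", attachment types, etc.).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_ssns(text: str) -> list[str]:
    """Return every SSN-shaped token found in a piece of text."""
    return SSN_RE.findall(text)


def redact_ssns(text: str) -> str:
    """Replace each SSN-shaped token with ***-**-<last four>."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], text)


def scan_message(msg: EmailMessage) -> dict[str, int]:
    """Count SSN-shaped tokens in the plain-text body and in each attachment.

    Keys are 'body' or the attachment filename; parts with no hits are omitted.
    """
    hits: dict[str, int] = {}
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        n = len(find_ssns(body.get_content()))
        if n:
            hits["body"] = n
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_content()
        if isinstance(payload, bytes):  # binary attachment: best-effort text view
            payload = payload.decode("utf-8", errors="replace")
        n = len(find_ssns(payload))
        if n:
            hits[name] = n
    return hits


def should_block(msg: EmailMessage, threshold: int = 1) -> bool:
    """Gateway decision: hold the message once the SSN count reaches threshold."""
    return sum(scan_message(msg).values()) >= threshold


def build_sample_message() -> EmailMessage:
    """Constructed sample: a confirmation e-mail that echoes the submitted form,
    plus a CSV export attached 'to be helpful'.  All values are fictitious."""
    msg = EmailMessage()
    msg["From"] = "scheduler@example-clinic.invalid"
    msg["To"] = "patient@example.invalid"
    msg["Subject"] = "Got your schedule request"
    msg.set_content(
        "Thanks, we received your request.\n"
        "Name: J. Doe\nSSN: 123-45-6789\nDOB: 1970-01-01\nReason: follow-up\n"
    )
    rows = [["name", "ssn"], ["A. Smith", "234-56-7890"], ["B. Jones", "345-67-8901"]]
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    msg.add_attachment(buf.getvalue(), subtype="csv", filename="employees.csv")
    return msg


if __name__ == "__main__":
    sample = build_sample_message()
    print(scan_message(sample))          # {'body': 1, 'employees.csv': 2}
    print("block:", should_block(sample))
```

The fix for the physician’s office is not in the scanner but in the application: a confirmation e-mail only needs a reference number and the appointment time, never the fields the patient typed in. The scanner is the safety net for the cases where that lesson has not been learned yet.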

More Useless Legislation

Posted in Should Have Known Better on August 3rd, 2009 by Paul

“File Sharing Leaks Sensitive Federal Data, Lawmakers Are Told” – Washington Post

Another politician jumps into high gear with more useless legislation and finger-pointing after sensitive information was leaked via P2P software on federal computers. Policy already dictates that P2P software shouldn’t be used, but these agencies lacked the technical controls to implement the policy. Adding legislation that merely says “don’t do it” is not the answer. Blaming the P2P software companies for federal agencies’ failure to implement good security is pathetic, but certainly not unusual for the political blame game.

Good endpoint security, perhaps with the prudent implementation of whitelisting technology, can provide the technical controls necessary to enforce such a policy.

When Will They Ever Learn…

Posted in Should Have Known Better on June 3rd, 2009 by Paul

When an employee leaves a company, either voluntarily or involuntarily, the business must have the processes and procedures in place to immediately revoke access to information resources. This isn’t a new concept in the information security realm, but it is something that is often applied lackadaisically in organizations. With the cost of breaches rising, leaving doors open for potentially disgruntled ex-employees can be a costly mistake for your business. Just as you provide access to new employees, you must be ready to remove access when an employee separates.
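Two checks make the “remove access on separation” process verifiable rather than aspirational: reconcile HR’s separation list against the accounts that are still enabled on the VPN, and watch the VPN authentication log for successful logins by a separated user after the separation time. The following is an added example, not code from the original post or from any vendor: the separation records, account states and log lines are constructed and fictitious, and the log line format is an assumption made for the example (a real concentrator’s format would need its own pattern).

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed separation records as HR would export them:
# user name -> time the separation took effect.  Fictitious users.
SEPARATIONS = {
    "jdoe": datetime(2009, 3, 3, 10, 0),
    "rroe": datetime(2009, 3, 2, 17, 0),
}

# Constructed account state as pulled from the VPN concentrator or directory.
VPN_ACCOUNTS = {"jdoe": "enabled", "rroe": "disabled", "asmith": "enabled"}

# Constructed VPN authentication log lines (format assumed for this example).
VPN_LOG_LINES = """\
2009-03-03T08:30:00 vpn01 auth user=jdoe result=success src=198.51.100.7
2009-03-03T09:05:00 vpn01 auth user=asmith result=success src=203.0.113.9
2009-03-03T14:12:00 vpn01 auth user=jdoe result=success src=198.51.100.7
2009-03-04T07:00:00 vpn01 auth user=rroe result=failure src=203.0.113.22
"""

LOG_RE = re.compile(r"^(\S+) \S+ auth user=(\S+) result=(\w+) src=(\S+)$")


@dataclass(frozen=True)
class AuthEvent:
    at: datetime
    user: str
    success: bool
    src: str


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, user, result, src = m.groups()
        events.append(AuthEvent(datetime.fromisoformat(ts), user, result == "success", src))
    return events


def deprovisioning_gaps(separations: dict, accounts: dict) -> set[str]:
    """Separated users whose VPN account is still enabled: the offboarding gap."""
    return {u for u in separations if accounts.get(u) == "enabled"}


def logins_after_separation(separations: dict, events: list[AuthEvent]) -> list[AuthEvent]:
    """Successful logins by a separated user after the separation took effect.
    A login before the cutoff is normal; one after it means the account was
    still open and someone used it."""
    return [
        e for e in events
        if e.success and e.user in separations and e.at > separations[e.user]
    ]


def offboarding_report(separations=SEPARATIONS, accounts=VPN_ACCOUNTS, log=VPN_LOG_LINES) -> dict:
    """Run both checks and return the findings for ticketing or alerting."""
    events = parse_log(log)
    return {
        "still_enabled": sorted(deprovisioning_gaps(separations, accounts)),
        "post_separation_logins": logins_after_separation(separations, events),
    }


if __name__ == "__main__":
    report = offboarding_report()
    print("accounts still enabled after separation:", report["still_enabled"])
    for e in report["post_separation_logins"]:
        print(f"ALERT {e.at.isoformat()} {e.user} logged in from {e.src} after separation")
```

The first check belongs in the offboarding procedure itself (run it when HR closes the record, and again a day later); the second belongs in the SOC, because it is the signal that the first check was skipped.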

The article snip below is a recent addition to the “should have known better” club:

The ex-employee, Dong Chul Shin, was fired from the company March 3 for performance reasons, and escorted off the premises, according to court records. But the company failed to immediately shut off his VPN access. That afternoon, someone using Shin’s account began logging onto the corporate network, e-mailing out proprietary data to a personal Yahoo account linked to Shin, and modifying and deleting files, according to a search warrant affidavit by the Dallas FBI agent Robert Smith.

Poulsen, Kevin. “Ex-Employee Fingered in Texas Power Company Hack.” WIRED, 29 May 2009.

http://www.wired.com/threatlevel/2009/05/efh/