Follow-up Thought: Facebook Credentials and Hiring Process

Just a quick follow-up to my previous post, “Before I hire you I’ll need the keys to your home…”

I read a comment on LinkedIn that said there were no laws prohibiting employers from asking you to turn over your Facebook credentials so they can see your private information. In my non-lawyerly view, I think it runs straight into the plenty of laws that already declare certain questions “off-limits” in the hiring process: age, sexual orientation, pregnancy, disabilities. It is not uncommon to find details about these personal matters shared with friends and family on Facebook, but they are often explicitly hidden from public view.

Asking a candidate for their Facebook credentials so the employer can rummage through those personal details is, at least in my view, no different from asking the same questions directly during an interview. If certain pre-employment questions are already prohibited by law, then requiring a candidate to hand over access to that information by another avenue seems to splash down in the same swimming hole.

Let me play a scenario:

A candidate has a pretty good interview. A few days later an HR rep from the company calls him up and says there is just one more step in the process. Since his Facebook page isn’t public, they’ll need his user ID and password, “just as routine.” He gives it, and within a week receives a letter saying he was not selected for the job.

On his Facebook page, it’s pretty clear he’s gay. Many of his posts, and those of his friends, refer to him and his partner. He believes that is the only reason he didn’t get the job. He thinks that asking for his user ID and password wasn’t “routine” at all, but merely an excuse to find out information they were prohibited from asking him directly.

His next two calls are to an attorney and the media….

Now, it may be that the company had a legitimate reason to hire someone else, but the perception here is what matters. Imagine your company being dragged through the media and labeled as discriminatory. We’ve all seen what happens when the media plants an idea in the minds of its audience: the truth is pushed to the back burner while the sensational, ratings-grabbing story rules the day. There may or may not be any legal ground, but it sure makes good publicity for a hard-hitting lawyer.

If this came to pass, would you reconsider asking for those Facebook credentials?  Maybe sticking with traditional background checks, interview questions, reference checks, and looking at publicly available profile information with social media sites is the better choice.


They did WHAT with my data?

What are your employees doing with your data?

I know… they are all doing their jobs and nothing out of the ordinary. Unfortunately, that isn’t always the case. Time and time again we see individuals inside an organization abusing their access to inappropriately view, or in the worst case steal, sensitive information.

Take, for example, this recently reported case in Hawaii, “HCFCU admits member information breached.” Almost a year ago some “trusted” employees accessed member information to fill petitions for the credit union board nomination process. Another employee thought this was messed up and reported it. The credit union is now putting employees through “new training” to reinforce policies. I hope they have other tools to detect inappropriate access besides the “just tell us” approach.

This is just one of many examples of insiders breaching confidentiality. It happens quite frequently, whether it is the budding entrepreneur stealing your customer lists to go into business on his own or the hospital employee swiping the medical records of celebrities to sell to the paparazzi. The insider threat appears in just about every industry vertical.

Ask yourself:

  1. Who has access to what information?  Do they need that access to perform their job?
  2. When someone changes jobs internally, do you just tack on their new permissions to their old OR do you remove previous access and give them what they need for their new position?
  3. Do you have generic user accounts or does each person have a user account that identifies them and their access?
  4. Can you tell who has accessed your most sensitive information and when?  Are the access times or the number of records accessed outside the norm?  Do you know what to do when that happens?
  5. Do you have incident response procedures in place that direct you on how to handle a breach should it occur?

Based on your answers, you may be at greater risk of a breach.   There is no such thing as 100% security but taking appropriate measures to safeguard sensitive information from external and internal threats, being able to detect abnormal behavior, and having a plan “just in case” all fit within the practice of due diligence.
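Questions 3 and 4 above can be turned into something a script runs every morning over the application’s audit trail. The block below is an added example written for this post, not code from the credit union or the original article: the log line format, the business-hours window, the burst thresholds and the “generic account” name pattern are all assumptions, and the sample events are constructed. It flags three things: a shared account that cannot be tied to a person, a user whose daily record count is far above their own median, and accesses outside business hours.

```python
"""Added example: spot out-of-the-norm access to sensitive records in an
application audit trail.  Log format, thresholds and sample events are
assumptions for illustration, not taken from the HCFCU case."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Assumed line format: "<timestamp> user=<id> action=<verb> record=<record id>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 is "normal" (assumed)
BURST_FACTOR = 5                # a day above 5x the user's median day is a burst
MIN_BURST = 10                  # ...but never flag a day with fewer than 10 records
GENERIC_ACCOUNTS = re.compile(r"^(admin|generic|shared|svc_\w+|temp\d*)$", re.I)


def parse(lines):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {**m.groupdict(),
                   "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")}


def review(lines):
    """Return (user, finding) tuples for generic accounts, daily bursts
    and off-hours access."""
    findings = []
    daily = defaultdict(Counter)    # user -> {date: records touched that day}
    off_hours = Counter()           # (user, date) -> events outside business hours
    for e in parse(lines):
        day = e["ts"].date()
        daily[e["user"]][day] += 1
        if e["ts"].hour not in BUSINESS_HOURS:
            off_hours[(e["user"], day)] += 1

    for user, per_day in daily.items():
        if GENERIC_ACCOUNTS.match(user):
            findings.append((user, "generic account: activity cannot be tied to a person"))
        # Median of the user's own days; a user seen on only one day never
        # exceeds BURST_FACTOR x their median, so a baseline must exist first.
        baseline = statistics.median(per_day.values())
        for day, n in sorted(per_day.items()):
            if n >= MIN_BURST and n > BURST_FACTOR * baseline:
                findings.append((user, f"{day}: {n} records vs. median {baseline:g}/day"))
    for (user, day), n in sorted(off_hours.items()):
        findings.append((user, f"{day}: {n} accesses outside business hours"))
    return findings


# Constructed sample: two clerks with a normal pattern, one of whom bulk-reads
# member records one evening, plus a shared account and a malformed line.
SAMPLE_LOG = [
    "2011-03-07 09:12:40 user=jsmith action=VIEW record=M-1001",
    "2011-03-07 10:03:11 user=jsmith action=VIEW record=M-1002",
    "2011-03-07 11:45:02 user=jsmith action=VIEW record=M-1003",
    "2011-03-08 09:05:00 user=jsmith action=VIEW record=M-1004",
    "2011-03-08 14:22:51 user=jsmith action=VIEW record=M-1005",
    "2011-03-07 09:30:19 user=rlee action=VIEW record=M-2001",
    "2011-03-08 10:01:33 user=rlee action=VIEW record=M-2002",
    "2011-03-09 10:01:33 user=rlee action=VIEW record=M-2003",
    "2011-03-09 13:00:00 user=generic action=VIEW record=M-3001",
    "this line is malformed and is skipped",
] + [
    f"2011-03-09 20:{m:02d}:00 user=jsmith action=VIEW record=M-{1100 + m}"
    for m in range(40)
]

if __name__ == "__main__":
    for user, msg in review(SAMPLE_LOG):
        print(f"{user:10s} {msg}")
```

The per-user median is deliberately the baseline, rather than a fixed number, because a records clerk and a loan officer have very different “normal” days. In practice the baseline should come from a longer history than the window being reviewed, and the findings feed the incident response procedure in question 5 rather than an e-mail nobody reads.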

In information security, you can’t assume that everyone will do the right thing. Too many organizations have experienced the results of that assumption in dollars and cents, tarnished reputation and lost customers, and some have shut their doors. It simply isn’t worth the risk.


Close the barn door… the horse is out!

It never fails. Information security controls are put into place immediately AFTER a significant security incident has happened. This is true even when the controls were reasonable to have in place all along and could have prevented the incident entirely. Decisions made after an incident are too often knee-jerk reactions rather than business-minded protections.

As a case in point, the Department of Defense issued a new ban on removable media being used on classified machines in response to the WikiLeaks release of diplomatic cables.  Completely reactive.  The point here isn’t the effectiveness of the control but the timing.

For those who haven’t followed the WikiLeaks drama, here is a tidbit taken from a December 10, 2010 CNN article that can be applied to many organizations.

“Pfc. Bradley Manning says he downloaded hundreds of thousands of files from SIPRNET to a CD marked “Lady Gaga” before giving the files to WikiLeaks.”

Do you have a Private Manning in your organization who has access to sensitive information?  Can he easily take that information out of your environment and sell it to the highest bidder?  Why not consider that risk and address it before it becomes an issue?

The culprit often lies in the attitude of executive leadership.   How often have you heard the following?

  • “We’ve been doing things this way for years and haven’t had a breach.”  (that you know of)
  • “Show me the hard dollar return on investment before I sign off on these security thingies.”  (BTW, since most security implementations don’t generate revenue, a revenue-based ROI will always be zero; the return is in losses avoided.)
  • “It’s not convenient.”

These excuses need to be replaced with a desire to take ownership of the information you hold. The focus needs to be on protecting your intellectual property and maintaining competitive advantage. That ownership means examining the risks to your information and choosing measures that reduce those risks without impeding the functions of the business.

Controls don’t have to be expensive or fancy.  They just need to be effective.  Understand and take control of your information before an incident forces rushed decisions that impact your ability to conduct business.

Business and Security Need Each Other

A recent eWeek article, “Cyber-security Hurts Federal Government Productivity, Survey Says,” clearly demonstrates how much of the security problem is perception and communication. There seems to be a significant disconnect between what is thought to be needed to perform an agency’s mission and doing so without compromising its computer systems.

“Surveyed federal executives believe that cyber-security policies and procedures should be modified to provide more emphasis on the importance of allowing federal managers to achieve their agency’s mission,” said Bryan Klopack, GBC’s director of research.

I get a two-for-one with this comment.  First, it is apparent that federal managers don’t understand that a compromise of their agency’s computer systems will prevent them from delivering or performing their mission.  Second, it seems as though policies and procedures are written in a vacuum without discussion with those the policy impacts.

There is no doubt that over-restrictive policies exist when it comes to web-site and e-mail access. Knee-jerk reactions usually lead to common sense being thrown out the window. That said, the threat landscape has changed, and there is real potential for systems to be compromised because of “choice failure” in e-mail and web-site use. Some system-wide protections simply need to be in place, and inconvenience, by itself, is not a good enough reason to abandon good security practice.

In an editor’s note in SANS NewsBites, John Pescatore put it into perspective:

The blade guard on my power saw hampers my productivity in cutting wood, but chopping off my hand or even just a few fingers tends to also have an impact on my productivity.

The problem seems to stem from an over-reaction to a Presidential “mandate”.

President Obama signaled early in his administration that cyber-security in the federal government, especially in communications, and coordination, was a priority. “This status quo is no longer acceptable—not when there’s so much at stake. We can and we must do better,” he said.

Various agencies have responded to Obama’s mandate with their own rules.

A unilateral response to a “do better” mandate usually generates bad outcomes for everybody, and that is what appears to have happened here. No communication. No requirements definition. Just a policy enforced through technology. Damn the torpedoes… full speed ahead!

What should be happening here?

First, business leaders (aka management) need to step up and gain some understanding that the threats they face could essentially grind productivity, and subsequently their mission, to a halt.   It is no longer okay to say “this is the security group’s problem” and then walk away.  Participation, horizontally and vertically throughout an organization, is required.  Second, the security team needs to understand how people work, what they need to get their job done, and then work with them to find solutions.

It’s easier said than done, but the status quo is indeed unacceptable. There is no such thing as 100% secure. There is, however, the potential to reduce risk while providing for business (or agency) needs. Without business, there is no need for security. Without security, business will fall victim to attack and fail. Contribution and collaboration are required to bridge this gap.

Based on this survey, I’m afraid we’re trying to cross Alaska’s Bridge to Nowhere.

NJ Supreme Court impacts privacy expectation

The New Jersey Supreme Court recently ruled that a company shouldn’t have read an ex-staffer’s private e-mails even though they were sent from her employer’s computer (NorthJersey.com article).

This is an interesting ruling, and it will certainly change some thinking about personal use of work computers. While I’m a proponent of privacy rights, I’m torn on this particular ruling. The company had a policy in place warning that e-mails “are not to be considered private or personal to any individual employee.” That’s a fairly common policy statement, but the usual intent is to cover use of company e-mail, not a personal Yahoo account. I tend to side with the court that attorney-client privilege applied because there was an attempt to keep the personal e-mail secure. Personal e-mail accounts, especially correspondence with an attorney, seem to be reasonably outside the reach of an employer, in my non-legal opinion.

That said, I think the issue here revolves around the personal use of company-owned computers rather than any specific e-mail. In this case the employee was absolutely out of her mind to be exchanging communications with her attorney, in preparation for a lawsuit against her company, on a company-issued laptop. Stupidity aside, the question is whether the company had a right to “monitor, audit, intercept, access and disclose” any information sent using, or stored on, company-owned equipment. This is where things get a little fuzzy for me.

Since businesses are responsible for protecting the PII transmitted from or stored on their equipment, they certainly have an obligation to monitor and audit that equipment to ensure compliance. While I don’t think that extends into people’s personal e-mail accounts, let’s create a scenario based on the patient privacy breach at University Medical Center that I blogged about in November.

What if the employee had been “hired” by a dubious attorney to provide face sheets as part of an unethical “referral gathering” scheme? Now, instead of walking out with the hard-copy face sheet, as was done in that case, the employee uses a personal Yahoo account to send the information to the “attorney.” I doubt this meets the same measure of attorney-client privilege identified in the New Jersey case, but it certainly illustrates how misuse of employer-owned computer assets can be quite damaging to both business reputation and finances.

As this New Jersey ruling resonates it will be interesting to see how organizations shift their policies, if they do at all.  With the proliferation of social media and smart phones, it may not be an unreasonable time to revisit policies anyway.

Disgruntled Employees – An Inside Job

Let’s look at a very simple risk equation:

Risk = Threat x Vulnerability

Now let’s apply that formula to a disgruntled employee.   You have an angry employee (threat) who has access to sensitive company information based on their role in the organization (vulnerability).  The combination of these two creates a situation where sensitive information, say the “secret recipe”, can potentially be disclosed to competitors (risk).  This could have very serious consequences to your competitive advantage, your shareholders, your market share, etc.

The typical security response is to deploy preventive, detective, and corrective controls that hopefully reduce the risk by mitigating the threat and/or vulnerability.  Most often, the controls lean heavily towards detection which is an after-the-fact, reactive response to the problem.  I believe the root cause of this issue lies with the management of an organization rather than the employee.  Here’s why.

I’ve yet to see a person start a new job saying “this place sucks” or “I hate it here”.  Instead, these new employees are often the most enthusiastic and engaged members of your workforce.  Something has to occur that shifts this positive behavior to disengaged and/or destructive action.  Something changes the attitude of the employee.  I contend that it is the systems developed by management that are responsible for the growth and development of disgruntled behavior in the workplace.

Systems for employee review are often filled with hidden agendas and surprises designed to “put the employee in their place”.   Systems are designed to punish failure by taking power away from “empowered” employees who didn’t meet performance expectations (that probably weren’t defined well anyway).  Systems are designed to give responsibility but no authority to act.  It is these types of unfortunately common management systems that set the stage for the development of disgruntled employees.

So, doesn’t it make sense to mitigate or eliminate the risk associated with the disgruntled-employee threat by fixing the systems that spawn that dissatisfaction? I’m by no means saying that employees rule the roost, or that you’ll never have an employee unhappy over a disagreement. What I am saying is that treating employees fairly, enabling them to be successful, helping them learn from mistakes rather than punishing them, and creating an environment where ideas are freely discussed without fear will go a long way toward eliminating this threat to information security.

Remember the equation:

Risk = Threat x Vulnerability

Without the threat, there is no risk.

When Will They Ever Learn…

When an employee leaves a company, voluntarily or involuntarily, the business must have processes and procedures in place to immediately revoke access to information resources. This isn’t a new concept in information security, but it is one that is often applied lackadaisically. With the cost of breaches rising, leaving doors open for a potentially disgruntled ex-employee can be a costly mistake. Just as you provision access for new employees, you must be ready to remove it the moment an employee separates.

The article snip below is a recent addition to the “should have known better” club:

The ex-employee, Dong Chul Shin, was fired from the company March 3 for performance reasons, and escorted off the premises, according to court records.  But the company failed to immediately shut off his VPN access.  That afternoon, someone using Shin’s account began logging onto the corporate network, e-mailing out proprietary data to a personal Yahoo account linked to Shin, and modifying and deleting files, according to a search warrant affidavit by the Dallas FBI agent Robert Smith.

Poulsen, Kevin. “Ex-Employee Fingered in Texas Power Company Hack.” WIRED, 29 May 2009.

http://www.wired.com/threatlevel/2009/05/efh/
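The gap in the story above is a reconciliation that nobody ran: HR knew the employee was gone, and the VPN did not. The block below is an added example written for this post, not code from the company in the article or from WIRED. It compares an HR separation list against an inventory of accounts on each system and reports, in priority order, any login after the separation time (already a potential incident), any account still enabled, and any separated person who has no inventory entry at all (which usually means the inventory is incomplete, not that there is nothing to disable). The record layout, the field names and the sample rows are all constructed for illustration.

```python
"""Added example: reconcile HR separations against what is still enabled
on the network.  Data model, field names and rows are assumptions made
for this illustration, not from the WIRED article."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Separation:
    user: str
    separated_at: datetime          # the time the person was walked out


@dataclass
class Account:
    user: str
    system: str                     # "vpn", "ad", "crm", ... (assumed)
    enabled: bool
    last_login: Optional[datetime]  # None if the system never saw a login


# Lower number = look at it first.
PRIORITY = {"LOGIN_AFTER_SEPARATION": 0, "STILL_ENABLED": 1, "NO_INVENTORY": 2}


def reconcile(separations, accounts, now):
    """Return (kind, user, system, detail) findings sorted by priority.

    detail is a timedelta: how long after separation the login happened,
    or how long the account has been left enabled; None for NO_INVENTORY."""
    cutoff = {s.user: s.separated_at for s in separations}
    seen = set()
    findings = []
    for a in accounts:
        when = cutoff.get(a.user)
        if when is None:
            continue                # still employed; not this job's concern
        seen.add(a.user)
        if a.last_login is not None and a.last_login > when:
            findings.append(("LOGIN_AFTER_SEPARATION", a.user, a.system,
                             a.last_login - when))
        if a.enabled:
            findings.append(("STILL_ENABLED", a.user, a.system, now - when))
    for user in cutoff:
        if user not in seen:
            findings.append(("NO_INVENTORY", user, "*", None))
    return sorted(findings, key=lambda f: (PRIORITY[f[0]], f[1], f[2]))


# Constructed sample data.  "alice" was escorted out at 10:00 but her VPN
# account is still enabled and was used that afternoon; her AD account was
# disabled properly.  "bob" still works here.  "carol" left last week and no
# system reports an account for her at all.
SEPARATIONS = [
    Separation("alice", datetime(2011, 3, 3, 10, 0)),
    Separation("carol", datetime(2011, 2, 25, 17, 0)),
]
ACCOUNTS = [
    Account("alice", "vpn", True, datetime(2011, 3, 3, 14, 30)),
    Account("alice", "ad", False, datetime(2011, 3, 2, 16, 5)),
    Account("bob", "vpn", True, datetime(2011, 3, 3, 9, 15)),
    Account("bob", "ad", True, datetime(2011, 3, 3, 9, 14)),
]
NOW = datetime(2011, 3, 4, 8, 0)

if __name__ == "__main__":
    for kind, user, system, detail in reconcile(SEPARATIONS, ACCOUNTS, NOW):
        print(f"{kind:22s} {user:8s} {system:5s} {detail}")
```

Run it from the HR feed on a schedule, and treat the first category as a security incident rather than a help-desk ticket: the account is evidence, and so is every session that used it after the separation time.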