Posted by: David Scott
acceptable use, content management, data breach, data theft, IT security, IT Wars, security policy, the business-technology weave
I’ve been doing a little work for a big State agency. By “big,” I mean big budget, large number of citizen-clients served, lots of personnel records, and – as in all big environments – lots of potential for harm absent strong controls. What sort of harm are we talking about? Data breach: With exposure of names, addresses, work histories, and even arrest records and information about children and spouses… occasionally, SSNs are parts of these data sets.
And in fact, the potential of harm turned into actuality: A large breach has happened – and has gone totally unreported in the news or to any of the agency’s oversight authorities. Stunning is the fact that for months a breach situation was ongoing, known, and no steps were taken to stop the ongoing loss of data: Sort of a slow-motion, high volume, leak of data. Wow.
For this reason, the agency and State shall remain anonymous. I’m confident that I can provide a reasonable guarantee of anonymity being that I’ve contracted at a number of facilities. However, even if the agency comes to light, exposure would be a good thing: It would likely accelerate critical fixes to systems, practices, and policies. I am at present wrestling with making my concerns known to a higher level of State Government; I must assess IT governance’s understanding of peril and their associated sincerity in securing the environment ASAP – and the speed and quality of changes in delivering security – vis-à-vis client risk for identity theft or just exposure of sensitive, perhaps embarrassing, information.
In the course of my work, I’ve stumbled upon some egregious security problems. These aren’t gnarly, difficult-to-see, expensive-to-fix liabilities. These are obvious problems involving: poor practice; lack of policy and documentation; and lack of training and awareness. Through my involvement many of these liabilities have been taken care of. Let’s review a few –
The agency has a large Resource Room at the front with about 30 PC workstations. These are provided for clients and jobsearch activities. That is, taxpayer-citizens who are generally unemployed or perhaps facing layoff. Many of these clients are blue collar folks with little or no PC experience – many do not have computers at home, or they may lack internet access, or lack appropriate software and skills in producing a resume and related documentation in applying and competing for jobs. There’s a rather nice proprietary application called ResumeMaker that does a good job in walking clients through documenting their education, job history, and the other necessary information in building a nice looking, comprehensive, resume. Not only are computers and broadband available, there is help in the form of staff who help craft resumes and cover letters, help with uploads of same to online job openings, and who even do the typing for some clients.
The first thing I noticed was that in creating a login profile for access to the computers, they were advised (onscreen) to use the last four of their Social Security Number and the last two digits of their Birth Year. Further, upon subsequent logins to the system, this six digit login ID was not masked – the numbers were exposed in the login field, until the client clicked “OK.” Of course, any client looking over another client’s shoulder, knowing full well the context and content of each ID, would be able to glean last four of SSN and last two of birth year. Wouldn’t you know? When I call Verizon, my mobile phone provider, the exact vetting info they ask for is last four of my SSN and year I was born. I’m sure other examples are out there. This login field is now masked, thanks to your humble blogger and his elevation of this breach potential. But this pales in comparison to the rest of what I’m going to tell you – most of which remains to be fixed. Over the next few posts I’m going to report exactly what I’m going to do in the face of a very poorly maintained environment. I’d also like to solicit Comments for things you’ve seen out there.
Upcoming in the next post: Data breach (client records); wireless insecurity; network outages with lost work/data; unregulated environment… leading to…? Stay tuned…