The Business-Technology Weave

May 16 2010   10:07AM GMT

Insecurity, Part II: A State Agency’s Data “Security” Posture

David Scott David Scott Profile: David Scott


Continuing with our exposure of services and associated liabilities from the other day: 

After a resume and any cover letters are crafted, they are e-mailed to the client’s personal e-mail account.  This is so they can maintain their own resume and letters and get access to them elsewhere:  Public library, home, etc.  This has led to a couple problems.  Frequently, clients have no e-mail account.  Many of the clients are blue collar workers who have no computer experience or skills; it’s been quite eye-opening.   In these cases, the Center creates a Yahoo  e-mail account for the client.

Many clients forget their e-mail passwords, and even their account ID.  So, the Center has these little business-sized cards, with the agency’s name proud and centered, and a line for e-mail ID, and a line for password.  Do any of these cards get lost?  You bet.  It’s rather confounding that, in 2010, modern system and data security measures have long held that you should NEVER write passwords down – and even login IDs should be protected, in my opinion.  Pairing the two on a card, with an e-mail account that contains a trove of personal information, and formalizing the process with the production of agency-approved cards (with agency name!), is bad practice on steroids.  And… we’re just getting started.

Nearly all clients return to the Resource Room on a regular basis:  To perform online job searches, to make application to jobs online, to tweak resumes, to write more cover letters.  Sometimes a returning client’s resume is unavailable – either through a lost e-mail account or the fact that a resume was never sent to an account – sometimes the client ends up with a folder of hardcopy resumes and somehow the electronic version didn’t make it to e-mail.  In these circumstances, which are all too frequent, there manifests a need to get the resume from a “resume bank” – this is a network drive that is unavailable for access in the Resource Room – even by the people staffing the room. 

Up until April, the drill was to go to another room (a classroom with an open door) containing a physically unsecured fileserver.  A resume for retrieval was put on a thumb drive – that thumb then taken into the Resource Center and plugged into the client’s workstation, and resume transferred to that PC’s Desktop.  Can you guess what had been happening?

An estimate by staff members is that over a hundred thumb drives have gone missing – “lost” – with all sorts of client data.  I myself observed various “transfer thumbs” with a dozen or more records each.  It is conceivable that over 1200 records have been breached.  One staff member said that “perhaps hundreds” of thumbs had been lost.

It was only upon my mention of this security problem that the practice was stopped.  The procedure now is to e-mail the resume from the “bank” to the client’s e-mail account, and then to access the client’s e-mail, and thus resume, out in the Resource Center.  Why a mapped drive to the resume bank, with simple authentication, isn’t available to staff in the Resource Center is a total mystery.

Incredibly, upon my initial entrée, there existed no User’s Manual.  Upon initial contact with the Center clients must:  1)  Create a system identity and login credentials;  2)  Create (or have) an e-mail account;  3)  Access ResumeMaker and build a resume;  4)  Convert the resume from the native ResumeMaker format to MS-Word;  5)  Access various online jobsites – the primary being the state-run jobsite; and  6) Logout properly – to include a complete Shutdown – to scrub any work from the PC workstation they were using.

The lack of documentation, a simple user’s manual, meant that even savvy people needed a hand-hold through the process.  I was able to produce a very robust manual in an afternoon’s time – and am happy to say that many people  use it.  This frequently frees staff so that they can help those who most need it.  Further, the last part of the manual, is perhaps the most important:  The Logout procedure…

The Logout remains an incredible breach situation at this Resource Center – it is an ongoing liability now.  Upon login, a small window on the PC (which gets minimized on the Taskbar) indicates who is logged on to that PC.  A gray bar in the window states “I am finished using this computer – sign me out.”  All clients click that when leaving – the screen goes to a login state.  HOWEVER – the desktop and other data storage areas of the PC are not yet scrubbed!  The PC must be completely shut down:  Only achievable in this environment by hitting a Microsoft “Flag” key on the keyboard, and then clicking “Turn Off” above the Start button, and a subsequent “Turn Off” option in a popup box.

This Shutdown procedure was completely undocumented.  Further, and particularly when the room is busy, clients aren’t told to completely shut down their session by insuring the computer was off – nor are they aware of the potential for their data’s breach.

Next:  Part III – No documentation, no policies, no security training/meetings, no wireless security.  A culture with an almost adversarial posture regarding best practices and best progressions; no maintenance of a responsible forward edge for a secured environment.  AND –  what we’re gonna do about it.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: