Tuesday, October 2, 2007

A Simple Incident Response to a Simple Oversight



Today may be the day you need to step up and respond to a breach involving someone else’s confidential information. Do the right thing and you will be OK. Assuming the breach is smaller than it really is can harm your company, the victims, and your livelihood.

A Little Background
I write for this and The Breach Blog because I am passionate about information security and protecting people when dealing with confidential information. The Breach Blog was born out of this passion just a few months ago, and I have already written 69 articles (with a backlog of four) about breaches and the lessons they teach us. I believe that people can really learn from other people’s mistakes. Anyway, on to the story...

The Incident
This morning I received a phone call from one of the IT administrators at a company that I provide information security consulting for. He was in a panic.

He regularly receives email updates from his human resources department outlining terminations, new hires and management changes. He gets these updates so that he can update the company’s Active Directory. Today, he received his spreadsheets as normal, but this time there was an additional column that he had not seen before. The column was titled “Assoc. ID”, and the spreadsheet contained information on about 50 company employees.

Can you guess what the “Assoc. ID” is?
If you guessed Social Security number, then you are correct! Oh boy.

On the surface, you may say this isn’t that big of a deal. We can just go to human resources and inform them that this is an unacceptable practice and be done with it. OK, but put yourself in the shoes of a person that was in the spreadsheet. Would you be OK if information security just went to human resources and told them to quit it? I am guessing that your answer may be the same as mine, NO!

If I was a victim, what kind of questions would I demand answers for? Let’s see:

  • I want to know where this information came from.
  • I want to know if this has been an acceptable practice by human resources in the past and if so, how long?
  • I want to know if there was anyone else that received this email.
  • I want to know that the email containing the spreadsheet was deleted. Not just from the “Inbox” either, but also “Sent Items” and “Deleted Items”.
  • I want to know if there were any copies stored locally on the sender’s computer.
  • I want to know if there are any copies on a network drive (i.e. is “My Documents” synchronized).
  • I want to know if this information may be in a backup anywhere that needs to be dealt with.
  • I want to know why this happened in the first place.
  • I want to know what human resources is going to do to make sure that this never happens again.
  • Are there any laws or regulations that apply, i.e. do I need to disclose this breach to any state attorneys general?
You get the picture yet? I want to know everything there is to know about this breach and I want to take every possible action to contain the damage caused by it.
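One preventive control that follows from the questions above (in particular, making sure this never happens again) is to check an HR spreadsheet for Social Security numbers before it leaves the department, by looking at the values rather than trusting the column header, since the offending column here was labelled “Assoc. ID”. The following is an added example written for this post, not code from the author or the company involved; the CSV sample is constructed, and the 50% match threshold is an assumed tuning knob.

```python
import csv
import io
import re
from collections import defaultdict

# SSN shape: AAA-GG-SSSS, with dashes, spaces, or no separators at all.
SSN_RE = re.compile(r"^(\d{3})[- ]?(\d{2})[- ]?(\d{4})$")


def looks_like_ssn(value: str) -> bool:
    """Return True if the cell has the shape of an issuable SSN.

    Applies the structural rules the Social Security Administration uses:
    area 000, 666 and 900-999 are never issued, and neither are
    group 00 or serial 0000.
    """
    m = SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    if group == 0 or serial == 0:
        return False
    return True


def find_ssn_columns(csv_text: str, threshold: float = 0.5):
    """Scan a CSV export and report every column in which at least
    `threshold` of the non-empty cells look like SSNs, whatever the
    header says.  Returns {column_name: (matching_cells, non_empty_cells)}.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = defaultdict(int)
    totals = defaultdict(int)
    for row in reader:
        for col, val in row.items():
            if val is None or not val.strip():
                continue  # blank cells are neither evidence for nor against
            totals[col] += 1
            if looks_like_ssn(val):
                hits[col] += 1
    return {
        col: (hits[col], totals[col])
        for col in totals
        if hits[col] / totals[col] >= threshold
    }


# Constructed sample resembling the HR update described in the post.
# All values are made up.  "Assoc. ID" is the innocuous-looking header from
# the story; "Emp No" is an ordinary numeric id that must not trip the check.
SAMPLE_CSV = """Name,Action,Emp No,Assoc. ID,Phone
J. Doe,New hire,10482,219-09-9999,555-0100
A. Smith,Termination,10377,345-12-6789,555-0101
R. Lee,Manager change,10511,123 45 6789,555-0102
M. Chan,New hire,10620,,555-0103
"""

if __name__ == "__main__":
    for col, (n, total) in find_ssn_columns(SAMPLE_CSV).items():
        print(f"column {col!r}: {n}/{total} non-empty cells look like SSNs")
```

Run against the sample, it flags only the “Assoc. ID” column (3 of 3 non-empty cells) and leaves the employee numbers and phone numbers alone. A check like this belongs at the point where HR produces the export, or in the mail gateway, so the IT administrator never has to make the call from the receiving end.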

Victims and shareholders should expect and demand no less!

As it turns out, this seemingly innocent mistake/training issue quickly escalated into a full-blown investigation that took away from other important tasks and cost the company money. It would have been easy to take the lazy approach and sweep this under the rug, but what service would I be providing to the victims, the company, or myself? Thank God this breach only affected 50 people and was relatively easy to contain and respond to. What would I have done if this breach affected 5000, 50000, or 500000 people? What if the human resources person sent the email outside of the company?

Tips I've Learned
An easy way to respond to an incident involving personally identifiable information is to put yourself in the shoes of a victim. This may sound obvious, but too many times I have witnessed information security “experts” going the other way. Answer the questions that you would have as a victim. Take money, lost consumer confidence, stock price, etc. out of the equation and do the right thing. If we all did the right thing we would have less regulation and more time to do other “right things”.

The CIO of this company asked me a question on my way out the door once the investigation was complete. He asked me what makes an information security professional so good at what he (or she) does? My answer: 95% of what makes a good information security professional is common sense. The other 5% is skill.

Unfortunately, it is very difficult to teach someone common sense.

1 comment:

Ash Kumar said...

Hear! Hear!

This is the first time I have read your blog, I am now committed to reading everything you write.

You have hit it on the head by putting yourself in the victim’s shoes and defining his expectations. Too often judgment is clouded by factors other than what is essential to the victim.