Tag Archives: Clinton

8 Ways to Avoid Being “Extremely Careless” with Data


On July 5th, 2016, FBI Director James Comey announced that the FBI would not recommend criminal charges against the Democratic Party's presidential nominee, Hillary Clinton. The announcement closed an investigation into the fact that, while serving as Secretary of State, Clinton relied exclusively on a personal email account hosted on her own private server rather than an official, protected state.gov address, and accessed that account from several devices. Amongst emails about yoga appointments and family outings, Clinton exchanged highly classified information, including Benghazi communications, which led the FBI to examine whether the account had been compromised by foreign governments or hackers. After months of exhaustive investigation and countless hours of media coverage, the FBI did not uncover sufficient evidence to recommend criminal charges, but concluded that “[Clinton and her staff] were extremely careless in their handling of very sensitive, highly classified information.”

Clinton probably did not set out to be careless with her data, and the same is true of most people who are. There are a few simple ways that organizations in heavily regulated and frequently litigated industries can avoid being extremely careless. This matters most during ediscovery, the point in litigation at which private information is most likely to become public.

1. The personal and the professional are inseparable. Nowadays, people answer work email on personal devices and vice versa. They send company files to home computers so they can work nights and weekends, and send personal documents to the office to print or fax. This is a major headache for data security, as the Clinton email scandal showed: data that was relatively secure on company premises leaves the office on portable devices and home networks, where it is exposed to both physical and virtual theft. Companies with BYOD or work-from-home policies should establish and enforce strict, specific security guidelines: full-disk encryption and a remote-wipe capability on any device that holds company data, company email only through managed clients, and no joining of unknown networks. Employees working from home or on portable devices should also log out of email accounts when they are finished.

2. Keep passwords fresh, but not on a treadmill. Contrary to popular belief, forcing a change every 60 or 90 days does not by itself improve security: users respond with predictable variations of a weak password, and an attacker who already holds a credential rarely needs 90 days to use it. Change a password immediately when there is any sign it has been exposed; otherwise every 4 to 6 months is a reasonable cadence. Experts recommend a password manager such as LastPass, Dashlane, or KeePass to generate long, unique passwords and keep track of them, and multi-factor authentication on email in particular, so that a stolen password alone is not enough.

3. Beware of the cloud. Add security layers wherever sensitive data lives, particularly when it is shared through cloud services. Applying access controls to network file directories is simple enough, but with the massive surge in cloud usage, data leaks become harder to control. According to expert Joe Moriarty, businesses can better protect cloud-based data “by adding content controls, protection, tracking and deep analytics to files.” Content controls a company can implement include watermarking files and videos; limiting employees' ability to forward or print files; and, most importantly, preventing unauthorized viewing, saving, and sharing of data. Whichever controls are chosen, the first step is an inventory of which cloud services actually hold company data, sanctioned or not; you cannot protect a file in a service you do not know about.

4. Continuing education by HR. Training employees on security best practices is crucial to preventing a breach. Consider appointing a compliance officer who is involved in business decisions. Such a position bridges the gap between tech-savvy IT staff and those who cannot answer, “How does this affect our PCI, PII, or HIPAA compliance?”

5. Remember printers? According to expert Michael Howard, the biggest mistake companies make when securing sensitive data is failing to secure their printing fleet; he says a staggering 90% of enterprise businesses have experienced a breach due to unsecured printing. To reduce this risk, Howard recommends installing security software that limits printing and protects the company's paper trail. Modern printers are networked computers with their own storage, default credentials, and firmware, so they also belong in patch management, network segmentation, and the asset inventory, and jobs stored on a device should be wiped before it is returned or decommissioned.

While establishing day-to-day security practices is important, safeguarding data during ediscovery is a whole new ballgame. During ediscovery, data changes hands many times, both internally and externally: it is gathered from multiple network drives, sources, and custodians, handed to one or more outside parties, and some of it may end up in the public record. Penalties for breaches during ediscovery can include mistrials, fines, sanctions, and even lawsuits, so the stakes are extremely high.

6. Know your data. Before litigation begins, every organization needs to know where its data resides, which laws govern it, and how it may be collected, processed, retained, and transferred. This is especially important in cross-border litigation, given recent changes in EU data protection law such as the adoption of the GDPR, which restricts transfers of EU residents' personal data outside the EU.

7. Limit scope as much as possible. Evaluate the scope of the data being requested in discovery. Can the request reasonably be narrowed, by custodian, date range, or subject, so that personal-data issues are reduced or eliminated altogether? Every document that is never collected is one that cannot be leaked.

8. When in doubt, redact. Redaction is the most reliable way to protect sensitive data that must otherwise be produced, provided it actually removes the underlying text and metadata rather than drawing an opaque box over it; a box laid over a PDF's text layer can be lifted with a copy and paste. With the growing volume of ESI and increasing regulation around things like PII, you cannot risk letting sensitive data slip through the cracks during ediscovery and into the hands of opposing counsel. Unfortunately, manual redaction is quickly becoming unsustainable in both cost and reliability. With the right redaction software, companies can have sensitive data redacted automatically, saving time and cost and reducing the risk of human error during review, though the output should still be spot-checked: a pattern that misses one variant of a Social Security number misses it in every document.
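A minimal version of the automatic, pattern-based redaction described above, added here as an illustration and not taken from any redaction product: it removes matches for a few PII categories from extracted text, uses a Luhn check so that a 16-digit claim number is not mistaken for a card number, and keeps a log of what was replaced so the pass can be audited. The categories, regexes and the sample document are assumptions.

```python
"""Pattern-based PII redaction over extracted ESI text.

Added example for this post, not a vendor's product: the categories,
regexes and the sample document below are assumptions for demonstration.
"""
import re
from dataclasses import dataclass, field

# Categories run in this order. The more specific patterns (SSN, card)
# go before the generic phone pattern so a digit run is claimed once.
PII_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CARD": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "PHONE": re.compile(
        r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"
    ),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a 16-digit claim or docket number is not
    mistaken for a payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class RedactionResult:
    text: str
    # (category, original value) for every replacement, so the review
    # team can audit the pass and see that a value was treated the same
    # everywhere it occurred.
    log: list = field(default_factory=list)


def redact(text: str, patterns=PII_PATTERNS) -> RedactionResult:
    """Replace every PII match with a category tag. The original
    characters are removed from the text, not covered, which is the
    property a real redaction tool must have."""
    log: list = []

    def replacement(category):
        def _sub(match):
            value = match.group()
            if category == "CARD" and not luhn_ok(re.sub(r"\D", "", value)):
                return value  # 16 digits that are not a card number: keep
            log.append((category, value))
            return f"[REDACTED {category}]"
        return _sub

    for category, rx in patterns.items():
        text = rx.sub(replacement(category), text)
    return RedactionResult(text, log)


def redact_batch(documents: dict) -> dict:
    """Redact a set of documents keyed by control number, so one pass
    treats a whole production set consistently."""
    return {doc_id: redact(body) for doc_id, body in documents.items()}


# Constructed sample document (fictitious data; the card is the classic
# 4111... test number, the claim file number deliberately fails Luhn).
SAMPLE = """From: jane.doe@example.com
Re: claim file 1234 5678 9012 3456
Claimant SSN 123-45-6789, callback (555) 867-5309.
Card on file: 4111 1111 1111 1111
"""

if __name__ == "__main__":
    result = redact(SAMPLE)
    print(result.text)
    for category, value in result.log:
        print(f"redacted {category}: {value}")
```

Run it on the text extraction, not the rendered PDF; a production workflow also has to redact the image layer and the document metadata, and the log is what a reviewer spot-checks against the original. Applying the same function to every document in the set is what gives a value that appears in many places consistent treatment.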

While the data we deal with day to day may not be labeled “Highly Classified” like Clinton's, it is still very important to have proper procedures in place for handling and protecting it. With ESI volumes growing at an alarming rate, we need to look to technology for help with data security, particularly during ediscovery, so that we aren't caught being extremely careless.

Thoughts on Emailgate.


Note: not a political post, just adding some Infosec commentary to what we were told yesterday.

Last night, I sat back and watched FBI Director James Comey's press conference on the Hillary Clinton email saga through my technical and investigative eyes.

I think it was the first mainstream press conference I'd seen with so much mention of slack space, a digital forensics term for the unused tail of the last disk cluster allocated to a file, which can still hold fragments of whatever was written there before, including deleted files. It was like when you see someone you knew from growing up on the local news and think, “oh, I used to sit next to that person in math class!”

The overview of how the FBI had reconstructed years' worth of “shadow IT” usage by the former Secretary of State and her staff described a classic unwinding-the-spaghetti exercise, where the path that led to an end state is crisscrossed by avenues that may or may not be relevant but must nevertheless be investigated.

James Comey then went on to list the findings of the investigation, and painted a picture that, unfortunately, I have personally seen painted over and over again through my work in information security and digital forensics.

A culture existed at the State Department that allowed Mrs. Clinton and her staff to operate outside the boundaries of the policies, procedures and regulations that were in place to protect information and people. In this case, of course, that is all the more concerning, because we're talking about highly sensitive national security information that is protected by law.

In Comey's words, Clinton and her staff were “extremely careless” in their information handling. He was right; they were, and there can be no denying that. As he went into detail on some of Mrs. Clinton's email practices, I was reminded of a few similar cases I'd personally worked on.

  • While conducting a security review of a semiconductor company's perimeter IP address range, I found evidence that FTP sites were being hosted on an unofficial server within the range. As it turned out, one of the network administrators had punched a hole through the firewall to a server hidden in the data center and attached to the internal network, and he made money hosting data for others with zero overhead costs. I was shocked to discover that this was a known activity when it was raised in the report, although, when I explained the risk in more detail, the sites did go away, and the network administrator was reprimanded and eventually lost his job.
  • I once stumbled across an undocumented SSH entry point to a hosting environment, set up by a team to bypass a corporate two-factor requirement. It had been “approved” by a couple of layers of management.
  • I conducted an audit of an on-premises corporate Exchange deployment and found that a senior member of an organization was forwarding every single email received to a personal Gmail account, because they preferred the Gmail UI. The idea had been suggested by another person within the company.
  • Anecdotally, I have a thousand stories of siloed groups within organizations using “cloud services” and tools dangerously “under the radar”.
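The Exchange forwarding case above is the easiest of these to hunt for programmatically. The following is an added example, not the author's audit script: it runs a check over records constructed to look like what Exchange's Get-Mailbox (ForwardingSmtpAddress, DeliverToMailboxAndForward) and Get-InboxRule (ForwardTo, RedirectTo, ForwardAsAttachmentTo, Enabled, and a few condition fields) export, and flags any forwarding target outside an assumed set of internal domains. The domain list, the mailbox names and every address are assumptions.

```python
"""Find mailboxes and inbox rules that auto-forward mail outside the org.

Added example, not the author's audit script. The records below are
constructed to mimic the properties exported by Exchange's Get-Mailbox
(ForwardingSmtpAddress, DeliverToMailboxAndForward) and Get-InboxRule
(ForwardTo, RedirectTo, ForwardAsAttachmentTo, Enabled, plus condition
fields); the internal domains and every address are assumptions.
"""
import re

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}  # assumed

# Exchange renders recipients as 'smtp:addr' or '"Name" [SMTP:addr]';
# pulling the bare address out handles both forms.
ADDR_RX = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Rule fields that narrow what a rule applies to. A forwarding rule with
# none of them set forwards everything, which is the case in the post.
CONDITION_FIELDS = ("From", "SentTo", "SubjectContainsWords", "BodyContainsWords")


def external_addresses(values) -> list:
    """Addresses in the given recipient strings whose domain is not ours."""
    found = []
    for value in values or []:
        for addr in ADDR_RX.findall(str(value)):
            if addr.lower().split("@", 1)[1] not in INTERNAL_DOMAINS:
                found.append(addr.lower())
    return found


def audit_mailboxes(mailboxes) -> list:
    """Mailbox-level forwarding, normally set by an admin."""
    findings = []
    for mb in mailboxes:
        targets = external_addresses([mb.get("ForwardingSmtpAddress")])
        if targets:
            findings.append({
                "mailbox": mb["Identity"],
                "source": "mailbox",
                "targets": targets,
                # False means mail is redirected and never lands in the
                # mailbox at all, so the owner may not even notice.
                "keeps_copy": bool(mb.get("DeliverToMailboxAndForward")),
            })
    return findings


def audit_inbox_rules(rules) -> list:
    """User-created inbox rules, the usual shadow-IT forwarding route."""
    findings = []
    for rule in rules:
        targets = external_addresses(
            list(rule.get("ForwardTo") or [])
            + list(rule.get("RedirectTo") or [])
            + list(rule.get("ForwardAsAttachmentTo") or [])
        )
        if not targets:
            continue
        findings.append({
            "mailbox": rule["MailboxOwnerId"],
            "source": f"rule:{rule['Name']}",
            "targets": targets,
            # Disabled rules are still reported: the user can re-enable them.
            "enabled": bool(rule.get("Enabled")),
            "forwards_all": not any(rule.get(f) for f in CONDITION_FIELDS),
        })
    return findings


# Constructed records (fictitious names and addresses).
MAILBOXES = [
    {"Identity": "ceo", "ForwardingSmtpAddress": "smtp:ceo.private@gmail.com",
     "DeliverToMailboxAndForward": True},
    {"Identity": "alice", "ForwardingSmtpAddress": None,
     "DeliverToMailboxAndForward": False},
    {"Identity": "bob", "ForwardingSmtpAddress": "smtp:bob.backup@corp.example.com",
     "DeliverToMailboxAndForward": True},
]

INBOX_RULES = [
    {"MailboxOwnerId": "cfo", "Name": "all to phone", "Enabled": True,
     "ForwardTo": ['"CFO Mobile" [SMTP:cfo.mobile@outlook.com]'],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "SubjectContainsWords": []},
    {"MailboxOwnerId": "alice", "Name": "invoices to AP", "Enabled": True,
     "ForwardTo": ['"Accounts Payable" [SMTP:ap@example.com]'],
     "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "SubjectContainsWords": ["invoice"]},
    {"MailboxOwnerId": "dave", "Name": "old", "Enabled": False,
     "ForwardTo": [], "RedirectTo": ["dave@protonmail.com"],
     "ForwardAsAttachmentTo": [], "SubjectContainsWords": ["urgent"]},
]

if __name__ == "__main__":
    for finding in audit_mailboxes(MAILBOXES) + audit_inbox_rules(INBOX_RULES):
        print(finding)
```

The point of the two separate passes is that an admin-set forward and a user-created rule are stored in different places and found by different cmdlets, and a review that only looks at one of them misses half the picture. Transport rules that block or alert on external auto-forwarding are the preventive control; this script is the detective one, and it is worth scheduling rather than running once.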

In all of the cases above, a culture existed in which, for whatever reason, people were empowered to do extremely careless things that put the safety of information at risk, much like at the State Department with regard to email.

The problem is, the end result doesn't care whether it is born of malice, extreme carelessness or ignorance; it will be the same either way. And if the end result is a breach, well, we've all seen that one play out many times.

In the end, the FBI will not be recommending charges against Mrs. Clinton or her staff. I'm not going into any more detail on whether I think that is right or wrong. To use one of the most horrific of terms, “it is what it is, and we can't change that.”

Given this fact, I hope if anything positive comes out of this case, it’s the following:

  • That security cultures everywhere, and especially in government agencies charged with keeping us all safe, that empower this type of behavior get an overhaul.
  • It encourages more productive and positive conversations between IT teams, Security teams and end users about things that they find restrictive or cumbersome in their working lives, so a mutually acceptable solution can be found.
  • It reinforces that no one within an organization should be above the rules when it comes to information security. Leaders should set an example.
  • That security teams are reminded that not all threats come in the form of IDS alerts from Chinese IP addresses. Some of your biggest risks might be right under your nose, in the form of shadow IT lurking in broad daylight. Get visibility, now.


The US government is touting cyber as the next theatre of warfare. If the US wants to be seen as a leader in cybersecurity, a top-down order to discover and address the doubtless many other Emailgates occurring right now must surely be forthcoming.