Welcome

Skeeter Spray is a blog for the common Information Security Professional. Why Skeeter Spray? See Post #1

Friday, April 15, 2011

Another Star for Texas

Another week, another breach… and I didn’t have to spend a week on vacation to read about this one. Off we go to the Lone Star State, where yes, everything is bigger in Texas… 3.5 million. That is a lot of records to be involved in a single data breach. If one were to use a cost of $200 per record, well… you can do the math, and it is a BIG number. However, at this time the State of Texas hasn’t offered any free credit monitoring services, but they have set up an informational website: http://www.txsafeguard.org/. The story goes that the personal information was on a public facing website. The information was names, addresses, Social Security numbers, driver license numbers, etc… the kind of information that shouldn’t be on a public website.

In most organizations the people that have access to that kind of information work for Human Resources (HR), and I will assume that is the case with the State of Texas also. So one of two things happened: (1) HR personnel have privileges to post information on a public website, or (2) IT personnel, say maybe the web support team, had access to HR data and downloaded it and posted it on the website. For now, let us assume #1, although both scenarios lead to the same root cause.

Why does the HR person have access to post information to a website? I could understand an internal human resources SharePoint site, but not a public facing website. I would have to consider this inappropriate access, and it should have been identified during a periodic review of accesses or during an audit. If neither of these reviews is performed on a recurring basis, then the State of Texas probably has a lot bigger problems waiting to be identified. It is also reported that a number of people have been fired over the incident. If the departments involved haven’t been audited, then the wrong people have been fired. If they have been audited recently, then the State of Texas needs to find different auditors.

This is just another example of the importance of implementing an access review process, monitoring privileged accesses, and having a 3rd party come in once in a while to verify that everything is being done the way it should be.
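As an added illustration of the access review the post calls for (example code of my own, not anything from the State of Texas or the original post), this Python script runs three checks over a constructed entitlement export: an entitlement held by someone in a department the policy does not allow, a privileged entitlement that has not been re-certified within the review period, and one person holding both HR data access and public web publishing rights. The department names, entitlement names and the 90-day period are assumptions.

```python
"""Added example: a small periodic access review over an entitlement export."""
from datetime import date, timedelta

# Constructed sample export: one row per (user, department, entitlement, last review).
ENTITLEMENTS = [
    {"user": "hr_clerk1", "dept": "Human Resources", "entitlement": "hr_db.read",         "reviewed": date(2011, 3, 1)},
    {"user": "hr_clerk1", "dept": "Human Resources", "entitlement": "public_web.publish", "reviewed": date(2010, 6, 1)},
    {"user": "webadmin",  "dept": "IT Web Support",  "entitlement": "public_web.publish", "reviewed": date(2011, 2, 15)},
    {"user": "webadmin",  "dept": "IT Web Support",  "entitlement": "hr_db.read",         "reviewed": date(2010, 1, 10)},
    {"user": "payroll2",  "dept": "Human Resources", "entitlement": "hr_db.read",         "reviewed": date(2011, 4, 1)},
]

# Hypothetical policy: which departments may hold each privileged entitlement.
ALLOWED_DEPTS = {
    "public_web.publish": {"IT Web Support"},
    "hr_db.read": {"Human Resources"},
}
# Hypothetical toxic combination: HR data access plus the right to publish to the public site.
TOXIC_PAIRS = [("hr_db.read", "public_web.publish")]
# Hypothetical re-certification period for privileged entitlements.
REVIEW_PERIOD = timedelta(days=90)


def review_access(records, today):
    """Return sorted (finding_type, user, detail) tuples for the three checks."""
    findings = []
    held_by_user = {}
    for r in records:
        held_by_user.setdefault(r["user"], set()).add(r["entitlement"])
        allowed = ALLOWED_DEPTS.get(r["entitlement"])
        if allowed is None:
            continue  # not a privileged entitlement; nothing to check
        if r["dept"] not in allowed:
            findings.append(("inappropriate_access", r["user"], r["entitlement"]))
        if today - r["reviewed"] > REVIEW_PERIOD:
            findings.append(("stale_review", r["user"], r["entitlement"]))
    for user, held in held_by_user.items():
        for a, b in TOXIC_PAIRS:
            if a in held and b in held:
                findings.append(("toxic_combination", user, f"{a}+{b}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(ENTITLEMENTS, date(2011, 4, 15)):
        print(*finding)
```

Each finding is something an access review or an audit should have surfaced before the data ever reached the public site; the toxic-combination check catches the post's scenario #2 as well as #1.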

~Skeeter

Monday, April 11, 2011

Data Breaches---Where are you?

I spent a few days in New York City on a vacation (and with only going online three times in five days) and started reviewing some of my favorite blogs and websites to see what happened in the information security world during my hiatus. Lo and behold, we have had a couple more data breaches disclosed. The biggest is the disclosure by Epsilon, who is used by a large number of companies for marketing (Epsilon data breach). While it would appear only email addresses were involved in the data breach, it does lead to some questions.

What kind of service level agreement (SLA) did the companies involved have with Epsilon? How does your company evaluate the security controls of 3rd party vendors (hopefully, prior to signing the contract)? Recently I have been reviewing the security controls and data privacy policies for several 3rd party vendors that my company is looking at contracting for specific services. While security controls might be in place and evaluated by a 3rd party, some of the privacy policies leave something to be desired.

One of the privacy policies said only that the vendor would share the personal data (name, email, company, etc.) with their affiliated companies. What the heck does that mean? Is that only companies involved with the specific product we are looking at, or does that mean any affiliated company on any project, product, or service they might contract for? That could lead to dozens and dozens of companies that could potentially have access to data of my company’s employees. What kind of privacy policy do all these other companies have? What happens when one of these 3rd or 4th “generation” companies has a data breach? My company will never get notified that the email addresses of our employees have been potentially involved in a data breach.

The moral of the story: when you are reviewing the security controls of potential vendors, make sure you know the privacy policy of those vendors, and ensure that the notification process is documented in the contract, including timeframes, who makes notifications, and to whom those notifications are made.

~Skeeter