08 July 2009

You don’t need to (and shouldn’t) protect everything the same way

I was recently in a situation where I had to explain why our information security group had made strict requirements for one project team and much lesser requirements for another project team.  Cries of “It's unfair”, “You’re just picking on us” and “You're singling us out” were heard in the aisles when the teams read the requirements.

Requirements are simply based on the type of information that is being handled, or as it is known in the security industry, its “Data Classification”.  Here are some examples of possible data classifications that a company may have:

  • Some information can be considered “Public”.  For example: the annual statement of a company, directions to their Home Office, advertising, statements on websites and even this Blog post.  This information is targeted at people regardless of the company they work for and can’t really get lost or stolen because you freely give it away.  You don't really even need to try to protect this information.

  • Other information can be considered “Internal Use Only”.  For example, the employee phone number directory and management reporting hierarchy, your vendor list and their contact numbers, the specific processes that you use for responding to and resolving incidents, etc…  You don’t want this information all over the place because it could weaken internal controls or could be used by a salesperson or competitor for a slight advantage.  If it is lost, it is more of an inconvenience or embarrassment than a serious regulatory or legal issue.  You should place some simple controls around this information.

  • Some information is specifically identified in regulations and laws.  This information is called “Customer Privacy Information” or CPI and contains things like SSN, Driver's License Number, Account number and PIN, etc…  This information, if lost or stolen, will result in a company releasing a Privacy Breach notification and executing all the steps required by the State where the customers reside.  This information requires strict protection, monitoring and response.

  • Finally, some information can be considered “Confidential”.  This type of information includes things like employee salaries, merger and acquisition plans, company intellectual property, etc…  If this information was lost or stolen, your company would realize a severe impact.  This information also requires strict protections and monitoring.

Just this brief list of four possible data classifications makes it easy to see that a project implementing a system that automates the tracking of internal work requests, classified as “Internal Use Only”, will have significantly different requirements than a project that has been proposed to expose employee benefits information, classified as “Customer Privacy Information”, over the Internet.

What controls are appropriate for each data classification?  Who should perform the classification?  What is the classification for aggregate information?  These are topics for future posts.  But remember that you don't need to protect all information the same way.

30 June 2009

Not a “Thriller”

Hours after the death of Michael Jackson, the first wave of spam began hitting in-boxes.  Currently the email, with a subject line “Confidential – Michael Jackson”, is not pitching a product or directing you to a malicious website, but it is trying to get people to reply in order to capture live email addresses.

Graham Cluley, a Sophos senior technology consultant, said “Undoubtedly we'll see more with Jackson. Actually, spammers and hackers have done Jackson before. Several years ago they pitched a breaking news story, claiming that he had attempted suicide.”

Right now, there are only guesses as to how hackers may use the pop singer’s death as a means to deploy bots.  One likely lure is “top-secret” hospital footage that requires you to download software in order to view it.

You should also use caution with results from searches run with the singer’s name.  There has already been search engine manipulation relating to Farrah Fawcett, who also just recently passed.  Criminals create web pages stuffed with keywords and news stories in order to get them to the top of search results.  If you go to one of those sites, they drop malware on your box.

The best things that you can do are be cautious and keep your virus definitions and OS patches up to date.  Don’t just install any software.

You can read the full article @ http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9134895&taxonomyId=17&intsrc=kc_top

23 June 2009

Social Networks: The Good, The Bad and The Ugly

Where were you on June 9, 2009 at 10:22am?  At that moment in history, the 1,000,000th word was adopted into the English language.  What was that word?  Web 2.0.  Now you are probably asking yourself, I’ve heard of Web 2.0 well before June…why are we only adopting it now?  Well, the Global Language Monitor has certain criteria by which they judge; but that is well beyond the scope of our discussion here.

So what is Web 2.0?  It has nothing to do with the technology or domain naming.  Mostly it is about dynamic content and the way users interact with the Internet.  Remember how your parents read the newspaper every evening or watched a newscast on television?  The information flow was one way.  Web 2.0 is about sharing information, opinions and experiences.  You live with Web 2.0 every day and you probably don’t even know it.  Have you read a review on Amazon?  Have you commented on a news article?  Those are just a couple of examples of user-provided content.  Websites such as Facebook, Twitter, MySpace and YouTube are the big names in social networking, or Web 2.0, but there are countless others.  You may think that because you don’t have a Facebook account or don’t visit social networking sites that you, your family or your business are immune to anything harmful; you had better think again.

The Good

Rather than jump right into the bad or ugly, let’s first discuss how social networks can be good.  Social networking or social media IS the future of communication.  Rather than wait for the newspaper to be delivered, you get news as it happens from the people who are experiencing or involved in the situation.  Remember the US Airways flight that landed in the Hudson River?  Well before the media had a chance to deploy reporters to the scene, passengers on the flight were posting pictures and updates through their Twitter accounts.  Companies are using social networks as a tool to market their brand.  Have you heard of Blendtec?  How about “Will it Blend?”  Blendtec CEO Tom Dickson became an instant celebrity when he began posting videos on YouTube of his blender destroying things like iPhones and Guitar Hero guitars.  It also helped them sell a lot of blenders.  Even Westfield Insurance uses LinkedIn and Facebook to find talent, as well as to communicate promotions and events.  Blogs such as this one and the Westfield Loss Control Blog are another way that companies can reach out to current and potential customers.  Internally, employees can network between departments, giving them a feeling of being more than just another “employee.”

The Bad

Those were just a few examples of how social networks can be beneficial to a company.  What are some of the drawbacks?  First, it is difficult to balance a work culture that embraces social networking while ensuring that it does not impact productivity.  It is increasingly difficult to monitor or limit these activities as social networks extend beyond the desktop and onto cell phones.  Additionally, companies may have a difficult time restricting or limiting the content that employees post.  A disgruntled employee may post negative information about their employer for all to see.  Companies may have human resource policies when it comes to employees posting information about their employer, but how does a company draw a hard line in the sand between moral, religious and political biases and freedom of speech?  Social networks are making it difficult for companies to separate an employee’s business relationship from their personal life.  On the other hand, employees are learning that inappropriate use of social networking may allow a company to terminate their employment.

The Ugly

So your company is on the cutting edge of technology and you have an HR policy that addresses social networks; is that enough?  Not quite.  Aside from the fact that viruses, Trojans and other malware have found a new distribution vector, there are many other security concerns.  Data loss is among the top of them, as employees may maliciously or accidentally distribute sensitive company information.  Depending on the leaked information, your company may be faced with regulatory fines and requirements such as privacy breach notification.  Even if the information isn’t overtly sensitive, details may trickle out that give a hacker or your competitors an inside advantage.  Take for example your network administrator who blogs and/or posts questions about Cisco routers and firewalls.  A hacker may use that inside knowledge to target the vulnerabilities specific to Cisco products.  I am sure there are additional threats that remain to be discovered.

Conclusion

Whether your company has adopted or is blocking social networks, it is probably time for a revisit.  While the inherent risks and productivity impact of social sites such as Twitter, Facebook, etc. are good reason not to allow them in the work environment, you may find that people are instead spending more time on their cell phones texting or on other social activities.  It is difficult to justify a zero-tolerance policy for social sites while allowing shopping or other entertainment sites on company time.  Blocking all non-work-essential sites has proven time and time again to reduce employee morale, which in turn has a greater impact in reducing productivity.  If you feel your company is behind in addressing this issue, don’t feel alone.  Many companies are struggling to weigh the risk versus the reward.  We would love to hear how your company handles social networks.  Please make a comment or contact us at infosec@westfieldgrp.com.

15 June 2009

Securing the future

Today was a day for milestones... I've reached 10 years with Westfield and my 8 month old started saying da da.

Ten years ago, information security meant keeping up with anti-virus and making sure you sent your e-mail to the right person.  People were concerned about locking their doors and making sure their checkbooks were still in their possession.  Schemes weren’t as complex as they are today.

Today information security is almost as complex as the brain teasers you can pick up at the local toy store.  You still need to keep your doors locked, but now you also need to wipe off the circle the GPS device leaves on your windshield so your car doesn't get broken into.  You need to shred every document which could remotely leak your identity.  If that's not enough, you need to keep your computer as secure as Fort Knox, with anti-virus software, personal firewalls, anti-spyware, anti-spam, and quite a few more anti-products that are widely available.  If people are willing to dig through trash cans and spend countless hours creating viruses, what could tomorrow hold in store?

What is information security going to be like in 10 years?  Will your home computer be joined by many other devices requiring all of the anti-products above?  Will your car need them, so a hacker doesn't program it to follow their car back to a chop shop?  Will you have to use your fingerprint to access any computer information, including your email?  Will your cell phone be capable of communicating with a maintenance robot doing your laundry as it senses an intruder breaking into your home?

The message here is that we don’t know what is coming next, but it doesn’t mean that we can let our guard down.  The best we can do is to educate ourselves and others to help protect the future and prepare for the unexpected.

I'm interested in hearing others' thoughts on this topic.  Please drop a comment, and help us keep the future secure.