Vulnerable Disclosures: TIP OF THE WEEK: How misdirected email can harm your business (and bottom line)

Wednesday, September 17, 2014

TIP OF THE WEEK: How misdirected email can harm your business (and bottom line)

Too often when conducting security assessments we make some rather telling discoveries. Many times businesses are not even aware that they have problems and by then it may be too late. As part of our annual security training we are taught to use the resources at our disposal to maintain efficiency. We have come to rely on technology to speed up the processing of medical claims, to place orders online and to maintain required records for business use. Corporations create policies to try and give guidance to employees and contractors in safe data handling as well as enforcing strong passwords, policies on data storage and handling as well as regulatory assistance in regards to Sarbanes Oxley, HIPAA and Classified data handling. All of these measures are in place to limit the liability of the company and ensure that information does not end up in the wrong hands.

In this article we will focus on email and the typical use in business. I will cover some of the issues with email systems in use today and we will go over some of the ways in which you may be able to protect your company from costly mistakes.

In this article I will focus in on 5 key areas:
1. Verification of Identity
2. Encryption
3. Storage for Auditing Purposes
4. Misdirected Email
5. Detection of the Insider Threat

Verification of Identity
It goes without saying that you should go without saying that when you leave your workstation you should ensure that you lock it with a password. Often times when performing security audits we note upwards of over half of the employees in the organization fail to perform this simple step to ensure that nobody can look at your email or see what documents and other sensitive information that you may have open that they may not have a requirement to see or read. What is to stop someone from sending an email on your behalf? What is to stop them from deleting the message from your sent folder and deleting your trash? If this were to occur at your organization could you recover the sent message if there were a legal issue or requirement to do so?

We seriously doubt it as we have only seen a handful of companies in the 20 years we have been doing security auditing that actually could reproduce the sent email message after it was deleted from the senders mailbox. You remember the IRS scandal that has been all over the news. Lois Lerner claimed that she had a hard drive crash and that the IRS could not recover her email messages. This brought about many hours of Senate inquiries, investigations and it's still in the news today. The problem here is two fold.
Due to sunshine laws and other Federal regulations public officials must maintain records of their email for a period usually of 2 years at minimum. The IRS claimed that the backups were unavailable at first and then claimed that they did not exist even though there are rules and laws that require this information to be archived. We will use this example in this section to talk about some of the reasons having access to old email is critical for businesses.

What were to happen if an employee were to accidentally delete a contract received through email. The person that executed the contract has a copy of the contract but your only copy was deleted accidentally. Then as part of the services being provided said second party cannot produce the contract that was executed. An unethical company may alter their copy of the contract to include terms different than the original but if you cannot produce the contract it may be hard to prove that the terms of the contract have been modified so you are putting your companies assets and resources at risk because an employee made a simple error.

What would happen if a threatening email was sent out of your organization to a third party and the action was reported to law enforcement. Do you have a definitive way to ensure that the sender was the actual person that sent the message? If the message was a spoofed email do you have proof that the employee was not the source of the message? Do you have a written policy that is signed stating that the employee will be responsible for the use of your email infrastructure solely? Do you have a disclaimer on your email messages stating that the organization may not hold the same views as the sender? Just a few things to think about.
Partial Solution: Smart card email authentication is a very good way to verify the sender is who they claim to be. Two factor authentication will prevent the unauthorized sending and unauthorized reception of email not intended for the intended individual.

Encryption:
Encryption is a good tool for maintaining organizational security. The use of encryption can prevent unauthorized access to information in the event that a laptop is stolen or a communication is intercepted. It can also be used to verify the identity of the sender and receiver. When using encryption however the organization MUST maintain the master key to be able to decrypt any communications in the event of a court order or legal requirement. Encryption of email allows you to ensure that messages are not being intercepted in transit and also ensure that only persons with the appropriate keys can decrypt the message. Encryption is not 100% effective every because there may be remnants of decrypted messages on a laptop, computer or smart phone depending on the product being used. Encryption should be viewed as a safeguard and not a final line of defense. Given enough time and hardware encryption can be defeated rather easily with the advent of powerful GPU cards that are not all that expensive today.

Storage for Auditing Purposes:
It should be said first off that in business things happen. Too often businesses are in a reactive mode when it comes to liabilities and security and they only become proactive when it could cost them reputation points or financially. One common recommendation that we make to many of our customers is to ensure that you have email archival in place and verify frequently that messages can be recovered from the archives.

There are commercial solutions and inexpensive open source programs designed to intercept and store email in archives for long term accountability. If you can't confirm or deny that an email originated from your company you may be in trouble if a problem arises.

What are some of the downsides to the archival of email?

Misdirected Email:
In the event that an address is transposed you must ensure that you notify the recipient and request that the message be deleted. Keep in mind that you have lost control of the information in the email and it could now be shared out by the untrusted third party. While there is nothing to prevent that if you keep your email you have proof that you have notified the recipient and requested that the information be deleted. If that information shows up down the road as a compromise or helps a hacker to compromise a system you have done all that you can do. You have to evaluate the value of the message and take the appropriate actions to minimize the risk to your organization after you discover that a message went to the wrong party.

In some instances you may not even realize that it went to the wrong address so that is why disclaimers on ALL email messages are really helpful in showing due diligence on the part of the sending organization. Mistakes happen and email gets misdirected due to typo's, email accounts not being present on the receiving system (in which case the postmaster of the receiving organization receives the message in most cases), DNS errors or many other situations which may be out of your control.

There may be reporting requirements if there is financial, confidential or if you are a HIPAA covered entity. Check with your compliance department to ensure what steps must be taken immediately to ensure that you are in compliance with State and Federal regulations even if you think you know what steps must be taken.

Insider Threats:
Every year over 80 Billion USD is lost by US Corporations due to insider threats that may consist of Corporate Spies, Governments, Terrorist, Hackers and your Employees. Yes you heard that right. Your trusted employees are a huge threat to your organization and misuse of communications systems and email may cost your organization profits, embarrassment and legal issues. There are many areas of our security auditing that address the technical aspects of protecting your resources but it's difficult without the right systems in place to electronically detect when proprietary information is leaving your company often times without your knowledge or approval.

Do you allow thumb drives in your company?

Do you allow employees to print out documents and check to ensure they are accounted for?

Do you allow personal cell phones in the business and at computer terminals?

Do you have public printers and faxes in common areas?

These are some of the warning signs that information may be leaving without your knowledge. It's easy these days to take a picture of a computer screen or screenshot and email or upload a document to a cloud provider or similar service.

Mitigating the Insider Threat: There are some things you can do to ensure documents, sensitive proprietary information or PHI is not leaving your organization. Having the right training, technical controls, monitoring and auditing in place will help to alleviate the threat but not completely prevent it as nothing is 100% fail safe in the digital age.

The goal in bringing up these topics is to educate and provide guidance and assistance to companies that are at a high risk for disclosures, data breaches or leaks of information by unauthorized personnel and to provide the training, technical safeguards and training needed to keep your company in compliance and as secure as possible without affecting employees ability to do their jobs in an efficient manner. Security is always a balance between available funding and risk management and it's a tightrope act to maintain security while not wasting profits on safeguards that you may not truly need. The only way to be sure is to have an audit done and assume the risk that you choose not to secure and document the gaps in such as manner as to show that you have done as much as you can to prevent possible future disclosures while realizing that nothing is 100% secure and nobody expects it to be.

You must be able to hold individuals responsible for actions and minimize your corporate risk when dealing with technology use in the workplace.

No comments:

About SLC Security

The driving factor in us deciding to provide this service to consumers is the growing cost of cybersecurity defense and notification systems. We are providing an RSS feed of content as a public service. It is our policy to only release the full details of data breach information directly to the companies or entity that was the target of the breach or attack. If you need assistance researching the source of the breach or leak please visit SLC Security Services LLC to obtain assistance.

NOTICE: All information posted to this blog is derived from open source intelligence systems developed by SLC Security Services LLC. The OSINT-X platform is available via subscription and via a paid RSS Feed. The OSINT-X system only maintains 90 days but this timeframe may and will change without notice depending on the amount of data we are processing. We also provide a delayed RSS feed that may not contain all feed sources. The public RSS feed is on this page on the right hand side and is provided without charge. The moderators of this site are all volunteers and are not paid for their services.

If your company needs a TSCM Sweep or Vulnerability assessment feel free to contact us through the contact form on this page or call us at (717) 831-TSCM to schedule an audit.

NOTICE: Starting in January 2015 we will only discuss issues on the blog or in our feeds with the clients directly. We receive upward of 200+ calls per day requesting information. It is impossible for our volunteers to field that number of calls and still get our work done. While we would love to help every person that calls remember we are a for profit business and answering calls takes time. If we are not busy you may get in touch with us. The best approach is to email us at soc@slcsecurity.com instead of calling. Please include your name, telephone number and a brief reason for the call or communication and we will get back to you as soon as possible time permitting.

About this Page

The purpose of this page is to provide awareness to individuals and organizations that are leaking information and the information of their customers. The entities listed on this site are verified to be leaking personal information sometimes without the company even being aware. We will include information on what type of information is being leaked but we will not release the methods in which the information is being leaked unless we are under non-disclosure agreements with the organization. The information posted on this site will contain scrubbed information if we release it to protect the information source and to ensure that the person or persons being affected are not farther harmed by the disclosure of their personal information.

Before a breach is reported it is reported to the entity affected and we normally wait at least 5 days for a response. We only post disclosures whenever there have been no response by the organization or when it involves confirmed leaks or we can verify that the security issue has not been resolved by the organization. Certain items will remain on the blog if they are a major release or new information is being posted frequently concerning the incident.

We do NOT maintain data on the leaked information as we would not want to create a second incident. Reports are submitted by security researchers, patients, clients, corporations and through open source identification as well as through passive monitoring of open source systems and proprietary algorithms.

The information on this site is provided by SLC Security Services LLC a leading cyber security and investigation company located in Raleigh, NC. If your company appears on this list and you would like additional information you may contact us by mail at 2664 Timber Dr Suite 342 Garner NC 27529 or by email via the contact form available at www.slcsecurity.com or by phone at (717)831-8726.

The Stats

Reporting Stats are available upon written request.

Please report all known security issues to soc@slcsecurity.com. We will review each report manually whenever possible. Please note that not all reports will be published to the disclosure list. Also you can specifically request that the data NOT be posted during your submission.

RSS OSINT-X FEED PERMALINK
Feed Delayed 30-60 Minutes
Not all sources we monitor are in this RSS feed. This feed contains mostly news sites but does not include IRC, Darknet or File Dump site monitoring that our commercial products monitor for your organization. This feed is limited in scope. For full access you must be a customer under a service contract. If interested in a full service contract call (919)441-7353 to inquire about pricing and services available.

TWITTER FEED

Wednesday, September 17, 2014

TIP OF THE WEEK: How misdirected email can harm your business (and bottom line)

No comments:

Post a Comment