Wednesday, September 14, 2016

Email encryption? Who really cares!

So, I finally took advantage of the low mortgage rates I've seen advertised all over the place and refinanced my house.   I was excited! The bank I applied for the mortgage through was able to do just about everything online, using a combination of Adobe PDF delivery mechanisms and a portal to upload documents required for the mortgage.  

In typical fashion, something broke with their portal and I needed to send one last document to the bank.  My options were to either drop it off at the local branch or send it to them via email.

As it is, with my job, I have many tools at my disposal in order to send messages encrypted through email, but I decided that I really didn't want to use any of our systems at work since I like to maintain a separation between personal business and work.

Hmm, what should I use within my personal email account to encrypt this stuff? Should I zip it and password protect the file?  That sounded like a good idea, but then I started to think of the risk involved with me just sending the stupid PDF.  Do I really care? I mean, what could happen? Is there a chance that some hackers are just standing by at Comcast headquarters with one of the switches port mirrored, looking for stuff coming off of the residential backbone? I guess it's possible, but what are the chances? Are we really going overboard with this email encryption stuff? Do we REALLY need it?

Unfortunately, in reality, the answer is yes... We do need it.  The biggest problem is that you don't know what's happening between the two endpoints. You can't put your faith in a gut feeling that there won't be any evil happening once the data hits the Internet, or that the infrastructure is somehow too big or too obscure to allow the capture of your "one in a billion" packets that pass through in a nanosecond.  A message typically crosses several mail servers and networks you have never heard of, and each one sees it in the clear unless you encrypted it before it left your machine.  Since you have no control over, and no visibility into, what happens between the originator and the receiver, you just can't take that chance with sensitive data assets.

I teach at a college here in Chicago and one of the assignments I have the students in my Information Security course complete is research on something called Room 641A.  Google it... You'll have fun.

(As posted on LinkedIn)

Thursday, September 1, 2016

Data Classification - Who needs it?

As an information security practitioner, there are times when you look at the security landscape for your organization and think, wow, there are definitely some areas we can improve on.  Many of these areas are not necessarily easy to tackle and execution may even seem impossible!

One thing I had always struggled with when working in banking was data classification. We did have data classification defined, to an extent, but it was really basic and didn’t allow us to make real decisions on investing in technology and security controls.  The bulk of what we really needed to protect was customer information, but was that good enough?

In banking there is a defined segmentation of data that needs protection – customer data.  Putting forth the minimum required effort from a compliance standpoint is really a shortsighted view of a larger data classification need, because there are so many other groups of data that fit into a grey area.  In this grey area lives large quantities of private information, such as the information that human resources maintains on our employees (salary, health care info, etc.), information relating to mergers and acquisitions, employee lists, schedules, bank access codes, combinations to vaults, minimum cash limits…  The list goes on.

How do we classify the sensitivity of this data? It certainly doesn’t fall into the larger category of customer information, but it definitely needs to be protected from exposure.  What’s more, this inadequacy will start to expose itself when looking at initiatives such as DLP (data loss prevention), rights management, DR (disaster recovery) optimization, justifying spend on technology, and now – cyber-insurance requirements, all of which need to know which data matters most before they can be scoped or tuned.

Take the time to look at how you are classifying data, what types of data labels you are using, and how data classification feeds into larger initiatives.  You may be surprised at how many areas this touches and how it may help with some of the initiatives listed above.

If you need help understanding how Data Classification can help you, or if you are in need of building out a more comprehensive Data Classification scheme, let me know.

(as posted on LinkedIn)