Tuesday, October 23, 2007

Clowns on Parade: Giving Administaff Your Keys Isn't Much Better Than Leaving the Door Open

Chains and their "weakest links" are used all the time in metaphor. But I realized this metaphor was wrong after seeing an odd "chain of locks" securing a no-vehicle gate last week near the GGNRA in Marin.

The only practical reason I could imagine for using this chain of locks is that a large number of people all need to be able to open the gate (e.g., park staff, firefighters, police). Instead of having one lock and sharing copies of the key, someone decided to give each party a lock and key. By chaining them together, any opened lock allows the gate to be opened.

I'm still not sure why they would choose this approach (if any reader is familiar with this construct, please tell me!)

With personal information, we may not share a "master key" with many people, but we offer a lot of locks and keys to a lot of different parties. Any one of them can leave us wide open. Like last week, when Administaff -- a huge co-employment organization that my employer uses -- announced ... (drumroll) ... a laptop was stolen with personal info, including SSNs, for everyone on every payroll they processed in 2006 (approximately 159,000 people total).

With friends like this ... you know the rest.

There's a wonderful FAQ on the theft, where Administaff explains that it's not the organization's fault: "the information was not saved in an encrypted location, which is a clear violation of our company’s policies." In other words, they're blaming the employee for violating the company policy.

I don't buy it.

Yes, I believe there's a company policy somewhere that says not to copy the entire human resources database onto your laptop in plain text.

But I don't believe Administaff made reasonable efforts to see that this policy would be carried out.

I suspect there were at least three distinct failures:

Failure #1: The employee whose laptop was stolen was tasked with an activity for which the easiest workflow involved loading the entire database onto his or her laptop. How do I know this? Most workers do not take the hardest route to doing their job. They take the easiest one they can.

In this case, someone took the easiest route even though it meant violating a policy (that he most likely never took note of anyway). When Administaff management allows the easiest workflow to be one with this much security exposure, they share the blame. If they don't know what workflows are being used for Social Security data, then they are failing at a bigger level, namely not auditing sensitive processes in their own identity-theft-prone line of business.

Failure #2: At best, the server system which "owns" the stolen data allowed this employee to produce a report containing critical data for a very large number of records. (At worst, this data is not stored in any controlled application at all, but rather in something like Access, FoxPro, or Excel. While I know this is a real possibility, it's such a revolting idea that I will ignore it for now.) Assuming this application has a user/role model, why would this user have such a reporting privilege?

Even if the application is designed to support some "work offline" workflow, so a that network connection is not required to access each record, this can be accomplished without any mass download of records. A modest number of records could be downloaded and cached for an offline work session, and synched back later. The record cache would, of course, be secured with a passphrase and/or other elements.

My point here is that there's no way the employee accessed and then copied/saved each of 160,000 records, one at a time. The application had to help, making it easy to do some operation on "all" or on a large set of records (birthdate in a specific year, last name starting with a certain letter, etc.) Awful idea. Administaff is leaving the door wide open, no surprise that the employee stumbles on through.

Failure #3: How long was this data on the laptop before the laptop was stolen? At one large financial institution, any computer connected to the network -- whether on site or via VPN, virtual machine or real -- was subject to regular scanning from the mother ship. The security group would check all of these machines not only for vulnerabilities (viruses, vulnerable services), but also for content. Were they after pr0n? Not so much. They wanted to find out if any disproportionate amount of their data ended up on any of your machines.

If, say, they found a file that looked like a bunch of credit-card numbers, you'd have some explaining to do. While this approach would not stop a clever data thief (who would employ steganography or removable drives), it would do a great job at stopping any accidental hoarding of customer data. In fact, it would do a great job at stopping this pervasive stolen-laptop-stolen-data problem.

Apparently Administaff really cares about this stuff. Surely enough to spend the half-hour thinking about it that I did when I wrote this post. Just not enough to actually do anything.


Jamie said...

I suspect that the multi-lock chain allows various services to each have their own single-key-multiple-lock setup for similar gates all over the place, without requiring all services to use the same key.

In other words, I think that each of those locks is keyed the same as a bunch of locks elsewhere, so that a particular set of individuals can carry one key and open any lock to anywhere they're authorized to go.

That's just a guess, though, and considering that I've never seen anything like that before either, it's probably wrong. :)

Security Retentive said...

Bruce Schneier covered this back in 2004 for the Hollywood sign...


Security Retentive said...

To be fair of course in the data theft case Windows makes it extremely tricky to do full-disk encryption natively except in Vista. You can buy a whole disk encryption package, and the US-GOV is going this for a bunch of things, but it takes time to roll it out.

Yes, this is a breakdown in controls and security, and really sucks. Its hard to know ow many business processes they may have been in the process of fixing over the last N-months to try and get this all working, and then had a laptop go missing. The point being that even if they were trying to fix things crap can still happen...

One way to fix this of course is data minimization, not ever having the data in question, not allowing it off servers in their datacenter, etc. All things they could and should have been doing...

Anonymous said...

China Wholesale has been described as the world’s factory. This phenomenom is typified by the rise of buy products wholesalebusiness. Incredible range of products available with wholesale from china“Low Price and High Quality” not only reaches directly to their target clients worldwide but also ensures that China Wholesalers from China means margins you cannot find elsewhere and China Wholesale will skyroket your profits.

Anonymous said...

A study last yearnike tn, the author in the essay read NIKE , a reporter at the Shanghai headquarters in an interview, nike chaussuressee a pr in high school to read a league plans, employees interviewed told reporters in Beijing's streets, they children to interview, the children said, "truly understand them." tn chaussures These words, if the author touches product function, brand spirit and culture is to become part of the consumer of two basic methods

Anonymous said...

Charlestoncheap columbia jackets. turned a pair of double plays to do the trick. spyder jacketsThe had at least one runner on in every inning but the first and outhit the RiverDogs by a 12-6 margin Lawal should be a focal point of the Yellow cheap polo shirts along with highly touted newcomer, 6-9 Derrick Favors, rated as the No. 1 power forward on the ESPNU 100. The Yellow JacketsThere are ed hardy shirts pretty ed hardy shirt for men,
ed hardy womens in the ed hardy online storedesigned by ed hardy ,many cheap ed hardy shirt ,glasses,caps,trouers ed hardy shirts on sale ,You can go to edhardyshirts.com to have a look ,you may find one of ed hardy clothing fit

Anonymous said...

Lacoste Polo Shirts, , Burberry Polo Shirts.wholesale Lacoste polo shirts and cheap polo shirtswith great price. clothingol.com offers lot of 10ralph lauren polo lacoste polo shirts and lot of 20 Burberry Polo Shirts. clothingol.com offers classic fit polo shirts. polo clothingCheap Brand Jeans ShopMen Jeans - True Religion Jeans, burberry polo shirtsGUCCI Jeans, Levi's Jeans, D&G Jeans, RED MONKEY Jeans, Cheap JeansArmani Jeans, Diesel Jeans, Ed hardy Jeans, Evisu Jeans, Women JeansJack&Jones Jeans...

Anonymous said...

nike shoes & Puma Shoes Online- tn nike,puma shoes,puma cat, baskets cheap nike shox, air max.cheap nike shox r4 torch, cheap nike air, nike running shoes air max, puma speed and more. Paypal payment.nike running shoes Enjoy your shopping experience on Nike & Puma Shoes Online Store.

Opal said...


Ding Michelle said...

You will require a finances trainer that could retain all your necessary items such suits for women as money along with bank cards. You need to have this to High Heels shoes aid wait your very own in the fantastic situation regarding favour.

Seacanoeist Mark said...

I liked your article, I will share your article to everyone!!

WoW gold|Diablo 3 Gold|RS Gold|Cheap Diablo 3 Gold