As a rule of thumb, it should not be a thumb drive
By Chip Bates
I was reading this article about IRS employees whose data was breached by an insider who apparently plugged a thumb drive into an employee’s PC and downloaded information on 20,000 employees. Well, that seems like pretty loose security protocol from a government agency that collects extremely sensitive data on every citizen and entity filing a federal tax return. I’ll save my sarcasm on what we should expect from our federal government regarding citizen privacy for another time, but this is another warning shot that not all data breaches come from external hacks into a network.
In addition to the myriad external bad actors trying to infiltrate your network with malign intentions, you must not assume that the people who walk through your employee entrance every day are not bad actors as well. In fact, insiders are often conspiring with external parties to assist in data exfiltration. While the IRS breach article goes on to state that it appears the stolen employee data was not used for nefarious purposes (for whatever that’s worth coming from an IRS official), that is not the point. The point is that it could be used, sold or otherwise transferred to those who profit from stolen personal data. So, if you cannot trust an insider, who can you trust?
Trust no one.
No, this is not paying homage to the late, great X-Files TV series, but a mindset that even trusted employees should not necessarily be trusted from a network security standpoint. We all like to think the person sitting next to us in the office is honest and trustworthy, especially when you let him or her use your computer (which just so happens to have more user access privileges than your cube mate’s) for a moment while their computer is, let’s say, rebooting. After all, you just went for a quick cup of coffee. Besides, you’ve worked together for months and he or she seems like a quiet, good, hardworking person. Isn’t that always what neighbors say of serial killers when interviewed after they find out the person next door has a murderous hobby? Go figure. That’s why inside jobs can go on for so long undetected, if they are discovered at all. It is human nature to trust people, especially those who seem to be model corporate citizens. It is similar to airport security, which for decades relied heavily on the principle that people are basically honest and trustworthy. 9/11 changed that mindset.

With so much valuable personal data being stored on servers and networks, data security must guard equally against threats inside and outside the walls of an organization. Certainly, this concept of insider security controls has been around for a long time, but its inconsistent application, as the IRS case so perfectly illustrates, still leaves too many holes to exploit. Knowing who has access to what data, as well as watching for “suspicious” network activity, are just basic principles that can be monitored and managed with various technology solutions today. Which is why it seems shocking to me that in this day and age someone could simply plug a thumb drive into a USB port and walk off with loads of personal data, at the IRS of all places.
But then again, maybe not that shocking.
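Two of the controls the post points at, knowing who is using which machine and watching for suspicious removable-media activity, as an added example that is not part of the original post: a small Python triage routine run over constructed endpoint log lines. The device allow list, workstation assignments, log format and 50 MB threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed allow list and workstation assignments (assumptions, not from the post).
APPROVED_SERIALS = {"CORP-USB-0001", "CORP-USB-0002"}
WORKSTATION_OWNER = {"WS-101": "alice", "WS-102": "bob"}
BULK_COPY_BYTES = 50 * 1024 * 1024  # 50 MB, an assumed escalation threshold

# Constructed sample telemetry in key=value form; a real feed would come from
# your endpoint agent or the OS's removable-storage auditing.
SAMPLE_LOG = """\
2024-05-01T09:14:03Z host=WS-101 user=alice event=usb_mount serial=CORP-USB-0001
2024-05-01T09:14:30Z host=WS-101 user=alice event=usb_write serial=CORP-USB-0001 bytes=2097152
2024-05-01T10:02:11Z host=WS-101 user=bob event=usb_mount serial=RETAIL-STICK-99
2024-05-01T10:02:40Z host=WS-101 user=bob event=usb_write serial=RETAIL-STICK-99 bytes=94371840
2024-05-01T10:03:05Z host=WS-101 user=bob event=usb_write serial=RETAIL-STICK-99 bytes=41943040
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(log: str):
    """Yield one dict per non-empty log line: timestamp plus its key=value fields."""
    for line in log.splitlines():
        if line.strip():
            ts, rest = line.split(" ", 1)
            yield dict(KV.findall(rest), ts=ts)

def triage(log: str) -> dict:
    """Map (host, user, serial) -> reasons an analyst should look (benign keys omitted)."""
    written = defaultdict(int)
    for rec in parse(log):
        key = (rec["host"], rec["user"], rec["serial"])
        if rec["event"] == "usb_write":
            written[key] += int(rec["bytes"])
        else:
            written.setdefault(key, 0)  # a mount with no writes is still tracked
    findings = {}
    for (host, user, serial), nbytes in written.items():
        reasons = []
        if serial not in APPROVED_SERIALS:
            reasons.append("unapproved device")
        owner = WORKSTATION_OWNER.get(host)
        if owner and owner != user:  # the "cube mate borrowing your PC" case
            reasons.append(f"{user} active on {owner}'s workstation")
        if nbytes >= BULK_COPY_BYTES:
            reasons.append(f"bulk copy ({nbytes // 2**20} MB)")
        if reasons:
            findings[(host, user, serial)] = reasons
    return findings
```

Calling `triage(SAMPLE_LOG)` returns only the session where bob used alice's workstation with an unapproved stick and copied 130 MB; alice's own approved device produces no finding.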