85160670 (banned), Member, 2015-Mar-5 12:38 pm:
The two most dangerous IT security sins, that everyone does
Hmmmm....
"Employees are putting business data at risk with their email and file sharing habits. This is among the findings of the latest survey by email encryption specialist DataMotion. Although companies are increasingly putting security and compliance policies in place, nearly 44 per cent of respondents admitted that these are only moderately enforced at best. In addition, more than three-quarters of respondents said they believe employees at least occasionally violate their company's compliance and security policies. More than one in five said those who do so are aware of what they are doing, but violate the policy anyway to simply get their job done."...
[ » www.itproportal.com/2015 ··· veryone/ ]

Kilroy, MVM, 2015-Mar-5 12:59 pm, to 85160670:
said by 85160670: "but violate the policy anyway to simply get their job done."
The A-number-one reason we have security issues. Security isn't convenient. Closely followed by the idea that huge, complex password policies make everything more secure. Being able to use a password of 1qaz isn't more secure than 987412365. I don't use my personal phone for work e-mail because it will allow me to use the first password, but not the second, due to the consecutive numbers.

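Kilroy's two passwords make a useful test case, so here is an added example (not code from the thread or from any product it mentions). It reproduces the composition rule he describes as an assumed toy policy (minimum length, plus "no consecutive numbers" read as no run of three digits stepping by one), then measures the same two strings the way an attacker would: brute-force keyspace and pattern detection. The policy function, the QWERTY column table and the numpad adjacency map are assumptions for illustration. The point the code makes: the policy rejects the string with the larger keyspace, and it cannot see that both are keyboard patterns (1qaz is a QWERTY column; 987412365 is an inward spiral on a numeric keypad), which is what a cracking wordlist actually exploits.

```python
import math
import re

# Assumed policy modelled on the phone rule described in the post; the real
# rule is not on the page. It reproduces the reported outcome:
# '1qaz' accepted, '987412365' rejected.
MIN_LEN = 4


def phone_policy_accepts(pw: str) -> bool:
    """Composition rule: minimum length, and no run of three digits that
    step by +1 or -1 ('consecutive numbers')."""
    if len(pw) < MIN_LEN:
        return False
    for i in range(len(pw) - 2):
        a, b, c = pw[i], pw[i + 1], pw[i + 2]
        if a.isdigit() and b.isdigit() and c.isdigit():
            step = int(b) - int(a)
            if abs(step) == 1 and int(c) - int(b) == step:
                return False
    return True


def brute_force_bits(pw: str) -> float:
    """Work factor if the attacker knows only the length and character
    classes used: log2(alphabet ** length). An upper bound on strength."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += 33  # printable ASCII punctuation
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


# Assumed US-QWERTY columns and rows; a real cracking wordlist has far more.
KEYBOARD_WALKS = [
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik,", "9ol.", "0p;/",
    "qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
]

# Assumed numeric keypad layout: row, column of each key.
NUMPAD = {
    "7": (0, 0), "8": (0, 1), "9": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "1": (2, 0), "2": (2, 1), "3": (2, 2),
    "0": (3, 1),
}


def is_keyboard_walk(pw: str) -> bool:
    """True if the whole password (or its reverse) is a substring of a known
    QWERTY walk, i.e. it falls to a tiny dictionary long before brute force."""
    p = pw.lower()
    return any(p in w or p[::-1] in w for w in KEYBOARD_WALKS)


def is_numpad_walk(pw: str) -> bool:
    """True if the password is all digits and every step moves to a
    horizontally or vertically adjacent numpad key (rows, columns, spirals)."""
    if len(pw) < MIN_LEN or not pw.isdigit():
        return False
    for a, b in zip(pw, pw[1:]):
        (r1, c1), (r2, c2) = NUMPAD[a], NUMPAD[b]
        if abs(r1 - r2) + abs(c1 - c2) != 1:
            return False
    return True


def assess(pw: str) -> dict:
    """Policy verdict next to the two attacker-oriented measures."""
    return {
        "policy_accepts": phone_policy_accepts(pw),
        "brute_force_bits": round(brute_force_bits(pw), 1),
        "keyboard_pattern": is_keyboard_walk(pw) or is_numpad_walk(pw),
    }


if __name__ == "__main__":
    for candidate in ("1qaz", "987412365", "correcthorse7"):
        print(candidate, assess(candidate))
```

Running it shows 1qaz accepted at about 20.7 bits of keyspace and 987412365 rejected at about 29.9 bits, with both flagged as keyboard patterns. A composition rule that measures the wrong property produces exactly the user behaviour the thread complains about: the policy is satisfied by a weaker string, and the user learns to game it.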
StuartMW, Premium Member, to 85160670:
In my experience most IT policies ignore the needs of employees, so there is no alternative but to do workarounds to get your job done. I know I did so routinely. Trying to appeal to the head IT guys was about as useful as banging your head against the wall.
In fact, I worked at a small division of a large company and the local IT guy had set up a local, and undocumented, DSL line so certain users could bypass the corporate network when needed. Users would physically unplug their machine from the main network and plug into the DSL line.

Kearnstd, Premium Member, to 85160670:
That is why security will always have issues: making things secure has a habit of making them more user-unfriendly.
Requirements for expiring, long, complex passwords that you cannot recycle cause the writing down of passwords, for example.

StuartMW, Premium Member, 2015-Mar-5 3:20 pm:
As an aside, making "things unfriendly" isn't the same as making them impossible.
Any IT policy that makes it impossible for people to do their job without resorting to workarounds isn't a good one.
IMO many IT people live in their own little worlds and have no idea what other workers actually need to do.
Let me give an example. I was a designer (hardware/firmware/software) and often needed to download large files (PDF documents, software, etc.) from vendor sites. For a long time the corporate policy was to block all FTP, so I downloaded stuff at home and brought the files in to work. Later the IT guys got a clue and enabled FTP for selected users (I was one of them). Our division only had a T-1 connection, so I'd still download from home since others would complain of slow speeds when I did so from work.

sivran, Premium Member, to StuartMW:
At work we have a "HIPAA environment" that's supposed to be locked down against pulling files out of it. Because it's so difficult to work in, we figured out a workaround to get the data out onto our personal machines. Shhhh. It's just IP addresses, sheesh.

Mike, Mod, 2015-Mar-5 4:24 pm:
IP addresses are one of the 18 sacred PHI identifiers of HIPAA. Your workplace is breaking federal law and if you're caught you're going to jail for a long time. HHS/DOJ does NOT piss around. HIPAA is scary because it always pierces the corporate veil and goes after individuals.

Kearnstd, Premium Member, 2015-Mar-5 5:22 pm:
That is interesting: HIPAA calls an IP address identifiable, yet in copyright lawsuits judges have said an IP is not a person.

sivran, Premium Member, to Mike:
I'd like to take that five dollar plasma weapon to the guy who said IP addresses are sacred. None of the data we use could actually identify a person, but we have to treat it as such anyway. Come to think of it, wonder how DOJ would feel about this same data going overseas? And then there are several other situations I can think of that arise in my workplace which could be, maybe, if you squint at it in the noonday sun, a violation. I could rant at length about the headaches this causes for all involved. Anyway, just a real live example of how measures intended to protect data are ignored, or worse, end up potentially exposing it, much like complex password policies lead to passwords on sticky notes.

Mike, Mod, 2015-Mar-5 6:24 pm:
If someone has a static IP you can trace that to a person.

sivran, Premium Member, 2015-Mar-5 6:48 pm:
Naturally. But we're far away from any end-user IPs. Let's just say, after working with this stuff for a couple years, I can confidently say the chance of actual PII being in the data sets we work with is practically non-existent. I wish there was some sort of certification process or something where we could prove that and get this monkey off our backs (geez, I'm starting to sound like a Republican), but I don't think there is.
Now, back to the topic at hand. My workplace's password policy, I recently learned, keeps records of the previous 10 passwords. With quarterly password changes, that's over two years' worth. I think that's fairly reasonable. The OP's article talks about encrypted email; AFAIK, we don't do that at all. We also allow mobile email, with the stipulation that devices are password (not PIN, swipe, or pattern) protected, although that part can be bypassed on some devices apparently. Mine forced me to change when I set up email, but then allowed me to change back afterward. I no longer have work email on my phone though; I found it annoying.

19579823 (banned), to StuartMW:
quote: "In my experience most IT policies ignore the needs of employees so there is no alternative but to do workarounds to get your job done."
Yes, but in some cases doing this might getcha fired.

Ian1, Premium Member, to 85160670:
I don't think I have ever worked anywhere with a published security and compliance policy.

MaynardKrebs, Premium Member, to Mike:
said by Mike: "If someone has a static IP you can trace that to a person."
Nope. You can trace to a machine, but not necessarily a specific person 100% of the time.

Curiosity, to sivran:
I would not be so keen on Vivaldi as a browser. Have you read the user agreement? It says that they collect data such as IP number and browsing behaviour. Sounds like snooping to me.

Kearnstd, Premium Member, to StuartMW:
That FTP thing reminds me of working tech support for a cable company. I would have to use RealVNC to get into my home computer to test gaming sites when a customer claimed issues in accessing them. They were Websensed from inside the network. VNC solved that. If it worked from my home computer, I knew I had to troubleshoot their settings.

sivran, Premium Member, to Curiosity:
That would be the Vivaldi website, not the browser.

Mike, Mod, to MaynardKrebs:
If it's owned by a particular person then it can be traced to that person. There is your pathway to why it is considered PHI. List of identifiers: » irb.utah.edu/_pdf/hipaa_ ··· iers.pdf

Mike, Mod, to 85160670:
Now that I want to read the article, is there a copy/pasta somewhere that isn't behind a login wall?

Kilroy, MVM, to MaynardKrebs:
said by MaynardKrebs: "You can trace to a machine, but not necessarily a specific person 100% of the time."
Yes, it is; the RIAA and MPAA told me so.

NormanS, MVM, to Mike:
said by Mike: "If someone has a static IP you can trace that to a person."
You can? All you can do with a static IP address is the same as with a dynamic IP address: identify the account holder. If the account holder is in a multiple-person household, you can't ID which specific person did what when. Does not matter if the IP address is static or dynamic.

Mike, Mod, 2015-Mar-6 11:18 am:
You just said the keyword. Identify.
Sanitized PHI is supposed to be COMPLETELY anonymous. The most specific you can identify someone in HIPAA language is a surrender for public health reports. A public health incident occurred in zip code 152~~, etc. etc.
If it's a two-person account, you have a 50-50 shot at identifying someone. In 1996 it was deemed too specific.

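The de-identification rule Mike is describing (the Safe Harbor method: the 18 listed identifiers removed, IP addresses among them; ZIP codes kept only to their first three digits, as in his "152~~" example, or collapsed to 000 where that prefix covers fewer than 20,000 people; dates reduced to the year; ages over 89 bucketed) is mechanical enough to show as code. The following is an added example, not code from the thread or from any HIPAA tooling it mentions. The field names, the sample record and the set of low-population ZIP prefixes are assumptions for illustration; the authoritative prefix list is derived from Census population data, and a real pipeline would also have to catch dates in free text and IPv6 addresses, neither of which is handled here.

```python
import re

# IPv4 addresses embedded in free text. The pattern is an assumption for this
# example; IPv6 is deliberately out of scope.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)

# Safe Harbor keeps the first three ZIP digits unless that prefix covers fewer
# than 20,000 people, in which case it becomes 000. Illustrative subset only
# (assumption); the real list comes from Census population data.
SMALL_POPULATION_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790",
    "821", "823", "830", "831", "878", "879", "884", "890", "893",
}

# Fields that map directly onto listed identifiers (names, phone numbers,
# e-mail, SSN, medical record number, device serials, URLs, IP addresses).
# Field names are assumed for the constructed sample record.
DROP_FIELDS = {
    "patient_name", "phone", "email", "ssn", "mrn",
    "device_serial", "url", "client_ip",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}


def safe_harbor_zip(zip_code: str) -> str:
    """Three-digit prefix, or 000 for low-population prefixes."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def safe_harbor_date(iso_date: str) -> str:
    """Keep only the year; month and day are identifiers."""
    return iso_date[:4]


def safe_harbor_age(age: int):
    """Ages over 89 collapse into a single '90+' bucket."""
    return "90+" if age > 89 else age


def redact_ips(text: str) -> str:
    """IPs leak into notes and log lines, not just dedicated fields."""
    return IPV4_RE.sub("[IP]", text)


def deidentify_record(record: dict) -> dict:
    """Apply the Safe Harbor transformations to one flat record."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == "zip":
            out[field] = safe_harbor_zip(value)
        elif field in DATE_FIELDS:
            out[field] = safe_harbor_date(value)
        elif field == "age":
            out[field] = safe_harbor_age(value)
        elif isinstance(value, str):
            out[field] = redact_ips(value)
        else:
            out[field] = value
    return out


# Constructed, fictional sample record; 203.0.113.0/24 is a documentation range.
SAMPLE_RECORD = {
    "patient_name": "Jane Example",
    "zip": "15212",
    "dob": "1923-04-02",
    "age": 92,
    "client_ip": "203.0.113.7",
    "diagnosis_code": "J18.9",
    "note": "Portal login from 203.0.113.7 on 2015-03-05; follow-up scheduled.",
}


if __name__ == "__main__":
    print(deidentify_record(SAMPLE_RECORD))
```

On the sample, the output keeps only the ZIP prefix 152, the birth year, the "90+" age bucket, the diagnosis code and the note with its address replaced; the note's date survives, which is the kind of gap that makes "it's just IP addresses" an unsafe assumption about any dataset that also carries free text.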
85160670 (banned), Member, 2015-Mar-6 3:26 pm:
{{{ SMILE }}}

NormanS, MVM, to Mike:
said by Mike: "You just said the keyword. Identify."
Okay. Help me to understand the difference between dynamic and static IP addresses WRT "identify". Joe has a dynamic IP address. Jeff has a static IP address. How is it easier to identify Jeff than Joe? Either way, all you have is an IP address. You will need the cooperation of the ISP. Some ISPs will probably just hand it over. Unless they have:
• Short retention policy
• A hard-ass "show us a subpoena" policy
I don't see the difference.

Mike, Mod, 2015-Mar-6 4:04 pm:
If there is a pathway to the person, or at least a good hint, remove the pathway.
Complain to your government, not me.

NormanS, MVM:
Given that the Big Dogs (AT&T, Comcast, TWC, Verizon) seem to have a retention policy somewhere between decades and eternity, I don't see a difference between static and dynamic IP addresses WRT "identify". And a lot of good it would do to complain to the government; they would prefer that all ISPs implement eternal data retention.

Shady Bimmer, to sivran:
said by sivran: "Because it's so difficult to work in, we figured out a workaround to get the data out onto our personal machines. Shhhh. It's just IP addresses, sheesh."
said by sivran: "I'd like to take that five dollar plasma weapon to the guy who said IP addresses are sacred. None of the data we use could actually identify a person, but we have to treat it as such anyway."
Would you consider a mailing address (as in snail-mail) "sacred" (PII/PHI)? Would you consider a phone number (home, cell, or otherwise) "sacred" (PII/PHI)? An IP is treated similarly as PII because it can be used to potentially identify a person, even if only weakly. That meets the "for which there is a reasonable basis to believe can be used to identify the individual" qualification used to categorize such information. We may not like the classifications and we may not agree with them, but that does not mean we can arbitrarily disregard such classifications and do as we please.

sivran, Premium Member, to Mike:
said by Mike: "If it's owned by a particular person then it can be traced to that person."
Hmm, is that the standard? Like, if it's an IP of a router or firewall (owned by the corporation, not by a particular person) = not PHI, IP of a tablet/PC = PHI? Then again, I guess since corporations are people too... The data we work with is logs and configuration files (and the occasional crash dump) from specific network devices. The only difference between the HIPAA environment and my laptop is... well, come to think of it, there isn't any. Pretty much all of us are certified and IT can access all of it anyway. Hmmm. Maybe it's not a violation. Heck, if anything it's better off on my laptop: BitLocker-encrypted.

to Mike:
said by Mike: "If someone has a static IP you can trace that to a person."
No, you can only trace it down to a subnet. IP addresses can be spoofed in many environments, especially if you don't have port MAC filtering in the switch.

Mike, Mod, to Shady Bimmer:
Yes and yes.
There are 18 identifiers and I listed them via a link.