85160670 (banned)
"If U know neither the enemy nor yoursel
join:2013-09-17
Edmonton, AB

85160670 (banned)

Member

The two most dangerous IT security sins, that everyone does

Hmmmm...."Employees are putting business data at risk with their email and file sharing habits. This is among the findings of the latest survey by email encryption specialist DataMotion.

Although companies are increasingly putting security and compliance policies in place nearly 44 per cent of respondents admitted that these are only moderately enforced at best.

In addition more than three-quarters of respondents said they believe employees at least occasionally violate their company’s compliance and security policies. More than one in five said those who do so are aware of what they are doing, but violate the policy anyway to simply get their job done."...[ »www.itproportal.com/2015 ··· veryone/ ]

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

1 recommendation

Kilroy

MVM

said by 85160670:

but violate the policy anyway to simply get their job done.

The A-number-one reason we have security issues: security isn't convenient.

Closely followed by the idea that huge complex password policies make everything more secure. Being able to use a password of 1qaz isn't more secure than 987412365. I don't use my personal phone for work e-mail because it will allow me to use the first password, but not the second due to the consecutive numbers.
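Kilroy's 1qaz versus 987412365 comparison can be made concrete with a checker. The block below is an added example, not a policy from any poster's employer; the QWERTY layout table and the 12-character minimum are assumptions. It shows the "no consecutive numbers" rule on its own, which rejects 987412365 and accepts 1qaz, beside a check that also recognizes keyboard walks, so both candidates are judged the same way.

```python
from typing import Dict, List

# QWERTY layout used to spot keyboard walks. Constructed for this example;
# a production checker would also cover shifted symbols and the numpad.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 12  # assumed minimum; the policies in the thread do not state one


def has_digit_run(pw: str, length: int = 3) -> bool:
    """The 'no consecutive numbers' rule from the post: flags ascending or
    descending digit runs such as '123' or '987'."""
    for i in range(len(pw) - length + 1):
        chunk = pw[i:i + length]
        if not chunk.isdigit():
            continue
        diffs = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _key_position(ch: str):
    """Row/column of a character on the QWERTY grid, or None for other keys."""
    for row_idx, row in enumerate(QWERTY_ROWS):
        col = row.find(ch.lower())
        if col >= 0:
            return (row_idx, col)
    return None


def has_keyboard_walk(pw: str, length: int = 3) -> bool:
    """Flags runs of physically adjacent keys, horizontal ('qwe', '987')
    or vertical ('1qaz'), which a digit-only rule misses."""
    positions = [_key_position(c) for c in pw]
    adjacent_steps = {(0, 1), (0, -1), (1, 0), (-1, 0)}
    for i in range(len(pw) - length + 1):
        window = positions[i:i + length]
        if any(p is None for p in window):
            continue
        steps = {(b[0] - a[0], b[1] - a[1]) for a, b in zip(window, window[1:])}
        if len(steps) == 1 and next(iter(steps)) in adjacent_steps:
            return True
    return False


def naive_policy(pw: str) -> Dict[str, object]:
    """The policy described in the post: only the consecutive-digit rule."""
    reasons: List[str] = []
    if has_digit_run(pw):
        reasons.append("consecutive digits")
    return {"ok": not reasons, "reasons": reasons}


def improved_policy(pw: str) -> Dict[str, object]:
    """Length plus pattern checks that treat '1qaz' and '987' alike."""
    reasons: List[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH}")
    if has_digit_run(pw):
        reasons.append("consecutive digits")
    if has_keyboard_walk(pw):
        reasons.append("keyboard walk")
    return {"ok": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ["1qaz", "987412365", "blue-kettle-orbit-42"]:
        print(candidate, "naive:", naive_policy(candidate),
              "improved:", improved_policy(candidate))
```

The naive rule accepts 1qaz and rejects 987412365 exactly as the phone in the post did; the keyboard-walk check flags 1qaz as a vertical walk and 987 as a horizontal one, so a policy built on it no longer rewards the shorter, more guessable choice.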

StuartMW
Premium Member
join:2000-08-06

2 recommendations

StuartMW to 85160670

Premium Member

to 85160670
In my experience most IT policies ignore the needs of employees so there is no alternative but to do workarounds to get your job done. I know I did so routinely. Trying to appeal to the head IT guys was about as useful as banging your head against the wall.

In fact I worked at a small division of a large company and the local IT guy had set up a local, and undocumented, DSL line so certain users could bypass the corporate network when needed. Users would physically unplug their machine from the main network and plug into the DSL line.
Kearnstd
Space Elf
Premium Member
join:2002-01-22
Mullica Hill, NJ

1 recommendation

Kearnstd to 85160670

Premium Member

to 85160670
That is why security will always have issues; making things secure has a habit of making them more user-unfriendly.

Requirements for expiring, long, complex passwords that you cannot recycle cause the writing down of passwords, for example.

StuartMW
Premium Member
join:2000-08-06

1 edit

1 recommendation

StuartMW

Premium Member

As an aside making "things unfriendly" isn't the same as making them impossible.

Any IT policy that makes it impossible for people to do their job without resorting to workarounds isn't a good one.

IMO many IT people live in their own little worlds and have no idea what other workers actually need to do.

Let me give an example. I was a designer (hardware/firmware/software) and often needed to download large files (PDF documents, software, etc.) from vendor sites. For a long time the corporate policy was to block all FTP, so I downloaded stuff at home and brought the files in to work. Later the IT guys got a clue and enabled FTP for selected users (I was one of them). Our division only had a T-1 connection, so I'd still download from home since others would complain of slow speeds when I did so from work.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran to StuartMW

Premium Member

to StuartMW
At work we have a "HIPAA environment" that's supposed to be locked down against pulling files out of it.

Because it's so difficult to work in, we figured out a workaround to get the data out onto our personal machines.

Shhhh. It's just IP addresses, sheesh.

Mike
Mod
join:2000-09-17
Pittsburgh, PA
·Verizon FiOS

Mike

Mod

IP addresses are one of the 18 sacred PHI identifiers of HIPAA. Your workplace is breaking federal law and if you're caught you're going to jail for a long time. HHS/DOJ does NOT piss around. HIPAA is scary because it always pierces the corporate veil and goes after individuals.
Kearnstd
Space Elf
Premium Member
join:2002-01-22
Mullica Hill, NJ

Kearnstd

Premium Member

That is interesting: HIPAA calls an IP address identifiable, yet in copyright lawsuits judges have said an IP is not a person.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran to Mike

Premium Member

to Mike
I'd like to take that five dollar plasma weapon to the guy who said IP addresses are sacred.

None of the data we use could actually identify a person, but we have to treat it as such anyway. Come to think of it, I wonder how DOJ would feel about this same data going overseas? And then there are several other situations I can think of that arise in my workplace which could be, maybe, if you squint at it in the noonday sun, a violation. I could rant at length about the headaches this causes for all involved.

Anyway, just a real live example of how measures intended to protect data are ignored, or worse, end up potentially exposing it, much like complex password policies lead to passwords on sticky notes.

Mike
Mod
join:2000-09-17
Pittsburgh, PA

Mike

Mod

If someone has a static IP you can trace that to a person.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran

Premium Member

Naturally. But we're far away from any end-user IPs. Let's just say, after working with this stuff for a couple years, I can confidently say the chance of actual PII being in the data sets we work with is practically non-existent. I wish there was some sort of certification process or something where we could prove that and get this monkey off our backs, (geeze, I'm starting to sound like a Republican) but I don't think there is.

Now, back to the topic at hand.

My workplace's password policy, I recently learned, keeps records of the previous 10 passwords. With quarterly password changes, that's over two years' worth.

I think that's fairly reasonable.

The OP's article talks about encrypted email -- AFAIK, we don't do that at all. We also allow mobile email, with the stipulation that devices are password (not PIN, swipe, or pattern) protected, although that part can be bypassed on some devices apparently. Mine forced me to change when I set up email, but then allowed me to change back afterward. I no longer have work email on my phone though; I found it annoying.
19579823 (banned)
An Awesome Dude
join:2003-08-04

19579823 (banned) to StuartMW

Member

to StuartMW
quote:
In my experience most IT policies ignore the needs of employees so there is no alternative but to do workarounds to get your job done.
Yes but in some cases doing this might get cha fired

Ian1
Premium Member
join:2002-06-18
ON

Ian1 to 85160670

Premium Member

to 85160670
I don't think I have ever worked anywhere with a published security and compliance policy.
MaynardKrebs
We did it. We heaved Steve. Yipee.
Premium Member
join:2009-06-17

2 recommendations

MaynardKrebs to Mike

Premium Member

to Mike
said by Mike:

If someone has a static IP you can trace that to a person.

Nope.
You can trace to a machine, but not necessarily a specific person 100% of the time.
Curiosity
join:2001-10-01
Dawson Creek, BC

Curiosity to sivran

Member

to sivran
I would not be so keen on Vivaldi as a browser. Have you read the user agreement? It says that they collect data such as IP number and browsing behaviour. Sounds like snooping to me.
Kearnstd
Space Elf
Premium Member
join:2002-01-22
Mullica Hill, NJ

Kearnstd to StuartMW

Premium Member

to StuartMW
That FTP thing reminds me of working tech support for a cable company. I would have to use RealVNC into my home computer to test gaming sites when a customer claimed issues accessing them. They were Websensed from inside the network. VNC solved that. If it worked from my home computer I knew I had to t/s their settings.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran to Curiosity

Premium Member

to Curiosity
That would be the Vivaldi website, not the browser.

Mike
Mod
join:2000-09-17
Pittsburgh, PA
·Verizon FiOS

Mike to MaynardKrebs

Mod

to MaynardKrebs
If it's owned by a particular person then it can be traced to that person. There is your pathway to why it is considered PHI.

List of identifiers:
»irb.utah.edu/_pdf/hipaa_ ··· iers.pdf
Mike

Mike to 85160670

Mod

to 85160670
Now that I want to read the article is there a copy/pasta somewhere that isn't behind a login wall?

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

Kilroy to MaynardKrebs

MVM

to MaynardKrebs
said by MaynardKrebs:

You can trace to a machine, but not necessarily a specific person 100% of the time.

Yes it is, the RIAA and MPAA told me so.

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

NormanS to Mike

MVM

to Mike
said by Mike:

If someone has a static IP you can trace that to a person.

You can? All you can do with a static IP address is the same as with a dynamic IP address: Identify the account holder. If the account holder is in a multiple person household, you can't ID which specific person did what when. Does not matter if the IP address is static, or dynamic.

Mike
Mod
join:2000-09-17
Pittsburgh, PA
·Verizon FiOS

Mike

Mod

You just said the keyword. Identify.

Sanitized PHI is supposed to be COMPLETELY anonymous. The most specific you can get in identifying someone, in HIPAA language, is a surrender for public health reports. A public health incident occurred in zip code 152~~ etc etc.

If an account has two holders, you have a 50-50 shot at identifying someone. In 1996 that was deemed too specific.
85160670 (banned)
"If U know neither the enemy nor yoursel
join:2013-09-17
Edmonton, AB

85160670 (banned)

Member

{{{ SMILE }}} /

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

NormanS to Mike

MVM

to Mike
said by Mike:

You just said the keyword. Identify.

Okay. Help me to understand the difference between dynamic and static IP addresses WRT "identify".

Joe has a dynamic IP address.
Jeff has a static IP address.

How is it easier to identify Jeff than Joe? Either way, all you have is an IP address. You will need the cooperation of the ISP. Some ISPs will probably just hand it over. Unless they have:

• Short retention policy
• A hard-ass "show us a subpoena" policy

I don't see the difference.

Mike
Mod
join:2000-09-17
Pittsburgh, PA

Mike

Mod

If there is a pathway to the person or at least a good hint, remove the pathway.

Complain to your government, not me.

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

NormanS

MVM

Given that the Big Dogs (AT&T, Comcast, TWC, Verizon) seem to have a retention policy somewhere between decades and eternity, I don't see a difference between static and dynamic IP addresses WRT, "Identify". And a lot of good it would do to complain to the government; they would prefer that all ISPs implement eternal data retention.
Shady Bimmer
Premium Member
join:2001-12-03

Shady Bimmer to sivran

Premium Member

to sivran
said by sivran:

Because it's so difficult to work in, we figured out a workaround to get the data out onto our personal machines.

Shhhh. It's just IP addresses, sheesh.

said by sivran:

I'd like to take that five dollar plasma weapon to the guy who said IP addresses are sacred.

None of the data we use could actually identify a person, but we have to treat it as such anyway.

Would you consider a mailing address (as in snail-mail) "sacred" (PII/PHI)?
Would you consider a phone number (Home, Cell, or otherwise) "sacred" (PII/PHI)?

An IP is treated similarly to PII because it can be used to potentially identify a person, even if only weakly. That meets the "for which there is a reasonable basis to believe can be used to identify the individual" qualification used to categorize such information.

We may not like the classifications and we may not agree with them, but that does not mean we can arbitrarily disregard such classifications and do as we please.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

2 edits

sivran to Mike

Premium Member

to Mike
said by Mike:

If it's owned by a particular person then it can be traced to that person.

Hmm, is that the standard? Like, if it's an IP of a router or firewall (owned by the corporation, not by a particular person) = not PHI, IP of a tablet/PC = PHI?

Then again I guess since corporations are people too...

The data we work with is logs and configuration files (and the occasional crash dump) from specific network devices.

The only difference between the HIPAA environment and my laptop is... well, come to think of it, there isn't any. Pretty much all of us are certified and IT can access all of it anyway. Hmmm. Maybe it's not a violation. Heck, if anything it's better off on my laptop -- BitLocker-encrypted.
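
Shady Bimmer's point (an IP address is treated as PII because it can help identify someone) and sivran's situation (device logs and configuration files that have to leave a locked-down environment) meet in one practical control: strip or pseudonymize the addresses before the data leaves. The following is an added example, not code from anyone in this thread; the log lines and the key are constructed, and whether a keyed pseudonym (rather than outright removal) satisfies a given compliance reviewer is something the example does not settle.

```python
import hashlib
import hmac
import re
from typing import List, Optional

# Dotted-quad IPv4 matcher. Word boundaries keep '10.20.30.40:443' matching the
# address only. A version string such as '1.2.3.4' also matches, so inspect
# output for any log format you have not seen before.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)

# Constructed sample lines in the shape of firewall logs; none refer to real devices.
SAMPLE_LOGS = [
    "2015-06-01T10:02:11Z fw01 deny tcp 10.20.30.40:51234 -> 198.51.100.7:443",
    "2015-06-01T10:02:12Z fw01 allow udp 10.20.30.40:5353 -> 224.0.0.251:5353",
    "2015-06-01T10:02:15Z fw01 config-change by admin from 203.0.113.9",
]


def contains_ip(line: str) -> bool:
    return IPV4_RE.search(line) is not None


def redact_ips(line: str) -> str:
    """Removal: every address becomes the same fixed token."""
    return IPV4_RE.sub("[REDACTED-IP]", line)


def pseudonymize_ips(line: str, key: bytes) -> str:
    """Replace each address with a keyed HMAC-SHA256 tag so the same address
    gets the same token across lines (correlation survives) without revealing
    it. Whoever holds the key can rebuild the mapping, so the key stays inside
    the protected environment."""
    def _replace(match: "re.Match") -> str:
        tag = hmac.new(key, match.group(0).encode("ascii"), hashlib.sha256).hexdigest()
        return "ip-" + tag[:12]
    return IPV4_RE.sub(_replace, line)


def sanitize(lines: List[str], key: Optional[bytes] = None) -> List[str]:
    """Sanitize a batch, then verify nothing slipped through before release."""
    cleaned = [pseudonymize_ips(l, key) if key else redact_ips(l) for l in lines]
    leaked = [l for l in cleaned if contains_ip(l)]
    if leaked:
        raise ValueError(f"address survived sanitization: {leaked[0]!r}")
    return cleaned


if __name__ == "__main__":
    for line in sanitize(SAMPLE_LOGS):
        print(line)
    for line in sanitize(SAMPLE_LOGS, key=b"constructed-example-key"):
        print(line)
```

Redaction drops the link between lines from the same host; the HMAC variant keeps it, at the cost of a key that has to be guarded as carefully as the original data. The final leak check is cheap and catches a matcher that missed a format you did not anticipate, for example addresses embedded in URLs or IPv6, which this pattern does not cover.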

cowboyro
Premium Member
join:2000-10-11
CT

1 recommendation

cowboyro to Mike

Premium Member

to Mike
said by Mike:

If someone has a static IP you can trace that to a person.

No, you can only trace it down to a subnet.
IP addresses can be spoofed in many environments, especially if you don't have port MAC filtering in the switch.

Mike
Mod
join:2000-09-17
Pittsburgh, PA

Mike to Shady Bimmer

Mod

to Shady Bimmer
Yes and yes.

There are 18 identifiers and I listed them via a link.