The US Ethics Committee has announced that a recent document leak was caused by junior staffer who installed file-sharing software on his personal computer. This statement actually raises questions. It is also testament to how data security requires a holistic approach that includes data loss prevention and data encryption software, among other information leak prevention practices.
Prior to the announcement by the House Committee on Standards of Official Conduct (aka, the Ethics Committee), it was assumed that the leak was via hacker activity. However, what really happened was that a junior staffer, since fired, took sensitive documents home and used his personal computer to work on them. His personal computer had file-sharing software. Other documents, besides the Ethics Committee's document, were also leaked via the same manner.
Prior to the announcement by the House Committee on Standards of Official Conduct (aka, the Ethics Committee), it was assumed that the leak was via hacker activity. However, what really happened was that a junior staffer, since fired, took sensitive documents home and used his personal computer to work on them. His personal computer had file-sharing software.
Other documents, besides the Ethics Committee's document, were also leaked via the same manner.
I'm not sure how this could have happened. I understand the technical aspects of how, but there are too many questions to resolve: Why's a junior staffer carrying around such documents? According to the washingtonpost.com, the Ethics committee is one of the most secretive panels in Congress. And a junior staffer is allowed to take documents related to investigations home? Assuming a junior staffer is allowed to take said documents, where are the data protection tools? Even if a junior staffer is allowed to home such documents (heck, he's already working on it at the office, so he knows the contents), I'm pretty sure losing such documents wouldn't be allowed.I take it the documents that were leaked were digital files. Where's the encryption to protect these files from unauthorized access? If the file wasn't encrypted, was he at least using an encrypted storage device? I mean, if a sensitive file is not encrypted because it's in a secure environment--both in terms of destination and origin--at least that file must be protected while in transit from point A to point B. Did the staffer use a USB disk or something similar? Was it encrypted? Did he save it directly to his personal laptop while at work? I could go on and on...
I'm not sure how this could have happened. I understand the technical aspects of how, but there are too many questions to resolve:
I could go on and on...
The major problem and security loophole in this case is the staffer's behavior. Granted, if the documents he had transferred to his personal laptop were protected with file encryption, the ramifications of a P2P-based data breach would have been negated. (Encrypted files are protected at the file level, and would require the right authorization code to gain access. Note that this is not the same as having password-protection, which is virtually useless.) However, seeing how the staffer was not exercising proper data security practices, chances are he had malware installed on his computer already. One of these could have been a keystroke logger. With one of these installed, the use of encryption is often nullified because a third party is able to obtain the passwords for accessing data. The best policy may have been not have these document taken out from the Ethics Committee's perimeter (which I'm assuming had the right data protection tools in place).
The major problem and security loophole in this case is the staffer's behavior. Granted, if the documents he had transferred to his personal laptop were protected with file encryption, the ramifications of a P2P-based data breach would have been negated.
(Encrypted files are protected at the file level, and would require the right authorization code to gain access. Note that this is not the same as having password-protection, which is virtually useless.)
However, seeing how the staffer was not exercising proper data security practices, chances are he had malware installed on his computer already. One of these could have been a keystroke logger.
With one of these installed, the use of encryption is often nullified because a third party is able to obtain the passwords for accessing data.
The best policy may have been not have these document taken out from the Ethics Committee's perimeter (which I'm assuming had the right data protection tools in place).
Related Articles and Sites:http://www.computerworld.com/s/article/9140154/Leaked_House_Ethics_document_spreads_on_the_Net_via_P2P?source=rss_securityhttp://www.washingtonpost.com/wp-dyn/content/story/2009/10/29/ST2009102904609.html?sid=ST2009102904609