November 2016

We Don’t Know What We Don’t Know

by Andrew Koonce, IT Security Officer, 8th Circuit Executive's Office


Have you heard about breaches involving the U.S. Office of Personnel Management, Internal Revenue Service, Department of Homeland Security, Sony, Ashley Madison, Anthem, Yahoo, LinkedIn, America Online, or the Friend Finder Network? This list is a fraction of the data breaches that have been made public!

Other organizations have been breached and either keep it quiet or fall back on plausible deniability. Insufficient security controls often result in the lack of evidence necessary to pinpoint what was stolen and by whom. Many organizations lack an inventory of data and do not know what they have to lose.

In the recent Friend Finder hack, more than 412 million accounts were exposed, including over 15 million “deleted” records that were not purged from the databases. Now millions of people are high-value targets for blackmail, phishing attacks, and other cybercrime. According to a breach notification from LeakedSource, breached accounts included 78,301 .mil and 5,650 .gov email addresses.

In light of numerous organizational breaches, have you identified where you store or share information? If “private” emails, chats, or website accounts became public, what would the consequences be for you?

How vast is your online footprint? Do you have any “digital skeletons” in the closet? What do you post on social media? Could this information be used to gather more information about you or blackmail you? Where is your financial and health information? Do you perform personal business and save documents on public or workplace computers?

These questions should make us think about what information we possess and determine where that information is located, physically or logically. We work hard to keep valuable physical assets secure, and our digital information also warrants protection.

A starting point for information security is identifying critical information and establishing where it is stored. While we do not have possession of all our data, when we identify and locate the data we know about, we can minimize our susceptibility to hackers by reducing our digital footprint and limiting access to our data.