Tuesday, December 27, 2011

Employee Fraud Thanks to the Cloud

Peer-to-peer and cloud-based file sharing may have been designed by punk kids to get free music, but now some of those punk kids are punk employees of the world's financial institutions. They have not forgotten their craft, according to the Federal Trade Commission:

"when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network. ... we found health-related information, financial records, and drivers’ license and social security numbers--the kind of information that could lead to identity theft."
 -- FTC Chairman Jon Leibowitz on the FTC's website.
A very small fraction may intentionally use these technologies to steal sensitive or private information about the institution or its clients, but a far larger number are unwittingly exposing this information to the open Internet.

Coverage also at the Washington Post.
Many of my clients block P2P clients and websites as well as related traffic on company-owned PCs within the institution's firewall. PCs on desks in offices are probably safe. But before you pat yourself on the back, though, make sure you're looking at all potential exposure points. Wherever there's a hole punched in your corporate firewall, there's a potential loss. Ask yourself two questions:
  1. Is the same level of protection and surveillance being placed on VPN, email, webmail, virtual web conferencing, mobile email, and all other devices which span across your firewall DMZ?
  2. Is your monitoring / blocking technology based solely on the sources and destinations of traffic (ex. "safe" and "prohibited" IPs) or does it also monitor content? Perfectly benign channels such as email or virtual web conferencing usually allow files to be transmitted outside the institution in order to facilitate essential communication and collaboration. Can you, without killing these valuable tools, control WHAT data is transmitted?
 If not ... time to make a little space on the roadmap for new controls.