Walking out the door with sensitive data – a look at the FDIC breach
Federal agencies have a steep hill to climb when it comes to protecting their networks. They face a diverse and extensive set of malicious actors trying to break in: state-sponsored groups, hacktivists, and individuals out for personal or financial gain. At the same time, some experts and security vendors rank federal networks among the least prepared for cyberattack.
With this long list of potential online enemies, the last thing federal agencies need is vulnerabilities within their own walls. But that is exactly what the Federal Deposit Insurance Corporation has been facing.
For those unfamiliar with the FDIC, it is the “independent agency created by the Congress to maintain stability and public confidence in the nation’s financial system by insuring deposits; examining and supervising financial institutions for safety and soundness and consumer protection; making large and complex financial institutions resolvable; and managing receiverships.”
Ultimately, the FDIC was created following the Great Depression to restore the confidence of American citizens in their banking institutions, which had been subject to failures and massive “runs on the bank” during that economic disaster. But the recent challenges at the FDIC may inspire something other than confidence in the American public.
Last month, it was revealed that the FDIC experienced as many as seven incidents where PII of American citizens literally walked out the door with former agency employees.
According to the agency, which has come under serious scrutiny from Congress, “Every indication is that all of the individuals without malicious intent inadvertently downloaded the material when they were downloading personal files before separating from the FDIC. We identified the downloads swiftly, contacted the employees and recovered the information. These employees provided affidavits affirming that they did not share the information.”
This may well have been the case. These individuals could have simply left the agency for other jobs or retirement in good standing, with no ill intent toward the agency or the citizens it serves. But it is indicative of a larger problem that both government agencies and private citizens face with insider threats and data security: data can be copied and stored anywhere in seconds, and the organization has no visibility into how well secured those makeshift repositories are.
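The FDIC statement quoted above says the downloads were identified after the fact. One way to surface this kind of activity early is to join the HR separation roster with file-access logs and look for departing users pulling PII-labelled files in the weeks before their exit date. The following is an added example written for this article, not FDIC code; the roster, the log lines, the PII labels and the thresholds are all constructed for illustration.

```python
"""Flag departing employees who download an unusual number of PII-labelled files.

Added example: the separation roster and the download log below are constructed
sample data, not real FDIC records. In practice the roster would come from an
HR feed and the log from a DLP or file-server audit source.
"""
from collections import defaultdict
from datetime import date, timedelta

# user -> planned separation date (constructed)
SEPARATIONS = {"jdoe": date(2016, 4, 29), "asmith": date(2016, 5, 13)}

# date,user,path,classification (constructed; "pii" marks files tagged by DLP)
DOWNLOAD_LOG = """\
2016-03-01,jdoe,/shares/exam/old_report.csv,pii
2016-04-20,jdoe,/shares/exam/bank123_customers.xlsx,pii
2016-04-27,jdoe,/home/jdoe/photos/kids.jpg,none
2016-04-27,jdoe,/shares/exam/bank123_loans.csv,pii
2016-04-28,jdoe,/shares/exam/bank456_customers.xlsx,pii
2016-04-28,jdoe,/shares/exam/bank789_accounts.csv,pii
2016-04-10,asmith,/shares/policy/handbook.pdf,none
2016-05-01,bwong,/shares/exam/bank123_customers.xlsx,pii
"""


def parse_log(text):
    """Parse the comma-separated log into (date, user, path, label) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, path, label = line.split(",")
        events.append((date.fromisoformat(day), user, path, label.strip().lower()))
    return events


def flag_departing_downloads(events, separations, window_days=14, pii_threshold=3):
    """Return {user: [paths]} for users on the separation roster who downloaded
    at least pii_threshold PII-labelled files within window_days before their
    separation date. Users not on the roster are ignored, so the roster must be
    kept current for the rule to fire in time."""
    hits = defaultdict(list)
    for day, user, path, label in events:
        sep = separations.get(user)
        if sep is None or label != "pii":
            continue
        if sep - timedelta(days=window_days) <= day <= sep:
            hits[user].append(path)
    return {user: paths for user, paths in hits.items() if len(paths) >= pii_threshold}


if __name__ == "__main__":
    for user, paths in flag_departing_downloads(parse_log(DOWNLOAD_LOG), SEPARATIONS).items():
        print(f"ALERT {user}: {len(paths)} PII files before separation")
        for p in paths:
            print("   ", p)
```

In the sample data only jdoe is flagged: the 1 March download falls outside the 14-day window, the photo is not PII, asmith downloads nothing sensitive, and bwong is not on the roster. That last case is the rule's blind spot and the reason the separation feed, not just the file log, has to be timely.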
Let’s say that an FDIC employee wants to access files at home to get something done while teleworking or after hours. To get the data home, they put it in a personal Google Drive or Dropbox account. Now, let’s say they use the same password for that account as for their LinkedIn or Myspace account. Both of those companies recently announced that they had been breached and that login credentials were stolen.
Who is to say that those leaked credentials won’t be tried against that employee’s Dropbox? Password reuse turns a breach of an unrelated consumer site into a key to the personal banking information of American citizens, and once the credential is known nothing at all stands in the way.
This is why it’s essential that federal agencies and any other organization with sensitive data take all precautions to ensure that the data stays in house. Part of this is ensuring that secure access is available when and where employees need it, and ensuring that only the correct people have access to it. The other part is ensuring that access remains easy for employees.
Why is ease of use a concern? Simple. The more difficult it is for employees to reach the information they need to do their jobs, the more likely they are to circumvent the security and authentication put in place to restrict that access. If authentication requires multiple cumbersome steps, they will start emailing the data to themselves, putting it in personal cloud storage, or saving it to thumb drives to get around the clunky process.
Then there’s the question of access and authentication. How can organizations – such as the FDIC – ensure that people that leave the agency can’t keep their access to sensitive information and data?
This is where modern authentication solutions come into play. This next generation of authentication and security tooling can enable what some in the industry call “secure credential sharing,” which hides the actual credentials from the users: the user authenticates as themselves to a broker, and the broker holds the service credential and uses it on their behalf. Because no person ever types or sees the service credential, it can be much longer and more random, and it can be rotated far more aggressively. When someone leaves the organization, revoking their access to the broker cuts off every downstream credential at once, so there is no need to reset credentials reactively.
These same solutions can also use location to ensure that information is only accessed within the organization’s walls. Using signals such as the client’s network address or device geolocation, they can confine data, documents and other information to approved locations, and re-check that location on every request rather than only at login. Once the non-malicious user walks out of the building, the files become inaccessible. Location signals on their own can be spoofed or tunneled, so they should be combined with a managed device identity and strong user authentication rather than relied on alone.
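The two mechanisms described above, a broker that keeps the service credential away from users and a policy that re-checks location on every request, fit together naturally. The following is an added example written for this article to show that pattern end to end; it is not any vendor’s product or the FDIC’s code. The backend service, the approved network range, the user names and the way the broker pushes a rotated secret to the backend are all assumptions made for illustration.

```python
"""Credential-broker pattern: users never receive the service password, and
every request is checked against employment status and approved location.

Added example. BackendService, the 10.20.0.0/16 range, the user and service
names, and the rotation-by-attribute-assignment are constructed stand-ins.
"""
import ipaddress
import secrets


class AccessDenied(Exception):
    pass


class BackendService:
    """Stand-in for the protected system: answers only callers presenting its
    current credential. A real system would expose a credential-rotation API."""

    def __init__(self):
        self.secret = secrets.token_urlsafe(32)

    def query(self, presented_secret, q):
        if not secrets.compare_digest(presented_secret, self.secret):
            raise AccessDenied("backend rejected credential")
        return f"result for {q}"


class CredentialBroker:
    def __init__(self, approved_networks):
        self.approved_networks = [ipaddress.ip_network(n) for n in approved_networks]
        self._backends = {}        # service -> BackendService
        self._secrets = {}         # service -> secret, held only by the broker
        self._grants = {}          # service -> {user}
        self._active_users = set()
        self._sessions = {}        # opaque handle -> (user, service)

    def register_service(self, name, backend):
        self._backends[name] = backend
        self._grants[name] = set()
        self.rotate_secret(name)

    def rotate_secret(self, name):
        # Cheap to do often: no user ever held the old value, so nothing breaks
        # for them. Setting backend.secret directly stands in for a real API.
        new = secrets.token_urlsafe(32)
        self._backends[name].secret = new
        self._secrets[name] = new

    def onboard(self, user):
        self._active_users.add(user)

    def grant(self, user, service):
        self._grants[service].add(user)

    def offboard(self, user):
        # Single revocation point: entitlements and live sessions go together,
        # and no downstream password has to be reset in reaction.
        self._active_users.discard(user)
        for users in self._grants.values():
            users.discard(user)
        self._sessions = {h: s for h, s in self._sessions.items() if s[0] != user}

    def evaluate(self, user, service, client_ip):
        """Policy check run on every call, not only at login."""
        if user not in self._active_users:
            return False, "user is not active"
        if user not in self._grants.get(service, ()):
            return False, "no entitlement for service"
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in net for net in self.approved_networks):
            return False, "client outside approved networks"
        return True, "ok"

    def open_session(self, user, service, client_ip):
        allowed, reason = self.evaluate(user, service, client_ip)
        if not allowed:
            raise AccessDenied(reason)
        handle = secrets.token_hex(16)   # opaque; carries no secret material
        self._sessions[handle] = (user, service)
        return handle

    def proxy(self, handle, client_ip, q):
        session = self._sessions.get(handle)
        if session is None:
            raise AccessDenied("unknown or revoked session")
        user, service = session
        allowed, reason = self.evaluate(user, service, client_ip)
        if not allowed:
            raise AccessDenied(reason)
        # The broker, never the user, presents the credential to the backend.
        return self._backends[service].query(self._secrets[service], q)


def run_scenario():
    """On-site use, the same handle from off-site, rotation, then offboarding."""
    broker = CredentialBroker(["10.20.0.0/16"])            # constructed on-prem range
    broker.register_service("exam-db", BackendService())
    broker.onboard("jdoe")
    broker.grant("jdoe", "exam-db")
    onsite, offsite = "10.20.5.7", "203.0.113.9"
    outcome = {}
    handle = broker.open_session("jdoe", "exam-db", onsite)
    outcome["onsite"] = broker.proxy(handle, onsite, "select 1")
    try:
        broker.proxy(handle, offsite, "select 1")            # carried off-site
    except AccessDenied as e:
        outcome["offsite"] = str(e)
    broker.rotate_secret("exam-db")                          # user unaffected
    outcome["after_rotation"] = broker.proxy(handle, onsite, "select 2")
    broker.offboard("jdoe")
    try:
        broker.proxy(handle, onsite, "select 3")
    except AccessDenied as e:
        outcome["after_offboard"] = str(e)
    return outcome
```

The point of `run_scenario` is the order of events: the same session handle works on the approved network, is refused from outside it, survives a secret rotation the user never noticed, and dies the moment the user is offboarded, all without the backend password ever leaving the broker. The network check is the weakest link, which is why a deployment would pair it with device identity and MFA at `open_session`.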
The threat landscape facing government agencies from the outside is daunting enough without insider threats and vulnerabilities within their own organizations. To keep sensitive constituent data safe, agencies need to do three things at once: make data available to those who need it, verify that the people accessing it are who they say they are, and keep that access easy enough, without too many hoops to jump through, that shortcuts and workarounds do not become the next vulnerability.