Sunday, September 21, 2014

K box leak could be due to human error, and the biggest culprit is the management

Own experience, two cents' worth.

I had to go to a private clinic to get an x-ray done for the purpose of employment. Everyone should have done that at one time or another, especially in Singapore.

At the counter, a lady (the customer service staff) was serving many customers. In front of her was a computer terminal that was used to input customer personal data and medical reports/results. To get into the x-ray room, you walk right past this customer service staff. What I saw when I walked out of the x-ray room to the front desk was that she was catching up on Facebook on the same computer terminal that was meant for sensitive/private data.

Since the K box saga, it has led me to think that the easiest way for hackers to get into a server and its data would be to fool the staff manning a terminal connected to the server. Through phishing (or spear phishing), staff are the easiest to fool. By fooling the staff into divulging their login and password, hackers can easily get the key to the server. By fooling the staff into downloading and executing an attachment (or opening a link), usually dressed up with sensational/sexy content, people can easily be tricked into clicking and compromising the security of their network (and ultimately the server containing sensitive data).

For a staff member at the clinic, the sensitive and private data of patients is at risk and at the mercy of whoever is manning the terminal. The management is mainly at fault, because the management allowed (by not preventing) the staff to use the company's property for personal use, which could jeopardize the privacy of the many patients who entrusted the clinic to protect them.

We are all guilty of wasting companies' time by idling in front of computers and doing things that are not beneficial to the company (nor to customers), but rather serve personal reasons. For example, the blogger who landed in a libel suit for maligning another person was using his healthcare provider company's time and property to write blogs and do "research" for his blogging material (this can easily be proven by studying the posting times of the blog entries he posted/updated). Instead of reading more about how to improve his service, or studying his patient files diligently so as to provide personalized care to patients, this healthcare provider-cum-blogger was busy with something else.

In my opinion, phishing is still the easiest and most effective method to execute. By just sending spam claiming that the recipient has won SGD 10,000, a low but significant number of the people receiving this email will click on the corresponding link. A webpage will appear and trick that person into divulging his/her company email login and password. The subsequent prompt, "Congratulations, you will receive a call from us soon", will not raise any alarm for these gullible people. What comes next will be very unpleasant: normally the IT department will call the staff member and ask to meet him/her. The IT department will explain that thousands of the company's staff records (e.g. email, name, phone number, designation, etc.) have been compromised. This is on top of the company's email network having received spam/phishing emails sent from this staff member's account. Normally, the IT department would suspend the staff member's email account for good (or until the staff member has completed a proper awareness course on network security).

However, if management is flawed, don't blame any staff member for the compromised/lax security. The onus is still on the company rather than the staff.

Just a thought.
