On Monday, March 2, 2015, The Washington Post broke the story that former first lady Hillary Clinton used a personal email address during her four-year tenure at the State Department for official government correspondence. The public is, not surprisingly, split on the issue, mostly along party lines: one is considerable outrage, while the other is a shoulder-shrugging “meh” of indifference.
Let’s take a moment, however, to look at this situation through a completely non-partisan, security-only lens. Using a personal email address for business communication is an all-around bad idea, regardless if you are a CSO or the Secretary of State (but an extremely bad idea if you are the Secretary of State).
Exactly what is so terrible about this, and could it happen in your company? This story is a cautionary tale to remind us that CSOs and other business leaders should periodically look into the basics of how their firm facilitates communication and whether there are any bad habits that increase risk exposure.
Government regulations aside, using a personal email account for business bypasses all security and access controls that may be in place. It also makes data retention, compliance with regulations, and discovery nearly impossible.
I’m fuzzy on the whole good/bad thing. What do you mean, ‘bad’?
Peter Venkman, Ghostbusters
Bypasses security controls
Whether you work for a private-sector firm or a government institution, your IT department has implemented security measures around your email account and the device(s) on which you read email. Access may be limited to certain systems, such as company-issued mobile devices, laptops or desktop computers. The emails stored on those devices are most likely encrypted, so if your iPad goes missing it becomes much more difficult for the thief to lift the emails. Finally, IT departments have elaborate controls in place to verify someone is who they say they are when resetting a password or provisioning the email account.
At the time of her tenure, Secretary Clinton was America’s top negotiator and ambassador, with access to very sensitive national secrets. We don’t have to go too far back in time to see what happened the last time a politician used a personal email address for government business and how easy it was to hack.
(CC BY 2.0)
In September 2008, an enterprising young hacker compromised the personal Yahoo email account of the Governor of Alaska and candidate for Vice President Sarah Palin. Not only was the hack described in Wired magazine, but details also revealed that it was not particularly sophisticated, to say the least. These are the steps the hacker took to gain unauthorized access to the account:
- The hacker acquired Governor Palin’s Yahoo email address, “email@example.com.”
- He logged into Yahoo Mail, entered Governor Palin’s email address, and clicked on “Forgot My Password.”
- Yahoo asked a series of secret questions: birthdate (acquired from Wikipedia), ZIP code (he guessed — there are only two in Wasilla, Alaska), and where Palin met her spouse. According to the same Wired article, this last question required a little research, but the answer (Wasilla High) was easily found in her autobiography.
It was that easy.
Leaving with secrets
When I was just beginning my career in Information Security, I worked for a start-up that had a small sales team and several cutthroat competitors. One of our sales people left the company abruptly, and a few days later, we realized he took all his accounts with him, which nearly devastated the company. The way he perpetrated this dastardly deed was simple: he used a Hotmail account for all business transactions, and when he left his email went with him. All his work accounts were, naturally, disabled, but that didn’t do any good. His clients knew exactly how to get a hold of him through his Hotmail account. In fact, the job transition, from the clients’ perspective, was completely seamless.
The response from leadership was immediate and swift: all personal email use was banned on company equipment. In addition, domain names, such as mail.yahoo.com and hotmail.com were blocked at the firewall. The reasoning was simple: data exfiltration was too difficult to control, and they couldn’t let this happen again.
Today, there are sophisticated data leakage tools available to detect this type of activity which were not available at that time, but the core concept is the same: when you allow employees (or the Secretary of State) to store company information on non-company servers and/or devices, you have no control over that data when they leave the building.
Discovery and regulations
According to an article in The New York Times, Clinton’s actions violate federal record-keeping regulations. These regulations are important because emails and other records need to be turned over under a variety of circumstances, such as an investigation or a Freedom of Information Act (FOIA) request. Several times, emails were legitimately requested as part of an investigation, and several times the State Department’s response was that the request could not be fulfilled — because there were no emails. Technically, this is correct. There were none from Clinton on the State Department email servers.
In the private sector, we don’t have to deal with FOIA requests, but emails could be subpoenaed or could be subject to electronic discovery as part of litigation, regulatory action or a government investigation. If employees are using personal accounts for business correspondence, fulfilling these requests will be very difficult — and could put your firm in a precarious legal situation.
There’s enough criticism and hand-wringing taking place over this story, so there’s no need to heap more on. However, even with stories like this, there’s always an opportunity to learn and take some valuable lessons to your company. Do you have proper security controls in place for your email? Do you allow personal email accounts at work, and if so, do you have a way to prevent them from being used for business purposes? If you answered “no” to any of the above, are you making a risk-aware decision?
Originally published at www.csoonline.com on March 10, 2015.