Secure Communications and Compliance

Today it is common for an individual to need to communicate with a business, a business with an individual, or an individual with another individual. In many cases this communication is done with E-Mail. The problem with E-Mail is that it is the same as sending a postcard through the mail: anyone who sees the postcard can read the message. In the same way, anyone who can see the E-Mail can read the message on it, because it is sent in clear text. This makes it hard to send an E-Mail that only the recipient can read. However, it is not hard to secure this type of communication.

Before starting any communication, you need to stop and think about what kind of information is being sent. In security terms we call this process data classification. Most of the information that is transferred from one person to another falls into one of two classifications: public and private. Private data can be referred to by different names; for example, personally identifiable information (PII) and protected health information (PHI) are common terms used in some security standards. The definition of private information is well defined by security standards and tends to be rather obvious. The problem is harder to see when information is drawn from various sources and, when all this information from different sources is put together, it gives away more than it should. This is called data leakage. The real question is: what constitutes private information?

Most security literature agrees that only three pieces of information are needed to take someone’s identity (https://www.consumer.gov/articles/1015-avoiding-identity-theft and https://www.makeuseof.com/tag/the-10-pieces-of-information-identity-thieves-are-looking-for/). These are your name, your birthday, and your social security number. Two of the three are very easy to find on the Internet. The social security number is the one that should be hard to find; however, there is a strong indicator that it too is somewhere on the dark web at least. There are also other pieces of information that can be used that may not be as obvious.

Open-Source Intelligence, OSINT, opens up other information that can be used as well. Birth place is important because many security question lists include it. Special dates such as birthdays, wedding anniversaries and others can be discovered by outsiders. I would include names and nicknames of special people in your life. All this information can be used for security questions or a PIN. I would encourage everyone to enter their name into a search engine every so often, just to see what information about you is exposed. This will give you an idea of what can be found through OSINT. I do not mean for this to sound like we should just “throw in the towel” on our information and not worry about it. It just means we need to monitor all of our information.

The following examples cover information that has to be transported from a business to an individual and from a business to a business; I will show how to identify the type of data and how it should be transported. The goal here is to open up how to look at data and how to assess it from a security viewpoint.

Example 1:

A small healthcare provider needs to send medical information to an individual. On https://www.hipaajournal.com/what-is-protected-health-information/ it is stated:

Protected health information includes all individually identifiable health information, including demographic data, medical histories, test results, insurance information, and other information used to identify a patient or provide healthcare services or healthcare coverage.

If the information falls into any of these categories, then the data needs to be sent encrypted. There are a couple of ways to achieve this. One way is to have a Web Portal that patients can log into to get the information. For a small business a Web Portal may not be something the business can do. The question is how this business meets the HIPAA requirement with the limited resources it has. The answer is to look at what tools are available to help. One way I would suggest is to use 7-Zip, https://www.7-zip.org/. This is a free zip utility that can zip files with a password. These files can be opened with any zip utility once the password is entered. Using this utility, the PHI can be secured with a password and the file is encrypted. At this point the only issue is the password. Since the communication will be done using E-Mail, the password exchange should be done out-of-band. What this means is that the password should not be sent by E-Mail, since the encrypted file is being passed through E-Mail. This is not a problem, since a phone call can solve this issue very easily. Once this process is completed, not only is the communication secure, it complies with HIPAA. This is a very cost-effective process for smaller healthcare providers.
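The 7-Zip step above, as an added helper that is not part of the original article: it builds the 7z command line so that AES-256 is selected (7-Zip's default for .zip archives is the legacy ZipCrypto scheme), generates a random password, and returns that password separately so it can be read out over the phone rather than typed into the E-Mail. It assumes the 7-Zip command-line tool is on PATH as `7z`.

```python
import secrets
import string
import subprocess

# Hypothetical helper around the 7z CLI; flags used: "a" (add to archive),
# -tzip (zip container), -mem=AES256 (zip encryption method), -p<password>.
ALPHABET = string.ascii_letters + string.digits  # easy to dictate by phone


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG; 20 letters/digits is ~119 bits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_7z_command(archive: str, files: list[str], password: str) -> list[str]:
    """argv for an AES-256 encrypted .zip that any AES-capable zip tool opens.
    Refuses to build an unencrypted archive so PHI cannot leave in clear text."""
    if not password:
        raise ValueError("refusing to create an unencrypted archive")
    return ["7z", "a", "-tzip", "-mem=AES256", f"-p{password}", archive, *files]


def encrypt_for_email(archive: str, files: list[str]) -> str:
    """Creates the archive and returns the password for out-of-band delivery.
    Note: -p puts the password on the command line, where other local users
    can see it in the process list; run this on the sender's own workstation."""
    password = generate_password()
    subprocess.run(build_7z_command(archive, files, password), check=True,
                   stdout=subprocess.DEVNULL)
    return password


if __name__ == "__main__":
    import sys
    out, inputs = sys.argv[1], sys.argv[2:]
    pw = encrypt_for_email(out, inputs)
    print(f"Created {out}. Attach it to the E-Mail; phone the recipient with: {pw}")
```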

Example 2:

In this example a business needs to transport information to another business that is a service provider. For this example, we will assume that a retailer is outsourcing data for some data analytics work to be completed by another business. Since the retailer has a Point of Sale, POS, it processes payments of many different types. One of the types of payment would be a credit/debit card. Once card data is processed, the retailer is bound by the Payment Card Industry Data Security Standard, PCI-DSS. This standard is enforced by banks and the card brands. Failure to meet this standard will incur penalties from the bank or the card brand; either way there is no way to avoid the penalty. The important data items on a card are: the card number, the cardholder name, the expiry date, and the security code. In general, this is the data needed for fraudulent use of a card. For our example the retailer is using the data analytics company to help identify misuse of card numbers. In this case the data analytics company only needs the card number, since it does not need anything else for its work. The retailer can export only the card number with the rest of the tender (payment) data. At this point the data analytics company does not hold any real private information, since a card number on its own is just a set of numbers. Without the other data, even if a breach reveals the card numbers, the numbers are useless. If the data analytics company also stores loyalty card numbers, this makes the card numbers even more useless, since there is no way to tell the two types of card numbers apart. In this case there is no need for the data to be transferred encrypted. This will reduce the cost of data transfer and maintenance, since all the extra encryption can be skipped. This is where some businesses do a bad job of looking at the data they send out and end up spending more money than necessary on maintenance.
Please note that if customer data is also sent to the data analytics company, the card number may now take on a different data classification and may need to be secured more. This is why understanding the data classification on both sides is so important. Both businesses should be looking at what is needed from both sides; this will allow both to do the best possible job.
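The classification decision from both examples, as added code that is not part of the original article: it first minimises an export to the fields the receiving party actually needs, then applies the article's reasoning (PHI always encrypted under HIPAA; a card number travelling with holder data or customer identity is cardholder data under PCI-DSS; a bare card number with tender data is the article's "no encryption needed" case). The field names are constructed assumptions. The card-number-only branch is flagged for review because PCI DSS Requirement 4 itself requires strong cryptography whenever a PAN crosses open, public networks.

```python
from dataclasses import dataclass

# Constructed field catalogue; map your own export's column names onto it.
PHI_FIELDS = {"patient_name", "date_of_birth", "diagnosis", "test_result",
              "medical_history", "insurance_member_id"}
PAN = "card_number"
CARD_FIELDS = {"cardholder_name", "expiry_date", "security_code"}
IDENTITY_FIELDS = {"customer_name", "email", "postal_address", "phone"}


@dataclass(frozen=True)
class Decision:
    classification: str
    encrypt_in_transit: bool
    reason: str


def minimise(available: set[str], needed: set[str]) -> set[str]:
    """Export only what the other side needs; refuse a request for fields
    the retailer does not even hold, so a typo cannot widen the export."""
    missing = needed - available
    if missing:
        raise KeyError(f"requested fields not in export: {sorted(missing)}")
    return set(needed)


def classify_export(fields: set[str]) -> Decision:
    """Article's rules, most sensitive match first."""
    phi = fields & PHI_FIELDS
    if phi:
        return Decision("private/PHI", True, "HIPAA: " + ", ".join(sorted(phi)))
    if PAN in fields:
        companions = fields & (CARD_FIELDS | IDENTITY_FIELDS)
        if companions:
            return Decision("private/cardholder data", True,
                            "PCI-DSS: card number with " + ", ".join(sorted(companions)))
        # Article's Example 2: number cannot be tied to a person or used alone.
        return Decision("card number only", False,
                        "review: PCI DSS Req. 4 covers PAN over public networks")
    return Decision("public", False, "no private fields")


if __name__ == "__main__":
    pos = {PAN, "cardholder_name", "expiry_date", "tender_type", "amount", "customer_name"}
    for request in ({PAN, "tender_type", "amount"}, {PAN, "customer_name", "amount"}):
        print(sorted(request), "->", classify_export(minimise(pos, request)))
```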

The problem with many businesses is that compliance is seen as a box to check off, when in reality compliance should be about better business operations. When the goal is only to hit the compliance check box, a business is just waiting for disaster to happen. Remember, a bad actor only needs to be successful once to create a real problem, while the security process must be successful every time to block the bad actor. The odds are not in favor of the business.