The mission of deTECH is to break down complicated IT topics into more palatable bites for consumption by both technical and non-technical audiences. Unless a security or regulatory issue arises that we think is important to you, we avoid topical discussion and keep things fairly vanilla, with a few bad jokes tossed in for good measure. And we avoid religion and politics (money is fair game because we’re CPAs). But an interesting story is making headlines that could use some clarification and has some lessons which are very practical in your world.
Hillary Clinton, the oft-presumed frontrunner for the Democratic nomination in the 2016 Presidential race, is having some email trouble. It seems that during her tenure as Secretary of State, instead of using the assigned @state.gov email address, Mrs. Clinton used a personal email server and domain, @clintonemail.com, which was outside the control of the State Department. This article is not intended to be political, but we can certainly examine some facts and missteps that caused the heartburn, in an effort to help you avoid them in your own world. This particular news story simply serves as a good example of what not to do.
Mrs. Clinton used a personal server instead of US Government email
The most obvious issue is that Secretary Clinton was not using the email address provided by her employer, the US Government, to conduct official business. Instead, a private Microsoft Exchange server, originally set up for former President Clinton’s office, was used to send and receive both work and private emails. The first rule of accounting is never co-mingle business money and personal money. The same should be said for email. For business communication, use work email provided by the employer. And if you are the employer, it’s wise to set the tone by using the company email. Complying with your own company policies is just good practice.
The stated purpose was for the convenience of using a single device
An inverse relationship exists between security and end user acceptance, and email-gate is the perfect example of that relationship. The more layers of security are added to a system, the more cumbersome it becomes to use. As IT auditors we err on the side of security. We attend several conferences each year and can quickly identify the federal government employees: they’re the ones carrying two devices, a Blackberry and something else. Government has traditionally been so committed to Blackberry because of the strength of the security controls it offered. Apple, Google, Microsoft, and many third-party apps are now as good as or better than Blackberry’s security. But in 2009, this was not the case.
For some additional perspective, the most current iPhone when Secretary Clinton took office in January 2009 was the iPhone 3G.
The email address should have been construed as a “phishing attack”
Many of the more recent security and data breaches have involved some kind of phishing attack. deTECH has made much ado about being able to successfully identify a phishing attack. The first line of defense is looking at the source email address. If it is not coming from an expected email address, then astute users should be suspicious. I am surprised that, with 55,000 pages of emails, no other government officials or IT staff recognized the anomalous email address. And if users routinely exchange email with non-government addresses, an unexpected sender no longer stands out, and the risk of a phishing attack succeeding is greatly increased.
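The "look at the source address" check above is easy to automate on the receiving side. The following is an added example, not code from the original article: it parses the From: header of a few constructed sample messages and sorts each sender into expected, display-name spoof (the visible name shows a trusted domain while the real address does not), lookalike domain (a trusted domain used as a leading label of some other domain), or simply unexpected. The EXPECTED_DOMAINS allow-list and the sample headers are assumptions for illustration.

```python
"""Flag inbound messages whose sender is not one of the domains official
business mail is expected to come from.  Added example for this article;
the sample headers below are constructed, not real messages."""
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of domains official mail should come from; substitute
# your own organisation's domains.
EXPECTED_DOMAINS = {"state.gov", "example.gov"}

# Constructed sample messages (headers only, bodies omitted).
SAMPLE_MESSAGES = [
    "From: Jane Doe <jane.doe@state.gov>\nSubject: Briefing\n\n",
    "From: Jane Doe <jane.doe@clintonemail.com>\nSubject: Briefing\n\n",
    # Display name shows a trusted address, the real address is elsewhere.
    "From: \"jane.doe@state.gov\" <someone@example.net>\nSubject: Hi\n\n",
    # Lookalike: a trusted domain used as the leading label of another domain.
    "From: Ops <ops@state.gov.example.com>\nSubject: Reset\n\n",
]


def sender_parts(raw_message: str) -> tuple[str, str]:
    """Return (display name, address domain) from the From: header."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    return name, addr.rpartition("@")[2].lower()


def sender_domain(raw_message: str) -> str:
    """Convenience wrapper: just the lower-cased sender domain."""
    return sender_parts(raw_message)[1]


def classify_sender(raw_message: str) -> str:
    """Classify a message as 'expected', 'display-name-spoof',
    'lookalike-domain' or 'unexpected-domain'."""
    name, domain = sender_parts(raw_message)
    # Exact match or a genuine subdomain of an expected domain is fine.
    if any(domain == d or domain.endswith("." + d) for d in EXPECTED_DOMAINS):
        return "expected"
    # The visible name carries a trusted domain but the address does not.
    if any(d in name.lower() for d in EXPECTED_DOMAINS):
        return "display-name-spoof"
    # Trusted domain appears as a leading label, or with dots swapped for
    # hyphens, inside some other domain.
    if any(domain.startswith(d + ".") or d.replace(".", "-") in domain
           for d in EXPECTED_DOMAINS):
        return "lookalike-domain"
    return "unexpected-domain"


def triage(messages: list[str]) -> list[tuple[str, str]]:
    """Return (sender domain, classification) for each message."""
    return [(sender_domain(m), classify_sender(m)) for m in messages]


if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_MESSAGES):
        print(f"{domain:28s} {verdict}")
```

Only the first sample passes; the other three are exactly the cases a user scanning the From: line by eye tends to miss, which is why the check belongs in the mail gateway as well as in user training.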
Emails during the first three months in office were not encrypted
Venafi, a security research firm from Salt Lake City, UT, documents that during the first three months of Mrs. Clinton’s tenure as Secretary of State, the email server did not have a security certificate. Therefore the emails sent to and from this server were not encrypted during that time. When data is not encrypted, the information contained in those communications is left vulnerable to data leaking and prying eyes.
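Whether a mail server can encrypt its connections at all is something an administrator can verify in a few lines. The block below is an added example, not code from Venafi or from the original article: starttls_advertised() reads a server's EHLO response and reports whether the STARTTLS extension is offered, and check_mail_server() performs the live version against a host you own, letting Python's default SSL context validate the certificate chain and hostname. The two EHLO responses are constructed, and mail.example.gov is a placeholder host.

```python
"""Check whether a mail server offers STARTTLS and presents a certificate
that validates.  Added example for this article; the EHLO responses below
are constructed and the live check needs network access."""
import smtplib
import ssl


def starttls_advertised(ehlo_response: bytes) -> bool:
    """True if an EHLO response lists the STARTTLS extension.  smtplib
    returns the response as bytes: hostname on the first line, one
    extension keyword per following line."""
    lines = ehlo_response.decode("ascii", errors="replace").splitlines()
    keywords = {line.split()[0].upper() for line in lines[1:] if line.split()}
    return "STARTTLS" in keywords


# Constructed EHLO responses in the shape smtplib.SMTP.ehlo() returns them.
EHLO_WITH_TLS = b"mail.example.gov\nSIZE 52428800\nSTARTTLS\nAUTH PLAIN LOGIN\n8BITMIME"
EHLO_WITHOUT_TLS = b"mail.example.gov\nSIZE 52428800\nAUTH PLAIN LOGIN\n8BITMIME"


def check_mail_server(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check against a server you administer: connect, see whether
    STARTTLS is offered, then upgrade and validate the certificate against
    the system trust store.  Returns a small report dict."""
    report = {"host": host, "starttls": False, "cert_valid": False, "error": None}
    context = ssl.create_default_context()  # verifies chain and hostname
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            _code, msg = smtp.ehlo()
            report["starttls"] = starttls_advertised(msg)
            if report["starttls"]:
                # Raises ssl.SSLError if the certificate does not validate.
                smtp.starttls(context=context)
                report["cert_valid"] = True
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        report["error"] = str(exc)
    return report


if __name__ == "__main__":
    print("constructed response offers STARTTLS:", starttls_advertised(EHLO_WITH_TLS))
    print("constructed response offers STARTTLS:", starttls_advertised(EHLO_WITHOUT_TLS))
    # Uncomment to test a server you own (placeholder host):
    # print(check_mail_server("mail.example.gov"))
```

A server that never advertises STARTTLS, or whose certificate fails validation, is in the state the article describes: everything it sends and receives travels in the clear.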
What is classified information, really?
The foundational argument from Mrs. Clinton is that “I did not email any classified material to anyone on my email. There is no classified material.” I’m sure someone with more authority than me will be able to validate this quote. But from a security perspective, a user can only control the information that goes out of their email system. A user cannot control what comes in. It’s plausible that the people responsible for communicating with Mrs. Clinton were not aware that no classified information was to be emailed to her. So it’s difficult to say with certainty that no sensitive information existed on the email server.
Combinations of non-sensitive information can be gathered together to create sensitive information. For example, an email inbox could include a meeting request, a conference call number, a hotel confirmation number, and phone numbers. Each piece of information, emailed on its own, is not sensitive. However, if all of it is consolidated in one place, an attacker could craft a very realistic technical or social engineering attack.
Finally, I bet if you read your own company’s email policy, you’ll find that there is no expectation of privacy for emails. Emails are inherently considered insecure. Any security person or lawyer (well, almost any lawyer) will tell you, don’t write anything in an email that you don’t want published on the front page.
Emails are an important part of the suite of communication tools we use every day. From the perspective of the private and non-profit industries, the biggest lesson to be learned from this news story is how incredibly important it is to begin learning how your technology works and what risks exist in that technology. The risks may not all be technical; they include reputational risks too. Good business people surround themselves with trusted advisors, including legal counsel, an accountant, and a banker. Perhaps it is time to include a technology professional in that group of trusted professionals.