[ISN] You're faxing my what, where?

InfoSec News isn at c4i.org
Fri Dec 3 04:41:03 EST 2004


Jim Middlemiss 
Financial Post 
December 2, 2004

Businesses can avoid potential public relations and legal nightmares
by developing privacy policies, authentication processes and using
cutting-edge technology. The Canadian Imperial Bank of Commerce
learned this the hard way last week when U.S. scrapyard operator Wade
Peer went public with his story about how one of Canada's largest
banks was flooding his fax machine with highly confidential
information about its clients for the past three years.

The faxes, he said, contained social insurance numbers, bank accounts
and client signatures, and despite repeated calls from him they just
kept piling up. Finally he sued CIBC to make them stop. The problem
appears to stem from the fact Mr. Peer's toll-free number for his
autoparts business, which he was forced to close, is similar to that
of one of the bank's processing centres.

After the story appeared in the press, the bank issued a
cease-and-desist order to employees across the country, prohibiting
them from sending internal faxes containing client information.  
Instead, they were advised to use the internal courier system or pick
up a phone and engage in an old-fashioned conversation. In a statement
CIBC said for the long-term "we are exploring other potential secure
technological alternatives for the timely transmission of confidential
information between branches and processing centres."

Legislators and governments at the provincial and federal level have
identified this problem and passed a range of laws requiring companies
to take better care of sensitive employee and client information in
their possession.

Claudiu Popa, president of Informatica, a Toronto-based information
security firm, says in addition to financial penalties and lawsuits
for damages, "your name is going to get dragged in the news.  
Embarrassment is one of the biggest fears of companies today."

In addition to faxes, misdirected voice mails, improperly addressed
e-mails and improperly accessed documents all pose a problem when it
comes to protecting confidential data. While it's virtually impossible
to eliminate the problem, there are steps companies can take to reduce
it, security experts say.

The key is developing a solid set of privacy policies and
authentication processes coupled with cutting-edge technologies, says
John Weigelt, chief security advisor at Microsoft Canada. "They
[businesses] have to establish principles to secure their
environment." That includes restricting access to information and
examining "each layer of defence."

FAX FIXES

When it comes to faxing large volumes of information, Alan
Gahtan, an information technology lawyer in Toronto, says "I think
there are some policies and procedures a company can enact to reduce
this kind of [risk]." First, he says, "you want to reduce the amount
of information." Don't send social insurance numbers, for example.  
Instead, deposit a master file with the office you are sending the
information to and link to that list through the use of names. If a
business has a large volume of faxes going one place, the most obvious
solution is using speed dial. That eliminates user error as long as
the number is correctly input the first time and you check
regularly to ensure it has not been changed.
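As an added example that is not part of the article (all numbers and labels are constructed), the kind of periodic check Mr. Gahtan describes: it compares each configured speed-dial entry against an approved destination list and flags entries that have changed or that sit one keystroke away from an approved number, the near-miss that sends a fax to the wrong place.

```python
"""Speed-dial integrity check against an approved destination list.

Constructed example, not the bank's or any vendor's code. Flags entries
that were changed, and entries one keystroke away from an approved number
(single wrong digit or two adjacent digits swapped), the usual misdial.
"""

APPROVED = {  # hypothetical approved destinations, constructed for this example
    "processing-centre-east": "18005550142",
    "processing-centre-west": "18005550198",
}


def normalize(number: str) -> str:
    """Keep digits only, so '1-800-555-0142' and '1 (800) 555 0142' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


def one_keystroke_away(a: str, b: str) -> bool:
    """True if a and b differ by one substituted digit or one adjacent swap."""
    if len(a) != len(b):
        return False
    diffs = [i for i in range(len(a)) if a[i] != b[i]]
    if len(diffs) == 1:
        return True
    if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
        i = diffs[0]
        return a[i] == b[i + 1] and a[i + 1] == b[i]
    return False


def check_speed_dials(speed_dials: dict) -> list:
    """Return (label, configured_digits, finding) for every entry that
    does not exactly match its approved number; an empty list means clean."""
    findings = []
    for label, configured in speed_dials.items():
        got = normalize(configured)
        want = APPROVED.get(label)
        if want is None:
            findings.append((label, got, "no approved destination for this label"))
        elif got == want:
            continue  # exact match: nothing to report
        elif one_keystroke_away(got, want):
            findings.append((label, got, f"near miss of approved {want}; likely misdial"))
        else:
            findings.append((label, got, f"changed from approved {want}"))
    return findings


if __name__ == "__main__":
    # Constructed speed-dial table: one correct, one transposed, one unknown label.
    sample = {"processing-centre-east": "1-800-555-0142",
              "processing-centre-west": "1-800-555-0189",
              "unknown-entry": "1-800-555-0000"}
    for finding in check_speed_dials(sample):
        print(finding)
```

Run it against the machine's exported speed-dial list on a schedule; any finding means the number should be verified with the receiving office before the next batch is sent.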

But why even send faxes in an era of digital information? asks
Informatica's Mr. Popa. "Faxes are outdated. Faxes are not secure.  
Most organizations should preserve documents digitally."

If a business has a lot of data flowing to a single place, it could
implement a virtual private network, a secure direct pipeline. In the
case of computer networks, a scanner can be used to digitize
information programmed to be sent to another printer's Internet
Protocol address. By digitizing the information, it can be subject to
encryption and the use of digital certificates, which prohibit
unauthorized users from accessing or reading a confidential document,
he says.

Faxing documents that require a signature can be eliminated with the
use of electronic signatures and basic encryption functions such as
s/mime (secure/multipurpose Internet mail extensions), which lets the
recipient verify who the information is from and access it only if
they have the correct digital certificate on their computer.

VOICE MAIL PROBLEMS

If a caller phones the wrong number and leaves a
message, there is little that can be done to retrieve it, Mr. Gahtan
says. A policy should be in place preventing staff from leaving
confidential information on a voice mail. Also, voice mail requires a
PIN to access messages, which opens the door to attackers. The
redial function on some phones recalls the last numbers dialled,
including a PIN. Mr. Gahtan says he makes it a practice of calling
another number after accessing his voice mail to ensure his number is
bounced from the redial list.

ENDING E-MAIL ERRORS

Besides the possibility of typing in the wrong
address or name in the directory, users should avoid the user-group
function, Mr. Gahtan says, because often the sender is not sure whose
names are in the group.

"Secure messaging and rights management becomes important" when
e-mails and computer networks are involved, Mr. Weigelt says.  
Technologies can be deployed to control and monitor access to
documents within an organization. When sending documents outside,
encryption is the key to ensuring unwelcome eyes don't view them.

Ben Sapiro, an independent IT security consultant in Toronto, says
monitoring and controlling access to documents online is critical.  
Firms need to use server audit tools better to control who is
accessing which documents. Proxy servers can inspect traffic going
across the network and monitor it. Alerts can be set to advise
appropriate managers if someone is trying to access documents that
they are not entitled to see.

LOCKING DOWN EXTERNAL RELATIONS

Businesses also need to be aware of
the pitfalls in sending confidential data to third parties. Mr.  
Weigelt suggests putting agreements in place to ensure information is

Mr. Gahtan says: "You want your supplier to agree to conform to some
minimum security practices." Those practices should also apply to
subcontractors. As well, prohibit information from going offshore,
where privacy standards may be lax. Also, include indemnity provisions
so if something bad happens and your business faces a financial
penalty or hardship, then the party that caused the problem reimburses
