Friday, October 30, 2009

House Ethics Committee Document Exposed on Public P2P Network

Via PCMag.com -

According to a statement released by the US House of Representatives Committee on Standards of Official Conduct, often known as the Ethics Committee, a document describing investigations of over 30 House members and several aides was exposed on a public network because of "...the use of peer-to-peer file sharing software on the personal computer of a junior staffer, who is no longer employed by the committee, while working from home."

The committee's statement says that no matter how strong security systems are, humans can make mistakes that bypass them. There's a lot of truth to this, although there are systems, often known as data loss prevention or DLP systems, that attempt to prevent the movement of sensitive data off authorized networks. A Washington Post story on the breach implies that House members and staffers are permitted to take documents home for work, but quotes House administration rules as saying that if they do so: "all users of House sensitive information must protect the confidentiality of sensitive information" from unauthorized disclosure.

Those rules do not place any specific security requirements on home computers or other machines used to access sensitive House data. They state, on the one hand, that sensitive House data should not leave House property. On the other hand, they state that if the data is taken off property, it should not leave the possession of authorized personnel, and that those people need to protect it. This is not an adequately specific policy for computer security. Even assuming that the P2P software on the unfortunate staffer's computer was legal and was there intentionally, and that saving the document publicly was an error, it's still easy to lose such documents unintentionally through malware or error.
