
Scammers at the Gate

Your IT specialist is compulsive when it comes to data security. You follow each one of his expensive recommendations; it helps you sleep at night. But there is one risk that is often overlooked yet easily addressed: physically securing your hardware. During the annual CEFEX certification site visit, Rob Klobukowski, VP of Information Technology at The Pension Service, Inc., a TPA in Connecticut, described his firm’s response to a low-tech threat:

There was an attempt to compromise our systems via a social engineering attack. A person who claimed to be an AT&T technician showed up onsite and requested access to our phone closet. He explained that he was dispatched to troubleshoot an issue that we were having with our service. Fortunately, (1) our staff is educated that any and all technical requests should come from our IT department; and (2) the phone closet is locked. Called to approve this request, I met the “AT&T tech” and things did not add up. He did not have a clear task or AT&T identification, and got fidgety when asked some reasonable questions about his purpose there. We asked for a cell phone number, which he gave (fake), then said he left his ID in his truck and he would go get it. The last we saw of him were the taillights of his truck speeding from our parking lot. 

If he did gain access to our phone closet, he would have most likely placed packet-capturing equipment between our AT&T equipment and our corporate firewall. Since he would have had access to add his equipment anywhere, there is even the possibility that equipment could have been placed inside our firewall. Either way, they would have had unfettered access to our systems without our knowledge. After a couple of days or weeks, this “technician” would have returned to pick up this equipment and potentially a treasure trove of our data — and no one would have been the wiser.

Social engineering is commonly defined as acts designed to influence others. Some social engineering objectives are positive and some are not. A blend of art, psychology and science, social engineering rekindles some of the oldest confidence scams. In his book The Art of Deception, Kevin Mitnick of Mitnick Security Consulting makes the point that hacking into computer systems is difficult; it’s easier to con a legitimate user into divulging their login information.

Educating and continually re-educating users is critical. The IT department of a large national TPA used a simulated phishing email to reinforce their prior training. An email that was easily recognizable as illegitimate was sent to all of their employees, instructing them to click on a link. Employees who did so were taken to a web page with a skull-and-crossbones displaying this message: “You have been fooled — Pay closer attention during IT training.”

Another TPA had their systems compromised by a clever low-tech scam. This TPA is in an office complex with other tenants. One of the tenants found a manila envelope in the men’s room with a label indicating “ABC TPA Census Data.” He delivered the package to the receptionist of the TPA. The receptionist opened the envelope to find a flash drive. In order to deliver it to the right administrator, he inserted the drive into his computer. It was not census data.
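The flash-drive incident above is stopped at the workstation, not at the reception desk: if removable storage cannot mount, a found drive cannot run anything. The following script is an added example, not from the article or from the TPA described; it assumes a Windows 10/11 workstation and an elevated PowerShell session, and applies locally the same settings an administrator would normally push through Group Policy. The registry paths and value names are the standard Windows ones for disabling the USB mass-storage driver, the “Removable Disks: Deny all access” policy, and AutoRun.

```powershell
# Added example (not part of the article): block removable USB mass storage on a
# Windows workstation so a found flash drive cannot mount at all.
# Assumptions: Windows 10/11, elevated PowerShell session, local policy only
# (in a domain these same values are set via Group Policy instead).

# 1. Disable the USB mass-storage driver (USBSTOR). Start=4 means "disabled";
#    the default is 3 ("manual": loaded on demand when a drive is inserted).
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
Set-ItemProperty -Path $usbstorKey -Name 'Start' -Value 4 -Type DWord

# 2. Apply the "Removable Disks: Deny all access" policy through its registry
#    key. The GUID is the device-setup class for removable disks that this
#    policy keys on.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'Deny_All' -Value 1 -Type DWord

# 3. Turn off AutoRun for every drive type (0xFF), so that even on a machine
#    granted an exception to step 1 nothing executes just because a drive
#    was inserted.
$explorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerKey -Force | Out-Null
Set-ItemProperty -Path $explorerKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# 4. Read the three values back so an auditor (or the CEFEX reviewer) can
#    confirm the configuration without trusting the script's own output.
[pscustomobject]@{
    USBSTOR_Start      = (Get-ItemProperty -Path $usbstorKey  -Name 'Start').Start
    RemovableDeny_All  = (Get-ItemProperty -Path $policyKey   -Name 'Deny_All').Deny_All
    NoDriveTypeAutoRun = (Get-ItemProperty -Path $explorerKey -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
}
```

A reboot (or at least a driver reload) is needed before step 1 takes effect for already-present hardware; steps 2 and 3 apply at the next policy refresh or logon. Where a department legitimately needs removable media, the usual compromise is to leave step 1 alone and keep steps 2 and 3, then add a read-only exception for the few approved machines.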

TPAs should also expect increased scrutiny of their IT systems from their alliance partners. This is because the Federal Trade Commission has ratcheted up its privacy and data security enforcement. The position of the FTC is that an entity that maintains personal information about its customers, like an insurance company, could be held responsible for security lapses by its vendors and partners. In a case involving Snapchat, a popular photo-sharing app, the FTC ordered the company to “take reasonable steps to select and retain service providers capable of maintaining security practices,” in response to charges that the app’s claim that it automatically deletes photos wasn’t entirely true. When holding companies liable for security breaches of their partners, the language the FTC uses is: “knew or should have known about their partner’s inadequate security.”

No solution to protect sensitive data is perfect. But the risk is real. The data maintained by TPAs is valuable, and the bad guys want it. At a minimum, TPAs should acquaint themselves with the CEFEX Best IT Practices and continually remind their employees of fundamental security measures. Additionally, TPA alliance partners can be a good source for IT support.

Richard Carpenter, CPC, CEBS is the founder of the Technical Answer Group, Inc. (tagdata.com). He currently provides consulting services (USVIpensions.com) to TPAs across the country.
