While nearly every business that deals with any amount of data knows to have a digital lock and key on personal information, it’s the files that seem completely unimportant that can have the biggest negative impact in a hacking situation. If you’re not sure what info could be hiding in you daily emails and powerpoint presentations, you might want to look into Active Navigation. We spoke to Active Navigation’s VP of Business Development, John Cofrancesco, to learn more.
ABERMAN: Well, data! What kind of data are you talking about?
COFRANCESCO: So, unstructured data. Think about those files you save to your desktop, or the word documents, the powerpoints that your boss makes you put into a file share.
ABERMAN: So everything that’s not a database, that structure to where you say, oh, this is where I put a Social Security number, this is where I put where somebody lives. This is just the ordinary course, I’m sending an email, I’m writing a document, I’m downloading a photo. It’s everything other than that.
COFRANCESCO: So, you got it. So the real risk lies in the unstructured data. We’ve got a pretty good handle on structured data, but it’s everything else that’s the wild west, as it turns out. Have you ever seen the show Hoarders? Most people, all businesses, all government agencies, are digital hoarders, and it’s our job to go out there and to help them clean it up. So, we’re kind of like those folks that find the hidden cats underneath the stacks of newspaper, except in the digital realm.
ABERMAN: It’s clear to me, you say we’re all hoarders. It’s been explained to me that we’re almost like digital snails. You know, we leave this trail of data behind us as we go through life, both professionally and personally. But yet in the personal realm, for example, we just saw with MySpace just last week, announcing,oh by the way, all the information was uploaded from 2003 to 2015 is gone forever. So, people are being encouraged to back up their personal data all the time now.
COFRANCESCO: That said, there’s this huge battle. I think you know, 10 or 15 years ago we were told, save your stuff. It was the ABC rule of cybersecurity, save it the first time, save it a second time, and then save it off site somewhere else. We adopted that as a community. And what that did was actually create a problem, because in that data, there’s lurking risk. And that risk is overwhelmingly PII, PHI, classified spillage, in the government arena. So we have all this really high value material, and we don’t know where it is.
ABERMAN: So for example, I write a memo to my boss, and in it I include a sentence that may be of security relevance, but it’s in a non-cleared situation, and nobody’s thinking about it, and it’s just sitting there for the Chinese to find.
COFRANCESCO: That’s exactly what happens. I get to give an example we had from a client last week: so, we get onto the client’s site, and the client tells us our security team has cleaned up this data. And we said, OK, sure. And we went out and we looked, and we found this file called password. And by the way, this is ubiquitous. We find this everywhere. We find a file called password, and it’s an excel sheet, and in it has the username and password for every system they have. It’s super convenient, because if you’re a Chinese hacker, all you have to do is search for the word password. Now, you can crack every system that the agency has. We find this universally.
What’s worse is, not only does the Chinese hacker get all the access to the systems, but they get access using your password and your user name. So it’s not really a hack, it’s not really a breach, from a cyber security perspective. It’s very difficult to root that out. Why is the data leaving the network? Well, it’s very, very difficult to suss that out, and we actually find these type of materials universally in government business.
ABERMAN: Now, what about the issue of photographs, and other documents that don’t really have any textual metadata that can even be stored? I mean, how do you figure out whether or not a photo is gonna be compromising?
COFRANCESCO: So, that’s a really great question. And the key there is… Are you married, John?
ABERMAN: I am, happily married!
COFRANCESCO: Good. Me too. So at my house, my wife has some jewelry. We don’t leave it in the foyer. Right? We leave it in the safe. So, the key here is to understand what content you have, and to make sure it’s in the right place. And because unstructured data has been sort of the Wild West for the last decade, decade and a half, people don’t know what jewelry they have, and they definitely don’t know where it is. So that’s the key. It’s okay to have this material sometimes, it’s not okay to not understand where it is.
ABERMAN: So how do you, without geeking out too much, how do you figure out what is in a database, or data storage, if there isn’t the meta data, and there isn’t the textual data? How do you find out?
COFRANCESCO: This is what we do! So we’re committed, Active Navigation is committed to delivering the most state of the art technology to this really nerdy problem. And I started as a GS4 records manager, so I’m a real nerd. I enjoy this stuff, I’ve stayed in it. So, what we’ve done is, we’ve taken some really powerful technologies that were designed for cryptography and some of the things like SHA 256, and we’ve used them for this nerdy purpose of deriving what’s good and what’s bad. We do that in concert with your SMEs at your business, or your agency, to really suss out the good stuff.
ABERMAN: I love it, data nerds coming to save the world. I like it! So, I’ve been told a number of times on the show, cybersecurity experts have told me the issue with protecting privacy is not new tech. It’s actually getting business and government to use the tech that’s already available, and just practicing common sense. Do you think that’s right?
COFRANCESCO: I think there’s a lot of truth in that. So, it’s very difficult to compensate for a dumb user. And as it turns out, all users are dumb, myself included. So, how do how to help the stupid guy not do something stupid? Really, if we can fully solve that, then we’d all be billionaires. But what we can do is, we can make it easier for the end user to not make the mistake, and that’s the critical thing to do.
ABERMAN: So, our best takeaway from today is: don’t keep your password files in an Excel spreadsheet named ‘password.’
COFRANCESCO: I would say, don’t keep your password files out there. Know, and be actively searching for, that type of material, and other risk material, and you will do the best possible job for your business, your agency, to keep yourself safe.
ABERMAN: Well, it was fun having you on the show today, John Cofrancesco. We wish you the best with Active Navigation.