It wasn't anything like an IRS audit. It was far worse. According to an evaluation late last month by none other than the Office of the Inspector Attorney General of the Social Security Administration, two Trojan horses and five keyloggers penetrated all the way onto agency workstations. That's right. Everyone's Social Security number is at risk and everyone is more vulnerable than ever to being a victim of identity theft.
These penetrations came via unauthorized installation of non-standard software, according to the report. Non-standard software doesn't mean it's bad. It just means that it was either not developed by in-house programmers or that it wasn't bought through the agency's regular acquisition process. Still, the story gets worse. Two of the workstation workers knew that the software they were installing was potentially unsafe. The other five installed it unintentionally. The SSA uses a Microsoft tool to inventory executable files on Windows machines used by both employees and contractors. This tool scans well over 100,000 devices every week to detect unauthorized software. The policy at the SSA permits non-standard software to be installed as long as agency security officers approve it. Some users simply believed that all they had to do was submit their request to the CIO. OK, they were wrong, but it appears that the CIO simply rubber-stamped the request instead of issuing reminders about the standard operating procedures of the department.
This makes me wonder what other protocols exist at the SSA. Who writes the policies? Why aren't they being implemented correctly? Do the contract workers have Errors & Omissions Insurance? Are they using other firewalls? How often is testing done to detect vulnerabilities? Are they going to make the CIO accountable for this potential disaster?
Everyone who reads this blog knows that I am a fanatic about my personal security. I'm horrified that seniors' Social Security numbers are on their Medicare cards. Many company websites require job applicants to type in their Social Security numbers. I mentioned this to someone in my network who works in HR. She said smart applicants type in 000-00-0000. I give my EIN when I'm hired as a consultant. Unless a job offer is on the table, no prospective employer even knows my real birthday. It's just not something that I'm going to make easily available. Suppose my resume or on-line application is printed out and tossed into a waste paper basket instead of shredded? I also block my credit report so that in case my personal information gets out, along with my address and checking account number (for direct deposit), no one can apply for credit in my name. It's easy to block and unblock, and the fee is far less than what it would cost me to deal with my identity being stolen.
As for my birthday, just send me presents all year long. One of these days you'll get it right!
http://www.ssa.gov/oig/ADOBEPDF/A-14-10-21082.pdf