• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Sherpa Short Story: Data Leakage at Gensui Imaging
 

Sherpa Short Story: Data Leakage at Gensui Imaging

on

  • 641 views

Sherpa introduces its first short story! Grant Lindsay, Product Manager for Compliance Attender for Lotus Notes, takes us through a fictional scenario, where an employee of a major imaging company, ...

Sherpa introduces its first short story! Grant Lindsay, Product Manager for Compliance Attender for Lotus Notes, takes us through a fictional scenario, where an employee of a major imaging company, leaks an upcoming merger. Based on real life situations, this story will explain how companies can stop email messages and capture them in a graveyard journal before any confidential information is released. Read the story to learn more!

Statistics

Views

Total Views
641
Views on SlideShare
440
Embed Views
201

Actions

Likes
0
Downloads
1
Comments
0

4 Embeds 201

http://www.sherpasoftware.com 176
http://unbouncepages.com 20
http://blog.sherpasoftware.com 4
http://planetlotus.org 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Sherpa Short Story: Data Leakage at Gensui Imaging Sherpa Short Story: Data Leakage at Gensui Imaging Document Transcript

    • Data Leakage at Gensui Imaging A Short Story by Grant LindsayUnder the copyright laws, neither the documentation nor the software can be copied, photocopied, reproduced, translated, or reduced to anyelectronic medium of machine-readable form, in whole or in part, without the written consent of Sherpa Software Partners, except in themanner described in the software agreement.© Copyright 2011 Everest Software, L.P., d.b.a. Sherpa Software Partners, L.P.All rights reserved. Printed in the United States.Compliance Attender for Lotus Notes is the registered trademark of Sherpa Software Partners, L.P.
    • ------------------------------------------------------- Part 1 ------------------------------------------------------- hat I am about to tell you must not leave this room.” It was Derek Reinholts opening statement to“W his management team. Fourteen people sat around the conference room table as Derek stood by the whiteboard that was now doubling as a screen. He continued, “Sonia, can you get the lights,please?” The room dimmed and Derek began his presentation in the glow of the projector.The slides included the well-known review of how Derek had started Gensui Imaging with a college roommateduring their senior year at Carnegie Mellon University and of how, over the intervening seventeen years, theyhad grown a part-time business into a successful digital image processing company.“You and your teams,” Derek said to his audience, “—in fact, all of our nearly 1,200 employees—have beeninstrumental in our phenomenal growth and global presence in our industry. And now,” he paused as a grinspread across his face, “Gensui Imaging is moving into a new chapter of its history.”The next slide showed an animation of the words “Gensui” and “Acme” gliding toward each other from oppositesides of the screen, overlapping in the center, and finally dissolving to re-form as “Gensui Acme Imaging.”Derek paused to scan the faces of his leadership team and said, “Were merging with Acme Co.” There was acollective gasp and then, quiet expressions of “wow” and “thats exciting” as the impact of the news sank in. Amerger with Acme Co. would expand Gensuis market reach and solution offerings. That much was obvious. But,the potential of a merger with their largest client and the nations number three video post-production shop wasnothing short of electric.Alexandra Jennings, Gensuis Operations Manager, was in the room listening with growing excitement to Dereksdisclosure of the new deal with Acme Co. Her brain was spinning with the possibilities. Beyond the obvious andshort-term benefits of getting access to Acmes customer base and their brand recognition, there were thelonger-term goals, as Derek was now showing on the screen, of moving into new and complementary marketsand product lines.Wow, Alex thought, I have to tell, Ryan. Discreetly, Alexandra took out her company phone and tapped a quickemail to her husband: “Big news at work about Gensui and Acme!! Tell you more later.”She touched the “send” button and returned her attention to the meeting. Derek was wrapping up by saying,almost as if on cue, “Remember, we need to keep this confidential until the joint press release next Monday. I willalso be scheduling a meeting for the whole company at the same time to let everyone know. Thanks everyone.”As the lights came up and the meeting broke out into excited chatter, Alex felt a slight pang of guilt about heremail, I only told Ryan, she thought. Hes family and, besides, he wont care that much, anyway. He certainlywont tell anyone. Just in case, Ill email him to keep it confidential, she resolved, when I get back to my desk.Alexandras husband, however, would never get those emails. ------------------------------------------------------- Part 2 -------------------------------------------------------Three days before Dereks big meeting with his management team, Valerie Wright, the Email Administrator forGensui, was at her desk, busy as usual. The home-grown support ticket system, built on IBM Lotus Notes andDomino, had several requests assigned to her and she was in the middle of an urgent one for the head of Legal.The support request application certainly made things run more smoothly, but the requests never seemed toend.Thats when she noticed Peter Terrell, the Director of Information Systems and her manager, standing at theentrance to her cubicle. She removed one of her ear-buds to hear him. “Val, can I see you in my office, please?It will just be a few minutes.” | Page 2 of 8
    • “Ah, sure, Peter.” Her eyes drifted back to her screen. “Let me just get this restore started for Brian and Ill beright in.”A few minutes later, Valerie was standing by Peters office door. “Come in, Val. Close the door, please.” She didso. “Have a seat.” Peter wasnt one for closed-door meetings, so she knew this conversation was going to beunusual. She hoped she wasnt in some kind of trouble.Peter began. “I need your help with something sensitive and very confidential.”“Sure.” Valerie relaxed. This wasnt about her. “What is it?”“We need to set up another filtering rule in Compliance Attender.”“Okay. Do you have the specifics?”“I do.” Peter smiled as he handed a sheet of yellow notepad paper to Valerie with his neat, block-letter writing onit.She let out an involuntary “hmmm” when she read the words “merger” and “Acme.” She looked up at Peter.“I think you can see,” said Peter, in a more serious tone, “that this must remain strictly confidential.”“Well, yeah!” Valerie looked at the sheet again for a few seconds, then said, “So, you want me to set up aCompliance Attender filtering restriction to stop any messages that have these keywords from being sent. Is thatright?”“Thats right.”“Sure. Thats easy.” Then, Valerie added, “Do you want to capture these messages, too, or just stop them?”“We had better keep a copy of any of these potential leaks for review. Derek will want to see them.”“Okay. Ill set up a graveyard.” A thought occurred to her. “These keywords might produce more than a few false-positives. We should likely turn on reviewing for this graveyard.”Peter looked puzzled. “Refresh my memory.”“Well, you know that a graveyard is a repository for messages that get stopped by Compliance Attender, right?”“I remember that.”“Okay. So, we can set up any given graveyard with a review process that lets authorized users read thosefiltered messages and either confirm or over-rule the graveyard action. The approvers can either release themessage, if its a false-positive, or confirm the graveyard action, if it isnt.”“I see.”“And only the approvers (and the database Manager) can see the messages,” Valerie continued, “and, eventhen, only when they are in this pending state. So, its really locked down.”“Thats important, here.”“Who should I make the approver?”“I guess that will be me,” Peter said. | Page 3 of 8
    • “And should I make anyone your back up, in case you cant get to a message to act on it in a reasonable time?”“Hmmm... lets put Derek, since, as of now, we three (and the lawyers) are the only ones in the company whoknow about this. But, lets give it a full 24 hours before we notify him.”“Can do.”“Do you need anything else to make this happen?”“No. I can come up with the wording for the notifications. Ill let you know when its set up.”“Thanks, Val.”Valerie got up to leave and as she was at the door, Peter added, “Just bring back that sheet when you are done.”“Oh, yeah,” she said, looking down at Peters hand-written note in her hand. “No problem.”Back at her desk, Valerie noticed that the restore of Brians mail file was still running, so she switched screensand opened Compliance Attender. Setting up the Compliance Restriction and Graveyard Definition only took acouple of minutes. Then, she created two Notification Definitions; one for Peter that would be used during theinitial message capture and the other for both Derek and Peter to be sent during the first escalation, twenty fourhours later. She wouldnt need the second or third escalation, she decided.Next, Valerie set the graveyards access control list management settings right on the Graveyard Definition tolock it down tight. After saving her changes, she replicated them to her other mail server, issued the “Set Rules”command to both servers and sent a test message to Peter with the keywords in it.As expected, it was filtered by Domino and placed in the Compliance Attender temporary graveyard. Valeriedecided to let the processing agent run on its schedule, rather than forcing it to run immediately, since it wasalready set to run every fifteen minutes.She popped her head into Peters office and he invited her in. “Were all set,” she said, while closing the door.“That was fast.”“I sent a test message to you with the keywords and it was filtered correctly.” Valerie placed the yellow notepaper back on Peters desk. “You should get a notification, shortly. Just follow the link to the message and eitherclick Release or Graveyard, as the case may be.”Peter looked at his screen. “Wait. I think this might be the notification. Heres that thing you asked for. Is that thesubject?”“Yeah. I was trying to not give anything away in the subject, in case anyone happened to see your phone orsomething. But, the notification email is completely customizable, if you want me to change it.”“No, I like it. Its very casual and vague. Perfect.” Peter double-clicked and said, “Can you wait while I do this, incase I get stuck?”“Sure.”“Okay, so I opened the notification and I see you have included the date, sender, recipients, original subject.Great. And theres the link. So, Ill click that... Ah, theres the message. Oh, I see the buttons. I assume thatRelease will send the message to the original recipients.”“Thats right.”“And Graveyard will keep it here?” | Page 4 of 8
    • “Right again.”“Okay. Since this is a false positive,” Peter said as he gave Valerie an exaggerated wink, “well release it. So, Iclick Release... Do you want to release this message? Yes, thanks for asking. Okay... and Im back to my mail.What should happen now?”“Since you were the recipient of that message, you should get it.”“Okay... well, what do you know? There it is. Nice.”“Also, the graveyarded copy is still back there, logged with who released it and when... for auditing.”“Oh, thats good.”“And, one last thing. I excluded Derek from the filtering restriction in Compliance Attender, so he cancommunicate about... this thing... with whomever.”“Good call. Thanks, Val. Ill let you know if I get into any trouble with this.”“No problem. Now, if I can just get Brian to understand that delete means delete.” ------------------------------------------------------- Part 3 -------------------------------------------------------On his way back to his office after Dereks bombshell meeting, Peters phone chimed and vibrated. On reflex, hepulled it out of his pocket and examined the screen. An email, “Heres that thing you asked for” from the DominoAdministrator. That was one of Vals graveyard notifications. Peter had only gotten a handful of these over theweekend, all of which had been false positives that he had released.This one seemed suspicious, though, coming so soon after Dereks announcement. Peter tapped the screen toopen the notification. It was from Alex Jennings to an outside mail account he didnt recognize. No subject. Notgood.Peter tried not to give the impression of panic as he hurried back to his office to examine the email more closely.As he sat down in front of his computer, he realized he had been worried for no reason. It dawned on him: sincehe had gotten the graveyard notification, that meant the message was caught. It didnt get out. There was noleakage... yet.His sigh of relief was audible. Okay, he thought, Lets take a closer look at you. He double-clicked the notificationmessage in his Notes mail and clicked the link to the graveyarded message. Now, he could see the body:“Big news at work about Gensui and Acme!! Tell you more later.”“Oh, Alex, what did you do?” he muttered. As much as he didnt want to get his friend and colleague in trouble,Peter knew that he would have to tell Derek. Who did you send this to, Alex? he thought. Or, rather, try to sendthis to? The sole recipient was a Gmail address. A quick Google search had Peter looking at Ryan JenningsFacebook page. Alexs husband.Peter was starting to realize that this was probably not corporate espionage when his phone chimed andvibrated again. He glanced over at the small screen on his desk and saw another graveyard notification. Peterswitched to his email tab, opened the new notification and saw that it was from Alex to her husband again. Heclicked the link:“About that Acme email: please dont tell anyone. Love, A.” | Page 5 of 8
    • Peter printed the two email messages to the printer on his credenza as he picked up the phone and dialed. A fewseconds later he said, “We might have a leakage issue.” Then, after a pause, “Okay. Ill come right up.” ------------------------------------------------------- Part 4 -------------------------------------------------------Alexandra was reading over the previous weeks project statuses in preparation for her eleven oclock teammeeting, when her desk phone beeped. The call display said, “REINHOLT, D. x2992”She picked up before the second beep. “This is Alex Jennings.” She always answered that way, even when sheknew the callers identity.“Hi, Alex. Its Derek,” the phones ear piece relayed. “Something kind of important has come up. Can I see you inmy office?” Derek didnt say when, but Alex knew he meant now.There was still more than half an hour before her meeting. “Ill be right there.”“Thank you.” Derek hung up.When Alex arrived at Dereks office, she saw that Peter Terrell was already seated inside and that they weretalking, so she paused at the door and knocked.“Hey Alex. Come on in,” Derek smiled. “Give the door a little push, would you.”Alexandra closed the door behind her and approached Dereks desk, a little more anxious with each step.“Have a seat, Alex. Peters going to sit in on this with us.”“Hi, Alex,” Peter said with a forced smile.Alex nodded to him, but just sat.“Peter brought me some news, Alex,” Derek started. “And I need to get your input on it.”“Sure, Derek.” Alex glanced over at Peter who was looking at Derek.“I asked Peter to make a configuration change to our email Compliance software... Whats it called, Peter?”“Compliance Attender.”“Right. Compliance Attender.” Derek continued, “Anyway, I wanted to make sure that we didnt let any news slipprematurely about the Acme deal. Their board is very sensitive about controlling what the media hears and anyleakage about it could sour this merger. Its just too important for us, Alex.”She could see where this was going. That stupid email to Ryan. But, she didnt want to confess anything toosoon, so she just listened.“Which brings us to this.” Derek handed two sheets of paper to Alex. The headings on each read “GraveyardMessage” below which followed other details, including her address and that of her husbands. They were copiesof her emails to Ryan, as she had suspected.She looked up at Derek and said, “Im sorry, Derek. I got excited about the news and told Ryan without thinking. Iwould never leak anything this important...”“I know, Alex,” Derek interrupted with a raised hand. “Its clear this was just a slip. And Compliance Attender | Page 6 of 8
    • stopped the messages from getting out, so there is no harm done. Ryan still doesnt know anything about this.”Then he added, “Does he?”“These emails were the only things I sent him. If he didnt get them, then he doesnt know,” Alex reasoned. “And Iwont tell him anything until the press release, Derek. I promise.”“Thats all I wanted to hear, Alex.” Then, Derek grinned, clapped his hands and said, “Just think. Next week wellbe able to tell everyone and celebrate.” His exuberance always lightened the mood, once the serious work wasfinished. He was a good boss.“Thanks, you two,” Derek said to end the meeting. ------------------------------------------------------- Part 5 -------------------------------------------------------As they left, Peter stopped Alexandra at Dereks office door and said quietly, “Im sorry, Alex. I had to tell him.”“No, dont worry, Peter. You did the right thing,” she said. “Im just glad that that Compliance thing...”“Attender,” Peter interjected.“What?”“Compliance Attender.”“Right. Anyway. Im just glad it caught those messages. Once that stuff gets out, who knows where it will endup?”As they parted, each heading to their own offices, Peter thought how glad he was to have the right tools to solvethese sticky problems. They made him look good. | Page 7 of 8
    • About the Author As the Product Manager for Compliance Attender for Notes, Grant is responsible for product research and development, pre-sales technical support (e.g., Demos), post-sales technical support and competitive research. Grant joined Sherpa Software in 2007 and has 17 years of experience in Information Technology. Of those, more than 16 were spent building applications with Lotus Notes and Domino. He worked with a wide range of company sizes and across several industries including insurance, consulting, venture capital, manufacturing, software and more. Grant is an IBM Certified Advanced Application Developer and an expert in emailmanagement and compliance, LotusScript, Notes Formula Language, application design and security. He isalso skilled in C/C++ and Java Application Programming Interfaces (APIs) for Notes and Domino. Grant isaccomplished in web delivered technologies: HTML, CSS, and JavaScript.He graduated in 1995 from the Career Development Institute with a Programmer Analyst Diploma. Grant spendshis off time with his wife, Lydia, of 19 years and their three retired greyhound racers, Rio, Wavorly and Oriole. | Page 8 of 8