Security Training for the Masses
My company is going through its annual HIPAA privacy and security refresher training. This is a good thing and I wholeheartedly support it, as it's always nice to be reminded of some of the details. "Oh, I forgot that we're allowed to do X! That's good to know."
But the most irksome thing in the world is when you know the right answer to a test question but are required to give the wrong one to pass it. For instance, we were asked:
If you then connect with a VPN, will that ensure a file sent via email will be secure all the way through to its destination? Yes / No / Maybe
Test says: maybe! If you change nothing about your setup except adding a VPN into the mix, you may now be able to send email securely.
I say: The correct answer is "of course not". Our company uses a "split tunnel" VPN so that only connections to certain services go over the VPN, while the rest of our traffic goes over the open Internet. Do we need to route someone's after-hours Netflix viewing through an encrypted connection? No thank you. But even without that, once you send an email to your own server, you have no control over what happens next. Does the recipient's server support TLS connections? Are emails stored on that server encrypted at rest? Does their email app require TLS? Who knows! You sure won't. So no, a VPN absolutely does not guarantee an email will be secure all the way through to its destination.
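To make the hop-by-hop point concrete, here is an added example (my own code, not from the original post) that probes the one hop you *can* observe: whether a recipient's inbound mail server advertises STARTTLS and whether its certificate actually verifies. The host name `mx.example.net` is a placeholder assumption; the EHLO replies in the docstring and test are constructed.

```python
"""Probe a single SMTP hop for STARTTLS support and certificate validity.

Added example, not from the original post. `mx.example.net` is a placeholder;
substitute the MX host of the recipient domain (e.g. from `dig MX example.com`).
"""
import smtplib
import ssl


def parse_ehlo_capabilities(ehlo_reply: bytes) -> set[str]:
    """Return the ESMTP extension keywords from an EHLO reply body.

    smtplib.SMTP.ehlo() returns (code, message). `message` carries the
    server's greeting on the first line and one extension per line after it,
    e.g. b"mail.example.net\\nSIZE 52428800\\nSTARTTLS\\n8BITMIME" (constructed).
    """
    lines = ehlo_reply.decode("ascii", errors="replace").splitlines()
    caps = set()
    for line in lines[1:]:  # line 0 is the server's hostname/greeting, not a capability
        fields = line.split()
        if fields:
            caps.add(fields[0].upper())
    return caps


def first_hop_tls_status(mx_host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Report whether one SMTP hop offers STARTTLS and whether the handshake verifies.

    This describes only the hop from *this* client to `mx_host`. It says nothing
    about how that server stores the message, whether it relays onward over TLS,
    or whether the recipient's mail client pulls it down over TLS.
    """
    result = {"host": mx_host, "starttls": False, "tls_verified": False, "error": None}
    try:
        with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
            code, reply = smtp.ehlo()
            if code != 250:
                result["error"] = f"EHLO rejected with {code}"
                return result
            caps = parse_ehlo_capabilities(reply)
            result["starttls"] = "STARTTLS" in caps
            if not result["starttls"]:
                return result
            # create_default_context() verifies the chain and the hostname.
            # A self-signed or mismatched cert raises SSLError here; a sender
            # doing opportunistic STARTTLS without verification would happily
            # talk to that same server, MitM or not.
            smtp.starttls(context=ssl.create_default_context())
            result["tls_verified"] = True
    except ssl.SSLError as exc:  # must precede OSError: SSLError is a subclass of it
        result["error"] = f"STARTTLS offered but certificate failed verification: {exc}"
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    print(first_hop_tls_status("mx.example.net"))  # placeholder host
```

Even a result of `starttls: True, tls_verified: True` only tells you that this one hop *can* be encrypted. A sending MTA doing opportunistic STARTTLS on port 25 will still fall back to plaintext if an on-path attacker strips the STARTTLS keyword from the EHLO reply, and the server-to-mailbox and mailbox-to-client hops are invisible to you entirely. That is exactly why adding a VPN on your end changes nothing about the hops you do not control.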
If you encrypt the file you are emailing, will that ensure a file sent via email will be secure all the way through to its destination?
Test says: yes! If you encrypt an email to an employee at another company, it's guaranteed to be secure.
I say: Maybe, sure. I'd even go so far as saying it probably will. However, for all I know the recipient's company uses some key escrow thing that lets them decrypt and analyze all inbound mail, and Joe from IT occasionally sells the interesting ones to North Korea.
Thing is, our particular training program is for the most part pretty decent, as far as such things go. Again, I'm glad we're doing it. I just wish their post-training exams were a little more carefully worded.