Hacker attacks that bring down the network get a lot of attention, so companies concern themselves with protecting against those threats. But if your organization is focusing only on this type of security, it's a little like putting all your efforts into preventing a bomber from blowing up the building but neglecting to worry about the burglar who sneaks in through a back door and makes off with all your valuables.
Unfortunately, the same security precautions that prevent DoS attacks, viruses and worms, and other high profile attacks may not be addressing a much more insidious problem: theft of company data for corporate espionage or other purposes. Yet the disclosure of your trade secrets to a competitor or the release of private company information to the media could, in some cases, result in a much greater loss than network downtime.
In this article, we'll take a look at what you should be doing to keep your data from walking out the door.
This information is also available as a PDF download.
1: Practice the principle of least privilege and put policies in writing
There are two opposing philosophies by which you can set your network access policies. The first, the "all open" policy, presumes that all data is available to everyone unless you explicitly restrict access. The second, the "least privilege" policy, operates on the assumption that all data is off-limits to a given user unless that user is explicitly given access to it. The latter is like the "need to know" policies of government intelligence agencies: Unless a user has a demonstrated need to have access to a particular file, he/she can't access it.
You may think it should be obvious that your employers are not to copy important company information and take it home or email it outside the internal network without permission. However, unless you put such policies in writing and have workers sign for receipt, you may be hard pressed to penalize them for violating that policy. Unwritten rules are much more difficult to enforce.
Your policies should be specific and give examples of what's prohibited. Workers may not understand, unless you spell it out, that emailing a company document as an attachment to someone outside the network (or even to their own home account) is just as much a violation of policy as copying that document to a USB drive and physically taking it out the door.
Wording of the policy, however, should make it clear that the prohibition is not limited solely to the examples you give.
2: Set restrictive permissions and audit access
You can't depend on policies alone to protect your data. Just telling employees what they shouldn't do won't prevent some of them from doing it anyway. Technological enforcement of your policies takes away their choice about whether to comply. The first step in protecting data is to set the appropriate permissions on data files and folders. It goes without saying that data on Windows networks should always be stored on NTFS-formatted drives so you can apply NTFS permissions along with any share permissions. NTFS permissions are more granular than share permissions and apply to users accessing the data on the local machine as well as over the network.
In keeping with the principle of least privilege, you should give users the lowest level of permissions possible for them to get their work done. For example, give Read Only permissions to prevent users from modifying files. For more details, see 10 things you should know about working with NTFS permissions.
You can also set up auditing on files and folders that contain sensitive data so that you can see who accessed it and when. Learn more about auditing object access with built-in Windows Server auditing here.
Numerous third-party auditing solutions can audit file access across multiple storage sites. Examples include:
3: Use encryption
Another advantage of storing data on NTFS-formatted drives is the ability to apply Encrypting File System (EFS) encryption. EFS is supported by Windows 2000 and later operating systems and will prevent other users from being able to open the file even if they have NTFS permissions. With Windows XP/2003 and later, encrypted folders can be shared with other users by assigned them special permissions through the encryption dialog box.
One way data can be stolen is by stealing the entire computer, especially if it's a laptop. With Vista and Windows 7 Enterprise and Ultimate editions, you can use BitLocker full drive encryption to protect data in case the computer is stolen. For more on EFS and BitLocker, see Prevent data theft with Windows Vista's Encrypted File System (EFS) and BitLocker.
There are many third-party alternatives in the encryption space, too. Examples include:
4: Implement rights management
Some data theft can be prevented by using the methods above to keep the wrong people from accessing that data. But what about theft by people you need to give access to? You can use Windows Rights Management Services (RMS) and the Information Rights Management (IRM) feature in many versions of Office 2003 and Office 2007 to prevent users from forwarding, copying, and otherwise misusing email messages and Office documents (Word, Excel, and PowerPoint files) you send to them. Find out more about RMS/IRM on TechNet.
5: Restrict use of removable media
One of the most popular ways to sneak digital information out of an organization is by copying it on some sort of removable media or device. USB thumb drives are inexpensive and easy to conceal, and high capacity SD, CF, and other flash memory cards can hold a huge amount of data. Users can also copy files to their iPods or other MP3 players or to CD or DVD writers. You can permanently restrict the installation of USB devices by removing the ports physically or filling them with a substance. You can also use software to disable the use of removable devices on each individual computer or throughout the network.
In Vista, you can restrict use of removable media (USB devices and CD/DVD burners) through Group Policy. (See What's New in Vista Group Policy for details.) For other operating systems, there are third-party products, such as Portable Storage Control (PSC) from GFI.
6: Keep laptops under control
Another way a user can make off with files is to connect to the internal network with a laptop or handheld computer, copy the files to its hard disk, and then take the computer off premises. You need to maintain control over what computers connect to your LAN, not just remotely but by plugging directly into a hub or switch on site.
You can use IPsec to prevent computers that are not members of the domain from connecting to your file servers and other computers on the LAN. For more, see Server and Domain Isolation Using IPsec and Group Policy.
7: Set up outbound content rules
Firewalls can do more than keep undesirable traffic out of your network. They can also keep specified traffic from leaving your network. Your data can walk out the door physically or it can be sent out a virtual door via email, peer-to-peer file sharing, etc. You can set up your firewall to block certain types of outbound protocols, such as those used by P2P software.
You can also set up your mail server to block sending of outbound attachments. And you can block outbound content by keywords using content filtering appliances, software, or services such as:
8: Control wireless communications
Even if you block sending of certain types of data through your firewall or filtering systems, a determined person may be able to connect a company laptop to a different wireless network within range, one that doesn't have blocking mechanisms in place. Or someone might connect the computer to a cell phone that has Internet access and use the phone as a modem. Keep track of wireless networks that may be available from your company premises and, if possible, block their signals.
9: Control remote access
Your users don't have to be on site to take corporate data away with them. With the popularity of telecommuting and working on the road rising all the time, users can access the company network via various remote access technologies.
10: Beware of creative data theft methods
Remember that your data can walk out in many different formats. A user can print out a document and carry it out in paper form or a thief can steal printed documents from trash cans if the documents haven't been shredded. Even if you've implemented a technology such as rights management to prevent copying or printing documents, someone could take a digital or film photograph of the content onscreen or even sit and copy the information by hand. Be aware of all the ways your data can leave the premises, and take steps to protect against them.
Check out 10 Things... the newsletter
Get the key facts on a wide range of technologies, techniques, strategies, and skills with the help of the concise need-to-know lists featured in TechRepublic's 10 Things newsletter, delivered every Friday. Automatically sign up today.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.