10 ways to make sure your data doesn't walk out the door: UPDATED

Many organizations focus on protecting against external attacks but ignore a threat that might be even more destructive: data theft by someone inside the company. Here's an up-to-date look at critical areas of concern.

Hacker attacks that bring down the network get a lot of attention, so companies concern themselves with protecting against those threats. But if your organization is focusing only on this type of security, it's a little like putting all your efforts into preventing a bomber from blowing up the building but neglecting to worry about the burglar who sneaks in through a back door and makes off with all your valuables.

Unfortunately, the same security precautions that prevent DoS attacks, viruses and worms, and other high-profile attacks may not be addressing a much more insidious problem: theft of company data for corporate espionage or other purposes. Yet the disclosure of your trade secrets to a competitor or the release of private company information to the media could, in some cases, result in a much greater loss than network downtime.

In this article, we'll take a look at what you should be doing to keep your data from walking out the door.

1: Practice the principle of least privilege and put policies in writing

There are two opposing philosophies by which you can set your network access policies. The first, the "all open" policy, presumes that all data is available to everyone unless you explicitly restrict access. The second, the "least privilege" policy, operates on the assumption that all data is off-limits to a given user unless that user is explicitly given access to it. The latter is like the "need to know" policies of government intelligence agencies: Unless a user has a demonstrated need to have access to a particular file, he/she can't access it.

You may think it should be obvious that your employees are not to copy important company information and take it home or email it outside the internal network without permission. However, unless you put such policies in writing and have workers sign for receipt, you may be hard-pressed to penalize them for violating that policy. Unwritten rules are much more difficult to enforce.

Your policies should be specific and give examples of what's prohibited. Workers may not understand, unless you spell it out, that emailing a company document as an attachment to someone outside the network (or even to their own home account) is just as much a violation of policy as copying that document to a USB drive and physically taking it out the door.

Wording of the policy, however, should make it clear that the prohibition is not limited solely to the examples you give.

2: Set restrictive permissions and audit access

You can't depend on policies alone to protect your data. Just telling employees what they shouldn't do won't prevent some of them from doing it anyway. Technological enforcement of your policies takes away their choice about whether to comply. The first step in protecting data is to set the appropriate permissions on data files and folders. It goes without saying that data on Windows networks should always be stored on NTFS-formatted drives so you can apply NTFS permissions along with any share permissions. NTFS permissions are more granular than share permissions and apply to users accessing the data on the local machine as well as over the network.

In keeping with the principle of least privilege, you should give users the lowest level of permissions possible for them to get their work done. For example, give Read Only permissions to prevent users from modifying files. For more details, see 10 things you should know about working with NTFS permissions.

You can also set up auditing on files and folders that contain sensitive data so that you can see who accessed it and when. Learn more about auditing object access with built-in Windows Server auditing here.
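One way to apply the permission and auditing steps above to a single folder, as an added example that is not from the original article: it replaces inherited permissions with a read-only grant for one group, adds an audit entry, and reads back the resulting events. The folder `D:\Finance` and the group `CONTOSO\Finance-Readers` are assumed names.

```powershell
# Added example, not from the article. Run in an elevated session: writing
# the audit list (SACL) needs the "Manage auditing and security log" right.
$Path  = 'D:\Finance'                  # hypothetical sensitive folder
$Group = 'CONTOSO\Finance-Readers'     # hypothetical group with a need to know

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function New-AllowRule([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, $propagate, 'Allow')
}

# Load the descriptor including its audit entries.
$acl = Get-Acl -Path $Path -Audit

# Least privilege: stop inheriting the parent's entries and drop the
# explicit ones, so access starts from "nothing" rather than "all open".
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRuleSpecific($ace)
}

# Grant back only what is needed: admins and the OS keep control,
# the business group can read but not modify.
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-AllowRule $Group                   'Read'))

# Audit successful and failed reads, writes and deletes by anyone.
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$audit  = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, $propagate, $flags)
$acl.AddAuditRule($audit)

Set-Acl -Path $Path -AclObject $acl

# The audit entry only produces events once object-access auditing is on.
# auditpol works on Vista / Server 2008 and later; older servers enable
# "Audit object access" through Group Policy instead.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Review who touched what under $Path (Security event 4663).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        New-Object psobject -Property @{
            Time   = $evt.TimeCreated
            User   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object = $data['ObjectName']
            Access = $data['AccessMask']
        }
    } |
    Where-Object { $_.Object -like "$Path*" } |
    Sort-Object Time |
    Format-Table Time, User, Access, Object -AutoSize
```

On a non-English system the well-known account names (`Everyone`, `BUILTIN\Administrators`) are localized and need adjusting.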

Numerous third-party auditing solutions can audit file access across multiple storage sites. Examples include:

3: Use encryption

Another advantage of storing data on NTFS-formatted drives is the ability to apply Encrypting File System (EFS) encryption. EFS is supported by Windows 2000 and later operating systems and will prevent other users from being able to open the file even if they have NTFS permissions. With Windows XP/2003 and later, encrypted folders can be shared with other users by assigning them special permissions through the encryption dialog box.

One way data can be stolen is by stealing the entire computer, especially if it's a laptop. With Vista and Windows 7 Enterprise and Ultimate editions, you can use BitLocker full drive encryption to protect data in case the computer is stolen. For more on EFS and BitLocker, see Prevent data theft with Windows Vista's Encrypted File System (EFS) and BitLocker.

There are many third-party alternatives in the encryption space, too. Examples include:

4: Implement rights management

Some data theft can be prevented by using the methods above to keep the wrong people from accessing that data. But what about theft by people you need to give access to? You can use Windows Rights Management Services (RMS) and the Information Rights Management (IRM) feature in many versions of Office 2003 and Office 2007 to prevent users from forwarding, copying, and otherwise misusing email messages and Office documents (Word, Excel, and PowerPoint files) you send to them. Find out more about RMS/IRM on TechNet.

5: Restrict use of removable media

One of the most popular ways to sneak digital information out of an organization is by copying it on some sort of removable media or device. USB thumb drives are inexpensive and easy to conceal, and high-capacity SD, CF, and other flash memory cards can hold a huge amount of data. Users can also copy files to their iPods or other MP3 players or to CD or DVD writers. You can permanently restrict the installation of USB devices by removing the ports physically or filling them with a substance. You can also use software to disable the use of removable devices on each individual computer or throughout the network.

In Vista, you can restrict use of removable media (USB devices and CD/DVD burners) through Group Policy. (See What's New in Vista Group Policy for details.) For other operating systems, there are third-party products, such as Portable Storage Control (PSC) from GFI.

6: Keep laptops under control

Another way a user can make off with files is to connect to the internal network with a laptop or handheld computer, copy the files to its hard disk, and then take the computer off premises. You need to maintain control over what computers connect to your LAN, not just remotely but by plugging directly into a hub or switch on site.

You can use IPsec to prevent computers that are not members of the domain from connecting to your file servers and other computers on the LAN. For more, see Server and Domain Isolation Using IPsec and Group Policy.

7: Set up outbound content rules

Firewalls can do more than keep undesirable traffic out of your network. They can also keep specified traffic from leaving your network. Your data can walk out the door physically or it can be sent out a virtual door via email, peer-to-peer file sharing, etc. You can set up your firewall to block certain types of outbound protocols, such as those used by P2P software.

You can also set up your mail server to block sending of outbound attachments. And you can block outbound content by keywords using content filtering appliances, software, or services such as:

8: Control wireless communications

Even if you block sending of certain types of data through your firewall or filtering systems, a determined person may be able to connect a company laptop to a different wireless network within range, one that doesn't have blocking mechanisms in place. Or someone might connect the computer to a cell phone that has Internet access and use the phone as a modem. Keep track of wireless networks that may be available from your company premises and, if possible, block their signals.

9: Control remote access

Your users don't have to be on site to take corporate data away with them. With the popularity of telecommuting and working on the road rising all the time, users can access the company network via various remote access technologies.

10: Beware of creative data theft methods

Remember that your data can walk out in many different formats. A user can print out a document and carry it out in paper form or a thief can steal printed documents from trash cans if the documents haven't been shredded. Even if you've implemented a technology such as rights management to prevent copying or printing documents, someone could take a digital or film photograph of the content onscreen or even sit and copy the information by hand. Be aware of all the ways your data can leave the premises, and take steps to protect against them.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

26 comments
seanka

You must have a signed policy in place, which includes anti-compete agreements, or the court will just shrug its shoulders should an employee steal a client list and start their own business. I've seen it happen. The employee is often one whom the client works with every day and with whom has built a great deal of trust. Violation of trust is the key advantage of data thieves.

ITsteve13

Very informative and well-written article. You provided a lot of interesting insight here, and I'm glad you touched on the importance of restricting USB devices. As you said, one of the most popular ways to sneak digital information out of the office is by way of removable media copies. Because USB flash drives are so small and easy to conceal, and personal MP3 players such as iPods are so popular, the threat of data theft is constant, so it's necessary to monitor and restrict the usage of USB ports. One tool that easily enables USB restrictions is the NetWrix USB Blocker. The USB Blocker is free, and it enforces centralized USB access control to prevent unauthorized use of removable media via USB ports. The solution is ready to go after a simple point-and-click deployment, and then seamlessly integrates into Active Directory. Once installed, the NetWrix USB Blocker hardens endpoint security and enables regulatory compliance. So one easy way to heed Debra's advice and comply with step five is by way of the NetWrix USB Blocker. You can download it for free at http://www.netwrix.com/requestd.html?product=ub. Stephen Schimmel Product Manager NetWrix Corporation www.netwrix.com

Daniel Breslauer

Then be careful of the radiation. Because you must be working at a nuclear weapons factory! This sounds more than slightly exaggerated for just about every company I know, even hospitals. This sounds unhuman.

ambarboza

Is there any way to only monitor the data, not to block the work of the users?

reisen55

Ever fire a network engineer? Revenge is a dish best served with a bag full of hardware and software walking out the door, with backdoor accounts left unknown and perhaps in hard to find locations. Immediately shut down all rights to privileged access that may be compromised, inventory update asap and pursue hardware theft with diligence.

Aaron

You have talked about securing corporate data, but any organisation that works with external resources (consultants, onshore/offshore outsourcers, development labs etc) has an exposure that often seems to be ignored. When external technicians create programs or other types of content in the course of their assignment, do you check the provenance of that IP and ensure that the new data is 'moved' into your domain? Too often I arrive onsite only to find that a previous consultant has built applications/infrastructures/architectures and when they left the only 'handover' was of the running systems. No accounting was made for the ancillary data or for the actual system itself being handed into the client at the end of an assignment. Conversely, are you sure that onsite consultants have created a solution from scratch, or are they just re-cycling IP from previous assignments? There's nothing wrong with that, as long as any re-cycling is properly attributed and you know what your exposure is.

gary

Ten great ideas but if they are so good why do we need to mention the obvious? Because the majority of the people who use a computer are unable to comprehend the logic behind these common sense measures. Of course, users say that they are in favor of security but they want functionality. The moment functionality (i.e., "I need to use it now" or "That would be nice") is hindered by security, users complain. The only way that any business will ever implement these 10 ideas will be by licensing their users. That means regular training and testing of users' computer skills. But that is not going to happen unless there is a legal requirement because no business is going to invest that much in user training and support.

mferns

One important point which has been missed is stopping users creating rules in Outlook to auto-forward all their e-mail to an external e-mail account. This can be easily set at the Exchange server. Forwarding of individual e-mails is still permitted.

DragonRider_65

These are some pretty intensive steps, like it would be worth millions if you lost your data; but nowadays, is that much "extra" security really necessary? I imagine just about every company has a small percentage of employees who scrape off a little information from their companies, it is human nature to covet and steal? But are they really accomplishing anything with it though? I am a student at ITT Technical Institute and I know many other fellow students whom you couldn't stop from getting into your encrypted or secure networks if you tried!

maclovin

#1: Shoot Lusers on Sight. (HA HA) Now, in all seriousness, this site also published an article a little while ago advocating the use of home computers at work. I guess I'm a little confused. Which is it? Security or Stupidity? I'm not trying to be condescending, I just want to know which side of the fence I'm dealing with.

ip2host

As I mentioned in my previous post I use the tracking module which is built into the Sophos engine. Sophos is an AV program with some cool features such as data monitoring, client firewall, NAC, etc. Of course it is not free but it's worth every penny.

pconaty

Have recently found yet another way staff can get data out of the company which I have yet to find a solution for. Remote meeting programs such as netmeeting, webex, etc nearly all come with an option to upload/download and share files. As this happens within the netmeeting session I have yet to find a way of tracking what's happening and/or preventing transfer of files. Anybody else found a solution to this?

tracy.walters

Many users just don't think about security on a day to day basis because they are just trying to get their work done. Security has to become part of their thinking, and they are NOT going to make that step on their own. It's up to IT/Security staff to make it become part of their psyche. I do it by giving a two hour presentation on security at our twice a year Continuing Professional Education events where all the company comes together. It's a handy event for me, but another option is to sponsor brown bag lunches (maybe even get the company to pop for pizza). Cover these ten steps, point out that the success of the company is success for the employee too, and help them get their heads around the idea that security is a good thing. You have to keep reminding people, keep it fresh in their head and part of the company culture. It doesn't have to be accompanied by threats in most cases, but you have to be persuasive. That being said, there are employees who have ulterior or negative motives. The same employee who would steal (pad expense reports, divert funds, etc.) will probably think nothing of selling or using company data for their own interests. Those people will require 'special' handling, and a little paranoia is a good thing with them.

TechRepublic

Being the IT geeks that we are, we are very reliant on engineering and technology to solve data access problems, but in reality, we need to strike a balance: Between technology and policy solutions and between access and security. I think that there is a subset of situations and users for which these 'best practices' might be useful, but overall, achieving a complete level of lockdown on corporate systems sounds unworkable. For those users that are using PCs for limited, repetitive activities (call centers, data entry, equipment control, etc), most of this list makes sense and sounds do-able. Some of the items on the list are universally good ideas: least privilege access, proper audits, rights management, etc. I have seen too many companies, from 3-person shops to large corporations, whose networks are so wide open that any discussion of security is laughable. The real problem is resources. Show me an IT shop that has the staff and know-how to properly administer these policies and audits, and I will show you an IT shop that has been slashed by 2/3 over the last two years. Once you get past the basic 'good idea' part of the list, things get trickier. Even basic secretarial tasks in the modern office require some level of information sharing: emailing attachments, burning CDs for clients and staff, etc. Sure, you can send your junior desktop support admin over to the boss's secretary's PC to epoxy her USB ports, but don't come crying to me when your vacation request form goes missing. I think that the real key is proper management at an executive level. An understanding of information management needs to start at the top with policies on what data is to be shared and what is not. Users usually break policy rules because they have a real business need, not because they are devious - find out where the deficiencies are in legitimate data access and meet the needs of users so they don't have to get creative.
If they break the rules for illegitimate data usage, punish those users accordingly and fairly. Sometimes we in IT forget that computers are communications devices - they are inherently designed to move data. The act of placing a communications device in the hands of a user (especially laptops in the hands of remote users) without real policies on how that device is to be used is often the real problem. Yes, put engineering controls in place where practical, but understand their limitations as well. You must balance engineering controls with policy.

alliancemillsoft

Things like non compete agreements, confidentiality agreements, etc should at least get some mention. In many ways the threat of legal persuasion is stronger than all these technical issues. Any technical solution can be sidestepped or outright broken. I read recently of a company that maintains one network connected to the world for employees, and another entirely separate intranet without outside connections of any kind just for security. Seems like quite an inconvenience to me but I can see how some data is just too proprietary to leave exposed by any means.

ip2host

You make that point right. I also think that that kind of security is more trouble than solution. As far as I go is that IPsec policy.. that's ok solution preventing guests and other unauthorized personnel to look into network. But internal control... I did data scanning through policy in Sophos engine. Nothing is forbidden but I keep logs of every copied, emailed, or whatever document by type of extension. So if theft had happened I will know which way to look at.

partiedout

Where's this setting in Exchange - we're trying to do just that right now and I can't, for the life of me, find how to prevent users setting this kind of rule! We're currently stopping the mails at the perimeter by scanning for "auto forwarded by a rule" in the body, then reviewing the cases one by one.

oldbaritone

no, wait a minute... oops - too late. ;-)

ambarboza

If there is an alternative, why take such actions as extreme?

WiseITOne

The U.S. military has two separate networks, which given their size is quite amazing. Meaning there is AN ENTIRE WORLD network that runs off of a completely separate data line and NONE of these lines come within 7 feet of the non-secure lines. Talk about secure, they do all of these steps mentioned and more. Better to prevent and prepare than repent and repair. I agree that this might not stop the most discerning hacker, but then again how many average HR or Business Joes have hacking skills sufficient to circumvent security protections. This does seem a bit Draconian or extreme and I doubt implementing a no USB rule will be user friendly. I think it comes down to securing the items that are VITAL to company survival and then laxing gradually the security down to the common files. If company culture is secure for the sake of the company the drones will fall in line as long as it makes sense, i.e. we have the SSN numbers of millions of Americans so you must comply - would have been nice if they had these measures in place before all that data was stolen the last 2-3 years.

saghaulor

Unless the data is on an isolated network, with all peripheral devices locked out, and no pen and paper, or cameras allowed, and the ability to Men in Black pen erase the employee's memories, data is never safe. Consequently, the only real safety is making sure that you have your IP legally protected, and that you have measures in place so that you can prove that your suspect in fact stole the IP. The auditing and restrictions certainly help to build the legal case though. But don't mistake the fact that they do not protect you from IP theft.

paulmcbob

Which version of Exchange are you using? It is set by default in Exchange 2007 to prevent this and I believe is default in 2003.
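The server-side control discussed in this thread, as an added example that is not part of any commenter's post: it shows the remote-domain auto-forward setting and lists inbox rules that send mail outside the organization. It assumes the Exchange Management Shell (Exchange 2010 or later for `Get-InboxRule`) and a hypothetical internal domain `contoso.com`.

```powershell
# Added example; contoso.com is an assumed internal domain, replace it with
# your own accepted domains.
$InternalDomains = @('contoso.com')

# 1. Server-side switch: may client rules auto-forward to each remote domain?
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled

# Turn it off for the catch-all "*" remote domain, which is named "Default".
# Manually forwarding an individual message is not affected.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Audit: which mailboxes already have rules that forward or redirect
#    to an address outside the organization?
function Test-ExternalRecipient([string]$Recipient) {
    # SMTP recipients in rule output typically look like
    #   "someone@example.org" [SMTP:someone@example.org]
    # Internal (EX:) recipients do not match and are treated as internal.
    if ($Recipient -match 'SMTP:[^@\]]+@([^\]\s]+)') {
        return $InternalDomains -notcontains $Matches[1].ToLower()
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox "$($mbx.PrimarySmtpAddress)") {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ -and (Test-ExternalRecipient $_) }
        if ($targets) {
            New-Object psobject -Property @{
                Mailbox = "$($mbx.PrimarySmtpAddress)"
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Targets = $targets -join '; '
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table Mailbox, Rule, Enabled, Targets -AutoSize
```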

ip2host

I am just telling you what I use. Of course I didn't buy Sophos because of data scanning, I already had Sophos as antivirus and this is just part of it...

pconaty

We implemented USB lockdown nearly 18 months ago and have had no major issues. Once you provide whitelisted devices to senior or trusted staff (which still get scanned on connection) there are no major issues. Why any responsible IT Dept lets an ordinary call centre user plug their iPod or a thumb drive into a PC is beyond me. It's asking for trouble.