#1: Shoot Lusers on Sight. (HA HA)
Now, in all seriousness, this site also published an article a little while ago advocating the use of home computers at work.
I guess I'm a little confused. Which is it? Security or Stupidity?
I'm not trying to be condescending, I just want to know which side of the fence I'm dealing with.
Discussion on:
View:
Show:
These are some pretty intensive steps, like it would be worth millions if you lost your data; but nowadats, is that much "extra" security really necessary? I imagine just about every company has a small persentage of employees who scrape off a little information from their companies, it is human nature to covet and steal? But are they really accomplishing anything with it though? I am a student at ITT Technical Institute and I know many other fellow students whom you couldn't stop from getting into your encrypted or secure networks if you tried!
One important point which has been missed is stopping users creating rules in Outlook to auto-forward all their e-mail to an external e-mail account.
This can be easily set at the Exchange server. Forwarding of individual e-mails is still permitted.
This can be easily set at the Exchange server. Forwarding of individual e-mails is still permitted.
Where's this setting in Exchange - we're trying to do just that right now and I can't, for the life of me, find how to prevent users setting this kind of rule!
We're currently stopping the mails at the perimeter by scanning for "auto forwarded by a rule" in the body, then reviewing the cases one by one.
We're currently stopping the mails at the perimeter by scanning for "auto forwarded by a rule" in the body, then reviewing the cases one by one.
Which version of Exchange are you using? It is set by default in Exchange 2007 to prevent this and I believe is default in 2003.
Ten great ideas but if they are so good why do we need to mention the obvious? Because the majority of the people who use a computer are unable to comprehend the logic behind these common sense measures.
Of course, users say that they are in favor of security but they want functionality. The moment functionality (i.e., "I need to use it now" or "That would be nice") is hindered by security, users complain.
The only way that any business will ever implement these 10 ideas will be by licensing their users. That means regular training and testing of users' computer skills. But that is not going to happen unless there is a legal requirement because no business is going to invest that much in user training and support.
Of course, users say that they are in favor of security but they want functionality. The moment functionality (i.e., "I need to use it now" or "That would be nice") is hindered by security, users complain.
The only way that any business will ever implement these 10 ideas will be by licensing their users. That means regular training and testing of users' computer skills. But that is not going to happen unless there is a legal requirement because no business is going to invest that much in user training and support.
You make that point right. I also think that that kind of security is more trouble then solution.
As far as I go is that IPsec policy.. that's ok solution preventing guests and other unauthorized personal to look into network.
But internal control...
I did data scanning through policy in Sophos engine. Nothing is forbidden but I keep logs of every copied, emailed, or whatever document by type of extension. So if theft had happened I will know which way to look at.
As far as I go is that IPsec policy.. that's ok solution preventing guests and other unauthorized personal to look into network.
But internal control...
I did data scanning through policy in Sophos engine. Nothing is forbidden but I keep logs of every copied, emailed, or whatever document by type of extension. So if theft had happened I will know which way to look at.
Things like non compete agreements, confidentiality agreements, etc should at least get some mention.
In many ways the threat of legal persuasion is stronger than all these technical issues. Any technical solution can be sidestepped or outright broken.
I read recently of a company that maintains one network connected to the world for employees, and another entirely separate intranet without outside connections of any kind just for security. Seems like quite an inconvenience to me but I can see how some data is just too proprietary to leave exposed by any means.
In many ways the threat of legal persuasion is stronger than all these technical issues. Any technical solution can be sidestepped or outright broken.
I read recently of a company that maintains one network connected to the world for employees, and another entirely separate intranet without outside connections of any kind just for security. Seems like quite an inconvenience to me but I can see how some data is just too proprietary to leave exposed by any means.
Unless the data is on an isolated network, with all peripheral devices locked out, and no pen and paper, or camera's allowed, and the ability to Men in Black pen erase the employee's memories, data is never safe. Consequently, the only real safety is making sure that you have your IP legally protected, and that you have measures in place so that you can prove that your suspect in fact stole the IP. The auditing and restrictions certainly help to build the legal case though. But don't mistake the fact that they do not protect you from IP theft.
The U.S. military has two separate networks, which given their size is quite amazing. Meaning their is AN ENTIRE WORLD network that runs off of a completely separate data line and NONE of these lines come within 7 feet of the non-secure lines. Talk about secure, they do all of these steps mentioned and more. Better to prevent and prepare then repent ad repair.
I agree that this might not stop the most discerning hacker, but then again how many average HR or Business Joes have hacking skills sufficient to circumven security protections.
This does seem a bit Draconian or extreme and I doubt implimenting a no USB rule will be user friendly. I think it comes down to securing the items that are VITAL to company survival and then laxing gradually the security down to the common files. If company culture is sucure for the sake of the company the drones will fall in line as long as it makes sense, i.e. we have the SSN numbers of millions of Americans so you must comply - would have been nice if they had these measures in place before all that data was stolen the last 2-3 years.
I agree that this might not stop the most discerning hacker, but then again how many average HR or Business Joes have hacking skills sufficient to circumven security protections.
This does seem a bit Draconian or extreme and I doubt implimenting a no USB rule will be user friendly. I think it comes down to securing the items that are VITAL to company survival and then laxing gradually the security down to the common files. If company culture is sucure for the sake of the company the drones will fall in line as long as it makes sense, i.e. we have the SSN numbers of millions of Americans so you must comply - would have been nice if they had these measures in place before all that data was stolen the last 2-3 years.
We implemented USB lockdown nearly 18 months ago and have had no major issues. Once you provide whitelisted devices to senior or trusted staff (which still get scanned on connection) there are no major issues. why any responsible IT Dept lets an ordinary call centre user plug their IPOD or a thumb drive into a PC is beyond me. It's asking for trouble.
Being the IT geeks that we are, we are very reliant on engineering and technology to solve data access problems, but in reality, we need to strike a balance: Between technology and policy solutions and between access and security.
I think that there is a subset of situations and users for which these 'best practices' might be useful, but overall, achieving a complete level of lockdown on corporate systems sounds unworkable.
For those users that are using PCs for limited, repetitive activities (call centers, data entry, equipment control, etc), most of this list makes sense and sounds do-able. Some of the items on the list are universally good ideas: least privilege access, proper audits, rights management, etc. I have seen too many companies, from 3-person shops to large corporations, whose networks are so wide open that any discussion of security is laughable. The real problem is resources. Show me an IT shop that has the staff and know-how to properly administer these policies and audits, and I will show you an IT shop that has been slashed by 2/3 over the last two years.
Once you get past the basic 'good idea' part of the list, things get trickier. Even basic secretarial tasks in the modern office require some level of information sharing: emailing attachments, burning CDs for clients and staff, etc. Sure, you can send your junior desktop support admin over to the boss's secretary's PC to epoxy her USB ports, but don't come crying to me when your vacation request form goes missing.
I think that the real key is proper management at an executive level. An understanding of information management needs to start at the top with policies on what data is to shared and what is not. Users usually break policy rules because they have a real business need, not because they are devious - find out where the deficiencies are in legitimate data access and meet the needs of users so they don't have to get creative. If they break the rules for illegitimate data usage, punish those users accordingly and fairly.
Sometimes we in IT forget that computers are communications devices - they are inherently designed to move data. The act of placing a communications device in the hands of a user (especially laptops in the hands of remote users) without real policies on how that device is to be used is often the real problem. Yes, put engineering controls in place where practical, but understand their limitations as well. You must balance engineering controls with policy.
I think that there is a subset of situations and users for which these 'best practices' might be useful, but overall, achieving a complete level of lockdown on corporate systems sounds unworkable.
For those users that are using PCs for limited, repetitive activities (call centers, data entry, equipment control, etc), most of this list makes sense and sounds do-able. Some of the items on the list are universally good ideas: least privilege access, proper audits, rights management, etc. I have seen too many companies, from 3-person shops to large corporations, whose networks are so wide open that any discussion of security is laughable. The real problem is resources. Show me an IT shop that has the staff and know-how to properly administer these policies and audits, and I will show you an IT shop that has been slashed by 2/3 over the last two years.
Once you get past the basic 'good idea' part of the list, things get trickier. Even basic secretarial tasks in the modern office require some level of information sharing: emailing attachments, burning CDs for clients and staff, etc. Sure, you can send your junior desktop support admin over to the boss's secretary's PC to epoxy her USB ports, but don't come crying to me when your vacation request form goes missing.
I think that the real key is proper management at an executive level. An understanding of information management needs to start at the top with policies on what data is to shared and what is not. Users usually break policy rules because they have a real business need, not because they are devious - find out where the deficiencies are in legitimate data access and meet the needs of users so they don't have to get creative. If they break the rules for illegitimate data usage, punish those users accordingly and fairly.
Sometimes we in IT forget that computers are communications devices - they are inherently designed to move data. The act of placing a communications device in the hands of a user (especially laptops in the hands of remote users) without real policies on how that device is to be used is often the real problem. Yes, put engineering controls in place where practical, but understand their limitations as well. You must balance engineering controls with policy.
Many users just don't think about security on a day to day basis because they are just trying to get their work done. Security has to become part of their thinking, and they are NOT going to make that step on their own. It's up to IT/Security staff to make it become part of their psyche. I do it by giving a two hour presentation on security at our twice a year Continuing Professional Education events where all the company comes together. It's a handy event for me, but another option is to sponsor brown bag lunches (maybe even get the company to pop for pizza). Cover these ten steps, point out that the success of the company is success for the employee too, and help them get their heads around the idea that security is a good thing.
You have to keep reminding people, keep it fresh in their head and part of the company culture. It doesn't have to be accompanied by threats in most cases, but you have to be persuasive.
That being said, there are employees who have ulterior or negative motives. The same employee who would steal (pad expense reports, divert funds, etc.) will probably think nothing of selling or using company data for their own interests. Those people will require 'special' handling, and a little paranoia is a good thing with them.
You have to keep reminding people, keep it fresh in their head and part of the company culture. It doesn't have to be accompanied by threats in most cases, but you have to be persuasive.
That being said, there are employees who have ulterior or negative motives. The same employee who would steal (pad expense reports, divert funds, etc.) will probably think nothing of selling or using company data for their own interests. Those people will require 'special' handling, and a little paranoia is a good thing with them.
You can download a free 30-day fully-functional copy of FileAudit from: http://www.FileAudit.com
Have recently found yet another way staff ca nget data out of the company which I have yet to find a solution for. Remote meeting programs such as netmeeting, webex, etc nearly all come with an option to upload/download and share files. As this happens within the netmeeting session I have yet to find a way of tracking whats happening and/or preventing transfer of files. Anybody else found a solution to this?
You have talked about securing corporate data, but any organisation that works with external resources (consultants, onshore/offshore outsourcers, development labs etc) has an exposure that often seems to be ignored.
When external technicians create programs or other types of content in the course of their assignment, do you check the provenance of that IP and ensure that the new data is 'moved' into your domain?
Too often I arrive onsite only to find that a previous consultant has built applications/infrastructures/architectures and when they left the only 'handover' was of the running systems. No accounting was made for the ancillary data or for the actual system itself being handed into the client at the end of an assignment.
Conversely, are you sure that onsite consultants have created a solution from scratch, or are they just re-cycling IP from previous assignments? There's nothing wrong with that, as long as any re-cycling is properly attributed and you know what your exposure is.
When external technicians create programs or other types of content in the course of their assignment, do you check the provenance of that IP and ensure that the new data is 'moved' into your domain?
Too often I arrive onsite only to find that a previous consultant has built applications/infrastructures/architectures and when they left the only 'handover' was of the running systems. No accounting was made for the ancillary data or for the actual system itself being handed into the client at the end of an assignment.
Conversely, are you sure that onsite consultants have created a solution from scratch, or are they just re-cycling IP from previous assignments? There's nothing wrong with that, as long as any re-cycling is properly attributed and you know what your exposure is.
Ever fire a network engineer? Revenge is a dish best served with a bag full of hardware and software walking out the door, with backdoor accounts left unknown and perhaps in hard to find locations. Immediately shutdown all rights to privileged access that may be compromised, inventory update asap and pursue hardware theft with dilligence.
Is there any way to only monitor the data, not to block the work of the users?
As I mentioned in my previous post I use tracking modul which is built in Sophos engine.
Sophos is AV program with some cool features such as data monitoring, client firewall, NAC, etc. ofcourse it is not free but it's worth every penny.
Sophos is AV program with some cool features such as data monitoring, client firewall, NAC, etc. ofcourse it is not free but it's worth every penny.
I am just telling you what I use. Ofcourse I didnt bought Sophos becouse of data scaning, I already had Sophos as antivirus and this is just part of it...
Then be careful of the radiation. Because you must be working at a nuclear weapons factory!
This sounds more than slightly exaggerated for just about every company I know, even hospitals. This sounds unhuman.
This sounds more than slightly exaggerated for just about every company I know, even hospitals. This sounds unhuman.
Very informative and well-written article. You provided a lot of interesting insight here, and I?m glad you touched on the importance of restricting USB devices. As you said, one of the most popular ways to sneak digital information out of the office is by way of removable media copies. Because USB flash drives are so small and easy to conceal, and personal MP3 players such as iPods are so popular, the threat of data theft is constant, so it?s necessary to monitor and restrict the usage of USB ports.
One tool that easily enables USB restrictions is the NetWrix USB Blocker. The USB Blocker is free, and it enforces centralized USB access control to prevent unauthorized use of removable media via USB ports. The solution is ready to go after a simple point-and-click deployment, and then seamlessly integrates into Active Directory. Once installed, the NetWrix USB Blocker hardens endpoint security and enables regulatory compliance. So one easy way to heed Debra?s advice and comply with step five is by way of the NetWrix USB Blocker. You can download it for free at http://www.netwrix.com/requestd.html?product=ub.
Stephen Schimmel
Product Manager
NetWrix Corporation
www.netwrix.com
One tool that easily enables USB restrictions is the NetWrix USB Blocker. The USB Blocker is free, and it enforces centralized USB access control to prevent unauthorized use of removable media via USB ports. The solution is ready to go after a simple point-and-click deployment, and then seamlessly integrates into Active Directory. Once installed, the NetWrix USB Blocker hardens endpoint security and enables regulatory compliance. So one easy way to heed Debra?s advice and comply with step five is by way of the NetWrix USB Blocker. You can download it for free at http://www.netwrix.com/requestd.html?product=ub.
Stephen Schimmel
Product Manager
NetWrix Corporation
www.netwrix.com
You must have a signed policy in place, which includes anti-compete agreements, or the court will just shrug its shoulders should an employee steal a client list and start their own business. I've seen it happen. The employee is often one whom the client works with every day and with whom has built a great deal of trust. Violation of trust is the key advantage of data thieves.
- Keyboard Shortcuts:
- Prev
- Next
- Toggle
