2

What's common sense when it comes to minimising the risk of employees spreading critical information to rivalling companies?

As of today, it's clear that not even the US government and military can be sure that their data stays safely within their doors. Thereby I understand that my question probably instead should be written as "What is common sense to make it harder for employees to spread business critical information?"

If anyone would want to spread information, they will find a way. That's the way life works and always has.

If we make the scenario a bit more realistic by narrowing our workforce by assuming we only have regular John Does onboard and not Linux-loving sysadmins, what should be good precautions to at least make it harder for the employees to send business-critical information to the competition?

As far as I can tell, there are a few obvious solutions that clearly have both pros and cons:

  1. Block services such as Dropbox and similar, preventing anyone from sending gigabytes of data through the wire.
  2. Ensure that only files below a set size can be sent as email (?)
  3. Set up VLANs between departments to make it harder for kleptomaniacs and curious people to snoop around.
  4. Plug all removable media units - CD/DVD, Floppy drives and USB
  5. Make sure that no configurations to hardware can be made (?)
  6. Monitor network traffic for non-linear events (how?)

What is realistic to do in the real world? How do big companies handle this? Sure, we can take the former employee to court and sue, but by then the damage has already been caused...

Thanks a lot

HopelessN00b
Industrial
  • It seems to me that this would be a far better fit on http://security.stackexchange.com/ – Zoredache Jan 12 '11 at 22:46
  • @Zoredache I had no idea that that even existed. Feels like new Stack Exchange sites are appearing every day :) – Industrial Jan 12 '11 at 22:48
  • This could definitely be a sysadmin type of question - do we really want to shunt questions like this to more specialized sites? – mfinni Jan 12 '11 at 23:01
  • @Zoredache I gotta get over there more often. – sysadmin1138 Jan 12 '11 at 23:21
  • 5
    @mfinni that's a real "meta" kinda question but I dislike this kind of fragmentation of the sites I have to say. – Rob Moir Jan 12 '11 at 23:24
  • 1
    @mfinni, my view is that this is a management issue, not system administration. Once policy has been formulated, preferably with the input of the sysadmins, it may well be up to the admins to implement it, which would then become an appropriate topic for SF. Formulation of management policy, which is what this question is about, is not SF material in my opinion. – John Gardeniers Jan 12 '11 at 23:34
  • @robert-moir I agree. I created a question on meta to discuss that issue. – Scrivener Jan 13 '11 at 00:06
  • 1
    As the question is asked, it's about how (technologically) to stop information leaking. Presumably, the policy has already been formulated. – mfinni Jan 13 '11 at 12:17

5 Answers

5

There are a variety of things that can be done. There are entire industries created around the very idea of "how do I keep information from leaking". The ubiquity of static data storage and wireless networks (both wifi and 3G/4G) makes wired network-perimeter security less of a barrier than it was even 5 years ago.

As with all security, managing the exceptions can be very tricky. Yes, you can disable all USB ports, but that leaves USB keyboards, mice, and printers in the dark. You can disable all access to Facebook, but the Public Relations office will definitely need access. The extremely paranoid can ban all phones with cameras (lest someone phone-cam a doc and mail it to a competitor) but that's really hard to make stick these days. And then there is the old fashioned method of taking home printouts to fax.

If someone really wants to leak information, it's generally easy.

I can't stress enough the impact that municipal scale high-bandwidth networks have on security posture. With nearly everyone with a camera in their pocket and a phone-plan able to accommodate pictures, 1-5 page documents can be sent with ease without ever touching the corporate LAN. If USB connections are enabled, many smartphones can expose local storage to a workplace computer and have files saved on it which can then be sent from the phone directly if not sneakernetted home and sent from there.

The phone-cam 'attack' is particularly insidious since it leaves no log traces on company equipment the way that USB mounts potentially can.

The ironic thing about Internet-access restrictions blocking social networking sites and all known webmail providers is that it forces people onto their phones for the same service.


Big companies handle this by ignoring the hard-to-manage threats (see above for a good example of one) and managing the risks they can manage cheaply. That means:

  • Blocking websites of any suspicious class (social media and webmail sites are big ban targets) and known web-proxy sites
  • Recording all outbound email
  • Enforcing a captive portal for internet access, requiring logon with corporate credentials before access is given
  • Monitoring outbound email for private data using varying complexities of filters (big industry with this one)
  • Ensuring least privilege on the local network so people don't have access to secrets they don't need
  • Using asset-inventorying software to monitor corporate hardware for change events
  • Using event-log monitoring software to track hardware events such as use of removable media
  • Setting Group Policies to ban certain behaviors deemed unneeded in the workplace
  • Using strong encryption on any WLANs in use

These days the network perimeter is not just at the WAN/LAN demarc, it touches every point of the network where data is released into analog form of any kind and the tools for exploiting such analog holes are getting ever better and ever more common. And other such things.

sysadmin1138
3

In the first case are we talking about malicious activity/corporate espionage? Or stupidity/negligence? (both are real issues).

In either case, start with making a note of what information sharing is needed to get the job done (remember the IT tail should never wag the business dog) and a workplace HR policy that spells out that this is all that is allowed and that infractions are disciplinary matters.

In addition to this, remember that employees are human - unless you're working somewhere that clearly and obviously requires draconian security policies, going over the top will alienate the staff and harm productivity - remember you're not securing the system because securing the system is good fun, you're doing it to protect the business. Part of protecting the business includes not annoying and disrupting employees for no good purpose.

Lastly, in terms of the "setting policy" points, remember that IT Security does not exist in a vacuum. There is little point in locking down the network if physical security is lax. Why would someone need to break into the network if they can just walk into an office and pick up the data in a nice little printout, hide it inside their lunchbox and walk out?

If you don't want people in one department talking about confidential business to people in another department then again, this needs to be made clear to them. Again, there is little point in locking down the network if someone can just buy a friend lunch and ask them about it.

Make sure printers and photocopiers are appropriately secured - people leave all kinds of documents sitting by the printer. And printers and photocopiers sometimes retain a copy of the last printed document in their memory...

As for the actual IT side of things...

Your 6 points are a good starting point but there's a few things to be aware of here:

Configuration lock-down and management is a good start, but how does information legitimately arrive at and leave the business? Can these workflows be abused?

If you're blocking up all the USB ports then how does the mouse work? These are usually USB these days after all. If you leave one port for that a determined thief could unplug the mouse and plug in a USB drive. So perhaps you need to consider software based blocking that prohibits the installation of certain classes of device.

You need to consider sophisticated email filtering if you want to go down that road. Rather than just assuming that any files over a certain size are to be blocked as bad, you need the sorts of email filtering that are available that scan content for keywords and patterns you define and take actions based on that.

Separating sensitive offices into their own VLANs (if not totally physically separate networks) is good standard practice. Be aware that this will increase support costs and may be prone to breaches due to human error on the part of the support technicians who do the wiring.

One thing I would certainly do is ensure that data wasn't stored locally on workstations and laptops but rather saved onto central servers. These should be easier to secure both physically and electronically. Consider storing documents in document management systems that enable you to track access and changes made. This can also allow for IRM to control who can do what to a document. These systems aren't foolproof but can help.

There's a lot more things you can say about this subject but these might give you some interesting thoughts. It's a subject that you can write a book about (indeed several people have).

Rob Moir
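The content-scanning mail filter described in this answer (and in the "monitoring outbound email" bullet of the first one), as an added example that is not part of the original answers: a small outbound-message scanner that matches configured keywords and card-number patterns, uses a Luhn check so random digit runs are not flagged, and maps findings to a quarantine/review/deliver decision. The keyword list, the sample messages and the policy thresholds are constructed for the example.

```python
import re

# Constructed policy: keywords an organisation might configure (assumed values).
KEYWORDS = ("project nightingale", "internal only", "confidential")
# 13-16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn checksum: true for well-formed card numbers, false for most
    phone numbers, order ids and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(body):
    """Return a list of (rule, detail) findings for one outbound message body."""
    findings = []
    lowered = body.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append(("keyword", kw))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Log a masked form, never the full number.
            findings.append(("card-number", digits[:6] + "..." + digits[-4:]))
    return findings


def decide(body):
    """Constructed policy: any card number -> quarantine, keywords -> human review."""
    findings = scan_message(body)
    if any(rule == "card-number" for rule, _ in findings):
        return "quarantine"
    return "review" if findings else "deliver"


# Constructed sample messages (the card number is a well-known test number).
SAMPLES = {
    "plain": "Lunch on Friday? Call me at 555-0100.",
    "keyword": "Attaching the Project Nightingale slides, don't forward.",
    "card": "Customer paid with 4111 1111 1111 1111, please refund.",
    "digits": "Order reference 1234 5678 9012 3456 shipped today.",
}
```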
2

The short answer is you can't and you have to be able to trust your users. All you can do is limit what information someone has access to based on their trust level. If they need it for their job, but you don't trust them to have it, then you have the wrong person in that position. Most of the critical data isn't going to be large, but things like financial numbers, customer credit card numbers, and such. For example, we only have credit card numbers go one way into the system and they are never displayed to any user or even back to the customer. Financial reports are audited and reviewed to see who is running them and from where.

JOTN
2

As you mention, if somebody wants to get stuff out, they will find a way even if you have blocked the obvious routes. For example, try to stop employees from using cell phone cams to do screengrabs or stealing printouts.

I prefer monitoring and mirroring of the obvious routes. This encourages users to go the path of least (monitored) resistance. Don't block all USB usage, instead log usage and mirror the data to a server (we use DriveLock for this) - it can also block USB storage without blocking USB keyboards and mice. Set up auditing of the data periodically and look for odd transfers.

You can do similar stuff with BlueCoat appliances for the network, but you have to proxy all SSL connections to enable the device to audit all file transfers. I'd look into these to cover your (1) and (6). Users will be aware of the proxying though.

If you do completely block access to devices or sites, make sure to check the logs for failed attempts periodically to see who's attempting what. Without intercepting the content itself though, attempts are easily deniable, e.g. by renaming CAD drawings to familyphoto.jpg.

For (5), use BIOS boot passwords to prevent unauthorized hardware changes or boot media, otherwise any user can boot with a LiveCD and copy whole drives.

(3) is silly as mentioned previously. ACLs and content encryption is more appropriate for this.

Also, before auditing logs, have a plan as to what steps will be taken if more information needs to be gathered. Who will ok more detailed sniffing if something illegal/actionable is found? It's not uncommon to enable auditing in a medium size company and find something ugly right away.

Of course, talk to the appropriate legal contact in your organization before implementing any of these policies, and get permission in writing before doing anything.

hurfdurf
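The "familyphoto.jpg" problem this answer raises, as an added example that is not part of the original answer or of any product it names: when removable-media copies are mirrored and logged, the file header can be compared with the extension so a renamed drawing still stands out during the periodic audit. The signature table, the extension mapping and the sample copy log are constructed for the example; the flag-all-CAD rule is an assumed policy.

```python
import os

# Constructed table of (magic-byte prefix, canonical content type).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also the container format of docx/xlsx/pptx
    (b"AC10", "dwg"),         # AutoCAD DWG headers start with a version tag, e.g. AC1027
]
# What content type each claimed extension is expected to carry.
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "pdf": "pdf",
               "zip": "zip", "docx": "zip", "xlsx": "zip", "dwg": "dwg"}


def detect_type(header):
    """Identify the content type from the first bytes of the file."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return "unknown"


def check_transfer(filename, header):
    """Return (verdict, reason) for one file copied to removable media."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    claimed = EXT_TO_TYPE.get(ext)
    actual = detect_type(header)
    if claimed and actual != "unknown" and actual != claimed:
        return ("flag", "content is %s but extension claims %s" % (actual, claimed))
    if actual == "dwg":   # assumed policy: drawings never belong on a USB stick
        return ("flag", "CAD drawing copied to removable media")
    return ("allow", "extension matches content")


# Constructed copy log: (filename, first bytes of the mirrored file).
SAMPLE_LOG = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("familyphoto.jpg", b"AC1027\x00\x00\x00\x00\x00\x00"),   # renamed drawing
    ("bracket.dwg", b"AC1032\x00\x00\x00\x00\x00\x00"),
]


def suspicious_transfers(log=SAMPLE_LOG):
    """Only the entries an auditor needs to look at, with the reason."""
    return [(name,) + check_transfer(name, header) for name, header in log
            if check_transfer(name, header)[0] != "allow"]
```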
1

The things you listed are decent, if you really have such critical info. From the technical side, log everything as well - you can't block EVERYTHING. Item 3 is kind of silly though - just set appropriate ACLs on shared resources (files, websites/SharePoint, etc).

From a non-technical perspective - you can have non-compete agreements. As you say, you can take an employee to court. This is also a deterrent, not just a remedy - remember that.

You can also run your business in such a way that your employees feel valued and would be less likely to engage in such actions. That may or may not be at odds with running the place like it's on lockdown and no one is to be trusted with any info.

What is the critical information that your company holds? If it's patented or a trade secret, then a competitor can't use it (legally, AFAIK, IANAL, etc.) If it's your employees' experience and skills, tough - you don't own that, unless it's someone so high-value that you really do have a binding contract with them for a certain period of time. If it's something proprietary (from my own experience, a large database of contractors that a service company trusted to do work nationwide) - well, that's tougher. Technically, don't expose the whole database; but someone who's committed to the project could collect the most important info over time and slowly abscond with it.

mfinni