Finding a Balance

  • @Brian - Thanks. Good to find the common ground again.

    @jack-2 - I know what you mean. Unfortunately, the editorial asked, "should we ban personal storage devices from the workplace?". The answer should be, "it depends". An editorial based around "how aware are you of the security concerns that personal storage devices raise?" could be enlightening, but asking a yes/no question like this implied that the editorial was starting from a (as has been mentioned before) technology-fixated standpoint.

    Semper in excretia, suus solum profundum variat

  • Attempting to ban devices is futile at best and likely psychologically counterproductive.

    Anyone with evil intent can easily smuggle devices in. However the fact that such rules would affect people's legitimate and (when properly used) harmless products like ipods, phones, etc. will undoubtedly build a wall of resentment, and perhaps a culture of rule violation (everyone knows everyone else is doing it.. and everyone feels it's justified).

    There is no foolproof answer, but the key is in the traditional means of HR and management policies (prevention of embezzlement is a similar problem, and there is much experience at handling it) and with securing access to data (including locked USB ports on many machines).

    People are not machines. They do not work well when locked down. They are not loyal when locked down. Where people are treated as responsible adults (including encouraged to take personal responsibility to help protect the company's data) you have much more success in spotting the troublesome individuals.

    ...

    -- FORTRAN manual for Xerox Computers --

  • Jack Corbett (11/16/2007)


    While I agree with this point, I think the point of the editorial is that technology has made it easier to steal data. I can get 1000's of SSN's in under a second with a thumb drive and only 1 in the same amount of time using pen and paper.

    It really is a people issue, but there are unethical people out there in every industry so you have to do your best to slow them down.

    I have mixed feelings about thumb drives because I really don't know how much of an improvement that will be. Unless you purposely go after infrared and bluetooth, you haven't done yourself a whole lot of good. And as soon as you go after bluetooth, you limit some of the wireless keyboard and mouse combos which we see in use. That means you're back to USBs meaning now you've got to stay a step ahead on the portable devices. Not exactly fun.

    Also, the tried and true method of generating a printout and then taking that out with your other papers will still work. And as good as some of the OCRs are nowadays, it's a trivial exploit.

    Technology can only help somewhat. You are right, and others who have posted here are, too, in that this is a people problem. Good hiring policies, good awareness policies and proper training, engendering a sense of loyalty to the organization (which means the organization has to show loyalty and treat employees with dignity and respect) all come into play in order to try and reduce the threat.

    K. Brian Kelley
    @kbriankelley

  • Locks only keep honest people out.

    Regards
    Rudy Komacsar
    Senior Database Administrator
    "Ave Caesar! - Morituri te salutamus."

  • rudy komacsar (11/16/2007)


    Locks only keep honest people out.

    No, they keep out the curious and in the case of an attacker who is looking for easy prey, they keep those guys away, too (who will go and find easy pickin's somewhere else). They won't keep out a knowledgeable attacker who is making a concerted effort to get in.

    K. Brian Kelley
    @kbriankelley

  • For any company with more than 0 employees, there is no excuse for not having a policy, not communicating said policy, and not exercising penalties described in said policy, fairly and even-handedly, across the entire organization. CEOs are just as much employees of the company as facility maintenance personnel and should be just as bound by the policies. And where any job function is out-sourced, those companies and people must be required, as a matter of contractual agreement, to accept and abide by the policies set forth by each of their clients.

    That being said, every technological solution is just a roadblock. We will all end up saner in the end if we stop thinking there is a be-all and end-all technological solution for anything. I would not describe where I work as a paramount of security implementation, but we at least employ multiple methods of protecting data.

    Not only firewalls and constant scanning of perimeter security and encrypted laptops, but encrypted emails for customer communication and software monitoring email to ensure that personal information is not sent in the clear.

    To get back to the original question, I would agree that simply banning them would have a reverse effect. Making the fraudulent use of data expensive PERSONALLY to the perpetrator makes for a much better disincentive. Granted, this thinking is anti-SOX, which seems to penalize those who didn't have a problem and creates a whole new policing industry.

    Still, even personal disincentivization creates a Pandora's box. Every roadblock will be attacked by a newer and better method, so keep your eyes open.

    ------------
    Buy the ticket, take the ride. -- Hunter S. Thompson

  • A company I previously worked for used the approach of trying to lock everything down. New machines all got the BIOS locked up and the drives wiped and the company's locked-down Windows installed. (They were trying very hard to gain the benefit of volume purchase of ordinary desktops, not thin-clients, and couldn't do blades for the desktop.)

    The locks sort of worked - no one could burn CD/DVD, thumb drives and USB drives were locked out, etc. Caused them to take a lot of help desk calls to perform the required actions (burn a CD, DVD, etc), or grant the permission and make the config changes for limited time use for specific activities. Very expensive, and not even considering the lost productivity of the users, nor the bad feeling this engenders among the users!

    And the fun part was, I demonstrated that if you took a file and "encoded" it to base-64 (as for pure ascii e-mail), then printed it with a good courier font, the file could be readily OCR'ed and fully recovered. If the file was pre-processed to embed a good error correction code, even very large files could be handled. I'm sure that if I worked at it I could have built a small bit of code to generate a gif with a set of high-density bar codes, which would have worked even better -- all without installing any software. All that's needed is a small copy of Perl, and that could readily come in via e-mail or the web.

    Locks don't work for this stuff. If you have a high-security need, use fully locked down and isolated networks of blades or thin clients. For general use, deal with it as any trust relationship...... A company that doesn't trust its own employees to a reasonable extent is doomed anyway.

    And of course, trust but verify.....


    The End.

  • Agreed with a number of posters. It's all about psychology and human nature.

    An important part of policy making is that it be sufficiently targeted to harmful behavior, and not antagonize otherwise good employees. People are much more willing to cooperate with narrowly targeted rules that are perceived as fair.

    Consider two possible policies:

    1) All USB/ipods/smartphones etc are prohibited.

    2) Connecting to company equipment is prohibited.

    #1 is bad for a couple of reasons: It is unenforceable, especially to someone who is already willing to do harmful acts, sneaking a device in is trivial. Unenforceable rules are usually bad, because they can create a culture of rule breaking. Also, even more importantly it calls everyone with an ipod a suspected criminal, even though the primary use of the product is not criminal at all.

    #2 directly addresses the harmful action. It does not interfere with or impugn the employees who use these devices legitimately. It is much easier to enforce: a connection can be more detectable, and violations, since they are inherently more likely to be nefarious, are much more likely to be reported by other employees who would likely turn a blind eye to rule #1.

    ...

    -- FORTRAN manual for Xerox Computers --

  • Sir Slicendice (11/16/2007)


    I'm sure that if I worked at it I could have built a small bit of code to generate a gif with a set of high-density bar codes, which would have worked even better -- all without installing any software.

    Or better yet, go the stego route and just embed the data in an image file that looks innocent enough attached to your mail signature.

    K. Brian Kelley
    @kbriankelley

  • G Bryant McClellan (11/16/2007)


    Not only firewalls and constant scanning of perimeter security and encrypted laptops, but encrypted emails for customer communication and software monitoring email to ensure that personal information is not sent in the clear.

    Of course, if you are encrypting outbound e-mail, and the encryption is running on the desktop, the firm has lost the ability to monitor what is being sent out -- could be anything, including pure compressed binary data.... It may take a number of e-mails, but large amounts of data could leave via this route before you even were alerted to the anomaly. And if the employee used multiple different recipients and varied the message sizes, they could readily defeat most all monitoring....

    If you let them receive encrypted e-mail, there's no telling what's coming in!

    Not to say that this policy/implementation is wrong; just pointing out that there are always holes, and generally big gaping holes that are perhaps non-obvious. And false security is the worst security of all -- but it's generally all false in the tech world. Then again, today, a lot of security policies and procedures are very effective in the most important measure: the CYA Factor....

    But while we are all being very diligent at CYA and making lots of expensive work, I wonder if anyone is really tracking the cost impact of the lost productivity and the employee bad will. An employee who feels that the relationship with their company is poor may have incentive to harm the company in ways that are far deeper than just stealing data -- the sorts of harm that can accrue with just doing their job deliberately badly, even if for only a short time before moving on....


    The End.

  • So back to the original question, "should we ban portable devices", the answer seems to be "sometimes yes, sometimes no". Reasonable and prudent probably comes into play. There is no way I can think of to lock out all devices, especially considering the pace of technology, so I'd be asking what it's prudent to ban for a given company / situation. The answer may be different for every company out there! As a for instance, the military bans camera phones on base, but at my company there is not a real need to do so (note, someone could take pictures of reports with SSNs...)

    We use technology to solve problems, but it's not a panacea. The determined criminal can always find a way to bypass it, and is always sure they will never be caught. So I agree it is more important to be able to find out you've been breached than to ban all technology. And penalties for data theft should be more severe, in my view; the legal system hasn't caught up yet.

    In the end, it's a social engineering issue rather than a technological one.


    Here there be dragons...,

    Steph Brown

  • Stephanie J Brown (11/16/2007)


    As a for instance, the military bans camera phones on base, but at my company there is not a real need to do so (note, someone could take pictures of reports with SSNs...)

    Which raises the question, how do they police this? Given that many military bases also have base housing, some of which have almost open access to locations near the sensitive areas (Kaneohe Bay you could walk on the beach where the amphibious vehicles were, Iwakuni, Keesler and Maxwell it was nothing to get to the edge of the flightline), you can't expect all dependents to not have camera phones. Nor are they checking everyone at the gate, either, meaning it's more of a rule if you get caught. For that matter, what do they do about those off-base... for instance, Shaw and MCAS Beaufort the flightline is visible from OUTSIDE the fence.

    K. Brian Kelley
    @kbriankelley

    This is a great debate and thanks for all the comments. I wasn't trying to limit the discussion in any way to technology as a solution. Banning could be locking machines or preventing them from entering the premises.

    I'm sure most of us don't want clear purses (as some retail outlets require) or metal detectors to prevent stuff from coming in and out. I'm not sure that would work well in any case.

    If someone really is intent on stealing data, I'm not sure you can prevent them, just as pointed out with the paper/OCR issues. I think detection and some monitoring are your only chances.

    And keep in mind it's not just "bad people" that do this. Hiring practices might not help. First, the lost devices are a problem, so it makes some sense to make a policy that prohibits copying data to USB devices and then maybe monitoring when something is copied. Not sure how to do this, but it's an option. I hadn't considered lost devices, especially since we "lose" laptops already, but that's something to consider. Don't allow important data to be moved to USB/Bluetooth/Infrared. This helps prevent the "stupid mistakes".

    The second is what about good employees that go bad? People get disgruntled, people have financial issues, or maybe just get greedy. What if I found someone that was susceptible to stealing SSNs or something else? If I pay them $1000 or $10,000, would they copy data for me? Who knows, and I'd have to pick someone that wouldn't report my offer, but tackling this problem is more difficult. But most people aren't trained spies, so the harder it is, the less likely they take the chance.

    Brian K pointed out early that lots of people have legitimate access to data. They do, but they also have patterns they stick to. If they steal data within the pattern, i.e. copy one SSN at a time, there's nothing you can do. If they break the pattern, technology can help.

    As for the salespeople? They're not forsaking their jobs to get around technology. They're trying to make their jobs easier, and getting around technology because it's in their way. That's the problem. People don't respect security when it's a pain and it gets in their way. They don't see the risk of something happening as a problem.
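    The point above, that legitimate users have access patterns and that technology can help when they break the pattern, as an added example that is not part of the original thread and not anyone's product: a small per-user baseline detector run over constructed audit-log lines. The log format (`user=`, `table=`, `rows=`), the user names and the thresholds are all assumptions made for the illustration.

```python
"""Flag users whose daily record-access volume breaks their own baseline.

Added illustration only: the audit-log format, field names, user names and
thresholds are assumptions, not any product's real format or data.
"""
import re
import statistics
from collections import defaultdict

# Constructed sample audit log (not real data). One line per query against a
# table holding sensitive records: timestamp, user, table, rows returned.
SAMPLE_LOG = """\
2007-11-12 09:05:11 user=alice table=customers rows=1
2007-11-12 10:41:02 user=alice table=customers rows=1
2007-11-12 11:12:45 user=bob table=customers rows=3
2007-11-13 09:15:08 user=alice table=customers rows=2
2007-11-13 14:02:19 user=bob table=customers rows=1
2007-11-14 08:55:31 user=alice table=customers rows=1
2007-11-14 09:20:40 user=bob table=customers rows=2
2007-11-15 10:30:00 user=alice table=customers rows=1
2007-11-15 15:45:22 user=bob table=customers rows=4
2007-11-16 09:01:00 user=alice table=customers rows=1
2007-11-16 09:03:17 user=bob table=customers rows=1
2007-11-16 23:10:05 user=bob table=customers rows=25000
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"user=(?P<user>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse_log(text):
    """Yield (date, user, table, rows) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["date"], m["user"], m["table"], int(m["rows"])


def daily_totals(events):
    """Map user -> {date: total rows read that day}."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, user, _table, rows in events:
        totals[user][date] += rows
    return totals


def find_pattern_breaks(log_text, today, min_history_days=3, sigma=3.0, floor=10):
    """Return (alerts, users_without_baseline) for the given day.

    A user's baseline is mean + sigma * stdev of their daily totals on days
    before `today`. `floor` is an absolute minimum threshold so that a user whose
    pattern is "one record a day" is not flagged for reading two. Users with too
    little history get no baseline and are reported separately, because the
    detector cannot say anything about them. Note what this does NOT catch: a
    user who stays inside the pattern (one record at a time) never trips it,
    which is exactly the limitation the thread describes.
    """
    totals = daily_totals(parse_log(log_text))
    alerts, no_baseline = [], []
    for user, per_day in totals.items():
        history = [n for d, n in per_day.items() if d < today]  # ISO dates sort as strings
        today_total = per_day.get(today, 0)
        if len(history) < min_history_days:
            no_baseline.append(user)
            continue
        mean = statistics.mean(history)
        sd = statistics.pstdev(history)
        threshold = max(floor, mean + sigma * sd)
        if today_total > threshold:
            alerts.append({"user": user, "today": today_total, "threshold": threshold})
    return alerts, no_baseline


if __name__ == "__main__":
    found, unknown = find_pattern_breaks(SAMPLE_LOG, "2007-11-16")
    for a in found:
        print(f"ALERT {a['user']}: {a['today']} rows today, baseline threshold {a['threshold']:.1f}")
    for u in unknown:
        print(f"no baseline yet for {u}")
```

    In the sample, both users read a handful of records a day until bob's late-night 25000-row query, which is what the detector reports; alice, who only ever reads one record at a time, stays below the floor. A real deployment would derive the baseline from the database's own audit trail and tune `sigma` and `floor` per table sensitivity, but the shape of the check is the same.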

  • Simple technology solution:

    Use only NT Terminal Server as your network OS with users getting only thin clients.

    No Floppies, USB, Bluetooth or CD/DVD RW support. Ever.

    Now you just need to ban printers, paper and pencils ...

    However, I know of someone in the 80's who was told during a buy out that he could not take any information out of the office. Except maybe for what was already in his head. So he would call his home answering machine and read off the contact list until he had it all. At night he would write it all down, erase the tape and continue the next day.

    You cannot stop every person bent on gaining information for nefarious reasons from doing so. People need access to information to do their jobs; otherwise why have them work?

  • Steve Jones - Editor (11/16/2007)


    People don't respect security when it's a pain and it gets in their way. They don't see the risk of something happening as a problem.

    I think this sums it up pretty well. A lot of people don't really care about trying to steal and the dishonest will find ways. However, putting in place policies that make it harder to do real work will generally lead to people finding ways around those policies or just not working as hard/well/efficiently as they would otherwise. Really insane policies may even drive people away just to find someplace where they can work without so much trouble.

    As for the bans/blocks - I can see arguments for and against them. Some people really have no need for those types of devices to be connected to their workstation and blocking them wouldn't be a huge problem. However, sometimes good people with legitimate needs for USB drives and similar might go bad. There's nothing that will really stop that.

Viewing 15 posts - 16 through 30 (of 45 total)