Security Basics mailing list archives

Re: security products
From: rohnskii () gmail com
Date: Wed, 18 Feb 2009 18:52:35 -0700

Some of your questions are easy, some are a little harder, and some not possible.

First question to answer is who are you protecting the data from, external hackers, or internal "employee" leaks?  In 
many ways, protecting from external leaks is easier.  For data to be usable, it has to be accessible to internal users.

The high points have all been touched on by other responses, let's try to bring them together.

File encryption when file is stored on hard drive to protect the data "at rest".  You say it is already being done.  
Can be done at individual file using "password" or folder or HD/volume level.  The thing to be very aware of is that 
the built-in "password" protection in Excel and Word, well to be blunt it SUCKS!  It is adequate to protect from casual 
access, but anyone who is determined can get freeware or buy software from the internet that will "recover" lost 
passwords.  So if he is serious about protecting that data, find something better.  The next step up would be to use 
NTFS built-in encryption to protect the folders.

VPN from local computer to network shared hard drive to protect the data "in motion".

Control Access to the files themselves.  The "easiest" way of doing that is probably to implement M$ Active Directory 
to control who has access to the files.  

That is all the "easy" stuff to implement because odds are they already have the basic M$ infrastructure in place.

Access logging to monitor who has accessed files.  It will not prevent data loss, but it will help identify how much 
data the "bad guy" has accessed when it comes time to do damage control.  Access logging can be a "stand alone" or part 
of the concepts described below.

NAC (Network Access Control) tools would be the next.  NAC is used to control which user IDs and which PCs/terminals 
can access the network and conditions when access is allowed.  One of the types of restrictions can include limiting 
ability to copy/save files to specific locations or devices (i.e., can't save to local HD or USB drives).

DLP (Data Loss Prevention) is a relatively new class of tools that are aimed specifically at the concern your friend has 
expressed.

The bottom line is that an "insider" attack is the one that is almost impossible to totally prevent.  You can 
limit the impact by detecting anomalous data access and reacting.  But, once you provide users with a legitimate need to 
see the data access, then they can find ways to leak the data.  The obvious ways have already been pointed out such as 
printed copies, file copies to USB, DVD/CD or digital/camera phone photographs of the monitor.  Less obvious ways 
include exporting data via HTTPS, FTP/FTPS, IM, VoIP, sniffing of wireless connections and P2P.

This is a good introductory article on DLP, including a full list of vendors:

http://www.symantec.com/business/solutions/solutiondetail.jsp?solid=sol_info_risk_comp&solfid=sol_data_loss_prevention

http://www.csoonline.com/white-paper/451753/_Requirements_of_Data_Loss_Prevention is another article worth reading.

Your friend has taken the right first step, he recognized he has a potential problem and is taking steps to try and 
remedy it.  But, depending on the type of customer data he has and the size of his business he probably should consult 
with a recognized Information Security professional.  If he is located in the USA it is almost 100% certain he has 
legal obligations that he is not fully aware of. Even if he isn't in the States, there is probably information security 
legislation in place.  He might want to start with his business lawyer or auditor to find out what (if any) legislation 
applies.

Implementing a full feature Information Security program will take a lot of time and money to do.  So the sooner he 
starts the better.  

TJX, the 2007-2008 "poster child" for data leaks/hacks apparently was in the process of updating the cause of their 
leak, using weak WEP encryption on their wireless networks.

