mailing list archives
Re: security products
From: rohnskii () gmail com
Date: Wed, 18 Feb 2009 18:52:35 -0700
Some of your questions are easy, some are a little harder, and some not possible.
First question to answer is who are you protecting the data from, external hackers, or internal "employee" leaks? In
many ways, protecting from external leaks is easier. For data to be usable, it has to be accessible to internal users.
The high points have all been touched on by other responses, lets try to bring them together.
File encryption when file is stored on hard drive to protect the data "at rest". You say it is already being done.
Can be done at individual file using "password" or folder or HD/volume level. The thing to be very aware of is that
the built in "password" protection in Excel and Word, well to be blunt it SUCKS! It is adequate to protect from casual
access, but anyone who is determined can get freeware or buy software from the internet that will "recover" lost
passwords. So if he is serious about protecting that data, find something better. The next step up would be to use
NTFS built in encryption to protect the folders.
VPN from local computer to network shared hard drive to protect the data "in motion".
Control Access to the files themselves. The "easiest" way of doing that is probably to implement M$ Active Directory
to control who has access to the files.
That is all the "easy" stuff to implement because odds are they already have the basic M$ infrastructure in place.
Access logging to monitor who has accessed files. It will not prevent data loss, but it will help identify how much
data the "bad guy" has accessed when it comes time to do damage control. Access logging can be a "stand alone" or part
of the concepts described below.
NAC (Network Access Control) tools would be the next. NAC is used to control which user IDs and which PC's/terminals
can access the network and conditions when access is allowed. One of the types of restrictions can include limiting
ability to copy/save files to specific locations or devices (ie can't save to local HD or USB drives)
DLP (Data Loss Prevention) is a relatively new class of tools that are aimed specifically the concern your friend has
The bottom line is that an "insider" attack is the one that that is almost impossible to totally prevent. You can
limit the impact by detecting anomalous data access and reacting. But, once you provide users with legitimate need to
see the data access then they can find ways to leak the data. The obvious ways have already been pointed out such as
printed copies, file copies to USB, DVD/CD or digital/camera phone photographs of the monitor. Less obvious ways
include exporting data via HTTPS, FTP/FTPS, IM, VoIP, sniffing of wireless connections and P2P.
This is a good introductory article on DLP, including a full list of vendors:
http://www.csoonline.com/white-paper/451753/_Requirements_of_Data_Loss_Prevention is another article worth reading.
Your friend has taken the right first step, he recognized he has a potential problem and is taking steps to try and
remedy it. But, depending on the type of customer data he has and the size of his business he probably should consult
with a recognized Information Security professional. If he is located in the USA it is almost 100% certain he has
legal obligations that he is not fully aware of. Even if he isn't in the States, there is probably information security
legislation in place. He might want to start with his business lawyer or auditor to find out what (if any) legislation
Implementing a full feature Information Security program will take a lot of time and money to do. So the sooner he
starts the better.
TJX, the 2007-2008 "poster child" for data leaks/hacks apparently was in the process of updating the cause of their
leak, using weak WEP encryption on their wireless networks.
- Re: security products, (continued)