Now incorporating 112 Review, Community Safety Review & Military Review

BE WARNED – THE OLYMPICS ARE COMING!

We will soon be the target for major attacks.

David Hobson, MD of Global Secure Systems (GSS), talks about the forthcoming threats to head our way.

The Olympics is one of the largest global events staged by any individual country yet, unfortunately, the headlines often have little to do with the athletes’ performance on the field: the Munich massacre of 1972, the Atlanta bombing of 1996, and this year’s games, which haven’t even begun in Beijing, have already been making headlines. And soon it will be our turn.

The recent issues and protests surrounding the torch on its journey through the streets of London, Paris and San Francisco have highlighted some very serious security issues we will face in the run up to, and during, 2012. Once the UK steps into the limelight, with the baton passed to London during the closing ceremony at this year’s event on the 24th August, the focus will be redirected and we will become the next major target of attacks driven by political and religious beliefs – believe it or not, not everyone in the world loves the UK and our culture. These attacks are more than likely to be both physical and digital and will, undoubtedly, be a magnificent smokescreen for organised crime to hide behind. The security community faces a tremendous challenge of educating organisations about the threats to their business.

At the end of 2007 the Times newspaper had a front page story disclosing details of an unprecedented warning issued by CPNI (Centre for Protection of National Infrastructure) to major businesses in the UK, accusing China of carrying out state-sponsored espionage against vital parts of Britain’s economy, including the computer systems of big banks and financial services firms. The Government alleges that British companies doing business in China are being targeted by Chinese State Organisations using the internet to steal confidential commercial information (a touch ironic with them hosting this year’s Olympics!). And we’re not alone: while I was in the USA recently, it was publicly confirmed that the US Defence Department acknowledged that their systems have also been compromised by China and they have no idea to what extent and depth. So what are the threats to your organisation and why would the Government issue notices to anyone?

As the dependence on IT continues to grow, so does the realisation of how much sensitive or critical information is held within IT environments. As more and more sensitive data is digitised, and regulatory requirements become increasingly stringent, organisations face the challenge of securing and protecting their data against unauthorised access, tampering and loss. An enterprise's network is an inherently complex entity including a myriad of devices, platforms, applications and operating systems. Because of increased employee mobility and the growing number of end-user network-capable devices, tracking and controlling network access has become essential to maintaining data security in corporate networks. Organisations must balance access to these resources, whilst protecting valuable assets and ensuring customers' privacy. Failing to get the equilibrium right proves to be a costly business issue.

The sheer number of threats and intrusions to corporate IT systems has grown phenomenally in the past few years and today's security risks are complex. Threats to an organisation range from external threats to internal threats as well as passive threats. Networks and personal computers need to be protected from vandals (malicious mobile code, Trojans, worms, VB/JavaScript), viruses, data exposure and inappropriate content. To better deal with the rapidly evolving threats, organisations are moving towards combining proactive and reactive security measures both within the existing network and at the boundaries where the network may interface with external and unknown devices. Historically associated with protecting a network against attack from the Internet, firewalls are increasingly becoming more important for securing a network against internal threats.

So where to start? Even thinking about dealing with the number of security vulnerabilities that your organisation faces is enough to cause a migraine. Finding and prioritising the sheer volume of your network's vulnerabilities, and then ensuring that they are fixed, is a nearly impossible task that can leave your organisation exposed. Implementing ongoing vulnerability management to discover and assess vulnerabilities, and to implement and maintain system configurations, will ensure secure environments, saving time and money in the long run.

The threat to business is increasing as we rely upon the data within an organisation. The good news is that UK plc finally seems to be waking up to the threat to their business. The information we have suggests that, after many high profile data losses, boardrooms are finally giving security a bigger piece of their IT budget. Is this because no CEO wants to see himself or herself on the front page of the nationals, and have to explain to their shareholders how they lost all their customer data? Or is it because the threats are finally being given proper airtime?

Either way, one of the issues the security industry faces is that if it does its job well, it will never be able to prove that the money was well invested because incidents have been prevented before they happened! I had the good fortune to sit next to Richard Walton, former Director of Communications and Electronic Security Group, GCHQ at a couple of events recently. He rightly pointed out that had legislation been passed before 9/11, making it compulsory for airlines to fit locked armour doors to a plane cockpit, 9/11 would not have happened. Well, not in the form that it did. In my opinion the industry would have been up in arms over the extra expenditure calling it unnecessary. Perhaps in hindsight this is something that should have been done, after all there had been plenty of hijackings of aircraft before but hindsight is a wonderful thing.

We need Finance Directors to recognise the real benefits from an investment in security that is necessary not only for today but to protect us into the future. As a result of this outlay, when they see fewer breaches, that should be recognised as money well spent instead of down the drain. The threats will be growing, with UK plc becoming a major global target in the run up to 2012. There’s no time to be wasted as it’s pointless to secure the door after the horse has bolted.

London’s Olympics will definitely be reported on and subsequently be remembered in history, let’s just hope for all our sakes it’s for the right reasons.

www.gss.co.uk

Anyone for a Free Beer?

By Calum Macleod, European Director of Cyber-Ark – The Digital Vaulting specialists

What would you consider the value of your company’s data to be? Consider your organisation’s research and development data, marketing strategies, client database, and all your financial data. What would it be worth to you to have that data returned if you discovered that the only up to date copy had “left the building”? Would you consider offering a public reward to anyone who could supply any information relating to apprehending the people responsible for the theft of every piece of valuable and confidential data that your organisation possesses? Would you actually still have a job? Would you know if it happened? The reality is that in many organisations senior management are totally oblivious to the extent to which sensitive information is being leaked outside.

Would you know if your head of finance is so paranoid that he or she keeps all the company’s financial data on his company notebook just to be sure that no one can access it? And yet recently a multi-national, publicly traded company discovered this to be the case when the hard disk crashed on the notebook!

The reality is that most of you are sitting on a ticking bomb and are totally oblivious to the risks being taken with your business by your employees, and frequently it is those in the most responsible positions that represent the biggest risk.

The area that represents one of the major risks to your well being is your IT department. Everything that your organisation does today will use IT in one way or another. In fact the operation of your business is effectively in the hands of your IT department, and in some cases in the hands of staff working for some company to whom you outsourced your IT services. Outsourcing has become a very popular approach because it allows you to reduce your costs and in many cases reduce head count by moving your IT staff to your outsourcer. Attractive as this might be, it frequently is resented by staff who are forced to move and these same staff undoubtedly are still doing the same job as they were when they were your employees, with the same access to your confidential information. Investigations over the past year by a number of independent bodies have identified that as much as 90% of business sabotage is perpetrated by IT staff.

Who Is Looking After Your Infrastructure?

Behind every successful use of your PC or connection to your email, or access to some application that gives you critical data about the state of your business there’s an IT person who is making it all possible. And to make it possible it means that they can access any of your systems, including your PC at any time and look at anything that might be on that system. In fact not so long ago I met with a company where a director was exposed for using his notebook to visit porn websites after one of the IT staff connected to the director’s PC during the day without the user’s knowledge. After all in order to do his job, the IT administrator had the administration password for every PC in the company! Unless there are proper controls such as Privileged Password Management, everything you have on your PC including your email, saved passwords in your browser, and even files that you have opened in your PC are fair game to the person with the Administrator account – and this is while you’re working and you wouldn’t even know it was happening!

Every system and application has at least one privileged account, and these accounts are shared by many people. Privileged accounts, in the form of administrator and operator accounts, are a requirement for every system and application, and this is what makes it possible to keep your systems running. And it is the privileged account that provides the largest exploit opportunity in today’s enterprises. A compromise of the right privileged account, or set of accounts, may create an unknown “puppetmaster” atmosphere where a third party has total control over a computing environment, with unfettered access to programs, services, and data. And you can’t just “turn off” privileged accounts because they perform critical functions. Deleting or disabling a privileged account would lead to computers running themselves (or not running) with no human control and no possibility of management. A complete rebuild of these systems becomes a likely consequence.

For Your Eyes Only

It may be for “your eyes only” but if it’s on a company computer system then you can be sure that there are others who are able to use their IT privileged status to have a look. In the banking world, payment files are usually exposed to system administrators. And since these files are used between applications they are not secured. So as a result a systems administrator can easily access a payment file, make a “slight adjustment” and you’d probably never know until the postcard arrives from Paraguay!

The day to day needs of information transfer with users who are not part of the enterprise are growing. Distributing data from back-end systems to customers, or sharing information with partners and other 3rd parties - these types of communications are becoming vital for e-Business.

Financial reports need to be distributed to business customers; legal and financial information needs to be shared with lawyers or board members who are located outside of the enterprise; highly sensitive clinical trial information is shared among research laboratories, medical professionals and federal institutions. Payment or salary wire-transactions are also examples of day-to-day file transfer needs, as well as contracts, patents and other types of sensitive information that are exchanged or shared on a regular basis with external entities.

It could also affect the party with whom this information is concerned, and damage the organization's reputation. For example, imagine the results of an M&A agreement exposed before the deal is closed, or a sensitive design file shared with a manufacturer or supplier that has leaked. Other than the implications on the organization itself, there are also regulation issues of personal liability for mismanaging sensitive information.

You can use digital vaulting to eliminate this risk using a unified solution to secure both privileged access and highly sensitive data. It means you can put all your sensitive documents under a virtual lock and key, only making the information accessible to those who have permission to access that information. It’s a product the auditors and IT security people love because you know exactly who has access to the information and when. It also means that the IT department no longer has total control over every person’s computer systems! So unless you’re like Croucher Brewing Company in New Zealand, which is offering Free Beer for Life for the return of their corporate secrets, it’s time to take control, otherwise the monkey will continue to be the organ grinder!

www.cyber-ark.com

Anti-virus software is not the only computer security tool

The truth is that anti-virus software is but one of many computer security tools and the way things are going we seem to be needing ever more. This is a shame and could turn people off the Internet and such all together.

By Michael Smith (Veshengro)

When Mike Saign received an email - purportedly from an eBay auctioneer - accepting his rather low offer for a high-end golf club he reckoned there to be something fishy about it and smelled a rat.

The sender of the email claimed that his PayPal account was down and asked Saign to wire payment to him via Western Union. Instead, however, having his suspicions aroused, Saign downloaded Iconix e-mail ID, a free tool that pegged the e-mail as a fake.

Then, having been saved from being scammed, Saign disabled Iconix and hasn't used it since. Because, he says, he feels like the security software in a normal computer keeps you away from most bad things.

That, however, is not necessarily so and I am sure those of us in the know would rather disagree with him in that.

In fact, fraudulent e-mails and tainted and “contaminated” websites are more prevalent than ever. Spam, much of it pitching fake drugs and financial scams, according to Symantec, accounts for 80% of all e-mail. The number of new strains of malicious programs has increased fivefold in 2007 over 2006, and about 20,000 new malicious programs are unleashed on the Web each day, according to AV-Test Labs.

Most consumers are, however, in a real and serious fog about the array of security tools they can – and probably should – use to protect themselves.

Craig Spiezle, Microsoft's director of security and privacy, says his own wife couldn't tell anyone which security tools they really ought to be using. "The big challenge we're dealing with is the volume and velocity of new threats," says Spiezle.

The thing is, though, if Microsoft actually would configure their software in a better way – we know it can be done from the likes of Linux (a system that I use for work) – people would actually have no need for such an array of security software which, again, also often slows down the performance of computers, especially older models and those with little memory.

We are basically in a pandemic situation as far as consumer PC infections go, and (home) PC users are left to decipher for themselves what set of security products they ought to be using and how much protection they are actually getting. No one has, as yet, figured out a business model to cure that.

There are many tools in the armory of computer security, but each will only offer narrow protection; therefore, consumers need to try to understand what each of these tools actually tackles.

Anti-virus programs fail to catch every malicious program. So keeping anti-virus subscriptions current isn't enough, though it does a great deal. Consumers must also get in the habit of quickly installing all software program updates from Microsoft (With caution, I would add there. Always do a “manual” install and choose what you want to install), Apple, Adobe, Mozilla and Java, because many contain the latest security patches.

Beyond that, consumers should consider using:

Certified e-mail: Iconix and Goodmail each sell services to businesses that assure the authenticity of e-mails sent to customers.

Iconix recently launched e-mail ID as a free program consumers can install in their Web browser. The program verifies e-mail sent from 500 companies, including eBay, PayPal, Citibank, Amazon.com and Expedia.

However, the Iconix program can also be a pain in the backside, I am afraid to say, and sometimes takes quite a while to deal with the emails. It also does not work, I have found, with email clients other than Outlook, and with only some of the Web-based services.

The best way, in most cases, as far as untrustworthy emails, phishing emails and scams are concerned, is good old fashioned common sense. If something is too good to be true it more than likely is. If someone tells you you have won a lottery that you have no idea of ever entering then it is a scam, as simple as that. Bill Gates also does not give away any of his money to the likes of you and me. So, do not forward such scam emails. They clog up the Net.

Web page scanners: These tools use varying technologies to gauge the reputation of most Web pages. Programs such as AVG's LinkScanner, ScanSafe's Scandoo, Trend Micro's TrendProtect, McAfee's SiteAdvisor and Finjan's SecureBrowsing grade Web pages as safe, unsafe or questionable.

Web scanners aren't perfect. But they provide a layer of protection against what has become cybercrooks' favorite way to spread malicious programs: via the Web. "The more layers you have, the safer you are," says Roger Thompson, AVG chief research officer.

While, once upon a time, not so long ago, I was one of the greatest advocates of AVG and would tell everyone to get it, anyone who has read my recent article on the AVG8 program will know why I have changed my tune.

Browser security tools: Microsoft's Internet Explorer 7 (anyone using IE7 must have their head examined – I was forced by something from MS to install it but refuse to use it) and Mozilla's Firefox 2 (this is the browser that cannot be too highly recommended for security and safety) are the most widely used Web browsers. Both those browsers offer anti-phishing filters that alert users if they try to click to bogus websites set up to fool them into typing passwords and other sensitive data. Microsoft, however, distributes IE7 with this feature disabled, so users must choose to turn it on, while Firefox 2's anti-phishing filter is always on.

There are no 100% solutions in security as far as computers are concerned for you tell a hacker that a system is safe and the first thing he is going to do is set himself the task to crack it. This is the same with viruses. As soon as the virus writers realize that their virus is being caught they change the code and create a new one. Only the greatest of vigilance as to what sites we visit and what email we deal with can give us some measure of safety, combined with some good tools. But, common sense is also useful on the Internet; let's use some more of it.

© M Smith (Veshengro), May 2008

15 ways to lose your database

by Peter Mitteregger, European Vice President, CREDANT Technologies

Arguably an organisation's most vital asset is its databases, often containing financial information, customer and employee data and intellectual property. There have been many articles written that examine the risks posed by data being exposed and the potential damage caused. In addition, external threats have long been recognised, with billions of pounds spent strengthening defences to mitigate against them, yet there is little acknowledgment of the very real threat from within. The statement ‘don’t leave your valuables on show’ is a simple principle, so why is it often ignored by Corporate UK?


It is proven to be easier to bribe someone on the inside (or even implant them there) to gain access to sensitive data. Leaving this risk aside, how often has someone left your organisation taking company stationery with them? Do you know what else has been taken? Could they have sneaked out with sensitive material? What about a copy of the entire corporate database? Would you even know if they had?


Below, I’ve identified the most common techniques individuals will employ to copy sensitive data:


Legitimate Access Yet Inappropriate Use

Let’s be realistic, employees need to have access to corporate data in the normal course of their duties. Increasingly today, this need is 24 hours a day - 7 days a week and is not restricted to within the corporate walls or to company owned devices. It is this need that is opening up one of the biggest and growing weak points for Corporate UK as data is seeping out via unprotected end-points, a significant number of which the company is unaware exist, or they are simply outside the company’s domain, such as private USB sticks or iPods.


To illustrate, an employee in sales may need to legitimately access customer records whilst on or off site and during a normal day may do so up to 100 times, another employee in R&D may need access to the secret formula for a product that’s in development whereas another employee in the marketing department may need to access the marketing plans for this new product’s launch and email them to the various agencies tasked with delivering the plan. However, there is no viable reason for all of these different employees and departments to be able to access all of this information, in the same way, and do the same things with it. In many instances, the company may be legally obligated to limit access to information on a need-to-know basis.


Access must be restricted to just the records that are needed to perform the task, with control over which bits of each record can be viewed, combined with limiting what can be done with the record.


If there is no obvious explanation why an employee should need to be able to access confidential and sensitive data, whilst off site, then they shouldn’t be able to. It would be prudent to employ a solution that can detect devices trying to connect to the enterprise and sync up with corporate data. Additionally, if there is no reason why they should need to make an electronic copy of these records – be it to a corporate or personal endpoint such as a CD, a USB/Memory stick, an iPod or even a Blackberry, then they should not be able to do so. If there is a valid reason why they need to make a copy then it should be force encrypted with a solution that does not impede the system, regardless of the device it is stored to, to ensure the integrity of the data is protected once away from the safe corporate environment.


By the same token, if an employee does not need to print a copy of the data then they should not be able to do so and even if they do, this should be regulated as I’m positive that there can be no genuine reason for complete records to be printed. Perhaps an alarm bell should be sounded if someone does print the entire database and a means deployed to ensure that it is not removed from the premises.


Another way to identify if an employee is abusing their access rights is if their usual behaviour alters and they suddenly start accessing a greater number of records than usual for longer, or even shorter, periods of time. This could indicate that they are writing the records down in some format to bypass any security restrictions in place.


In the case of a disgruntled employee determined to cause mischief, records could be altered, or even worse deleted, thereby damaging the reliability of the data.


Another danger is if an employee wishes to steal a copy of a database and may attach it to an email and send it out legitimately through the corporate gateway. A savvier employee, worried at leaving a trail, may try to bypass this by uploading the file to an external system, such as yahoo, hotmail or a hosted document storage and management solution.


There have been a few instances of people seeking employment to steal data to order or even for an employee persuaded to divulge corporate secrets for financial gain.


Opportunistic Access Is Still A Real Risk

There are some risks that aren’t hi-tech and therefore harder to detect and even harder to protect against. For example, the business case for a printed hard copy of sensitive records needs to be strong, as an opportunist may access this and make a photocopy of it, completely undetected!


Another increasingly recognised threat is the mobile employee, justifiably working while travelling; either on the train, in a service station or another location, with someone looking over their shoulder and making a note of material displayed on the screen.


One further, really obvious, risk is writing down and/or sharing passwords. This is a truly naïve practice, with no justification, yet it is still widely abused today.


Illegitimate Access So Of Course They’re Up To No Good

The easiest, yet inexcusable, way for data to be violated is by an ex-employee whose access rights have not been revoked in a timely manner accessing the network remotely, perhaps initially just to see if they can, and then being tempted into taking liberties with this oversight.


Another potentially soft target is a portable endpoint; such as, but not limited to, a laptop, blackberry or USB/Memory stick, that is misplaced or stolen. Should the device be unprotected then any data stored on it is exposed. Additionally, in the case of a laptop or blackberry, it may prove to provide a back door to the corporate network.


So What’s Corporate UK To Do

It may seem like a nightmare with so many trusted employees out to steal your most vital asset, yet there are ways to mitigate against these risks:


  1. Restrict access to only those employees who need it and limit what they can see, and what they can do, with the records

  2. Appropriately monitor employees’ behaviour, ideally setting control mechanisms to flag any significant deviations from the norm

  3. Employ a solution that can detect devices trying to connect to the enterprise and sync up with corporate data and force encrypt information when it is removed, legitimately or illegitimately, from the safe environment of the corporate network

  4. Do not make unnecessary hardcopies of records or leave them unsecured

  5. Educate the mobile workforce to the risks posed by their activities and the devices that they use

  6. When an employee leaves, ensure all access rights are revoked immediately

  7. Never leave a written record of passwords

  8. Perform background checks on new employees, including contractors and any periodic workers. It may be prudent for these checks to be conducted at regular intervals to ensure that nothing has changed as is the case for those working with children via the criminal records bureau

  9. Never leave data security up to the end user. It is imperative that this is controlled and managed centrally which can also reduce TCO (total cost of ownership) as machines don’t need to be locked down or brought in to the office to update them

  10. Corporate Governance requires you now to have security and to be able to prove it. Use a solution that includes a central management console – that way every machine is protected and can be tracked.
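
An added example, not from the article or from CREDANT: one way to apply points 2 and 6 above (and the earlier remark about an employee suddenly accessing more records than usual) to a per-day database access log. The log rows, user names, leaving dates, thresholds and function names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed sample data (not from the article): one row per user per day,
# in the form (user, day, records_viewed).
ACCESS_LOG = [
    ("alice", date(2008, 5, 5), 96),
    ("alice", date(2008, 5, 6), 104),
    ("alice", date(2008, 5, 7), 99),
    ("alice", date(2008, 5, 8), 101),
    ("alice", date(2008, 5, 9), 100),
    ("alice", date(2008, 5, 12), 940),   # sudden bulk access
    ("bob", date(2008, 5, 5), 12),
    ("bob", date(2008, 5, 6), 15),
    ("bob", date(2008, 5, 7), 9),
    ("bob", date(2008, 5, 8), 14),
    ("bob", date(2008, 5, 9), 11),
    ("bob", date(2008, 5, 12), 16),      # slightly busy day, still normal
    ("dave", date(2008, 5, 8), 40),
    ("dave", date(2008, 5, 14), 35),     # access after the leaving date
]

# Constructed HR feed: user -> last working day.
LEAVERS = {"dave": date(2008, 5, 9)}


def flag_volume_deviations(log, min_history=5, threshold=3.0):
    """Return (user, day, count) rows far above that user's own baseline."""
    per_user = defaultdict(list)
    for user, day, count in log:
        per_user[user].append((day, count))

    flagged = []
    for user in sorted(per_user):
        history = []  # counts from earlier days that were not flagged
        for day, count in sorted(per_user[user]):
            if len(history) >= min_history:
                mu = mean(history)
                # Floor the spread so a very steady user is not flagged for a
                # trivial change (assumed floor: 10% of the mean, at least 1).
                sigma = max(pstdev(history), 0.1 * mu, 1.0)
                if (count - mu) / sigma > threshold:
                    flagged.append((user, day, count))
                    continue  # keep the outlier out of the baseline
            history.append(count)
    return flagged


def flag_leaver_access(log, leavers):
    """Return (user, day) rows where an account was used after its owner left."""
    rows = sorted(log, key=lambda r: (r[1], r[0]))
    return [(user, day) for user, day, _ in rows
            if user in leavers and day > leavers[user]]


if __name__ == "__main__":
    for user, day, count in flag_volume_deviations(ACCESS_LOG):
        print(f"VOLUME  {user} viewed {count} records on {day}")
    for user, day in flag_leaver_access(ACCESS_LOG, LEAVERS):
        print(f"LEAVER  {user} account used on {day}, after leaving date")
```

Users with fewer than `min_history` days of data are not scored, so new starters need a separate review until a baseline exists.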



Box Out: Quick Overview of 15 Ways to Lose Your Database:

  1. Employees able to access a database regardless of their need to do so, with sight of complete records including information that they do not necessarily need to see

  2. Unrestricted downloading of the database to removable media

  3. Employees able to print individual records, or even the full database, in hard copy format

  4. Employees able to access records, in undefined quantities or for unlimited periods of time, providing the opportunity to make a written copy

  5. Records, or even the entire database, altered or deleted

  6. The full database, or individual files, emailed as an attachment

  7. The full database, or individual files, uploaded to an external storage facility/website or a hosted document storage and management solution.

  8. Secure employment for the purpose of having unrestricted access to confidential data with criminal intent

  9. Existing employees being coerced into removing data for financial gain

  10. Ex-employees who have not had their access rights revoked

  11. Photocopy hard copies

  12. Over the shoulder screen theft from mobile workforce

  13. Writing down, or even sharing, passwords

  14. Loss of external or portable media (memory sticks, CDs, laptops, etc) that contain unencrypted information, often during travel.

  15. Misplaced, or stolen, devices (laptops, blackberries, etc) used as a back door to the corporate network


For more information contact www.credant.com