IT Managers Still Fearful Of Employees Stealing/Losing Sensitive Data

Silicon Republic is reporting on a survey by IT Force that says 47.8% of IT managers are still fearful of staff stealing or losing data.  Hacking is #2 at 34.8%.

Before we go further: if you've taken the normal precautions, the real chance of getting hacked is minimal.  You should still take precautions such as firewalls and server hardening, but the areas that actually need attention are application development, software patching and, most importantly, physical security.  What's the easiest way to steal data?  Take out the disks.  Who has the most access to your building?  The lowest-paid staff, who also don't work for you: the security guards and cleaners.  And despite what films with Sandra Bullock or Harrison Ford and TV shows like 24 would have us believe, 3/4 of all computer crime is perpetrated by people in the building.

Right, let’s go over this again.

  • Use BitLocker, Iron Mountain DataDefense or SafeBoot to encrypt data on the disk, or the entire disk.  This applies to desktops, laptops and servers, so even if you lose physical control of the disk or machine you know the data on it is encrypted.  Remember what this does and does not cover: full-disk encryption protects data at rest (a disk pulled out of a machine, or a machine that is powered off or hibernated); once the machine is booted and unlocked the volume is readable to anyone who can log on to it.  On laptops use BitLocker with a TPM plus a PIN or startup key rather than TPM alone, otherwise the disk is unlocked automatically for whoever boots the machine.  IRM DataDefense takes it one step further: you can remotely wipe the data (to NSA standards) when the machine next comes online.
  • Use AD Rights Management Services to control who can read what document, email, etc.  You can control this inside and outside of the organisation, e.g. prevent an email or document from being read by someone outside of your network even if it’s forwarded to them.
  • Use device access controls (Vista or DeviceLock) to lock down ports.  Vista does an OK job at this.  DeviceLock rules at this.  You can put permissions on all the ports of your machines, e.g. disable USB devices but allow USB printers and keyboards/mice, disable bluetooth, etc.  DeviceLock allows normal group permission controls and AD GPO management.
  • Force USB device encryption using Windows 7 BitLocker-To-Go or a new version of IRM DataDefense.  Windows 7 allows you to force encryption using GPO.  I’ve not been briefed yet on this new feature of the IRM solution.
  • Centralise access auditing using OpsMgr 2007 Audit Collection Services.  You can gather important security events into a simple central SQL database for security/audit to review and generate reports from.
  • Use Exchange 2007 native or 3rd party services to journal what is being sent or received.  This gives you a history of what’s going on.
  • Use a proxy filter to restrict access to webmail services that bypass mail auditing.  I hate SurfControl as do most people I know.  Everyone I know likes WebSense.
  • Use a passphrase system instead of traditional password rules (a short minimum length plus forced mixed character classes).  A long passphrase of several unrelated words is easier for end users to remember and type, and length does more against guessing than symbol substitution does.  A passphrase of 15 characters or more also cannot be stored as an LM hash, which removes the weakest credential on older domains.
  • Physical security for servers is critical.  Where you cannot provide it (branch offices, for example), consider centralising the servers, or deploying branch servers with BitLocker and Read-Only Domain Controllers, so a stolen box yields no readable data, no writable copy of the directory and only the subset of credentials you chose to cache on it.
  • SQL 2008 has loads of security stuff in it that’s new.  I’m not a DBA so I’m not the best person to talk about those.
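The "lock down ports" and "force USB device encryption" items above come down to a handful of policy values.  The following PowerShell is an added example and not code from the original post: it writes the equivalent local-policy registry values on one Windows 7 / Server 2008 R2 (or later) machine, reads them back, and reports BitLocker status.  In a domain you would set the same two settings in a GPO under Computer Configuration > Administrative Templates rather than touching the registry.  The choice to block disc burning while allowing BitLocker-protected USB drives is an assumption about what "data may only leave on an encrypted drive" should mean; adjust the device classes to taste.

```powershell
# Added example, not code from the original post. Run from an elevated prompt
# on Windows 7 / Server 2008 R2 or later. Writes local-policy values that a
# domain GPO would normally set.

$policies = @(
    # System > Removable Storage Access > "CD and DVD: Deny write access".
    # The GUID is the CD-ROM device interface class; no burning data to disc.
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
       Name  = 'Deny_Write'; Value = 1 },
    # Windows Components > BitLocker Drive Encryption > Removable Data Drives >
    # "Deny write access to removable drives not protected by BitLocker".
    # USB sticks stay usable, but only after BitLocker To Go has encrypted them.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'; Name = 'RDVDenyWriteAccess'; Value = 1 }
)

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

foreach ($p in $policies) { Set-PolicyValue @p }

# Read each value back so the change is verified rather than assumed.
foreach ($p in $policies) {
    $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name).($p.Name)
    if ($actual -ne $p.Value) { throw "Policy $($p.Name) not applied at $($p.Path)" }
}

# Report fixed-drive encryption state. Get-BitLockerVolume comes with the
# BitLocker module on Windows 8 / Server 2012 and later; on Windows 7 fall
# back to manage-bde, which has shipped since Vista.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionPercentage |
        Format-Table -AutoSize
} else {
    manage-bde -status
}
```

Reboot, or at least re-plug the device, before trusting that the removable-storage setting has taken effect.  If you also want to refuse drives encrypted by another organisation, the same BitLocker policy has a "devices configured in another organization" option, but it only makes sense once you have set the organisation identification field policy as well.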

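The passphrase item above maps onto an Active Directory fine-grained password policy: raise the minimum length, switch off the character-class rule, and scope it to a group.  This is an added example, not code from the original post.  It assumes a Server 2008 or later domain functional level, the ActiveDirectory module (RSAT or a domain controller) and an account that can create PSOs; the policy name, group name, sample user and the 365-day maximum age are placeholders.

```powershell
# Added example, not code from the original post: a fine-grained password
# policy that enforces length instead of complexity, applied to one group.
Import-Module ActiveDirectory

$policyName  = 'Passphrase-Users'   # placeholder PSO name
$targetGroup = 'Staff'              # placeholder group that receives the policy

$settings = @{
    Name                        = $policyName
    Precedence                  = 10        # lowest precedence wins if a user is in several PSOs
    MinPasswordLength           = 20        # length is what makes guessing expensive
    ComplexityEnabled           = $false    # no forced digit/symbol mix; several unrelated words is fine
    PasswordHistoryCount        = 24
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 365)  # assumption; pick your own rotation period
    LockoutThreshold            = 10
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled = $false    # never store recoverable passwords
}

# Create the PSO only if it does not already exist, then attach the group.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy @settings
}
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $targetGroup

# Check which policy actually wins for a sample user (placeholder account).
Get-ADUserResultantPasswordPolicy -Identity 'jbloggs' |
    Select-Object Name, MinPasswordLength, ComplexityEnabled
```

The resultant-policy check at the end matters: a user in several groups gets whichever PSO has the lowest precedence number, and a user with no PSO falls back to the domain default, so a new policy can silently fail to apply to the people you meant.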