Corporate Data Theft … By Directors!

Aidan Finn, aidanfinn.com, 21 September 2006 (https://aidanfinn.com/?p=8566)

The Register has an article (http://www.theregister.co.uk/2006/09/21/directors_flogging_company_data/) that claims that 29% of directors say they steal corporate data when they leave a company. 24% of thefts were done using USB devices (sticks, MP3 players) and 18% used email. There are no excuses for this … this is just plain theft of company data to bring to a competitor so that they have an unfair and probably illegal advantage.

So we've identified that USB and email make up 42% of data theft mechanisms. What do we do? The first thing to do is lock down access to resources. This goes from the basics of controlling data access to controlling device access.

Data access is one of the simplest things to get right but is rarely done right. First off, use Active Directory groups to grant access. I can't think of a place I've been to where they haven't granted access to users directly. That's just plain dumb and impossible to manage. Next, define owners of the data. These should be a number of people who are in a position to grant and revoke access to data. Only they should give permission to IT to grant access to a user. People automatically assume that IT know who should have access … how can we? Data access is a business issue, not an IT issue. We control the mechanism but not who needs access to the data. Using a strictly enforced and auditable procedure will control access and give auditors something to track. You can do this with paper, but I'd look at a SharePoint Services site and InfoPath (http://www.microsoft.com/office/infopath/prodinfo/default.mspx) from the Office Professional suite, maybe with a SQL back-end. By tying this in with PKI/certificates you can implement a rapid, paperless system with trustworthy signing.

Then there is device access. How many users really need access to a DVD/CD writer, USB sticks, etc., to carry out business? It will be less than 10% in a typical mid-sized organisation or larger. For now, the best solution I've found is DeviceLock (http://www.devicelock.com/). This service can be installed on all desktops to put permissions on all interface types, e.g. read-only CD/DVD, no access to USB, access to USB printers, no access to FireWire. Permissioning is done on a group basis, so you can allow local administrators full access, restrict access for all normal users and grant specified access to security groups. For example, I'd have a group called USB-Read and another called USB-Write. The deployment of the agent would configure these groups with the appropriate permissions on every machine on the network (this can be done during install, from a central console or via Group Policy). Then, when a user has a manager state that they have a business need for a device, e.g. to write to a memory stick, I'd drop them into the USB-Write group. Microsoft is promising similar functionality in Windows Vista, managed by Group Policy.

A few years ago I was working at a leading pharmaceuticals site as a consultant. A manager came up to me and quietly asked me to investigate something. A salesperson with access to sensitive data had left the company to go to a competitor, and they suspected that this person had forwarded large amounts of data via email. They asked me what could be done to find out what had happened. I asked them "what auditing have you?" and they responded "none". They were $£^& out of luck.

Even with restricted access, it's possible for someone to steal data. A person with access to company secrets could gain authorised access to a memory stick, and everyone has access to email anyway. So auditing is necessary.

Firstly, enable auditing on sensitive resources such as file shares. Make sure you audit both successful and failed access. You need to monitor failed attempts, but the purpose of this exercise is to monitor theft of data that someone had legitimate access to.

Anyone who has looked at the security event log in Windows knows that you might as well read the Egyptian Book of the Dead … it makes more sense. And what do you do if you have many servers? Are you going to look at the log of every server and trawl through the endless events that pop up for each file access or folder opened? At the moment, you can use a crude tool called EventCombMT (http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en). It is pretty crude and sucks to use with servers spread across a WAN. Unix and network types are used to syslog. There are 3rd-party implementations for Windows, but here's the catch: it costs more money and, in the end, it's just copying the noise that is the security log from every server to one point to create an even bigger amount of noise. Microsoft have been working on a solution for years called Audit Collection Services (http://www.4sol.com/resources/whitepapers/SCOM_2007_Audit_Collectio.html). It's finally on the way as a part of System Center Operations Manager 2007 (MOM 2007). It will gather key events, soon after they happen, and store them in a central dedicated SQL 2005 database. This database can be secured for auditor access only. It also has a view for reporting, so that you have a simple view of the data, presenting the information as if you were browsing the Security Log.

That covers file shares. Next we need to look at email. If this is a worry then you need to implement mail auditing. In fact, in certain regions or industries, you are meant to be doing this already. My experience is that certain regulations such as IFSRA or SOX are being deliberately misinterpreted or ignored so that IT costs can be minimised.

Commvault provides a compliance solution called DataArchiver (http://www.commvault.com/email_compliance.asp) for Microsoft Exchange. This will capture mail traffic and store it in a secure database that only selected people, e.g. auditors, security officers and IT, can access. This gives you an investigative tool you can use to track suspected misuse.

Your email anti-virus might offer some basic functionality you can use if you don't need or can't afford full-blown archiving. Microsoft Antigen has the ability not only to filter certain file types but also to capture attachments. A past colleague once caught some nefarious activity with email attachments, something that was strictly banned, by using Sybari Antigen (as it was called then).

At this point, we've put all the tools in place. What's left? Nothing, surely, because this is an IT problem, right? Nope. Far from it. As some sensible security consultants tell us, we can put all the mechanisms in the world in place, but in the end the "meat" will be the weakest link. What do I mean? Humans who want to advance their career or appear helpful will do whatever they can, including contravening procedures and rules.

A while back, I did some work at a finance company. A foreign branch manager had been caught on our proxy logs as a heavy and long-term browser of unknown (and hence unfiltered) pornographic sites. We reported this to the necessary internal authorities, but nothing was done. Strange, because 2 other people had been quietly let go for the same actions over a 2 or 3 day period. Then, late one Friday evening, I was called into an urgent meeting. The security officer and head of auditing revealed to us that this person had quit with no notice. They suspected this person had burned a large amount of data onto CD. But this shouldn't have happened, because the security officer thought he'd changed this person's access rights. What was the problem in this situation? Firstly, the company turned a blind eye to this person's activities because they were seen as a strategic asset in a new market. When this person quit there was a suspicion there would be a problem, but IT was not told. The security officer, who was overrated, did not understand how Active Directory worked and had failed to make the necessary changes to restrict access to USB, etc. Had we known, this person who was leaving would have lost all access in a matter of seconds. The IT staff in the branch office were completely unaware and actually granted access to the resources for the leaving manager; in fact it was thought that they even helped with burning data onto CD.

One of my biggest gripes in the corporate world is the unequal application of company policies. Internal Audit and Security departments spend the majority of their effort watching and analysing people such as IT administrators, while they ignore or turn a knowing blind eye to the activities of their directors. Consider the risks: an IT administrator with access to company secrets knows he's being watched/audited and won't take a stupid risk. And the chances of an IT administrator even knowing where to start looking for secrets are minimal. On the other hand, a director or senior staff member (a) knows what secrets there are, (b) knows where they are kept, (c) has access and (d) knows that no one will even blink if a director shows up in audit logs accessing information … assuming there are logs in the first place!

So what needs to be done? Together, union representatives, security, auditing, IT and solicitors must define policies. These policies should dictate how access is granted and revoked. Unauthorised use of data or resources must be defined and prohibited. Punishment for contravening these policies must be detailed. The key component is that the directors must publicly back, enforce and comply with these procedures. A rule is worthless if not applied equally. I dare any HR person to sack an employee for doing something that managers get away with even though procedures ban it. They'll be in an employment tribunal coughing and bleeding up money in a very public and embarrassing manner.

In summary:

- Control access to data.
- Restrict access to resources, e.g. USB, CD-RW, etc.
- Audit and track usage and communication of data.
- Clearly define and communicate policies. Equally and fairly enforce the policies.