<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>SQLServerCentral / Editorials / SQLServerCentral.com  / Finding a Balance / Latest Posts</title><generator>InstantForum.NET v2.9.0</generator><description>SQLServerCentral</description><link>http://www.sqlservercentral.com/Forums/</link><webMaster>notifications@sqlservercentral.com</webMaster><lastBuildDate>Wed, 22 May 2013 00:33:01 GMT</lastBuildDate><ttl>20</ttl><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>Should they be banned?  If you cannot trust those who work there, yes.  And can you trust them all? If there is data it might get stolen.  If you have valuable data it has a higher probability of being stolen.  If you have very valuable data that is crucial information it is only a matter of time till someone gets to it.  M.</description><pubDate>Tue, 04 Sep 2012 11:14:41 GMT</pubDate><dc:creator>Miles Neale</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]David.Poole (8/31/2012)[/b][hr]The problem security people face is that the people who want to use iPads etc are the most senior people in the organisation.  No Mr CEO you can't use your iPad/Nexus 7.....I'll get my coat:ermm:[/quote]Couldn't agree more! The 'do as I say, not as I do' attitude is something I have not yet worked out whether to try to negate or to leverage for my own advantage.
One day I'll find a way and I'll be able to get sqlpass.org, that notorious 'online community', whitelisted by Risk!</description><pubDate>Mon, 03 Sep 2012 06:11:49 GMT</pubDate><dc:creator>Steph Locke</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>I see companies get increasingly interested in BYOD (Bring your own device). There are a number of senior business execs who like the portability of iPads and the ability to intersperse notes, photos etc. They may be using an iPad app to put together a presentation and then want to upload this to the network, and the obvious progression is to downloading spreadsheet and other data to enhance their presentation. What we really need is some form of wireless private cloud so if you use mobile devices all work is stored seamlessly in that private cloud and not on the device itself.  Move out of reception range and the device simply cannot access the work done on the premises. The problem security people face is that the people who want to use iPads etc are the most senior people in the organisation.  No Mr CEO you can't use your iPad/Nexus 7.....I'll get my coat:ermm:</description><pubDate>Fri, 31 Aug 2012 10:41:01 GMT</pubDate><dc:creator>David.Poole</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]majorbloodnock (8/31/2012)[/b][hr][quote][b]Eric M Russell (8/31/2012)[/b][hr][quote]I offer advice only from my own personal experience; I just toss it into the mix and readers can balance whatever I write with the experiences and advice of others. My point is that the prevailing opinion of most corporations that deal with sensitive data (banks, healthcare, government, etc.) 
is that employees should generally be restricted from downloading data from their networked PCs to portable storage devices or (even worse) 3rd party cloud storage websites like DropBox or SkyDrive. The potential risk outweighs whatever marginal benefit.[/quote]There I can now agree, Eric. The "generally" inserts enough flexibility to allow for exceptional circumstances, and in my experience there are always exceptions.[/quote]From the first post, I thought I had left enough wiggle room to cover special situations where an employee might need to use portable storage. However, I don't think that corporations should allow employees freedom to plug in portable storage devices whenever they choose and then simply request that they only use it when needed. The firewall should block access to remote cloud storage or FTP sites, and by default the workstations should be configured to deny install of USB storage devices. [url]http://support.microsoft.com/kb/823732[/url]</description><pubDate>Fri, 31 Aug 2012 09:20:11 GMT</pubDate><dc:creator>Eric M Russell</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]Eric M Russell (8/31/2012)[/b][hr][quote]I offer advice only from my own personal experience; I just toss it into the mix and readers can balance whatever I write with the experiences and advice of others. My point is that the prevailing opinion of most corporations that deal with sensitive data (banks, healthcare, government, etc.) is that employees should generally be restricted from downloading data from their networked PCs to portable storage devices or (even worse) 3rd party cloud storage websites like DropBox or SkyDrive. The potential risk outweighs whatever marginal benefit.[/quote]There I can now agree, Eric. 
The "generally" inserts enough flexibility to allow for exceptional circumstances, and in my experience there are always exceptions.</description><pubDate>Fri, 31 Aug 2012 09:05:16 GMT</pubDate><dc:creator>majorbloodnock</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]majorbloodnock (8/31/2012)[/b][hr][quote][b]Eric M Russell (8/31/2012)[/b][hr][quote][b]majorbloodnock (8/31/2012)[/b][hr][quote][b]Eric M Russell (8/31/2012)[/b][hr]In a corporate environment, there is rarely a legitimate need for employees to be downloading stuff from the network to a "personal storage" device. In the vast majority of cases, employees who do this are not trying to do anything illegal, perhaps they are just wanting to copy their photos or MP3 music files to their work PC. A developer may think that having a portable copy of a database on his laptop will make him more productive. However, in both of these cases there is no real business need, and it presents risk to the company.[/quote]I'm afraid that, to me, that sounds rather sweeping. Thinking back over the years at the number of times various people at my company have had to move files around and where a memory stick or similar was the most appropriate vehicle, I'm convinced that:[li]in some businesses there is often a legitimate need[/li][li]business is rarely tidy, so there will always be legitimate exceptions to any rule[/li][li]"personal storage device" is something of a misnomer; "portable storage device" is probably closer to the mark[/li][li]It's dangerous to make assumptions about other situations based on a set of circumstances.[/li]I fully accept your assertion may be entirely appropriate to your business, but it's not for mine, and unless you want to argue that you know my company better than I do, you're going to have to take my word for it. 
I'm not trying to have a go at you, incidentally; just trying to point out your post comes across as rather inflexible to me.[/quote]In a corporate environment, if employees are routinely moving files around using portable devices (like from one PC to another), then that would indicate there is something lacking in their network environment. If they need access to files, then they should put in a request to the IT help desk to have permissions added for that network folder. If there is some special event, like when an employee is assigned a new PC and they are in the process of copying things from their old PC, then they should again request assistance from IT support. If we're talking about a small company, like a consulting firm with a handful of employees where everyone manages their own IT, then that's different. I can see in that situation where portable storage would be routinely needed.[/quote]Does that mean you do intend to try convincing me you know more about my business than I do?[/quote]I offer advice only from my own personal experience; I just toss it into the mix and readers can balance whatever I write with the experiences and advice of others. My point is that the prevailing opinion of most corporations that deal with sensitive data (banks, healthcare, government, etc.) is that employees should generally be restricted from downloading data from their networked PCs to portable storage devices or (even worse) 3rd party cloud storage websites like DropBox or SkyDrive. 
The potential risk outweighs whatever marginal benefit.</description><pubDate>Fri, 31 Aug 2012 08:52:19 GMT</pubDate><dc:creator>Eric M Russell</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]Eric M Russell (8/31/2012)[/b][hr][quote][b]majorbloodnock (8/31/2012)[/b][hr][quote][b]Eric M Russell (8/31/2012)[/b][hr]In a corporate environment, there is rarely a legitimate need for employees to be downloading stuff from the network to a "personal storage" device. In the vast majority of cases, employees who do this are not trying to do anything illegal, perhaps they are just wanting to copy their photos or MP3 music files to their work PC. A developer may think that having a portable copy of a database on his laptop will make him more productive. However, in both of these cases there is no real business need, and it presents risk to the company.[/quote]I'm afraid that, to me, that sounds rather sweeping. Thinking back over the years at the number of times various people at my company have had to move files around and where a memory stick or similar was the most appropriate vehicle, I'm convinced that:[li]in some businesses there is often a legitimate need[/li][li]business is rarely tidy, so there will always be legitimate exceptions to any rule[/li][li]"personal storage device" is something of a misnomer; "portable storage device" is probably closer to the mark[/li][li]It's dangerous to make assumptions about other situations based on a set of circumstances.[/li]I fully accept your assertion may be entirely appropriate to your business, but it's not for mine, and unless you want to argue that you know my company better than I do, you're going to have to take my word for it. 
I'm not trying to have a go at you, incidentally; just trying to point out your post comes across as rather inflexible to me.[/quote]In a corporate environment, if employees are routinely moving files around using portable devices (like from one PC to another), then that would indicate there is something lacking in their network environment. If they need access to files, then they should put in a request to the IT help desk to have permissions added for that network folder. If there is some special event, like when an employee is assigned a new PC and they are in the process of copying things from their old PC, then they should again request assistance from IT support. If we're talking about a small company, like a consulting firm with a handful of employees where everyone manages their own IT, then that's different. I can see in that situation where portable storage would be routinely needed.[/quote]Does that mean you do intend to try convincing me you know more about my business than I do?</description><pubDate>Fri, 31 Aug 2012 08:40:02 GMT</pubDate><dc:creator>majorbloodnock</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]majorbloodnock (8/31/2012)[/b][hr][quote][b]Eric M Russell (8/31/2012)[/b][hr][quote]Does it make sense to ban personal storage devices?[/quote]In a corporate environment, there is rarely a legitimate need for employees to be downloading stuff from the network to a "personal storage" device. In the vast majority of cases, employees who do this are not trying to do anything illegal, perhaps they are just wanting to copy their photos or MP3 music files to their work PC. A developer may think that having a portable copy of a database on his laptop will make him more productive. However, in both of these cases there is no real business need, and it presents risk to the company.[/quote]I'm afraid that, to me, that sounds rather sweeping. 
Thinking back over the years at the number of times various people at my company have had to move files around and where a memory stick or similar was the most appropriate vehicle, I'm convinced that:[li]in some businesses there is often a legitimate need[/li][li]business is rarely tidy, so there will always be legitimate exceptions to any rule[/li][li]"personal storage device" is something of a misnomer; "portable storage device" is probably closer to the mark[/li][li]It's dangerous to make assumptions about other situations based on a set of circumstances.[/li]I fully accept your assertion may be entirely appropriate to your business, but it's not for mine, and unless you want to argue that you know my company better than I do, you're going to have to take my word for it. I'm not trying to have a go at you, incidentally; just trying to point out your post comes across as rather inflexible to me.[/quote]In a corporate environment, if employees are routinely moving files around using portable devices (like from one PC to another), then that would indicate there is something lacking in their network environment. If they need access to files, then they should put in a request to the IT help desk to have permissions added for that network folder. If there is some special event, like when an employee is assigned a new PC and they are in the process of copying things from their old PC, then they should again request assistance from IT support. If we're talking about a small company, like a consulting firm with a handful of employees where everyone manages their own IT, then that's different. 
I can see in that situation where portable storage would be routinely needed.</description><pubDate>Fri, 31 Aug 2012 08:32:19 GMT</pubDate><dc:creator>Eric M Russell</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]Eric M Russell (8/31/2012)[/b][hr][quote]Does it make sense to ban personal storage devices?[/quote]In a corporate environment, there is rarely a legitimate need for employees to be downloading stuff from the network to a "personal storage" device. In the vast majority of cases, employees who do this are not trying to do anything illegal, perhaps they are just wanting to copy their photos or MP3 music files to their work PC. A developer may think that having a portable copy of a database on his laptop will make him more productive. However, in both of these cases there is no real business need, and it presents risk to the company.[/quote]I'm afraid that, to me, that sounds rather sweeping. Thinking back over the years at the number of times various people at my company have had to move files around and where a memory stick or similar was the most appropriate vehicle, I'm convinced that:[li]in some businesses there is often a legitimate need[/li][li]business is rarely tidy, so there will always be legitimate exceptions to any rule[/li][li]"personal storage device" is something of a misnomer; "portable storage device" is probably closer to the mark[/li][li]It's dangerous to make assumptions about other situations based on a set of circumstances.[/li]I fully accept your assertion may be entirely appropriate to your business, but it's not for mine, and unless you want to argue that you know my company better than I do, you're going to have to take my word for it. 
I'm not trying to have a go at you, incidentally; just trying to point out your post comes across as rather inflexible to me.</description><pubDate>Fri, 31 Aug 2012 08:16:26 GMT</pubDate><dc:creator>majorbloodnock</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote]Does it make sense to ban personal storage devices?[/quote]In a corporate environment, there is rarely a legitimate need for employees to be downloading stuff from the network to a "personal storage" device. In the vast majority of cases, employees who do this are not trying to do anything illegal, perhaps they are just wanting to copy their photos or MP3 music files to their work PC. A developer may think that having a portable copy of a database on his laptop will make him more productive. However, in both of these cases there is no real business need, and it presents risk to the company.</description><pubDate>Fri, 31 Aug 2012 06:37:17 GMT</pubDate><dc:creator>Eric M Russell</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>This security is the norm for us - only company supplied encrypted USB sticks will work on the machines, no CD or DVD or USB ports or bluetooth/infrared etc. Wall ports are blocked so you can't plug in or move a PC without IT help and can only plug in company supplied equipment which has standard builds, "Windows L" keyboard locking is standard practice, most people can't write to their C drive or install anything (My Documents and profile things go on a network server drive for portability) and there's a strong firewall and no wireless links allowed. All internet sites for email and social networking (and eBay etc) are blocked. We have a few ADSL machines totally unconnected to the network where the privileged few can download updates etc. or access otherwise blocked websites. 
It's generally not a problem. Work is for work and home is separate. Mobile phones are not banned as they can't be connected, so personal messages and emails etc are accessible that way. If something is needed for work there are administrators who can access things. It prevents far more problems than it causes and with standard builds you know what software everyone has, so no coding for different browsers etc. </description><pubDate>Fri, 31 Aug 2012 01:47:19 GMT</pubDate><dc:creator>P Jones</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>Well, funny story about the company where I once worked.  We had to test due to a data center move.  As part of the test they shut off the network to a group of PCs.  These PCs had no way to connect to our shared files nor did they have floppy or disk drives.  These PCs were completely on an island for all intents and purposes.  We then asked if we could have some USB drives at our disposal to move the files we needed to accurately test the data center.  Anyhow, we were told that they were afraid to buy us USB devices because we could steal data; however, out the other side of their mouth they encouraged us to bring in our own USB sticks to move data.  In that instance the fear of theft was just an excuse they knew would be difficult to refute.</description><pubDate>Mon, 19 Nov 2007 15:16:20 GMT</pubDate><dc:creator>Sean Law-383356</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>This is why all companies should have policies on the management and protection of information that spell out the different classes of data (company use, private, etc) and what steps are necessary to safeguard each class. Make the penalties for violations clear, and enforce them. Only grant access to data if it is required for the person's job. 
Personnel data should be very restricted. Most of this is common sense.</description><pubDate>Fri, 16 Nov 2007 14:02:21 GMT</pubDate><dc:creator>Ross McMicken</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]K. Brian Kelley (11/16/2007)[/b][hr]...We did that recently with our admins. We have a screen saver policy that forces screen saver lock after X minutes and some of them had become too reliant on it. Therefore, one of the security guys started slipping into cubes right after they walked out and sending an email to the person and to the security team to prove the point. Now the admins are paranoid and are locking their workstations as they get up, even if they are only going a couple of cubes down.[/quote]I spent nine years doing database administration &amp; development and network administration for a police department.  SOP was when you walked away from your workstation, you did a Windows key-L and locked it.  When I started at my current gig, I did the same thing, and the guy next to me finally noticed that my workstation was always locked and was wondering how I did it.  Now a lot of people do it, though quite a few rely on the screen saver to lock their system. We, the system administrators, also had two PCs on our desk with a KVM switch.  We would log in to one as admin without internet access and the other as a user with internet access.  Virtualization wasn't really viable back then.</description><pubDate>Fri, 16 Nov 2007 13:28:53 GMT</pubDate><dc:creator>Wayne West</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]Peter Schott (11/16/2007)[/b][hr][quote][b]Steve Jones - Editor (11/16/2007)[/b] People don't respect security when it's a pain and it gets in their way. 
They don't see the risk of something happening as a problem.[/quote]I think this sums it up pretty well.  A lot of people don't really care about trying to steal and the dishonest will find ways.  However, putting in place policies that make it harder to do real work will generally lead to people finding ways around those policies or just not working as hard/well/efficiently as they would otherwise.  Really insane policies may even drive people away just to find someplace where they can work without so much trouble.[/quote]This is why security awareness is so important. However, most people think they know it already, so usually until you prove the point with a demonstrated test, you don't get their attention. We did that recently with our admins. We have a screen saver policy that forces screen saver lock after X minutes and some of them had become too reliant on it. Therefore, one of the security guys started slipping into cubes right after they walked out and sending an email to the person and to the security team to prove the point. Now the admins are paranoid and are locking their workstations as they get up, even if they are only going a couple of cubes down.</description><pubDate>Fri, 16 Nov 2007 11:17:05 GMT</pubDate><dc:creator>K. Brian Kelley</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]Bob Hoffman (11/16/2007)[/b][hr]Simple technology solution: Use only NT Terminal Server as your network OS with users getting only thin clients.[/quote]Can you say privilege escalation attack? And once I escalate to admin, I'm punching out off-site... all under the context of an administrative account. Therefore, non-repudiation fails. There have been more than a handful of priv. esc. vulnerabilities that require local logon privs. That's one of the issues with Terminal Services/Citrix: you get the local logon. 
Not to say that's not a good idea, as Terminal Services/Citrix usually have a great ROI for an organization, but just to point out that even from a technology perspective you can still beat technology with technology.</description><pubDate>Fri, 16 Nov 2007 11:12:50 GMT</pubDate><dc:creator>K. Brian Kelley</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]Steve Jones - Editor (11/16/2007)[/b] People don't respect security when it's a pain and it gets in their way. They don't see the risk of something happening as a problem.[/quote]I think this sums it up pretty well.  A lot of people don't really care about trying to steal and the dishonest will find ways.  However, putting in place policies that make it harder to do real work will generally lead to people finding ways around those policies or just not working as hard/well/efficiently as they would otherwise.  Really insane policies may even drive people away just to find someplace where they can work without so much trouble. As for the bans/blocks - I can see arguments for and against them.  Some people really have no need for those types of devices to be connected to their workstation and blocking them wouldn't be a huge problem.  However, sometimes good people with legitimate needs for USB drives and similar might go bad.  There's nothing that will really stop that.</description><pubDate>Fri, 16 Nov 2007 10:28:48 GMT</pubDate><dc:creator>Peter Schott</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>Simple technology solution: Use only NT Terminal Server as your network OS with users getting only thin clients. No floppies, USB, Bluetooth or CD/DVD RW support.  Ever. Now you just need to ban printers, paper and pencils ... 
:Whistling: However, I know of someone in the 80's who was told during a buyout that he could not take any information out of the office.  Except maybe for what was already in his head.  So he would call his home answering machine and read off the contact list until he had it all.  At night he would write it all down, erase the tape and continue the next day. You cannot stop every person bent on gaining information for nefarious reasons from doing so.  People need access to information to do their jobs, otherwise why have them work?</description><pubDate>Fri, 16 Nov 2007 10:22:14 GMT</pubDate><dc:creator>Bob Hoffman-209065</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>This is a great debate and thanks for all the comments. I wasn't trying to limit the discussion in any way to technology as a solution. Banning could be locking machines or preventing them from entering the premises. I'm sure most of us don't want clear purses (as some retail outlets require) or metal detectors to prevent stuff from coming in and out. I'm not sure that would work well in any case. If someone really is intent on stealing data, I'm not sure you can prevent them, just as pointed out with the paper/OCR issues. I think detection and some monitoring are your only chances. And keep in mind it's not just "bad people" that do this. Hiring practices might not help. First, the lost devices are a problem, so it makes some sense to make a policy that prohibits copying data to USB devices and then maybe monitoring when something is copied. Not sure how to do this, but it's an option. I hadn't considered lost devices, especially since we "lose" laptops already, but that's something to consider. Don't allow important data to be moved to USB/Bluetooth/Infrared. This helps prevent the "stupid mistakes". The second is what about good employees that go bad? 
People get disgruntled, people have financial issues, or maybe just get greedy. What if I found someone that was susceptible to stealing SSNs or something else? If I pay them $1000 or $10,000, would they copy data for me? Who knows, and I'd have to pick someone that wouldn't report my offer, but tackling this problem is more difficult. But most people aren't trained spies, so the harder it is, the less likely they take the chance. Brian K pointed out early that lots of people have legitimate access to data. They do, but they also have patterns they stick to. If they steal data within the pattern, i.e. copy one SSN at a time, there's nothing you can do. If they break the pattern, technology can help. As for the salespeople? They're not forsaking their jobs to get around technology. They're trying to make their jobs easier, and getting around technology because it's in their way. That's the problem. People don't respect security when it's a pain and it gets in their way. They don't see the risk of something happening as a problem.</description><pubDate>Fri, 16 Nov 2007 09:34:38 GMT</pubDate><dc:creator>Steve Jones - SSC Editor</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]Stephanie J Brown (11/16/2007)[/b][hr]As a for instance, the military bans camera phones on base, but at my company there is not a real need to do so (note, someone could take pictures of reports with SSNs...)[/quote]Which raises the question, how do they police this? Given that many military bases also have base housing, some of which have almost open access to locations near the sensitive areas (Kaneohe Bay you could walk on the beach where the amphibious vehicles were; Iwakuni, Keesler and Maxwell it was nothing to get to the edge of the flightline), you can't expect all dependents to not have camera phones. 
Nor are they checking everyone at the gate, either, meaning it's more of a rule if you get caught. For that matter, what do they do about those off-base... for instance, at Shaw and MCAS Beaufort the flightline is visible from OUTSIDE the fence.</description><pubDate>Fri, 16 Nov 2007 09:12:51 GMT</pubDate><dc:creator>K. Brian Kelley</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>So back to the original question, "should we ban portable devices", the answer seems to be "sometimes yes, sometimes no".  Reasonable and prudent probably comes into play.  There is no way I can think of to lock out all devices, especially considering the pace of technology, so I'd be asking what it's prudent to ban for a given company / situation.  The answer may be different for every company out there!  As a for instance, the military bans camera phones on base, but at my company there is not a real need to do so (note, someone could take pictures of reports with SSNs...) We use technology to solve problems, but it's not a panacea.  The determined criminal can always find a way to bypass it, and is always sure they will never be caught.  So I agree it is more important to be able to find out you've been breached than to ban all technology.  
And penalties for data theft should be more severe, in my view; the legal system hasn't caught up yet. In the end, it's a social engineering issue rather than a technological one.</description><pubDate>Fri, 16 Nov 2007 08:45:28 GMT</pubDate><dc:creator>Stephanie J Brown</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]G Bryant McClellan (11/16/2007)[/b][hr]Not only firewalls and constant scanning of perimeter security and encrypted laptops, but encrypted emails for customer communication and software monitoring email to ensure that personal information is not sent in the clear.[/quote]Of course, if you are encrypting outbound e-mail, and the encryption is running on the desktop, the firm has lost the ability to monitor what is being sent out -- could be anything, including pure compressed binary data....  It may take a number of e-mails, but large amounts of data could leave via this route before you even were alerted to the anomaly.  And if the employee used multiple different recipients and varied the message sizes, they could readily defeat most all monitoring.... If you let them receive encrypted e-mail, there's no telling what's coming in! Not to say that this policy/implementation is wrong; just pointing out that there are always holes, and generally big gaping holes that are perhaps non-obvious.  And false security is the worst security of all -- but it's generally all false in the tech world.  Then again, today, a lot of security policies and procedures are very effective in the most important measure: the CYA Factor.... But while we are all being very diligent at CYA and making lots of expensive work, I wonder if anyone is really tracking the cost impact of the lost productivity and the employee bad will.  
An employee who feels that the relationship with their company is poor may have incentive to harm the company in ways that are far deeper than just stealing data -- the sorts of harm that can accrue with just doing their job deliberately badly, even if for only a short time before moving on....</description><pubDate>Fri, 16 Nov 2007 08:39:51 GMT</pubDate><dc:creator>Sir Slicendice</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]Sir Slicendice (11/16/2007)[/b][hr]I'm sure that if I worked at it I could have built a small bit of code to generate a gif with a set of high-density bar codes, which would have worked even better -- all without installing any software.  [/quote] Or better yet, go the stego route and just embed the data in an image file that looks innocent enough attached to your mail signature. </description><pubDate>Fri, 16 Nov 2007 08:39:17 GMT</pubDate><dc:creator>K. Brian Kelley</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>Agreed with a number of posters. It's all about psychology and human nature. An important part of policy making is that it be sufficiently targeted to harmful behavior, and not antagonize otherwise good employees. People are much more willing to cooperate with narrowly targeted rules that are perceived as fair. Consider two possible policies:
1) All USB/ipods/smartphones etc. are prohibited.
2) Connecting to company equipment is prohibited.
#1 is bad for a couple of reasons: it is unenforceable, especially to someone who is already willing to do harmful acts; sneaking a device in is trivial. Unenforceable rules are usually bad, because they can create a culture of rule breaking. 
Also, even more importantly, it calls everyone with an ipod a suspected criminal, even though the primary use of the product is not criminal at all. #2 directly addresses the [i]harmful[/i] action. It does not interfere with or impugn the employees who use these devices legitimately. It is much easier to enforce: a connection can be more detectable, and violations, since they are inherently more likely to be nefarious, are much more likely to be reported by other employees who would likely turn a blind eye to rule #1.</description><pubDate>Fri, 16 Nov 2007 08:33:52 GMT</pubDate><dc:creator>jay-h</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>A company I previously worked for used the approach of trying to lock everything down.  New machines all got the BIOS locked up and the drives wiped and the company's locked-down Windows installed.  (They were trying very hard to gain the benefit of volume purchase of ordinary desktops, not thin-clients, and couldn't do blades for the desktop.) The locks sort of worked - no one could burn CD/DVD, thumb drives and USB drives were locked out, etc.  Caused them to take a lot of help desk calls to perform the required actions (burn a CD, DVD, etc.), or grant the permission and make the config changes for limited time use for specific activities.  Very expensive, and not even considering the lost productivity of the users, nor the bad feeling this engenders among the users! And the fun part was, I demonstrated that if you took a file and "encoded" it to base-64 (as for pure ASCII e-mail), then printed it with a good Courier font, the file could be readily OCR'ed and fully recovered.  If the file was pre-processed to embed a good error correction code, even very large files could be handled.  
I'm sure that if I worked at it I could have built a small bit of code to generate a gif with a set of high-density bar codes, which would have worked even better -- all without installing any software.  All that's needed is a small copy of Perl, and that could readily come in via e-mail or the web. Locks don't work for this stuff.  If you have a high-security need, use fully locked down and isolated networks of blades or thin clients.  For general use, deal with it as any trust relationship......  A company that doesn't trust its own employees to a reasonable extent is doomed anyway. And of course, trust but verify.....</description><pubDate>Fri, 16 Nov 2007 08:26:36 GMT</pubDate><dc:creator>Sir Slicendice</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>For any company with more than 0 employees, there is no excuse for not having a policy, not communicating said policy, and not exercising penalties described in said policy, fairly and even-handedly, across the entire organization. CEOs are just as much employees of the company as facility maintenance personnel and should be just as bound by the policies. And where any job function is out-sourced, those companies and people must be required, as a matter of contractual agreement, to accept and abide by the policies set forth by each of their clients. That being said, every technological solution is just a roadblock. We will all end up saner in the end if we stop thinking there is a be-all and end-all technological solution for anything. I would not describe where I work as a paramount of security implementation, but we at least employ multiple methods of protecting data. 
Not only firewalls and constant scanning of perimeter security and encrypted laptops, but encrypted emails for customer communication and software monitoring email to ensure that personal information is not sent in the clear. To get back to the original question, I would agree that simply banning them would have a reverse effect. Making the fraudulent use of data expensive PERSONALLY to the perpetrator makes for a much better disincentive. Granted, this thinking is anti-SOX, which seems to penalize those who didn't have a problem and creates a whole new policing industry. Still, even personal disincentivization creates a Pandora's box. Every roadblock will be attacked by a newer and better method, so keep your eyes open.</description><pubDate>Fri, 16 Nov 2007 08:24:12 GMT</pubDate><dc:creator>G Bryant McClellan</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]rudy komacsar (11/16/2007)[/b][hr]Locks only keep honest people out.[/quote] No, they keep out the curious and, in the case of an attacker who is looking for easy prey, they keep those guys away, too (who will go and find easy pickin's somewhere else). They won't keep out a knowledgeable attacker who is making a concerted effort to get in.</description><pubDate>Fri, 16 Nov 2007 08:20:30 GMT</pubDate><dc:creator>K. Brian Kelley</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>Locks only keep honest people out.</description><pubDate>Fri, 16 Nov 2007 07:51:02 GMT</pubDate><dc:creator>rudy - Doctor "X"</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]Jack Corbett (11/16/2007)[/b][hr]While I agree with this point, I think the point of the editorial is that technology has made it easier to steal data.  
I can get 1000's of SSN's in under a second with a thumb drive and only 1 in the same amount of time using pen and paper. It really is a people issue, but there are unethical people out there in every industry, so you have to do your best to slow them down.[/quote] I have mixed feelings about thumb drives because I really don't know how much of an improvement that will be. Unless you purposely go after infrared and Bluetooth, you haven't done yourself a whole lot of good. And as soon as you go after Bluetooth, you limit some of the wireless keyboard and mouse combos which we see in use. That means you're back to USBs, meaning now you've got to stay a step ahead on the portable devices. Not exactly fun. Also, the tried and true method of generating a printout and then taking that out with your other papers will still work. And as good as some of the OCRs are nowadays, it's a trivial exploit. Technology can only help somewhat. You are right, and others who have posted here are, too, in that this is a people problem. Good hiring policies, good awareness policies and proper training, engendering a sense of loyalty to the organization (which means the organization has to show loyalty and treat employees with dignity and respect) all come into play in order to try and reduce the threat.</description><pubDate>Fri, 16 Nov 2007 07:36:32 GMT</pubDate><dc:creator>K. Brian Kelley</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>Attempting to ban devices is futile at best and likely psychologically counterproductive. Anyone with evil intent can easily smuggle devices in. However, the fact that such rules would affect people's legitimate and (when properly used) harmless products like ipods, phones, etc. will undoubtedly build a wall of resentment, and perhaps a culture of rule violation (everyone knows everyone else is doing it.. 
and everyone feels it's justified). There is no foolproof answer, but the key is in the traditional means of HR and management policies (prevention of embezzlement is a similar problem, and there is much experience at handling it) and with securing access to data (including locked USB ports on many machines). People are not machines. They do not work well when locked down. They are not loyal when locked down. Where people are treated as responsible adults (including being encouraged to take personal responsibility to help protect the company's data) you have much more success in spotting the troublesome individuals.</description><pubDate>Fri, 16 Nov 2007 07:09:12 GMT</pubDate><dc:creator>jay-h</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>@Brian - Thanks. Good to find the common ground again. @Jack - I know what you mean. Unfortunately, the editorial asked, "should we ban personal storage devices from the workplace?". The answer should be, "it depends". An editorial based around "how aware are you of the security concerns that personal storage devices raise?" could be enlightening, but asking a yes/no question like this implied that the editorial was starting from a (as has been mentioned before) technology-fixated standpoint.</description><pubDate>Fri, 16 Nov 2007 07:06:50 GMT</pubDate><dc:creator>majorbloodnock</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]Stewart Joslyn (11/16/2007)[/b][hr]I think we're still technology fixated - you don't need a pen drive or any other IT hardware to steal a few social security numbers or bank details - a pencil and paper works perfectly well if you have any access to the data at all.  
Not a high-volume solution, but that won't make the victim - or the regulator - any happier.[/quote] While I agree with this point, I think the point of the editorial is that technology has made it easier to steal data.  I can get 1000's of SSN's in under a second with a thumb drive and only 1 in the same amount of time using pen and paper. It really is a people issue, but there are unethical people out there in every industry, so you have to do your best to slow them down. I have often thought that thumb drives should be blocked where I have worked.  I worked as a contractor at a student loan provider last summer and I could walk in with a thumb drive and have all kinds of personal information.  Didn't seem right then and doesn't seem right now.</description><pubDate>Fri, 16 Nov 2007 06:51:46 GMT</pubDate><dc:creator>  Jack Corbett</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]majorbloodnock (11/16/2007)[/b][hr]@Brian, I hold by my original statement. This isn't a technological problem; it's only the solution's implementation that's technologically based. What you're trying to achieve is as old as the hills, and it's only the tools used that have changed.[/quote] I agree wholeheartedly with that. Now if the auditors would figure that one out, we'd be a lot closer to actually resolving some of the issues. </description><pubDate>Fri, 16 Nov 2007 06:49:43 GMT</pubDate><dc:creator>K. Brian Kelley</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]Stewart Joslyn (11/16/2007)[/b][hr]I think we're still technology fixated - you don't need a pen drive or any other IT hardware to steal a few social security numbers or bank details - a pencil and paper works perfectly well if you have any access to the data at all.  
Not a high-volume solution, but that won't make the victim - or the regulator - any happier.[/quote] Exactly. A Cold War spy listening in to conversations in bugged offices was stealing information just as much as anyone who's siphoning off data from a database. Monitoring in the latter case isn't easy, any more than finding all the bugs in all the offices in the Cold War was easy, but as someone involved in minimising security threats, you do your best. Doing nothing because it's difficult is just not an option. @Brian, I hold by my original statement. This isn't a technological problem; it's only the solution's implementation that's technologically based. What you're trying to achieve is as old as the hills, and it's only the tools used that have changed.</description><pubDate>Fri, 16 Nov 2007 06:40:46 GMT</pubDate><dc:creator>majorbloodnock</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>I think we're still technology fixated - you don't need a pen drive or any other IT hardware to steal a few social security numbers or bank details - a pencil and paper works perfectly well if you have any access to the data at all.  Not a high-volume solution, but that won't make the victim - or the regulator - any happier.</description><pubDate>Fri, 16 Nov 2007 06:30:08 GMT</pubDate><dc:creator>Stewart Joslyn</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>This may sound a little draconian to some, but I work for a major broker-dealer, and given the risks of some of the data getting out (we have SSNs and people's info easily available to many employees), I don't understand why more enterprises don't utilize thin clients in a greater way.  
Thin clients that have very limited desktop hardware are completely adequate for most users, and you should be able to eliminate the USB ports, disk drives, etc. that pose the biggest risk. I know it would not make sense for all employees because some employees would need a full workstation for various reasons, but for a lot of employees it would, and that would at least reduce the attack surface greatly.</description><pubDate>Fri, 16 Nov 2007 06:24:34 GMT</pubDate><dc:creator>Samuel Clough</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>I think scenario 2 would apply in the story you're sketching. A sales rep who has the time to figure out how to circumvent security simply doesn't have enough real work on his / her hands and / or is not focused on his / her job well enough. That's a management problem. :Whistling:</description><pubDate>Fri, 16 Nov 2007 06:23:11 GMT</pubDate><dc:creator>Jurriaan Themmen</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]majorbloodnock (11/16/2007)[/b][hr]Once again, I think this is an example of looking at the technology involved in a problem and then assuming it's a technological problem overall. I don't believe this is any different from any other form of theft, and the basic rules for policing that exist already should be applied here.[/quote] The basic rules do break down, however, because of the nature of how compromises can happen and the requirement to be able to use the data in the first place. Let me use some examples. If you've got this really nice necklace, you may have a safe in your home that's bolted to the foundation or support beams such that a rogue would have to take apart the house to get at the safe. As far as you're concerned, there's only one necklace. 
Either you (if you are female) or your wife (if you are male) has it, or it's in the safe. Only you or your wife have the combination to the safe. You've ensured your 12-year-old son does not, even if he does want to put his latest *insert artist here* CD in the safe to keep Johnny from down the street getting his grubby hands on it. Therefore, there are only two potential folks who can access the safe. Auditing isn't that hard at all. But let's look at data. Your organization deals with sensitive information such as US Social Security Numbers or US Tax ID Numbers. You have a few dozen folks who must handle this data on a regular basis just to do their jobs. Their security allows them access to the data. And they may access data many, many times throughout the course of the day. The nature of their jobs means it's not unusual for several people to be accessing the same records, albeit for different reasons. Sure, you can audit the fact that all of this data access is occurring, but unless one particular worker is being foolish and making a lot more queries than normal, how exactly do your audit logs help you when you find your company has had a security breach and some of your customers have been victims of identity theft?</description><pubDate>Fri, 16 Nov 2007 06:20:51 GMT</pubDate><dc:creator>K. Brian Kelley</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]Jurriaan Themmen (11/16/2007)[/b][hr]1) "Lost or stolen device". Can't the industry come up with some kind of key-pair solution for this, like they have / had in PGP? The idea is that the mobile device can only be used in combination with registered hardware that holds part of the key combination. Surely something like this should be possible? [/quote] This doesn't work very well, either. Case in point, one organization secured their systems with the RSA SecurID tokens. 
That's just a key fob with a 6-digit number that changes every minute. You add that 6-digit number to a 4-8 digit PIN you set, and you've got a two-factor solution that's generally pretty solid. But you still want to keep the key fob separate from, say, the laptop, even though there is that PIN. What did the organization's security folks find? A sales rep had bought one of those keychain rings and managed to thread the power cord of the laptop through it. On that keychain was, you guessed it, the SecurID token. What made it all the worse is that the sales rep had started spreading how to do this to other reps. There's a picture of that somewhere on the Internet. But basically, like you said, awareness is really the only answer. The catch is to hit enough where they are well informed but not so saturated they just tune anything new out. </description><pubDate>Fri, 16 Nov 2007 06:11:39 GMT</pubDate><dc:creator>K. Brian Kelley</dc:creator></item><item><title>RE: Finding a Balance</title><link>http://www.sqlservercentral.com/Forums/Topic422873-263-1.aspx</link><description>[quote][b]Jurriaan Themmen (11/16/2007)[/b][hr][quote][b]majorbloodnock (11/16/2007)[/b][hr][/quote]"Stultior quam anser, sed item vigilans" (roughly, "more foolish than a goose, but just as watchful")[/quote] :D I'm not going to pretend to be a Latin scholar, but I get the general idea....</description><pubDate>Fri, 16 Nov 2007 04:57:35 GMT</pubDate><dc:creator>majorbloodnock</dc:creator></item></channel></rss>