Finding a Balance
Posted Thursday, November 15, 2007 8:02 PM


SSC-Dedicated


Group: Administrators
Last Login: Today @ 12:34 PM
Points: 31,181, Visits: 15,626
Comments posted to this topic are about the item Finding a Balance

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #422873
Posted Thursday, November 15, 2007 10:13 PM


Keeper of the Duck

Group: Moderators
Last Login: Friday, September 26, 2014 7:52 AM
Points: 6,624, Visits: 1,873
USB and portable devices can often be encrypted. The major HDD encryption vendors out there... Safeboot, Utimaco, PointSec, etc., all have products that do so automatically when inserted. However, they usually install a small loader app that, if you know the password, lets you decrypt. So this helps in the lost USB drive issue, but it doesn't do much in the malicious employee situation.

This is a hard one because there are so many ways to circumvent the rules. You mentioned bluetooth. One technology that often gets forgotten about is infrared. And it works. I've used infrared to transfer files back and forth between my laptop and mobile phone back when I still had a mobile phone. One of the things the military has done is go to diskless workstations in sensitive environments that don't have the USB ports, etc. I remember a friend of mine who worked on the B-2 project describing the setup. We see it nowadays advertised as thin client systems and the like. And it works... to a point.

However, this is really only the tip of the iceberg. Blocking webmail sites is necessary. Ensuring access to sites like GotoMyPC.com isn't permitted is another necessity. And it still doesn't solve the issue of printing hardcopies of data and then taking that offsite and using a good scanner with OCR to recover the data. Nor does it address unconventional uses of technology such as Kaminsky's use of DNS to store media files.

This is why security folks are walking around with that perpetual "Someone ran over my dog" look. There are so many ways to beat the system now that security is always playing catch up. It's also why security folks seem very unyielding when it comes to bending the rules for something. We've lost sleep at night considering some of the potential consequences.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #422894
Posted Friday, November 16, 2007 1:56 AM
Old Hand

Group: General Forum Members
Last Login: Monday, May 9, 2011 7:49 AM
Points: 343, Visits: 188
There is no such thing as perfect security in any context, whether physical or data. All you can do is make it difficult for the less sophisticated bad guys. Then make sure that you at least can detect who has stolen / sabotaged what by having robust audit trails and alarms (e.g. access pattern matching).


Post #422933
Posted Friday, November 16, 2007 2:35 AM
SSC-Enthusiastic

Group: General Forum Members
Last Login: Tuesday, February 12, 2008 1:36 AM
Points: 113, Visits: 90
Two scenarios.

1) "Lost or stolen device". Can't the industry come up with some kind of key-pair solution for this, like they have / had in PGP? The idea is that the mobile device can only be used in combination with registered hardware that holds part of the key combination. Surely something like this should be possible?

2) "Bad people or people gone bad". The best solution for this is good HR (don't hire bad people) and good management (don't let people go bad). Take good care of your people and they'll take good care of you. Spend time with your employees, give them attention and LISTEN to them. Chances are you'll pick up signals of anger and / or frustration at an early stage and you'll be able to do something about it.

I think working on data security awareness and employee satisfaction is a far better investment than throwing more hardware and procedures at the problem.
Post #422939
Posted Friday, November 16, 2007 3:15 AM


Ten Centuries

Group: General Forum Members
Last Login: Tuesday, October 7, 2014 7:12 AM
Points: 1,049, Visits: 3,009
Once again, I think this is an example of looking at the technology involved in a problem and then assuming it's a technological problem overall. I don't believe this is any different from any other form of theft, and the basic rules for policing that exist already should be applied here.

If you've got something worth protecting, you put a lock on it. The more important, the bigger the lock.
No matter how good your security, it has vulnerabilities, and you can't do anything after the fact if you don't know you've been hit. Therefore, monitor and audit.
If you don't tell people something's wrong, they have a get-out clause. Therefore publicise the rules.
If there's little personal risk involved, and the benefits are high, lots of people will have a go. Therefore redress the balance, both by making it likely they'll get caught and, once caught, that they'll suffer badly.

That's obviously not a comprehensive list, but it's exactly the same for protecting (for instance) the physical pounds, shillings and pence in a bank's vault as for the data in its databases. Implementing it involves lots of areas, not just one, and is a cultural thing, not a discrete topic.

I really wish we'd stop thinking of IT as a special case and inadvertently suspend common sense as a result.


Semper in excretia, sumus solum profundum variat
Post #422962
Posted Friday, November 16, 2007 3:38 AM
SSC-Enthusiastic

Group: General Forum Members
Last Login: Tuesday, February 12, 2008 1:36 AM
Points: 113, Visits: 90
majorbloodnock (11/16/2007)


"Stultior quam anser, sed item vigilans"
Post #422968
Posted Friday, November 16, 2007 4:57 AM


Ten Centuries

Group: General Forum Members
Last Login: Tuesday, October 7, 2014 7:12 AM
Points: 1,049, Visits: 3,009
Jurriaan Themmen (11/16/2007)
majorbloodnock (11/16/2007)


"Stultior quam anser, sed item vigilans"


:D

I'm not going to pretend to be a Latin scholar, but I get the general idea....


Semper in excretia, sumus solum profundum variat
Post #422983
Posted Friday, November 16, 2007 6:11 AM


Keeper of the Duck

Keeper of the Duck

Group: Moderators
Last Login: Friday, September 26, 2014 7:52 AM
Points: 6,624, Visits: 1,873
Jurriaan Themmen (11/16/2007)
1) "Lost or stolen device". Can't the industry come up with some kind of key-pair solution for this, like they have / had in PGP? The idea is that the mobile device can only be used in combination with registered hardware that holds part of the key combination. Surely something like this should be possible?


This doesn't work very well, either. Case in point, one organization secured their systems with the RSA SecurID tokens. That's just a key fob with a 6 digit number that changes every minute. You add that 6 digit number to a 4-8 digit PIN you set and you've got a two factor solution that's generally pretty solid. But you still want to keep the key fob separate from, say, the laptop, even though there is that PIN.

What did the organization's security folks find? A sales rep had bought one of those keychain rings and managed to thread the power cord of the laptop through it. On that keychain was, you guessed it, the SecurID token. What made it all the worse is that the sales rep had started spreading how to do this to other reps.

There's a picture of that somewhere on the Internet. But basically like you said, awareness is really the only answer. The catch is to hit enough where they are well informed but not so saturated they just tune anything new out.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #423001
Posted Friday, November 16, 2007 6:20 AM


Keeper of the Duck

Keeper of the Duck

Group: Moderators
Last Login: Friday, September 26, 2014 7:52 AM
Points: 6,624, Visits: 1,873
majorbloodnock (11/16/2007)
Once again, I think this is an example of looking at the technology involved in a problem and then assuming it's a technological problem overall. I don't believe this is any different from any other form of theft, and the basic rules for policing that exist already should be applied here.


The basic rules do break down, however, because of the nature of how compromises can happen and the requirement to be able to use the data in the first place. Let me use some examples. If you've got this really nice necklace you may have a safe in your home that's bolted to the foundation or support beams such that a rogue would have to take apart the house to get at the safe. As far as you're concerned, there's only one necklace. Either you (if you are female) or your wife (if you are male) has it or it's in the safe. Only you or your wife have the combination to the safe. You've ensured your 12-year-old son does not, even if he does want to put his latest *insert artist here* CD in the safe to keep Johnny from down the street getting his grubby hands on it. Therefore, there are only two potential folks who can access the safe. Auditing isn't that hard at all.

But let's look at data. Your organization deals with sensitive information such as US Social Security Numbers or US Tax ID Numbers. You have a few dozen folks who must handle this data on a regular basis just to do their jobs. Their security allows them access to the data. And they may access data many, many times throughout the course of the day. The nature of their jobs means it's not unusual for several people to be accessing the same records, albeit for different reasons. Sure, you can audit the fact that all of this data access is occurring, but unless one particular worker is being foolish and making a lot more queries than normal, how exactly do your audit logs help you when you find your company has had a security breach and some of your customers have been victims of identity theft?


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #423005
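The "access pattern matching" alarms mentioned earlier in the thread, and the objection just above that raw audit logs only help when one worker makes far more queries than normal, can be made concrete. The script below is an added illustration written for this page, not code from the thread or from SQL Server; the one-line-per-read audit format, the `CORP\...` logins and the record keys are all constructed. It baselines each login on its own history and alarms on the count of distinct records touched per hour, so a clerk re-reading the same handful of accounts all day (the normal case the post describes) stays quiet while a single hour that enumerates many new records is flagged.

```python
"""Per-login access-pattern baselining over constructed audit lines.

Added example, not from the original thread. Assumed (made-up) audit line format:
    <ISO timestamp> <login> <object> <record_key>
one line per row read of the sensitive table.
"""
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed sample: one working day of reads against a customer table."""
    lines = []
    # alice: normal hours re-read the same 6 accounts twice each (12 reads, 6 distinct)
    for hour in (8, 9, 11, 12):
        for rec in range(1000, 1006):
            for _ in range(2):
                lines.append(f"2007-11-16T{hour:02d}:15:00 CORP\\alice dbo.Customers {rec}")
    # alice at 10:00: a burst that walks 80 distinct records she never touched before
    for rec in range(5000, 5080):
        lines.append(f"2007-11-16T10:20:00 CORP\\alice dbo.Customers {rec}")
    # bob: steady 20 reads per hour over 10 accounts, overlapping alice's normal set
    for hour in (8, 9, 10, 11, 12):
        for rec in range(1000, 1010):
            for _ in range(2):
                lines.append(f"2007-11-16T{hour:02d}:40:00 CORP\\bob dbo.Customers {rec}")
    # carol: light user whose busiest hour (9 records) is still within her own range
    for hour, n in ((8, 4), (9, 5), (10, 6), (11, 9)):
        for rec in range(2000, 2000 + n):
            lines.append(f"2007-11-16T{hour:02d}:05:00 CORP\\carol dbo.Customers {rec}")
    return lines


def parse_line(line):
    """Split one constructed audit line; the hour bucket is the timestamp up to the hour."""
    ts, login, obj, key = line.split()
    return {"hour": ts[:13], "login": login, "object": obj, "key": key}


def profile(lines):
    """Per login and hour bucket: (total reads, number of distinct record keys)."""
    reads = defaultdict(lambda: defaultdict(int))
    keys = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ev = parse_line(line)
        reads[ev["login"]][ev["hour"]] += 1
        keys[ev["login"]][ev["hour"]].add(ev["key"])
    return {
        login: {h: (reads[login][h], len(keys[login][h])) for h in reads[login]}
        for login in reads
    }


def find_anomalies(prof, factor=3.0, min_hours=3):
    """Flag hours whose distinct-record count exceeds factor x the login's own median.

    The baseline is per login, so a heavy but consistent user is not compared
    with a light one. Logins with fewer than min_hours of history are skipped:
    one hour of data is not a pattern to deviate from.
    Returns (login, hour, reads, distinct, baseline) tuples.
    """
    alerts = []
    for login, hours in prof.items():
        if len(hours) < min_hours:
            continue
        baseline = median(distinct for _, distinct in hours.values())
        for hour, (reads, distinct) in sorted(hours.items()):
            if distinct > factor * baseline:
                alerts.append((login, hour, reads, distinct, baseline))
    return alerts


if __name__ == "__main__":
    for login, hour, reads, distinct, baseline in find_anomalies(profile(build_sample_log())):
        print(f"ALERT {login} {hour}: {distinct} distinct records in {reads} reads "
              f"(median for this login: {baseline})")
```

Two things worth noting about the design. Counting distinct records rather than raw reads is what keeps the shared-record, many-readers case from the post quiet: bob reads the very same accounts as alice and is never flagged. And the baseline here is taken from the same day as the event for brevity; in practice it should come from prior days, because a burst that lasts several hours would otherwise drag the median up and hide itself.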
Posted Friday, November 16, 2007 6:23 AM
SSC-Enthusiastic

Group: General Forum Members
Last Login: Tuesday, February 12, 2008 1:36 AM
Points: 113, Visits: 90
I think scenario 2 would apply in the story you're sketching.

A sales rep who has the time to figure out how to circumvent security simply doesn't have enough real work on his / her hands and / or is not focused on his / her job well enough.
That's a management problem.
Post #423007