Finding a Balance
Posted Friday, November 16, 2007 6:24 AM
SSC Rookie
Group: General Forum Members
Last Login: Tuesday, May 12, 2009 10:03 AM
Points: 27, Visits: 108
This may sound a little draconian to some, but I work for a major broker dealer and given the risks of some of the data getting out (we have ssn#s and people's info easily available to many employees), I don't understand why more enterprises don't utilize thin clients in a greater way. Thin clients that have very limited desktop hardware are completely adequate for most users and you should be able to eliminate the usb ports, disk drives, etc that pose the biggest risk.

I know it would not make sense for all employees because some employees would need a full workstation for various reasons, but for a lot of employees it would and that would at least reduce the attack surface greatly.
Post #423010
Posted Friday, November 16, 2007 6:30 AM
Old Hand
Group: General Forum Members
Last Login: Monday, May 9, 2011 7:49 AM
Points: 343, Visits: 188
I think we're still technology fixated - you don't need a pen drive or any other IT hardware to steal a few social security numbers or bank details - a pencil and paper works perfectly well if you have any access to the data at all. Not a high volume solution but that won't make the victim - or the regulator - any happier.


Post #423012
Posted Friday, November 16, 2007 6:40 AM
Ten Centuries
Group: General Forum Members
Last Login: Monday, November 17, 2014 6:00 AM
Points: 1,049, Visits: 3,012
Stewart Joslyn (11/16/2007)
I think we're still technology fixated - you don't need a pen drive or any other IT hardware to steal a few social security numbers or bank details - a pencil and paper works perfectly well if you have any access to the data at all. Not a high volume solution but that won't make the victim - or the regulator - any happier.


Exactly. A Cold War spy listening in to conversations in bugged offices was stealing information just as much as anyone who's siphoning off data from a database. Monitoring in the latter case isn't easy, any more than finding all the bugs in all the offices in the Cold War was easy, but as someone involved in minimising security threats, you do your best. Doing nothing because it's difficult is just not an option.

@Brian, I hold by my original statement. This isn't a technological problem; it's only the solution's implementation that's technologically based. What you're trying to achieve is as old as the hills, and it's only the tools used that have changed.


Semper in excretia, sumus solum profundum variat
Post #423017
Posted Friday, November 16, 2007 6:49 AM
Keeper of the Duck
Group: Moderators
Last Login: Friday, November 14, 2014 7:14 AM
Points: 6,625, Visits: 1,876
majorbloodnock (11/16/2007)
@Brian, I hold by my original statement. This isn't a technological problem; it's only the solution's implementation that's technologically based. What you're trying to achieve is as old as the hills, and it's only the tools used that have changed.


I agree wholeheartedly with that. Now if the auditors would figure that one, we'd be a lot closer to actually resolving some of the issues.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #423027
Posted Friday, November 16, 2007 6:51 AM
SSChampion
Group: General Forum Members
Last Login: 2 days ago @ 1:42 PM
Points: 10,340, Visits: 13,341
Stewart Joslyn (11/16/2007)
I think we're still technology fixated - you don't need a pen drive or any other IT hardware to steal a few social security numbers or bank details - a pencil and paper works perfectly well if you have any access to the data at all. Not a high volume solution but that won't make the victim - or the regulator - any happier.


While I agree with this point, I think the point of the editorial is that technology has made it easier to steal data. I can get 1000's of SSN's in under a second with a thumb drive and only 1 in the same amount of time using pen and paper.

It really is a people issue, but there are unethical people out there in every industry so you have to do your best to slow them down.

I have often thought that thumb drives should be blocked where I have worked. I worked as a contractor at a student loan provider last summer and I could walk in with a thumb drive and have all kinds of personal information. Didn't seem right then and doesn't seem right now.




Jack Corbett

Applications Developer

Don't let the good be the enemy of the best. -- Paul Fleming

Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
How to Post Performance Problems
Crosstabs and Pivots or How to turn rows into columns Part 1
Crosstabs and Pivots or How to turn rows into columns Part 2
Post #423029
Posted Friday, November 16, 2007 7:06 AM
Ten Centuries
Group: General Forum Members
Last Login: Monday, November 17, 2014 6:00 AM
Points: 1,049, Visits: 3,012
@Brian - Thanks. Good to find the common ground again.

@Jack - I know what you mean. Unfortunately, the editorial asked, "should we ban personal storage devices from the workplace?". The answer should be, "it depends". An editorial based around "how aware are you of the security concerns that personal storage devices raise?" could be enlightening, but asking a yes/no question like this implied that the editorial was starting from a (as has been mentioned before) technology-fixated standpoint.


Semper in excretia, sumus solum profundum variat
Post #423041
Posted Friday, November 16, 2007 7:09 AM
Right there with Babe
Group: General Forum Members
Last Login: 2 days ago @ 10:04 AM
Points: 762, Visits: 1,945
Attempting to ban devices is futile at best and likely psychologically counterproductive.

Anyone with evil intent can easily smuggle devices in. However, the fact that such rules would affect people's legitimate and (when properly used) harmless products like iPods, phones, etc. will undoubtedly build a wall of resentment, and perhaps a culture of rule violation (everyone knows everyone else is doing it, and everyone feels it's justified).

There is no foolproof answer, but the key is in the traditional means of HR and management policies (prevention of embezzlement is a similar problem, and there is much experience at handling it) and with securing access to data (including locked USB ports on many machines).

People are not machines. They do not work well when locked down. They are not loyal when locked down. Where people are treated as responsible adults (including being encouraged to take personal responsibility to help protect the company's data) you have much more success in spotting the troublesome individuals.


...

-- FORTRAN manual for Xerox Computers --
Post #423042
Posted Friday, November 16, 2007 7:36 AM
Keeper of the Duck
Group: Moderators
Last Login: Friday, November 14, 2014 7:14 AM
Points: 6,625, Visits: 1,876
Jack Corbett (11/16/2007)
While I agree with this point, I think the point of the editorial is that technology has made it easier to steal data. I can get 1000's of SSN's in under a second with a thumb drive and only 1 in the same amount of time using pen and paper.

It really is a people issue, but there are unethical people out there in every industry so you have to do your best to slow them down.


I have mixed feelings about thumb drives because I really don't know how much of an improvement that will be. Unless you purposely go after infrared and bluetooth, you haven't done yourself a whole lot of good. And as soon as you go after bluetooth, you limit some of the wireless keyboard and mouse combos which we see in use. That means you're back to USBs meaning now you've got to stay a step ahead on the portable devices. Not exactly fun.

Also, the tried and true method of generating a print out and then taking that out with your other papers will still work. And as good as some of the OCRs are nowadays, it's a trivial exploit.

Technology can only help somewhat. You are right, and others who have posted here are, too, in that this is a people problem. Good hiring policies, good awareness policies and proper training, engendering a sense of loyalty to the organization (which means the organization has to show loyalty and treat employees with dignity and respect) all come into play in order to try and reduce the threat.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #423058
Posted Friday, November 16, 2007 7:51 AM
Hall of Fame
Group: General Forum Members
Last Login: Yesterday @ 7:46 PM
Points: 3,220, Visits: 2,361
Locks only keep honest people out.



Regards
Rudy Komacsar
Senior Database Administrator

"Ave Caesar! - Morituri te salutamus."
Post #423066
Posted Friday, November 16, 2007 8:20 AM
Keeper of the Duck
Group: Moderators
Last Login: Friday, November 14, 2014 7:14 AM
Points: 6,625, Visits: 1,876
rudy komacsar (11/16/2007)
Locks only keep honest people out.


No, they keep out the curious and in the case of an attacker who is looking for easy prey, they keep those guys away, too (who will go and find easy pickin's somewhere else). They won't keep out a knowledgeable attacker who is making a concerted effort to get in.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #423083