SQLServerCentral
Finding a Balance

Steve Jones (SSC Guru, Administrators)
Comments posted to this topic are about the item Finding a Balance

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
K. Brian Kelley (Keeper of the Duck, Moderators)
USB and portable devices can often be encrypted. The major HDD encryption vendors out there (Safeboot, Utimaco, PointSec, etc.) all have products that do so automatically when the device is inserted. However, they usually install a small loader app that, if you know the password, lets you decrypt. So this helps in the lost USB drive issue, but it doesn't do much in the malicious employee situation.

This is a hard one because there are so many ways to circumvent the rules. You mentioned bluetooth. One technology that often gets forgotten about is infrared. And it works. I've used infrared to transfer files back and forth between my laptop and mobile phone back when I still had a mobile phone. One of the things the military has done is go to diskless workstations in sensitive environments that don't have the USB ports, etc. I remember a friend of mine who worked on the B-2 project describing the setup. We see it nowadays advertised as thin client systems and the like. And it works... to a point.

However, this is really only the tip of the iceberg. Blocking webmail sites is necessary. Ensuring access to sites like GotoMyPC.com isn't permitted is another necessity. And it still doesn't solve the issue of printing hardcopies of data, taking them offsite and using a good scanner with OCR to recover the data. Nor does it address unconventional uses of technology such as Kaminsky's use of DNS to store media files.

This is why security folks are walking around with that perpetual "Someone ran over my dog" look. There are so many ways to beat the system now that security is always playing catch up. It's also why security folks seem very unyielding when it comes to bending the rules for something. We've lost sleep at night considering some of the potential consequences.

K. Brian Kelley
@kbriankelley
Stewart Joslyn (Mr or Mrs. 500)
There is no such thing as perfect security in any context, whether physical or data. All you can do is make it difficult for the less sophisticated bad guys. Then make sure that you at least can detect who has stolen / sabotaged what by having robust audit trails and alarms (e.g. access pattern matching).

Jurriaan Themmen (SSC-Enthusiastic)
Two scenarios.

1) "Lost or stolen device". Can't the industry come up with some kind of key-pair solution for this, like they have / had in PGP? The idea is that the mobile device can only be used in combination with registered hardware that holds part of the key combination. Surely something like this should be possible?

2) "Bad people or people gone bad". The best solution for this is good HR (don't hire bad people) and good management (don't let people go bad). Take good care of your people and they'll take good care of you. Spend time with your employees, give them attention and LISTEN to them. Chances are you'll pick up signals of anger and / or frustration at an early stage and you'll be able to do something about it.

I think working on data security awareness and employee satisfaction is a far better investment than throwing more hardware and procedures at the problem.
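One concrete reading of the "registered hardware holds part of the key" idea in scenario 1, as an added example that is not from this thread or any of its posters: a two-of-two key split. The laptop's data-encryption key is XORed with a random share that lives on a separate token; the laptop keeps only the other share plus a short key-check value, so the laptop on its own reveals nothing about the key. All names, the key length and the key-check scheme are assumptions, not any vendor's design.

```python
# Added example: 2-of-2 key split between a device and a registered token.
# Not from the thread; names, KEY_LEN and the KCV construction are assumptions.
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit data-encryption key (assumed size)


def split_key(key):
    """Return (device_share, token_share) with device_share XOR token_share == key.

    The token share is fresh uniform randomness, so either share on its own is
    statistically independent of the key (it is a one-time pad over the key).
    """
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    token_share = secrets.token_bytes(KEY_LEN)
    device_share = bytes(a ^ b for a, b in zip(key, token_share))
    return device_share, token_share


def combine(device_share, token_share):
    """Recover the key; only meaningful when both genuine shares are present."""
    return bytes(a ^ b for a, b in zip(device_share, token_share))


def key_check_value(key):
    """4-byte tag stored beside the device share so a wrong token is rejected
    before any decryption is attempted (assumed scheme: truncated HMAC)."""
    return hmac.new(key, b"kcv-v1", hashlib.sha256).digest()[:4]


def unlock(device_share, kcv, token_share):
    """Rebuild the key from both shares; return None if the token is wrong."""
    key = combine(device_share, token_share)
    if not hmac.compare_digest(key_check_value(key), kcv):
        return None
    return key


if __name__ == "__main__":
    dek = secrets.token_bytes(KEY_LEN)          # constructed key for the demo
    dev, tok = split_key(dek)
    kcv = key_check_value(dek)
    assert unlock(dev, kcv, tok) == dek
    assert unlock(dev, kcv, secrets.token_bytes(KEY_LEN)) is None
    print("device share alone:", dev.hex())    # useless without the token
```

The 4-byte check value is safe to leave on the laptop only because the token share is a full 256 bits of entropy; if the token share were instead derived from a short PIN, the same check value would let a thief test PIN guesses offline. The scheme also assumes the token is actually kept apart from the laptop, which is the weak point the reply below describes.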
majorbloodnock (UDP Broadcaster)
Once again, I think this is an example of looking at the technology involved in a problem and then assuming it's a technological problem overall. I don't believe this is any different from any other form of theft, and the basic rules for policing that exist already should be applied here.

If you've got something worth protecting, you put a lock on it. The more important, the bigger the lock.
No matter how good your security, it has vulnerabilities, and you can't do anything after the fact if you don't know you've been hit. Therefore, monitor and audit.
If you don't tell people something's wrong, they have a get-out clause. Therefore publicise the rules.
If there's little personal risk involved, and the benefits are high, lots of people will have a go. Therefore redress the balance, both by making it likely they'll get caught and, once caught, that they'll suffer badly.

That's obviously not a comprehensive list, but it's exactly the same for protecting (for instance) the physical pounds, shillings and pence in a bank's vault as for the data in its databases. Implementing it involves lots of areas, not just one, and is a cultural thing, not a discrete topic.

I really wish we'd stop thinking of IT as a special case and inadvertently suspend common sense as a result.

Semper in excretia, sumus solum profundum variat (we are always in the muck; only the depth varies)
Jurriaan Themmen (SSC-Enthusiastic)
majorbloodnock (11/16/2007)

"Stultior quam anser, sed item vigilans" (more foolish than a goose, but just as watchful)
majorbloodnock (UDP Broadcaster)
Jurriaan Themmen (11/16/2007)
majorbloodnock (11/16/2007)

"Stultior quam anser, sed item vigilans"

[big grin]

I'm not going to pretend to be a Latin scholar, but I get the general idea....

Semper in excretia, sumus solum profundum variat
K. Brian Kelley (Keeper of the Duck, Moderators)
Jurriaan Themmen (11/16/2007)
1) "Lost or stolen device". Can't the industry come up with some kind of key-pair solution for this, like they have / had in PGP? The idea is that the mobile device can only be used in combination with registered hardware that holds part of the key combination. Surely something like this should be possible?


This doesn't work very well, either. Case in point: one organization secured their systems with RSA SecurID tokens. That's just a key fob with a 6-digit number that changes every minute. You add that 6-digit number to a 4-8 digit PIN you set and you've got a two-factor solution that's generally pretty solid. But you still want to keep the key fob separate from, say, the laptop, even though there is that PIN.

What did the organization's security folks find? A sales rep had bought one of those keychain rings and managed to thread the power cord of the laptop through it. On that keychain was, you guessed it, the SecurID token. What made it all the worse is that the sales rep had started spreading how to do this to other reps.

There's a picture of that somewhere on the Internet. But basically like you said, awareness is really the only answer. The catch is to hit enough where they are well informed but not so saturated they just tune anything new out.

K. Brian Kelley
@kbriankelley
K. Brian Kelley (Keeper of the Duck, Moderators)
majorbloodnock (11/16/2007)
Once again, I think this is an example of looking at the technology involved in a problem and then assuming it's a technological problem overall. I don't believe this is any different from any other form of theft, and the basic rules for policing that exist already should be applied here.


The basic rules do break down, however, because of the nature of how compromises can happen and the requirement to be able to use the data in the first place. Let me use some examples. If you've got this really nice necklace you may have a safe in your home that's bolted to the foundation or support beams such that a rogue would have to take apart the house to get at the safe. As far as you're concerned, there's only one necklace. Either you (if you are female) or your wife (if you are male) has it or it's in the safe. Only you or your wife have the combination to the safe. You've ensured your 12 year-old son does not, even if he does want to put his latest *insert artist here* CD in the safe to keep Johnny from down the street getting his grubby hands on it. Therefore, there are only two potential folks who can access the safe. Auditing isn't that hard at all.

But let's look at data. Your organization deals with sensitive information such as US Social Security Numbers or US Tax ID Numbers. You have a few dozen folks who must handle this data on a regular basis just to do their jobs. Their security allows them access to the data. And they may access data many, many times throughout the course of the day. The nature of their jobs means it's not unusual for several people to be accessing the same records, albeit for different reasons. Sure, you can audit the fact that all of this data access is occurring, but unless one particular worker is being foolish and making a lot more queries than normal, how exactly do your audit logs help you when you find your company has had a security breach and some of your customers have been victims of identity theft?

K. Brian Kelley
@kbriankelley
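The "access pattern matching" Stewart Joslyn suggests, run against exactly the situation K. Brian Kelley describes above (a few dozen clerks legitimately reading SSN records all day), as an added example that is not from this thread or any of its posters. The audit rows are constructed here; in a real deployment they would come from SQL Server Audit or a trigger-populated audit table. The detector baselines each principal against their own history and flags a day whose distinct-record count is far above it. Every principal name, threshold and field below is an assumption.

```python
# Added example (not from the thread): volume-baseline detection over a
# constructed database audit trail. Names, rates and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# One audit row = (principal, timestamp, customer_record_id): the principal
# read a customer record that carries an SSN.


def build_sample_log():
    """Constructed 30-day audit trail for four clerks (not real data).

    bob, carol and alice do steady work; alice bulk-reads 400 records on the
    last day; mallory reads six extra records every single day.
    """
    start = datetime(2007, 11, 1, 9, 0)
    base_rate = {"bob": 24, "carol": 30, "alice": 26, "mallory": 25}
    rows = []
    for day in range(30):
        for principal, base in base_rate.items():
            n = base + day % 3                  # mild day-to-day variation
            if principal == "mallory":
                n += 6                          # low and slow
            if principal == "alice" and day == 29:
                n = 400                         # one-off bulk pull
            for k in range(n):
                record_id = (day * 101 + k) % 5000   # distinct within a day
                ts = start + timedelta(days=day, minutes=k)
                rows.append((principal, ts, record_id))
    return rows


def daily_distinct_counts(rows):
    """Map (principal, day) -> number of distinct records read that day."""
    seen = defaultdict(set)
    for principal, ts, record_id in rows:
        seen[(principal, ts.date())].add(record_id)
    return {key: len(ids) for key, ids in seen.items()}


def flag_outliers(counts, z_threshold=3.0, min_history=7):
    """Return (principal, day, count, z) for days whose distinct-record count
    lies more than z_threshold standard deviations above that principal's
    other days. Each clerk is compared with their own history, so a busy
    clerk is not flagged merely for being busier than a colleague."""
    per_principal = defaultdict(dict)
    for (principal, day), n in counts.items():
        per_principal[principal][day] = n
    flags = []
    for principal, days in per_principal.items():
        for day, n in days.items():
            history = [v for d, v in days.items() if d != day]
            if len(history) < min_history:
                continue                        # not enough baseline yet
            mu, sigma = mean(history), pstdev(history)
            z = (n - mu) / (sigma if sigma > 0 else 1.0)
            if z > z_threshold:
                flags.append((principal, day, n, round(z, 1)))
    return sorted(flags)


def monthly_totals(counts):
    """Sum of daily distinct-record counts per principal."""
    totals = defaultdict(int)
    for (principal, _day), n in counts.items():
        totals[principal] += n
    return dict(totals)


if __name__ == "__main__":
    counts = daily_distinct_counts(build_sample_log())
    for principal, day, n, z in flag_outliers(counts):
        print(f"ALERT {principal} {day}: {n} distinct records (z={z})")
    for principal, total in sorted(monthly_totals(counts).items()):
        print(f"{principal:8s} {total:5d} record reads this month")
```

Run on the constructed log, the detector raises exactly one alert, alice's bulk pull, which is the "foolish" case the post above concedes audit logs do catch. mallory is never flagged: her monthly total (960 reads) is within a few percent of carol's legitimate 930, so a volume baseline alone cannot tell the slow exfiltrator from the busy clerk. That is the gap the post describes, and it is why a real deployment pairs the volume signal with others (time of day, reads of records with no matching work item, records later found in a breach) rather than relying on counts.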
Jurriaan Themmen (SSC-Enthusiastic)
I think scenario 2 would apply in the story you're sketching.

A sales rep who has the time to figure out how to circumvent security, simply doesn't have enough real work on his / her hands and / or is not focused on his / her job well enough.
That's a management problem. [whistling]