Finding a Balance


  • USB and portable devices can often be encrypted. The major HDD encryption vendors out there... Safeboot, Utimaco, PointSec, etc., all have products that do so automatically when inserted. However, they usually install a small loader app that if you know the password, you can decrypt. So this helps in the lost USB drive issue, but it doesn't do much in the malicious employee situation.

    This is a hard one because there are so many ways to circumvent the rules. You mentioned Bluetooth. One technology that often gets forgotten about is infrared. And it works. I've used infrared to transfer files back and forth between my laptop and mobile phone back when I still had a mobile phone. One of the things the military has done is go to diskless workstations in sensitive environments that don't have the USB ports, etc. I remember a friend of mine who worked on the B-2 project describing the setup. We see it nowadays advertised as thin client systems and the like. And it works... to a point.

    However, this is really only the tip of the iceberg. Blocking webmail sites is necessary. Ensuring access to sites like GotoMyPC.com isn't permitted is another necessity. And it still doesn't solve the issue of printing hardcopies of data and then taking that offsite and using a good scanner with OCR to recover the data. Nor does it address unconventional uses of technology such as Kaminsky's use of DNS to store media files.

    This is why security folks are walking around with that perpetual "Someone ran over my dog" look. There are so many ways to beat the system now that security is always playing catch up. It's also why security folks seem very unyielding when it comes to bending the rules for something. We've lost sleep at night considering some of the potential consequences.

    K. Brian Kelley
    @kbriankelley

  • There is no such thing as perfect security in any context, whether physical or data. All you can do is make it difficult for the less sophisticated bad guys. Then make sure that you at least can detect who has stolen / sabotaged what by having robust audit trails and alarms (e.g. access pattern matching).

  • 2 Scenarios.

    1) "Lost or stolen device". Can't the industry come up with some kind of key-pair solution for this, like they have / had in PGP? The idea is that the mobile device can only be used in combination with registered hardware that holds part of the key combination. Surely something like this should be possible?

    2) "Bad people or people gone bad". The best solution for this is good HR (don't hire bad people) and good management (don't let people go bad). Take good care of your people and they'll take good care of you. Spend time with your employees, give them attention and LISTEN to them. Chances are you'll pick up signals of anger and / or frustration at an early stage and you'll be able to do something about it.

    I think working on data security awareness and employee satisfaction is a far better investment than throwing more hardware and procedures at the problem.

  • Once again, I think this is an example of looking at the technology involved in a problem and then assuming it's a technological problem overall. I don't believe this is any different from any other form of theft, and the basic rules for policing that exist already should be applied here.

    If you've got something worth protecting, you put a lock on it. The more important, the bigger the lock.

    No matter how good your security, it has vulnerabilities, and you can't do anything after the fact if you don't know you've been hit. Therefore, monitor and audit.

    If you don't tell people something's wrong, they have a get-out clause. Therefore publicise the rules.

    If there's little personal risk involved, and the benefits are high, lots of people will have a go. Therefore redress the balance, both by making it likely they'll get caught and, once caught, that they'll suffer badly.

    That's obviously not a comprehensive list, but it's exactly the same for protecting (for instance) the physical pounds, shillings and pence in a bank's vault as for the data in its databases. Implementing it involves lots of areas, not just one, and is a cultural thing, not a discrete topic.

    I really wish we'd stop thinking of IT as a special case and inadvertently suspend common sense as a result.

    Semper in excretia, suus solum profundum variat

  • majorbloodnock (11/16/2007)


    "Stultior quam anser, sed item vigilans"

  • Jurriaan Themmen (11/16/2007)


    majorbloodnock (11/16/2007)


    "Stultior quam anser, sed item vigilans"

    😀

    I'm not going to pretend to be a Latin scholar, but I get the general idea....

    Semper in excretia, suus solum profundum variat

  • Jurriaan Themmen (11/16/2007)


    1) "Lost or stolen device". Can't the industry come up with some kind of key-pair solution for this, like they have / had in PGP? The idea is that the mobile device can only be used in combination with registered hardware that holds part of the key combination. Surely something like this should be possible?

    This doesn't work very well, either. Case in point, one organization secured their systems with the RSA SecurID tokens. That's just a key fob with a 6-digit number that changes every minute. You add that 6-digit number to a 4-8 digit PIN you set and you've got a two-factor solution that's generally pretty solid. But you still want to keep the key fob separate from, say, the laptop, even though there is that PIN.

    What did the organization's security folks find? A sales rep had bought one of those keychain rings and managed to thread the power cord of the laptop through it. On that keychain was, you guessed it, the SecurID token. What made it all the worse is that the sales rep had started spreading how to do this to other reps.

    There's a picture of that somewhere on the Internet. But basically like you said, awareness is really the only answer. The catch is to hit enough where they are well informed but not so saturated they just tune anything new out.

    K. Brian Kelley
    @kbriankelley
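    The two-factor scheme described above (a fob code that changes every minute, prefixed with a PIN the user memorises) as an added worked example; this is not code from the original thread. SecurID's own algorithm is proprietary, so this uses RFC 6238 TOTP (HMAC-SHA1, 60-second step) as a stand-in; the seed, PIN and timestamp are constructed for the demo. It shows why the fob on the laptop's power cord matters: the PIN alone, or a code more than a minute or two old, is rejected, but PIN plus a current code from the attached fob is accepted.

```python
"""Two-factor passcode check: user PIN followed by a 6-digit token code that
changes once a minute. Added example, not from the original posts; RFC 6238
TOTP is used as a stand-in for the proprietary SecurID algorithm, and the
seed, PIN and timestamps below are constructed."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60           # the fob's code changes once a minute
DIGITS = 6                  # 6-digit token code
VALID_WINDOWS = (-1, 0, 1)  # tolerate one step of clock drift either way

# Constructed per-user seed and PIN. The seed lives in the fob and on the
# auth server; the PIN lives only in the user's head (that's the second factor).
TOKEN_SEED = b"constructed-seed-for-demo-only"
USER_PIN = "4321"


def token_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Code the fob would display at unix_time (HOTP over the time counter)."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def verify_passcode(passcode: str, seed: bytes, pin: str, now: int) -> bool:
    """Check a submitted passcode (PIN + token code) for one user at time now."""
    if len(passcode) != len(pin) + DIGITS or not passcode.isdigit():
        return False
    submitted_pin, submitted_code = passcode[:len(pin)], passcode[len(pin):]
    # Constant-time compare so the PIN can't be guessed digit by digit via timing.
    if not hmac.compare_digest(submitted_pin, pin):
        return False
    for w in VALID_WINDOWS:
        expected = token_code(seed, now + w * STEP_SECONDS)
        if hmac.compare_digest(submitted_code, expected):
            return True
    return False


if __name__ == "__main__":
    now = 1_195_200_000  # constructed timestamp (08:00 UTC, 16 Nov 2007)
    code = token_code(TOKEN_SEED, now)
    print("fob shows:", code)
    print("PIN + current code:", verify_passcode(USER_PIN + code, TOKEN_SEED, USER_PIN, now))
    print("wrong PIN + current code:", verify_passcode("1234" + code, TOKEN_SEED, USER_PIN, now))
    print("code alone, no PIN:", verify_passcode(code, TOKEN_SEED, USER_PIN, now))
    print("PIN + ten-minute-old code:", verify_passcode(USER_PIN + code, TOKEN_SEED, USER_PIN, now + 600))
```

    A real deployment would also lock the account after a handful of failed attempts and refuse to accept the same code twice, since a six-digit code with a three-minute acceptance window is small enough to brute-force without rate limiting.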

  • majorbloodnock (11/16/2007)


    Once again, I think this is an example of looking at the technology involved in a problem and then assuming it's a technological problem overall. I don't believe this is any different from any other form of theft, and the basic rules for policing that exist already should be applied here.

    The basic rules do break down, however, because of the nature of how compromises can happen and the requirement to be able to use the data in the first place. Let me use some examples. If you've got this really nice necklace you may have a safe in your home that's bolted to the foundation or support beams such that a rogue would have to take apart the house to get at the safe. As far as you're concerned, there's only one necklace. Either you (if you are female) or your wife (if you are male) has it or it's in the safe. Only you or your wife have the combination to the safe. You've ensured your 12 year-old son does not, even if he does want to put his latest *insert artist here* CD in the safe to keep Johnny from down the street getting his grubby hands on it. Therefore, there are only two potential folks who can access the safe. Auditing isn't that hard at all.

    But let's look at data. Your organization deals with sensitive information such as US Social Security Numbers or US Tax ID Numbers. You have a few dozen folks who must handle this data on a regular basis just to do their jobs. Their security allows them access to the data. And they may access data many, many times throughout the course of the day. The nature of their jobs means it's not unusual for several people to be accessing the same records, albeit for different reasons. Sure, you can audit the fact that all of this data access is occurring, but unless one particular worker is being foolish and making a lot more queries than normal, how exactly do your audit logs help you when you find your company has had a security breach and some of your customers have been victims of identity theft?

    K. Brian Kelley
    @kbriankelley
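    The "access pattern matching" alarms mentioned earlier in the thread, and the "a lot more queries than normal" case in the post above, as an added worked example (not code from the original posts). It runs two checks over a record-access audit log: per-user read volume against the peer median, and runs of consecutive record ids, which look like a scripted table walk rather than case-by-case work. The log format (timestamp, user, record id, action) and the sample lines it generates are constructed; a real deployment would feed the same functions from the database's own audit table.

```python
"""Two audit-trail alarms over a record-access log. Added example, not from
the original thread; the log format and sample data are constructed."""
import random
from collections import Counter, defaultdict
from statistics import median


def build_sample_log(seed: int = 7) -> str:
    """Constructed log: 12 clerks with ordinary volume, one bulk reader
    ('mallory'), one user walking record ids in order ('trent')."""
    rng = random.Random(seed)
    lines = []

    def emit(user: str, rec: int, minute: int) -> None:
        hh, mm = 9 + minute // 60, minute % 60
        lines.append(f"2007-11-16T{hh:02d}:{mm:02d}:00 {user} {rec} read")

    for i in range(12):                         # normal case-by-case work
        for _ in range(rng.randint(15, 40)):
            emit(f"clerk{i:02d}", rng.randint(10000, 19999), rng.randint(0, 479))
    for _ in range(400):                        # far more reads than any peer
        emit("mallory", rng.randint(10000, 19999), rng.randint(0, 479))
    for k in range(150):                        # sequential sweep, one a minute
        emit("trent", 15000 + k, 60 + k)
    lines.sort()                                # audit logs are time-ordered
    return "\n".join(lines) + "\n"


def parse_log(text: str):
    """Parse 'timestamp user record_id action' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, rec, action = line.split()
        events.append((ts, user, int(rec), action))
    return events


def volume_outliers(events, factor: float = 3.0):
    """Users whose read count exceeds factor x the median count across users.
    Peers doing the same job are the baseline, so a role with legitimately
    heavy access doesn't trip the alarm on its own."""
    counts = Counter(user for _, user, _, action in events if action == "read")
    baseline = median(counts.values())
    return {u: n for u, n in counts.items() if n > factor * baseline}


def sequential_sweeps(events, min_run: int = 20):
    """Users who read at least min_run consecutive record ids in time order.
    Humans look records up by case; scripts walk the primary key."""
    by_user = defaultdict(list)
    for _, user, rec, action in sorted(events):
        if action == "read":
            by_user[user].append(rec)
    flagged = {}
    for user, recs in by_user.items():
        run = best = 1
        for prev, cur in zip(recs, recs[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    print("volume outliers (user: reads):", volume_outliers(events))
    print("sequential sweeps (user: longest run):", sequential_sweeps(events))
```

    Neither check catches the worker who copies a normal day's worth of records at a normal pace, which is the post's point; what they do give you is a short list of accounts to look at first when the breach is discovered, instead of a few dozen equally plausible suspects.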

  • I think scenario 2 would apply in the story you're sketching.

    A sales rep who has the time to figure out how to circumvent security, simply doesn't have enough real work on his / her hands and / or is not focused on his / her job well enough.

    That's a management problem.

  • This may sound a little draconian to some, but I work for a major broker dealer and given the risks of some of the data getting out (we have SSNs and people's info easily available to many employees), I don't understand why more enterprises don't utilize thin clients in a greater way. Thin clients that have very limited desktop hardware are completely adequate for most users and you should be able to eliminate the USB ports, disk drives, etc. that pose the biggest risk.

    I know it would not make sense for all employees because some employees would need a full workstation for various reasons, but for a lot of employees it would and that would at least reduce the attack surface greatly.

  • I think we're still technology fixated - you don't need a pen drive or any other IT hardware to steal a few social security numbers or bank details - a pencil and paper works perfectly well if you have any access to the data at all. Not a high volume solution but that won't make the victim - or the regulator - any happier.

  • Stewart Joslyn (11/16/2007)


    I think we're still technology fixated - you don't need a pen drive or any other IT hardware to steal a few social security numbers or bank details - a pencil and paper works perfectly well if you have any access to the data at all. Not a high volume solution but that won't make the victim - or the regulator - any happier.

    Exactly. A Cold War spy listening in to conversations in bugged offices was stealing information just as much as anyone who's siphoning off data from a database. Monitoring in the latter case isn't easy, any more than finding all the bugs in all the offices in the Cold War was easy, but as someone involved in minimising security threats, you do your best. Doing nothing because it's difficult is just not an option.

    @Brian, I hold by my original statement. This isn't a technological problem; it's only the solution's implementation that's technologically based. What you're trying to achieve is as old as the hills, and it's only the tools used that have changed.

    Semper in excretia, suus solum profundum variat

  • majorbloodnock (11/16/2007)


    @Brian, I hold by my original statement. This isn't a technological problem; it's only the solution's implementation that's technologically based. What you're trying to achieve is as old as the hills, and it's only the tools used that have changed.

    I agree wholeheartedly with that. Now if the auditors would figure that one, we'd be a lot closer to actually resolving some of the issues.

    K. Brian Kelley
    @kbriankelley

  • Stewart Joslyn (11/16/2007)


    I think we're still technology fixated - you don't need a pen drive or any other IT hardware to steal a few social security numbers or bank details - a pencil and paper works perfectly well if you have any access to the data at all. Not a high volume solution but that won't make the victim - or the regulator - any happier.

    While I agree with this point, I think the point of the editorial is that technology has made it easier to steal data. I can get thousands of SSNs in under a second with a thumb drive and only one in the same amount of time using pen and paper.

    It really is a people issue, but there are unethical people out there in every industry so you have to do your best to slow them down.

    I have often thought that thumb drives should be blocked where I have worked. I worked as a contractor at a student loan provider last summer and I could walk in with a thumb drive and have all kinds of personal information. Didn't seem right then and doesn't seem right now.

Viewing 15 posts - 1 through 15 (of 45 total)
