Finding a Balance

Samuel Clough
SSC Journeyman

Group: General Forum Members
Points: 75 Visits: 108
This may sound a little draconian to some, but I work for a major broker dealer and given the risks of some of the data getting out (we have ssn#s and people's info easily available to many employees), I don't understand why more enterprises don't utilize thin clients in a greater way. Thin clients that have very limited desktop hardware are completely adequate for most users and you should be able to eliminate the usb ports, disk drives, etc that pose the biggest risk.

I know it would not make sense for all employees because some employees would need a full workstation for various reasons, but for a lot of employees it would and that would at least reduce the attack surface greatly.
Stewart Joslyn
Ten Centuries

Group: General Forum Members
Points: 1233 Visits: 188
I think we're still technology fixated - you don't need a pen drive or any other IT hardware to steal a few social security numbers or bank details - a pencil and paper works perfectly well if you have any access to the data at all. Not a high volume solution but that won't make the victim - or the regulator - any happier.



majorbloodnock
SSCrazy

Group: General Forum Members
Points: 2429 Visits: 3064
Stewart Joslyn (11/16/2007)
I think we're still technology fixated - you don't need a pen drive or any other IT hardware to steal a few social security numbers or bank details - a pencil and paper works perfectly well if you have any access to the data at all. Not a high volume solution but that won't make the victim - or the regulator - any happier.


Exactly. A Cold War spy listening in to conversations in bugged offices was stealing information just as much as anyone who's siphoning off data from a database. Monitoring in the latter case isn't easy, any more than finding all the bugs in all the offices in the Cold War was easy, but as someone involved in minimising security threats, you do your best. Doing nothing because it's difficult is just not an option.

@Brian, I hold by my original statement. This isn't a technological problem; it's only the solution's implementation that's technologically based. What you're trying to achieve is as old as the hills, and it's only the tools used that have changed.

Semper in excretia, sumus solum profundum variat
K. Brian Kelley
Keeper of the Duck

Group: Moderators
Points: 23946 Visits: 1917
majorbloodnock (11/16/2007)
@Brian, I hold by my original statement. This isn't a technological problem; it's only the solution's implementation that's technologically based. What you're trying to achieve is as old as the hills, and it's only the tools used that have changed.


I agree wholeheartedly with that. Now if the auditors would figure that one, we'd be a lot closer to actually resolving some of the issues.

K. Brian Kelley
@kbriankelley
Jack Corbett
SSC-Forever

Group: General Forum Members
Points: 42839 Visits: 14925
Stewart Joslyn (11/16/2007)
I think we're still technology fixated - you don't need a pen drive or any other IT hardware to steal a few social security numbers or bank details - a pencil and paper works perfectly well if you have any access to the data at all. Not a high volume solution but that won't make the victim - or the regulator - any happier.


While I agree with this point, I think the point of the editorial is that technology has made it easier to steal data. I can get 1000's of SSN's in under a second with a thumb drive and only 1 in the same amount of time using pen and paper.

It really is a people issue, but there are unethical people out there in every industry so you have to do your best to slow them down.

I have often thought that thumb drives should be blocked where I have worked. I worked as a contractor at a student loan provider last summer and I could walk in with a thumb drive and have all kinds of personal information. Didn't seem right then and doesn't seem right now.



Jack Corbett

Applications Developer

Don't let the good be the enemy of the best. -- Paul Fleming
At best you can say that one job may be more secure than another, but total job security is an illusion. -- Rod at work

Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
How to Post Performance Problems
Crosstabs and Pivots or How to turn rows into columns Part 1
Crosstabs and Pivots or How to turn rows into columns Part 2
majorbloodnock
SSCrazy

Group: General Forum Members
Points: 2429 Visits: 3064
@Brian - Thanks. Good to find the common ground again.

@Jack - I know what you mean. Unfortunately, the editorial asked, "should we ban personal storage devices from the workplace?". The answer should be, "it depends". An editorial based around "how aware are you of the security concerns that personal storage devices raise?" could be enlightening, but asking a yes/no question like this implied that the editorial was starting from a (as has been mentioned before) technology-fixated standpoint.

Semper in excretia, sumus solum profundum variat
jay-h
Hall of Fame

Group: General Forum Members
Points: 3675 Visits: 2375
Attempting to ban devices is futile at best and likely psychologically counterproductive.

Anyone with evil intent can easily smuggle devices in. However the fact that such rules would affect people's legitimate and (when properly used) harmless products like iPods, phones, etc. will undoubtedly build a wall of resentment, and perhaps a culture of rule violation (everyone knows everyone else is doing it.. and everyone feels it's justified).

There is no foolproof answer, but the key is in the traditional means of HR and management policies (prevention of embezzlement is a similar problem, and there is much experience at handling it) and with securing access to data (including locked USB ports on many machines).

People are not machines. They do not work well when locked down. They are not loyal when locked down. Where people are treated as responsible adults (including encouraged to take personal responsibility to help protect the company's data) you have much more success in spotting the troublesome individuals.

...

-- FORTRAN manual for Xerox Computers --
K. Brian Kelley
Keeper of the Duck

Group: Moderators
Points: 23946 Visits: 1917
Jack Corbett (11/16/2007)
While I agree with this point, I think the point of the editorial is that technology has made it easier to steal data. I can get 1000's of SSN's in under a second with a thumb drive and only 1 in the same amount of time using pen and paper.

It really is a people issue, but there are unethical people out there in every industry so you have to do your best to slow them down.


I have mixed feelings about thumb drives because I really don't know how much of an improvement that will be. Unless you purposely go after infrared and bluetooth, you haven't done yourself a whole lot of good. And as soon as you go after bluetooth, you limit some of the wireless keyboard and mouse combos which we see in use. That means you're back to USBs meaning now you've got to stay a step ahead on the portable devices. Not exactly fun.

Also, the tried and true method of generating a print out and then taking that out with your other papers will still work. And as good as some of the OCRs are nowadays, it's a trivial exploit.

Technology can only help somewhat. You are right, and others who have posted here are, too, in that this is a people problem. Good hiring policies, good awareness policies and proper training, engendering a sense of loyalty to the organization (which means the organization has to show loyalty and treat employees with dignity and respect) all come into play in order to try and reduce the threat.

K. Brian Kelley
@kbriankelley
Rudyx - the Doctor
SSChampion

Group: General Forum Members
Points: 10580 Visits: 2503
Locks only keep honest people out.

Regards
Rudy Komacsar
Senior Database Administrator

"Ave Caesar! - Morituri te salutamus."
K. Brian Kelley
Keeper of the Duck

Group: Moderators
Points: 23946 Visits: 1917
rudy komacsar (11/16/2007)
Locks only keep honest people out.


No, they keep out the curious and in the case of an attacker who is looking for easy prey, they keep those guys away, too (who will go and find easy pickin's somewhere else). They won't keep out a knowledgeable attacker who is making a concerted effort to get in.

K. Brian Kelley
@kbriankelley