Steps To Protect Oneself From Corporate Espionage?
rhizome asks: "Our CIO had his laptop, along with all media (CDRs and floppies) stolen from his desk last night. Being that there were several other laptops out in the open, it would seem that the thieves knew what they were looking for. Our company enjoys a unique position in our market, and there has been interest by other, larger, companies in absorbing our role. The numbers are adding up nicely, to say the least. Beyond calling the police, who may just take down enough information for our insurance company to replace the hardware, what can be done? How have others dealt with this situation?"
Encryption is the best bet for keeping sensitive information on anything that can be picked up and carried out of a secure location (this includes handhelds). If such precautions can't be performed on a specific piece of hardware, then said hardware shouldn't be used for sensitive information. What other precautions should corporations put in place to protect their data?
Yes, I was thinking that the computer wasn't stolen; it just up and left, wanting to be free and all.
Sure, the hardware is a real monetary loss, but as for the corporate info, isn't this what all of us Napster supporters are for? Freedom to acquire others' information without consent or cost.
(using sarcasm, of course)
-----
D. Fischer
ShoutingMan.com
Have all the sensitive data be saved by employees on network drives, that should greatly reduce physical data theft, but makes electronic data theft easier.
Use the international kernel patch to get encrypted filesystems, www.kerneli.org
Or use Sentry program if you have Windows.
Thanks
Gaz
Absolute Software makes such a product. It periodically polls the company's servers with location data (like the phone number you are calling out to the Internet with, or your IP settings). It will even stealthily call out by itself to the Absolute servers by a 1-800 number even if you are not connected! Call-blocking, etc, is all covered, the software will get your phone number.
So when your laptop is stolen, you just contact the company and it will monitor the location of the laptop the next time it is hooked up, contact the cops, etc. A lot of corporations have used this, with recovery success. And the kicker is, the software is installed such that even if you reformat the hard drive, it still works! I don't know how this works but it does.
Check it out.
I take my laptop into the bathroom with me. And it's handcuffed to me, so you just can't grab it.
.sigs??
Seriously, I think everything should be password protected and encrypted (32-bit+ encryption). Especially if it is sensitive info. That's the best you can do.
Being careful is all about paying attention to what you do. Is it imperative you burn sensitive info to a CD?? Stuff like that...
-- Don't you hate it when people comment on other people's
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Some good thoughts. Here are a few others, based on my own inner demons.
The notion behind these thoughts is to establish that the concepts and ideas were generated from within the company, before any possible implementation date by the thieves. If it comes to it, you may have a leg to stand on if you identify the party responsible and pursue legal action. Since this could occur *after* they take a product to market using your ideas, this will help show that you generated them earlier.
- First & foremost: talk to your IP legal counsel and ask how to document IP retroactively for information that isn't properly documented, dated, etc.
- After determining what info was stolen, make sure you have current documentation and/or duplicates of it.
- If not already done, write up the information in a proper lab book, dated, signed by author and knowledgeable witness.
- Possibly place copies in sealed envelopes with dated forms notarized by lawyer.
- If you have working, but non-public, implementations then photograph (if hardware) or print and date code (if software), etc.
- Perhaps now is the time to file that patent.
- Talk to professional contacts!!! You may have a colleague at the (presumably) offending company who knows about the theft and is willing to provide information. I don't know if it would be considered bribery, but since whistle-blowing can be hazardous to one's career (despite protectionary laws), possibly make an opening in your company as a safety net if someone comes forward and subsequently loses their job.
IANMOA (I am not much of anything), but documentation is always good, even after the fact; and most people view corporate theft as slimy and would rather not be part of it. Use that to your advantage.
-----
D. Fischer
ShoutingMan.com
This accomplishes nothing whatsoever for infosec -- it's just IT masturbation. Why? If your network is not encrypted, any idiot can be hired to attach a network sniffer and recover it later. Or not recover it, if your firewall allows enough packets through, and most practical firewalls do. And you'll never know unless you're running a network traffic analyzer and conscientiously attending to its logs. It doesn't prevent any idiot from pointing a tiny video camera at a monitor, or planting a microphone in the executive conference room. It doesn't prevent printouts from being dumpster-dived (-dove?). It doesn't check whether client hosts are trustable (think Back Orifice, recording keyboards, TV-transmitter monitors, Trojan executables/OSes, et cetera ad nauseam). It doesn't keep yahoos from faxing trade secrets to unknown destinations. It doesn't keep applications from writing local temporary files, nor OSes from paging things out to local hard drives.
Your approach is like having all the cowboys mend a small hole in the fence, while the gate stands open. It wastes their time, and the cows get out anyway. Guarding the doors and cultivating a security-conscious culture has a much better payback.
-- ;-)
Kuro5hin.org: where the good times never end.
Actually a few laptops have been recovered this way through the distributed.net client... which can run silently in the background.
It reports back to servers throughout the world on a regular basis.... without user interaction (normally).
Another way is to place a "backdoor" that uses STRONG encryption, and connects to a remote server (at your company). Like sshd... only REVERSED... sshd that establishes a connection to the outside system... allowing that outside system to gain shell access. (I saw something like this on the _new_ packetstorm recently)
Good luck on recovery.... Usually doing a "backdoor" is better, cause you can login and move information from your stolen system back inside your network.... and then trash the laptop (and then pursue the criminal).
Ever need an online dictionary?
How does one get into industrial espionage as a career path? It sounds like a fascinating line of work; I wonder how one gets involved. I mean, you never see classified ads for industrial spies.
--G
I know this doesn't entirely fix the problem, but I was thinking about this last night. My solution is more "how do I figure out who did this?" and less "how do I prevent this data from being stolen in the first place?"
I set my homepage on Netscape on my PowerBook to my website with a URL that grabs my IP and logs it to a file on my site. I've never had a "homepage" before, and I feel a little stupid using it.
The result is that if somebody were to take my laptop and use the browser on it, I'd have their IP, therefore their ISP, and therefore their identity, or something very close to it.
Like I said, it doesn't prevent the information from being stolen (though I don't think that's possible -- somebody with your computer has all the time that they like to crack your encryption), but it is a possibly useful method of capturing the thief.
-Waldo
I don't even remember the impetus for doing so, but the person who stole it was foolish enough to change the laptop's network settings and actually connect it up to the net again. When server logs start showing someone checking my mail from outside of the company as well as some other network monitoring tools I use kicking in, it doesn't take too long to track them down. The police had a field day with that one, to say the least. The laptop didn't have anything on it of too much importance and wasn't really worth encrypting, but it's a nice two grand to have dropped back into your lap. Needless to say, greater precautions were taken after that.
Interested in open source engine management for your Subaru?
Secondly, consider a desktop firewall. Consider a CEO that is on an Ethernet switch along with other employees on the same switched backbone. There is probably zero chance that remote exploits against the desktop will ever be monitored. Many companies put armor around servers but leave such desktops wide-open. An amazing number of corporate desktops have File and Print Sharing enabled or can easily be compromised by a Trojan.
Finally, I also "honeypot" my system. This is a little esoteric, but I've configured Outlook to check a number of e-mail accounts. One of those accounts I've saved the password in the registry and it goes off to check a POP account on a special system. That system is triggered to notify me when anybody but me logs in to read mail. (The password is saved in exactly a location that many Trojans will look for). This is a little esoteric for most people, though.
(Disclaimer: the company I work for makes a popular remotely-managed desktop firewall/IDS combo).
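The two detections described in the comments above (a stolen laptop checking mail from outside the company, and a decoy POP account that notifies its owner when anyone else logs in), sketched as an added example that is not part of any poster's comment. The log line format, the corporate address ranges, the decoy account name `exec-archive` and its owner's host are all assumptions, and the sample log is constructed.

```python
import ipaddress
import re

# Assumptions (not from the thread): the corporate ranges, the decoy account
# name, the one host its owner polls it from, and the log line format.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.0.2.0/24")]
CANARY_ACCOUNTS = {"exec-archive": {ipaddress.ip_address("10.1.4.20")}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pop3-login: user=<(?P<user>[^>]*)> "
    r"rip=(?P<rip>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
2000-10-02T08:59:10 pop3-login: user=<alice> rip=10.1.7.33 result=ok
2000-10-02T09:00:02 pop3-login: user=<exec-archive> rip=10.1.4.20 result=ok
2000-10-03T02:41:55 pop3-login: user=<cio> rip=203.0.113.45 result=ok
2000-10-03T02:44:19 pop3-login: user=<exec-archive> rip=203.0.113.45 result=ok
2000-10-03T02:45:01 pop3-login: user=<exec-archive> rip=10.1.9.8 result=fail
2000-10-03T02:46:00 garbage line the parser should skip
2000-10-03T02:47:12 pop3-login: user=<bob> rip=not-an-ip result=ok
"""


def is_internal(addr):
    """True if the address falls inside any corporate range."""
    return any(addr in net for net in CORPORATE_NETS)


def classify(line):
    """Return (severity, reason, fields) for a suspicious line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a login record
    fields = m.groupdict()
    try:
        addr = ipaddress.ip_address(fields["rip"])
    except ValueError:
        return ("review", "unparseable source address", fields)
    user = fields["user"]
    if user in CANARY_ACCOUNTS and addr not in CANARY_ACCOUNTS[user]:
        # Failed attempts count too: nobody else should know the account exists.
        return ("high", "decoy account touched from unexpected host", fields)
    if fields["result"] == "ok" and not is_internal(addr):
        return ("medium", "successful login from outside corporate ranges", fields)
    return None


def scan(log_text):
    """Classify every line and return the alerts in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for severity, reason, f in scan(SAMPLE_LOG):
        print(f"[{severity}] {f['ts']} user={f['user']} from {f['rip']}: {reason}")
```

The decoy rule fires on internal sources as well, since a compromised desktop on the same switch is exactly the case the comment is worried about.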
that's the question you should be asking. I work for a major corporation, and our building is locked down, and I mean tight. Naturally, you have to have your badge displayed at all times, and you need a key card to enter the building. Security is always walking around, and most employees are good about asking someone who is not displaying a badge who they are looking for.
At other buildings in this company I work for every door has a security officer. That's right, every...single...door. And the only way to enter that door is to have a key card or to have the security guard buzz you in. And the security guard will only buzz you in if someone with a valid company ID can vouch for you.
There are security personnel in our buildings 24/7. Even with this there is a clean desk policy in place, and all employees are required to lock everything up if they are away from their desk for more than 2 hours. All employees are also required to have two passwords on their machines, boot-level and system level. You may scoff at these 'rules' and say that no one follows them, but the majority of people do. It's the double edged sword of a bureaucracy, you have to follow the process if you want to do anything, but if you want to do something there is a set process for you to follow.
Moller
Well, seems to me any suggestion as to encryption has to meet the following standards:
1. it must be easy to use - because otherwise the PHBs won't use it.
2. it must prevent swapping to disk - because otherwise, you can encrypt all you like, but the data is still fairly easy to recover.
3. it must be fairly quick - because otherwise the PHBs won't use it.
Frequently, CIOs make a policy statement and get the managers to enforce it, but avoid the security and encryption protocols themselves and allow the managers to avoid it too. Which makes it an annoyance for those who actually follow it, while protecting nothing.
In my training (used to have a Secret Clearance), I learned that Confidential material or even unclassified material, gathered in reports and summaries, can have a higher rating. Cost center budgets for one cost center usually don't tell you much, but a spreadsheet of cost centers for the entire corporation tells you a lot, especially with historical data as might be found on a manager's report.
--- Will in Seattle - What are you doing to fight the War?
The Rainbow Mykotronx FORTEZZA Crypto Card implements cutting-edge cryptographic security and authentication methods in a PCMCIA hardware token for Government and commercial applications. Self-contained, standardized, and easily integrated, the Card provides the ultimate in portable security, together with on-board storage of user credentials, keys, and digital certificates.
Fully FORTEZZA compliant, the card incorporates the National Security Agency-certified CAPSTONE RISC-based cryptographic processor. It is the hardware crypto token chosen to secure the Defense Messaging System (DMS).
More info on the card we're looking at can be found here. (IANAF - I am not a flack).
Securing your data is not something you achieve by using a few buzzword technologies. ... It's very important to create an awareness with everybody on how to deal with information.
... but determining who has access to which offices at what times... ( key-cards that open the door, cameras in the hallway, ... ) ...
The technology is just a means to help you implement the security policy, it's not the wondrous tool that relieves you from your security worries.
Security is not just a job for IS/IT-departments, it's something that is achieved throughout the entire company. You need to get well written procedures, dealing with every aspect of security. From securing your hard drives with encryption, to making sure there's a decent lock on your server room, and to making sure people don't just leave their cd-roms and disks floating around
In this case the notebook was stolen from someone's desk, this proves that in your security policy, you not only need to include encryption, firewalling, logging,
First, put everything on the network. (You can force this to happen on ANY operating system that you might be running. If you can't, you are running the wrong OS) Disable the floppies on every machine. Then lock the BIOS. (Getting ready to do this myself). Then, lock up the network drives. Steel door with dead-bolts.
Then lock down the servers. Lock them to each other, and lock them to a stud in the wall (you're not secure unless you get drywall dust on you).
Put a security cam in the server room, and probably in the chief's office.
Use a cable lock to lock the laptops to a desk. Better still: since he didn't take it home, he doesn't need a laptop. Make him use a desktop. Lock that to the desk.
Encrypt drives. You can do this in WinXX and Linux (and probably mac and everything else). There are also products for Windows that will call a specified site or phone number if plugged into a modem or 'net connection.
Register the hardware when you buy it. If the drives are encrypted or otherwise won't boot, criminals will often take them to white box shops to get them 'fixed'. Most shops will call the maker (in the case of some Dells, they HAVE to call them, depending on what is broken) and then it can be tracked. Oh, yeah, call the laptop manufacturer and let them know it was stolen.
Finally, if you can patent/trademark it, do it. If all of the above fails, you need to have 'first dibs'.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
If you implement a boot password, it's permanent. You can change the password, but you cannot power up the machine without it.
And forget about flashing the BIOS, clearing the CMOS or any other means of bypassing it. The only way is to replace both the motherboard and HDD. The M/B also stores some info on the HDD, so it can't be used in another laptop.
If you want to get another M/B, you have to give the serial # of the machine. If it's reported stolen to IBM, it will be forwarded to the authorities. If you try to re-use the drive, no-go. In short, brick wall.
But never lose your power on password!!
"History doesn't repeat itself, but it does rhyme." Mark Twain
The tone of the responses seemed to be directed at preventing something like this from happening again, but the question was directed at dealing with the situation as it exists, namely:
Someone has sensitive data, and that someone may well be the competition.
First off, make sure you know exactly what was on the media which was stolen. If possible, grill the CIO and make sure you can identify as much of the data as possible. If it's confidential, and this data begins to appear elsewhere, then you'll have a pretty good clue who took it.
Second, assume that the company which can do you the most possible damage has your information. At this point, you need to develop a strategy to counter their use of this information. It may be something as simple as changing any password you think they may have gotten (or, to be safe, every single one of them), to doing things like changing your business plan and internal strategies. The competition now knows many of your most intimate intimates, and you have to make sure that they can't use them well at all.
The next thing is to look over your security. Data security and site security can be approached at the same time. The suggestions posted here (encryption, secured servers to house data, etc) are all excellent. Confer with a security consultant, preferably one who has experience working with the Federal Government, which, in most cases, has some of the tightest security around. A security consultant can do both data and physical security.
For site security, you're going to have to do things like replacing door locks with more secure models (or with electronic card locks, if you want to spend the money) and replacing doors and door jambs with more sturdy material (i.e. something that can't easily be kicked in). Make sure, if you have a drop ceiling, that the tiles can't be lifted up, which might let someone just climb up and over the door, through the ceiling (yeah, I've seen it happen...). Other than that, hip everyone who works there about security...the small things that everyone can do to make sure their information and offices are secure.
-Jimmie
Starting from encryption is not the best way to secure information. Personally I think that the first measure of security is time. Sincerely I consider that this is mostly the only measure of real security.
Do you have a confidential agreement to be signed tomorrow? Hold it in a place that does not give a chance to anyone to see it before being signed.
Do you have a highly confidential database? Calculate the potential of a break-in and for how long the base should be confidential until you process countermeasures.
Never consider information "eternally" confidential. There is no such thing in Nature.
Maybe people will never know 100% what you know. But surely they will get something out of you. Your problem is to qualify information, and secure it in the proper way. Some information is needed to use in the laptop, but you don't need the whole client database on it. It's better to lose two contracts than to have all your company naked in front of the concurrency.
Encryption is good. But encryption can be broken. In fact encryption should only be considered as an element that "delays" access to information but it does not secure it forever. The stronger the encryption the longer it will take to break it. But, there is a big "BUT" here.
The most fundamental of all is that, no matter what you do with information, the time X is not broken. Several people use to encrypt their E-mails, documents, filesystems, but they forget that still there is memory, EM emissions, swap files. Especially I noted that many people forget to look over their shoulders when dealing with information. Someone is typing his "honey123" password and you are standing back and looking.
Let's see. You put your company's soul into a little box. It's really important stuff, and you don't want the bad guys to get it. So, what's a good place to store it?
A) Stick it right dead center on the desk of one of the fanciest offices in the building, which is clearly marked on the door as "Guy Who Has Great Information to Steal".
B) Get a good, solid safe, bolt it into the building, and keep your treasured secrets in it.
This isn't a technological problem. As far as laptops go, sure, good crypto can help you, but not all sensitive data lives on a laptop. You need a plan to deal with data - generically - to protect it.
If your data is really valuable, here are some more tips off the top of my mind:
Good solid locks on the doors of the office
Security cameras monitoring the areas where sensitive information lives
A night-shift security guard. (Is it worth $35k/year to have a guy camp your building at night, to save this lifeblood of your company from being stolen?)
It's just common sense, guys. You don't need whiz-bang software to fix this problem.
--Kai
--slashsuckATvegaDOTfurDOTcom
Most rent-a-cops get near minimum wage. How motivated do you think they are?
Furthermore, doing the same thing all the time numbs one to exceptions. If one out of ten visitors needs some kind of personal attention, the guards would be much more alert in general. When days on end go by with nothing to break the monotony, they get complacent, and it doesn't take much to fool them.
You yourself say "You may scoff at these 'rules' and say that no one follows them, but the majority of people do."
Security isn't a democracy; majority does *not* rule. It only takes one crook getting by to steal that laptop.
--
Infuriate left and right
What about an AM radio burst system? Or something that uses a small amount of power?
But I digress. It could be possible to have a smart card reader installed as a means of accessing your laptop to read and decode a magnetic strip. Or maybe a cuecat.
Respond to s