Slashdot Mirror
Steps To Protect Oneself From Corporate Espionage?
rhizome asks: "Our CIO had his laptop, along with all media (CDRs and floppies) stolen from his desk last night. Being that there were several other laptops out in the open, it would seem that the thieves knew what they were looking for. Our company enjoys a unique position in our market, and there has been interest by other, larger, companies in absorbing our role. The numbers are adding up nicely, to say the least. Beyond calling the police, who may just take down enough information for our insurance company to replace the hardware, what can be done? How have others dealt with this situation?" Encryption is the best bet for keeping sensitive information on anything that can be picked up and carried out of a secure location (this includes handhelds). If such precautions can't be performed on a specific piece of hardware, then said hardware shouldn't be used for sensitive information. What other precautions should corporations put in place to protect their data?
Have all the sensitive data be saved by employees on network drives, that should greatly reduce physical data theft, but makes electronic data theft easier.
I don't even remember the impetus for doing so, but the person who stole it was foolish enough to change the laptop's network settings and actually connect it up to the net again. When server logs start showing someone checking my mail from outside of the company as well as some other network monitoring tools I use kicking in, it doesn't take too long to track them down. The police had a field day with that one, to say the least. The laptop didn't have anything on it of too much importance and wasn't really worth encrypting, but it's a nice two grand to have dropped back into your lap. Needless to say, greater precautions were taken after that.
Interested in open source engine management for your Subaru?
that's the question you should be asking. I work for a major corporation, and our building is locked down, and I mean tight. Naturally, you have to have your badge displayed at all times, and you need a key card to enter the building. Security is always walking around, and most employees are good about asking someone who is not displaying a badge who they are looking for.
At other buildings in this company I work for every door has a security officer. That's right, every...single...door. And the only way to enter that door is to have a key card or to have the security guard buzz you in. And the security guard will only buzz you in if someone with a valid company ID can vouch for you.
There are security personnel in our buildings 24/7. Even with this there is a clean desk policy in place, and all employees are required to lock everything up if they are away from their desk for more than 2 hours. All employees are also required to have two passwords on their machines, boot-level and system level. You may scoff at these 'rules' and say that no one follows them, but the majority of people do. It's the double edged sword of a bureacracy, you have to follow the process if you want to do anything, but if you want to do something there is a set process for you to follow.
Moller
The Rainbow Mykotronx FORTEZZA Crypto Card implements cutting-edge cryptographic security and authentication methods in a PCMCIA hardware token for Government and commercial applications. Self-contained, standardized, and easily integrated, the Card provides the ultimate in portable security, together with on-board storage of user credentials, keys, and digital certificates.
Fully FORTEZZA compliant, the card incorporates the National Security Agency-certified CAPSTONE RISC-based cryptographic processor. It is the hardware crypto token chosen to secure the Defense Messaging System (DMS).
More info on the card we're looking at can be found here. (IANAF - I am not a flack).
Securing your data is not something you achieve by using a few buzzword technologies. ... It`s very important to create an awareness with everybody on how to deal with information.
... but determing who has access to which offices at what times... ( key-cards that open the door, cameras in the hallway, ... ) ...
The technology is just a mean to help you implement the security policy, it`s not the wonderous tool that relieves you from your security worries.
Security is not just a job for IS/IT-departments, it`s something that is achieved troughout the entire company. You need to get well written procedures, dealing with every aspect of security. From securing your hard drives with encryption, to making sure there`s a decent lock on your server room, and to making sure people don`t just leave there cd-roms and disks floating around
In this case the notebook was stolen from someones desk, this proves that in your security policy, you not only need to include encryption, firewalling, logging,
If you implement a boot password, it's permanant. You can change the password, but you cannot power up the machine without it.
And forget about flashing the BIOS, clearing the CMOS or any other means of bypassing it. The only way is to replace both the motherboard and HDD. The M/B also stores some info on the HDD, so it can't be used in another laptop.
If you want to get another M/B, you have to give the serial # of the machine. If it's reported stolen to IBM, it will be forewarded to the authorities. If you try to re-use the drive, no-go. In short, brick wall.
But never lose your power on password!!
"History doesn't repeat itself, but it does rhyme." Mark Twain
Starting from encryption is not the best way to secure information. Personally I think that the first measure of security is time. Sincerly I consider that this is mostly the only measure of real security.
Do you have an confidential agreement to be signed tomorrow? Hold it in a place that does not give a chance to anyone to see it before being signed.
Do you have an highly confidential database? Calculate the potential of a break-in and for how long the base should be confidential until you process countermeasures.
Never consider information "eternally" confidential. There is not such thing in Nature.
Maybe people will never know 100% what you know. But surely they will get something out of you. Your problem is to qualify information, and secure it in the propper way. Some information is needed to use in the laptop. but you don't need the whole client database on it. It's better to loose two contracts than to have all your company naked in front of the concurrency.
Encryption is good. But encryption can be broken. In fact encryption should only be considered as an element that "delays" access to information but it does not secure it forever. The stronger the encryption the longer it will be taken to broke it. But, there is a big "BUT here.
The most fundamental of all is that, no matter what you do with information, the time X is not broken. Several people use to encrypt their E-mails, documents, filesystems. but they forget that still there is memory, EM emissions, swap files. Specially I noted that many people forget to look over their shoulders when dealing with information. Someone is typing his "honey123" password and you are standing back and looking.
Most rent-a-cops get near minimum wage. How motivated do you think they are?
Furthermore, doing the same thing all the time numbs one to exceptions. If one out of ten visitors needs some kind of personal attention, the guards would be much more alert in general. When days on end go by with nothing to break the monotony, they get complacent, and it doesn't take much to fool them.
You yourself say "You may scoff at these 'rules' and say that no one follows them, but the majority of people do."
Security isn't a democracy; majority does *not* rule. It only takes one crook getting by to steal that laptop.
--
Infuriate left and right