Securing Files in a Hostile Workplace?
lockdown asks: "How do I secure the files used in my department? I work in an engineering department and I've been tasked with securing our electronic files. We are a likely target of pirates, both internal and external. The 'resale' value of our files is very large. Attackers would be interested in selling our files or just posting them publicly for bragging rights. While I trust our engineers, many of whom have been here over 10 years, we do have many short-timers and temps in other departments. Worst of all, our IT department is clueless and even hostile to our efforts. (They are proud that, 'our network is so outdated that it can't be hacked.') How do I come up with a way to secure our files in a hostile environment and still get our work done?"
"The constraints of my personal situation include:
- the world controlled by the IT department (the network, most servers, tape backups, external firewalls, etc) are out of my control,
- we do not have good physical control of our environment to prevent physical theft or PC access,
- we need to compartmentalize access to different teams,
- we need to be able to recover access in the event a bus hits an engineer,
- engineers need to be able to securely take files home,
- data files can range into the GBs,
- this can't get in the way of getting work done,
- being engineers, we tend to work with a wide range of obscure tools that are unlikely to be supported by commercial solutions and may not play nice with the OS
- we are stuck with Win boxes as clients, but we could have a local dept. *nix security server,
- each engineer needs to be able to enable access to any other engineer,
- I would like at least 2 factor security, something you know and something you have,
- I would like the 'something you have,' attached to engineer's car key ring (something you can't go home without) and
- open source preferred (no proprietary pixie dust, please)."
Encryption with the key stored on a USB flash keychain? Your key can be ridiculously long this way, since most of the USB keychains have at least 16MB of storage space.
This situation strongly depends on the ATM packet size ratio to the compressibility of the files. To get a decent analysis from us ask slashdot experts, please post links to the files here so we can examine them and offer you the best advice possible.
we all know we want to say it.. you work for Valve don't you??
You really have quite a few problems there. Have you considered PGP, possibly with keyring USB drives to store the keys? People would only need the proper keys for the things they need access to, and temp workers can have keys revoked and such.
I have a laundry list of requirements that would tax any reasonable persons mind, no control over my environment, obscure software tools and no money. Please fix this for me.
Thank you,
Hopelessly Clueless Engineering, Inc.
Geeze. Having implemented document control for ISO compliance at an engineering firm that does aerospace parts, I can safely say there is no way your requirements are compatible with any software solution. You have *systematic* problems that are far greater than any humble software could aspire to solving.
Get a couple of these.
1) if you can't trust your IT department, you're screwed, especially if management thinks they should have access (they're IT -- it's their job.) You could deny IT access, by handling everything yourself, but that's often a political nightmare.
2) without physical security, you have no security. You could encrypt the filesystems, but that has its own set of problems. It wasn't that long ago that somebody stole an entire mainframe in Australia.
4) if things are encrypted, more than one person needs to know the passcodes. But the more people who have access, the more people that can do bad things ...
7) is a big one. If you can only trust some of your engineers, then only the engineers you can trust can have access to the files. But obviously engineers you can't trust need access too ... you're screwed.
10) yikes.
Just give me an Admin account on your server, and I'll secure it for you.... :-)
Seriously, where I work, we use a VPN that is secured using a PIN and an RSA token. Basically, the RSA token is a little keychain thingy that displays a 6 digit number which changes every minute or so. When the user wants to connect to the network, they need to enter their PIN plus the 6 digit number.
Because the token is "keyed" to the individual, only my RSA token will work with my PIN. In order for a person to break in, they need both the person's PIN AND the person's unique RSA token. Obviously, this makes the network a lot more secure than a network protected by a traditional username/password setup.
Based upon your requirements, this may not be the best solution, as it fails to satisfy several of your requirements. However, my intuition tells me that you will be hard-pressed to satisfy ALL of your requirements with a single product (without rolling your own).
You work in Valve right?
install the AirGap(TM) firewall.
To me it sounds like there are three problems you're trying to solve:
1) Securing files stored at work.
2) Securing files while being transferred around at work.
3) Securing files when stored to take home.
I also assume that your 'recover access in case of being hit by a bus' requirement is also 'recover access if the physical security key is lost/left at home today/dunked in hot coffee'.
For #1 - I'll leave that to the paranoid masses out there, I'm sure they can come up with something.
For #2 - Logically you need to use VPN between your client and the server on which the files are stored. There's a heap of options out there...
For #3 - and assuming that you run Windows Clients and need 'free' access to the filesystem for your weird applications, I haven't seen any good, open-source method. The alternatives are things like native NT/XP security (no integration with your hardware 'key') and variants on PGPDisk and DriveCrypt (could have the keyfile on a USB key). The only open source thing I've seen is axcrypt which currently doesn't support external keys.
My question is, who is paying your IS department's bills? Normally it's the revenue producing arms of the company (ie: R&D via sales). That means that they are there to Service your needs (Isn't that the 'S' in 'IS'?). While you have been hired for your engineering skills, they have been hired for their sysadmin (etc.) skills. Stop doing their work for them for free!
And disconnect yourself from the IT Dept's network - go and buy a switch!
What is the meaning of life? Seriously, your situation and requirements basically preclude any solution. The only way to get this done is to change either the security requirements, or the existing situation. Since I am assuming that the security requirements are there for good reason, you have to change the half-assed existing situation that is getting in your way. Once that is complete, the only thing that comes to mind is PGP / GPG encryption using a token on a USB keychain or something similar as the decrypting key with DVD-R of some flavor to move the data, but even that is not as platform portable as you want.
No clue what these files are or how you need to work with them, but PGP has a pretty good Windows interface now. You just right-click a file to encrypt/decrypt. You'll need support from your fellow engineers but s'long as the files are kept encrypted on the server and only ever decrypted locally (and then re-encrypted when they go back to the server) you should be okay. Just be sure to clear out the local files every night when you go home!
It sounds like the standard answers such as restricted access rights to the server, files and so forth are not an option in your circumstance. One possible solution - depending on your workflow requirements - might be to look at some digital rights management software.
In this forum, digital rights brings up Microsoft, RIAA and so forth - which I'm sure will get me pilloried. However, it sounds like you are in an environment that would be a good candidate for this kind of software.
IBM, Microsoft and other big vendors are working on solutions - but you may want to look at smaller providers like Sealed Media, Authentica or Liquid Machines. Frankly, the technology has a way to go and the weakness of many of these companies is the encryption and the protocols for passing keys. For how badly this is implemented in many systems, you only have to look to Dmitry Sklyarov's presentation on the security of eBook readers to have some ready questions on hand to determine whether these solutions are secure enough for you.
With that said, there are vendors using this software on the 'net, Harvard Business Online being one good example. For your needs, these applications are probably secure enough and will accomplish what you want. The question is whether they can be integrated well enough in your workflow.
.. even without the hostile environment.
If engineers can take the files home, you'll have to secure their home networks as well. Can you trust them to do that competently?
If any engineer can be given access by any other engineer, you can't effectively divide teams. Within very little time, all engineers will acquire access rights to all processes. That's what usually happens.
You'll need to rework your requirements to a list that is consistent with itself first (which means, mostly, thinking which of these requirements are more important). Then you can start looking for a solution.
And don't trust security advice from Slashdot. For every competent answer, you'll get ten incompetent ones, and unless you have a good security background, you won't be able to tell the difference.
You're looking for a full-blown document management system. The only one I'm familiar with is IBM's Domino.Doc.
Basically, you need a database to store everything in (single network file store), access controls, and revision control (in the event two engineers check out the same file at the same time). It'll cost you money, and no matter what you choose, you'll need 1 or 2 people who understand how to maintain and administer the product.
Your best bet is to involve management. And the Legal department. In writing. State your business case, state clearly the risks, mention other organizations that have suffered from intellectual theft. Make the list long, but light on details, and include estimates of dollar value of theft. Give a dollar value for the stuff that might be stolen.
If other people on staff are a problem, then you have a human resources problem, and not a technology problem. It's tempting to have technology solve problems, but in the end, it doesn't work. If people are the problem, then people have to be the solution as well.
First off, there is (in my humble opinion) no way to guarantee the safety of data that is accessible by machines connected to the internet, no matter how many firewalls are in place. Even something as stupid as having web access on a work machine may one day cause you grief, no matter the security, no matter what operating system. A Trojan Horse, whether something whipped up by a hacker with you as the specific target or a worm coming in from the wild, can access files on your machine and then send them elsewhere. The only true, secure solution is to put two computers on everyone's desk, one for outside access, and one internal-only. You'll also need to police the systems so no employees try to sneak a connection between the two.
Taking work home is even worse. Buy your employees dedicated laptops -- then lock the OSes so that the network will only work on your intranet. Otherwise, again, your precious data may be exposed to the outside world.
Your insanely hostile environment mandates a solution in which all data is encrypted at all times except when it is being accessed on a single workstation.
The requirement for shared access mandates that the encryption key be shared. Smart cards provide this by giving each user an individual passkey that they use to access the shared encryption key. This prevents a person's lost smartcard from compromising the security of the files.
You also need software that accepts the passkey and smart card directly from the user and uses it to decrypt the file. The software should then present the file directly to the Operating System of the workstation on which it is used. This should be as transparent and ad hoc as possible. Also, ideally, it would not allow the unencrypted file to leave the workstation. I don't have any idea how to accomplish that one.
As to the 'at home' usage requirements, you might look into using a custom CD-based Linux distro or, if Windows is necessary for application software, there are a couple of places where you can get CD-based versions of Windows 98. As someone mentioned, the users home PC is the weak link in your scenario.
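The access structure described above (a shared file key that each engineer unlocks with their own PIN plus card secret, so a lost card alone reveals nothing and any holder can admit another engineer), worked through as an added example that is not from the original post. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, a stand-in for AES-GCM; every user name, PIN and card secret below is constructed.

```python
"""Shared data-encryption key (DEK) wrapped separately under each engineer's
two-factor key-encryption key (KEK). Stand-in cipher: HMAC-SHA256 counter mode
plus an HMAC tag; all names and sample values are constructed."""
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    """Domain-separate the encryption and MAC keys derived from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh random nonce per call."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong PIN or wrong card fails here."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def derive_kek(pin: str, card_secret: bytes) -> bytes:
    """KEK from something you know (PIN) and something you have (card secret)."""
    return hashlib.scrypt(pin.encode(), salt=card_secret, n=2**14, r=8, p=1, dklen=32)


class SharedVault:
    """Server-side state: one wrapped copy of the DEK per holder, plus sealed
    files. The DEK is never stored; it exists only while a holder unwraps it."""

    def __init__(self, first_user: str, first_kek: bytes) -> None:
        self.wrapped = {first_user: seal(first_kek, secrets.token_bytes(32))}
        self.files = {}

    def unlock(self, user: str, kek: bytes) -> bytes:
        return open_sealed(kek, self.wrapped[user])

    def grant(self, grantor: str, grantor_kek: bytes, new_user: str, new_kek: bytes) -> None:
        """Any current holder can enable access for another engineer."""
        self.wrapped[new_user] = seal(new_kek, self.unlock(grantor, grantor_kek))

    def store(self, dek: bytes, name: str, data: bytes) -> None:
        self.files[name] = seal(dek, data)

    def load(self, dek: bytes, name: str) -> bytes:
        return open_sealed(dek, self.files[name])

    def revoke_lost_card(self, user: str) -> None:
        """A lost card without its PIN cannot unwrap anything, so dropping the
        wrapped copy is enough; the user is re-granted with a replacement card."""
        del self.wrapped[user]

    def rotate(self, holder: str, holder_kek: bytes, remaining: dict) -> None:
        """A departing user may have cached the DEK: mint a new one, re-seal all
        files and re-wrap only for the KEKs presented now (holder included)."""
        old_dek = self.unlock(holder, holder_kek)
        new_dek = secrets.token_bytes(32)
        self.files = {n: seal(new_dek, open_sealed(old_dek, b)) for n, b in self.files.items()}
        self.wrapped = {u: seal(k, new_dek) for u, k in remaining.items()}


def demo() -> dict:
    """Two holders (bus recovery), a shared file, then one holder leaves."""
    alice = derive_kek("2468", b"card-secret-alice")   # constructed values
    bob = derive_kek("1357", b"card-secret-bob")
    vault = SharedVault("alice", alice)
    vault.grant("alice", alice, "bob", bob)
    vault.store(vault.unlock("alice", alice), "bracket.cad", b"constructed geometry")
    seen_by_bob = vault.load(vault.unlock("bob", bob), "bracket.cad")
    vault.rotate("alice", alice, {"alice": alice})      # bob leaves the company
    return {"bob_read": seen_by_bob, "bob_still_holder": "bob" in vault.wrapped,
            "alice_after": vault.load(vault.unlock("alice", alice), "bracket.cad")}
```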
if you can have a local *nix server, how about logging into that and using that as the source of secure data? I guess the real issue is working with large files (engineering files can get friggin huge) across a network - but if it's a local box on a LAN it's a lot more doable than in a WAN environment. Trust me, I'm in that hell supporting one right now.
.. and to take files home, I guess you could use a 'half-decent' archiving tool with password protection. Not really that secure, but better than most. I recommend RAR out of the lot, but that's only from preference not security.
... how about a server using that, and removable storage (USB disks, HD caddies, etc) with the same ..?
So, all work done at work is kept on the secure *nix box
There are a range of secure disk-based systems
I don't mean to be offensive here but you do not state what your qualifications with regard to IT are so, I must ask are you qualified to evaluate and judge the competence of your IT department and their procedures?
You see, I frequently run into middle and upper level managers that pose the same questions and issues that you do. They have decided that their files are the most important thing in the world and that the IT department is incompetent because they do not seem responsive to said managers' queries or concerns. But, in spite of the managers' feelings on the matter, I rarely see a situation where the IT department is truly incompetent or is doing a poor job on security. What is really happening is that the managers are not qualified to evaluate the IT departments procedures and that said departments become "unresponsive" to these managers after a while of hearing the mistrust and false accusations from someone unqualified to judge.
The fact is that most file servers offer most of the features that you are asking about. Most file servers(Windows NT-2003, Netware, Unix) have very good security measures that allow compartmentalized access, the ability to recover an account and its files when the user is hit by a bus, extensive access logging and auditing, the ability for the file's owner to assign other users access permissions, the ability to handle very large files, potentially secure access control via user ID and password, and more. Most newer ones will allow you to encrypt individual files, directories or even entire disks to further restrict access although this can interfere with work when multiple users are involved. Also, most file servers from within the past decade can support two factor security schemes that utilize one time password key fobs or even biometrics like thumb print scanners(which I find preferable to key fobs that can be lost or stolen).
The most contrary item on your list of requirements is the ability to take home large files. This is a gaping hole in any security system and if the files are so terribly valuable, your company should implement measures to make sure that taking these files anywhere from the server is impossible, or at least extremely difficult. Why would you implement an elaborate security system and then have the files walking out the door on a disk or tape? (As I think about it, Microsoft claims that this can be done securely under their Trusted Computing and DRM plan. But, I won't buy into it.)
In the end the question returns, are you actually qualified to evaluate and judge the IT department's processes and procedures or are you feeling dejected because they are "unresponsive" to your individual needs? One final note about your IT department's pride in their antiquated network. There are several systems out there that although old are still more than capable of doing their job and are indeed quite secure. DEC Vax systems running LAT can be completely secure from both external and internal attack. The same can be said for Novell systems when they rely on the IPX protocol. In spite of your obvious dislike and mistrust of your IT department, it is entirely possible that they are truly very secure with their outdated network.
Many people assume that the only reason to get an audit done is for responsible admins to double check their work and verify that their network is secure. This is a completely valid reason, and the best reason to do one, but there are also political motivations, like in your case. The IT department's stance is that they are secure. You believe otherwise: have an infosec company do an audit. They can show the problems in the network, do so in an impartial way, and give it directly to management who can either exonerate you, or give you the tools needed to do your job.
Personally, I would consider network segmentation, and access controls (both host and network) as the first thing I would think of. Also, read-only smart cards with an encrypted key on it and a strong encryption policy. Keys are checked in every night, and each user has a separate password. You leave, you can't access the file. Then create a strong security policy for your department and have management sign off on it, so you can take immediate steps if anyone violates the policies (taking a key home, unauthorized laptop, etc.)
if you really need help, feel free to contact me.
Purchase a solid safe; unhook all file servers, place them in said safe. Post two rabid pit bulls in room containing said safe. Resulting security may be barely enough to contain grandma's cookie recipe.
Considering the number of people who appear to have access to your data, and the current us vs. them politics with the other departments, you can be certain that any measures you take to protect your data from theft will be, in the end, undone by the human factor. You should emphasize, instead, maintaining the integrity of your data.
"We are a likely target of pirates, both internal and external"
Well, it's a difficult situation. I suggest strong coastal fortress walls, and heavy shelling cannons. Also be sure to have your mates dig the hole before you bury the treasure. That way they will all be tired and you can shoot them and bury them with the treasure. I also suggest wearing a hook and eye patch. Some would argue that this is security through obscurity, but it does have a legitimate effect as a deterrent. Oh, and DON'T FORGET to draw a map with paces relative to everyday objects. This is sure to throw off that random bunch of happy go lucky teenagers in an 80s movie.
we are stuck with Win boxes as clients, but we could have a local dept. *nix security server
It's easy - you say your IT people say it's "that old it's secure"; well, if it's that old = root exploits-a-go-go. Root the box, then set up the security properly.
What? No one said the solution had to be legal...
"rm 'filename'" will usually do a fair job of keeping people from viewing the file.
I suppose I could lend you my public encryption key for a while....
I'm sure some of the PGP-based filesystem extensions will get you half way there. Just get everyone to carry their private keys on a little USB device, a floppy disk or an iPod. You'll still never stop a leak from a person with legitimate access to the files.
If you can't trust your company's IT department, then you have to treat the company network as if it were part of the internet -- outside, hostile, dangerous. That means you have to have your own internal firewall(s) that prevent traffic from coming into your department from the rest of the company network, except for traffic that you specifically allow. The IT department can control whatever servers it likes, but you don't put anything that matters on those servers; you keep it on your OWN servers. Ideally, the IT dept. shouldn't even know these servers exist, but absolutely they must not have access to them. This includes physical access, even if that means you have to rig a cabinet to set off fire alarms or whatever if it's breached improperly. (Being engineers, I imagine you can come up with something. Be creative. Train whistle and air compressor, whatever, make sure you will KNOW if someone is getting into there, and make sure power to the alarm system can't be cut without setting off an alarm (think UPS inside the cabinet).)
It gets worse. You said you have no control over the physical topology of the network. That means anyone random can just plug in on your side of your internal firewall. That means all your systems that have data you need to protect MUST be locked down. I'm thinking you want to limit it to as few systems as possible (servers) and turn the clients into thin clients, at least for the purposes of accessing the data you intend to protect. No system should be able to connect to the servers that house the data without authenticating each time, and you need to use an encrypted wire protocol. (X11 forwarding over ssh could be made to work, but being stuck with Windows clients is hurting you here. Yeah, cygwin has X and it works, but unless it's improved since the version I've got it doesn't integrate well and will get in the way of getting work done. You might want to look into VNC or something along those lines.)
> we need to be able to recover access in the event a bus hits an engineer,
All this means is you have to trust more than one engineer with the same or equivalent access keys (whether these keys are virtual or physical or both).
> engineers need to be able to securely take files home,
Can the engineers have decent bandwidth (better than dialup) and latency (better than satellite) at home, so as to connect in the same authenticating way as they do at work? If so, this issue just goes away. Remember, the corporate network is as far as you are concerned part of the untrusted internet, so whatever encryption and authentication are good enough to authenticate an engineer at work are good enough to authenticate him at home.
Or else fix some of those requirements. The biggest one is the physical access problem; the only mostly secure way to do that is full encryption. And encrypting & decrypting gigabyte files will certainly get in the way of getting work done.
No internet access to secure PCs, no digital media allowed in or out of the secure area. And make the engineers understand that, if they are found responsible for data escaping, it means not only their job but their career as well, and quite possibly a large chunk of money.
If your data is worth that much, if the company's future depends on it, you cannot afford to take any risks. Hire an expert security consultant to examine YOUR system and implement security safeguards and procedures. You will have to give up an amount of conveniences and features in order to achieve security. Don't kid yourself that there is a transparent way to do this.
Sell some of your valuable files, and use the proceeds to fund a security upgrade.
Buy a bunch of these 2gb Flash Drives
Instruct the engineers to rectally insert them when not in use. You'll be safe from everything but a cavity search. Large files can be spanned across multiple devices, just find someone with extra capacity available. (The Goat.se dude could be your new server).
This is plain stupid. You can get some encrypted USB drives and smart cards or you can change your environment. I can't imagine that this is a real scenario. What pointy haired manager would allow this type of environment to fester, especially when all the management types can think about these days is protecting IP?
except for contradictory requirements ("We don't trust engineers but they can take files home and use as they please" "We have no control over computers but our solutions must be a robust computer system") you should look into document management portal systems.
Some examples are OpenText's LiveLink or IBM's Lotus Notes.
Your problems are management company created problems. They need to be solved on that level.
Your company needs to create a security admin. This person needs to be above the level of department managers. This person needs to dictate security policies company wide. If a manager doesn't like her policies, that manager needs to go to her boss.
The security admin needs to have her job on the line if your code gets out in the open.
Do that one thing and see what happens.
Many, many, many people are gonna be pissed off.
Good. Sometimes that is a good thing. People need to get pissed occasionally, it is a good way of putting them in line.
Numbers 2 and 10 are completely unacceptable.
Having any engineer being able to enable access to any other engineer is simply not a good thing. Force those people to go through the proper channels to get access. It will force a paper trail, if code gets leaked it gives you a place to start.
I simply won't comment on #2.
#3 is part of #2. Think about it.
#5. Why do engineers need to take files home? Should any engineer be able to spontaneously take any file home? Where I work it is SOP for people to PCANYWHERE into their workstations from home. I am not sure how good of an idea THAT is, but I like it better than allowing people to burn anything they want to a CD and be off with it.
#8 There needs to be accountability for the tools you are using to do your job.
Fix those things from within the company. I bet what you are left with after you have fixed those things can be fixed with software.
What I did in the same situation was:
1. Fix the physical security: get a clear desk policy up and running. As well as protecting you from intruders, it also means the impact of a fire will be much less.
2. Move all important files to the server (which will be backed up and has access controls).
3. Put power on passwords on all PCs, make sure they are good ones (if you need access in an emergency, there will be an administrator password held by the IT department): this means network hackers would have to get down with the hardware - they hate that.
4. For Portable PCs, deploy an encryption solution, since these are most likely to be stolen, and the only way to then prevent access would be encryption. PGP Disk is great.
5. Training: giving people a refresher which explains the risk and which shows them how and why to protect their own data will make all of the above measures more effective.
Unfortunately, you are not the one who should implement any security measure... you need to make your manager aware of the fact that some corporate assets may be at risk, and that he/she might want to conduct a risk analysis to see how large the risk of information disclosure actually is, and what it is worth to the company to mitigate these risks. This largely depends on the real value of the information, not the perceived value. And you are, forgive me in saying so, biased towards the value of this information.
Security is not a technical issue, it is a management issue. So talk to your manager!
Do a risk assessment, show the issues you have and the risk to business in cold hard cash.
ie the threat, the risk (impact on the business), likelihood and possible ways of reducing the threat/risk with costs.
Present this info all the way up to the board of Directors; at the end of the day they run the business and it's their decision. You need to get a high level manager/director to sponsor this for you as well.
A lot of this kind of problem is getting the business (directors) to be aware of the problem and the threats to the revenue stream. If they choose to ignore any advice, at least you've 'done your bit' and should be satisfied with that. Perhaps they'll come back in a few months with some positive results. Security is usually low on the agenda, especially internal data security.
Heck, it's taken me three years to get a semi-decent computer room for physically securing our engineering machines...and that was only done as it was required by the insurance company due to the cost of replacing the hardware rather than the data!
Replying to each in turn:
1, you can't control external IT services, external IT is hostile to you.
Fine, if you have support from your department, then treat the rest of your company's IT assets as 'hostile' and 'insecure.' Having your boss's support is crucial; it's his job as a project manager, or division head, to facilitate his employees getting their work done. Further, it's his job to make sure that important information and data is not compromised. He is delegating that responsibility to you, but he is still responsible. Hence, if 'hostile IT' has a fit, it's his job to deal with them and to keep them off your back. This is similar to the chain of command in the armed forces; your superior officer is responsible for you and it is his job to make sure you can do your job. Make sure your boss knows what's going on and do nothing behind his back. An open and honest relationship with your boss is crucial in office politics.
So, Firewall your LAN. You're worried about network based threats, so install an IDS to watch traffic that crosses your border 'your firewall'. Make sure that your windows boxes are patched; there are microsoft tools for facilitating this.
Even if you don't have support for a firewall from your IT people, you can set up a NAT machine to bridge from your old IP space to a private network (10/8, 192.168/16, etc.)
If you need to provide external access to internal resources, use a secure connection. There are systems for validating user identity (rsa tokens, smart cards.) Use them as your authentication system.
2, You don't have physical access controls and you cannot implement them.
Encrypt hard drives. I believe Windows 2000+ has the option for encrypted volumes. I would check around to prove to yourself, without a doubt, that it's secure. Make sure swap partitions are encrypted, etc.
If someone has the resources and interest to physically break into your workplace, then encrypted hard drive volumes might not be enough.
Another approach is to make sure that no sensitive data is saved to the hard drive. This is difficult, as compiling or loading data may write data to swap partitions or leave other sensitive information in unguarded locations.
Consider a terminal server, and secure the terminal server. With a terminal server, you can place it behind large amounts of steel, locks, and other physical measures that make theft increasingly difficult. Remember, humans are generally the weakest key; if you are able to lock down a small part of your resources in a cage, or a reinforced closet, who has access to it?
Further, a terminal server would reduce downtime for engineers. "My power supply burned out; my hard drive died." Big deal, their PC becomes essentially a stateless client.
3. Need to compartmentalize.
Frankly, if you're in a Microsoft world, the easiest system is probably to use CIFS with ACLs. Use Active Directory to model the "logical" breakdown of people in your organization. It's left up to the reader as an exercise in 'trust'. I would get two fileservers, and use Fibre Channel to have redundant links to a redundant RAID array. (Compaq, Dell, etc. would love to sell you this.) If cost is a concern, a similar solution could be constructed. Place these servers in the secure cage with the terminal server. Give the terminal server and your file/authentication servers a private, local LAN between each other. Place a tape library in the cage as well, and automate backups. You might consider renting a machine at a colo somewhere far away and using that for off-site storage over a secure VPN.
4. "engineer hit by a bus scenario"
Your fileservers will still allow the administrator to access all files, but lock the administrator accounts to local log in only. You can only be the super user after unlocking fifteen physical locks that bolt down 100 lbs of stainless steel. However, in an emergency, you can retrieve information.
5. take files home
What about allowing VPN access to the terminal se
fnord.
encrypt your files (Winzip or PGP).
/valueadd
get a random password generator.
change encryption password every week.
don't run TCP/IP NetBIOS on your "local" network.
check if this is enabled. on command-line:
netstat -na
and check if the ports 137 and 138 are open.
if yes then disable this (network properties).
or firewall them (Zonelabs).
choose a non-routable protocol for "local" network,
so in the case of a break-in, the hacker will
not have access to "local" network since it's
using a different protocol.
don't use "shares (files, printer)" over TCP/IP.
NetBEUI for XP can be found in the
directory of the XP install CD.
say you need to give access to some files to public/community.
use NetBEUI or IPX for "shares (files,printer)" and then
share the FTP directory or Apache htdocs directory.
drag/drop/blob anything you want to share with the internet.
maybe add a simple password, so not any random guy
visiting your LAB/DEPARTMENT can just BLOB your research
onto FTPd or APACHE.
disallow FTP-service and APACHE-service read/write files to "shares"
on "local" network.
firewall every machine (Zonelabs).
close all ports and open only what you need.
with XP you can have the OS do the encryption
for you automatically.
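The `netstat -na` check above, done mechanically. This is an added example, not code from the thread or from any poster: it parses the Windows `netstat -na` output format and flags the NetBIOS ports the poster names (137, 138) plus 139 and 445, which carry the same file/print sharing over TCP/IP. The sample netstat output embedded in the block is constructed for illustration; on a real box you would paste in the actual output.

```python
"""Flag NetBIOS/SMB listeners in `netstat -na` output.

Added example (not from the Slashdot thread). Standard library only.
"""

# Ports used by NetBIOS over TCP/IP and by direct-hosted SMB.
NETBIOS_PORTS = {
    137: "netbios-ns",
    138: "netbios-dgm",
    139: "netbios-ssn",
    445: "microsoft-ds",
}

# Constructed sample of Windows `netstat -na` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1028       192.168.1.9:139        ESTABLISHED
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
  UDP    0.0.0.0:500            *:*
"""


def parse_listeners(netstat_text):
    """Return a set of (proto, port) that are listening (TCP) or bound (UDP)."""
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the banner, the column header and blank lines.
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        # Local address is host:port; rsplit also copes with IPv6 "[::]:port".
        try:
            port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if proto == "TCP":
            state = fields[3] if len(fields) > 3 else ""
            if state != "LISTENING":
                continue  # an outbound/established socket is not an exposed service
        listeners.add((proto, port))
    return listeners


def netbios_exposure(netstat_text):
    """Sorted (proto, port, service) for every exposed NetBIOS/SMB port."""
    return sorted(
        (proto, port, NETBIOS_PORTS[port])
        for proto, port in parse_listeners(netstat_text)
        if port in NETBIOS_PORTS
    )


if __name__ == "__main__":
    for proto, port, name in netbios_exposure(SAMPLE_NETSTAT):
        print(f"{proto:3} {port:5} {name}  <- disable or firewall")
```

Anything the function returns is a service you either unbind from the TCP/IP stack (the poster's "network properties" step) or firewall; an empty list means the sharing ports are not reachable over IP from that host.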
Petition to outlaw buses.
Granted, I don't have GB sized files, but I do maintain some of my own files on my work computer that I DO NOT want some random admin to have access to, especially if I were to be "let go" one day without warning or time to backup/wipe said files.
I use PGP - the 'freeware' version - because I'm only securing personal files, not work files. For work files I'm sure you'd need an enterprise license or some such thing, but I've found it to be really easy to use. I also haven't tested out how actually secure it is, but it's Good Enough for my purposes. Plus, if you needed to, you can assign different 'trusted' sources when you encrypt your files, allowing other engineers to access those special files without involving the IT dept's help.
If you can't trust your IT department, install an internal firewall (just for you)
Authentication (something you know and something you have = smartcard) Contact smartcard vendors (Gemplus, etc.) and they will be happy to help you.
Securely taking files home is like securely taking a nuclear device home. This does not exist... Either be "completely" secure or do not allow this...
Not depending on a single person to keep a secret is tricky:
you may try something like this: each engineer changes the password every week and encodes it in a way it takes, dunno, 1 week to break. So, if he gets abducted by aliens, it will only take 1 week to recover his password...
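The "bus hits an engineer" recovery problem (the original constraint, the locked-admin-account answer above, and the weak-encoding idea in the post just above) has a standard cryptographic answer that none of the posts name: split the department's file-encryption key among the engineers with a k-of-n threshold scheme, so that any k of them together can recover it and fewer than k learn nothing. This is an added example, not code from the thread or any poster: Shamir secret sharing over the prime field GF(2^521 - 1), standard library only. The passphrase in the demo is constructed; the threshold and share count are assumptions you would set per team.

```python
"""Threshold recovery of a department encryption key.

Added example (not from the Slashdot thread): Shamir secret sharing over
GF(p), p = 2**521 - 1. Each engineer keeps one share (on the key-ring
dongle, say); any `threshold` shares recover the key, fewer reveal nothing.
"""
import secrets

# 2**521 - 1 is a Mersenne prime; secrets up to 64 bytes fit below it.
PRIME = 2**521 - 1


def _encode(secret: bytes) -> int:
    # Prefix 0x01 so leading zero bytes of the secret survive the int round trip.
    n = int.from_bytes(b"\x01" + secret, "big")
    if n >= PRIME:
        raise ValueError("secret longer than 64 bytes")
    return n


def _decode(n: int) -> bytes:
    data = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if not data or data[0] != 1:
        # Fewer than `threshold` shares (or a wrong share) interpolate to noise.
        raise ValueError("shares do not reconstruct a valid secret")
    return data[1:]


def split_secret(secret: bytes, threshold: int, num_shares: int):
    """Return num_shares points (x, y) on a random polynomial of degree threshold-1
    whose constant term is the secret."""
    if not 1 <= threshold <= num_shares < PRIME:
        raise ValueError("need 1 <= threshold <= num_shares")
    coeffs = [_encode(secret)] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, num_shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from at least `threshold` points."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return _decode(total)


if __name__ == "__main__":
    key = b"constructed-department-key"        # constructed demo value
    shares = split_secret(key, threshold=3, num_shares=5)
    for x, y in shares:
        print(f"engineer {x}: share {hex(y)[:18]}...")
    print("3 of 5 recover:", recover_secret(shares[:3]) == key)
    try:
        recover_secret(shares[:2])
    except ValueError as e:
        print("2 of 5 fail:", e)
```

The key being shared is the passphrase for whatever volume or PGP key the department actually encrypts with; the shares themselves are what go on the dongles or in the locked cage. Rotating the key (as the post suggests weekly) means re-splitting and re-issuing shares, which is why in practice you share a long-lived key-encryption key rather than the weekly one.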
how long until
the world controlled by the IT department... are out of my control
Then this is not your problem, it's the IT director's problem. Or a CxO's problem.
we do not have good physical control of our environment
Again, if you are not the one in charge of physical security, it's neither your job nor your responsibility.
we are stuck with Win boxes as clients
You're fucked! Seriously, the security of files comes from properly configured and admined win servers, not from the clients.
I would like the 'something you have,' attached to engineer's car key ring... and open source preferred
Mutually exclusive. Keyfobs, smartcards, card readers, usb dongles, all have proprietary software running the authentication server. There might be some freeware projects out there, but none of them come close to the completeness of a commercial product. I suppose you want the keyfobs for free too?
There are some OSS projects where the dongle is an applet which runs on PalmPilots or iPaqs, and holds a local key generated by the server. But then you need either kerberos or radius authentication servers, not windoze domain controllers. And then there is the cost of supplying every engineer with a Palm equivalent, much more than a box of dongles.
Some other points why this is NOT your job:
The 'resale' value of our files is very large.
You did not mention what kind of budget you have been given. It's the first question I ask a potential client in a situation like this, because effective security costs money. If your boss was serious, you would have a budget equal to about 10% of the IT spending of the whole company, and you wouldn't be worried about free software or free dongles.
engineers need to be able to securely take files home
No they don't, if you want anything even resembling security. This is why amateurs like yourself should never be allowed to have anything to do with security. This is like saying that bank tellers should be allowed to take home cash every evening so they can count it. It isn't done in a secure environment.
You need to take this problem to your corporate legal department, and explain to them this may signal a very serious risk to the future of the company. If the IT group is as incompetent as you indicate, it's a problem for upper management, not you. Go to your boss and tell him you refuse the job, because it is impossible to carry out without a budget, support from above him, and authority to make significant changes.
Then, make sure your resume is up to date, because one way or another, you are being made the scapegoatse.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
1) Remove all floppy drives and other writable-removable-media drives from every desktop on the network.
2) Keep the servers in a locked room. Put two or three cameras in the server room.
3) Enable firmware passwords on all computers to prevent installation CD root access.
4) Put lock-down cables on all computers to prevent physical theft. Real computers, such as Sun workstations, even have it where the lock-down cable prevents opening the case, too.
5) Isolate your network from all others, especially the Internet.
6) Don't use DHCP or NIS.
7) Keep all network cabling out of the reach of inductive sniffer tools. Keep all network ports on a switched network. Lock all equipment closets.
There are probably a few more things, too, but the above is probably a 99% solution.
Healthcare article at Kuro5hin
Scare your employees and make them fall inline! Use polygraphs.
My company sells (and I work on) a product that meets numbers 1 through 9 of your criteria list (and maybe 10). Here's the website for it: http://www.kastenchase.com/products/acs.asp And here's a PDF brochure that might have less sales noise (maybe): http://www.kastenchase.com/products/CipherShareBro chure_20030729.pdf
We could probably also make the source code available for review, and don't yet have two-factor authentication but we plan to add it soon. Sales guys would have to be the ones to make promises like that, though -- I just write the code.
It's a damn good product (if I do say so myself), and we have some happy customers. I've personally been using it daily for about two and a half years (since we started developing it).
I'm not sure you're going to be able to meet all of the constraints. One piece of the puzzle may be linux running Samba re-exporting the company server but layering a crypto-fs on top of it.
Unfortunately, that would not be very granular but would at least narrow your risk from the whole company to just your own department.
use VMS!
I might be tempted to use removable hot-swappable hard drives of the USB 2.0 or IEEE 1394 variety. I have one myself. It's basically an IEEE 1394 to IDE adapter.
You MUST have physical security. I can hack any machine I can get physical access to... If the data's encrypted, I just walk out with the whole disk and decrypt it at my leisure in my lab...
Your IT people need to either get a clue or you need to get new IT people.
Finally, hire a reputable security consultant and actually do what he tells you to.
Otherwise, you're wasting your time -- just go ahead and post the files on your ftp server now.
There's a few serious problems there, there are some that technology won't solve, and some that have the feeling of being, "We asked the engineers and these are the things they want". The bottom line is this: If they get what they desire, your network will 'never' be secure. Solutions, or criticism, as follows:
#1 Get onboard with your IT department, if these people stay hostile to your intentions you'll be looking over your shoulder constantly. These folks probably have some, if not all of the skills necessary to break into the network. The most common flaw of any network is that it is exponentially easier to attack it from inside. Talk to them, don't alienate the people that could most easily thwart your plans for security.
#2 Get control, if your information is as valuable as you suggest, you need to draft a budget for physical security, someone leaving with a hardcopy of your information will circumvent nearly anything you can impose electronically. Video surveillance, locking down printers, removing hard copy drives and unsecure ports (CD Writers, FDD's and securing information ports, USB for instance, is an oft overlooked hole in some small/security impoverished businesses)
#3 Just how would you like to have it compartmentalized? Would you like certain teams to have access to certain sets of information? Such shouldn't be hard at all in a properly secured network. But there are also issues with your employees here, if information is shared behind the scenes it will fall apart, they must know things are top secret, and that heads -will roll- if information is leaked around...
#4 Employ a security consultant, someone whose task is -only- security, someone who is bound by contract to keep -everything- confidential, who is trustworthy, careful and honest. (And good luck finding one, a really good security person can be a nightmare to find)
#5 ABSOLUTELY NOT - NEVER Allow anyone to take work home with them, the entire concept of doing so is flawed, you can't be certain of the security of their home system, and if you are concerned with someone pirating information from within your company, this is like painting a target on sensitive places on your anatomy, and offering free shots.
#6 Into the GBs? That's fine on a network, let me say once again, DON'T LET INFO LEAVE THE BUILDING. If you install one single DVD-R drive, someone could walk away with 4.5 - 9GB of your data. Chances are, that's enough of it to make selling it to your competitors and moving to somewhere far far away, much more profitable, than trying to do it one floppy at a time?
#7 What can't? The network itself shouldn't get in the way of 'real' work getting done, but once you lock things down they will never be as smooth and free as when your security was lackluster. Tough security comes at the small price of the odd pain in the neck
#8 Physical Tools? One thing you may wish to look into is having a small, trustworthy business design software for use with some of them to better integrate into most common OSes
#9 Ouch. As I'm sure a dozen people on this board have pointed out, working with windows clients complicates things, it puts Buick-sized loopholes into some of the best security procedures, be careful here.
#10 In terms of, if you mean the ability to contact them, to speak with them or exchange notes, then you either go with the old fashioned telephone, or a relatively secure program that will work internally only, read into software like Lotus Notes.
#11 There are a variety of devices out now that can store either a portion of an encryption string or a portion of a passcode. But the idea of physical hardware, brings up issues like 'what if someone forgets their '. You -cannot- allow forgetfulness to undermine this security procedure, that means no exceptions, everyone has -one-. Giving them another should NOT be taken lightly, and should be a task of the security advisor only.
#12 See # 11
#13 There are unfortunately too little open source things around, usually they're being tested, being tinkered with, and once they're refined, they suddenly become closed source. Often you will need to do the research and find someone you can trust in the world of proprietary information, sometimes this even means having someone engineer software -specifically- for you.
Hope some of this helps... Kirzen