Slashdot Mirror


When Data Goes Missing Will You Even Know?

Lam1969 writes "Jack Gold says IT shops may have a huge problem on their hands, and probably don't even know about it. The problem is USB flash drives, which he predicts will probably reach 10 GB in capacity in three years, and the lack of policies to guide use of them by employees. From the article: 'With more and more employees using flash drives, smart phones with Secure Digital memory cards, portable hard drives, etc., the likelihood of companies actually knowing about all instances of data loss is declining rapidly. And as a result, the possibility of companies breaking laws, whether for data-loss disclosure or regulatory compliance, is growing dramatically.' Gold predicts 'at least one publicized major case of unencrypted data loss from a portable device' in the next year, which will result in many companies banning these kinds of devices."

62 of 327 comments

  1. data has walked out the door before. by yagu · · Score: 4, Insightful

    From the slashdot post:

    The problem is USB flash drives
    While there is truth to this, it is not a new truth and it is not the complete truth. It's one more mechanism for "losing" data but it's not the first and it won't be the last.

    It's an effective mechanism for moving large volumes of data, but it's not the only mechanism.

    Corporate espionage and theft has and will continue to exist. USB drives are just one more aspect. While there may be some "exposure" and scandal soon about some USB drive falling into the wrong hands I doubt it will surpass any of the recent scandals (lost tapes and customer data).

    Unfortunately, I'm guessing the article is correct in its prediction: "It is highly likely that within the next year, we will see at least one publicized major case of unencrypted data loss from a portable device. Afterward, a lot of companies will ban such devices". That would be a knee jerk reaction and counter productive but I'm already seeing it on so many other levels, e.g.,

    • restricted e-mail (filtered to death)
    • blocked IM
    • key logging

    among many others. I still think the greatest exposures are social engineering... and the paranoia around security policies doesn't address that. Sigh

    (And, besides, isn't the RIAA working on a solution to apply DRM to USB drives too? ) ;-)

    1. Re:data has walked out the door before. by Anonymous Coward · · Score: 3, Interesting

      My company already has a policy banning them. Using a USB drive at work w/o permission will get your ass fired.

    2. Re:data has walked out the door before. by xiphoris · · Score: 4, Informative

      "It is highly likely that within the next year, we will see at least one publicized major case of unencrypted data loss from a portable device. Afterward, a lot of companies will ban such devices"

      No need for "afterward". Most companies that are extremely interested in protecting data (such as a large .com in Seattle for which I have worked) have banned such devices for years. No media may be used to transport company data except that which is explicitly allowed. In addition, no computer wireless devices of any sort (keyboard, mouse) may be used on company machines for security reasons. I'm sure that there are a lot of other similar rules, too, and all for good reason.

      It doesn't take a smart company to figure out that you don't want Billing.mdb on a floppy. USB is really no different. :)

    3. Re:data has walked out the door before. by Anonymous Coward · · Score: 2, Funny

      What about the rest of your body?

    4. Re:data has walked out the door before. by Forbman · · Score: 2, Insightful

      ...and your computer doesn't have a CDRW/DVDRW on it of some form or another? You haven't secretly set up an ssh tunnel to an outside computer?

      You religiously put all your sensitive docs into the to-be-shredded container instead of the usual recycle bin (but people will still inadvertently put critical info in the regular recycle bins from time to time)?

  2. Wow! by Bobdoer · · Score: 2, Insightful

    To think that malicious employees waited until flash drives to steal data! Dear god, what about paper printouts, hard drives, e-mail, and (dare I say it?) floppy disks?!?

  3. That reminds me by TheAxeMaster · · Score: 2, Funny

    Dang, that reminds me, I need to figure out where my USB flash drive is....

  4. Watch the log files! by rcpitt · · Score: 5, Insightful
    When I see the fact that a USB storage device has been inserted into a workstation or server, I question what (and who) did what.

    The log files don't lie!

    Of course if you can't find them, then it doesn't matter, does it? Does WinXX create a log file of USB insertion - damned if I know!

    --
    Been there, done that, paid for the T-shirt
    and didn't get it
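
The log review described in the comment above, as an added example that is not part of the original thread. It assumes Linux workstations forwarding kernel messages in syslog format (it does not cover the Windows case the comment asks about); the host names, device strings, serial numbers and the approved-serial list are constructed for illustration.

```python
import re

# Constructed sample: syslog-style Linux kernel messages from two hypothetical
# workstations. Host names, IDs and serial numbers are made up.
SAMPLE_LOG = """\
Mar 13 09:14:02 ws-042 kernel: usb 1-1: new high-speed USB device number 5 using ehci-pci
Mar 13 09:14:02 ws-042 kernel: usb 1-1: New USB device found, idVendor=abcd, idProduct=0001
Mar 13 09:14:02 ws-042 kernel: usb 1-1: Product: Example Flash Disk
Mar 13 09:14:02 ws-042 kernel: usb 1-1: SerialNumber: EXAMPLE0001
Mar 13 09:14:03 ws-042 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar 13 09:15:40 ws-017 kernel: usb 2-3: new low-speed USB device number 2 using uhci_hcd
Mar 13 09:15:40 ws-017 kernel: usb 2-3: New USB device found, idVendor=abcd, idProduct=0002
Mar 13 09:15:40 ws-017 kernel: usb 2-3: Product: Example Keyboard
Mar 13 09:31:55 ws-042 kernel: usb 1-1: USB disconnect, device number 5
Mar 13 16:02:10 ws-017 kernel: usb 2-1: new high-speed USB device number 3 using ehci-pci
Mar 13 16:02:10 ws-017 kernel: usb 2-1: New USB device found, idVendor=abcd, idProduct=0003
Mar 13 16:02:11 ws-017 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Syslog prefix, with an optional "[ 1234.567]" kernel uptime stamp.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skernel:\s"
                  r"(?:\[\s*[\d.]+\]\s)?(?P<msg>.*)$")
PORT = r"(?P<port>[\d.-]+)"
NEW = re.compile(rf"^usb {PORT}: new .*USB device number \d+")
FOUND = re.compile(rf"^usb {PORT}: New USB device found, "
                   r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
FIELD = re.compile(rf"^usb {PORT}: (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$")
STORAGE = re.compile(rf"^usb-storage {PORT}:\d+\.\d+: USB Mass Storage device detected")
GONE = re.compile(rf"^usb {PORT}: USB disconnect")
FIELD_NAMES = {"Product": "product", "Manufacturer": "manufacturer",
               "SerialNumber": "serial"}


def _blank(host, port, ts):
    return {"host": host, "port": port, "attached": ts, "removed": None,
            "vendor": None, "product_id": None, "product": None,
            "manufacturer": None, "serial": None, "storage": False}


def storage_sessions(log_text):
    """Return one record per USB mass-storage attachment seen in the log.

    Devices that never bind to usb-storage (keyboards, mice) are ignored.
    A record with removed=None means no disconnect was logged: the device is
    still attached or the log was cut off.
    """
    live, done = {}, []
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue
        ts, host, msg = line["ts"], line["host"], line["msg"]
        if (m := NEW.match(msg)):
            # A fresh enumeration replaces any stale state for this port.
            live[(host, m["port"])] = _blank(host, m["port"], ts)
            continue
        m = FOUND.match(msg) or FIELD.match(msg) or STORAGE.match(msg) or GONE.match(msg)
        if not m:
            continue
        key = (host, m["port"])
        if m.re is GONE:
            dev = live.pop(key, None)
            if dev and dev["storage"]:
                dev["removed"] = ts
                done.append(dev)
            continue
        # setdefault covers logs that start after the device was enumerated.
        dev = live.setdefault(key, _blank(host, m["port"], ts))
        if m.re is FOUND:
            dev["vendor"], dev["product_id"] = m["vid"], m["pid"]
        elif m.re is FIELD:
            dev[FIELD_NAMES[m["key"]]] = m["val"].strip()
        else:
            dev["storage"] = True
    done.extend(d for d in live.values() if d["storage"])
    return done


def unapproved(sessions, approved_serials):
    """Sessions whose serial is not on the (hypothetical) approved list.

    A device that reported no serial at all is flagged as well.
    """
    return [s for s in sessions if s["serial"] not in approved_serials]


if __name__ == "__main__":
    for s in unapproved(storage_sessions(SAMPLE_LOG), {"EXAMPLE0001"}):
        print(f'{s["host"]} port {s["port"]}: storage device '
              f'{s["vendor"]}:{s["product_id"]} serial={s["serial"]} '
              f'attached {s["attached"]} removed {s["removed"]}')
```
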
    1. Re:Watch the log files! by rcpitt · · Score: 2, Funny
      OK - so you've invented DRM - Digital Rights Management - and it mandates that each portable digital container has a unique signature.

      My personal hacker (12 years old, immune from prosecution) just duplicated your key-fob's ID. What are you going to do about it?

      Check - and Mate!

      --
      Been there, done that, paid for the T-shirt
      and didn't get it
    2. Re:Watch the log files! by Jussi K. Kojootti · · Score: 2, Insightful
      "tamper proof SIM card"

      That'll work. Just like all the other consumer devices that were marketed as secure -- and were cracked in two days after release. If the key is in the device, it will be known.

  5. Might not want to admit that... by Red Flayer · · Score: 4, Insightful

    "I had to invade the owner's privacy to see what I could discover from the content of the files."

    Wouldn't this be accessing files that you were not granted access to? Isn't this a crime in several US states, and is it really a good idea to admit to it in a column with your picture and name at the top?

    Just curious if the 'Good Samaritan' is putting himself at risk (and if it was curiosity or a desire to return the property that was the motivation).

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  6. dumb approach. by Vellmont · · Score: 4, Insightful


    Gold predicts 'at least one publicized major case of unencrypted data loss from a portable device' in the next year, which will result in many companies banning these kinds of devices."

    Which will solve exactly nothing. What are you going to do, search everyone as they enter and leave the building? If you want to limit data theft, limit access to huge amounts of data in the first place. That eliminates the risk to any new technology to get the data offsite.

    --
    AccountKiller
    1. Re:dumb approach. by Descalzo · · Score: 2, Insightful
      So if they do end up banning these things, what will they use instead? We use them because they are so handy. What other good options do we have?

      --
      I cried real tears when Li Mu Bai died.
  7. Lost is the wrong word by A nonymous Coward · · Score: 2, Insightful

    Geez. It isn't lost, it is copied. Maybe you don't want it copied, great, but it is not lost, not misplaced, not missing. Some people will quibble about it being stolen or pirated, but it is not lost.

  8. A little epoxy will fix that right up. by LurkerXXX · · Score: 4, Interesting

    I know of several companies which have filled in all the USB/firewire ports on most of the computers with epoxy. Only people who actually have a real need for devices using those ports have working USB/firewire (there are no floppies or CD/DVD burners in 'regular' staff machines either)

    1. Re:A little epoxy will fix that right up. by networkBoy · · Score: 5, Insightful

      Funny,
      As a dev (and with tons of confidential and privileged info on my computer) I am specifically instructed to take my notebook home every night. It is considered part of our business continuity plan. Not only that but this is a large multinational corp, not a mom and pop shop. That said, the drive is encrypted, and security policies are in place for communication back to the office when I'm away (2048 bit RSA VPN).

      What it boils down to is this:
      My employer knows that if I want to steal data I can do it. Even if it comes down to hand transcription of one memorized line of code per day. So they trust me and provide me a hardened notebook to do my work on. Even if it is lost the data will not be compromised till it's likely to be useless anyway.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    2. Re:A little epoxy will fix that right up. by mh101 · · Score: 2, Insightful

      It's been a while since I've peeked into a PC's BIOS... Can't you disable USB in the BIOS setup? Or is that dependent on the particular BIOS? Then you can just set a password to prevent access to the BIOS setup menus.

      --
      Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
    3. Re:A little epoxy will fix that right up. by spooky_nerd · · Score: 2, Insightful

      Better hope your computer isn't "legacy free" or a Mac. You won't have any place left to plug in your keyboard and mouse. Also, don't forget to plug up the parallel port. I still have a ZIP drive!

    4. Re:A little epoxy will fix that right up. by hazem · · Score: 4, Interesting

      Of course, many motherboards have a USB connection where you can plug a slot-based set of USB outlets. If you're already opening the case, that's all you need.

      And USB, I think, is only 4 wires... if the plug is epoxied, just open the case and hotwire your own outlet.

      Someone else already mentioned installing a 2nd harddrive to copy data. And one could also install a $20 USB/Firewire card in one of the PCI slots.

      That leaves filling the whole computer with epoxy. Great, you've turned your PC into a commodore 64. I hope you don't have to fix it!

      People just have to accept that if a person has physical access to the machine, they can compromise it.

    5. Re:A little epoxy will fix that right up. by TallMatthew · · Score: 3, Informative

      rm -rf /lib/modules/2.6.n/kernel/drivers/usb/storage should do it.

      Oh, right. Windows.

    6. Re:A little epoxy will fix that right up. by v1 · · Score: 2

      My manager at the last place I worked at used to work at a bank, and he was rather against my taking my laptop to work. But this was not a well funded IT department, and about once a month we'd need to do something that we didn't have the capability to do. (like clone a 20mb proprietary formatted SCSI-2 HD from the phone switch) Then I'd bring back in the laptop and I'd be good for hassle-free laptop use for about another month before he'd start grumbling again. And then something else would come up and reset the clock again.

      Not that we had anything that critical or sensitive where I worked, but I always found it silly to bar someone from bringing in their laptop. Common sense tells you not to put anything sensitive on the computer, since the only reason for that is probably to work at home, and I don't get paid to work at home so why should I. And getting back to parent's point, if it's an issue of trust, why would you have someone working in a position of trust that you do not trust? If someone has access to very sensitive information, either you are going to have to body cavity search them every day or they are going to find a way to sneak out your data if they have a mind to do it. Data security in the workplace is a bit like a padlock - it keeps honest people honest and stops casual theft, and is absolutely worthless against a dedicated thief, and has to be taken to a great extreme to approach 100% effectiveness.

      Strangely, at the time I had a 512mb flash drive, (huge for the time) and he never said a word about it. Guessing he didn't realize what it was or how it could be used, or he would have badgered me about that also.

      Although I do see their point. They're paying you for your time, and if the pointy haired boss makes silly rules that reduce your efficiency and result in you accomplishing less work per day, they are paying you for that unproductive time so I suppose they are the ones being negatively impacted by their actions rather than you, so let them go for it. As long as they don't combine that with harping about your poor productivity, or pay you based on productivity.

      --
      I work for the Department of Redundancy Department.
    7. Re:A little epoxy will fix that right up. by jimicus · · Score: 3, Interesting

      Not that we had anything that critical or sensitive where I worked, but I always found it silly to bar someone from bringing in their laptop.

      There is logic in it, if you think about it from a "corporate IT putting out a blanket rule" perspective.

      That rule that applies to you also applies to Sharon, a blonde hairdresser by trade who's just taken a second job in the bank to supplement her income.

      Sharon has a laptop of her own, and wants to bring it on so she can get on the Internet in her lunch hour - after all, she's not allowed to use company computers for personal web surfing.

      Unlike yourself, Sharon's never heard of virus scanning (well, she has, but she was checked by her doctor when she started seeing her new boyfriend, so that's all right). She thinks spyware is the name of the next James Bond film.

      Now the bank has a number of business critical systems running Windows. Perhaps unsurprisingly, Auto Update is disabled. This is because, despite Microsoft's best efforts, such updates occasionally break things. Instead, updates are trialled on a test network and then, following a change control procedure, are applied. This procedure takes a while, so at any one time most of the critical Windows systems can be a good few weeks behind on patches. This rises when testing reveals problems, and it rises even further when the system in question was built and maintained by an outside company - their update, assuming they provide one in a reasonable timescale, is subject to the same test requirements and change control as a Microsoft update.

      Meanwhile, Sharon's PC, which is swimming in spyware, trojans and viruses, is merrily scanning the network for vulnerabilities.

      I don't think I need to spell out the rest...

  9. We already hear about it by TheAxeMaster · · Score: 5, Informative

    The company that I work for recently had a laptop stolen. It had personnel information for a large large number of employees (greater than ten thousand) and may or may not have been properly protected. I think that qualifies as pretty serious data loss, and it didn't need a flash drive to happen.

    Will it be more prevalent? Maybe. But it already happens. Now, the question is, is there a program that can encrypt/decrypt an entire (relatively) small drive with some sort of key system or something? I think that will be the most logical step to protect small drives like these.

    1. Re:We already hear about it by networkBoy · · Score: 4, Insightful

      That is data loss (the notebook), assuming no backup. The idea of removing a _copy_ of the data is not loss, it is theft. A bit of distinction but important. I will notice data loss, not likely to notice the theft though.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    2. Re:We already hear about it by anagama · · Score: 3, Insightful

      I see it not so much as "loss" or "theft". Both terms imply that the data no longer exists where it is supposed to be. Loss means it's gone completely, theft that it has been taken in a "move" like scenario rather than merely copied. It seems a more appropriate term for this type of situation would imply the existence of the data in its original location, and an unauthorized copy in an unknown location. This is much harder to detect because obviously, the original is still intact -- absence of the data is a big clue something is amiss. Maybe the best term is simply "unauthorized copy". In any case, the title misled me -- I was thinking about HD corruption of small areas leaving me unaware that some of my data may go missing.

      --
      What changed under Obama? Nothing Good
  10. Uh, you can turn off USB drive access in Windows.. by EvilMagnus · · Score: 5, Informative

    It's been present ever since Windows 2000 - if a company is worried about data loss via USB drives and the like, it's possible to disable access to USB drives using regular Windows security templates.

    What the article probably meant to say is that sloppy security practices, combined with increasing personal storage, increases the risk of unknown data loss.

    You can lock down a Windows box just fine against casual and accidental leaks if you know what you're doing, and you have a corporate policy to enforce. You can even prevent deliberate attempts at data theft, if you really want to be a hardass.

    --
    -EvilMagnus
  11. What about laptops? by Geekonomical · · Score: 2, Insightful

    Giving employees laptops is very normal now considering it helps them to work from home / while in travel.

    Can't they move huge amounts of data with these things?

    What else can you ban? Enforcing policy != banning stuff.

  12. Re:It's not the theft they're worried about by halcyon1234 · · Score: 5, Insightful
    To think that malicious employees waited until flash drives to steal data! Dear god, what about paper printouts, hard drives, e-mail, and (dare I say it?) floppy disks?!?

    It isn't the theft of data that TFA is really concerned about.

    The real threat comes from actual LOST data. With portable storage media getting bigger and bigger, more and more data can be put on it. Including massive amounts of spread sheets and even databases. (I worked for one company that insisted on keeping a sensitive database on USB keys, to be sneaker-netted around to whoever needed it).

    Top that off with more and more USB keys floating around the office. Sure, right now, not every employee has one. Or, at best, every employee has just one. But it is becoming more and more prevalent to have "unowned" keys. In other words, a company buys a crapload, and people just grab whichever key is available at the moment to use.

    Soon, people will treat USB keys like they treat floppy disks; there'll be a big pile of them, and employees will just grab one as they need it.

    Because of this casual attitude towards USB keys, it'll become near impossible to track all the data. Employee X copies Spread Sheet A onto a key, takes it home to work on it, brings it back, and tosses the key back in the pile. You now have an unaccounted for instance of that data. Each time an employee does that, you have more and more instances of data that are unaccounted for.

    There's no guarantee that the employee will blank out the key. There's no way of tracking which data is on which key. So an employee might check out a key that has data on it that isn't theirs. There might be hundreds of files on the key. Who knows. They don't. They won't care, either. They'll just copy their files over, work on them, copy them back.

    So, each key has tons of data on it. If someone were to ask the CFO "Show me all copies of Sensitive Spread Sheet 5", they couldn't.

    Now, one employee checks out a key. They treat it just as casually as they would a floppy disk. They lose it somewhere. (Falls out of their pocket, gets left on the bus, etc). Now, a floppy disk might have just a tiny amount of information on it. A few documents. A couple spreadsheets. A USB key could have an entire database! Someone picks it up, and suddenly has the bank information for all the company's employees...

    That's the big issue there. Not that employees will sneak data away on USB keys (though that is a concern, too), but that employees will be too casual with large amounts of data and quite literally LOSE it.

  13. Encryption by nolife · · Score: 3, Interesting

    Of course getting the users to actually use encryption is another story...

    TrueCrypt works pretty good for these situations and it comes with an open source license. The forums contain a lot of tips and tricks for using the application in odd ball situations.

    Not affiliated at all, just a satisfied user.

    --
    Bad boys rape our young girls but Violet gives willingly.
  14. not just USBs.. by dotpavan · · Score: 3, Informative

    I remember a similar article here discussing the usage of portable gadgets at workplace, like iPod, camera cell phones, etc and many stated that their workplace does not allow such gadgets in "certain" areas, and they had to actually check them out before entering the premises..

  15. Re:Obligatory Re:data has walked out the door befo by 1u3hr · · Score: 2, Interesting
    The first few posts on Slashdot are so mind numbing.

    Well, the whole topic is. "People can steal data with USB drives!" News? Ten years ago I was stealing data with floppies. Copied a whole mailing list. (Didn't use the parts I wasn't supposed to, it just simplified things to have the whole thing.) Most "secret" data is basically text, you can fit hundreds of pages onto a floppy.

    Anyway, it's impossible to prevent people bringing in floppies, let alone USB dongles. If it bothers you, just open the cases and disconnect any USB sockets. (Use AT keyboards and mice, still easy to get.)

  16. And in Soviet Russia by Anonymous Coward · · Score: 3, Funny

    And in Soviet Russia...
    When you go missing, will your data even know?

    1. Re:And in Soviet Russia by Darth_brooks · · Score: 2, Funny

      Ask any of the servers I manage. My data definitely knows when I go missing.

      They know when I leave, and they definitely know when I go on vacation. Or when I want to leave early......

      --
      There are some people that if they don't know, you can't tell 'em.
  17. auditing by BrynM · · Score: 4, Interesting

    Auditing of a filesystem is the best way to go here, IMHO. Drives are getting bigger, so capacity for log storage grows too. Currently you can set most filesystems that have granular security to audit file access, writing, creation and deletion. Perhaps there is some way to audit target actions ("copied to removable drive X", "opened by Microsoft Word") that will be developed eventually. Personally, I log access to important files as a matter of habit (mostly with NTFS). I've also found that the bigwig execs love it when you tell them you can see who tried to look in their directory.

    --
    US Democracy:The best person for the job (among These pre-selected choices...)
  18. Minox Baby!!! by RexRhino · · Score: 4, Funny

    No one is gonna stop us from taking pictures of our computer screens with little East German cameras! Old school style!

  19. Security through Stupidity by Detritus · · Score: 2, Insightful

    Let's ban the automobile, 9 out of 10 bank robbers use them to escape from the scene of the crime.

    --
    Mea navis aericumbens anguillis abundat
  20. Since 3/4 of you aren't going to RTFA... by mh101 · · Score: 3, Informative

    From reading the comments, it's obvious that most of the posters haven't RTFAed. But what's new - this is Slashdot after all...

    So to clue you all in:

    The article is not about people stealing sensitive data from their workplace using their USB drives. The article is about people losing data, because they've lost the USB drive they had it stored on.

    --
    Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
  21. The real issue leading to confused reporters by MikShapi · · Score: 3, Interesting

    Is the issue called trust. Specifically, towards people on the inside of your organization.

    It all boils down to "Do you trust your employees"?

    There are businesses that do, and there are those that don't.

    Those that do work on the assumption an employee will not do anything to harm the business intentionally - take a file he is exposed to during work and transfer it somewhere outside the organization.

    Hence, it will not take all measures required to prevent him from doing so.

    A business that does worry about such things will - What you carry will be checked at the door. Your PC will be locked (the case, physically locked). No Floppy, CD-R, USB, no means to connect media you bring from home. Internet access will be so restricted you wouldn't even be able to encapsulate an SSH tunnel over DNS packets you kindly ask your DNS server/proxy to send for you. And so forth.

    Pointing at a business where everyone has web access and a dell sitting on his desk with 2 USB ports looking at him and saying "Hey, this guy can copy a confidential word document on the USB key" is hardly news, doesn't bother anyone in the first type of organization, and usually a non-issue in the second (which would have taken excessive measures to prevent exactly this kind of thing).

    Nothing to see here, move along.

    --
    -
    1. Re:The real issue leading to confused reporters by gorim · · Score: 2, Insightful

      [Is the issue called trust. Specifically, towards people on the inside of your organization.
      [
      [It all boils down to "Do you trust your employees"?
      [
      [There are businesses that do, and there are those that don't.

      And then there are the smarter ones that recognize reality - that regardless of how much trust one gives, statistically speaking, someone will abuse that trust and walk off with data. The smarter businesses put appropriate mechanisms in place that both recognize and attempt to appropriately minimize the occurrence and resulting damage of these eventualities.

      I think it's called "trust without being stupid about it."

  22. Good idea. by deep44 · · Score: 2, Funny

    Hmm, interesting. I've always used my USB flash drive for sharing and copying music from major record labels; maybe I should pick up another one.

    keywords: P2P music napster free music

  23. Devices by gmuslera · · Score: 2, Insightful
    Ok, could be banned to bring an (very hard to see) USB drive... what about cell phones? banned too? PDAs? MP3/CD players? 10 years is a lot of time and even whatever will be used to carry what could be your "personal id" could potentially be used to copy sensitive data I bet.

    Also, the network is everything, there are not so much totally isolated computers with critical data, and most networks have some or several points of touch with internet, encrypted traffic and then hard to trace what is happening with the information.

  24. Data loss (no backup) or data theft (stolen disk)? by paultwang · · Score: 3, Informative

    For the first problem (Data loss due to lost or corrupted disks), which seems to occupy the majority of the article, the solution is easy. Back up your data from your portable storage as soon as you can easily access the mainframe. How long does a differential/incremental backup take? 10 seconds? 2 minutes? A piece of data existing in the portable disk, the mainframe, and the backup tapes, is much harder to be lost.

    For the second problem (Data theft due to lost disks), encryption works well. To discourage data theft due to lost disks, a simple, easy-to-use on-the-fly encryption on the portable storage device can help tremendously. The solution has to be simple because if it is a few mouse clicks too many, employees will try to circumvent the hassle.

  25. Too late! by burne · · Score: 2, Insightful

    The Dutch 'Secret' Service (AIVD) recently lost a memorystick containing 'secret' documents:

    in Dutch: http://www.webwereld.nl/articles/39418
    from an Italian newspaper: ( http://www.intesatrade.it/IntesaTrade/News/DettaglioNotizieOggi/1,3243,2@1332658,00.html )

    The report comes a day after the Defense Ministry said it had lost a computer memory stick containing confidential Military Intelligence Agency data. In December, a Dutch district court sentenced a former AIVD translator to four and a half years imprisonment for passing on state secrets to alleged terrorists. Last year, a secret service employee left several CD-ROMs of confidential intelligence in the trunk of a rental car.
  26. Company Data: theft , copy or backup? by VincenzoRomano · · Score: 2, Insightful

    Nowadays it is almost impossible to avoid people from copying company data, also because it is becoming a spread practice to bring some work at home.
    Not to mention the vast usage of laptops, especially among ICT workers.
    Removable media with high capacity is only the "latest" technology to do this.
    In the past we have used printers, floppy disks, email and web disks in order to bring data and documents home (or wherever else).
    You can lock floppy drives, USB ports, bluetooth features and so on. You can filter web accesses and other publishing media and protocols.
    But what about email and printers?
    Are you really planning to make work harder and slower?
    And I'm pretty sure that in some cases, especially in small companies, the private copy saved the day in more than one case!

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]
  27. Ban cell phones, too? That would be cool. by Green Salad · · Score: 2, Funny

    Am I the only one here who thinks it might be kind of cool to work in a paranoid place that requires you to check cell phones at the door? Now if only they could eliminate my pesky desk phone and email (um, in the name of security leaks, of course) I might actually have time to be productive!

    Would anybody believe me if I made the case that status meetings and rambling, pointless telecons with 3rd parties are risky security leaks too?

  28. Douglas Adams talked about this by andrewagill · · Score: 3, Funny

    The higher level supervising program went to consult one of its own look-up tables to find out what the low level supervising program was meant to be supervising.
    It couldn't find the look-up table.
    Odd.
    It looked again. All it got was an error message. It tried to look up the error message in its error message look-up table and couldn't find that either. It allowed a couple of nanoseconds to go by while it went through all this again. Then it woke up its sector function supervisor.
    The sector function supervisor hit immediate problems. It called its supervising agent which hit problems too. Within a few millionths of a second virtual circuits that had lain dormant, some for years, some for centuries, were flaring into life throughout the ship. Something, somewhere, had gone terribly wrong, but none of the supervising programs could tell what it was. At every level, vital instructions were missing, and the instructions about what to do in the event of discovering that vital instructions were missing, were also missing.

  29. Re:U.S. Military Rules. by Hunter-Killer · · Score: 2, Informative

    While I can't claim to be an InfoSec expert, I do work in the military (Army). I hope you're not inferring that flash drives are taboo because they might get lost. If this is true then CDs, floppy disks, and even paper printouts should be banned as well. This is not the case.

    For MSE at least, we maintain the concept of least privilege. Simply put, everything has a classification level, from unclassified/FOUO, confidential, secret, top secret, and up. You do not mix and match equipment with varying security levels. If a laptop is rated unclassified, it will not go on the SIPRNET (secure network). In addition, a device carrying sensitive information is classified at the highest level of the information (i.e., a CD-R burnt with a Secret and Unclassified documents is now rated Secret, and will be handled as such.)This is how we protect data: determine the security rating, ensure that the boundary safeguards are respected, and treat all data in accordance with preexisting regulations.

    From my experience, flash drives are the most viable portable media aside from paper. When my unit deployed to Iraq in 2003, we discovered that: 1) floppy disks were rendered unreadable by heat/dust within two months, and 2) CDROM drives usually died after 6-9 months of exposure. The second time we deployed, key leaders (and friends of the supply sergeant :)) were issued flash drives. We had a few go bad, but the majority were damaged by abuse (donning body armor was the main culprit). Storage is cheap, and we had a secure network to transfer files (sneakernet discouraged). Our biggest problem was the people interpreting the data. :)

  30. Re:It's not the theft they're worried about by meringuoid · · Score: 5, Funny
    Always make a backup. I think it's in the Bible too

    Yep. It's in Genesis. Something about a bloody great boat.

    What worries me is how far the lesson has been taken. What happens if Him Upstairs has full backups? What if he decides he doesn't like the direction things are going and rolls back to an earlier saved state? How would we ever know if he did?

    --
    Real Daleks don't climb stairs - they level the building.
  31. Columnists Rehashing Old Scaremongering by billstewart · · Score: 4, Insightful
    Ok, Jack Gold's put a slightly more useful spin on it by talking about accidentally lost data as opposed to deliberately stolen data, but it's still the same old hash with scaremongering about USBs.
    • Briefcases get lost all the time, and briefcases have been large enough to contain sensitive information for decades now. Keychains also get lost on occasion, and especially for small businesses that's often enough to get in the building at night or steal a company truck.
    • Yellow Sticky Notes with your IP address and VPN password fit in your pocket just fine, and DSL means that people can suck up your data even faster than when we used to use Yellow Sticky Notes to carry modem phone numbers and dialup passwords.
    • Documents that are actually important are usually 1-100 pages long. You can store them on mashed-up dead trees if you avoid spilling coffee on them. Them newfangled USB thingies hold a lot of data, but back when we carried 3.5" floppy disks 20 miles through the snow uphill both ways, Microsoft Office wasn't as bloated, so a zipfile of The Secret Plans still usually fit in your pocket. That's not the same as carrying out the whole blueprints for your next chip in your pocket, but mini-CDs do pretty well - they're certainly enough to carry the HR personnel database home.
    • DVDs and CDROMs fit pretty neatly into briefcases, and most newer PCs have at least a CD burner, so you can still carry the chip blueprints home.
    • Laptops are easy to carry, and go missing all the time. The San Francisco Police aren't very good at recovering them even when they've got them in their evidence room and the thief in custody; your mileage may vary :-) And unlike keyrings and regular briefcases, laptops have obvious resale value so they're more attractive to thieves.
    • RM-05 removable disk packs are a bit big to fit in your briefcase, but magtapes fit just fine, and before magtapes we had ASR-33 paper-tape, which works just fine for carrying the Numerical Control tape that tells the milling machine how to cut your submarine-propeller plans.
    • Mainframes with Greenscreen 3270s are much less portable, but back when I worked for The Big Phone Company they were worried about people carrying computer printouts home, and they checked our briefcases on the way out the door of buildings that handled sensitive information.
    But yes, within the next couple of years, somebody's going to have a USB keyring/wristwatch/Walkperson/iPod/Pseudopod/something get lost or stolen with sensitive information on it, and the press probably will fly off the handle telling us they told us so, and that we need to take precautions we've never taken before with laptops or CDROMs or whatever, and that's probably going to include silly bureaucrat tricks instead of getting major operating systems to have convenient encrypted file system support (and remember, "major operating systems" includes the OS's for portable music players and not just the computers they plug into).
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  32. Re:data has walked out the door before. DRM it!!! by Whiteox · · Score: 2, Interesting

    There will always be that kind of insecurity with any kind of device, whether it's a disk or a USB drive etc etc.
    But why not DRM all data?
    If you think clearly about it, DRMing all data will prevent (as much as possible) the use of the data, but not the theft or loss of it.

    Simple really.............. :)

    --
    Don't be apathetic. Procrastinate!
  33. To executives, concerned about this: guess what? by Alex+Belits · · Score: 4, Interesting

    For a company to function, many employees of the company have to have access to the company's data. All of them, if they are inclined to do so, can copy it. Heck, many of them can sabotage it, and destroy the company.

    Guess what the company can do about it? It can stop treating the employees as shit. Especially stop pretending that the company is some amorphous entity that makes its owners/shareholders entitled to profit, and can impose idiotic demands and shitty conditions and pitiful pay on everyone else in it. Employees do their work, this is why they have access to the company's things. Nothing, ever, happened in a company without some employees making it happen, so if any of you wonder why people can destroy your precious company, keep it in mind -- THIS IS BECAUSE THOSE PEOPLE ARE THE COMPANY.

    There is nothing wrong with avoiding overbroad access where it isn't necessary for things to work, however there is no way to make any company "secure" from the very people whose only responsibility is to keep things running. Don't piss them off, and remember that you didn't become Presidents, CEOs and VPs by understanding how to operate anything that makes your company what it is. Every time you eat your lunch, think how many people you have abused today, and what will happen if any of them will press a few buttons.

    --
    Contrary to the popular belief, there indeed is no God.
  34. Re:It's not the theft they're worried about by killjoe · · Score: 2, Insightful

    "That's the big issue there. Not that employees will sneak data away on USB keys (though that is a concern, too), but that employees will be too casual with large amounts of data and quite literally LOSE it."

    I don't see what the big deal is. Huge companies have had really really really important data stolen with no real effect or punishment. I mean things like social security numbers, credit cards, personal information, credit records etc. Do people even remember what happened with ChoicePoint? Does anybody even know who ChoicePoint is or what they do?

    This is just bullshit. Nobody really cares all that much. There are no consequences to the corporation at all for losing data. Worst comes to worst somebody gets fired. Big whoop.

    --
    evil is as evil does
  35. Re:The 3-second 5-cent - PERFECT! by ScrewTivo · · Score: 2, Insightful

    Trying to "outlaw" and "enforce" usb devices is an option only for the dim-witted. I will probably use your suggestion.

    I have heard all this before and business keeps on ticking....
    1980's style - no floppy drives in computers
    1970's - photo copiers lead to loss of sensitive data
    1960's - Beware of employees with Kodak cameras
    1950's - Don't throw carbon paper into trash cans
    That's as far back as I go...:)

  36. A little epoxy will fix that right up forever by digitaldc · · Score: 2, Insightful

    Wouldn't it just be easier to disable the USB via the BIOS or open up the case and disable or remove the USB?
    Seems like physically ruining a device with Epoxy is a lazy way to disable something.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  37. Re:It's not the theft they're worried about by advocate_one · · Score: 2, Funny
    What happens if Him Upstairs has full backups? What if he decides he doesn't like the direction things are going and rolls back to an earlier saved state? How would we ever know if he did?

    Deja vu...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  38. He's mixing two different things by Ernesto+Alvarez · · Score: 2, Insightful

    There are two different things mentioned in the article that I think make the article less than what it should have been.

    The first one is data being compromised. There's a clear example when the author found a USB drive in an airport. (He could read it without problems). The second one is data loss, also mentioned. The author mixes both concepts when he compares the loss of a USB drive (assuming it's not backed up) with the loss of records by a big company (that would probably be compromise).

    Even though they look like the same problem (if I put all my important data in a standard USB drive, if I lose it the data gets lost and compromised at the same time), they're not. These risks are mitigated with different methods. When you start taking steps against either data loss or compromise, it is shown that the author's definition of "data loss" is not that clear.

    Imagine I had all my important data on a USB drive, encrypted (but without backups). If I lost said drive, I would be left without some important data, but it would have not been compromised.

    The opposite would have happened if I had backups, but no encryption.

    If both encryption and backups were available, it would be (under most circumstances) a non-issue (except for the loss of a USD 20 drive).

    All of that assuming the drive owner is honest, and not using it to smuggle data out of a secured area.

    The author seems to treat data as a physical object, which it is not.

  39. So, disable the USB port by Zerbey · · Score: 3, Interesting

    We had a client at one of my previous jobs who explicitly banned USB jump drives from the workstations they would be using. So, after a few seconds of head scratching on how to do this I:

    * Disconnected the USB ports and,
    * Disabled them in the OS and,
    * Removed the USB flash device .inf file that Windows provides and,
    * Padlocked the case shut.

    It takes a few moments per machine and should be part of the standard build for any business that cares about their data.

    1. Re:So, disable the USB port by adolf · · Score: 2, Insightful

      Er. Uh.

      How are you to use your USB printer?

      Or:

      Your USB keyboard and mouse?

      PS/2 and parallel ports seem to be disappearing in a hurry. Your supposed fix for the USB key problem is, well, somewhat flawed if it makes the whole rest of the workstation unusable at the same time...
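
The OS-level step in the list above, and the objection about USB keyboards and printers, both come down to disabling only the mass-storage driver. This is an added example, not code from either poster: it assumes a Windows workstation, the function names are illustrative, and it reads the `USBSTOR` service `Start` value and the Removable Storage "Deny all access" policy value.

```powershell
# Added example (not from the thread): audit or disable USB mass storage only.
# Keyboards, mice and printers use other drivers, so they keep working.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-UsbStorageState {
    # USBSTOR Start: 3 = load on demand (storage usable), 4 = disabled.
    $start = $null
    if (Test-Path $UsbStorKey) {
        $start = (Get-ItemProperty -Path $UsbStorKey -ErrorAction SilentlyContinue).Start
    }
    # Deny_All = 1 is the "All Removable Storage classes: Deny all access" policy.
    $denyAll = $null
    if (Test-Path $PolicyKey) {
        $denyAll = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).Deny_All
    }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        UsbStorStart   = $start
        DriverDisabled = ($start -eq 4)
        PolicyDenyAll  = ($denyAll -eq 1)
        StorageBlocked = ($start -eq 4) -or ($denyAll -eq 1)
    }
}

function Disable-UsbStorage {
    # Hypothetical helper name; supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $UsbStorKey)) {
        Write-Warning 'USBSTOR service key not found; nothing changed.'
        return
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Set USBSTOR Start to 4 (disabled)')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
    Get-UsbStorageState
}

# Report only; nothing changes unless Disable-UsbStorage is run from an elevated shell.
Get-UsbStorageState | Format-List
```

Running `Get-UsbStorageState` across a fleet on a schedule shows which machines have drifted from the standard build.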

  40. Encryption by raptorjb007 · · Score: 2, Informative

    There are always encryption programs that can be used if implemented properly. Truecrypt (http://www.truecrypt.org/), axcrypt, bitht from SourceForge. Plus I am quite sure there are a few commercial alternatives that offer support as well. Point is, it's not USB drives that are the problem, it's the lack of a proper usage policy to control how they are used. Requiring all USB drives to be fully encrypted and/or having all data they contain backed up elsewhere would be a good start. It's all about policy and educating your employees on your company's acceptable use policy for such devices.

  41. Thin Clients by HighOrbit · · Score: 2, Insightful

    If a business division is working with especially sensitive data, perhaps they should not be working on PC's at all. That might be a job for a thin-client/dumb terminal with no drives or ports (other than ethernet, video, and ps-2 keyboard/mouse).

    Sun has been pushing thin clients for years and some of their major selling points have been security both from the data sensitive aspect and security from the user-can't-break-it aspect.

  42. Re:NSA policy by HardCase · · Score: 2, Informative

    I worked on a data analysis project in the Navy. The computer system was a couple of VAX minicomputers in a cluster with terminals throughout the building. There were six Sun Sparcstations (yeah, it was a few years back) with no floppy drives. The building was divided into two sections - low security and high security. If you brought a briefcase, backpack, anything like that, it stayed in the low security area. All that you brought into the high security area was yourself. Anything else that you needed, the Navy got for you. And if it wasn't a consumable, it was tracked. The only way that anything left that secure area was in a burn bag or packaged and tracked.

    We only had a staff of about 20, so it was relatively easy to manage.

    Oh, and the building was an old torpedo training facility. Solid concrete walls, but the roof was designed so that if there was an explosion, it would all go straight up. So it wasn't exactly safe to walk on - there was always the danger of falling through. Right into the secure area. Go figure.

    -h-

  43. Re:It's not the theft they're worried about by zen611 · · Score: 2, Funny

    Earth
    From Wikipedia, the free encyclopedia.
    Revision history
    Jump to: navigation, search
    (Latest | Earliest) View (previous 50) (next 50) (20 | 50 | 100 | 250 | 500).
    Legend: (cur) = difference with current version, (last) = difference with preceding version, m = minor edit
    * (cur) (last) 15:54, 24 January 2006 god01 (reverted vandalism from satan666)
    * (cur) (last) 15:53, 24 January 2006 satan666 (c'mon let's be mature)
    * (cur) (last) 09:36, 24 January 2006 god01 (rv edit by satan666)
    * (cur) (last) 09:33, 24 January 2006 satan666 (pestilence)
    * (cur) (last) 01:03, 24 January 2006 god01 m (Reverted edits by satan666 (talk) to last version by god01)
    * (cur) (last) 01:03, 24 January 2006 satan666 (famine)