Slashdot Mirror
When Data Goes Missing Will You Even Know?
Lam1969 writes "Jack Gold says IT shops may have a huge problem on their hands, and probably don't know even know about it. The problem is USB flash drives, which he predicts will probably reach 10 GB in capacity in three years, and the lack of policies to guide use of them by employees. From the article: 'With more and more employees using flash drives, smart phones with Secure Digital memory cards, portable hard drives, etc., the likelihood of companies actually knowing about all instances of data loss is declining rapidly. And as a result, the possibility of companies breaking laws, whether for data-loss disclosure or regulatory compliance, is growing dramatically.' Gold predicts 'at least one publicized major case of unencrypted data loss from a portable device' in the next year, which will result in many companies banning these kinds of devices."
The log files don't lie!
Of course if you can't find them, then it doesn't matter, does it? Does WinXX create a log file of USB insertion - damned if I know!
Been there, done that, paid for the T-shirt
and didn't get it
The company that I work for recently had a laptop stolen. It had personnel information for a large large number of employees (greater than ten thousand) and may or may not have been properly protected. I think that qualifies as pretty serious data loss, and it didn't need a flash drive to happen.
Will it be more prevalent? Maybe. But it already happens. Now, the question is, is there a program that can encrypt/decrypt an entire (relatively) small drive with some sort of key system or something? I think that will be the most logical step to protect small drives like these.
It's been present ever since Windows 2000 - if a company is worried about data loss via USB drives and the like, it's possible to disable access to USB drives using regular Windows security templates.
What the article probably meant to say is that sloppy security practices, combined with increasing personal storage, increases the risk of unknown data loss.
You can lock down a Windows box just fine against casual and accidental leaks if you know what you're doing, and you have a corporate policy to enforce. You can even prevent deliberate attempts at data theft, if you really want to be a hardass.
-EvilMagnus
It isn't the theft of data that TFA is really concerend about.
The real threat comes from actual LOST data. With portable storage media getting bigger and bigger, more and more data can be put on it. Including massive amounts of spread sheets and even databases. (I worked for one company that insisted on keeping a sensitive database on USB keys, to be sneaker-netted around to whoever needed it).
Top that off with more and more USB keys floating around the office. Sure, right now, not every employee has one. Or, at best, every employee has just one. But it is becoming more and more prevellant to have "unowned" keys. In other words, a company buys a crapload, and people just grab whichever key is available at the moment to use.
Soon, people will treat USB keys like they treat floppy disks; there'll be a big pile of them, and employees will just grab one as they need it.
Because of this causal attitude towards USB keys, it'll become near impossible to track all the data. Employee X copies Spread Sheet A onto a key, takes it home to work on it, brings it back, and tosses the key back in the pile. You now have an unaccounted for instance of that data. Each time an employee does that, you have more and more instances of data that are unaccounted for.
There's no guarentee that the employee will blank out the key. There's no way of tracking which data is on which key. So an employee might check out a key that has data on it that isn't theirs. There might be hundred of files on the key. Who knows. They don't. They won't care, either. They'll just copy thier files over, work on them, copy them back.
So, each key has tons of data on it. If someone were to ask the CFO "Show me all copies of Sensitive Spread Sheet 5", they couldn't.
Now, one employee checks out a key. They treat it just as casually as they would a floppy disk. They lose it somewhere. (Falls out of their pocket, gets left on the bus, etc). Now, a floppy disk might have just a tiny amount of information on it. A few documents. A couple spreadsheets. A USB key could have an entire database! Someone picks it up, and suddenly has the bank information for all the company's employees...
That's the big issue there. Not that employees will sneak data away on USB keys (though that is a concern, too), but that employees will be too casual with large amounts of data and quite literally LOSE it.
UTF-8: There and Back Again
Funny,
As a dev (and with tons of confidential and privlidged info on my computer) I am specifically instructed to take my notebook home every night. It is considered part of our business continuity plan. Not only that but this is a large multinational corp, not a mom and pop shop. That said, the drive is encrypted, and security policies are in place for communication back to the office when I'm away (2048 bit RSA VPN).
What it boils down to is this:
My employer knows that if I want to steal data I can do it. Even if it comes down to hand transcription of one memorized line of code per day. So they trust me and provide me a hardened notebook to do my work on. Even if it is lost the data will not be compromized till it's likely to be useless anyway.
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Yep. It's in Genesis. Something about a bloody great boat.
What worries me is how far the lesson has been taken. What happens if Him Upstairs has full backups? What if he decides he doesn't like the direction things are going and rolls back to an earlier saved state? How would we ever know if he did?
Real Daleks don't climb stairs - they level the building.