Slashdot Mirror
Nine Ways to Stop Industrial Espionage
An anonymous reader writes "IT staff are in the unique position that if they are nosy, immoral, greedy or corrupt that can get at what they want within their company at the touch of a button. The corporate crown jewels are usually left open and exposed to the IT guys. So how do you protect your corporate crown jewels from staff that can so easily be bribed to steal them and hand them over to a competitor?" I can't imagine having to be paranoid about employees. That seems to me to be a bigger problem than hardware.
I suggest a steady supply of red Swingline staplers.
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
just don't invent anything and you will have no spies
I suggest a finely crafted nam-shub that will turn them all into jargon-spewing corporate zombies*. That should take care of any free will problems they might have. *Aircraft carrier may be required. Some restrictions apply. Well, I gotta get back to work...ne mi ba se fa no li sa ba fu
I ain't evil, I'm just good looking.
Backed up data is especially vulnerable. In many environments, while lot of work is done on network security, secure management of backup data is not given due concern. Since backup data has sometimes all of the important information at a single place, it is a juicy target for espionage. Data should be encrypted while moving to a backup sever (especially while using a online backup service over the internet) and definitely encrypted while it is stored on the backup media (tape, CDs etc.).
Amanda: Open Source Backup Software
A company is worthles without it's employees. Select good people, pay them well and treat them fairly. Next question... How do you remove paranoid executives from positions of power and stop them from inflating operating costs through needless and morale busting authoritarian technology.
"Don't you know you're going to shock the monkey?"- Peter Gabriel
Clicky clicky page impressions clicky clicky. Or just read it here:
---
Nine Ways to Stop Industrial Espionage
by Calum Macleod - European Director of Cyber-Ark - Wednesday, 2 August 2006.
If we're honest every one of us imagine what we'd do with a few million in the bank. The yacht in Cannes, the private jet in Nice, possibly our own football team, and maybe a few other high maintenance accessories top our list of must-haves. But of course the question is how to get there. Working till I'm too old to enjoy it is one option but of course there is an alternative; the lottery, online poker, a rich widow, stocks and shares - increasingly risky these days - or why not simply help myself to something very valuable.
After all if I'm working in IT I probably have access to the corporate crown jewels. And that could be anything; source code for the next money spinning application that will be released, credit card details for thousands of customers. Recently a Coca-Cola employee and two accomplices were arrested in Atlanta for allegedly stealing confidential information from the Coca-Cola and trying to sell it to PepsiCo.
In fact it's actually quite easy because if I'm working in IT I have access to systems with all kinds of privileged information. Here is my employer thinking that his M&A data is safe and I'm allowed to a free access to the servers storing the data. I can help myself to whatever I want and no one will ever know. And of course it's much easier now than it was when I first started this job. Then I somehow had to get out of the building with everything under my arm, but now I have dozens of ways to get it out. Just make my choice - mobile, USB stick, email attachments, VPN access from home and no one will ever know! And of course it may not even be my employer, just some company that we provide outsourcing services for - it's never been easier!
The problem often lies in the fact that we are constantly tempted because the corporate jewels are literally just lying around where anyone can find them. The problem for today's enterprise is that the transfer of information is increasingly time-critical and the traditional approaches such as FTP and secure email are awkward to manage, and often lack the security mechanisms that sensitive data demands, thus making the risk of leakage very possible. And where it becomes really challenging is when you need to share information with business partners. So here are a few suggestions
>Do not expose your internal network
The process of transferring files in and out of the enterprise must be carried out without exposing and risking the internal network. No type of direct or indirect communication should be allowed between the partner and the enterprise.
Make sure that intermediate storage is secure
While information is waiting to be retrieved by the enterprise or sent to the business partner, it must reside in a secure location. This is especially critical when the intermediary storage is located on an insecure network, such as the enterprise's DMZ, outsourced site, or even the internet.
But encryption and other security mechanisms are not helpful if the security layers where the data is being stored can be circumvented, for example by a systems administrator. Encryption is good for confidentiality, but does not protect data from intentional deletion or accidental modifications. It is important to have a single data access channel to the storage location and ensuring that only a strict protocol, that prohibits code from entering, is available for remote users. In September 2004, an unauthorized party placed a script on the CardSystems system that caused records to be extracted, zipped into a file, and exported to an FTP site. The result was the exposure of millions of credit card details and the eventual demise of CardSystems.
Ensure that Data at Rest is protected
The cornerstone of protecting storage while at rest is encryption. Encryption ensures that the data is not readable and
It also says to completely seperate the outside and inside network, which means that employees have no email, no google, no internet access at all.
It mentions nothing about compartmentalized access rights to various databases, with a different division of admins having responsability and access to only their systems.
In fact, all it does talk about is transmission interception (which is much less common than those problems mentioned above), and data security.
"that can so easily be bribed to steal them and hand them over to a competitor"
Here is an idea. Pay them enough that this isn't a real temptation. Risking it all on a fast score isn't worth it, if you will be risking much.
I will not mourn that which I never had to lose. - Unknown
Seems I'm not the only one to recently re-read Snow Crash :-)
I believe posters are recognized by their sig. So I made one.
The damage to their corporate IT infrastructure was minimal and easily repaired, I got my family jewels back, and since they fired me they can't collect the $5000+ for classroom training - and all for proving to them that I was grossly incompetent (but not so incompetent as to start an investigation into corporate sabotage).
My god, I'm scum!
The author obviously is not an expert in his field. I was having my doubts when we was suggesting that administrators ought not to be able to delete content in intermediate storage. Then cam the the final blow: He suggested using AES for data signing. AES is symmetric and not suitable for that task.
LedgerSMB: Open source Accounting/ERP
Please move along. This article is lame and devoid of content. All of those measures are well and good but does not take into consideration one thing: human stupidity. The weakest link in the chain.
Case in point: Why on God's blue earth does the VA authorized somebody to copy a database into a laptop? This happened also to other firms and companies. If I were to easily get a file from someone's PC it would be quite easy. Boot the PC with a Linux distro, mount the drive, connect a USB drive and go. No one would ever know I was there. Most users are plain stupid and don't even think about encryption or obfuscation.
Remember, in the end it all comes down to a single person doing something really stupid.
the future is but past forgotten
When I was waiting for my TS clearance while working at the Pentagon (I had an interim clearance), I had to have an air force officer shadowing me the entire time, including, at points, typing for me as I dictated. The officer in question was not an IT person and had no idea what I was doing (or was supposed to do) with the UNIX systems under my care.
/; rm -rf *" at any point, or done many more subtle things, especially since I had to create accounts and such for Oracle or other applications.
I could have typed, or told him to type "cd
In the end, the only way you can police your IT people is to have IT people you can trust, which means that the managers have to know enough IT to know what is going on and what it means without micromanaging. Very few managers have that ability. Very few IT people have the management ability to cross-train into a high-level manager. I, myself, had to bring in someone else to help with the business/finance side when running my own company. I knew what I was doing but was simply not as good at the business side as the IT work and sales.
They missed one biiiiig issue there... In the US, Europe, Japan and Australia, there are good laws that they can use to come after you... If you move work to India, China or similar, its virtually impossible to get anything from that individual - hence the person has much less worry about doing something illigal...
Peter.
Don't forget that unlimited knowledge also endangers the IT workers. It doesn't matter if you're a former boy scout if some bad guys want the information badly enough to threaten your family... and don't think that there aren't such people out there.
Security people know this. They know the only real solution is being very transparent about the fact that the IT person can't help them no matter how much pressure is applied.
It's easier for us to think about the corrupt employee since, gosh, we would never hire him. Nobody is safe from somebody willing to use violence to get what they want, and that's a scary thought.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Simple, I use Linux and set up a number of Linux servers
With any other topic, this would just have been sad,
Genius doesn't work on an assembly line basis. You can't simply say, "Today I will be brilliant."
I've never had a boss worried about IT staff. On the other hand, I've been told many times to keep confidential documents out of the hands of Sales. It is assumed that they will immediately go to a higher bidder.
Intron: the portion of DNA which expresses nothing useful.
That is what we do in my shop. Usually there are still some people who can reek havoc on things...esp. people who know what they are doing.
From my personal experience, unless properly implemented...which it usually isn't, seperation of duties is just a joke for security and makes legitimate work take 2x as long.
Ok, we've ruled them out, now we have our pick of the stupid people and the evil people.
In the last company I was with the bigger problem were the masses of employees that had their passwords taped to their monitor. Or the overly helpful ones that would open and hold the secured doors just because they saw someone holding a box. Want free access to the processing room and card cutter, just tell them your deliving flowers. Most IT staff's are at least competent enough to guard against the obvious. With social engineering so easy to do, why would someone bother with trying to sway those who generally know better? If your IT people are that untrustworthy you probably either need to screen better employees or take a look at what you might be doing to make them willing to sell you out for a song.
It is just that plain simple. Most any hardware/software protections will have weaknesses in them that can be bypassed. Eventually someone will need to have access to the data that it is "protecting" and that person will still be at risk of the same issues you are asking to protect against. The administrators will absolutely need to know how to use the hardware/software inside and out if you expect them to be able to do their job and keep the system working properly. There is almost always a way to get to the data, trust me on this. The best way you can keep this from happening is to treat your employees with respect, pay them fairly, and keep the work environment in proper order. If your employees are happy to work for you, they are much less likely to engage in an activity that will hurt their company.
If however you do go to a hardware/software solution, well, all you have done is add complication to your environment; added extra places where your critical data can be forced offline and unaccessible; added new unknown equipment/software that your staff will need to be trained how to use and maintaine. All this will do is drive home the fact that the company does not trust its employees and makes those employees feel unappreciated and untrusted. This will simply cause the moral to drop in the affected departments making it more likely that someone may consider doing the exact thing you are trying to prevent.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
What are we going to do once the IT guys get those invisibility devices? There will be no stopping them!
The only thing I hate more than hypocrites are people who hate hypocrites.
putting as little information as possible on each web page and force them to click "next" and wait for countless adds to load before they can see the next dribble of info.
People try to make everything a technical problem, which is really the wrong approach. This ain't something you're gonna fix with fancy access control and slick hardware. No matter what you do (separation of duties, cryptography, trusted operating systems), all you'll succeed in doing is making life more annoying for your regular users, and demonstrate a huge lack of trust of your employees.
If you really want a solution, it's got to be as much policy as it is technology. I'd start with, oh, making your employees sign an NDA, and making sure they're aware of what is a company secret (most companies like Apple, Sun, IBM, etc, have classifications just like the government, e.g. "Apple Secret", "Sun Top Secret"). Make sure they know what those secrets mean, e.g. "Our documents labelled Top Secret will probably cause us to lose our dominant position in the market if leaked." Then, you implement auditing on your data storage. If your IT guys start reading company business strategy memos off the file server, you probably won't catch them when it happens. But if it becomes obvious that those memos were leaked, you can go back through the audit logs and see if anyone read them that shouldn't have, and act appropriately (though don't just assume that that person leaked the info).
Bear in mind that the technical part of this 'solution' will probably fail. What you're trying to do is paradoxical. You're saying, "I ultimately trust these guys with the security of all of my information, but I don't completely trust them with the security of all of my information."
The Right Reverend K. Reid Wightman,
background checks and references will solve nearly all bad egg problems. the IT people I've worked with through the years take the security and safety of data as a matter of personal pride. No one is going to pwn3d our machines or data, dammit! The problem we've had in corporate america is dishonesty in executive level, that's cost us tens of billions. IT people just mainly need to not get lazy about security practices and updates, and not let employees do that either, that's the biggest issue with corporate data today.
After skimming the article I get their point that, basically, you shouldn't trust your IT staff. So my question is then who do you get to implement the suggested nine ways? If you say "the IT staff" then WTF is the point? If not the IT staff then who? The board? Hah! The secretaries? Hah!
I guess that leaves a 3rd party solution (read: consultants) and if your company trusts outsiders more than your own employees then there are bigger problems to solve.
And I have just the process for you to solve those bigger problems! Just buy my book or pay my consulting fees and I will personally guide you through the process.
:wq
worried about employees considering:
i me.asp
"Approximately 70 percent of computer hacks come from within a company"
- http://www.cbrweb.com/articles/fightinginternalcr
(Of course the numbers vary based on the source, but I recall other sources being higher than that)
Confucius say: "Man who associates with smarter men than himself is smarter than the men he associates with."
nothing that couldn't be fixed with a little Reason :)
m )
http://en.wikipedia.org/wiki/Reason_(weapon_syste
Lawyers, MBA's, RIAA? A jedi fears not these things!
I am someone who is currently interning for a large fortune 500 tech company who is about to do some drastic changes to the way we do our business (today, actually). There's some serious lay offs going down here, garunteed. The business and marketing folks are as good as out the door. Us tech guys? Pfft, nothing to worry about. The fact is the reason your tech guys have you by the proverbial balls is because you're not educated enough to do their job. Heh, but the fact is, most anyone who has powerpoint and mediocre social skills can do your job. They reach their glass ceiling long before you do, however. They picked a trade with high security and low possibility of advancement. You picked a field with low security but high possibility of advancement. You can't have both unless you run your own business. Sorry.
If you're paranoid about your employees, then they are unhappy with you. The nature of most people is to be faithful to good leaders. Sure, there are exceptions to this rule, but I think it's pretty clear to me, that you do not have the faith of those you manage. Either that or you do not have faith in those you manage. The two generally play hand in hand. I'm with CmdrTaco on this one... I can't imagine having to be paranoid about those on your payroll. Remember, you have the power, and tech guys are becoming more and more common each day. Make them happy with you and then you'll have little to worry about. Make them happy with your company and then you'll have little to worry about.
And the #1 reason most SA's and programmers get frustrated with managers? The internal policy inhibits innovation instead of improving it. I had a manager whose personal policy was "to hell with policy" and I gotta say, he was the best boss I ever had. I know, for myself, if I want to do the best job I can. If policy interferes with that, then I feel as though I'm doing a bad job against my will. If this continues, yes, I'll hate my job, and I'll feel like it's the company's/manager's fault.
I rambled a little, but hopefully you can garner some advice from that.
Finder of the any key.
Seems pretty simple to me. Pay your employees well and be a good employer.... It will be much more difficult to find an employee if you inspire loyality. At the very least the employee will not want to loose a good thing and not risk it. Pay your employees squat, and treat them like garbage, well you get what you deserve. Fin.
People are generally trusted implicitly because there isn't any gain to doing something wrong in the workplace. While it's not hard to think up reasons to commit a cybercrime, most people don't really gain anything by it, so why bother doing it? And if you are going to gain something by it, you're likely going to be on the list of suspects.
I equate it to seeing all those big plate glass windows in store fronts, and yet there's nary a brick through any one of them. Only time there is, is when someone wants something inside and can't get it another way -- and then they're easily caught.
IT staff are in the unique position that if they are nosy, immoral, greedy or corrupt that can get at what they want within their company at the touch of a button.
If you're a cop, just flash your badge.
It doesn't hurt if your gun is visible.
About the only way to keep the info out of the eyes of the sysadmins is to use heavy encryption on every file you want to store safely.
And then, make absolutely sure you never forget the pass phrases, or whatever method you use to secure your side of the key.
All the backups in the world won't protect you from forgetting that vital phrase.
Oh, and it has to be non-obvious.
That being said, a good keylogger will most likely sniff that out, so if someone in IT is really after the goods, and is willing to face legal flak to get it, you're still back at the point of being stuck, unless you ensure all the business folk maintain their own machines away from IT, and support them entirely themselves, to a secure enough level that they won't fall victim to an attack when they connect to the corporate network, or a trojan in an email.
Like all solutions, the most workable is to ensure if someone is guarding secrets that are that potent and valuable, you make sure it's not worth their while to go scurrying off with them.. In other words, you treat them well, and remunerate them according to the value of their task..
If you force your IT staff to work over long hours, stiff them on their working conditions all for a flat low rate, you're asking for trouble.
Give them good conditions, and good pay (going to excellent pay for those sysadmins that are responsible for the really tasty info), and you're far less likely to suffer.
Technical solutions just won't work, as the people who know most about it are the ones you don't trust. Which defeats the whole object.
Espionage is a real concern. But the solutions in this article are worse than the problem. THe real solutions include:
1) Mandatory Access Controls (for example SELinux) on systems that hold confidential information.
2) Data encryption for confidential information using public/private key encryption. AES is NOT an answer here though you can use it for session encryption with Diffie-Hellman, etc. if necessary.
3) Training and loyalty of employees is critical.
4) Separation of duties, powers, and responsibilities.
But I guess this is harder than just throwing technology at such a problem.
LedgerSMB: Open source Accounting/ERP
I happen to have this awesome bitmap for you all of you /. posters to look at. Ever heard of Asherah?
* snicker snicker evil laugh *
"You will pay for your lack of vision..." - Emperor Palpatine to Ray Charles
A few years ago, I was working in a company where we were developing products for sale to a few Federal groups. We interviewed numerous people for these jobs. One that was interesting was a chinese women living in C. Springs, married to a USA soldier. She had a masters in C.S. from china. At first, she was not all that interested. But once I mentioned the groups that we were selling to as well as discussed exactly what we were doing, she got very interested. Obviously, we shot that down as soon as she expressed interest in who were dealing with.
Upon cheaking her out, we found out was that she was a chinese national, but told us she was american citizen.
In another case, we had a guy that we interview another job. He was claiming to have a CS degree with loads of Linux experience. But when asked a set of questions, he missed them badly.
- How do you create a new process; you spawn it(did not know fork or exec).
- How do start a new process upon boot up (from the kernel or a central repository; he did not know about
/etc or /etc/rc.d/).
- asked about genearl sorts and only knew quicksort and bubblesort, but could not explain quicksort.
- did not know discrete math.
All in all, what I have found out is that you first have to check ppl very carefully. Then you still have to limit ppl to what they get to. Hopefully with vista, the MS world will start having security. That remains to be seen.I prefer the "u" in honour as it seems to be missing these days.
Studies have shown the most effective deterrent to theft is moral/ethical. If an employee has a good relationship with the company and their managers then they are unlikely to steal from the company, even if they know they won't be caught. If you treat your employees well, are understanding about their problems, and cultivate your relationship you have little to worry about. Talk to them and learn what their goals are and help them achieve it. Do they want to move up into management? Do they want to go to night school and become a programmer or a public relations person? Help them do it. If your employee has money problems, you should be the first person they come to, confident that you will help them work it out either with financial counseling, a pay raise, saving them money by letting them telecommute, or even loaning them the money they need and repaying it from their wages. You employees should not live in fear of being fired or laid off. If they aren't working out they should know you will talk to them and come up with either a new position for them in the company or help them find work elsewhere, while keeping them on in the mean time. Employees should know they are trusted, for breaking that trust is a deterrent. Employees should have a stake in the company, either stock or a bonus plan so they feel their hard work and good behavior means something.
If all of the above is taken care of, you employees will be a lot less likely to steal or do anything else to put the company out (like quit without notice). There is always the rare anti-social personality disorder, but that is a pretty rare case. If, however, you develop a "strictly business" relationship with your staff that is mercenary and impersonal you may have problems. When people don't care about their employer or dislike their employer and feel that they are in danger of being fired at any time, or their job outsourced, they will respond in kind. If the only reason you pay them is because it makes you more money in the long run, why shouldn't they sell the customer database or source code? If you hire mercenaries and treat them like mercenaries, don't be surprised when they act in their own best monetary interest.
If you decide to treat your employees like you are at war with them and need to be defended against them, you're likely to have more problems than any technical solutions you implement will benefit you. There are products that will build a relational model of your network and log all traffic and access to resources based upon DHCP IDs and the like. Between such a system and a good set of untouchable logs for your access controls you can develop an independent group to monitor your staff. If you really need it though, your company is already pretty doomed as your employees probably don't care anyway and are just doing the minimum necessary to get paid.
In Mafia-run America, Reason sees you!
"You will pay for your lack of vision..." - Emperor Palpatine to Ray Charles
Hire honest staff and treat them like human beings so they're not inclined to rip you off. If you catch someone ripping you off, press charges.
You can also create audit trails logging to multiple machines, each controlled by a different employee so that a conspiracy would be needed to avoid being caught. Reading and understanding those logs is, however, very expensive. Its also the kind of mind-numbing job that could leave an otherwise honest IT employee open to committing theft.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Pay us the money and respect that we deserve in our role. Stop treating us like criminals (use a security policy that makes sence, not the latest paranoia that the boss thought of.)
If I am respected and payed what on par with others in my industry, I won't have a need to "Sell Your Secrets!
Trust and respect go a long way.
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
Don't treat you employees like shit and they wont steal from ya.
"I can't imagine having to be paranoid about employees. That seems to me to be a bigger problem than hardware."
The military seems to have a solutiion. Why don't you ask them?
This reminds me of an old cartoon, two pirates are burying a treasure chest on the beach. The pirate Captain is standing watch while holding a gun behind his back. The pirate crewman is down in the hole, digging. He looks up and says, "Just think cap'n, you and I will be the only ones who know where the treasue is buried!"
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Protecting crown jewels? Oh if you've done any martial arts that's easy, you wear those protector thingies around your... Oh, you mean corporate crown jewels? Um.
/. every few days or so. Welcome to the real, imperfect world of IT.
Well, realistically speaking, you can't. If there was ever some sort of silver bullet on computer security, we wouldn't be readings about some blistering new 0day exploit on
What you can do is at least see to it that good security policy is in place, e.g. secure passwords, firewalls, access levels, locked-down controls, yadda yadda, things one'd suppose be in TFA already (before it melted, anyway). And then you twiddle your thumbs and hope you don't piss the system administrator off.
Make managers get off their lazy butts and actually peek in on their staff at work once in a while, just to "check up on things." Managers tend to become rooted to their desks and assume that the emails they receive from workers contain the truth, the whole truth, and nothing but the truth. While a good manager lets his/her employees get about their job, they never let the employees run the show. An IT department should be not just a reflection of good work, but good management.
And of course, they could wear leather outfits, hoods, and carry whips to keep people in line... fear can be a great motivator.
GetOuttaMySpace - The Anti-Social Network
For IT people I've found you need only two simple words, "FREE PIZZA"
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
and every other agency has been working on this problem with their workers since the beginning. And they still get problems with people selling their secrets. Despite their employees having to undergo the polygraph (pseudoscience, I know) every six months, etcetera. Still, perhaps they (or people once working there, if they wrote a book about the methods) would be a good start on the topic.
But I don't think there is a technical solution to this problem. Technical safeguards, yes. Solution? No.
A monitoring program, staffed by people isolated from the rest of the IT staff, that solely watches and logs which and what files get routinely accessed throughout the enterprise would be a good start. Is such a thing feasible?
The casino, bookie guys do not need rules and regulations. Feel free to take their data (usually cystomer lists), it is full of spikes/seeds (phone numbers, email and land addresses that belong to the owners), so when the data is sold and used (callcenter, email spam/etc) the mails get back to you.
.... so he was pretty determined.
Then the death squad goes after the techs and asks some unconfortable questions, talk about broken kneecaps and burning family houses.
Heck, you can even seed different addresses for each admin (if one is doing the mailing, the other only sees the SQL tables)...
If you think it is science fiction, or fear mongering, come and work for a casino in any Central AM country...
I personally left a place because I was scared - higher staff was regularly followed, I heard bad things about the company, and we had more and more armed people at the entrance. I also heard (from my colleage), that our previous sysadmin was chased down the street by the neighbour casino owner with a gun in the hand, shouting "I kill you bastard" over some customer list that the guy "administrated".
Want 1st person experience: how about police calling me, that a gentlemen wants to talk about one of our employees, who supposedly stole data from a caribbean country's casino. The guy looked like a headhunter/killer to me, who kept calling me for 2 weeks, every day, offering more and more for the person's address or any tip where the person could be met (killed??). And that was back in Europe, and the guy came from the islands
Oh well you can make some other measures, like at one place, they sniffed all IM traffic, read all emails, and made it forbidden to take anything into the office. First usb drives, cds floppies. Later cell phones, walkmans, ipods. ANYTHING. They were as well beleived to go thru the lockers.
Of course I cannot (and do not want to name people, places, etc). All I can say, is that I am done with that industry, even though they pay a lot better than others in southern countries.
The first thing to do is to read the extensive documentation on this subject.
If it's possible, the BOFH has already done it.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
You encrypt the data with a symmetrical cipher such as AES and a random key, then encrypt that key with PK. You can have multiple copies of the encrypted symmetrical key, e.g., any enterprise-level system will have a "recovery key".
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
No references to the invisible cloak?-)
This problem is as old as doing business - and the solutions were found a very long time ago.
For example, how did a company keep its accountants honest, in the days when the accountants kept the books and made all the payments?
The solution was, basically, twofold: firstly, any transaction requires two people. (For example, the employee who actually issues checks is never the same as the employee who authorizes an expenditure.) Secondly, there is an "audit trail", i.e. for each transaction, there is a record of who authorized that transaction and what it was for. Verifying that a company does these things is part of a standard audit, that every public company must have.
The same principles can be applied to any area of a business. Companies which do not apply them to financial IT systems are asking for trouble.
If you have enough employees, one of them will be rotten no matter what you do. Look at all the supposedly good Americans who have been caught been spying for the Soviets.
Having your secrets stored on computers makes them a little more vulnerable but they are also stored or embodied in other ways. A production process, for instance, is embodied in the equipment on the factory floor. You have to worry as much about the janitor as the IT staff. Maybe more. The janitor has access to the waste baskets.
Internal fraud is a huge issue for many companies especially financial institutions. Thus the rationale for creating 1) control environments 2) control activities within those environments and 3) accountability for those activities in the environment which they exist. There is no such thing as perfect security and good luck figuring out whois honest or not.
Sounds like a good Paranoia scenario. I'm Ultraviolet and love the computer!
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
Obviously information loss can't be prevented. The best you can do is reduce the likelihood and the ease with which it can be accomplished.
Internal staff will always have access to information. People are corruptible. Even where extremely extensive security measures have been taken, people still manage information theft - government spies are a good example - don't forget that the best spies haven't been caught and we don't even know about them.
I always find if funny when companies get worked up over the security of a reporting solution I'm developing for them. For example, they might be concerned that people should not be able to e-mail reports outside the company. But they have no problem with someone printing off a report or copying it to a flash drive and mailing it out of the country using company postage meters...
There is also a severe productivity cost associated with these security measures. You could take a series of extreme security measures like:
- Disallow flash drives and any other type of device that can store data, such as cell phones, memory cards, removable drives/disks, recordable CDs and DVDs, digital imaging devices, etc.
- Disallow all remote connections to the outside world that could be used to copy data
- Establish a security checkpoint through which all personnel must pass going in or out of your location. Conduct body searches for paper, media, and any other "banned" device or information.
- Set up redundant information access protocols that require more than one person to be involved when accessing sensitive information.
- Establish stiff penalties (dismissal) for the slightest violation of the rules
- Establish significant rewards (big bonusus) for exposing the violations of others.
This might work, but where there is a will, there is a way. Plus, suddenly your company has turned into a hated Big Brother where no one wants to work because it just plain isn't any fun to be there. How much does this cost?For many companies, a more reasonable approach might be:
If you have a problem, if no one else can help, and if you can find them, maybe you can hire: THE A-TEAM.
At my last job, we had a small, close-knit company. We had a steady influx of about a dozen contractors at any given point. Pretty well paid, they generally had 6mo to 1yr contracts, if we didn't hire on fulltime (which was very common). Catered lunches, the company wasn't going down in flames, etc..good place to work, good city, etc. Come one day, I decide to swap out my keyboard for a new one. I bend down to unplug my existing keyboard, and find a KeyGhost dongle on my keyboard. We had no idea who might have put it there, or what their real reason would have been. We hardly had any idea what to do from there, and hired on someone to help us deal with the ramifications. Our best guess is that this person was bribed by the competition to steal secrets. Now, I was the main IT administrator. My question for the authors of the article is how do you protect your IT people from compromised employees? I think the focus should go the other way around. Us IT workers are increasingly the targets of targetted attacks and hacks, trying to get at the information we have. And hardware security, in the case of this keyboard dongle, is almost non-existent. There are theories on how to detect them, but no solid products. So don't focus on the fact that your IT people have access, and how do you prevent them from using that access for harm...your IT people need that access to do their jobs. Make sure you hire on someone with good ethics, do the best job at auditing and process creation that you can. But realize that a big vector is someone trying to compromise your IT person, without them knowing.
I am amazed at the number of tech jobs out there who pay Network Administrators a 1/4 of what they should be paid. Yes I understand that you can't buy loyalty but I bet you will have a happier Network Administrator.
Network Administrators are responsible for the whole ball of wax but yet get crumbs.
It's really not that difficult. You can encrypt backups with public-key encryption -- it uses a random key for a symmetrical cipher, and you encrypt that key with your PK keys. Plural, since you'll probably want to include at least one recovery key. The backups - and the lower-level employees who access them - can be encrypted from birth to grave.
The recovery keys should be well-protected. Think "one disc in safe in CIO's office, second copy with corporate lawyer, third copy in bank safety deposit bank". Or better yet, recovery key in hardware devices that are physically protected.
"Live" access to sensitive systems can be restricted to an inner circle of hell. I mean an inner circle of experienced IT staff. You would want to partition responsibilities anyway in a larger organization.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Or how Stalin did it.
Go look up how those dictators kept a trusted bunch around and maintained them.
If you're going to be a paranoid dictator there's plenty of material around.
At my workplace management has so many conflicting opinions on internal security it's laughable. When I was brought in as IT Manager I couldn't even get admin access to anything because my boss didn't know who I was (even though he's the one that hired me.)
Instead he let the outside I.T. consultants have complete control. My experience and professional references were to no avail. It was three months before I got a key to the server room, and this is in a small, 50 person insignificant business. All the while the outside consultants (who retain full remote access to all systems and networking equipment) could do whatever they want.
The network drives were wide open among departments. No restrictions. Performance reviews, salary spreadsheets were all available to the entire staff with the thought that "no one knows the files are there so it's okay" was good enough.
When I suggested that we could start locking down departmental network folders to restrict access to sensitive data it set off a freakish firestorm of discussion about who could be trusted for these special folders. But... the whole time they'd been wide open! Now suddenly it was an emergency to lock them down and no one could be trusted with the data.
Later on my boss was working on a business pitch in Word. He'd brought in a temp to help with the layout and now he wanted to give it his own special touch. But he was having formatting issues. He wanted my help, but.... I couldn't look at the document!
He said it was sensitive and he didn't want me to see it but at the same time I had to diagnose his formatting problem and tell him how to straighten it out. So it was okay for a one-day temp to see it, but not the IT Manager that he himself hired that has responsibility for protecting all of his data.
A few more months and I'm out of here. It's the craziest place I've worked, and I used to work at an urban police department so I've seen crazy.
Do what Cisco did.
Send your work to China where laws against industrial espionage are stronger and it's harder to bribe employees.
Oh wait a minute..............
[satire off]
"The business and marketing folks are as good as out the door. Us tech guys? Pfft, nothing to worry about. The fact is the reason your tech guys have you by the proverbial balls is because you're not educated enough to do their job. Heh, but the fact is, most anyone who has powerpoint and mediocre social skills can do your job."
This kind of self-aggrandizing claptrap is just annoying. There's no way you could do their jobs. You suffer from the delusion that anything that isn't technical is simple.
Why is it that when people say, "the fact is", "the simple truth is", or "the reality is", they're almost always wrong about the topic under discussion?
that are going to be managed by IT people.
Brilliant!
Interesting, because I ran into that too, in one company I worked at. It was pretty well understood that in order for things to work, *somebody* had to have access to everything. Otherwise, it wasn't going to get backed-up, organized in proper directories, and so forth. So I.T. was "off the hook" for any real hassles there. BUT - they were VERY concerned about salespeople accidently seeing things they shouldn't see, or possibly uploading corporate info to other sources.
Pay your SA's what what they are worth. Don't constantly threaten your IT department with outsourcing and constant benchmarking, especially annually. No one likes to have to keep competing for their job every year. Don't welch on their retirement package. Have bonuses or stock awards when the business is doing well. Don't let Microsoft dominate *all* your software solution choices... They do some things well, some not, so choose wisely for each task, as your SA's will have to support it. Pay for on-call support. If you make your SA's carry a pager, pay them for it, as it is disruptive to their outside lives and family.
Basically, you take care of them, they will take care of you.
*Darb
This sig intentionally left blank.
"The fact is, you're an idiot"
And you have no idea what you are talking about. NONE. Good luck with that.
A company is worthless without good employees. Employees who know how to do their job, show up to work regularly, don't cause stupid office political brouhahas and basically get the job done. There's lots of people like that. But there's also lots of shiftless, lazy folks who'd rather spend all day surfing Slashdot (er... present company excepted, of course! :) ), downloading pr0n or otherwise not doing their job.
And of course there are those who feel they are entitled to more (whether they are or not), and resort to extreme measures to get what they want. Sometimes they get caught.
So this is a very real, true concern and hardly the result of paranoid executives. If anything, executives in most companies are way to complacent about the trustworthiness of their employees.
P.S.
I'm speaking here as both an IT professional and a CISSP.
In the darkness of future past, The magician longs to see. One chants between two worlds, "Fire, walk with me!"
The goal of outsourcing is to not have ANY "jewel" employees - just a neverending supply of interchangible cogs that can be replaced at will.
THIS is why management has become concerned with protecting against their own employees. Rather than pay what it takes to hire and retain loyal, honest employees, they spend even more money preventing the bargain-basement employees from stealing from them.
I don't know about other folk, but I subscribe to these:
http://www.acm.org/constitution/code.html
http://www.sage.org/ethics.mm
Ask your IT colleagues if they've heard of them.
...an Englishman in London.
How about:
- not treating employees like crap
- do not engage in typical cyclical layoffs like many big public companies do
- pay your employees above market, and when someone not in sales closes a deal or saves a dealer from going sour, do NOT give the credit and high five-figure bonuses to the salesman or account support rep when it was actually senior QA or development staff which rescued the multi-million dollar accounts after sales and support dropped the ball resulting in the account threatening to break the contract and/or sue for breach of contract
In other words, if you are running a company, don't be an asswipe to your employees (NOR to your customers)
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
I can do it in 3 steps.
1. Evaluate the skills of your IT staff on a regular basis, and compensate them competitively. No body likes to be short changed and screwed. If you dont' give a fuck, they won't.
2. Eliminate all Microsoft Products from the external network. They are unsecure, unreliable, and expensive. Realize that because Microsoft is the biggest, it's not the "ONLY" solution. Let your IT staff be creative and think "outside the box" and you will be rewarded with ingenuity and skill.
3. Realize the TRUE value of technology within your company and plan your budget accordingly. You can't send your IT staff to a gunfight with a knife.
Dumb and unethical. I have a management position opening up. Where can I reach you for a job offer?
I've had a few bosses I've wanted to grab by the "crown jewels". Really it's their own damn fault. I'd suggest maybe a cup or other protective device, really. Of course, if everyone in your office is trying to grab your nards, protective gear probably isn't your biggest worry.
Now, if you excuse me, I need to feed the code monkeys some bananas ;-)
I learned that 70% of security breaches come from INSIDE the firewall.
protecting corprate data from the inside requires a whole different level of thought then most companies even consider.
âoeTolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.
Codes of conduct? Is that anything like the Ten Commandments? How well did that work out?
OH, BTW to all the people saying "pay'em what they're worth" How about "Hey! I'm worth a million dollars. Pay up, or else..".
Having recast the unfortunate incident as gross incompetence (perhaps not too far from the truth?) I chose to take the fullest possible advantage of the situation. Sorry, kids - morals are great, but Number One comes first! There's an IT shop in a Midwest town which I'm sure still curses my name when it is spoken; but my income has more than doubled since then, I don't get adrenaline rushes on my way to work anymore, I don't feel like I'm working in the IT equivalent of a labor camp, I actually like and respect my coworkers - I wish I had done everything on purpose, it would've been a sweet example of Machiavellian perfection. As it stands, it was merely a marvellous coincidence.
Oh, and I don't do management. I'm firmly convinced that people will rise to their own level of incompetence - this level is mine.
Irrelevant. Slashbots are unemployable.
Listen p*ssy. I'm sure your the same homo that posted earlier about alf's boner and you just want to remain anonymous fo
Or you could just do what Sony is doing now and just make DAMN sure that no other company wants any of your secrets!
disclaimer: I've been known to store numbers in my ass for which to dig out when quantities are required.
Ken Lay wasn't in IT. A moot point.
TZ
I worked as a permanent temp in a Hewlett-Packard printer factory in Camas, Washington. I was in a room with a loading dock all alone with about a thousand printers, brand-new, boxed and ready-to-ship. My job was to select several printers a day at random and disassemble them so that the parts could be used to make prototypes of new printers. It was cheaper to hire a permanent temp employee to disassemble printers than it was to fill out the paperwork to get the parts from the assembly line before they were made.
Anyway, I put a picture of Claudia Schiffer in a evening gown on my PC as background wallpaper. A few days later I get escorted by an armed guard to the human resources office about a kilometer away and get fired for 'creating an environment conducive to sexual harassment'. Since I had all the codes and badges to access the loading dock, I was tempted to just rent a truck, drive up, and take all the printers and either dump them in the ocean or sell them myself. Of course, according to Hewlett-Packard, I was 100% trustworthy because I passed a marijuana piss test so I was beyond suspission were the items to be found missing.
I didn't steal anything from them, but I was tempted to because I was so pissed at them. Of course, it came as no surprise to anyone that a few years later the morons who run H-P would just roll over and let Carly trash the entire company to the point where they felt relieved that they could finally get rid of her by giving her 28 million dollars to just...go...away.
So, a word to the wise young people, don't work for insane morons like Hewlett-Packard if you want to have a long and prosperous career in the IT or electronics industry. Choose your employer carefully; believe all crazy rumors about your company management, study Dilbert seriously, be flexible, and always ready to just jump ship at any better job offer. The old mentality and social contract between employer and employee is over.
to India, or better, to Russia. Those Russians are top coders and don't ask much pay.
Good point. Pay and working conditions are important, but so is mutual trust and respect. It's not enough for management to trust and depend on the employee, the employee must be able to trust and depend on management.
How many times has a company had some sort of trouble and fired, replaced, outsourced the employee(s), but kept the manager(s)? How about when the employee gets into some sort of trouble - canned.
Things are different when companies (and managers) view employees as assets rather than liabilities.
I worked for a company once that wasn't able to give any raises for 4 years, but all the employees stayed, plugging along because we believed in the product, company, and owner -- and he believed in us.
Now for an imaginary example for all you Firefly fans. How many of you would sign up as crew on Serenity? Ya, me too - in a second. (Notice that even Jayne stays even though he's supposedly all about the "pay" and such.)
It must have been something you assimilated. . . .
1. Hire good people.
2. Treat them well.
3. Pay them well.
That's all you have to do.
Honestly, while those good pieces of advise, the naivety of so many Slashdotters surprises and depresses me. In very small companies, that may be all you need. And for business that don't have big revenue numbers or deal with innovation, espionage isn't much of an issue. I don't think a plumbing company needs to worry about espionage.
But banks, credit card companies, investment firms and brokerages, they do. As do many of the companies doing R&D in drugs, electronics, software, etc. When millions of dollars are at stake on pieces of information that can be copied to a USB flashdrive the size of a quarter, a smart businessman will not assume everyone can be trusted.
As IT professionals as well as hobbyists, we are used to having lots of access and power. It's what makes our jobs easier, more enjoyable and exciting. By nature we tend to be lazy and impatient, not wanting to do something in 4 steps when it can be done in 2 or 3 steps. We like to find ways to automate processes of all sorts. And we often are overworked and underappreciated.
Which means the IT profession is a good breeding ground for corruption. Roger Duronio felt like he wasn't being fairly compensated. Even when he got a year-end bonus of THIRTY-EIGHT THOUSAND dollars on top of his $100,000+ per year salary, he felt cheated. He wanted the full $50,000 bonus he could have received. So he gutted the companies servers, costing the entire business millions of dollars. He also tried to profit on this action, betting stocks would fall quickly enough for him to short sell at a profit (he failed there). Eventually he was caught, tried and found guilty. He really screwed up good, because he ended up not getting anything that he wanted, destroyed his career forever, betrayed both his family and co-workers, and hurt the image of Systems Administrators everywhere.
Roger Duronrio is not the first IT professional to have done something like this. His actions were amazingly succesful compared to many others, and the company was very much willing to publically bring the case to trial. But you can do searches on FBI cases for all sorts of similar situations.
Trust is really just saying you have faith in someone. No technology, procedures or policies can precisely mirror the emphereal nature of that faith. Which is why you don't rely on one or two or three methods to protect yourself and your business. You rely on hundreds of different methods and protections. It's called security in layers, and is such an essential concept of security that people always forget about it.
The article focuses a great deal on encryption, which is most definitely a good idea for all sensitive data in an organization. But that won't help you if you can't trust the keyholder. So what do you do? Well first off, you don't encrypt everything with one key. You use lots of different keys for different data, and lots of different keyholders. You break keys apart so a person only holds part of a key and two people need to work together in order to decyprt data. Or you use an external, third-party entity to escrow the keys. Better yet, you do all of those things, and more.
In the darkness of future past, The magician longs to see. One chants between two worlds, "Fire, walk with me!"
If you have bad people on your IT team, then you are fucked. It doesn't matter if you encrypt the data for backups. What about all the data that is being accessed all day long by various departments? The data is in a production enviornment and is, (as it needs to be) readily available to IT staff. (Think: "Help, my access to a deep share on the X drive has been dropped, please remap!") I have access to it all. If you are worried about bad employees then you should try a little harder to NOT hire them in the first place! I dont fuck around with data at work because I have morals and I dont want to get fired and or go to jail. Some people do not think this way. It is HR's job to weed these people out. Now, there is ALWAYS the exception where a good employee becomes disgruntled and does something stupid as retribution, but wtf are you gonna do? Tie everyones hands so that it makes their job harder, and less produtive than it already is? I am a BIG fan of monitoring employess actions. I do not feel as an invasion of my privacy. In fact I feel more secure and comfortable knowing that I am not going to be blamed for something because there is always some record of where I've been and what I have done. Besides, I don't own ANY of the hardware/software here, so who the hell am I to complain. Sometimes, Big Brother will save your ass!
"Patience is not a virtue, it's a waste of time."
An article titled "Nine Ways to Stop Industrial Espionage" following one about invisibility? The author could rename it "Ten Ways to Stop Industrial Espionage" in the future.
A very important issue is that secrecy is expensive. It is tempting to try to protect a great deal of your data. If you do that, you will spend a great deal of money. And you will impede the work of your people who too often will not have ready access to stuff they actually need to know. And -- pardoxically -- you may reduce the protection given to data that actually needs to be secured because people will develop ways to bypass security so that they can get their job done.
IMO, many companies shouldn't even consider securing any of their data. Those that do, possibly shouldn't put their critical data on computers -- expecially not on networked computers. If all your important data can fit on 200 index cards, put it on 200 index cards and lock them up. What, for example, would be the point in putting the secret formula for Cudweiser beer (12 parts cow urine, 37 parts water, 1 part used motor oil, ...etc) on a computer where anyone can steal it?
Companies that deal in personal data e.g. schools, hospitals, etc. Here we are getting beyond my experience. I suspect that mixing sensitive data with accounts payable, staff eMail, memos about the Christmas Party, etc is not a good idea. But beyond that, I just don't know.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
...is all the corporations that forbid cameras still. Cell phone cameras as well. With faxes, high quality scanners, photocopiers, e-mail, and even white boards that will reduce and print the scribblings upon them, banning cameras is just kinda silly. There's a lot of ways for secrets to get out of the building without anybody ever touching a camera.
(and it's not like they actually frisk anybody to see if there's a camera in their pocket, either)
Nothing to see here. Move along.
You can use public key encryption for backups, with both 'working' and 'recovery' keys. Backups only need the public keys. Backups can be triggered by cron tasks so you only need a trained monkey to change the backup media, not a full sysadmin. The media will have already been encrypted.
Restores require the private keys, but that should be rare enough that it would be noteworthy when somebody asks for the private key. You could use a different key every time, to limit the damage if one key does get out.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
That is still the easiest way to get data you want. This can be done over the phone trying to access passwords, over bribe and blackmail to just asking for the data when the subject is drunk.
Detecting this is much harder. You can have all the technical security in placve, but when you COO sells the data to the competition, there is not much you can do.
Do it in steps and make people aware. First, start using gpg for email for EVERYBODY and EVERY mail. Signing for those that can be clear. Encrypted for those that can't. Get your partners you send trusted information to to use it as well.
Don't fight for your country, if your country does not fight for you.
So how do you protect your corporate crown jewels from staff that can so easily be bribed to steal them and hand them over to a competitor?
1) Hire trustworthy, ethical people with a personal interest in IT as a career, not just a job.
2) Pay them well, they hold the keys to your company as much as the sales, marketing, or executives do.
3) Treat them well, including being honest with them and not samdbagging them with conflicting or ridiculous requirements.
4) Don't hire IT as contractors or temps, bring them on board and give them benefits. Then they won't need bribe money to pay medical bills.
5) Don't outsource their jobs and then expect them to train their replacements.
The short form: don't screw IT professionals, and they won't screw you.
use Sig::Witty;
But someone has to keep the private keys. Do you trust that person? Is it practical to have only one person controlling the keys? If they are out of town and you need to do a restore, you're screwed.
Anyway, none of this does any good if the admin can access the data as it is in production. Going through a backup would be an unnecessary setup for most IT admins. I mean, if you know exactly what you want, just go in an copy it from the server.
I suppose you could go and implement security such that nobody has full access to the systems, but at some point you're just making it difficult for people to get their work done. I'd certainly never put up with it.
-matthew
"THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
You'll find that the majority of espionage cases involve money. Or, to be more precise about it, the lack thereof.
When folks start handing over secrets ( be them corporate or government ) the person doing the ' spying ' part is usually unhappy about something. Hates the company, hates the boss, has financial issues, envious of the ' super-suits ' making a hundred times their salary, etc. etc.
While the company can do little about the employees personal lifestyle ( perhaps he's an obsessive gambler or suffers from depression ? ) they do have some control about overall employee satisfaction while on the job. An employees pay, the work environment, overall stress level, etc. etc. all contribute to this.
While the company can elect to let go an employee with risk factor qualifiers, it's tough to spot the signs without intruding into an employees personal life. SOMEONE has to have access to sensitive data within the company, so the company needs to ensure that those folks that do are happy with their jobs.
If your IT folks are working stupidly long hours for minimal pay and crappy benefits, then you're setting yourself up for this type of problem. Actually, this isn't limited to the IT folks either. ANY of your employees can become a ' spy ' in the right situations.
( Tip: Seeing the CEO drive up in a Ferrarri after purchasing his / her fourth home because his / her pay is so obscene only serves to remind the rest of the employees of their insignificance. )
Jealousy is another big motivating factor for turning ' spy '.
While you can implement stict controls over data ( no outside personal devices, Marines at the entrances / exits who random search folks, insert your favorite surveillance technique here, NDA's, etc. ) all of that costs money. A LOT of money.
Who wants to work for a company like this anyway ? Would you subject yourself to constant surveillance while on the job ? A camera in your cubicle ? Keyloggers and Remote Viewers on your computer ? An RFID tag stapled to your forehead ? Probably not. . . .
It's a delicate balance keeping your information secret and your work environment appealing to your employees.
In the end, it's easier ( and probably more cost effective ) to keep your employees happy than it is to implement an Orwellian system in an attempt to keep your information intact.
This article is about protecting sensitive data from IT staff disclosure or modifications. Given that this is slashdot, an IT folk watering hole, it should come as no surprise that most of the replies blame the problem on
Experience shows that employees are your biggest security risk and that employees with the greatest access present the greatest risk. That's the way it is; live with it.
Also relevant: anyone following the various forums like slashdot, where the computer guys hang out, will have noticed that, as a group, they have little or no loyalty to their employers and an excess of self-righteous zeal. As a security guy, I have to treat this as a clear and present danger.
Mitigating this risk calls for encrypting sensitive data in a way that only those with need to know can decrypt it. Closely-guarded administrative keys are used to deal with forgotten keys and re-keying when someone leaves (the keeper of the keys doesn't work in IT). Backup isn't a problem, because the only thing on the servers is encrypted volumes.
Most of the rest of the risks are handled by treating user workstations as part of the user, rather than part of the system, and taking the appropriate precautions to protect the workstations from unauthorized tampering (e.g. whole disk encryption) and the system from workstations and their users. Serious, carefully-managed compartmentalization is an indispensable tool.
The best thing about this approach is that it can be done with minimal impact on users or user productivity. It is hard on IT administrative staff, but I'd rather annoy a handful of techies than hundreds of users--especially since it's the latter that are paying the bills.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
As long as you're treating your staff correctly, you should really be concerned about what's on their laptop. VPNs help with this, as does keeping critical data on the server side only (this may be one of the biggest benefits of webapps). You should also make sure they do not insert suspicious media or give passwords to others.
"So how do you protect your corporate crown jewels from staff that can so easily be bribed to steal them and hand them over to a competitor?""
Make a backup. Then if an employee steals the data (copies it and deletes the original), you've got your own backup.
Oh, wait, you didn't mean steal, did you? You meant copy. Big difference. A copy doesn't deprive you of the original.
I am sure they will listen to reason.
I can throw myself at the ground, and miss.
So use a threshold scheme so that no one person has access to the secret key, but it can still be recovered if someone loses their share. Yes, this makes it a pain in the butt to decrypt the backups, but if you need to restore often enough that this is an issue, you probably have bigger problems.
One of the things I tell my people is not to try to solve a management problem with a technology solution. Normally it's because some employee spends too much time surfing the 'net (like I'm doing now!) and they ask me if I can block the Internet for that person. That might solve the immediate problem but if that person is otherwise a good employee wouldn't it be better to invest a few minutes counseling that employee about what is expected of him/her? Using technology to solve a management problem is ALWAYS a temporary fix. If you can't (or won't) communicate with your employees, wasting time, theft and corporate espionage will just be the beginning of your problems. Bring those people along and help them improve, if you try for the easy fix you're only going to breed resentment. Kerry
Don't make strawman arguments based on the strawman's incompetence. Of course you don't want one person controlling critical information. That includes the combination to the office safe in your boss's office. Getting it may not be convenient, but that's the whole point -- to get attention when something unusual happens. "Restores" should always be unusual, especially if they're at odd hours when the usual people aren't around.
As for the last sentence... if you want to work in companies/industries where that's possible, more power to you. But don't pretend that it's reasonable or even legally possible for every company and industry.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
With a family unit, absolutely. But in a family unit, there is typically a head of the household who is ultimately responsible for the family's economic wellbeing, who will impose work upon family members who should be contributing, but are not. Beyond that, family members have a different kind of moral responsibility to each other than do mere acquaintances, which makes this relationship more fitting.
But a commune of hundreds?? A commune of even 50 or less could only work if it was under a strict authoritarian rule, such as the former tribes of American Indians. But that would not be compatible with the taste we've developed for freedom and individuality. But even that wouldn't likely be efficient enough to let people survive. There were once 105 people who formed an independent communist government in Massachusetts. They were extrodinarily industrious and religious people. Yet after a couple years, very many had starved to death, and after some debate on how to manage to stop starving to death, their governor, William Bradford, wrote that, concerning their system of communism, "it was found to breed much confusion and discontent and retard much employment that would have been to their benefit and comfort." So he parcelled up and distributed ownership of the land to the families, making each responsible for their own production. The result was that "much more corn was planted than otherwise would have been," and they recovered, and thrived, invented Thanksgiving Day, yadda yadda, and went on to become the world's only superpower. (For non-(or ill-educated-)Americans, I'm talking about a group of families who called themselves Pilgrims and wore funny hats, who in 1620 procured a ship called the Mayflower, and established England's first colony in America, at Plymouth.) Bradfords expressed some amazing insights, 300 years before communism became all the rage.
This one paints the picture: "The women now went willingly into the field, and took their little ones with them to set corn; which before would allege weakness and inability; whom to have compelled would have been thought great tyranny and oppression."
And: "The experience that was had in this [communist system], tried sundry years and that amongst godly and sober men, may well evince the vanity of that conceit of Plato's and other ancients applauded by some of later times; that the taking away of property and bringing in community into a commonwealth would make them happy and flourishing; as if they were wiser than God."
And: "If [communism] did not cut off those relations that God hath set amongst men, yet it did at least much diminish and take off the mutual respects that should be preserved amongst them. And would have been worse if they had been men of another condition. Let none object this is men's corruption, and nothing to the [system] itself. I answer, seeing all men have this corruption in them, God in His wisdom saw another [system] fitter for them."
Indeed, if the communities are families, that works great. It existed in America, until less than 100 years ago, when the "New Deal" enabled children to relinquish responsibility for their older parents, and move out with their own children. And subsequent changes in law and society made marriage itself no longer a permanent institution, and we became a nation of individuals, rather than families.
They were merely covering their asses. You can bet that if they thought they could get away with it then you wouldn't have been reading this story...
Wanted: A better sig than this one. I have neither the wit nor motivation...
The article author suggested using AES for data signing which is a whole different issue.
LedgerSMB: Open source Accounting/ERP
Obviously you don't mean it to the extent you seem to be saying-- you certainly mean that companies should fail to protect, say, customer credit card information. By law also banks and hospitals have certain regulations regarding data protection that need to be enforced.
But I think that businesses ought to protect as little data as possible and ought to weigh the cost of secrecy against the risk of exposure. Many businesses take a knee-jerk reaction and want to protect everything. Yet many of the best businesses protect only information where the cost you speak of can be justified.
LedgerSMB: Open source Accounting/ERP
People respond to how they are treated and what is expected of them. It's known as the Pygmalion Effect and well documented. If the staff get treated poorly or like dishonest people and management is always expecting the worst behavior, then, surprise, the staff will generally meet those expectations. Or if the staff get treated honestly and well and management is always expecting the best, then the staff will generally meet those expectations too. Obviously there are more factors than just how staff are treated and what is expected of their behavior, but those two are very, very large yet often not addressed. Employees, despite what MBAs may say and act, are people and will act to meet expectations, good expectations or bad ones.
Ah, but that would preclude the use of MS products, especially server products and mandate solutions from other vendors and even Free/Open Source software. Networked storage (aka filesharing) on a MS-Windows server , MSIE and MS-Outlook have been invaluable boons to corporate and international espionage. However, it's no wonder that the media, beholden to MS via the advertising budget at the least, tends to focus on employees.
Do not expose your internal network Make sure that intermediate storage is secureBeta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
With a family unit, absolutely. But in a family unit, there is typically a head of the household who is ultimately responsible for the family's economic wellbeing, who will impose work upon family members who should be contributing, but are not. Beyond that, family members have a different kind of moral responsibility to each other than do mere acquaintances, which makes this relationship more fitting.
Actually, this model works well in more democratic households as well. Modern families without a single head, but who talk things out still don't have problems with this kind of model. There need not be a matriarch or patriarch, just a working system. Further, proposing that you are either family members bound together or mere acquaintances (as you imply) is a false dichotomy. The communist model has worked well in the past for entire communities (hence the name). Tightly bound communities often act at least partially in this way, with everyone helping to raise the children of the others and communal resources like wells and public grazing shared by all.
A commune of even 50 or less could only work if it was under a strict authoritarian rule, such as the former tribes of American Indians.
That is an interesting assertion, but I disagree. Their is no reason a single ruler, rather than a town council or even a direct democracy cannot manage a communist community of some size.
There were once 105 people who formed an independent communist government in Massachusetts.
Anecdotal evidence is all well and good, but it hardly applies in this day and age and their is plenty of anecdotal evidence to show it did not apply in the past. Think of all the monasteries that flourished and flourish around the world.
This one paints the picture: "The women now went willingly into the field, and took their little ones with them to set corn; which before would allege weakness and inability; whom to have compelled would have been thought great tyranny and oppression."
This demonstrates that they lacked a proper decision making method and enforcement of equality, not that the model is flawed. I hardly think citations from a bunch of religious zealots who were exiled for their dangerously antisocial behavior is an appropriate test case.
Indeed, if the communities are families, that works great. It existed in America, until less than 100 years ago, when the "New Deal" enabled children to relinquish responsibility for their older parents, and move out with their own children. And subsequent changes in law and society made marriage itself no longer a permanent institution, and we became a nation of individuals, rather than families.
If the only reason you maintain family ties is because of legal repercussions, then the problem is a social one. Personally, I blame the impersonalization of relationships on the capitalist model, corporatism, and resulting social ramifications. People treat everyone according to the rules of self-interest just as they have been taught to for business. The phrase, "its just business" has caused more damage than anything else to American culture, justifying unethical behaviors every moment of every day.
Desperation does not lead to violence. Desperation leads to action. The nature of the action, especially desperate action, is the nature of the actor. No person who is immoral when they are poor becomes moral by becoming rich.
Since it is not the place of government to instill any given morality, nor is it the place of any other to make moral judgments for another, we must concentrate on preventing negative effects, not beliefs. Thus, regardless of whether the choice an individual makes is moral or ethical, if we can reduce violence by removing the need for individuals to make that choice, we have succeeded in our goal to reduce violence.
It is important not to fall into the trap of assigning blame, when looking to solve a problem. Look only at what can be done and what the results
I didn't claim communism required a single ruler, I claimed it required "authoritarian rule". Sure, a totalitarian democracy works just as well as a totalitarian autocracy. The point is that the state/commune must have complete power over the economic life of the individual. Either way, count me out.
While I grant that the Plymouth Pilgrims are but a single example, I would hardly characterize it as anecdotal evidence. It's a thoroughly documented experiment in self-governance among a group of isolated people who tried it both with and without communal property and production, with a bias toward making it work with communism. If I had said, "I knew this guy, and he joined a commune, and it didn't work out at all," that would be anecdotal evidence.
On the other hand, I know of not one example of an economically succesful or sustainable commune. Nor have I ever heard of a self-sustaining monastery. In all instances I'm aware of, monasteries (Egyptian, Christian or Bhuddist) are sustained by the outside community through either donations, offerings, or most often, some form of taxation. And they are always authoritarian.
Wow, who would have expected RELIGIOUS BIGOTRY from a COMMUNIST??? The Pilgrims were neither zelots, nor dangerous, nor antisocial, nor exiled. The Pilgrims' decision-making method was open public debate and a combination of majority vote and decisions by the elected leadership. As for "enforcement of equality," I have no idea what that means, but it certainly doesn't sound pleasant.
There is a need for violence?? The error is in thinking that violence has an economic cause. It does not. While I agree it's not up to the government to instill morality, immorality is nevertheless the cause of violence. While I also agree that it's the responsibility of the government to mitigate the effects of violence, that can only be done by the administration of justice, where by people who commit crimes are removed from the society -- not the falacious concept of economic justice, where people cease to be violent because they're given so much material wealth.
What the heck are you talking about?? That's capitalism!!! As soon as I finish making my surfboard, it's a work product that belongs to the collective to be distributed!! You're telling me I can not only make a surfboard and keep it but I can open a business selling surfboards for money??? How much money can I accumulate before they come to get me? Can I hire employees? Go multi-national? Sell stocks? Is this the new Chinese "communism"?
The point is that the state/commune must have complete power over the economic life of the individual.
Again, I disagree. To function a commune need only have complete control over shared resources, not all aspects of a person's economic situation.
On the other hand, I know of not one example of an economically succesful or sustainable commune. Nor have I ever heard of a self-sustaining monastery.
How odd. There are fourteen long running, well known communes in this particular town, the oldest of which dates back to the 50's. I used to live a few miles away from a communal monastery 600 miles from here that was entirely self-sustaining and in fact paid for their own land and buildings by selling crops they grew (honey, preserves, beer, wine, and other low volume goods). They sent money to their church every year in addition to providing for themselves (they even had a big screen TV).
And they are always authoritarian.
The local communes mostly follow a democratic model. New members need to be voted in by a majority and all decisions are democratic. Most of the people simply work normal jobs and donate an equal share of the communal money which goes into a fund that pays for the housing, utilities and food all of which can be bought cheaper in bulk. A few of the communes are wholly invested in that all moneys are pooled. All of them seem quite stable and have waiting lists to get in since it offsets so many of the high cost of living in the area.
Wow, who would have expected RELIGIOUS BIGOTRY from a COMMUNIST??? The Pilgrims were neither zelots, nor dangerous, nor antisocial, nor exiled.
It is true they were not exactly exiled, but they certainly were religious zealots by most definitions of the term. As for dangerous, ask the people and animals they hung for copulation. All of this is pretty academic, however. The point is, the society they lived in and the technological level of their society was quite different from society in the US today and thus using them as a test case provides far to many variables to be useful compared to the many more current examples.
(Note, I'm not exactly a communist, but rather someone who likes to evaluate all economic models and combinations of models. I've never seen any economy that did not blend elements of socialism, communism, and capitalism and any attempt to create one would likely be disastrous. It is my opinion that increasing the size of the communist cells we now have would probably be more efficient and beneficial. That no more makes me a communist than it makes me a socialist or a capitalist.)
There is a need for violence??
You seem to have misread my statements. I spoke of a need to make a choice to commit violence or not, not a need for violence which is outside the scope of this discussion.
The error is in thinking that violence has an economic cause. It does not.
Statistics show a strong correlation between violence and not only poverty, but wealth disparity in particular. Since wealth disparity has a common psychological effect and since modern sociologists have been able to study these traits numerous cultures including transitions of wealth disparity, I don't think it is at all reasonable to conclude that there is no economic cause of violence. In point of fact, reducing wealth disparity tends to greatly reduce violence.
While I agree it's not up to the government to instill morality, immorality is nevertheless the cause of violence.
It is pointless to argue morality. It is, by definition, subjective. As for common ethics, it is a matter of which ethical code is subscribed to. Shooting a rapist attacking you is violent. The ethics of it, however, are a matter of debate. None of this is an issue that can be solved by a government, however, which is why the government must balance freedom with practical effects upon living conditions.
While I also agree that it's the responsibility of the governm
Leave the security cameras on. ... you guessed it, the cleanup crew. I'm going in tomorrow to fix up the thing, and find out what the hell they were running, too. Man, it's weird to have that happen.
Very recently, only two people still have office keys to my boss' office - him and his secretary. They recently changed the locks due to some weird things going on. Well, now that he's conveniently out of town for the week, the secretary came in this morning to discover that some douche screwed with her computer, which is now acting funny and can't connect, whereas the others work just fine. No one else has the keys except
This 'buy-n-burn' mentality that our "throw-away" society has recently come up with in the workforce is the dumbest thing yet to come out of our USA (well, actually destroying our natural resources is the stupidest. Even the programmers of C&C had that figured out; you get more $$ if you sustain your natural resources rather than pull 'em all up out at once, attack everything, go broke, and get slaughtered like a moron, but the GNP doesn't account for that at all.), and our country has done some really stupid and spiteful shit in the past. More burnout in employees means more espionage and you end up with a bunch of vengeful ex-employees preying on unhappy current employees. How stupid is that? I'm not bitter, really!!!
--I gots 99 problems but a new machine ain't one!
AMD! Asus! Whoot! 6 years!