Slashdot Mirror


Nine Ways to Stop Industrial Espionage

An anonymous reader writes "IT staff are in the unique position that if they are nosy, immoral, greedy or corrupt they can get at what they want within their company at the touch of a button. The corporate crown jewels are usually left open and exposed to the IT guys. So how do you protect your corporate crown jewels from staff that can so easily be bribed to steal them and hand them over to a competitor?" I can't imagine having to be paranoid about employees. That seems to me to be a bigger problem than hardware.

7 of 351 comments

  1. Article text by Anonymous Coward · Score: 3, Informative

    Clicky clicky page impressions clicky clicky. Or just read it here:

    ---

    Nine Ways to Stop Industrial Espionage
    by Calum Macleod - European Director of Cyber-Ark - Wednesday, 2 August 2006.

    If we're honest every one of us imagines what we'd do with a few million in the bank. The yacht in Cannes, the private jet in Nice, possibly our own football team, and maybe a few other high maintenance accessories top our list of must-haves. But of course the question is how to get there. Working till I'm too old to enjoy it is one option but of course there is an alternative; the lottery, online poker, a rich widow, stocks and shares - increasingly risky these days - or why not simply help myself to something very valuable.

    After all if I'm working in IT I probably have access to the corporate crown jewels. And that could be anything; source code for the next money spinning application that will be released, credit card details for thousands of customers. Recently a Coca-Cola employee and two accomplices were arrested in Atlanta for allegedly stealing confidential information from Coca-Cola and trying to sell it to PepsiCo.

    In fact it's actually quite easy because if I'm working in IT I have access to systems with all kinds of privileged information. Here is my employer thinking that his M&A data is safe and I'm allowed free access to the servers storing the data. I can help myself to whatever I want and no one will ever know. And of course it's much easier now than it was when I first started this job. Then I somehow had to get out of the building with everything under my arm, but now I have dozens of ways to get it out. Just make my choice - mobile, USB stick, email attachments, VPN access from home and no one will ever know! And of course it may not even be my employer, just some company that we provide outsourcing services for - it's never been easier!

    The problem often lies in the fact that we are constantly tempted because the corporate jewels are literally just lying around where anyone can find them. The problem for today's enterprise is that the transfer of information is increasingly time-critical and the traditional approaches such as FTP and secure email are awkward to manage, and often lack the security mechanisms that sensitive data demands, thus making the risk of leakage very possible. And where it becomes really challenging is when you need to share information with business partners. So here are a few suggestions.

    Do not expose your internal network

    The process of transferring files in and out of the enterprise must be carried out without exposing and risking the internal network. No type of direct or indirect communication should be allowed between the partner and the enterprise.

    Make sure that intermediate storage is secure

    While information is waiting to be retrieved by the enterprise or sent to the business partner, it must reside in a secure location. This is especially critical when the intermediary storage is located on an insecure network, such as the enterprise's DMZ, outsourced site, or even the internet.

    But encryption and other security mechanisms are not helpful if the security layers where the data is being stored can be circumvented, for example by a systems administrator. Encryption is good for confidentiality, but does not protect data from intentional deletion or accidental modifications. It is important to have a single data access channel to the storage location and to ensure that only a strict protocol, one that prohibits code from entering, is available for remote users. In September 2004, an unauthorized party placed a script on the CardSystems system that caused records to be extracted, zipped into a file, and exported to an FTP site. The result was the exposure of millions of credit card details and the eventual demise of CardSystems.

    Ensure that Data at Rest is protected

    The cornerstone of protecting storage while at rest is encryption. Encryption ensures that the data is not readable and

  2. Learn what you're up against by b1t+r0t · Score: 4, Informative

    The first thing to do is to read the extensive documentation on this subject.

    If it's possible, the BOFH has already done it.

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
  3. Codes of conduct by cmaxx · Score: 2, Informative

    I don't know about other folk, but I subscribe to these:

    http://www.acm.org/constitution/code.html
    http://www.sage.org/ethics.mm

    Ask your IT colleagues if they've heard of them.

    --
    ...an Englishman in London.
  4. Re:Who implements these nine ways? by Cederic · Score: 2, Informative

    Person A implements control X.
    Person B independently reviews it, checks for backdoors, etc.
    Person C builds the software on machine Y.
    Person D deploys the software in production.
    Person E generates the necessary keys and puts them on machine Z and in the safe (to avoid inadvertent data loss).

    Without the keys, nobody can get at the data. The only person with the keys is person E, but they don't have access to the code, and can't deploy code onto the production machine.

    As an IT person I _want_ controls like these in place. I want to have to think very very hard about how I'd compromise my own systems, and then I want to put in place measures to prevent that.

    Obviously the extent and cost of such measures is directly related to the value of the data in question.

    I certainly don't trust my IT staff.
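    The five-person scheme in this comment is a separation-of-duties matrix. As an added example (not code from the thread or from Cyber-Ark), here is a small Python checker that flags any one person holding two duties the scheme keeps apart; the duty names, the conflict pairs and the sample assignments are assumptions chosen to mirror persons A to E above.

```python
# Added example: separation-of-duties checker modelled on the five-role scheme
# in the comment above. Duty names and conflict pairs are assumptions.
from itertools import combinations

REQUIRED_DUTIES = ("implement", "review", "build", "deploy", "keys")

# Pairs of duties that must never be held by the same person (assumed from the
# comment: reviewer independent of author, builder does not deploy, key holder
# has neither code access nor production access).
CONFLICTS = {
    frozenset({"implement", "review"}),
    frozenset({"implement", "build"}),
    frozenset({"implement", "deploy"}),
    frozenset({"build", "deploy"}),
    frozenset({"implement", "keys"}),
    frozenset({"review", "keys"}),
    frozenset({"build", "keys"}),
    frozenset({"deploy", "keys"}),
}


def sod_violations(assignments):
    """Return sorted (person, duty_a, duty_b) triples for every conflicting
    pair of duties held by one person. assignments: {person: iterable of duties}."""
    found = []
    for person, duties in assignments.items():
        for a, b in combinations(sorted(set(duties)), 2):
            if frozenset({a, b}) in CONFLICTS:
                found.append((person, a, b))
    return sorted(found)


def uncovered_duties(assignments, required=REQUIRED_DUTIES):
    """Duties nobody holds: a control that is assigned to no one is not in place."""
    held = {d for duties in assignments.values() for d in duties}
    return sorted(set(required) - held)


# Constructed sample data: GOOD matches the comment's A..E split; BAD lets
# one person build and deploy, and another deploy and hold the keys.
GOOD = {"A": ["implement"], "B": ["review"], "C": ["build"],
        "D": ["deploy"], "E": ["keys"]}
BAD = {"A": ["implement"], "B": ["build", "deploy"], "D": ["deploy", "keys"]}

if __name__ == "__main__":
    for name, table in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "violations:", sod_violations(table),
              "uncovered:", uncovered_duties(table))
```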

  5. Re:Narrowminded author by riffer · Score: 2, Informative
    My wife worked for Nationwide for many years, doing some word processing initially and then application processing.
    She, along with all the other employees in her teams, had no Internet access. In fact, all messaging was done internally with some sort of horrid AS/400-based application.
    After a few years, employees were granted the ability to send and receive Internet e-mail. But only because it became impossible for them to do their jobs. However, they still did not have access to browse the net in any way.

    Of course managers did have such access as did agents and others who'd need to use it. But for the low-level paper-pushers, it really wasn't necessary, and it's a smart move on Nationwide's part to prevent it.

    Of course their employee morale sucks and my wife left because of the general mis-treatment of employees, so it can backfire on you. Like any policy.

    I don't think the author was narrowminded because they were focusing on espionage, so the primary concern was protecting the data from abuse by IT professionals, not just general security practices. I'll agree he should have mentioned something about role-based access controls, though.

    --
    In the darkness of future past, The magician longs to see. One chants between two worlds, "Fire, walk with me!"
  6. Re:Trusting the temps by scatters · Score: 2, Informative

    Particularly when the company in question has a very clearly articulated sexual harassment policy. Used to work for HP, so I know this for a fact.

    --
    A One that isn't cold, is scarcely a One at all.
  7. Re:Your staff are the jewels... Communism by E++99 · Score: 2, Informative

    Communism is more efficient for small units than capitalism, but breaks down when the units get too large. For example, very few people would argue that capitalism is a good model within a family unit...Communities of a few hundred people that formed communes could share resources, without running into the pitfalls of communism on a large scale.

    With a family unit, absolutely. But in a family unit, there is typically a head of the household who is ultimately responsible for the family's economic wellbeing, who will impose work upon family members who should be contributing, but are not. Beyond that, family members have a different kind of moral responsibility to each other than do mere acquaintances, which makes this relationship more fitting.

    But a commune of hundreds?? A commune of even 50 or less could only work if it was under a strict authoritarian rule, such as the former tribes of American Indians. But that would not be compatible with the taste we've developed for freedom and individuality. But even that wouldn't likely be efficient enough to let people survive. There were once 105 people who formed an independent communist government in Massachusetts. They were extraordinarily industrious and religious people. Yet after a couple years, very many had starved to death, and after some debate on how to manage to stop starving to death, their governor, William Bradford, wrote that, concerning their system of communism, "it was found to breed much confusion and discontent and retard much employment that would have been to their benefit and comfort." So he parcelled up and distributed ownership of the land to the families, making each responsible for their own production. The result was that "much more corn was planted than otherwise would have been," and they recovered, and thrived, invented Thanksgiving Day, yadda yadda, and went on to become the world's only superpower. (For non-(or ill-educated-)Americans, I'm talking about a group of families who called themselves Pilgrims and wore funny hats, who in 1620 procured a ship called the Mayflower, and established England's first colony in America, at Plymouth.) Bradford expressed some amazing insights, 300 years before communism became all the rage.

    This one paints the picture: "The women now went willingly into the field, and took their little ones with them to set corn; which before would allege weakness and inability; whom to have compelled would have been thought great tyranny and oppression."

    And: "The experience that was had in this [communist system], tried sundry years and that amongst godly and sober men, may well evince the vanity of that conceit of Plato's and other ancients applauded by some of later times; that the taking away of property and bringing in community into a commonwealth would make them happy and flourishing; as if they were wiser than God."

    And: "If [communism] did not cut off those relations that God hath set amongst men, yet it did at least much diminish and take off the mutual respects that should be preserved amongst them. And would have been worse if they had been men of another condition. Let none object this is men's corruption, and nothing to the [system] itself. I answer, seeing all men have this corruption in them, God in His wisdom saw another [system] fitter for them."

    I'd love to see a society try the model of thousands of communities who share resources competing with one another in a capitalist market.

    Indeed, if the communities are families, that works great. It existed in America, until less than 100 years ago, when the "New Deal" enabled children to relinquish responsibility for their older parents, and move out with their own children. And subsequent changes in law and society made marriage itself no longer a permanent institution, and we became a nation of individuals, rather than families.

    A social safety net prevents desperation, which leads to violence and other n