Nine Ways to Stop Industrial Espionage
An anonymous reader writes "IT staff are in the unique position that if they are nosy, immoral, greedy or corrupt they can get at what they want within their company at the touch of a button. The corporate crown jewels are usually left open and exposed to the IT guys. So how do you protect your corporate crown jewels from staff that can so easily be bribed to steal them and hand them over to a competitor?" I can't imagine having to be paranoid about employees. That seems to me to be a bigger problem than hardware.
Backed up data is especially vulnerable. In many environments, while a lot of work is done on network security, secure management of backup data is not given due concern. Since backup data sometimes has all of the important information in a single place, it is a juicy target for espionage. Data should be encrypted while moving to a backup server (especially while using an online backup service over the internet) and definitely encrypted while it is stored on the backup media (tape, CDs etc.).
Amanda: Open Source Backup Software
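The commenter's point about encrypting backups before they reach the backup server, as an added Go example that is not code from the thread or from Amanda: AES-256-GCM seals the archive on the source host, the key never travels with the data, and any modification of the stored blob makes the restore fail instead of quietly returning altered data. The archive contents are a constructed stand-in, and keeping the key somewhere other than the backup server is assumed rather than implemented.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewBackupKey returns a random 256-bit key. It belongs to the data owner and
// lives in a key manager or with custodians (assumed), never on the backup server.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// EncryptBackup seals an archive with AES-256-GCM before it leaves the host,
// so the backup service and the media it writes to only ever hold ciphertext.
// Output layout: nonce || ciphertext || GCM tag.
func EncryptBackup(key, archive []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per archive; it is prepended because the restore
	// side needs it, and it does not need to be secret.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, archive, nil), nil
}

// DecryptBackup opens a blob from EncryptBackup. Because GCM authenticates the
// ciphertext, a blob altered on tape, on disk or in transit is rejected
// outright instead of being restored as silently corrupted data.
func DecryptBackup(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("backup blob shorter than a nonce")
	}
	nonce, sealed := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a backup archive.
	archive := []byte("constructed sample: payroll.csv, contracts/acme.pdf, crm.db")
	blob, err := EncryptBackup(key, archive)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(archive), len(blob))

	plain, err := DecryptBackup(key, blob)
	fmt.Println("restore with the right key:", bytes.Equal(plain, archive), err)

	// Flip one byte of the stored copy: the restore fails closed.
	blob[len(blob)-1] ^= 0x01
	_, err = DecryptBackup(key, blob)
	fmt.Println("restore of tampered blob:", err)
}
```

The same shape works for a streaming backup (seal each chunk with its own nonce); what matters is that the sealing happens before the bytes hit the network or the media, and that the administrators of the backup system never hold the key.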
A company is worthless without its employees. Select good people, pay them well and treat them fairly. Next question... How do you remove paranoid executives from positions of power and stop them from inflating operating costs through needless and morale busting authoritarian technology.
"Don't you know you're going to shock the monkey?"- Peter Gabriel
It also says to completely separate the outside and inside network, which means that employees have no email, no google, no internet access at all.
It mentions nothing about compartmentalized access rights to various databases, with a different division of admins having responsibility and access to only their systems.
In fact, all it does talk about is transmission interception (which is much less common than those problems mentioned above), and data security.
"that can so easily be bribed to steal them and hand them over to a competitor"
Here is an idea. Pay them enough that this isn't a real temptation. Risking it all on a fast score isn't worth it, if you will be risking much.
I will not mourn that which I never had to lose. - Unknown
The author obviously is not an expert in his field. I was having my doubts when he was suggesting that administrators ought not to be able to delete content in intermediate storage. Then came the final blow: he suggested using AES for data signing. AES is symmetric and not suitable for that task.
LedgerSMB: Open source Accounting/ERP
They missed one biiiiig issue there... In the US, Europe, Japan and Australia, there are good laws that they can use to come after you... If you move work to India, China or similar, it's virtually impossible to get anything from that individual - hence the person has much less worry about doing something illegal...
Peter.
Don't forget that unlimited knowledge also endangers the IT workers. It doesn't matter if you're a former boy scout if some bad guys want the information badly enough to threaten your family... and don't think that there aren't such people out there.
Security people know this. They know the only real solution is being very transparent about the fact that the IT person can't help them no matter how much pressure is applied.
It's easier for us to think about the corrupt employee since, gosh, we would never hire him. Nobody is safe from somebody willing to use violence to get what they want, and that's a scary thought.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
That is what we do in my shop. Usually there are still some people who can wreak havoc on things...esp. people who know what they are doing.
From my personal experience, unless properly implemented...which it usually isn't, separation of duties is just a joke for security and makes legitimate work take 2x as long.
People try to make everything a technical problem, which is really the wrong approach. This ain't something you're gonna fix with fancy access control and slick hardware. No matter what you do (separation of duties, cryptography, trusted operating systems), all you'll succeed in doing is making life more annoying for your regular users, and demonstrate a huge lack of trust of your employees.
If you really want a solution, it's got to be as much policy as it is technology. I'd start with, oh, making your employees sign an NDA, and making sure they're aware of what is a company secret (most companies like Apple, Sun, IBM, etc, have classifications just like the government, e.g. "Apple Secret", "Sun Top Secret"). Make sure they know what those secrets mean, e.g. "Our documents labelled Top Secret will probably cause us to lose our dominant position in the market if leaked." Then, you implement auditing on your data storage. If your IT guys start reading company business strategy memos off the file server, you probably won't catch them when it happens. But if it becomes obvious that those memos were leaked, you can go back through the audit logs and see if anyone read them that shouldn't have, and act appropriately (though don't just assume that that person leaked the info).
Bear in mind that the technical part of this 'solution' will probably fail. What you're trying to do is paradoxical. You're saying, "I ultimately trust these guys with the security of all of my information, but I don't completely trust them with the security of all of my information."
The Right Reverend K. Reid Wightman,
Background checks and references will solve nearly all bad egg problems. The IT people I've worked with through the years take the security and safety of data as a matter of personal pride. No one is going to pwn3d our machines or data, dammit! The problem we've had in corporate America is dishonesty at the executive level, that's cost us tens of billions. IT people just mainly need to not get lazy about security practices and updates, and not let employees do that either, that's the biggest issue with corporate data today.
I am someone who is currently interning for a large Fortune 500 tech company who is about to do some drastic changes to the way we do our business (today, actually). There's some serious layoffs going down here, guaranteed. The business and marketing folks are as good as out the door. Us tech guys? Pfft, nothing to worry about. The fact is the reason your tech guys have you by the proverbial balls is because you're not educated enough to do their job. Heh, but the fact is, most anyone who has PowerPoint and mediocre social skills can do your job. They reach their glass ceiling long before you do, however. They picked a trade with high security and low possibility of advancement. You picked a field with low security but high possibility of advancement. You can't have both unless you run your own business. Sorry.
If you're paranoid about your employees, then they are unhappy with you. The nature of most people is to be faithful to good leaders. Sure, there are exceptions to this rule, but I think it's pretty clear to me, that you do not have the faith of those you manage. Either that or you do not have faith in those you manage. The two generally play hand in hand. I'm with CmdrTaco on this one... I can't imagine having to be paranoid about those on your payroll. Remember, you have the power, and tech guys are becoming more and more common each day. Make them happy with you and then you'll have little to worry about. Make them happy with your company and then you'll have little to worry about.
And the #1 reason most SA's and programmers get frustrated with managers? The internal policy inhibits innovation instead of improving it. I had a manager whose personal policy was "to hell with policy" and I gotta say, he was the best boss I ever had. I know, for myself, if I want to do the best job I can. If policy interferes with that, then I feel as though I'm doing a bad job against my will. If this continues, yes, I'll hate my job, and I'll feel like it's the company's/manager's fault.
I rambled a little, but hopefully you can garner some advice from that.
Finder of the any key.
Espionage is a real concern. But the solutions in this article are worse than the problem. The real solutions include:
1) Mandatory Access Controls (for example SELinux) on systems that hold confidential information.
2) Data encryption for confidential information using public/private key encryption. AES is NOT an answer here though you can use it for session encryption with Diffie-Hellman, etc. if necessary.
3) Training and loyalty of employees is critical.
4) Separation of duties, powers, and responsibilities.
But I guess this is harder than just throwing technology at such a problem.
LedgerSMB: Open source Accounting/ERP
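Both the comment above (point 2) and the earlier one objecting to AES for "data signing" make the same point: a symmetric key cannot prove who produced a document, because anyone who can check it can also create it. An added Go example, not code from the thread or from LedgerSMB, shows this with HMAC-SHA256 (any symmetric MAC, AES-based ones included, behaves the same way): the verifier holding the shared key can mint a valid tag for text the author never approved, while with an Ed25519 signature the verifier holds only the public key and cannot. The memo text and the shared key are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SymmetricTag authenticates msg with HMAC-SHA256 under a shared key. Any
// symmetric scheme (an AES-based MAC included) has the property shown here:
// the key that checks a tag is the key that makes one.
func SymmetricTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// SymmetricVerify compares in constant time. Note that it needs the very
// same key SymmetricTag used.
func SymmetricVerify(key, msg, tag []byte) bool {
	return hmac.Equal(SymmetricTag(key, msg), tag)
}

// Signer holds an Ed25519 key pair. Only the private half ever signs.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

func (s *Signer) Sign(msg []byte) []byte { return ed25519.Sign(s.priv, msg) }

// Public is what the author hands to auditors: enough to verify, not to sign.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// AuditorForgesSymmetric models an auditor who was given the shared key so he
// could check tags. He can also produce a valid tag for text the author never
// wrote, so a symmetric tag proves nothing about who authored a document.
func AuditorForgesSymmetric(sharedKey []byte) bool {
	forged := []byte("constructed: approve release of the Q3 strategy memo")
	return SymmetricVerify(sharedKey, forged, SymmetricTag(sharedKey, forged))
}

// AuditorForgesAsymmetric models the same auditor holding only the public key.
// Without the private key the only option is to guess a signature, and a
// random 64-byte value does not verify.
func AuditorForgesAsymmetric(pub ed25519.PublicKey) bool {
	forged := []byte("constructed: approve release of the Q3 strategy memo")
	guess := make([]byte, ed25519.SignatureSize)
	if _, err := rand.Read(guess); err != nil {
		return false
	}
	return VerifySignature(pub, forged, guess)
}

func main() {
	sharedKey := []byte("constructed-shared-key")
	fmt.Println("auditor can forge with a shared (symmetric) key:", AuditorForgesSymmetric(sharedKey))

	author, err := NewSigner()
	if err != nil {
		panic(err)
	}
	memo := []byte("constructed: Q3 strategy memo")
	sig := author.Sign(memo)
	fmt.Println("auditor verifies the author's signature:", VerifySignature(author.Public(), memo, sig))
	fmt.Println("auditor can forge with only the public key:", AuditorForgesAsymmetric(author.Public()))
}
```

The practical consequence for the thread's scenario: if "signing" is meant to show later that a document was not altered by an administrator, the verification key must be one the administrator cannot also sign with, which is exactly what a public/private pair gives and a symmetric AES key does not.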
Studies have shown the most effective deterrent to theft is moral/ethical. If an employee has a good relationship with the company and their managers then they are unlikely to steal from the company, even if they know they won't be caught. If you treat your employees well, are understanding about their problems, and cultivate your relationship you have little to worry about. Talk to them and learn what their goals are and help them achieve them. Do they want to move up into management? Do they want to go to night school and become a programmer or a public relations person? Help them do it. If your employee has money problems, you should be the first person they come to, confident that you will help them work it out either with financial counseling, a pay raise, saving them money by letting them telecommute, or even loaning them the money they need and repaying it from their wages. Your employees should not live in fear of being fired or laid off. If they aren't working out they should know you will talk to them and come up with either a new position for them in the company or help them find work elsewhere, while keeping them on in the mean time. Employees should know they are trusted, for breaking that trust is a deterrent. Employees should have a stake in the company, either stock or a bonus plan so they feel their hard work and good behavior means something.
If all of the above is taken care of, your employees will be a lot less likely to steal or do anything else to put the company out (like quit without notice). There is always the rare anti-social personality disorder, but that is a pretty rare case. If, however, you develop a "strictly business" relationship with your staff that is mercenary and impersonal you may have problems. When people don't care about their employer or dislike their employer and feel that they are in danger of being fired at any time, or their job outsourced, they will respond in kind. If the only reason you pay them is because it makes you more money in the long run, why shouldn't they sell the customer database or source code? If you hire mercenaries and treat them like mercenaries, don't be surprised when they act in their own best monetary interest.
If you decide to treat your employees like you are at war with them and need to be defended against them, you're likely to have more problems than any technical solutions you implement will benefit you. There are products that will build a relational model of your network and log all traffic and access to resources based upon DHCP IDs and the like. Between such a system and a good set of untouchable logs for your access controls you can develop an independent group to monitor your staff. If you really need it though, your company is already pretty doomed as your employees probably don't care anyway and are just doing the minimum necessary to get paid.
Hire honest staff and treat them like human beings so they're not inclined to rip you off. If you catch someone ripping you off, press charges.
You can also create audit trails logging to multiple machines, each controlled by a different employee so that a conspiracy would be needed to avoid being caught. Reading and understanding those logs is, however, very expensive. It's also the kind of mind-numbing job that could leave an otherwise honest IT employee open to committing theft.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
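Two ideas from the thread fit together here: going back through file-server audit logs after a leak to see who read a document (the earlier comment on auditing), and keeping the logs on several machines under different people so that a conspiracy would be needed to alter them (the comment above). An added Go example, not code from the thread, combines them in a hash-chained audit log: each entry commits to the hash of the one before it, Verify catches an edit to a single copy, Diverges catches a copy that was quietly re-chained after a deletion by comparing it with another custodian's copy, and WhoRead answers the post-leak question. The access lines are constructed samples, not real log output.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is one file-server access record. Each entry commits to the hash of
// the previous one, so editing or dropping a record breaks every later hash.
type Entry struct {
	Seq    int
	User   string
	Action string // "read" or "write"
	Path   string
	Prev   string // hex hash of the previous entry, "" for the first
	Hash   string
}

func hashEntry(seq int, user, action, path, prev string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s|%s", seq, user, action, path, prev)))
	return hex.EncodeToString(sum[:])
}

// AuditLog is one copy of the chain. In the scheme described in the thread a
// copy is kept on each of several machines, each run by a different employee.
type AuditLog struct{ Entries []Entry }

func (l *AuditLog) Append(user, action, path string) {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	seq := len(l.Entries)
	l.Entries = append(l.Entries, Entry{seq, user, action, path, prev, hashEntry(seq, user, action, path, prev)})
}

// Verify recomputes the chain and returns the index of the first entry that
// does not fit, or -1 if this copy is self-consistent.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		if e.Seq != i || e.Prev != prev || e.Hash != hashEntry(e.Seq, e.User, e.Action, e.Path, e.Prev) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Diverges returns the first index at which two copies differ, or -1. A copy
// re-chained after a deletion passes Verify on its own but is caught here
// unless every custodian's copy was changed the same way.
func Diverges(a, b *AuditLog) int {
	for i := 0; i < len(a.Entries) || i < len(b.Entries); i++ {
		if i >= len(a.Entries) || i >= len(b.Entries) || a.Entries[i] != b.Entries[i] {
			return i
		}
	}
	return -1
}

// WhoRead lists, in order of first appearance, every user that read path.
func WhoRead(l *AuditLog, path string) []string {
	seen := map[string]bool{}
	var users []string
	for _, e := range l.Entries {
		if e.Path == path && e.Action == "read" && !seen[e.User] {
			seen[e.User] = true
			users = append(users, e.User)
		}
	}
	return users
}

// ParseLine ingests a constructed "user action path" line into the log.
func ParseLine(l *AuditLog, line string) bool {
	f := strings.Fields(line)
	if len(f) != 3 {
		return false
	}
	l.Append(f[0], f[1], f[2])
	return true
}

func main() {
	// Constructed sample access lines, not real log data.
	sample := []string{
		"alice read /strategy/q3-memo.doc",
		"bob write /hr/salaries.xls",
		"carol read /strategy/q3-memo.doc",
		"alice read /hr/salaries.xls",
	}
	primary := &AuditLog{}
	for _, ln := range sample {
		ParseLine(primary, ln)
	}
	// Second custodian's copy, taken while both copies agreed.
	replica := &AuditLog{Entries: append([]Entry(nil), primary.Entries...)}
	fmt.Println("readers of the memo:", WhoRead(primary, "/strategy/q3-memo.doc"))

	// One record on the primary copy is altered after the fact.
	primary.Entries[2].User = "nobody"
	fmt.Println("primary chain breaks at entry:", primary.Verify())
	fmt.Println("replica intact:", replica.Verify() == -1, "copies diverge at:", Diverges(primary, replica))
}
```

The comparison between copies is the part that implements "a conspiracy would be needed": one custodian can rewrite his own copy and re-chain it, but the discrepancy with the others' copies is mechanical to find, which is also what keeps the log-reading job from being the mind-numbing manual task the comment worries about.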
This reminds me of an old cartoon, two pirates are burying a treasure chest on the beach. The pirate Captain is standing watch while holding a gun behind his back. The pirate crewman is down in the hole, digging. He looks up and says, "Just think cap'n, you and I will be the only ones who know where the treasure is buried!"
try { do() || do_not(); } catch (JediException err) { yoda(err); }
I cannot fathom the damage this shall do to one's self-esteem, both for the typer and the typee!!!
At least, shoveling out outhouses or peeling 1 ton of potatoes has a purpose that is easily understandable...
Problem of course is the definition of "shit".
Management may feel they are being extremely generous and catering to the whims of many employees while the employees feel they are being ignored and abused. Communication? Naa. The employees in this kind of situation are sure that management isn't listening and doesn't really care.
This is the situation in probably 70-80% of the companies I have ever had any dealings with. When it gets real bad stuff develops legs - i.e., things disappear out the door seemingly all by themselves. Computers. Office supplies. Lamps. Pictures on the wall. Just about anything.
Management then realizes something is going on and needs to make drastic changes. Which, of course, piss people off even more.
At no point does either side communicate until about 80% of the staff has been replaced.
"The business and marketing folks are as good as out the door. Us tech guys? Pfft, nothing to worry about. The fact is the reason your tech guys have you by the proverbial balls is because you're not educated enough to do their job. Heh, but the fact is, most anyone who has powerpoint and mediocre social skills can do your job."
This kind of self-aggrandizing claptrap is just annoying. There's no way you could do their jobs. You suffer from the delusion that anything that isn't technical is simple.
Why is it that when people say, "the fact is", "the simple truth is", or "the reality is", they're almost always wrong about the topic under discussion?
Well, one way would be to not treat them like crap. Sorry to say, the IT people shoulder the brunt of user frustration. And maybe that's part of the job. But between being bitched at by morons who are probably the cause of the initial problem, being on-call whenever, wherever, and living with the constant fear of contractual replacement (as is the case in many support positions) or just plain old outsourcing. . . look. Businesses don't want to deal with the fact that their employees are people. You can't put that on a quarterly report, and it's not really something that most company policies I've come across take into account. But the ONLY way you're ever going to keep that sort of information secure is to make sure that your IT people wouldn't even dream of stealing it, tampering with it, or auctioning it off to the highest bidder. You have to make sure they don't want to do that kind of thing. And when you're trying to build loyalty and trust, the carrot goes a lot farther than the stick.
Terrorists and politicians trying to get bills passed also likely have a saying:
It doesn't matter how many times you fail; you only have to succeed once.
Check out my sci-fi/humor trilogy at PatriotsBooks.
If you have bad people on your IT team, then you are fucked. It doesn't matter if you encrypt the data for backups. What about all the data that is being accessed all day long by various departments? The data is in a production environment and is, (as it needs to be) readily available to IT staff. (Think: "Help, my access to a deep share on the X drive has been dropped, please remap!") I have access to it all. If you are worried about bad employees then you should try a little harder to NOT hire them in the first place! I don't fuck around with data at work because I have morals and I don't want to get fired and or go to jail. Some people do not think this way. It is HR's job to weed these people out. Now, there is ALWAYS the exception where a good employee becomes disgruntled and does something stupid as retribution, but wtf are you gonna do? Tie everyone's hands so that it makes their job harder, and less productive than it already is? I am a BIG fan of monitoring employees' actions. I do not feel it is an invasion of my privacy. In fact I feel more secure and comfortable knowing that I am not going to be blamed for something because there is always some record of where I've been and what I have done. Besides, I don't own ANY of the hardware/software here, so who the hell am I to complain. Sometimes, Big Brother will save your ass!
"Patience is not a virtue, it's a waste of time."
So, a word to the wise young people, don't put clearly inappropriate things on your work computer that the company pays for.
This just isn't true.. Places who treat their workers badly tend to have a high employee churn and that costs the business dearly in the long run especially if it's technical staff who keep leaving. It also costs them in reputation with other businesses because they usually try to screw them too. You on the other hand have a reputation to maintain and I can tell you a good reputation is worth gold when it comes to finding new work. Take me for example.. I have a former employer who owes me about $20K right about now. I could have been a jerk about it.. shut down all his servers, sabotaged his business but I didn't. Turns out that benefited me in the long run since my current employer talked to a supplier of my former boss and got a glowing report back. That job may have sucked but this job is finally a place that treats me properly and gives me work I enjoy doing.
But someone has to keep the private keys. Do you trust that person? Is it practical to have only one person controlling the keys? If they are out of town and you need to do a restore, you're screwed.
Anyway, none of this does any good if the admin can access the data as it is in production. Going through a backup would be an unnecessary setup for most IT admins. I mean, if you know exactly what you want, just go in and copy it from the server.
I suppose you could go and implement security such that nobody has full access to the systems, but at some point you're just making it difficult for people to get their work done. I'd certainly never put up with it.
-matthew
"THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
I suggest that
Which of these two points is immoral in any way?
So which one is it? Are we civilized or thieves, murderers and rapists?
Try to understand. I'm not advocating any course of action. I am simply saying that there is a price for sticking to non-confrontational methods. That price is that it leaves you defenseless against evil - the thieves, murderers and rapists, and oh yes, ruthless employers.
Choose whatever path you want, but don't do so just because a path had a witty saying as an advertisement; instead, carefully consider the likely consequences and requirements of each path.
But apparently the employee owes loyalty to his employer, to not sell him out to the highest bidder, and to the world, to not screw it up for his own profit, despite them owing him nothing. Funny how the responsibilities come up when talking about the employees, but employers can outsource all jobs to India and fuck their employees and that's just business like usual.
If the world owes you nothing, then you owe nothing to the world. If you owe something to the world, then the world owes you something. A relationship where only one party has responsibilities is unfair, and no one has a duty to uphold his end of an unfair relationship - the only exception being parents and really young children.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Mod the parent up?
I can't agree more. IT people bear the load of clueless PHBs all the time and it's usually the clueless PHB who does things that break everything then bitches at IT when it takes a while to fix.
Treat your IT staff like gods, for that is what they are. Without them your technology company will fail. Pay them well, for they deserve it; if they make one 2AM trip to the office a year because someone working late bollocksed something on the day of a project deadline then the increased salary is worth it. Paying them minimum/market salary for their position won't inspire loyalty. It will just keep them looking for a better offer. Go 20% above average and you'll see more loyalty.
Include benefits. Pay for their mobile phone, get them a good one that they choose. Pay for their Internet access at home - it will pay for itself when you avoid some of those 2AM callouts. Get them a killer laptop PC. Keep it updated. If they are making a lot of callouts get them a company car; even a small runabout will make them happy if they don't have to wear out their own pride and joy coming into work out of hours.
Also, get more IT staff. We have 2 people in our building servicing about 25 people. They are kept reasonably busy but not too busy that there isn't time for them to duck out here and there and manage their lives or take a day of leave here and there.
Give them the flexibility to do their job. They need an expense account and the ability to make (justified) purchases without the messing about of manager approval (i.e. replacing dead components). Obviously there has to be limits set there, i.e., any purchase over $500 should require a manager's signature. Red tape for run of the mill tasks is just annoying and is a good reason for IT staff to move elsewhere; if they feel you want to oversee every little purchase they make they will feel like you're reserving the right to second-guess them.
That brings me to the final part... trust them. Trust is reciprocated. If you don't trust them, they won't trust you. If you trust them a reasonable amount they will feel more comfortable about trusting you in return. If they feel you don't trust them they will start to be surreptitious in their dealings and you will lose visibility into what they're doing.
Finally, if it's that important that IT shouldn't be exposed to it then encryption can help. If it's already coded by the time it gets to the network/disk then they won't be able to access or sell it anyway.
Make sure you have good justification for that when you do it; the HR database with everyone's personal details is one good example of something that you could justify encrypting because the details are private and even IT doesn't have a right to see other employees' details.
I drink to make other people interesting!