Slashdot Mirror


Nine Ways to Stop Industrial Espionage

An anonymous reader writes "IT staff are in the unique position that if they are nosy, immoral, greedy or corrupt they can get at what they want within their company at the touch of a button. The corporate crown jewels are usually left open and exposed to the IT guys. So how do you protect your corporate crown jewels from staff that can so easily be bribed to steal them and hand them over to a competitor?" I can't imagine having to be paranoid about employees. That seems to me to be a bigger problem than hardware.

25 of 351 comments

  1. Keep them happy? by BlackCobra43 · · Score: 5, Funny

    I suggest a steady supply of red Swingline staplers.

    --
    I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
    1. Re:Keep them happy? by Joe+The+Dragon · · Score: 4, Funny

      and no TPS reports

    2. Re:Keep them happy? by neonprimetime · · Score: 4, Funny

      But from a corporate perspective, Red Swingline staplers are a fire hazard.

    3. Re:Keep them happy? by Aden_Nak · · Score: 5, Insightful

      Well, one way would be to not treat them like crap. Sorry to say, the IT people shoulder the brunt of user frustration. And maybe that's part of the job. But between being bitched at by morons who are probably the cause of the initial problem, being on-call whenever, wherever, and living with the constant fear of contractual replacement (as is the case in many support positions) or just plain old outsourcing. . . look. Businesses don't want to deal with the fact that their employees are people. You can't put that on a quarterly report, and it's not really something that most company policies I've come across take into account. But the ONLY way you're ever going to keep that sort of information secure is to make sure that your IT people wouldn't even dream of stealing it, tampering with it, or auctioning it off to the highest bidder. You have to make sure they don't want to do that kind of thing. And when you're trying to build loyalty and trust, the carrot goes a lot farther than the stick.

    4. Re:Keep them happy? by pla · · Score: 4, Funny

      The response/parent suggested that misbehavior was justified when management does bad things. It's not. And it never will be in a civilized society.

      Of course not. When the Fuhrer tells you to kill Jews, you just do it, right? It doesn't matter that it counts as "bad", "in a civilized society" we obey the alpha male without question.

      Damned straight! Put that goddamned hippy back in his place. I'll bet he takes pencils from work, too...

  2. Easy! by murphyslawyer · · Score: 4, Funny

    I suggest a finely crafted nam-shub that will turn them all into jargon-spewing corporate zombies*. That should take care of any free will problems they might have. *Aircraft carrier may be required. Some restrictions apply. Well, I gotta get back to work...ne mi ba se fa no li sa ba fu

    --
    I ain't evil, I'm just good looking.
  3. Encrypting backup (communication and storage) by amanda-backup · · Score: 5, Insightful

    Backed up data is especially vulnerable. In many environments, while a lot of work is done on network security, secure management of backup data is not given due concern. Since backup data has sometimes all of the important information at a single place, it is a juicy target for espionage. Data should be encrypted while moving to a backup server (especially while using an online backup service over the internet) and definitely encrypted while it is stored on the backup media (tape, CDs etc.).

  4. Your staff are the jewels... by patrixmyth · · Score: 5, Insightful

    A company is worthless without its employees. Select good people, pay them well and treat them fairly. Next question... How do you remove paranoid executives from positions of power and stop them from inflating operating costs through needless and morale busting authoritarian technology.

    --
    "Don't you know you're going to shock the monkey?"- Peter Gabriel
    1. Re:Your staff are the jewels... by TheCarp · · Score: 4, Interesting

      There is something that's often overlooked. Good leadership is important. You will normally hear me ranting about the pay disparities between the top and the bottom, and I am not backtracking here, I don't think anyone should be getting multi million dollar salaries... but all that aside...

      Bad leadership is worse than none. Good leadership is important. Good leaders, team leads, managers are people who make you not just work, but actually WANT to work for them. People who you can be like when everything else hits the fan, it's not just that you care about your job, but you actually respect them and want to work because you know they will get shit if you fail.

      Pay is nice, but it's community and social pressures that people really respond to. It's that "we are all in this together" attitude that binds a team together and makes them really get the job done. I think the most important aspect of a leader is the ability to catalyse that in his team.

      The best defense against this sort of thing is teams that are close enough that no member would betray the team because they would be betraying people who they respect.

      This is one reason why I like working for nonprofits that are doing things that I like, where I can get behind the corporate mission and be proud to be a part of what we are doing. Hence, I work in healthcare.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
    2. Re:Your staff are the jewels... by Chris_Stankowitz · · Score: 4, Insightful

      The question was "So how do you protect your corporate crown jewels from staff..." Both you and the GP are thinking a bit small here for starters, you will not screen every employee/contractor 100% of the times to a degree that you can rule out them turning on you. You're also not taking into account trivial things like someone with a drug problem, gambling problem, etc that even with good pay and fair treatment can potentially become a liability. The list goes on. The first thing that needs to happen is proper access controls, people that don't need to access sensitive material need not have it either by default or design. Limiting the number of people with access to the information will not only help to narrow down the number of people that could have given out secrets after the fact it will deter many as they know they can't easily hide. The question also can not be answered quite that easily, it requires many measures. Far too many IMO to cover in one post or even all the entries to follow. CS-

    3. Re:Your staff are the jewels... by Hoi+Polloi · · Score: 5, Insightful

      I wish there was a way to stop the leadership from looting the company and handing out extravagant severance pay for failed execs, massive bonuses even when the company is struggling, etc. The damage an IT guy can cause pales in comparison to what the CEO and the board can cause.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  5. Narrowminded author by CogDissident · · Score: 5, Insightful
    The author is completely forgetting to mention the sticky note with the root password that half of these companies have on the side of people's monitors because they force a password change every 3-6 months to something arbitrary.
    It also says to completely separate the outside and inside network, which means that employees have no email, no google, no internet access at all.
    It mentions nothing about compartmentalized access rights to various databases, with a different division of admins having responsibility and access to only their systems.

    In fact, all it does talk about is transmission interception (which is much less common than those problems mentioned above), and data security.

  6. Baby sitters don't work by evought · · Score: 5, Interesting

    When I was waiting for my TS clearance while working at the Pentagon (I had an interim clearance), I had to have an air force officer shadowing me the entire time, including, at points, typing for me as I dictated. The officer in question was not an IT person and had no idea what I was doing (or was supposed to do) with the UNIX systems under my care.

    I could have typed, or told him to type "cd /; rm -rf *" at any point, or done many more subtle things, especially since I had to create accounts and such for Oracle or other applications.

    In the end, the only way you can police your IT people is to have IT people you can trust, which means that the managers have to know enough IT to know what is going on and what it means without micromanaging. Very few managers have that ability. Very few IT people have the management ability to cross-train into a high-level manager. I, myself, had to bring in someone else to help with the business/finance side when running my own company. I knew what I was doing but was simply not as good at the business side as the IT work and sales.

    1. Re:Baby sitters don't work by christopherfinke · · Score: 4, Funny
      I could have typed, or told him to type "cd /; rm -rf *" at any point
      Wouldn't it have been more efficient to have him type "rm -rf /"? If you're using Air Force officers as typists, please don't waste our tax dollars on unnecessary shell commands.
  7. Not a technical problem by giminy · · Score: 5, Insightful

    People try to make everything a technical problem, which is really the wrong approach. This ain't something you're gonna fix with fancy access control and slick hardware. No matter what you do (separation of duties, cryptography, trusted operating systems), all you'll succeed in doing is making life more annoying for your regular users, and demonstrate a huge lack of trust of your employees.

    If you really want a solution, it's got to be as much policy as it is technology. I'd start with, oh, making your employees sign an NDA, and making sure they're aware of what is a company secret (most companies like Apple, Sun, IBM, etc, have classifications just like the government, e.g. "Apple Secret", "Sun Top Secret"). Make sure they know what those secrets mean, e.g. "Our documents labelled Top Secret will probably cause us to lose our dominant position in the market if leaked." Then, you implement auditing on your data storage. If your IT guys start reading company business strategy memos off the file server, you probably won't catch them when it happens. But if it becomes obvious that those memos were leaked, you can go back through the audit logs and see if anyone read them that shouldn't have, and act appropriately (though don't just assume that that person leaked the info).

    Bear in mind that the technical part of this 'solution' will probably fail. What you're trying to do is paradoxical. You're saying, "I ultimately trust these guys with the security of all of my information, but I don't completely trust them with the security of all of my information."

    --
    The Right Reverend K. Reid Wightman,
  8. Re:paranoia will destroy ya by blincoln · · Score: 4, Insightful

    Putting locks on the doors is not paranoia - indeed it prevents paranoia.

    Putting locks on doors is a reasonable preventative measure that keeps honest people from opening them. It does not "stop industrial espionage."

    TFA is Slashdotted, but the impression I get from the summary is that it's written from the mentality of trying to have a workplace that's protected against *dishonest* employees. Completely protecting against them is impossible. Making it extremely difficult for them to commit industrial espionage is possible, but the result is a workplace that isn't very fun - I know someone who used to work at the NSA, which obviously has similar protection concerns, and I'd never be able to put up with the level of surveillance and security they have.

    I'm with CmdrTaco - hire people you think you can trust. If you're proven wrong, fire them. Don't give people access to sensitive data until they've proven that they're trustworthy, and if you have something that can't leak outside the company no matter what, don't put it somewhere that anyone else can get to it.

    --
    "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  9. Just to clarify by einhverfr · · Score: 5, Insightful

    Espionage is a real concern. But the solutions in this article are worse than the problem. The real solutions include:

    1) Mandatory Access Controls (for example SELinux) on systems that hold confidential information.
    2) Data encryption for confidential information using public/private key encryption. AES is NOT an answer here though you can use it for session encryption with Diffie-Hellman, etc. if necessary.
    3) Training and loyalty of employees is critical.
    4) Separation of duties, powers, and responsibilities.

    But I guess this is harder than just throwing technology at such a problem.

    --

    LedgerSMB: Open source Accounting/ERP
  10. Ethics by 99BottlesOfBeerInMyF · · Score: 4, Insightful

    Studies have shown the most effective deterrent to theft is moral/ethical. If an employee has a good relationship with the company and their managers then they are unlikely to steal from the company, even if they know they won't be caught. If you treat your employees well, are understanding about their problems, and cultivate your relationship you have little to worry about. Talk to them and learn what their goals are and help them achieve it. Do they want to move up into management? Do they want to go to night school and become a programmer or a public relations person? Help them do it. If your employee has money problems, you should be the first person they come to, confident that you will help them work it out either with financial counseling, a pay raise, saving them money by letting them telecommute, or even loaning them the money they need and repaying it from their wages. Your employees should not live in fear of being fired or laid off. If they aren't working out they should know you will talk to them and come up with either a new position for them in the company or help them find work elsewhere, while keeping them on in the mean time. Employees should know they are trusted, for breaking that trust is a deterrent. Employees should have a stake in the company, either stock or a bonus plan so they feel their hard work and good behavior means something.

    If all of the above is taken care of, your employees will be a lot less likely to steal or do anything else to put the company out (like quit without notice). There is always the rare anti-social personality disorder, but that is a pretty rare case. If, however, you develop a "strictly business" relationship with your staff that is mercenary and impersonal you may have problems. When people don't care about their employer or dislike their employer and feel that they are in danger of being fired at any time, or their job outsourced, they will respond in kind. If the only reason you pay them is because it makes you more money in the long run, why shouldn't they sell the customer database or source code? If you hire mercenaries and treat them like mercenaries, don't be surprised when they act in their own best monetary interest.

    If you decide to treat your employees like you are at war with them and need to be defended against them, you're likely to have more problems than any technical solutions you implement will benefit you. There are products that will build a relational model of your network and log all traffic and access to resources based upon DHCP IDs and the like. Between such a system and a good set of untouchable logs for your access controls you can develop an independent group to monitor your staff. If you really need it though, your company is already pretty doomed as your employees probably don't care anyway and are just doing the minimum necessary to get paid.

  11. Reasonable treatment by Spazmania · · Score: 4, Insightful

    Hire honest staff and treat them like human beings so they're not inclined to rip you off. If you catch someone ripping you off, press charges.

    You can also create audit trails logging to multiple machines, each controlled by a different employee so that a conspiracy would be needed to avoid being caught. Reading and understanding those logs is, however, very expensive. It's also the kind of mind-numbing job that could leave an otherwise honest IT employee open to committing theft.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
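
The multi-custodian audit trail from the comment above, sketched as an added example (not part of the original thread): each custodian holds a hash-chained copy of the same log, and comparing copies exposes a single custodian who rewrites history even when the rewritten copy is internally consistent. The custodian names, entry fields and file paths are constructed for illustration.

```python
import copy
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # starting digest for every chain

def chain_digest(prev_digest, entry):
    """SHA-256 over the previous digest plus a canonical form of the entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_digest + payload).encode("utf-8")).hexdigest()

def build_log(entries):
    """Turn a list of audit entries into a hash-chained log (entries are copied)."""
    log, prev = [], GENESIS
    for entry in entries:
        prev = chain_digest(prev, entry)
        log.append({"entry": dict(entry), "digest": prev})
    return log

def verify_chain(log):
    """Return the index of the first record that breaks the chain, or None."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["digest"] != chain_digest(prev, rec["entry"]):
            return i
        prev = rec["digest"]
    return None

def compare_replicas(replicas):
    """Compare logs held by different custodians, index by index.

    Returns {custodian: (first_divergent_index, kind)} for every copy that
    disagrees with a strict majority of all custodians.
    """
    findings = {}
    longest = max(len(log) for log in replicas.values())
    for i in range(longest):
        digests = {who: (log[i]["digest"] if i < len(log) else None)
                   for who, log in replicas.items() if who not in findings}
        if not digests:
            break
        winner, votes = Counter(digests.values()).most_common(1)[0]
        if votes * 2 <= len(replicas):  # no strict majority: cannot arbitrate
            for who in digests:
                findings[who] = (i, "no quorum")
            break
        for who, digest in digests.items():
            if digest != winner:
                kind = ("missing" if digest is None
                        else "extra" if winner is None else "altered")
                findings[who] = (i, kind)
    return findings

# Constructed sample entries, not taken from any real system.
SAMPLE_ENTRIES = [
    {"seq": 1, "user": "jsmith", "action": "read", "object": "/finance/forecast.xls"},
    {"seq": 2, "user": "alice", "action": "login", "object": "fileserver"},
    {"seq": 3, "user": "bob", "action": "read", "object": "/exec/strategy-memo.doc"},
    {"seq": 4, "user": "carol", "action": "logout", "object": "fileserver"},
]

def demo():
    """Custodian bob rewrites entry 3 and recomputes his whole chain."""
    replicas = {who: build_log(SAMPLE_ENTRIES) for who in ("alice", "bob", "carol")}
    forged = copy.deepcopy(SAMPLE_ENTRIES)
    forged[2]["user"] = "temp01"
    replicas["bob"] = build_log(forged)
    return verify_chain(replicas["bob"]), compare_replicas(replicas)

if __name__ == "__main__":
    print(demo())
```

The forged copy passes its own chain check, so the hash chain alone does not constrain the person who controls that machine; only the comparison across custodians does.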
  12. Re:paranoia will destroy ya by rumblin'rabbit · · Score: 4, Insightful
    Of course you hire people you trust.

    But back in reality land, sometimes things go wrong. People are not always what they appear to be, and a good employee can sometimes become embittered. Assuming otherwise is naive, and perhaps a little arrogant. Are you such a good judge of character that you can pick out the sociopaths from the crowd? Might I suggest you aren't.

    And apart from malfeasance, sometimes people make mistakes. Sometimes they type "rm -r *" when they are not in the directory they think they are in.

    I'm not suggesting massive security measures, but reasonable steps can go a long way. Even moderate security is worthwhile and, I think, appreciated by the employees.

    P.S.: CD stands for CmdrDaco (apparently). Apologies to CT.

  13. Threaten them, use spikes, seeds by dindi · · Score: 5, Interesting

    The casino, bookie guys do not need rules and regulations. Feel free to take their data (usually customer lists), it is full of spikes/seeds (phone numbers, email and land addresses that belong to the owners), so when the data is sold and used (callcenter, email spam/etc) the mails get back to you.

    Then the death squad goes after the techs and asks some uncomfortable questions, talk about broken kneecaps and burning family houses.

    Heck, you can even seed different addresses for each admin (if one is doing the mailing, the other only sees the SQL tables)...

    If you think it is science fiction, or fear mongering, come and work for a casino in any Central AM country...

    I personally left a place because I was scared - higher staff was regularly followed, I heard bad things about the company, and we had more and more armed people at the entrance. I also heard (from my colleague), that our previous sysadmin was chased down the street by the neighbour casino owner with a gun in the hand, shouting "I kill you bastard" over some customer list that the guy "administrated".

    Want 1st person experience: how about police calling me, that a gentleman wants to talk about one of our employees, who supposedly stole data from a Caribbean country's casino. The guy looked like a headhunter/killer to me, who kept calling me for 2 weeks, every day, offering more and more for the person's address or any tip where the person could be met (killed??). And that was back in Europe, and the guy came from the islands .... so he was pretty determined.

    Oh well you can make some other measures, like at one place, they sniffed all IM traffic, read all emails, and made it forbidden to take anything into the office. First usb drives, cds floppies. Later cell phones, walkmans, ipods. ANYTHING. They were as well believed to go thru the lockers.

    Of course I cannot (and do not want to) name people, places, etc. All I can say, is that I am done with that industry, even though they pay a lot better than others in southern countries.
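
The per-admin seeding idea from the comment above, as an added example (not part of the original thread): each person's copy of a customer list carries decoy rows derived from a secret key, so a leaked list can be traced back to the copy it came from. The seed domain, key, recipient names and customer rows are constructed assumptions.

```python
import hashlib
import hmac

# Assumption: a mail domain the data owner controls and monitors.
SEED_DOMAIN = "seeds.example.com"

def seed_records(secret, recipient, count=3):
    """Derive `count` decoy customer rows that are unique to one recipient."""
    rows = []
    for i in range(count):
        tag = hmac.new(secret, f"{recipient}:{i}".encode("utf-8"),
                       hashlib.sha256).hexdigest()
        rows.append({
            # A production seed would use a plausible name; this is a placeholder.
            "name": f"Customer {tag[:6].upper()}",
            "email": f"c{tag[6:16]}@{SEED_DOMAIN}",
        })
    return rows

def make_export(customers, secret, recipient):
    """Return the list with this recipient's seeds mixed in.

    Rows are sorted by e-mail so the seeds are not clustered at the end.
    """
    rows = [dict(c) for c in customers] + seed_records(secret, recipient)
    return sorted(rows, key=lambda r: r["email"])

def attribute_leak(leaked_emails, secret, recipients):
    """Count, per recipient, how many of their seed addresses appear in a leak."""
    leaked = {e.strip().lower() for e in leaked_emails}
    hits = {}
    for who in recipients:
        found = sum(1 for r in seed_records(secret, who) if r["email"] in leaked)
        if found:
            hits[who] = found
    return hits

# Constructed sample data.
SECRET = b"constructed-demo-key"
RECIPIENTS = ["admin-a", "admin-b", "mailing-team"]
CUSTOMERS = [
    {"name": "Ana Ruiz", "email": "ana.ruiz@example.org"},
    {"name": "Ben Ito", "email": "ben.ito@example.net"},
    {"name": "Cy Marsh", "email": "cy.marsh@example.org"},
]

def demo():
    """A list surfaces that matches admin-b's copy, with case changed."""
    export_b = make_export(CUSTOMERS, SECRET, "admin-b")
    leaked = [row["email"].upper() for row in export_b]
    return attribute_leak(leaked, SECRET, RECIPIENTS)

if __name__ == "__main__":
    print(demo())
```

Because the seeds are recomputed from the key, no table mapping seeds to people has to be stored where the same administrators could read it.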

  14. Learn what you're up against by b1t+r0t · · Score: 4, Informative

    The first thing to do is to read the extensive documentation on this subject.

    If it's possible, the BOFH has already done it.

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
  15. Re:Bribed by crakbone · · Score: 4, Interesting

    I worked for a company that said if you get bribed keep the money and turn in the person bribing you. If the charges stick you'll get an additional $1000.00.

    I never got bribed. I was hoping all the time.

  16. My workplace is schizoid about trust by rbanzai · · Score: 5, Interesting

    At my workplace management has so many conflicting opinions on internal security it's laughable. When I was brought in as IT Manager I couldn't even get admin access to anything because my boss didn't know who I was (even though he's the one that hired me.)

    Instead he let the outside I.T. consultants have complete control. My experience and professional references were to no avail. It was three months before I got a key to the server room, and this is in a small, 50 person insignificant business. All the while the outside consultants (who retain full remote access to all systems and networking equipment) could do whatever they want.

    The network drives were wide open among departments. No restrictions. Performance reviews, salary spreadsheets were all available to the entire staff with the thought that "no one knows the files are there so it's okay" was good enough.

    When I suggested that we could start locking down departmental network folders to restrict access to sensitive data it set off a freakish firestorm of discussion about who could be trusted for these special folders. But... the whole time they'd been wide open! Now suddenly it was an emergency to lock them down and no one could be trusted with the data.

    Later on my boss was working on a business pitch in Word. He'd brought in a temp to help with the layout and now he wanted to give it his own special touch. But he was having formatting issues. He wanted my help, but.... I couldn't look at the document!

    He said it was sensitive and he didn't want me to see it but at the same time I had to diagnose his formatting problem and tell him how to straighten it out. So it was okay for a one-day temp to see it, but not the IT Manager that he himself hired that has responsibility for protecting all of his data.

    A few more months and I'm out of here. It's the craziest place I've worked, and I used to work at an urban police department so I've seen crazy.

  17. Trusting the temps by Simonetta · · Score: 4, Interesting

    I worked as a permanent temp in a Hewlett-Packard printer factory in Camas, Washington. I was in a room with a loading dock all alone with about a thousand printers, brand-new, boxed and ready-to-ship. My job was to select several printers a day at random and disassemble them so that the parts could be used to make prototypes of new printers. It was cheaper to hire a permanent temp employee to disassemble printers than it was to fill out the paperwork to get the parts from the assembly line before they were made.
    Anyway, I put a picture of Claudia Schiffer in an evening gown on my PC as background wallpaper. A few days later I get escorted by an armed guard to the human resources office about a kilometer away and get fired for 'creating an environment conducive to sexual harassment'. Since I had all the codes and badges to access the loading dock, I was tempted to just rent a truck, drive up, and take all the printers and either dump them in the ocean or sell them myself. Of course, according to Hewlett-Packard, I was 100% trustworthy because I passed a marijuana piss test so I was beyond suspicion were the items to be found missing.
    I didn't steal anything from them, but I was tempted to because I was so pissed at them. Of course, it came as no surprise to anyone that a few years later the morons who run H-P would just roll over and let Carly trash the entire company to the point where they felt relieved that they could finally get rid of her by giving her 28 million dollars to just...go...away.
    So, a word to the wise young people, don't work for insane morons like Hewlett-Packard if you want to have a long and prosperous career in the IT or electronics industry. Choose your employer carefully; believe all crazy rumors about your company management, study Dilbert seriously, be flexible, and always ready to just jump ship at any better job offer. The old mentality and social contract between employer and employee is over.