Passwords, firewalls, encryption, two-factor authentication and access-control lists are among the tools available to information security professionals. Other options include system audits, patch management, network traffic monitoring and penetration testing. And a range of information security training programs and certifications are available to best use these tools.
But despite this arsenal and well-trained professionals securing networks and systems, businesses cannot completely stop the flow of proprietary data, trade secrets and confidential information leaving their organizations and ending up in the hands of competitors, journalists and whistleblowers.
There is a simple explanation for this problem, but not a simple solution to completely stop it.
Employees must have access to proprietary information to perform their job responsibilities. The problem is not the access, but what they can do with the information. The current attitude toward electronic data is that we must be able to access it from anywhere we are working -- and we should be able to share it with co-workers, business associates, vendors, etc., with the click of a mouse.
This ability to access and disseminate data quickly and easily is great from a productivity viewpoint, but frightening from a security perspective.
An example of how difficult it is for organizations to control information flow is demonstrated by how many people have accidentally sent a confidential e-mail to a distribution list when they meant to send it to an individual recipient. Another example involves some simple questions, such as how many people have unlabeled floppy disks, CDs or DVDs lying around their home or office? What's on them? What would happen if they were lost or stolen?
While many mechanisms used by employees to remove proprietary information are not sophisticated, most decision makers don't understand the threats their own employees pose. It is important for information security professionals to understand these threats and explain them to management in easily understood terms.
USB flash drives are one of the biggest threats to proprietary information. These are common and extremely useful. Many individuals reading this article probably have one in their pocket. The problem with these devices is that their small size belies the threat. These devices are about the size of a tube of lipstick and can store a large amount of data. A one-gigabyte USB flash drive costs less than $10.
Since most technology professionals are talking in terabytes, a one-gigabyte device seems like a "small storage capacity" device. But if we put this in perspective, a one-gigabyte device stores the same amount of information as 694 floppy disks. It is possible to store a large number of word processing, spreadsheet and PDF files on 694 floppy disks. If you take this one step further, a 16-gigabyte device stores the equivalent of more than 10,000 floppy disks -- all on an easily concealed and transported device. Combine this large storage capacity with the fact that it is not possible to buy a new computer without USB ports installed, and it is easy to understand how data can be removed from an organization.
Explaining how much data can be removed by employees may cause management to support the control of who has the ability to copy data to a USB flash drive.
There are mechanisms that can be implemented to reduce data loss via these devices. On newer systems, it is possible to disable USB ports in the BIOS. While this limits data loss, it also prevents the use of other, helpful devices. It is possible to modify the Registry (XP SP2) to make USB devices read only. Create a new key, HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies. Then create a REG_DWORD entry called "WriteProtect." Set the value to "1" and USB flash drives will now be read only.
Another option that might work for some organizations is to set a Group Policy Object modifying permissions to the file usbstor.sys (located at C:\Windows\system32\drivers on a Windows XP system), allowing access to "System" and perhaps "Administrator."
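One way to audit, and optionally enforce, the two settings described above. This is an added example, not part of the original article. It assumes PowerShell 3.0 or later and an elevated prompt, and the function name `Get-UsbStoragePolicy` is hypothetical.

```powershell
# Added example: report the USB write-protect policy and the ACL on usbstor.sys.
# With -Enforce, the WriteProtect value is created or corrected (writes to HKLM).
function Get-UsbStoragePolicy {
    param([switch]$Enforce)

    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
    $driver = Join-Path $env:SystemRoot 'system32\drivers\usbstor.sys'

    # A missing key or a missing value both mean the policy is not set.
    $current = $null
    if (Test-Path $key) {
        $prop = Get-ItemProperty -Path $key -Name WriteProtect -ErrorAction SilentlyContinue
        if ($prop) { $current = $prop.WriteProtect }
    }

    # Idempotent enforcement: only write when the value is absent or not 1.
    if ($Enforce -and $current -ne 1) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name WriteProtect -PropertyType DWord `
            -Value 1 -Force | Out-Null
        $current = 1
    }

    # List every principal with rights on the driver file, so entries other
    # than "System" and "Administrator" stand out during review.
    $acl = @()
    if (Test-Path $driver) {
        $acl = (Get-Acl -Path $driver).Access | ForEach-Object {
            '{0}: {1} ({2})' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType
        }
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        WriteProtect     = $current
        ReadOnlyEnforced = ($current -eq 1)
        DriverAcl        = $acl
    }
}

# Audit only; add -Enforce to set the registry value.
Get-UsbStoragePolicy | Format-List
```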
Most organizations will want a more granular solution, and commercial products are available that not only control how USB flash drives are used, but also how other "portable data storage devices" are used, such as CDs, DVDs and floppy disks. Enterprise tools, such as DeviceWall from Centennial Software, can restrict access on a time-limited basis, as well as provide logging capabilities.
Portable data storage devices are perhaps the most obvious way employees can sneak out data, although there are other, overlooked methods that are nearly as much of a threat to proprietary information as USB devices.
That threat includes -- for several reasons -- online data storage sites. They are accessed using a Web browser and generally require no special software. Because the sites use HTTP for communication, they are difficult to block. And once data is stored on one of these sites it is accessible from any computer with an Internet connection.
An example of an online storage system is Google's Gmail. Most people aren't aware that it is possible to use the storage capacity associated with a Gmail e-mail account for any type of file. As of this writing, the amount of storage space available is nearly 5 gigabytes, which is enough space to store a large amount of data. All that is required to make use of this space is to use the Firefox browser and the Gspace add on, which can be downloaded at either http://addons.mozilla.org or
Once the add on is installed, you get a "Gspace" option in the tools drop-down menu. All you have to do is click on this menu item, which takes you to an interface that looks similar to an FTP client. A user logs into Gmail, highlights the file they wish to transfer, then clicks on an upload or download arrow to accomplish the desired task. Granted, the average employee does not generally have a Gmail account and does not use Firefox as their principal browser, so it should not take much to block access to Gmail.
Even if you block Gmail access, there are numerous other sites that an employee can access to transfer data out of a business.
Employees who own a Mac and have an iMac account will have an iDisk. On their Macs they will have an iDisk icon on their desktop that they simply "double-click" to open. Once opened, they will see files and folders as if they are actually located on their local system. In actuality, these files and folders are located on a remote server. Employees can access this online storage location through any browser, transfer files to the online server and, when they get home, find the files will be easily accessible.
Unfortunately, with the desire to have access to data "everywhere, all the time" the number of these types of sites keeps growing and is difficult to track. Many organizations try to "blacklist" these sites. But the problem is that it is difficult, if not impossible, to block them all. The author was at a location that attempted to block these sites and -- while several were blocked -- it was still possible to find and access a site that offered free online storage.
For those that wish to attempt to block these sites, here is a short list of some that are currently active:
It is important to recognize that while many of these are commercial sites that charge for their services, most offer fully functional trials. A seven-day trial may be all that is needed to transfer hundreds or thousands of documents.
Another threat to data is "lifestyle computing devices" -- things such as cell phones, PDAs, digital cameras and MP3 players. Because these devices do not have data storage and transfer as their primary functionality, decision makers will not see them as a threat to proprietary information and trade secrets.
They should. As an example, PDAs (Portable Digital Assistants) are not just contact resource managers any more. They are fully functional computers that can send and receive e-mail; send and receive text messages; surf the Internet; and create, store and transmit Microsoft Word, Microsoft Excel files and PDF files.
And what do many organizations allow their employees to do with personally owned PDAs? They allow them to connect to corporate computers so they sync their Outlook address books. In addition, they can copy over any files they want.
And when an employee leaves, what steps are taken to remove this proprietary information from personally owned PDAs? Very often, nothing is done and all the employee has to do is take her PDA to her new employer, hook it up to her new computer and copy over all the data from her previous employer.
Some organizations think they have eliminated this problem by providing employees with company-owned PDAs they have to return upon resignation or termination. But all an employee has to do is copy the data to a personal computer before returning it. Once again, the data is lost and out of the employer's control.
Another mechanism used to transmit proprietary information outside of an organization is instant messaging. Many organizations allow -- and even encourage -- the use of consumer-grade instant messaging applications by employees. This poses several problems, perhaps the most significant of which is that these types of communications are not being monitored or logged. This is one reason employees will use instant messaging to bypass monitoring of their activities.
This type of activity was brought to light during the Enron investigations. "The regulatory environment tightened after government investigators examining Enron found that Wall Street energy traders used cell phones and instant messages to bypass employer surveillance of their desk phones and e-mail."1
Add to this the ability for some instant message programs to send attachments, and the threat increases significantly. Because of this threat, organizations should seriously evaluate the need to use instant messaging. Most individuals have cell phones, office phones and home phones with voice-mail capabilities, in addition to an e-mail account. Now that most hand-held devices have the ability to send and receive e-mail, is it really necessary to use instant messaging? If an organization must have instant messaging, it should use an enterprise-grade product with the ability to log or archive communications.
While most information security professionals focus on the protection of digital information, it is important to remember that it only requires clicking on a printer icon in many applications to convert an electronic file into an easily transportable paper printout.
Many organizations have restrictions on using portable data storage devices, but are silent on removing paper documents. Paper documents can easily be concealed and removed. And once paper documents are removed, they can be easily converted back into electronic documents. Reasonably priced scanners exist that come bundled with optical character recognition (OCR) software.
The significance of using low-tech methods to steal information can be underscored by the Coca-Cola employee caught with paper documents. "A company surveillance camera caught Coca-Cola employee Joya Williams at her desk looking through files and 'stuffing documents into bags,' officials said. Then in June, an undercover FBI agent met at the Atlanta airport with another of the defendants, handing him $30,000 in a yellow Girl Scout cookie box in exchange for an Armani bag containing confidential Coca-Cola documents and a sample of a product the company was developing,
This problem becomes especially frightening when one realizes that many organizations allow executives to access their facilities 24 hours a day, seven days a week.
While the previous examples involve direct theft or dissemination of proprietary information, there are other indirect methods that are just as likely to cause information loss.
Many organizations have conference rooms with an internal wall comprised of glass from floor to ceiling. And often on the opposite wall is a large whiteboard that is used for brainstorming, outlining meeting details or summarizing conclusions. All of this data is designed to be transient and should only be relevant for those who attended the meeting.
But what invariably happens? Important information is often left on the board for future meetings or so it can be documented in a more permanent manner. To prevent the erasure of this information, people will write in bold, underlined characters, "do not erase," which is the equivalent of saying, "this is important." The author has been in organizations and seen business plans, network diagrams with IP addresses and host names and profitability statistics in plain sight on whiteboards. If information must be kept on whiteboards, spend a little extra and buy ones that have doors that will cover the board.
Another manner in which data is inadvertently disclosed is in restaurants and bars. People often meet to share a drink or a meal at the end of a busy day or workweek. Frequently, the conversation turns to work-related subjects. These conversations continue when servers and bartenders are serving food and drinks. Business professionals often do not recognize these people as a threat because they are "invisible."
The problem with ignoring those in service industries is this: how do you know that is their only job? What if they are moonlighting to make extra money to pay off debt or save money for an expensive vacation? Or what if the spouse of your server works for a direct competitor? They will be more than happy to pass along overheard information.
While it is not possible to completely stop the flow of proprietary information out of an organization, it is possible to reduce the flow significantly.
Perhaps the most important mechanism is to apply the "principle of least privilege." This means that employees should have access to only the materials needed to perform their job responsibilities.
Many organizations allow employees access to all files. This type of environment is easy to support, but it provides the ability for employees to find and perhaps disseminate proprietary information that goes beyond their business need. Some organizations erroneously feel that this is not a problem because some of the materials are too complicated for everyone to understand. While not everyone will understand them, competitors certainly will.
Organizations also should require employees to sign non-compete and non-disclosure agreements. While these documents won't necessarily stop the loss of information, they can provide some legal recourse to regain control of information should it be sent to a competitor.
Other agreements that should be signed include non-solicit agreements. There are two types of non-solicit agreements. One prohibits employees from soliciting business from current clients when they leave; another prohibits employees from soliciting other employees to leave with them to work for a competitor or to start a competing business.
While there are numerous technical methods for preventing access to data from outside an organization, it is equally as important to control access from within. Even more important is controlling what employees do with that data.
1 Smith, E. B. "Wall St. bloodhounds track IMs for clues." USA Today, September 18, 2003. Retrieved Nov. 12, 2007 from USA Today Web site: http://www.usatoday.com.
2 Day, K. "3 Accused in Theft of Coke Secrets." The Washington Post, July 6, 2006. Retrieved Nov. 12, 2007 from The Washington Post Web site: http://www.washingtonpost.com.
John Mallery is a managing consultant with BKD, LLP in the Forensics & Dispute Consulting division. He may be reached at firstname.lastname@example.org or 816-701-0267.