Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Nine Ways to Stop Industrial Espionage

CmdrTaco posted about 8 years ago | from the just-unplug-em dept.

351

An anonymous reader writes "IT staff are in the unique position that if they are nosy, immoral, greedy or corrupt that can get at what they want within their company at the touch of a button. The corporate crown jewels are usually left open and exposed to the IT guys. So how do you protect your corporate crown jewels from staff that can so easily be bribed to steal them and hand them over to a competitor?" I can't imagine having to be paranoid about employees. That seems to me to be a bigger problem than hardware.

cancel ×

351 comments

Sorry! There are no comments related to the filter you selected.

Keep them happy? (5, Funny)

BlackCobra43 (596714) | about 8 years ago | (#15832104)

I suggest a steady supply of red Swingline staplers.

Re:Keep them happy? (4, Funny)

Joe The Dragon (967727) | about 8 years ago | (#15832167)

and no TPS reports

Re:Keep them happy? (0)

Anonymous Coward | about 8 years ago | (#15832175)

Yeah, but do the staplers run Linux?

Re:Keep them happy? (1)

Millenniumman (924859) | about 8 years ago | (#15832485)

Yeah, but you really need a beowulf cluster to get enough power.

Re:Keep them happy? (4, Funny)

neonprimetime (528653) | about 8 years ago | (#15832177)

But from a corporate perspective, Red Swingline staplers are a fire hazard.

Seperation of Duties (2, Insightful)

deviantphil (543645) | about 8 years ago | (#15832239)

That is what we do in my shop. Usually there are still some people who can reek havoc on things...esp. people who know what they are doing.

From my personal experience, unless properly implemented...which it usually isn't, seperation of duties is just a joke for security and makes legitimate work take 2x as long.

Re:Seperation of Duties (1)

andrewman327 (635952) | about 8 years ago | (#15832519)

It is not just the technology guys who have access. There are departments of companies where even interns work with protected information. Rank and file employees have stolen credit card numbers to which they had access as parts of their jobs. This is a much bigger issue than just sysadmins.


As far as keeping the IT people happy, try celebrating sysadmin appreciation day [sysadminday.com] next year.

2 BUGS IN FIREFOX (-1, Offtopic)

Anonymous Coward | about 8 years ago | (#15832371)

FYI: There are two long time bugs in Firefox of great annoyance:

1- Copy feature of copy and paste
2- Sometimes firefox can't use the arrow keys.

In addition, scrolling with page up and down does not seem to work well when there are frames. But maybe that's not a bug.

Patched (-1, Offtopic)

Anonymous Coward | about 8 years ago | (#15832436)

Get the patch here [opera.com]

just don't invent anything (0)

paughsw (620959) | about 8 years ago | (#15832124)

just don't invent anything and you will have no spies

Easy! (-1, Flamebait)

jesser (77961) | about 8 years ago | (#15832134)

Don't hire those commie, intellectual-property-hating, "information wants to be free" Slashdot readers!

Re:Easy! (0)

Anonymous Coward | about 8 years ago | (#15832252)

Ok, we've ruled them out, now we have our pick of the stupid people and the evil people.

Easy! (4, Funny)

murphyslawyer (534449) | about 8 years ago | (#15832142)

I suggest a finely crafted nam-shub that will turn them all into jargon-spewing corporate zombies*. That should take care of any free will problems they might have. *Aircraft carrier may be required. Some restrictions apply. Well, I gotta get back to work...ne mi ba se fa no li sa ba fu

Re:Easy! (1)

Scarblac (122480) | about 8 years ago | (#15832184)

Seems I'm not the only one to recently re-read Snow Crash :-)

Re:Easy! (2, Funny)

Indy1 (99447) | about 8 years ago | (#15832298)

nothing that couldn't be fixed with a little Reason :)

http://en.wikipedia.org/wiki/Reason_(weapon_system ) [wikipedia.org]

Re:Easy! (1)

Mayhem178 (920970) | about 8 years ago | (#15832366)

In Mafia-run America, Reason sees you!

Re:Easy! (1)

Mayhem178 (920970) | about 8 years ago | (#15832328)

I happen to have this awesome bitmap for you all of you /. posters to look at. Ever heard of Asherah?

* snicker snicker evil laugh *

Encrypting backup (communication and storage) (5, Insightful)

amanda-backup (982340) | about 8 years ago | (#15832161)

Backed up data is especially vulnerable. In many environments, while lot of work is done on network security, secure management of backup data is not given due concern. Since backup data has sometimes all of the important information at a single place, it is a juicy target for espionage. Data should be encrypted while moving to a backup sever (especially while using a online backup service over the internet) and definitely encrypted while it is stored on the backup media (tape, CDs etc.).

Re:Encrypting backup (communication and storage) (1)

Ludedude (948645) | about 8 years ago | (#15832465)

Doh! That's why when I was relieved from my last job as Director of IT they didn't send me my severance pay until I returned all the backup tapes ;)

Re:Encrypting backup (communication and storage) (1)

igb (28052) | about 8 years ago | (#15832561)

But key management in encrypted backup environments is tricky. Not impossible, but tricky. Who holds the decryption keys? Well, anyone who might be involved in recovery. And thereby hangs the tale.

Your staff are the jewels... (5, Insightful)

patrixmyth (167599) | about 8 years ago | (#15832166)

A company is worthles without it's employees. Select good people, pay them well and treat them fairly. Next question... How do you remove paranoid executives from positions of power and stop them from inflating operating costs through needless and morale busting authoritarian technology.

Re:Your staff are the jewels... (3, Insightful)

kevin_conaway (585204) | about 8 years ago | (#15832209)

I came in here to say pretty much the same thing:

  • Hire good people. If you're not sure about a persons integrity, don't hire them!
  • Keep them happy. Pay them well and treat them fairly.

Thats really all there is to it

Re:Your staff are the jewels... (4, Interesting)

TheCarp (96830) | about 8 years ago | (#15832397)

There is something thats often overlooked. Good leadership is important. You will normally hear me ranting about the pay disparities between the top and the bottom, and I am not backtracking here, I don't think anyone should be getting multi million dollar salaries... but all that aside...

Bad leadership is worst than none. Good leadership is important. Good leaders, team leads, managers are people who make you not just work, but actually WANT to work for them. People who you can be like when everything else hits the fan, its not just that you care about your job, but you actually respect them and want to work because you know they will get shit if you fail.

Pay is nice, but its community and social pressures that people really respond to. Its that "we are all in this together" attitude that binds a team together and makes them really get the job done. I think the most important aspect of a leader is the ability to catalyse that in his team.

The best defense against this sort of thing is teams that are close enough that no member would betray the team because, they would be betraying people who they respect.

This is one reason why I like working for nonprofits that are doing things that I like, where I can get behind the corperate mission and be proud to be a part of what we are doing. Hence, I work in healthcare.

-Steve

Re:Your staff are the jewels... (1)

dwandy (907337) | about 8 years ago | (#15832489)

I don't think anyone should be getting multi million dollar salaries
That's a pretty broad statement ... how come the blanket "anyone" ?

Re:Your staff are the jewels... (4, Insightful)

Chris_Stankowitz (612232) | about 8 years ago | (#15832402)

The question was "So how do you protect your corporate crown jewels from staff..." Both you and the GP are thinking a bit small here for starters, you will not screen every employee/contractor 100% of the times to a degree that you can rule out them turning on you. You're also not taking into account trivial things like someone with a drug problem, gambling problem, etc that even with good pay and fair treatment can potentially become a liability. The list goes on. The first thing that needs to happen is propper access controls, people that don't need to access sensitive material need not have it either by defualt or design. Limiting the number of people with access t othe information will not only help to narrow down the number of people that could have given out secrets after the fact it will deter many as they know they can't easily hide. The question also can not be answered quite that easily, it requires many measures. Far to many IMO to cover in one post or even all the entires to follow. CS-

Re:Your staff are the jewels... (1)

MindStalker (22827) | about 8 years ago | (#15832484)

Given, yes, you should limit security to those who only need it. The point is as well you shouldn't waste excessive amount of money on security when hiring good people and being a good team leader can do so much more. A tight knit community of workers will know which ones have the drug or gambling problems anyways. Its really not as easy to hide as you believe.

Easier solution (1)

Hoi Polloi (522990) | about 8 years ago | (#15832451)

For IT people I've found you need only two simple words, "FREE PIZZA"

Re:Your staff are the jewels... (0)

Anonymous Coward | about 8 years ago | (#15832290)

You know, I was going to write a long, drawn out rant after I RTFA, but this summed it up nicely without causing my blood pressure to go up.

In the IT world, as long as you pay your people a fair rate, and empower them to do what they need to do without giving them needless, completely illogical constraints (i.e., having your key to the IT closet taken away by a completely paranoid boss).

In the Corporate world, I agree with one of the other posters in that the article COMPLETELY forgets physical access (the password sticky note) and social engineering (what was it, 40% of the end users would give up their passwords for chocolate?) You can encrypt whatever you want, if that particular user has access to the live data that you need, and can decrypt it in order to work on it, it is potentially vulnerable to social engineering.

Re:Your staff are the jewels... (3, Insightful)

syntaxglitch (889367) | about 8 years ago | (#15832313)

With an emphasis on treating people well, in both monetary compensation and personal respect. Corruption and abuse of power are bred when a person's authority and influence exceed their perceived value to the organization. Compare to stories about abuses of power by school teachers/administators or police--both occupations that are given too little value or too much authority.

Re:Your staff are the jewels... (2, Insightful)

harrkev (623093) | about 8 years ago | (#15832341)

pay them well and treat them fairly.
Do such employers exist? I have never seen one.

Re:Your staff are the jewels... (0, Troll)

Anonymous Coward | about 8 years ago | (#15832369)

Select good people, pay them well and treat them fairly.

uoi OBVOIUSALLY do not have a MBA or other advanced Business degree as that above statement flies in the face of Everything tought to you at the best Business schools.

Next thing you are going to start preaching heresy that experience is more valuable than certifications, bringing the IT department food on a regular basis improves the work attitude and the bigest heresy.... If you treat them like human beings they will actually stick around of be happier at work.

The sad part is that the above bit of fiction seems to be the operation standard across the country in corperations. IT is understaffed and underpaid in contrast to their duties and responsibilities. Yet the morons in the executive floor can not understand why when a "valued" employee can not afford to live anywher but the slums because he is only getting 1/2 of what he needs to live where he works, he jumps ship without warning (giving warning = getting your walking papers right there).

Also, the Executives are also dumbfounded why IT get's all pissed off during a hiring freeze when they hire 3 new assistants for the Marketing and sales departments yet are told that another IT person is not in the budget, try again next year. (marketing assistant makes MORE than the IT guys do)

No this is not some podunk company, it's comcast. I left the place because the managers and executives are idiots, complete blathering idiots.

Answer? American Corperations are lead by the stupidest and dumbest people on the planet. THAT is why employees get pissed and take off with a DLT of everything they can get their hands on, or a portable drive they brought in a week before they quit to copy all databases they can get their fingers into. They can go to the competition and get wages they deserve and ride like a king doling out insider info for the next 3 years.

Only answer is to either get rid of the idiots (unlikely as money breeds stupidity) or let it all sort it's self out in the end.

Re:Your staff are the jewels... (0)

Anonymous Coward | about 8 years ago | (#15832400)

Never run a company with many employees have you?

It will teach you many things about human nature - you will be appalled.

Re:Your staff are the jewels... (5, Insightful)

Hoi Polloi (522990) | about 8 years ago | (#15832432)

I wish there was a way to stop the leadership from looting the company and handing out extravagent severance pay for failed execs, massive bonuses even when the company is struggling, etc. The damage an IT guy can cause pales in comparision to what the CEO and the board can cause.

Re:Your staff are the jewels... (2, Insightful)

dwandy (907337) | about 8 years ago | (#15832455)

A company is worthles without it's employees. Select good people, pay them well and treat them fairly. Next question... How do you remove paranoid executives from positions of power and stop them from inflating operating costs through needless and morale busting authoritarian technology.
But this precludes the McEmployeeisation of IT.
From an MBA perspective, tech replaces people. So if you can implement tech to monitor/stop people from doing anything when you don't treat them fairly, (or when you hire substandard* people...or whatever) then there is the perception of a long-term cost savings.

*meaning someone who might work for less than market. -for a variety of reasons, including (but not limited to) their intention to 'steal' the difference in their income and the market value....

Re:Your staff are the jewels... (1)

tbannist (230135) | about 8 years ago | (#15832482)

This has to be repeated. Pay the people who have access to your companies confidential information as if they had access to your companies confidential information. Treat them well and they will treat the company well. Employees who are happy don't sell company secrets to the highest bidder. The president/CEO of the company is not the only one who's important.

paranoia will destroy ya (3, Insightful)

rumblin'rabbit (711865) | about 8 years ago | (#15832170)

I can't imagine having to be paranoid about employees. That seems to me to be a bigger problem than hardware.
That's kind of a dumb comment. Hasn't CD heard the saying "trust everyone but cut the cards"? Putting locks on the doors is not paranoia - indeed it prevents paranoia.

Re:paranoia will destroy ya (4, Insightful)

blincoln (592401) | about 8 years ago | (#15832277)

Putting locks on the doors is not paranoia - indeed it prevents paranoia.

Putting locks on doors is a reasonable preventative measure that keeps honest people from opening them. It does not "stop industrial espionage."

TFA is Slashdotted, but the impression I get from the summary is that it's written from the mentality of trying to have a workplace that's protected against *dishonest* employees. Completely protecting against them is impossible. Making it extremely difficult for them to commit industrial espionage is possible, but the result is a workplace that isn't very fun - I know someone who used to work at the NSA, which obviously has similar protection concerns, and I'd never be able to put up with the level of surveillance and security they have.

I'm with CmdrTaco - hire people you think you can trust. If you're proven wrong, fire them. Don't give people access to sensitive data until they've proven that they're trustworthy, and if you have something that can't leak outside the company no matter what, don't put it somewhere that anyone else can get to it.

Re:paranoia will destroy ya (4, Insightful)

rumblin'rabbit (711865) | about 8 years ago | (#15832422)

Of course you hire people you trust.

But back in reality land, sometimes things go wrong. People are not always what they appear to be, and a good employee can sometimes become embittered. Assuming otherwise is naive, and perhaps a little arrogant. Are you such a good judge of character that you can pick out the sociopaths from the crowd? Might I suggest you aren't.

And apart from malfeasance, sometimes people make mistakes. Sometimes they type "rm -r *" when they are not in the directory they think they are in.

I'm not suggesting massive security measures, but reasonable steps can go a long way. Even moderate security is worthwhile and, I think, appreciated by the employees.

P.S.: CD stands for CmdrDaco (apparently). Apologies to CT.

Re:paranoia will destroy ya (1)

GMontag (42283) | about 8 years ago | (#15832365)

I can't imagine having to be paranoid about employees. That seems to me to be a bigger problem than hardware.

That is just what he wants you to think.

Article text (3, Informative)

Anonymous Coward | about 8 years ago | (#15832171)

Clicky clicky page impressions clicky clicky. Or just read it here:

---

Nine Ways to Stop Industrial Espionage
by Calum Macleod - European Director of Cyber-Ark - Wednesday, 2 August 2006.

If we're honest every one of us imagine what we'd do with a few million in the bank. The yacht in Cannes, the private jet in Nice, possibly our own football team, and maybe a few other high maintenance accessories top our list of must-haves. But of course the question is how to get there. Working till I'm too old to enjoy it is one option but of course there is an alternative; the lottery, online poker, a rich widow, stocks and shares - increasingly risky these days - or why not simply help myself to something very valuable.

After all if I'm working in IT I probably have access to the corporate crown jewels. And that could be anything; source code for the next money spinning application that will be released, credit card details for thousands of customers. Recently a Coca-Cola employee and two accomplices were arrested in Atlanta for allegedly stealing confidential information from the Coca-Cola and trying to sell it to PepsiCo.

In fact it's actually quite easy because if I'm working in IT I have access to systems with all kinds of privileged information. Here is my employer thinking that his M&A data is safe and I'm allowed to a free access to the servers storing the data. I can help myself to whatever I want and no one will ever know. And of course it's much easier now than it was when I first started this job. Then I somehow had to get out of the building with everything under my arm, but now I have dozens of ways to get it out. Just make my choice - mobile, USB stick, email attachments, VPN access from home and no one will ever know! And of course it may not even be my employer, just some company that we provide outsourcing services for - it's never been easier!

The problem often lies in the fact that we are constantly tempted because the corporate jewels are literally just lying around where anyone can find them. The problem for today's enterprise is that the transfer of information is increasingly time-critical and the traditional approaches such as FTP and secure email are awkward to manage, and often lack the security mechanisms that sensitive data demands, thus making the risk of leakage very possible. And where it becomes really challenging is when you need to share information with business partners. So here are a few suggestions

>Do not expose your internal network

The process of transferring files in and out of the enterprise must be carried out without exposing and risking the internal network. No type of direct or indirect communication should be allowed between the partner and the enterprise.

Make sure that intermediate storage is secure

While information is waiting to be retrieved by the enterprise or sent to the business partner, it must reside in a secure location. This is especially critical when the intermediary storage is located on an insecure network, such as the enterprise's DMZ, outsourced site, or even the internet.

But encryption and other security mechanisms are not helpful if the security layers where the data is being stored can be circumvented, for example by a systems administrator. Encryption is good for confidentiality, but does not protect data from intentional deletion or accidental modifications. It is important to have a single data access channel to the storage location and ensuring that only a strict protocol, that prohibits code from entering, is available for remote users. In September 2004, an unauthorized party placed a script on the CardSystems system that caused records to be extracted, zipped into a file, and exported to an FTP site. The result was the exposure of millions of credit card details and the eventual demise of CardSystems.

Ensure that Data at Rest is protected

The cornerstone of protecting storage while at rest is encryption. Encryption ensures that the data is not readable and thus maintains its confidentiality. But encryption that places high demands on managing is ineffective. By using transparent key management there is absolutely no need for user level or administrator level encryption key management or awareness, and the use of advanced cryptographic protocols, such as AES 256bit for both storage and session encryption and signing, guarantees the protection of the data :

Protection from data deletion, data loss

The protection of data by encryption is simply one part of the problem. Files may be accidentally or intentionally deleted or changed. Always keep older versions, ensuring an easy way to revert to the correct file content or recover from data deletion.

Protection from data tampering

Data inside protected storage must be tamper proof by integrating authentication and access control that ensures that only authorized users can change the data. In addition, to ensure that data manipulation that somehow bypasses the access control doesn't go unnoticed, digital signatures must be employed to detect unauthorized changes in the files.

Auditing and monitoring

Comprehensive auditing and monitoring capabilities are essential for security for several reasons. First, it allows the enterprise to ensure that its policy is being carried out. Secondly, it provides the owner of the information with the ability to track the usage of its data. Thirdly, it is a major deterrent for potential abusers, knowing that tamper-proof auditing and monitoring can help in identification. Finally, it provides the security administrator with tools to examine the security infrastructure, verify its correct implementation and expose inadequate or unauthorized usage.

End-to-End network protection

Security must also be maintained while the data is being transported over the network. The process of transferring data must be in itself secure. Users that store or retrieve data must be authenticated, sometimes using strong authentication mechanisms. In addition Access control must ensure that users only take appropriate action, and that only authorized actions are carried out.

Auditing is required to ensure that a detailed history of activities can be reviewed and validated

A sophisticated user management scheme along with strong authentication capabilities is essential. Access control must allow the ability to departmentalize the data and the access to it, and detailed logs auditing and tracking of every activity must be available.

Process Integrity

As data transfer is an essential part of a larger business process, it is critical to be able to validate that this step in the process was executed correctly. This requires the solution to provide auditing features, data integrity verification and guaranteed delivery options.

It's always comforting to know that there is still some honesty in the business world when we hear about Pepsi's action in alerting their main competitor. But I guess we have to accept that this is the exception rather than the rule; so who's deciding today whether to alert you to the fact that your corporate jewels are being hawked around, or are they just accepting that fate has dealt them a favourable hand.

Narrowminded author (5, Insightful)

CogDissident (951207) | about 8 years ago | (#15832172)

The author is completely forgetting to mention the sticky note with the root password that half of these companies have on the side of people's monitors because they force a password change every 3-6 months to something arbitrary.
It also says to completely seperate the outside and inside network, which means that employees have no email, no google, no internet access at all.
It mentions nothing about compartmentalized access rights to various databases, with a different division of admins having responsability and access to only their systems.

In fact, all it does talk about is transmission interception (which is much less common than those problems mentioned above), and data security.

Re:Narrowminded author (-1)

Anonymous Coward | about 8 years ago | (#15832210)

There is a rat in separate.

Re:Narrowminded author (1)

CogDissident (951207) | about 8 years ago | (#15832291)

You're correct, there is a rat in separate. However I mis-spelled it as seperate, wherein the 5th character 'e' is incorrect and should be an 'a'.

If your going to correct someone's spelling like a Spelling Nazi, at least do it well.

Re:Narrowminded author (0)

Anonymous Coward | about 8 years ago | (#15832355)

Read it again.

There is "a rat" in sep arat e.

Re:Narrowminded author (1)

gstoddart (321705) | about 8 years ago | (#15832562)

The author is completely forgetting to mention the sticky note with the root password that half of these companies have on the side of people's monitors because they force a password change every 3-6 months to something arbitrary.

Oh, God, I wish it was 3-6 months. I really do.

We seem to be on a 4-6 week schedule for some systems. And we have a bunch of disparate systems which variously change in groups and individually, usually without any warning. You end up with a laundry list of passwords, mostly separated by the 'entropy number' which is somewhere in your password (or three passwords, each modified by an increasing integer). Usually when I try to log into a server, I end up going through a series of passwords to figure out where in my progression of passwords on that machine I might be.

I can't come up with a secure password that I change that often and still actually remember it.

Draconian password policies, IMO, make the network less usable, and possibly less secure.

And, in larger organizations where lots of people need the password, it ends up being kinda moot anyway -- cause if you changed it, suddenly a lot of people wouldn't be able to get access, and would screw up their day.

Bribed (2, Insightful)

4pins (858270) | about 8 years ago | (#15832179)

"that can so easily be bribed to steal them and hand them over to a competitor"

Here is an idea. Pay them enough that this isn't a real temptation. Risking it all on a fast score isn't worth it, if you will be risking much.

Re:Bribed (1)

dr_dank (472072) | about 8 years ago | (#15832311)

Paying them enough to avoid temptation of bribery isn't practical in most situations. Publicly traded companies are slaves to the shareholders; they won't stand idly by and let them heap cash on the replaceable drones on the off chance that they could pass secrets along. Even if they're six figure earners, a competitor can alway ante up enough cash to turn an employee into a spy.

Re:Bribed (1)

Bastardchyld (889185) | about 8 years ago | (#15832583)

The problem with simply paying your employees more is quite simple. This just drives up the cost of the product for the consumer, this in turn will drive up the value to the competitor, this will only ensure that the competitor pays more for the information.

There are somethings that it is not cost effective to protect against, i.e. terrorist checkpoints at all grocery stores.

IT professionals are payed much higher, in relation to their education/experience level, than most other fields. If you think that you are worth more than you are being payed in your position, then document it and make a case to your manager.

You can't fix a problem simply by throwing money at it.

I had a boss who kept something in his desk . . . (1)

mmell (832646) | about 8 years ago | (#15832185)

he said they were my family jewels. I agreed to pay my (then) employer back for some useless training if I left the company in less than a year.

The damage to their corporate IT infrastructure was minimal and easily repaired, I got my family jewels back, and since they fired me they can't collect the $5000+ for classroom training - and all for proving to them that I was grossly incompetent (but not so incompetent as to start an investigation into corporate sabotage).

My god, I'm scum!

Article is stupid (3, Insightful)

einhverfr (238914) | about 8 years ago | (#15832201)

The author obviously is not an expert in his field. I was having my doubts when we was suggesting that administrators ought not to be able to delete content in intermediate storage. Then cam the the final blow: He suggested using AES for data signing. AES is symmetric and not suitable for that task.

Just to clarify (5, Insightful)

einhverfr (238914) | about 8 years ago | (#15832319)

Espionage is a real concern. But the solutions in this article are worse than the problem. THe real solutions include:

1) Mandatory Access Controls (for example SELinux) on systems that hold confidential information.
2) Data encryption for confidential information using public/private key encryption. AES is NOT an answer here though you can use it for session encryption with Diffie-Hellman, etc. if necessary.
3) Training and loyalty of employees is critical.
4) Separation of duties, powers, and responsibilities.

But I guess this is harder than just throwing technology at such a problem.

Re:Just to clarify (1, Funny)

Anonymous Coward | about 8 years ago | (#15832425)

4) Separation of duties, powers, and responsibilities.

Have we learned nothing from the Bush administration. Separation of powers only supports terrorism.

AES & archival storage (1)

coyote-san (38515) | about 8 years ago | (#15832521)

You encrypt the data with a symmetrical cipher such as AES and a random key, then encrypt that key with PK. You can have multiple copies of the encrypted symmetrical key, e.g., any enterprise-level system will have a "recovery key".

Paranoia RPG (1)

Hoi Polloi (522990) | about 8 years ago | (#15832563)

Sounds like a good Paranoia [wikipedia.org] scenario. I'm Ultraviolet and love the computer!

Re:Article is stupid (0)

Anonymous Coward | about 8 years ago | (#15832383)

I got CRM, but not yours:

Warning: session_start():
open(/home/groups/h/he/hermesweb/htdocs/demo/herme s/misc/locks/sess_995c69947cb127edf6822cbc4c5f3
d 35, O_RDWR) failed: Read-only file system (30) in
/home/groups/h/he/hermesweb/htdocs/demo/hermes/i ndex.php on line 17
Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/groups/h/he/hermesweb/htdocs/demo/hermes/ind ex.php:17) in
/home/groups/h/he/hermesweb/htdocs/demo/hermes/i ndex.php on line 17
Warning: session_start(): Cannot send session cache limiter - headers already sent (output
started at /home/groups/h/he/hermesweb/htdocs/demo/hermes/ind ex.php:17) in
/home/groups/h/he/hermesweb/htdocs/demo/hermes/i ndex.php on line 17
Warning: Cannot modify header information - headers already sent by (output started at
/home/groups/h/he/hermesweb/htdocs/demo/hermes/ind ex.php:17) in
/home/groups/h/he/hermesweb/htdocs/demo/hermes/i ndex.php on line 49

Nothing to see here. (1)

citizenklaw (767566) | about 8 years ago | (#15832219)

Please move along. This article is lame and devoid of content. All of those measures are well and good but does not take into consideration one thing: human stupidity. The weakest link in the chain.

Case in point: Why on God's blue earth does the VA authorized somebody to copy a database into a laptop? This happened also to other firms and companies. If I were to easily get a file from someone's PC it would be quite easy. Boot the PC with a Linux distro, mount the drive, connect a USB drive and go. No one would ever know I was there. Most users are plain stupid and don't even think about encryption or obfuscation.

Remember, in the end it all comes down to a single person doing something really stupid.

Baby sitters don't work (5, Interesting)

evought (709897) | about 8 years ago | (#15832225)

When I was waiting for my TS clearance while working at the Pentagon (I had an interim clearance), I had to have an air force officer shadowing me the entire time, including, at points, typing for me as I dictated. The officer in question was not an IT person and had no idea what I was doing (or was supposed to do) with the UNIX systems under my care.

I could have typed, or told him to type "cd /; rm -rf *" at any point, or done many more subtle things, especially since I had to create accounts and such for Oracle or other applications.

In the end, the only way you can police your IT people is to have IT people you can trust, which means that the managers have to know enough IT to know what is going on and what it means without micromanaging. Very few managers have that ability. Very few IT people have the management ability to cross-train into a high-level manager. I, myself, had to bring in someone else to help with the business/finance side when running my own company. I knew what I was doing but was simply not as good at the business side as the IT work and sales.

Re:Baby sitters don't work (4, Funny)

christopherfinke (608750) | about 8 years ago | (#15832470)

I could have typed, or told him to type "cd /; rm -rf *" at any point
Wouldn't it have been more efficient to have him type "rm -rf /"? If you're using Air Force officers as typists, please don't waste our tax dollars on unnecessary shell commands.

Re:Baby sitters don't work (1, Insightful)

Pig Hogger (10379) | about 8 years ago | (#15832473)

When I was waiting for my TS clearance while working at the Pentagon (I had an interim clearance), I had to have an air force officer shadowing me the entire time, including, at points, typing for me as I dictated. The officer in question was not an IT person and had no idea what I was doing (or was supposed to do) with the UNIX systems under my care.
This is appaling! I understand that to be in the military entails having a lot of stupid, senseless mind-numbing work, but this has to be the very lower bottom of the barrel.

I cannot fathom the damage this shall do to one's self-esteem, both for the typer and the typee!!!

At least, shoveling out outhouses or peeling 1 ton of potatoes has a purpose that is easily understandable...

Outsourcing (3, Insightful)

loony (37622) | about 8 years ago | (#15832227)

They missed one biiiiig issue there... In the US, Europe, Japan and Australia, there are good laws that they can use to come after you... If you move work to India, China or similar, its virtually impossible to get anything from that individual - hence the person has much less worry about doing something illigal...

Peter.

protecting the employees (3, Insightful)

coyote-san (38515) | about 8 years ago | (#15832228)

Don't forget that unlimited knowledge also endangers the IT workers. It doesn't matter if you're a former boy scout if some bad guys want the information badly enough to threaten your family... and don't think that there aren't such people out there.

Security people know this. They know the only real solution is being very transparent about the fact that the IT person can't help them no matter how much pressure is applied.

It's easier for us to think about the corrupt employee since, gosh, we would never hire him. Nobody is safe from somebody willing to use violence to get what they want, and that's a scary thought.

Corporate IT? (1)

den_erpel (140080) | about 8 years ago | (#15832231)


The corporate crown jewels are usually left open and exposed to the IT guys. So how do you protect your corporate crown jewels from staff


Simple, I use Linux and set up a number of Linux servers :). Here; that' all I need to protect my stuff from corporate IT.

With any other topic, this would just have been sad, ...

Re:Corporate IT? (1)

$RANDOMLUSER (804576) | about 8 years ago | (#15832344)

Must Consult Someone Experienced...

IT staff? (1)

Intron (870560) | about 8 years ago | (#15832237)

I've never had a boss worried about IT staff. On the other hand, I've been told many times to keep confidential documents out of the hands of Sales. It is assumed that they will immediately go to a higher bidder.

Re:IT staff? (1)

neonprimetime (528653) | about 8 years ago | (#15832267)

I've never had a boss worried about IT staff

Me neither. At the bank I work at, my manager keeps wanting to get us developers more and more access, not less. The more we have, the quicker we can do our job.

The IT staff isnt usually the problem (1)

grapeape (137008) | about 8 years ago | (#15832258)

In the last company I was with the bigger problem were the masses of employees that had their passwords taped to their monitor. Or the overly helpful ones that would open and hold the secured doors just because they saw someone holding a box. Want free access to the processing room and card cutter, just tell them your deliving flowers. Most IT staff's are at least competent enough to guard against the obvious. With social engineering so easy to do, why would someone bother with trying to sway those who generally know better? If your IT people are that untrustworthy you probably either need to screen better employees or take a look at what you might be doing to make them willing to sell you out for a song.

Re:The IT staff isnt usually the problem (1)

infosec_spaz (968690) | about 8 years ago | (#15832442)

It is not so much the lowlings who tape their password on their monitors you need to worry about, it is the UNIX, or Windows admin who posts the root or admin password on theirs. I would not have an admin who would do this, so I have very little to worry about. Not to mention, when someone gives a 2 week notice in IT, we just wave it, and have them escorted out of the building ASAP. General users have very little access to very sensitive information, with a few exceptions. If someone is high enough up, or does a sensitive enough job, they are watched like a hawk, and generally, we use 2 person integrity. Trust them just enough, but let them know you are watching. That has always been my moto.

You have to eventually trust your users and staff (1)

Fallen Kell (165468) | about 8 years ago | (#15832260)

It is just that plain simple. Most any hardware/software protections will have weaknesses in them that can be bypassed. Eventually someone will need to have access to the data that it is "protecting" and that person will still be at risk of the same issues you are asking to protect against. The administrators will absolutely need to know how to use the hardware/software inside and out if you expect them to be able to do their job and keep the system working properly. There is almost always a way to get to the data, trust me on this. The best way you can keep this from happening is to treat your employees with respect, pay them fairly, and keep the work environment in proper order. If your employees are happy to work for you, they are much less likely to engage in an activity that will hurt their company.

If however you do go to a hardware/software solution, well, all you have done is add complication to your environment; added extra places where your critical data can be forced offline and unaccessible; added new unknown equipment/software that your staff will need to be trained how to use and maintaine. All this will do is drive home the fact that the company does not trust its employees and makes those employees feel unappreciated and untrusted. This will simply cause the moral to drop in the affected departments making it more likely that someone may consider doing the exact thing you are trying to prevent.

double trouble (1)

EddieBurkett (614927) | about 8 years ago | (#15832262)

What are we going to do once the IT guys get those invisibility devices? There will be no stopping them!

limit employee access to information by ... (1)

ei4anb (625481) | about 8 years ago | (#15832265)

putting as little information as possible on each web page and force them to click "next" and wait for countless adds to load before they can see the next dribble of info.

Not a technical problem (5, Insightful)

giminy (94188) | about 8 years ago | (#15832273)

People try to make everything a technical problem, which is really the wrong approach. This ain't something you're gonna fix with fancy access control and slick hardware. No matter what you do (separation of duties, cryptography, trusted operating systems), all you'll succeed in doing is making life more annoying for your regular users, and demonstrate a huge lack of trust of your employees.

If you really want a solution, it's got to be as much policy as it is technology. I'd start with, oh, making your employees sign an NDA, and making sure they're aware of what is a company secret (most companies like Apple, Sun, IBM, etc, have classifications just like the government, e.g. "Apple Secret", "Sun Top Secret"). Make sure they know what those secrets mean, e.g. "Our documents labelled Top Secret will probably cause us to lose our dominant position in the market if leaked." Then, you implement auditing on your data storage. If your IT guys start reading company business strategy memos off the file server, you probably won't catch them when it happens. But if it becomes obvious that those memos were leaked, you can go back through the audit logs and see if anyone read them that shouldn't have, and act appropriately (though don't just assume that that person leaked the info).

Bear in mind that the technical part of this 'solution' will probably fail. What you're trying to do is paradoxical. You're saying, "I ultimately trust these guys with the security of all of my information, but I don't completely trust them with the security of all of my information."

rubbish (2, Insightful)

rubycodez (864176) | about 8 years ago | (#15832292)

background checks and references will solve nearly all bad egg problems. the IT people I've worked with through the years take the security and safety of data as a matter of personal pride. No one is going to pwn3d our machines or data, dammit! The problem we've had in corporate america is dishonesty in executive level, that's cost us tens of billions. IT people just mainly need to not get lazy about security practices and updates, and not let employees do that either, that's the biggest issue with corporate data today.

Who implements these nine ways? (1)

MasterC (70492) | about 8 years ago | (#15832293)

After skimming the article I get their point that, basically, you shouldn't trust your IT staff. So my question is then who do you get to implement the suggested nine ways? If you say "the IT staff" then WTF is the point? If not the IT staff then who? The board? Hah! The secretaries? Hah!

I guess that leaves a 3rd party solution (read: consultants) and if your company trusts outsiders more than your own employees then there are bigger problems to solve.

And I have just the process for you to solve those bigger problems! Just buy my book or pay my consulting fees and I will personally guide you through the process.

I would be (1)

avatar4d (192234) | about 8 years ago | (#15832296)

worried about employees considering:

"Approximately 70 percent of computer hacks come from within a company"
  - http://www.cbrweb.com/articles/fightinginternalcri me.asp [cbrweb.com]

(Of course the numbers vary based on the source, but I recall other sources being higher than that)

Advice from a tech guy :-P (3, Insightful)

Rafajafar (217298) | about 8 years ago | (#15832302)

I can't imagine having to be paranoid about employees. That seems to me to be a bigger problem than hardware.


I am someone who is currently interning for a large fortune 500 tech company who is about to do some drastic changes to the way we do our business (today, actually). There's some serious lay offs going down here, garunteed. The business and marketing folks are as good as out the door. Us tech guys? Pfft, nothing to worry about. The fact is the reason your tech guys have you by the proverbial balls is because you're not educated enough to do their job. Heh, but the fact is, most anyone who has powerpoint and mediocre social skills can do your job. They reach their glass ceiling long before you do, however. They picked a trade with high security and low possibility of advancement. You picked a field with low security but high possibility of advancement. You can't have both unless you run your own business. Sorry.

If you're paranoid about your employees, then they are unhappy with you. The nature of most people is to be faithful to good leaders. Sure, there are exceptions to this rule, but I think it's pretty clear to me, that you do not have the faith of those you manage. Either that or you do not have faith in those you manage. The two generally play hand in hand. I'm with CmdrTaco on this one... I can't imagine having to be paranoid about those on your payroll. Remember, you have the power, and tech guys are becoming more and more common each day. Make them happy with you and then you'll have little to worry about. Make them happy with your company and then you'll have little to worry about.

And the #1 reason most SA's and programmers get frustrated with managers? The internal policy inhibits innovation instead of improving it. I had a manager whose personal policy was "to hell with policy" and I gotta say, he was the best boss I ever had. I know, for myself, if I want to do the best job I can. If policy interferes with that, then I feel as though I'm doing a bad job against my will. If this continues, yes, I'll hate my job, and I'll feel like it's the company's/manager's fault.

I rambled a little, but hopefully you can garner some advice from that.

Re:Advice from a tech guy :-P (0)

Anonymous Coward | about 8 years ago | (#15832439)

"Us tech guys? Pfft, nothing to worry about."

I work for the same large company as you, I'm guessing, and I would be VERY CAREFUL before assuming that. Some of the guys down here have been regaling me with lovely stories of how their buddies got themselves tossed out in some previous layoffs.

Don't mean to scare you, though - you in Reston or Dulles?

Re:Advice from a tech guy :-P (0)

Anonymous Coward | about 8 years ago | (#15832570)

By that logic, IT guys like you are doomed because (1) any guy with a GED and an ITT degree can build servers and (2) help desks can be outsourced to India. Have fun flipping burgers.

Duh? (1)

DarthVain (724186) | about 8 years ago | (#15832303)

Seems pretty simple to me. Pay your employees well and be a good employer.... It will be much more difficult to find an employee if you inspire loyality. At the very least the employee will not want to loose a good thing and not risk it. Pay your employees squat, and treat them like garbage, well you get what you deserve. Fin.

Criminals need a goal (1)

lymond01 (314120) | about 8 years ago | (#15832309)

People are generally trusted implicitly because there isn't any gain to doing something wrong in the workplace. While it's not hard to think up reasons to commit a cybercrime, most people don't really gain anything by it, so why bother doing it? And if you are going to gain something by it, you're likely going to be on the list of suspects.

I equate it to seeing all those big plate glass windows in store fronts, and yet there's nary a brick through any one of them. Only time there is, is when someone wants something inside and can't get it another way -- and then they're easily caught.

Not Just I.T. But Also LEO (0)

Anonymous Coward | about 8 years ago | (#15832310)

IT staff are in the unique position that if they are nosy, immoral, greedy or corrupt that can get at what they want within their company at the touch of a button.

If you're a cop, just flash your badge.

It doesn't hurt if your gun is visible.

You don't. (3, Interesting)

malkavian (9512) | about 8 years ago | (#15832315)

About the only way to keep the info out of the eyes of the sysadmins is to use heavy encryption on every file you want to store safely.
And then, make absolutely sure you never forget the pass phrases, or whatever method you use to secure your side of the key.
All the backups in the world won't protect you from forgetting that vital phrase.
Oh, and it has to be non-obvious.

That being said, a good keylogger will most likely sniff that out, so if someone in IT is really after the goods, and is willing to face legal flak to get it, you're still back at the point of being stuck, unless you ensure all the business folk maintain their own machines away from IT, and support them entirely themselves, to a secure enough level that they won't fall victim to an attack when they connect to the corporate network, or a trojan in an email.

Like all solutions, the most workable is to ensure if someone is guarding secrets that are that potent and valuable, you make sure it's not worth their while to go scurrying off with them.. In other words, you treat them well, and remunerate them according to the value of their task..
If you force your IT staff to work over long hours, stiff them on their working conditions all for a flat low rate, you're asking for trouble.
Give them good conditions, and good pay (going to excellent pay for those sysadmins that are responsible for the really tasty info), and you're far less likely to suffer.
Technical solutions just won't work, as the people who know most about it are the ones you don't trust. Which defeats the whole object.

Check them carefully (2, Interesting)

WindBourne (631190) | about 8 years ago | (#15832343)

A few years ago, I was working in a company where we were developing products for sale to a few Federal groups. We interviewed numerous people for these jobs. One that was interesting was a chinese women living in C. Springs, married to a USA soldier. She had a masters in C.S. from china. At first, she was not all that interested. But once I mentioned the groups that we were selling to as well as discussed exactly what we were doing, she got very interested. Obviously, we shot that down as soon as she expressed interest in who were dealing with.
Upon cheaking her out, we found out was that she was a chinese national, but told us she was american citizen.

In another case, we had a guy that we interview another job. He was claiming to have a CS degree with loads of Linux experience. But when asked a set of questions, he missed them badly.

  1. How do you create a new process; you spawn it(did not know fork or exec).
  2. How do start a new process upon boot up (from the kernel or a central repository; he did not know about /etc or /etc/rc.d/).
  3. asked about genearl sorts and only knew quicksort and bubblesort, but could not explain quicksort.
  4. did not know discrete math.
All in all, what I have found out is that you first have to check ppl very carefully. Then you still have to limit ppl to what they get to. Hopefully with vista, the MS world will start having security. That remains to be seen.

Ethics (4, Insightful)

99BottlesOfBeerInMyF (813746) | about 8 years ago | (#15832345)

Studies have shown the most effective deterrent to theft is moral/ethical. If an employee has a good relationship with the company and their managers then they are unlikely to steal from the company, even if they know they won't be caught. If you treat your employees well, are understanding about their problems, and cultivate your relationship you have little to worry about. Talk to them and learn what their goals are and help them achieve it. Do they want to move up into management? Do they want to go to night school and become a programmer or a public relations person? Help them do it. If your employee has money problems, you should be the first person they come to, confident that you will help them work it out either with financial counseling, a pay raise, saving them money by letting them telecommute, or even loaning them the money they need and repaying it from their wages. You employees should not live in fear of being fired or laid off. If they aren't working out they should know you will talk to them and come up with either a new position for them in the company or help them find work elsewhere, while keeping them on in the mean time. Employees should know they are trusted, for breaking that trust is a deterrent. Employees should have a stake in the company, either stock or a bonus plan so they feel their hard work and good behavior means something.

If all of the above is taken care of, you employees will be a lot less likely to steal or do anything else to put the company out (like quit without notice). There is always the rare anti-social personality disorder, but that is a pretty rare case. If, however, you develop a "strictly business" relationship with your staff that is mercenary and impersonal you may have problems. When people don't care about their employer or dislike their employer and feel that they are in danger of being fired at any time, or their job outsourced, they will respond in kind. If the only reason you pay them is because it makes you more money in the long run, why shouldn't they sell the customer database or source code? If you hire mercenaries and treat them like mercenaries, don't be surprised when they act in their own best monetary interest.

If you decide to treat your employees like you are at war with them and need to be defended against them, you're likely to have more problems than any technical solutions you implement will benefit you. There are products that will build a relational model of your network and log all traffic and access to resources based upon DHCP IDs and the like. Between such a system and a good set of untouchable logs for your access controls you can develop an independent group to monitor your staff. If you really need it though, your company is already pretty doomed as your employees probably don't care anyway and are just doing the minimum necessary to get paid.

Reasonable treatment (4, Insightful)

Spazmania (174582) | about 8 years ago | (#15832368)

Hire honest staff and treat them like human beings so they're not inclined to rip you off. If you catch someone ripping you off, press charges.

You can also create audit trails logging to multiple machines, each controlled by a different employee so that a conspiracy would be needed to avoid being caught. Reading and understanding those logs is, however, very expensive. Its also the kind of mind-numbing job that could leave an otherwise honest IT employee open to committing theft.

easy and obvious solution. (1)

B5_geek (638928) | about 8 years ago | (#15832374)

Pay us the money and respect that we deserve in our role. Stop treating us like criminals (use a security policy that makes sence, not the latest paranoia that the boss thought of.)

If I am respected and payed what on par with others in my industry, I won't have a need to "Sell Your Secrets!

Trust and respect go a long way.

Duh (1)

bostonkarl (795447) | about 8 years ago | (#15832388)

Don't treat you employees like shit and they wont steal from ya.

Re:Duh (2, Insightful)

cdrguru (88047) | about 8 years ago | (#15832501)

Problem of course is the definition of "shit".

Management may feel they are being extremely generous and catering to the whims of many employees while the employees feel they are being ignored and abused. Communication? Naa. The employees in this kind of situation are sure that management isn't listening and doesn't really care.

This is the situation in probably 70-80% of the companies I have ever had any dealings with. When it gets real bad stuff develops legs - i.e., things disappear out the door seemingly all by themselves. Computers. Office supplies. Lamps. Pictures on the wall. Just about anything.

Management then realizes something is going on and needs to make drastic changes. Which, of course, piss people off even more.

At no point does either side communicate until about 80% of the staff has been replaced.

Shoot first, ask questions later. (0)

Anonymous Coward | about 8 years ago | (#15832394)

"I can't imagine having to be paranoid about employees. That seems to me to be a bigger problem than hardware."

The military seems to have a solutiion. Why don't you ask them?

10th way (-1)

Anonymous Coward | about 8 years ago | (#15832396)

Have a set of chairs ready.

Cartoon (2, Insightful)

ch-chuck (9622) | about 8 years ago | (#15832398)

This reminds me of an old cartoon, two pirates are burying a treasure chest on the beach. The pirate Captain is standing watch while holding a gun behind his back. The pirate crewman is down in the hole, digging. He looks up and says, "Just think cap'n, you and I will be the only ones who know where the treasue is buried!"

Crown jewels (1)

zanglang (917799) | about 8 years ago | (#15832407)

Protecting crown jewels? Oh if you've done any martial arts that's easy, you wear those protector thingies around your... Oh, you mean corporate crown jewels? Um.

Well, realistically speaking, you can't. If there was ever some sort of silver bullet on computer security, we wouldn't be readings about some blistering new 0day exploit on /. every few days or so. Welcome to the real, imperfect world of IT.

What you can do is at least see to it that good security policy is in place, e.g. secure passwords, firewalls, access levels, locked-down controls, yadda yadda, things one'd suppose be in TFA already (before it melted, anyway). And then you twiddle your thumbs and hope you don't piss the system administrator off.

Supervision (1)

Billosaur (927319) | about 8 years ago | (#15832423)

Make managers get off their lazy butts and actually peek in on their staff at work once in a while, just to "check up on things." Managers tend to become rooted to their desks and assume that the emails they receive from workers contain the truth, the whole truth, and nothing but the truth. While a good manager lets his/her employees get about their job, they never let the employees run the show. An IT department should be not just a reflection of good work, but good management.

And of course, they could wear leather outfits, hoods, and carry whips to keep people in line... fear can be a great motivator.

The FBI/CIA/NSA (1)

rolfwind (528248) | about 8 years ago | (#15832471)

and every other agency has been working on this problem with their workers since the beginning. And they still get problems with people selling their secrets. Despite their employees having to undergo the polygraph (pseudoscience, I know) every six months, etcetera. Still, perhaps they (or people once working there, if they wrote a book about the methods) would be a good start on the topic.

But I don't think there is a technical solution to this problem. Technical safeguards, yes. Solution? No.

A monitoring program, staffed by people isolated from the rest of the IT staff, that solely watches and logs which and what files get routinely accessed throughout the enterprise would be a good start. Is such a thing feasible?

Threaten them, use spikes, seeds (5, Interesting)

dindi (78034) | about 8 years ago | (#15832493)

The casino, bookie guys do not need rules and regulations. Feel free to take their data (usually cystomer lists), it is full of spikes/seeds (phone numbers, email and land addresses that belong to the owners), so when the data is sold and used (callcenter, email spam/etc) the mails get back to you.

Then the death squad goes after the techs and asks some unconfortable questions, talk about broken kneecaps and burning family houses.

Heck, you can even seed different addresses for each admin (if one is doing the mailing, the other only sees the SQL tables)...

If you think it is science fiction, or fear mongering, come and work for a casino in any Central AM country...

I personally left a place because I was scared - higher staff was regularly followed, I heard bad things about the company, and we had more and more armed people at the entrance. I also heard (from my colleage), that our previous sysadmin was chased down the street by the neighbour casino owner with a gun in the hand, shouting "I kill you bastard" over some customer list that the guy "administrated".

Want 1st person experience: how about police calling me, that a gentlemen wants to talk about one of our employees, who supposedly stole data from a caribbean country's casino. The guy looked like a headhunter/killer to me, who kept calling me for 2 weeks, every day, offering more and more for the person's address or any tip where the person could be met (killed??). And that was back in Europe, and the guy came from the islands .... so he was pretty determined.

Oh well you can make some other measures, like at one place, they sniffed all IM traffic, read all emails, and made it forbidden to take anything into the office. First usb drives, cds floppies. Later cell phones, walkmans, ipods. ANYTHING. They were as well beleived to go thru the lockers.

Of course I cannot (and do not want to name people, places, etc). All I can say, is that I am done with that industry, even though they pay a lot better than others in southern countries.

Learn what you're up against (4, Informative)

b1t r0t (216468) | about 8 years ago | (#15832503)

The first thing to do is to read the extensive documentation on this subject. [theregister.co.uk]

If it's possible, the BOFH has already done it.

Amazing! (0, Offtopic)

ms1234 (211056) | about 8 years ago | (#15832531)

No references to the invisible cloak?-)

This is not a new problem. (1)

njdj (458173) | about 8 years ago | (#15832536)

This problem is as old as doing business - and the solutions were found a very long time ago.

For example, how did a company keep its accountants honest, in the days when the accountants kept the books and made all the payments?

The solution was, basically, twofold: firstly, any transaction requires two people. (For example, the employee who actually issues checks is never the same as the employee who authorizes an expenditure.) Secondly, there is an "audit trail", i.e. for each transaction, there is a record of who authorized that transaction and what it was for. Verifying that a company does these things is part of a standard audit, that every public company must have.

The same principles can be applied to any area of a business. Companies which do not apply them to financial IT systems are asking for trouble.

Assume that someone will try to steal your secrets (0)

Anonymous Coward | about 8 years ago | (#15832550)

If you have enough employees, one of them will be rotten no matter what you do. Look at all the supposedly good Americans who have been caught been spying for the Soviets.

Having your secrets stored on computers makes them a little more vulnerable but they are also stored or embodied in other ways. A production process, for instance, is embodied in the equipment on the factory floor. You have to worry as much about the janitor as the IT staff. Maybe more. The janitor has access to the waste baskets.

Gimme a Break (0)

Anonymous Coward | about 8 years ago | (#15832553)

Internal fraud is a huge issue for many companies especially financial institutions. Thus the rationale for creating 1) control environments 2) control activities within those environments and 3) accountability for those activities in the environment which they exist. There is no such thing as perfect security and good luck figuring out whois honest or not.

Not possible to prevent (1)

orion67 (591651) | about 8 years ago | (#15832571)

I didn't read TFA (got tired of waiting for it to load...)

Obviously information loss can't be prevented. The best you can do is reduce the likelihood and the ease with which it can be accomplished.

Internal staff will always have access to information. People are corruptible. Even where extremely extensive security measures have been taken, people still manage information theft - government spies are a good example - don't forget that the best spies haven't been caught and we don't even know about them.

I always find if funny when companies get worked up over the security of a reporting solution I'm developing for them. For example, they might be concerned that people should not be able to e-mail reports outside the company. But they have no problem with someone printing off a report or copying it to a flash drive and mailing it out of the country using company postage meters...

There is also a severe productivity cost associated with these security measures. You could take a series of extreme security measures like:
  • Disallow flash drives and any other type of device that can store data, such as cell phones, memory cards, removable drives/disks, recordable CDs and DVDs, digital imaging devices, etc.
  • Disallow all remote connections to the outside world that could be used to copy data
  • Establish a security checkpoint through which all personnel must pass going in or out of your location. Conduct body searches for paper, media, and any other "banned" device or information.
  • Set up redundant information access protocols that require more than one person to be involved when accessing sensitive information.
  • Establish stiff penalties (dismissal) for the slightest violation of the rules
  • Establish significant rewards (big bonusus) for exposing the violations of others.
This might work, but where there is a will, there is a way. Plus, suddenly your company has turned into a hated Big Brother where no one wants to work because it just plain isn't any fun to be there. How much does this cost?

For many companies, a more reasonable approach might be:
  • Hire people that you think you can trust. Check references. Get to know them. Establish a culture of trust. Pay people what they are worth and be friendly with those that work for you.
  • Educate people on good information protection measures to reduce the likelihood of casual or accidental information loss.
  • Figure out what it would cost per year to implement a security measure. Don't forget the hidden costs (such as helpdesk calls when passwords expire frequently).
  • Compare the cost of security measures to the cost of information loss. Don't pay more for the barn door than you would for a new horse.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>