
Thread: Beware the 'pod slurping' employee

  1. #11
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Well, I've never worked at an IT company before but why not just glue the USB ports shut and make someone who needs to use the USB port go to an administrator computer and send whatever data they need to their computer.
    Like SirDice said USB had legitimate purposes + they'll just take it out another way. Email, floppy, print it out etc etc. It's hard to defend against users with legitimate access rights.

    Users take home work all the time. We'd rather it didn't happen but we acknowledge that it does and we try to manage the risks.

  2. #12
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Yeah, it's not just USB devices admins have to beware of. My old insurance agent pulled out a sheaf of papers from his cluttered desk one evening and bragged how he got a client list from his old agency. 5000 names, complete with social security numbers. I couldn't believe it. 5000 names and socials just laying around on his desk. Needless to say, I go elsewhere now for insurance.

    I hate to say it, but I prefer not to deal with ANY small or even medium size company with any personal or sensitive data if I can help it. It's amazing what's floating around out there on each and every one of us. The big companies suffer breaches, but at least they attempt to maintain some kind of data policies.

    Furthermore, I don't see how the gov't can regulate all these small offices and their data-handling practices. Sure, pass all the rules you want, but how are you going to enforce this chit?

    I gotta lot more horror stories if you want to hear them...

    “Everybody is ignorant, only on different subjects.” — Will Rogers

  3. #13
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Sure, pass all the rules you want, but how are you going to enforce this chit?
    It's easy since they don't pre-emptively enforce the laws, they do it after you screw up. We have to be HIPAA compliant... What does that mean? It means we send them a piece of paper saying "Honest guv, we are compliant". That's it. We aren't audited... nothing... But wait till we disclose data we aren't supposed to. In comes the gubmint and goes through our policies, procedures and implementations and checks them against our practices. They will then pull us apart for anything they don't think they like... and hang us out to dry for non-compliance...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #14
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    That's another dynamic with small businesses. Why or how would they ever have to disclose any data breach? I've posted a story previously about a mortgage broker who got hacked for DoS purposes. It took three days for this a-hole to decide to clean things up, and that was only at the behest of an FBI agent/client who refused to close a deal until things were fixed. Chit, this broker was running Kazaa on his network so he'd have some muzak. And frankly he could've cared less if he lost any client data to the cracker. Which raises another question...

    If an SMB loses sensitive client/customer data that ends up being used in, say, an ID theft, how can that theft ever be traced back to the SMB? The SMBs I see wouldn't even have a clue they lost anything sensitive.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  5. #15
    Senior Member JonnyFrond's Avatar
    Join Date
    Jan 2006
    Posts
    238
    Can't any spare USB ports be locked via a server policy on a network, or disabled via User policies or something like that if the concern is so high?

    I did the IT for a small publisher for a year and a half, being the only IT guy there with two servers and 40 odd computers and little experience, and full admin access, I spent my time learning as much as I could about NT Server, and I remember learning about security logs letting you know who was logging on and the like, so I am sure that it would not actually be that much of a problem to have it so that devices installed as a loggable event and you would have thought that if you are not letting anyone plug anything in anyway, it is hardly going to clog up the logs every day.

    JFornonnyd
    Sarcasm is a way of life
