Read more here
Quote:
A U.S. security expert who devised an application that can fill an iPod with business-critical data in a matter of minutes is urging companies to address the very real threat of data theft.
That's a breach of policy in this organization.
You are not allowed to connect any device to any part of the network without the prior permission of the IT department.
Good point Tiger~
That is a reasonably common policy over here, and in more sensitive locations you are not even allowed to bring the devices on site (mobile phones, cameras as well!)
But I do sense a bit of FUD here? OK so I bring said device on site. Don't we have a policy which only allows access on a needs to basis? So, I should not even be able to see sensitive data, unless it is my job.
All this ties in with HR and your recruitment policy as well?
This has actually been a risk since CD/DVD burners and USB drives became common. Also, someone listening to an iPod isn't concentrating on their work... that would actually attract attention in a professional environment, and where it does not they probably haven't anything worth stealing anyway? What is OK for goods inwards isn't the same in finance ;)
Well, it's good that your organisation actually has a policy, however does that include USB sticks? I would be willing to bet even if it does you will still have employees connecting their USB sticks.
However let's be honest here, if an employee is out to steal business critical files from a company I don't think they'll be concerned whether or not the company policy allows them to connect an external device or not. :D
Plus even if they were caught, what is the punishment for a breach of policy? For example to install anything on my work PC I need IT to do it because of restrictions, not an uncommon policy and actually quite sensible, however for some reason Firefox installed fine for me, so I never bothered telling IT. Yesterday an IT technician came down and said he noticed Firefox while doing an 'update' the other day. I said that yes I had installed it myself and he said 'that's cool, just thought I'd remind you the policy prohibits this, but don't worry'.
I wonder, how would a company prove they had stuff stolen by user X? Surely to prove that they would need to log which user performed the search AND copied the files to an external drive; is that something that is generally logged?
EDIT: He he posting at the same time nihil.
Actually you make a good point that I forgot, the company that I currently work for does only give users access to folders that their manager identified they need access to, however I know that my last company just gave you full access!!! :eek:
Plus although that helps, it doesn't stop the user copying sensitive work that they are working on...
If I walk around any of my facilities and find a device, any device - thumb drives included, I will know whether the user is authorized because my staff are directed to forward all requests to me. If they aren't authorised I will look on the device to see what is there - I have the right to, per policy since they attached it to the work computer - and the policy states that breaches of policy may result in disciplinary action up to and including termination.
Can they sneak it by me... Maybe, but most users don't have the rights to allow the thumb drive to be installed so it's not a huge issue.
IIRC there's a GPO on windows that can be used to prevent access to USB mass storage devices...
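The control mentioned above does exist. On Windows Vista and later it lives in Group Policy under Computer Configuration > Administrative Templates > System > Removable Storage Access; on older systems the documented route was to stop the USBSTOR driver from loading by setting its service start type to 4. The following PowerShell is an added example for this thread, not code posted by any participant: it reads and sets that start value locally and writes a line to an audit file so the change itself is attributable. The log path and the single-machine scope are assumptions; in a domain the same value would be pushed by GPO rather than set by hand.

```powershell
# Added example (not from the thread): block or restore USB mass storage on one machine
# by controlling whether the USBSTOR driver is allowed to load. Run from an elevated prompt.
# Start = 4 means "disabled", Start = 3 means "load on demand" (the Windows default).

$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$auditLog = "$env:ProgramData\usbstor-policy.log"   # assumed location for the local audit trail

function Get-UsbStorageState {
    # Returns 'Disabled' when the driver will not load, otherwise 'Enabled'.
    $start = (Get-ItemProperty -Path $usbstor -Name Start).Start
    if ($start -eq 4) { 'Disabled' } else { 'Enabled' }
}

function Set-UsbStorageState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    $value = if ($State -eq 'Disabled') { 4 } else { 3 }
    Set-ItemProperty -Path $usbstor -Name Start -Value $value -Type DWord

    # Record who changed the setting and when, so a later "prove it" question has an answer.
    $stamp = Get-Date -Format o
    "$stamp $env:COMPUTERNAME $env:USERNAME USBSTOR=$(Get-UsbStorageState)" |
        Add-Content -Path $auditLog

    Get-UsbStorageState
}

# Usage: show the current state, then deny mass storage on this host.
Get-UsbStorageState
Set-UsbStorageState -State 'Disabled'
```

Two caveats a practitioner would want: a device that was already plugged in before the change keeps working until it is removed, and, as SirDice points out further down, this only touches the mass storage class, so USB keyboards and mice keep working.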
We had this discussion at work (more than once) and we considered specifically implementing policies to stop thumb drives etc. We came to the conclusion that they posed no more of a risk for malware entry than floppy disks and no greater a risk to loss of data than existing CDRW drives or pen and paper even. Anyone who is going to steal data will almost certainly have legitimate business access to it anyway and they could print it and walk out with it under their arm.
Removal of personal or protectively marked materials is covered under all circumstances by other policies.
We considered this to be a people problem rather than a technological problem.
A lot of these reports seem to be FUD released by companies selling solutions to that particular 'problem'.
No. I asked the same question when this first came up.
Quote:
ShippMA - I wonder, how would a company prove they had stuff stolen by user X? Surely to prove that they would need to log which user performed the search AND copied the files to an external drive; is that something that is generally logged?
Hey Aspman, I just love the Official Secrets Acts... legislation with teeth :D not like this namby pamby "Homeland Insecurity" or "Data Protection" crap?
;)
Well, I've never worked at an IT company before but why not just glue the USB ports shut and make someone who needs to use the USB port go to an administrator computer and send whatever data they need to their computer. :)
But really, this seems like a one step foward two steps back kinda thing. The more advanced technology gets, the easier it becomes for people to do malicious things with them...
This is going to be difficult..... Please note that a lot of the newer keyboards/mice are USB only. It's kind of hard to connect a keyboard when the ports are glued shut. Gluing the keyboard isn't an option either. We all know that users, keyboards and coffee don't mix ;)
Quote:
Originally posted here by Raion
Well, I've never worked at an IT company before but why not just glue the USB ports shut and make someone who needs to use the USB port go to an administrator computer and send whatever data they need to their computer. :)
Like SirDice said, USB has legitimate purposes + they'll just take it out another way. Email, floppy, print it out etc etc. It's hard to defend against users with legitimate access rights.
Quote:
Well, I've never worked at an IT company before but why not just glue the USB ports shut and make someone who needs to use the USB port go to an administrator computer and send whatever data they need to their computer.
Users take home work all the time. We'd rather it didn't happen but we acknowledge that it does and we try to manage the risks.
Yeah, it's not just USB devices admins have to beware of. My old insurance agent pulled out a sheaf of papers from his cluttered desk one evening and bragged how he got a client list from his old agency. 5000 names, complete with social security numbers. I couldn't believe it. 5000 names and socials just lying around on his desk. Needless to say, I go elsewhere now for insurance.
I hate to say it, but I prefer not to deal with ANY small or even medium size company with any personal or sensitive data if I can help it. It's amazing what's floating around out there on each and every one of us. The big companies suffer breaches, but at least they attempt to maintain some kind of data policies.
Furthermore, I don't see how the gov't can regulate all these small offices and their data-handling practices. Sure, pass all the rules you want, but how are you going to enforce this chit?
I got a lot more horror stories if you want to hear them...
:mad:
It's easy since they don't pre-emptively enforce the laws, they do it after you screw up. We have to be HIPAA compliant... What does that mean? It means we send them a piece of paper saying "Honest guv, we are compliant". That's it. We aren't audited... nothing... But wait till we disclose data we aren't supposed to. In comes the gubmint and goes through our policies, procedures and implementations and checks them against our practices. They will then pull us apart for anything they don't think they like... and hang us out to dry for non-compliance... :rolleyes:
Quote:
Sure, pass all the rules you want, but how are you going to enforce this chit?
That's another dynamic with small businesses. Why or how would they ever have to disclose any data breach. I've posted a story previously about a mortgage broker who got hacked for DoS purposes. It took three days for this a-hole to decide to clean things up, and that was only at the behest of an FBI agent/client who refused to close a deal until things were fixed. Chit, this broker was running Kazaa on his network so he'd have some muzak. And frankly he could've cared less if he lost any client data to the cracker. Which raises another question...
If an SMB loses sensitive client/customer data that ends up being used in, say, an ID theft, how can that theft ever be traced back to the SMB? The SMB's I see wouldn't even have a clue they lost anything sensitive.
Can't any spare USB ports be locked via a server policy on a network, or disabled via User policies or something like that if the concern is so high.
I did the IT for a small publisher for a year and a half. Being the only IT guy there with two servers and 40 odd computers, little experience and full admin access, I spent my time learning as much as I could about NT Server, and I remember learning about security logs letting you know who was logging on and the like. So I am sure that it would not actually be that much of a problem to have device installs as a loggable event, and you would have thought that if you are not letting anyone plug anything in anyway, it is hardly going to clog up the logs every day.
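On current Windows versions the device install really is a loggable event, and the registry keeps a history of its own. The PowerShell below is an added example for this thread, not code posted by any participant: it lists every USB mass storage device the machine has ever enumerated (the USBSTOR key under Enum, keyed by model and then serial number) and pulls recent Kernel-PnP device-configuration events from the System log. It assumes Windows 10 or later, an elevated prompt for the event query, and that the event IDs 400/410 are present on the host, which is the case on Windows 10 and later.

```powershell
# Added example (not from the thread): where Windows already records removable storage use.
# Assumptions: Windows 10 or later; run elevated so the System log query is not truncated.

function Get-UsbStorageHistory {
    # Each USB mass storage device ever enumerated leaves a key under USBSTOR:
    #   USBSTOR\<Disk&Ven_xxx&Prod_yyy&Rev_zzz>\<serial number>
    # The FriendlyName value holds the device's own description.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem -Path $root | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Model        = $model
                Serial       = $_.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

function Get-UsbStorageEvents {
    # Kernel-PnP writes event 400 ("device configured") and 410 ("device started")
    # to the System log; the message names the device instance path, so USBSTOR
    # entries can be picked out with a simple match.
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-PnP'
        Id           = 400, 410
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'USBSTOR' } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Device'; Expression = { ($_.Message -split "`n")[0].Trim() } }
}

# Usage: devices ever seen, then connections in the last week.
Get-UsbStorageHistory | Format-Table -AutoSize
Get-UsbStorageEvents -Days 7 | Format-Table -AutoSize
```

Neither source answers ShippMA's question on its own: the registry history says which device was attached but not by whom, and the PnP events carry a timestamp but no user. Tying a device to a person means correlating the event time with the interactive logon session (Security event 4624) on that machine, and knowing which files were copied needs object access auditing enabled on the sensitive folders (Security event 4663), which is off by default and has to be planned for in advance.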
JFornonnyd