10 things to protect your data from internal threats


Hacker attacks that bring down the network get a lot of attention, so companies concern themselves with protecting against those threats. But if your organisation is focusing on this type of security only, it's a little like putting all your efforts into preventing a bomber from blowing up the building but neglecting to worry about the burglar who sneaks in through a back door and makes off with all your valuables.

Unfortunately, the same security precautions that prevent DoS attacks, viruses and worms, and other high profile attacks may not be addressing a much more insidious problem: theft of company data for corporate espionage or other purposes. Yet the disclosure of your trade secrets to a competitor or the release of private company information to the media could, in some cases, result in a much greater loss than network downtime.

Let's look at what you should be doing to keep your data from walking out the door.

1. Practice the principle of least privilege
There are two opposing philosophies by which you can set your network access policies. The first, the "all open" policy, presumes that all data is available to everyone unless you explicitly restrict access. The second, the "least privilege" policy, operates on the assumption that all data is off-limits to a given user unless that user is explicitly given access to it. The latter is like the need-to-know policies of government intelligence agencies: Unless a user has a demonstrated need to have access to a particular file, he or she can't access it.

2. Put policies in writing
You may think it should be obvious that your employees are not to copy important company information and take it home or e-mail it outside the internal network without permission. However, unless you put such policies in writing and have workers sign off on them, you may be hard pressed to penalise them for violating a policy. Unwritten rules are much more difficult to enforce.

Your policies should be specific and give examples of what's prohibited. Workers may not understand, unless you spell it out, that e-mailing a company document as an attachment to someone outside the network (or even to their own home account) is just as much a violation of policy as copying that document to a USB drive and physically taking it out the door.

Wording of the policy, however, should make it clear that the prohibition is not limited solely to the examples you give.

3. Set restrictive permissions and audit access
The first step in protecting data is to set the appropriate permissions on data files and folders. It goes without saying that data on Windows networks should always be stored on NTFS-formatted drives so you can apply NTFS permissions along with any share permissions. NTFS permissions are more granular than share permissions and apply to users accessing the data on the local machine as well as over the network, whereas share permissions apply only to network access. When both apply, the effective permission is the more restrictive of the two, so a share left at Everyone: Full Control is harmless only if the NTFS permissions beneath it are tight.

Give users the lowest level of permissions possible for them to get their work done. For example, give Read Only permissions to prevent users from modifying files. Learn more about working with NTFS permissions from this article.

You can also set up auditing on files and folders that contain sensitive data, so that you can see who accessed it and when. Learn more about auditing object access from this TechNet article.
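The following is an added example, not part of the original article, showing how steps 1 and 3 look on the command line: a sensitive folder is cut off from inherited defaults, limited to read access for one group, and given an audit entry so that reads and writes land in the Security log. The domain name CORP, the group Finance-Readers and the path D:\Finance are placeholders; run it from an elevated PowerShell prompt on the file server (Vista/2008 or later, since it uses auditpol).

```powershell
# Added example (not from the original article). CORP\Finance-Readers and D:\Finance
# are placeholders. Run elevated on the file server.

$Folder = 'D:\Finance'
$Group  = 'CORP\Finance-Readers'

# 1. Stop inheriting the permissive defaults (e.g. Users: Read, Authenticated Users:
#    Modify) that a new folder picks up from its parent. /inheritance:r removes every
#    inherited ACE and leaves only explicit ones.
icacls $Folder /inheritance:r

# 2. Grant only what is needed. SYSTEM and Administrators keep Full Control so that
#    backups, anti-virus and management still work; the business group gets
#    Read & Execute and nothing else. (OI)(CI) make the ACE inherit to files and subfolders.
icacls $Folder /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
icacls $Folder /grant 'BUILTIN\Administrators:(OI)(CI)F'
icacls $Folder /grant "${Group}:(OI)(CI)RX"

# 3. Turn on the audit policy. Without this, SACL entries on the folder are ignored.
#    "File System" is the Vista+ subcategory; XP/2003 only have the coarser
#    "Audit object access" setting in Local Security Policy.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 4. Add a SACL: successful and failed read, write and delete attempts by anyone are
#    logged (event ID 4663 on Vista+, 560/567 on XP/2003) in the Security log.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    'ReadData, WriteData, Delete',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 5. Verify. icacls shows the DACL; Get-Acl -Audit shows the SACL.
icacls $Folder
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

Auditing Everyone for reads on a busy share generates a lot of events; in practice you narrow the SACL to Write/Delete, or to a specific high-value subfolder, and forward the Security log to a collector so that a user with local admin rights cannot clear it.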

4. Use encryption
Another advantage of storing data on NTFS-formatted drives is that you can apply Encrypting File System (EFS) encryption. EFS is supported by Windows 2000 and later and prevents other users from reading a file's contents even if they have NTFS permissions on it. Two caveats: it does not stop a user with Delete permission from deleting the file, and a data recovery agent (DRA) defined for the domain can always decrypt it, so the DRA's private key needs the same protection as the data itself. With Windows XP/2003 and later, individual encrypted files (sharing is per file, not per folder) can be shared with other users by adding their certificates through the encryption dialog box.

One way data can be stolen is by stealing the entire computer, especially if it's a laptop. With Vista Enterprise and Ultimate editions, you can use BitLocker full drive encryption to protect data in case of theft of the computer. Read more about using EFS and BitLocker to protect against data theft here.
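As an added example (not from the original article), here is the command-line version of both steps above: encrypting a folder with EFS, checking who can decrypt it, backing up the certificate the data now depends on, and checking the BitLocker state of a laptop's system volume. The path D:\Finance\Payroll is a placeholder; run it as the user who owns the data.

```powershell
# Added example (not from the original article). D:\Finance\Payroll is a placeholder.
# Run as the user who owns the data; the BitLocker check needs an elevated prompt.

$Folder = 'D:\Finance\Payroll'

# Encrypt the folder and everything under it. /e sets the Encrypted attribute, /s:path
# recurses. New files created in the folder from now on are encrypted automatically.
cipher /e /s:$Folder

# Verify the attribute on every file...
Get-ChildItem -Path $Folder -Recurse -File |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
    Select-Object FullName, Attributes

# ...and (Vista+) list who can decrypt each file. The "Recovery Certificates" section
# names the data recovery agent; if that key is on a file server somebody can reach,
# EFS is not protecting much.
cipher /c /s:$Folder

# Back up the EFS certificate and private key to a password-protected PFX. Without it, a
# reset password or a reimaged machine makes the data permanently unreadable. The same
# file is all a thief needs, so keep the backup off the laptop.
cipher /x "$env:USERPROFILE\Documents\efs-backup"

# Laptops: is the OS volume actually protected? On Vista the tool is a script
# (cscript manage-bde.wsf -status C:); from Windows 7 it is manage-bde.exe.
manage-bde -status C:
```

EFS protects files against another account on the same machine; BitLocker protects the whole disk against someone who removes it or boots from other media. A stolen laptop needs the second, a shared workstation needs the first, and the two stack.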

5. Implement rights management
Some data theft can be prevented by keeping the wrong people from being able to access that data using the methods above. However, what about theft by people to whom you need to give access? You can use Windows Rights Management Services (RMS) and the Information Rights Management (IRM) feature in many versions of Office 2003 and Office 2007 to prevent users from forwarding, copying, printing, and otherwise misusing e-mail messages and Office documents (Word, Excel, and PowerPoint files) that you send to them. Find out more about RMS/IRM here.

6. Restrict use of removable media
One of the most popular ways to sneak digital information out of an organisation is by copying it onto some sort of removable media or device. USB thumb drives are inexpensive and easy to conceal, and high capacity SD, CF, and other flash memory cards can hold a huge amount of data. Users can also copy files to their iPods or other MP3 players or to CD or DVD writers. You can permanently prevent the use of USB devices by removing the ports physically or filling them with a substance such as epoxy. You can also use software to disable the use of removable devices on each individual computer or throughout the network.

In Vista, you can restrict use of removable media (USB devices and CD/DVD burners) through Group Policy. (See "What's New in Vista Group Policy."). For other operating systems, there are third-party products, such as Portable Storage Control (PSC) from GFI.
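The following is an added example, not from the original article, that applies the Vista "Removable Storage Access" policy to a single machine by writing the same registry values the Group Policy template writes, and shows the pre-Vista fallback of disabling the USB mass-storage driver. The GUIDs are the standard device setup classes for removable disks and CD/DVD drives; for a whole domain you would set the policy in a GPO rather than run this per machine. Run elevated.

```powershell
# Added example (not from the original article). Writes the registry values that the
# Vista "Removable Storage Access" GPO writes; use a GPO for a domain, this for a
# standalone machine or for checking what policy produced. Run elevated.

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device setup class GUIDs that the policy keys are named after.
$Classes = @{
    'Removable disks (USB sticks, flash cards, MP3 players seen as disks)' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD drives (denying writes stops burning)'                    = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
}

foreach ($name in $Classes.Keys) {
    $key = Join-Path -Path $Base -ChildPath $Classes[$name]
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Deny_Write = 1 stops copying to the device but still lets staff read vendor
    # media. Set Deny_Read = 1 as well to block the class entirely. The values are
    # honoured when a device is next attached; reboot to be certain.
    Set-ItemProperty -Path $key -Name 'Deny_Write' -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name 'Deny_Read'  -Value 0 -Type DWord
    Write-Host "Write access denied for: $name"
}

# XP/2003 have no such policy. The usual fallback is to stop the USB mass-storage
# driver from loading at all (Start = 4 means disabled). Keyboards and mice use a
# different driver (hidusb) and keep working. Only needed below Vista (major version 6).
if ([Environment]::OSVersion.Version.Major -lt 6) {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
        -Name 'Start' -Value 4 -Type DWord
}

# Verify what is now in force.
Get-ChildItem -Path $Base | Get-ItemProperty |
    Select-Object PSChildName, Deny_Read, Deny_Write | Format-Table -AutoSize
```

Note that a user who is a local administrator can undo either setting, which is one more reason not to hand out local admin rights; and neither setting stops a phone or camera that presents itself as a "portable device" rather than a disk, which has its own class under the same policy key.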

7. Keep laptops under control
Another way a user can make off with files is to connect to the internal network with a laptop or handheld computer, copy the files to its hard disk, and then take the computer off premises. You need to maintain control over what computers connect to your LAN, not just remotely but by plugging directly into a hub or switch onsite, as well.

You can use IPsec to prevent computers that are not members of the domain from connecting to your file servers and other computers on the LAN: a machine that is not domain-joined has no computer account, so it cannot authenticate the IPsec negotiation with Kerberos and the server simply never accepts its traffic. This paper explains how IPsec and Group Policy can be used for server and domain isolation.
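As an added example, not from the original article or the paper it refers to, here is a minimal domain-isolation rule on a Vista/2008 server using Windows Firewall with Advanced Security. It requires inbound connections to be authenticated with the computer's Kerberos credentials, so an unjoined laptop plugged into a switch cannot reach the server at all, while the server can still initiate unauthenticated traffic outward. The domain-controller subnet 10.0.0.0/24 is a placeholder. Run elevated; in production push the same rules from a GPO to every member server.

```powershell
# Added example (not from the original article). 10.0.0.0/24 stands in for the
# domain-controller subnet. Run elevated on a Vista/2008 member server.

# Require authentication inbound, request (but do not require) it outbound, and only
# while the machine is on the domain profile.
netsh advfirewall consec add rule name="Domain Isolation - Require Inbound" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb `
    profile=domain

# Exemption: a machine must still reach the domain controllers unauthenticated to join
# the domain and obtain the Kerberos ticket in the first place. Exempt the DC subnet.
netsh advfirewall consec add rule name="Exempt Domain Controllers" `
    endpoint1=any endpoint2=10.0.0.0/24 `
    action=noauthentication

# Verify the rules, then check that main-mode security associations are actually being
# negotiated with domain members (an empty list after traffic means nobody is
# authenticating, i.e. the rule is not doing anything).
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

Test it from a domain-joined workstation (the share should still open) and from a laptop that is not joined (the connection should time out rather than be refused, since the server silently drops unauthenticated packets). Keep the DC exemption tight; a broad "noauthentication" rule quietly reopens the back door the rule was meant to close.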

8. Set up outbound content rules
Firewalls can do more than keep undesirable traffic out of your network. They can also keep specified traffic from leaving your network. Your data can walk out the door physically or can be sent out a virtual door via e-mail, peer-to-peer file sharing, etc. You can set up your firewall to block certain types of outbound protocols, such as those used by P2P software.

You can also set up your mail server to block outbound attachments, and block outbound content by keyword, using content filtering appliances, software, or services.
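The firewall half of this section, as an added example that is not part of the original article: outbound rules on the Windows Firewall with Advanced Security in Vista/2008. The default outbound action is Allow, so blocking egress means either adding explicit block rules or flipping the default to Block and allowing only what the business needs; both are shown. The proxy, mail server and DC addresses are placeholders, and the BitTorrent port range is only the well-known default, since P2P clients can be told to use any port.

```powershell
# Added example (not from the original article). The 10.0.0.x addresses are placeholders
# for the corporate proxy, internal mail server and domain-controller subnet. Run elevated.

# Cheap first step: block the BitTorrent default port range outbound. Treat this as a
# speed bump; a client configured to use port 443 walks straight past it.
netsh advfirewall firewall add rule name="Block outbound BitTorrent (default ports)" `
    dir=out action=block protocol=TCP remoteport=6881-6889 profile=any

# Stronger posture: deny all outbound by default in the domain profile...
netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound

# ...then allow only what is needed. Order of creation does not matter: block rules
# always win over allow rules, and the profile default applies when nothing matches.
netsh advfirewall firewall add rule name="Allow web via corporate proxy" `
    dir=out action=allow protocol=TCP remoteip=10.0.0.10 remoteport=8080
netsh advfirewall firewall add rule name="Allow SMTP to internal mail server only" `
    dir=out action=allow protocol=TCP remoteip=10.0.0.25 remoteport=25
netsh advfirewall firewall add rule name="Allow DNS, Kerberos, LDAP, SMB to DCs" `
    dir=out action=allow protocol=any remoteip=10.0.0.0/24

# Verify: the outbound rule set and the profile defaults.
netsh advfirewall firewall show rule name=all dir=out
netsh advfirewall show domainprofile
```

Forgetting the domain-controller rule locks the machine out of Group Policy, so it can never receive the fix; put that rule in the same GPO as the default-block setting. Because these are host rules, they also apply when the laptop is on someone else's wireless network or tethered to a phone, which is the case the next section covers.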

9. Control wireless communications
Even if you block sending of certain types of data through your firewall or filtering systems, a determined person may be able to connect a company laptop to a different wireless network within range, one that doesn't have blocking mechanisms in place. Or he or she might connect the computer to a cell phone that has Internet access and use the phone as a modem.

Keep track of wireless networks that may be available from your company premises and, if necessary, take additional steps, such as restricting company laptops to the corporate SSID, disabling ad-hoc networking, and relying on host-based controls (the firewall rules above, rights management, encryption) that still apply whatever network the laptop happens to join.
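An added example, not from the original article, of both halves of that advice on Vista and later: enumerating the networks visible from the premises, then limiting a company laptop to the corporate SSID with netsh wlan filters. "CorpWiFi" is a placeholder SSID. Run elevated.

```powershell
# Added example (not from the original article). "CorpWiFi" is a placeholder SSID.
# Run elevated on the laptop (Vista and later).

# 1. Inventory what is in range. Keep the output; an open neighbouring network or an
#    unfamiliar SSID that appears one day is exactly the unfiltered exit the article
#    warns about.
netsh wlan show networks mode=bssid

# 2. Deny every infrastructure network by default...
netsh wlan add filter permission=denyall networktype=infrastructure
#    ...and every ad-hoc (peer-to-peer) network, which a user could set up from a
#    second laptop or a phone.
netsh wlan add filter permission=denyall networktype=adhoc

# 3. Then explicitly allow the corporate network(s).
netsh wlan add filter permission=allow ssid="CorpWiFi" networktype=infrastructure

# 4. Verify the resulting allow and deny lists.
netsh wlan show filters

# The same settings can be pushed by Group Policy: Computer Configuration > Windows
# Settings > Security Settings > Wireless Network (IEEE 802.11) Policies, on the
# Network Permissions tab, which a standard user cannot override.
```

Filters only govern the WLAN adapter; a phone used as a USB or Bluetooth modem shows up as a separate dial-up or network interface, so pair this with host firewall rules and, where the risk warrants it, disable the adapters you did not issue.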

10. Beware of creative data theft methods
Remember that your data can walk out in many different formats. A user can print out a document and carry it out in paper form or a thief can steal printed documents from trash cans if the paper hasn't been shredded. Even if you've implemented a technology such as rights management to prevent copying or printing documents, a person could take a digital or film photograph of the content onscreen or even sit and copy the information by hand. Be aware of all the ways your data can leave the premises and take steps to protect against them.

TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.


Talkback 2 comments

    RMS ~ xRML 2.0 ....... Kamol Sagwan -- 06/09/07

    I reckon IRM is the way to go; it's probably the best practice to implement in large C-level orgs. Helps manage misuse. Restrict ~ Save, Print, Copy & Expire RMS-enabled information. Windows Rights Management has been around for about 3 years+ and it's easy to implement in a Windows AD environment.....

    SecuTech Launched Video Protection Solution-UniKey Video Protector Rebecca -- 08/04/08

    SecuTech Solution Inc, a leader in the driverless software protection dongle business, has launched a video protection solution, UniKey Video Protector, a comprehensive application that provides video software vendors a straightforward way to safeguard their video content from piracy and illegal distribution.

    Online video is increasing dramatically, which has led to an increasing risk of piracy; therefore there is a huge requirement to ensure that video content is used only by legitimate users.

    UniKey Video Protector is intended to protect video/audio files such as MPEG, AVI, WAV, RM and RMVB. It is an easy-to-use solution for software vendors who want to sell video data to customers but are concerned about illegal usage and distribution.

    With just a click, video vendors can easily encrypt video files and send them to end users. In order to play an encrypted file, the end user must insert the correct UniKey dongle.

    Industries like online education and AV production can take full advantage of UniKey Video Protector.

    SecuTech Solution Inc.

    SecuTech Solutions Inc. is a company specializing in software license management business systems focusing on the international market with their class leading UniKey product range. Having an extensive and in-depth range of experience within the Software Management Licensing market, SecuTech has drawn upon this experience to utilize today's cutting-edge technologies to introduce a COMPLETE and affordable solution for today's software vendor markets worldwide

    SecuTech Solution Inc.
    Sales@eSecuTech.com
    www.eSecuTech.com
