The data enemy within

Title : The data enemy within
Source : http://www.backupanytime.com/whitepaper.htm
Posted : May 08
Copyright : backupanytime original content.
Redistribution as is : No permission required (with credits)
Modification : With written permission from backupanytime.

 

You are here because you and your staff are genuinely concerned about securing your data. Paradoxically, you may be the greatest threat to the security of your data. How so? What can you do about it?

To answer these questions we must take a look at the administrator and user risks associated with company data.
The most obvious and stark danger is that presented by a disgruntled or unstable employee. There is little protection afforded to those who decide this risk is minimal based on a perceived level of contentment in the office at a particular point in time. Things change (inside and outside the office), as do people. Data is easily stolen, distributed, hidden, corrupted or destroyed. Having a system in place which allows you to retrieve your data is only one step along the data protection roadmap. We can provide a system which will make your data available to you, but you are responsible for ensuring that the data in your office does not get into the wrong hands.

Here are some examples of intentional, malicious interference with company data by users. A note if you are low or uneasy at present: please do not consider any of these methods as suitable for revenge in your office. They will cause significant damage and you will be caught.

Mass email:
This involves a user sending unsolicited confidential company or client information by company or non company email to targeted or general email lists. This simple and rotten deed can be devastating to any business.
USB hit and run:
This involves transferring data from a computer to a USB key for distribution from another location at a later date. In addition, the data could be deleted from the source computer by the perpetrator, leaving the data available to everyone but the company. In extreme cases this could be held for ransom. Unfortunately, most perpetrators do not seek ransom, fearing being caught, and therefore the issue does not become resolvable at any price. Responsible companies are increasingly disabling USB ports on office computers.
Remote access:
Sharing of legacy passwords and the lack of a password procedure after employee resignation or dismissal leads to a scenario in which an employee long gone can pick their moment, and a non-identifying location, to log in from and distribute or destroy critical data. This method can be used with official company login accounts provided by management or with unofficial login accounts, which can easily be configured.

Key logger:
This requires some (but not much) computer knowledge. This method involves installing a silent application on targeted computers which will record keystrokes or even detailed screen recordings. This in turn provides the offender with critical information and passwords (possibly including banking details) for every application used, along with the personal correspondence of the computer user. The information may then be used as required by the offender.
Virus, malware, spyware:
In a stable company environment it is an ongoing task to protect systems from malware. If someone with insider information is intent on spreading malware throughout the system, the levels of I.T. management, expense and data risk increase significantly.
Correspondence forwarding:
You have no disgruntled ex-employees. Your system is working fine. You are missing no data. Your data is not being distributed. You have no security concerns. Not so. Who is reading your email? It is all too easy to set a divert on emails so that a copy goes elsewhere, and this can be used discreetly as a competitive advantage by ex-staff members working in a competing company. It's not science fiction. It is very easily set up and can go undetected for extended periods (even years), with all copied mail going to an anonymous free email address.

Social engineering:
Social engineering is the term used to describe attempts to acquire passwords and insider information by simply asking for them under the guise of being a person with the correct privilege. This is very common and unfortunately very effective. All staff members must be made aware of protocol and instructed to adopt firm procedures when dealing with requests for passwords. If you phoned your web hosting company and requested FTP passwords for your website, you might be given them after answering a few cursory questions whose answers may be predictable to people who know you. Conversely, if you call your bank and request passwords, they will come by post to your recorded address regardless of the rapport between you and the operator. It is this latter type of security you should be aiming towards in your organisation.

To this point we have addressed some general detail regarding the grave dangers to data security from people with questionable intentions. Now we will have a look at some of the dangers posed by genuine staff members.
Poor passwords:
Just about everyone today has numerous passwords for various situations such as work logon, online banking, email, home computer etc. These passwords should not be personally identifiable or guessable. In addition, they should not be shared. Sharing passwords results in two serious risks. The more obvious one is that the password will get into the wrong hands. The latter, less considered but equally serious risk is that if more than one person knows the password, tracing activity to get to the root of a problem is very difficult: knowing which password was used does not tell you who was using it.
Manual procedures:
All manual procedures present a risk. If a manual process is inherent to the smooth running of the system, it will at some point fail as we humans are a complicated breed of a thoughtful and inconsistent nature. Manual procedures must where practicable be replaced by automated and verifiable systems. In the example of data backup, a manual procedure can cause backups to be missed due to incorrect procedure adoption, absent administrator or administrator busy with other tasks up to and including forgetting to run the procedure.
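As an added example of what "automated and verifiable" can mean for backup (this is not backupanytime's code), a small Python check that signs a manifest of a backup set when a run completes and later reports whether the set is stale, missing files or modified. The HMAC key, the file names and payloads, and the one-day freshness window are constructed assumptions for the demonstration.

```python
import hashlib, hmac, json, os, tempfile, time
MANIFEST = "manifest.json"
MAX_AGE_SECONDS = 24 * 3600  # assumption: a backup run is expected every day

def _digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def write_manifest(backup_dir, key, now=None):
    # Record each file's SHA-256 and the run time, HMAC-signed with a key only the verifier holds.
    now = time.time() if now is None else now
    files = {n: _digest(os.path.join(backup_dir, n)) for n in sorted(os.listdir(backup_dir))
             if n != MANIFEST and os.path.isfile(os.path.join(backup_dir, n))}
    body = json.dumps({"created": now, "files": files}, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump({"body": body, "mac": mac}, f)

def verify_backup(backup_dir, key, now=None):
    """Return a list of problems; an empty list means the set is signed, fresh and intact."""
    now = time.time() if now is None else now
    try:
        with open(os.path.join(backup_dir, MANIFEST)) as f:
            record = json.load(f)
    except (OSError, ValueError):
        return ["manifest missing or unreadable"]
    expected = hmac.new(key, record["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["mac"]):
        return ["manifest signature invalid"]  # forged or hand-edited manifest
    body, problems = json.loads(record["body"]), []
    if now - body["created"] > MAX_AGE_SECONDS:
        problems.append("backup stale")  # the manual step was skipped or forgotten
    for name, digest in body["files"].items():
        path = os.path.join(backup_dir, name)
        if not os.path.isfile(path):
            problems.append("missing: " + name)
        elif _digest(path) != digest:
            problems.append("modified: " + name)
    return problems

def demo():
    key, d = b"verifier-only-key", tempfile.mkdtemp()  # constructed sample data
    for name in ("ledger.csv", "mail.pst"):
        with open(os.path.join(d, name), "w") as f:
            f.write("sample backup payload for " + name)
    write_manifest(d, key, now=1000.0)
    fresh = verify_backup(d, key, now=2000.0)  # same day, untouched: no problems
    with open(os.path.join(d, "ledger.csv"), "a") as f:
        f.write("tampered")
    tampered = verify_backup(d, key, now=2000.0)  # one file altered after the run
    stale = verify_backup(d, key, now=1000.0 + 3 * 24 * 3600)  # checked three days later
    return fresh, tampered, stale
```

Run the check from a scheduler rather than by hand, and have it alert on any non-empty result so a missed run is noticed the same day rather than on the day a restore is needed.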

Loss of device:
Losing a device (such as a mini USB device) is all too easy. This is happening with greater frequency and with more and more serious consequences as adequate data protection becomes more expected and the volumes which can be held and lost on USB devices increases. USB device loss and laptop theft are increasing as a risk factor to business data every year.

Home systems:
No home is, or should be treated as, a business environment. Home access to office computer systems therefore broadly increases data risk. Remote users must adhere to procedure to the point of treating a connection to the office as if they were in the office at that point in time. This has to include even unpaid time the user decides to spend working while at home. Connections to the office should be password protected and family members should never be given access.

Failure to encrypt:
Expect to lose data. That may sound like a flippant and questionable statement. It is not. It will happen some day. If you ensure no one else can read it (by encrypting it) and you have a backup, then you will survive intact. If you do not expect to lose data, you cannot objectively prepare for it. The media constantly criticise companies in data loss scenarios. If those data loss victims had adequately encrypted the data and had viable backup copies, they had dealt with the situation correctly.

In summary:
The data enemy within is not necessarily a deviant. The data enemy within is better measured by a lack of protection than by an in-company personality test. If you do not have policy and procedures in place to deal with the data enemy within, you are at a serious and unnecessary level of risk.


 

"Data outages cannot be totally avoided. They can and must be prepared for."
Think backup, think backupanytime.
