[ISN] No Easy Fix for Internal Security

InfoSec News isn at c4i.org
Tue Aug 17 05:45:31 EDT 2004


By David Raikow 
August 16, 2004 

Opinion: The idea of banning portable storage media in the workplace
sidesteps the fact that internal security is a human issue, not a
technical one.

Not too long ago, the Gartner Group raised a minor dustup in the IT
community by releasing a report claiming that portable storage media -
including consumer devices such as cameras and MP3 players with
built-in or removable memory - represent a new security threat to
corporate networks.

While I am almost always happy to see people talking about security
beyond firewalls and virus scanners, this particular case represents a
classic example of the way in which the tech community - including the
media - regularly bungles security issues.

According to the Gartner Group, these devices have grown so easy to
use, and place so much memory within such small and innocuous physical
packages, that they represent a dangerous new mechanism for employees
to steal data or introduce malicious code into corporate networks.

The Gartner report simultaneously sensationalized and diminished a key
security issue by taking it out of context and presenting it as a new
problem tied to specific technologies. The media and much of the tech
community, in turn, leaped to the worst possible conclusion from the
Gartner report: that the real issue was whether businesses should ban

Internal data security is not a new problem, nor is it strictly
speaking a technical one; employees have been stealing business
records since businesses have been keeping them. Banning iPods will
stop nothing. While there are some exceptions, there is very little
data of value that an employee would need a gigabyte of memory to
remove from an office. You can fit a lot of credit card numbers on a
floppy disk, or for that matter, on a piece of paper.

So, how should businesses address this issue?

Internal security is an enormous topic, but the first step is to
recognize it as a human, rather than a technical problem. If an
employee can access a specific piece of data, he or she can steal it,
no matter what technological precautions you may take. Human issues
require complex, nuanced responses, and they rarely have a "silver
bullet" solution.

The best precaution you can take is to know your employees. Before you
give someone access to your valuable data, it is entirely appropriate
for you to take reasonable steps to be confident that they are
trustworthy. Keep in mind, however, that it's important to be
completely upfront with the applicant about those steps.

When making a new hire, ask applicants hard questions, check credit
reports and really interview references; don't take anything at face
value. Respect for staff's privacy is both ethical and necessary to
maintain a productive work environment; nevertheless, managers must be
held responsible for awareness of staff's personal qualities,
interpersonal dynamics and morale. Don't snoop - Big Brother in the
workplace accomplishes nothing but making employees miserable - but
know your people, who should be trusted, and how far.

No, striking a balance isn't easy. But keep in mind that the primary
role of technology in this process should lie in maintaining
appropriate limitations on access to data. Know what information
individual employees need to do their jobs - and what they don't.

Use network authorization and authentication systems, account
restrictions and OS-level permissions to make sure staff can easily
access appropriate data but nothing else. Make liberal use of internal
firewalls, encryption and intrusion-detection systems to detect and
block attempts to circumvent your access controls. These systems
should be as transparent as possible to your employees; think of them
as the digital equivalent of locks on filing cabinets and office

Last, and definitely least, if removable media remain a particular
concern, consider taking technical steps to prevent them from
interfacing with your network. I would definitely not recommend
banning cameras and MP3 players from the office, but there is nothing
necessarily wrong with preventing them from being plugged into office
computers or other equipment.

Several vendors offer software products that can disable or limit
access to FireWire and USB ports, including Zone Labs, Symantec,
SecureWave and Verdasys.

Keep in mind that these measures are pointless unless they also
include steps for disabling CD and DVD burners, Zip drives and other
writable media. This approach can require substantial investments in
time and money, restricts legitimate and useful functionality, and is
far from foolproof. But in high-security environments, it can provide
some additional protection when used in conjunction with other
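As an added illustration of the point above (not code from the article or from any vendor it names), the following PowerShell turns off two of the write paths at once, USB mass storage and CD burning, and then reports the state so an administrator can audit that both controls are actually in place; it assumes a Windows host and an elevated session.

```powershell
# Added example; assumes Windows and an elevated PowerShell session.
# Start = 4 marks the USB mass-storage driver as disabled (3 is the
# default manual start); devices already attached stay until replugged.
$UsbStorKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# Per-user Explorer policy behind "Remove CD Burning features"; deploy it
# through Group Policy so it covers every user, not only the one running this.
$ExplorerPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-RemovableWriters {
    Set-ItemProperty -Path $UsbStorKey -Name Start -Type DWord -Value 4
    if (-not (Test-Path $ExplorerPol)) {
        New-Item -Path $ExplorerPol -Force | Out-Null
    }
    Set-ItemProperty -Path $ExplorerPol -Name NoCDBurning -Type DWord -Value 1
}

function Get-RemovableWriterState {
    # One object per host so a fleet-wide audit can flag drift from the
    # intended state; a control that is only half applied is the gap the
    # article warns about.
    $usb = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    $cd  = if (Test-Path $ExplorerPol) {
        (Get-ItemProperty -Path $ExplorerPol -Name NoCDBurning `
            -ErrorAction SilentlyContinue).NoCDBurning
    }
    [pscustomobject]@{
        UsbStorageDisabled = ($usb -eq 4)
        CdBurningRemoved   = ($cd -eq 1)
    }
}

Disable-RemovableWriters
Get-RemovableWriterState | Format-List
```

Zip drives, FireWire disks and other writable media the article lists are not covered by these two keys, so the audit object is a starting point for a checklist, not proof of a closed channel.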

Understanding that some of the biggest threats to your network come
from the inside is crucial to a realistic assessment of your security
needs. Looking for a simple answer to a complex problem, however, is
just asking for trouble.
