Security Basics mailing list archives
Re: Physical Security & Protecting Information
From: ullmic <ullmic6 () web de>
Date: 19 Mar 2003 20:00:20 +0100
Nothing is perfect. But it takes at least a little longer to take screenshots from a 400-page Word document than just to save it to a USB stick. If this small security improvement is worth the money of the product, I don't know.

On Tue, 2003-03-18 at 19:57, neil.buchanan () verizon com wrote:
But what about print screens? If I can access a document I can almost invariably make a copy of some sort.

Neil Buchanan
610-407-2141

ullmic <ullmic6 () web de>
Sent by: ullmic6 () web de
03/17/2003 01:23 PM
To: security-basics () securityfocus com
cc:
Subject: Re: Physical Security & Protecting Information

Today at the Cebit I saw a product by a company called airzip called document secure that lets you control the access rights on a document level. You can allow a person to only view a document. The person then will not be able to print it or save it somewhere if you don't allow it. The product basically creates a wrapper around the doc that stores this info. If you have extremely sensitive information you might use a tool like this to prevent these documents from being walked out of your systems on disk, USB sticks or paper.

On Fri, 2003-03-14 at 01:17, Philip Storry wrote:

Hello discipulus,

Thursday, March 13, 2003, 3:13:44 AM, you wrote:

d> I've read about corporate espionage cases where a perpetrator
d> at one company busts into the network of another company and
d> stumbles into a directory named "Proposals" of all things but
d> employees who walk out the front doors carrying protected information
d> seems just as damaging or more so to me.

There's not much that you can practically do here, I think.

The problem is that although there are many good technical and procedural methods of ensuring that only authorised people have access to your systems - and therefore your information - there are few technical or procedural things you can (realistically) do to control what those authorised people do with the information they have access to.

Content security systems (like Mimesweeper) can check outbound emails, and block anything that contains project codenames. But that won't stop someone printing it out and putting the paper in their briefcase.

Because this is such a low-tech crime, you're left with policy and procedure as your only tools.
You should consider making it policy that information does not leave your sites, without written permission from a senior person. This will cause trouble for those that telework, however.

You could also brief security staff on what to look for - keep them apprised of new storage media (like those nifty USB pen drives), and give them the authority to do random stop and search jobs.

Make sure that all emails and documents have - by policy - a boilerplate on them saying who owns that intellectual property. Tacky, but it might be useful in a court of law - and it reminds employees of the stark reality.

All of these safeguards (except boilerplating, which could be enforced via templates etc.) are the sort of things people get complacent on very quickly, because they stand in the way of people working. Within six months of implementing them, senior people will be signing off that John Smith can take home "anything relating to projects X, Y and Z" simply because they don't want to sign it off three times - even though John Smith doesn't actually work on Y and Z.

So really, the only defence against this is contractual. All employees must sign an NDA, stating that they will not divulge proprietary intellectual property. Make them sign it, and understand why they are signing it. Don't make it too draconian - you don't need the ability to search their home, for instance. (That's what law enforcement agencies are for.) But you should make it clear that if they steal, they'll be sued. Having to spend that pay rise you got when switching jobs on legal fees is not an attractive proposition.

Finally, it should be pointed out that many companies won't actually accept stolen IP, because it's a legal minefield. But NDAs make it difficult for both the person acting as a conduit as well as the ultimate recipient, and may make employees who were only casually thinking about it think twice.
Nothing, however, will stop the determined person who's miffed at the company and leaving for a competitor. Nothing except the competitor's honesty and their own legal team's advice, anyway. :-)

--
Best regards,
Philip
mailto:phil () philipstorry net