Re: Physical Security & Protecting Information

[ullmic <ullmic6 () web de>]

Nothing is perfect. But it takes at least a little longer to take
screenshots from a 400 page word document, then just to save it to a USB
stick. If this small security improvement is worth the money of the
product, I don't know.


On Tue, 2003-03-18 at 19:57, neil.buchanan () verizon com wrote:
> But what about print screens?  If I can access a document I can almost
> invariably make a copy of some sort.
>
> Neil Buchanan
> 610-407-2141
>
>
>
>
>
>
>                                                                                                            
>                       ullmic                                                                               
>                       <ullmic6 () web de>         To:       security-basics () securityfocus com                 
>                       Sent by:                 cc:                                                         
>                       ullmic6 () web de           Subject:  Re: Physical Security & Protecting Information    
>                                                                                                            
>                                                                                                            
>                       03/17/2003 01:23                                                                     
>                       PM                                                                                   
>                                                                                                            
>                                                                                                            
>
>
>
>
> Today at the Cebit I saw a product by a company called airzip called
> document secure that let's you contol the access rights on a document
> level. You can allow a person to only view a document. The person then
> will not be possible to print it or save it somewhere if you don't allow
> it. The product basically creates a wrapper around the doc that stores
> this info. If you have extremly sensitive information you might use a
> tool like this to prevent this documents to be walked out of your
> systems on disk, USB sticks or paper.
>
>
>
> On Fri, 2003-03-14 at 01:17, Philip Storry wrote:
> > Hello discipulus,
> >
> > Thursday, March 13, 2003, 3:13:44 AM, you wrote:
> >
> > d> I've read about corporate espionage cases where a perpetrator
> > d> at one company busts into the network of another company and
> > d> stumbles into a directory named "Proposals" of all things but
> > d> employees who walk out the front doors carrying protected information
> > d> seems just as damaging or more so to me.
> >
> > There's not much that you can practically do here, I think.
> >
> > The problem is that although there are many good technical and
> > procedural methods of ensuring that only authorised people have access
> > to your systems - and therefore your information - there are few
> > technical or procedural things you can (realistically) do to control
> > what those authorised people do with the information they have access
> > to.
> >
> > Content security systems (like Mimesweeper) can check outbound emails,
> > and block anything that contains project codenames. But that won't
> > stop someone printing it out and putting the paper in their briefcase.
> >
> > Because this is such a low-tech crime, you're left with policy and
> > procedure as your only tools.
> >
> > You should consider making it policy that information does not leave
> > your sites, without written permission from a senior person. This will
> > cause trouble for those that telework, however. You could also brief
> > security staff on what to look for - keep them appraised of new
> > storage media (like those nifty USB pen drives), and give them the
> > authority to do random stop and search jobs.
> >
> > Make sure that all emails and documents have - by policy - a
> > boilerplate on them saying who owns that intellectual property. Tacky,
> > but it might be useful in a court of law - and it reminds employees of
> > the stark reality.
> >
> > All of these safeguards (except boilerplating, which could be enforced
> > via templates etc.) are the sort of things people get complacent on
> > very quickly, because they stand in the way of people working. Within
> > six months of implementing them, senior people will be signing off
> > that John Smith can take home "anything relating to projects X, Y and
> > Z" simply because they don't want to sign it off three times - even
> > though John Smith doesn't actually work on Y and Z.
> >
> > So really, the only defence against this is contractual. All employees
> > must sign an NDA, stating that they will not divulge proprietary
> > intellectual property. Make them sign it, and understand why they are
> > signing it. Don't make it too draconian - you don't need the ability
> > to search their home, for instance. (That's what law enforcement
> > agencies are for.) But you should make it clear that if they steal,
> > they'll be sued. Having to spend that pay rise you got when switching
> > jobs on legal fees is not an attractive proposition.
> >
> >
> > Finally, it should be pointed out that many companies won't actually
> > accept stolen IP, because it's a legal minefield. But NDA's make it
> > difficult for both the person acting as a conduit as well as the
> > ultimate recipient, and may make employees who were only casually
> > thinking about it think twice.
> >
> > Nothing, however, will stop the determined person who's miffed at the
> > company and leaving for a competitor. Nothing except the competitor's
> > honesty and their own legal team's advice, anyway. :-)
> >
> > --
> > Best regards,
> >  Philip                            mailto:phil () philipstorry net