RE: Securing workstations from IT guys

["Petter Bruland" <pbruland () fcglv com>]

Hmmm

If you find someone you cannot trust and that person is doing harm to
the corp, then the person should be fired.
And before you do that, you better make sure that once the person is
fired, he/she cannot get back in through some back door that the person
made. Also, make sure that the way of "capturing" the offender is done
in a legal manner. Like if you do use some spy software or key logger,
it's in the policy manual to cover you from any legal action that the
fired person might take.

Moving files to USB drives or encrypting them seems like a jolly good
idea, but this means more work for the person using the files, which
means it won't work. If you have to add an extra step for an end user,
the end user will find a way to avoid that extra step... that's just
human nature :-)

What should be done is that all files are saved to a network share where
only the people who needs to access the files, can. No need for Help
Desk / non admin IT staff to have access to ANY corp files what so ever.

I might be repeating a lot of similar posts here, but it's really not
that complicated to fix this issue with the proper ACLs set on network
shares.

-Petter

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Brad Bendily
Sent: Tuesday, November 27, 2007 10:30 AM
To: security-basics
Subject: Re: Securing workstations from IT guys

On Nov 26, 2007 9:13 PM, Lim Ming Wei <mwlim () pacific net sg> wrote:
> Use encryption program to encrypt those files.  Password function in 
> the normal MS Word application does not help.  If you have problem 
> installing the program.  You might want to consider saving the file in

> an alternative storage media such as a USB Thumb drive.

Yeah, this is a good point, something like truecrypt could do this very
well.
www.truecrypt.org

--
Have Mercy & Say Yeah