Sorry for the absence folks – my day job is taking up more of my brain than I really can afford these days.

Today’s lesson…

Working through a whole lot of issues, we keep coming back to the discussion (endless discussion) about “high capacity data devices and how they can be used to steal all of your information (, burn down your house and sell your children)”. Let me get it out of the way now.

It’s a bullshit discussion.

I think I’ve ranted about this before, but I’ll rant about it again…

We’re not going to spend $x thousands or hundreds of thousands of dollars plugging an unplug-able hole – technical preventative controls are ALWAYS fragile. There are people out there (you know who you are) who think that using a glue gun on a USB port is a good idea. People who (I interviewed a few of them) think that it’s reasonable to seize an iPod if it is seen on an employee’s desk during a walk around.

I think they’re wrong – completely freaking wrong.

Dave (I think) originated the quote: “The harder you squeeze your employees, the more they leak.” and I’m in total agreement. Give people the tools to do their job and they will. Give them tools to make their lives easier and more balanced, and they’ll work harder for you than you thought. Compress them and limit them with a bunch of arbitrary fragile rules… well, you get what you asked for.

Of course they could steal the company crown jewels. For most companies, the really good stuff fits in less than 6″ of printout. With a modern printer, you can reasonably get 8 readable pages per sheet (4 on each side)… that’s a 1.5″ thick printout… which fits in a purse (or European-style man’s accessory bag). Are you going to search every employee on their way out?

Note that this is from the perspective of working in the financial industry somewhere… if you work in an environment where you need to search bags in and out, well, either you’re looking for *DANGEROUSLY EXPLOSIVE LIQUIDS* or you have a real reason with proper risk adjudication and appropriately trained personnel. Please go about your business.

The real outcome of all of this is simple. We don’t need new laws or new controls for each new technology that comes along. Good controls are designed to supersede minor technological change.

To reduce the likelihood of intentional data theft, we should look at controls in this way:

Preventative controls
– identity management (authentication and authorization)
– effective access controls on unstructured data (you only have access to that which you need for your job)
– effective access controls on structured data (it’s really not possible to dump the whole database to a local file – either through API-only access or other means)

Detective controls
– review system accesses for DLQR (Doesn’t Look Quite Right) behaviours – the middle of the bell curve isn’t the problem.
– review key unstructured data for DLQR – file access times/personnel that don’t make sense.
– watch for behaviours in employees that are indicative of “getting ready to leave” – if your line managers can’t see it coming, retrain or get new line managers.
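An added example (not from the original post) of what the DLQR review of system accesses could look like over a constructed access log: each user-day’s read volume is compared against the whole population with a median/MAD robust z-score, so the middle of the bell curve stays quiet and only the far tail is flagged, and access outside office hours is flagged separately. The log format, thresholds and user names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample access log (timestamp,user,path,bytes); not real data.
ACCESS_LOG = """\
2007-03-05T09:12:00,alice,/finance/q1_forecast.xls,120000
2007-03-05T10:40:00,bob,/hr/policies.doc,40000
2007-03-05T14:05:00,carol,/finance/q1_forecast.xls,120000
2007-03-06T09:30:00,alice,/finance/budget.xls,90000
2007-03-06T11:00:00,bob,/hr/handbook.doc,60000
2007-03-06T15:20:00,carol,/finance/ledger.xls,150000
2007-03-06T22:41:00,dave,/finance/ledger.xls,150000
2007-03-06T22:50:00,dave,/finance/client_list.xls,900000
2007-03-06T23:02:00,dave,/hr/salaries.xls,400000
"""
BUSINESS_HOURS = range(7, 20)   # assumed: 07:00-19:59 is normal for office staff
Z_THRESHOLD = 3.5               # assumed: robust z-score above which a user-day is flagged

def parse_log(text):
    """Yield (timestamp, user, path, bytes) tuples from the comma-separated log."""
    for line in text.strip().splitlines():
        ts, user, path, nbytes = line.split(",")
        yield datetime.fromisoformat(ts), user, path, int(nbytes)

def robust_z(values):
    """z-scores built on median/MAD, so one huge outlier cannot hide itself
    by inflating the mean and standard deviation it is measured against."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0
    return [(v - med) / (1.4826 * mad) for v in values]

def dlqr_findings(text):
    """Return {(user, reason)} for behaviour that Doesn't Look Quite Right."""
    rows = list(parse_log(text))
    findings = set()
    # 1. Volume: compare each user-day with the population; only the far tail matters.
    volume = defaultdict(int)
    for ts, user, _path, nbytes in rows:
        volume[(user, ts.date())] += nbytes
    keys = list(volume)
    for (user, _day), z in zip(keys, robust_z([volume[k] for k in keys])):
        if z > Z_THRESHOLD:
            findings.add((user, "volume"))
    # 2. Timing: access at hours that don't make sense for the role.
    for ts, user, _path, _nbytes in rows:
        if ts.hour not in BUSINESS_HOURS:
            findings.add((user, "off-hours"))
    return findings
```

On the sample above only dave is flagged, on both counts; the three users in the middle of the distribution produce no findings.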

Compensating controls
– understanding at the absolute top of the organization that you cannot prevent all leaks, you can barely prevent malicious leaks, and you’d rather concentrate your available budget on preventing mistakes – the risk is up to the executive to understand and the authority for spending comes from *their* ability to stomach the potential outcomes of accepting the risk.
– cultivate relationships with forensic experts and law enforcement – when bad things happen, you’ll be ready to cope in a way which is most effective.

Of course, you need to articulate all of the above in policy, standards, guidelines, procedures and risk acceptance statements. If you didn’t document it, it’s not done.

One last thing – when you’re talking about risk with executives, try this one… instead of referring to legal, regulatory and reputation risks, talk about “orange jumpsuit”, “lose your house”, and “look like a fool” risks. Seems to have excellent traction here.

Until next week, please let me know how off base you think I am. Stay tuned for “How to prove the utility of an infosec interviewee in four questions.”
