Where IT Security and Physical Security Converge

Unfortunately, You Can’t Handcuff Laptops To Employees’ Wrists

It’s hard enough to protect sensitive corporate data stored on your premises inside locked offices. It is even harder to protect the information that walks out the door, inside USB keys, laptops and PDAs. If those electronic devices are lost or stolen (12,000 U.S. laptops go missing every week, according to the Ponemon Institute), often the information on them is infinitely more valuable than the devices themselves. Corporations need policies and procedures to keep the information on electronic devices secure.

The time lost in tracking down missing devices is costly. Penalties for loss of data, and of course, lost customer confidence, can wreak havoc on businesses. Security officers may wish that when employees go roaming, they could handcuff their laptops to their wrists. A combination of automated data security solutions and practical policies is easier to implement.

Policies Needed To Prevent Data Loss
Protecting sensitive information is one of the most critical processes in any organization. The more interesting and profitable it is, the more information travels, and more often than not without safeguards or formal authorization. When data leaks into the wrong hands, it becomes a security breach whose business impact can be irrecoverable.

What information makes a valuable target?

Intellectual property, e-mail lists, customer databases, and other proprietary and confidential information are targeted for their monetary and strategic value. Customer databases and proprietary information files are frequently stolen by employees leaving the organization. Users can easily access corporate information, and can secrete it on small storage devices.

With today’s globally connected computing environments, more people have access to more information than ever before, sometimes even information unrelated to their jobs. Outsourcing, offshoring and contracting create still more opportunities for data and intellectual property to be lost, as these arrangements often necessitate access to sensitive information residing on enterprise servers.

Every time an employee leaves the building or network carrying information on a portable device, the information is at risk. Cheap and lightweight memory is a blessing for business -- until the gadget carrying it gets lost. Then the enterprise exposes itself to adverse publicity, loss of customer confidence, and even financial penalties.

Moreover, those traveling devices can expose the entire network not only to data loss but to extensive disruption, rendering business systems inoperable and impairing revenue. A network is only as secure as its leakiest endpoint. Administrators may take elaborate precautions to secure a mainframe or servers. Yet, if administrators cannot access remote machines because they belong to traveling salespeople, for example, they still risk losing the information on the remote machines (or worse, if the machines can still access the enterprise servers).

Leaky endpoints are conduits to otherwise secure networks. They route data out, and Internet threats in. If you don’t have a policy and a method of monitoring and enforcement, you will never know when data goes missing. You can’t find out who has stolen the data. You won’t know what has been taken without your knowledge or authorization. You can’t be sure whether anything malicious has taken residence in your computer network.

Sometimes breaches put lives at risk.

Marine One, Pentagon and soldier deployment in Iraq data available for free.

When classified technical information about Marine One, the U.S. Presidential helicopter, was discovered in a public folder on a computer in Teheran, Iran, it was traced to a leak in summer 2008, from a military contractor’s computer via a P2P file-sharing network.

Classified information obviously must be diligently protected. In transit and at rest, NSA Type I encryption renders the information unintelligible to anyone without the need to know.

Encryption uses the computer’s mighty processing power to turn the information in a file into indecipherable gibberish. Typical encrypted text looks something like this.

D91172E6C30776967C3714A0F1B34BC58922540DD0DBA0AEE5A1AB73EE191B5039E4EFE102FFABDE6FEB9D712C222
70250A7A57710D6E5B0C9696B9A7CB217ED7BCAD1C56A43FC52B9E793337ED789668F7BECF9B3BDE2D37E72BE09943
2C1F1BC76B24550E1932765FABA9EA86BD54CB28D65690BE61

Only with the proper authorization and “key” can it be decrypted into human- or machine-readable form.

When top secret data physically leaves a secure facility, it must travel by special courier, who may or may not handcuff the container to the wrist.

Only rigorously-enforced policies can prevent breaches such as when P2P file-sharing imperiled the Marine One technical information. Other documents now floating around on the P2P networks include the Pentagon’s ‘entire secret backbone network infrastructure diagram, complete with IP addresses and password change scripts’, Iraq status reports, and lists of soldiers posted in Iraq with social security numbers among others. These are just a few examples of data loss threatened when P2P clients installed on computers within secured networks exposed confidential data to unauthorized access.

Data Loss Overview
Viruses and Trojans used to top the list of information and computer system threats; today it’s the threats from within that keep IT security administrators awake at night. Those threats take two main forms: devious employees purposely stealing information, and careless loss. When employees take work home, telecommute or check e-mail on the move, they are more likely to access the network remotely via an unsecured network, placing confidential corporate information in harm’s way. Hackers may sniff on wireless networks (War Driving) and steal unencrypted data from touring laptops.

Typically, data loss happens when:

  • A business network allows employees unrestricted access to corporate data.
  • Employees use e-mail to transfer sensitive work files to their personal e-mail addresses, or copy them onto removable media.
  • Telecommuting employees access the corporate network from remote locations without using secure connections (e.g. an IPsec or SSL VPN).
  • Business e-mail is accessed on a kiosk computer in an unsecured environment.
  • Company laptops are used in unsecured public wireless hotspots.
  • Mobile devices carrying sensitive company information are misplaced or stolen.
  • Outsourcing/offshoring arrangements allow unrestricted access to corporate networks.
  • Employees maneuver around complacent company security policies (e.g., disabling anti-virus/firewall programs).

In the absence of Data Loss Prevention practices -- applied to all users, data and access points -- data can be stolen or lost with no one within the enterprise the wiser.

Data loss consequences can range from monetary damage due to penalties, financial loss mitigation and legal costs, re-constructing processes, impediments to business continuity, to losing the faith of customers and business partners. Regulatory compliance requirements are complex, and expanding at an accelerated pace; more than 25 US states have passed breach notification laws requiring companies to notify customers whose personal information has been compromised.

There should be no doubt that retrieving lost data and cleaning up compromised data are costly and time-consuming. The cost of data breach recovery increases each year; the average cost per record lost or compromised was $202 in 2008, up from $197 the previous year. Corporate stakeholders should be especially concerned that 88 percent of breach incidents were traced to insider negligence.

The cost of prevention is four times less than the cost of a single security breach. Any organization with valuable information should have a plan in place to prevent its loss.

Data Loss Prevention Policies Return Control
Data loss prevention, or DLP, is a continuous security process designed to protect data anywhere: in storage, as it moves across the network, or in external transmission. An efficient data loss prevention system controls data wherever it is on the network, checks illegal dissemination of information, secures data as it is being communicated, enables business exchanges of information with no fear of third-party access, monitors users of data, and identifies security breaches through an automated enforcement process. Finally, it warns users and IT professionals with an alert system when it detects unauthorized intrusion or broadcast.

DLP solutions are typically customized to companies’ unique requirements and are integrated with the internal processes to manage the flow of information into, within and outside the work environment. Automatically encrypting certain types of files restricts access only to intended recipients when e-mailed. DLPs define use policies, ensuring that employees access only data they need. They also deter malicious users by tracking usage patterns and transmission, and by checking illegal access or downloads.

Best Practices for Data Loss Prevention
Best Practice 1: Create and maintain an information security and data classification policy that clearly identifies and controls the handling and storage of proprietary, confidential and sensitive information -- continuously expand user awareness.

Best Practice 2: Have and enforce a data loss prevention policy that includes monitoring and incident handling processes. In some industries, data loss prevention policies are already mandatory. Sarbanes-Oxley, for example, already requires these policies for publicly-held companies. Be sure you are familiar with breach notification laws and how to engage law enforcement entities.

Best Practice 3: Give IT professionals the flexibility they need to administer, especially in emergencies. Centralize the command and control of all devices on the network, including those that leave the building. Centralized management allows IT staff to update settings on each device remotely, instead of having to visit each desk, or having to wait until traveling staff bring their computing devices to the home office.

Best Practice 4: Avoid time-consuming or difficult data loss prevention solutions. Policies requiring too many passwords or difficult-to-remember sequences are policies bound to be thwarted. Make compliance as easy as possible for all users.

Data loss policies must apply to everyone with access to network information. Security will fail if top management, because of their lofty importance, choose to exempt themselves from applying the secure policies and procedures implemented. This is a real life example: a government department has at its head an individual who does not like the idea of being forced to change their password regularly and therefore, is exempt from doing so. This in turn has allowed the number two in command to also be exempt from changing their password regularly.

Best Practices For Traveling Devices
Best Practice 5: Authenticate, encrypt and minimize sensitive information on traveling devices. Minimize the need for data to travel. Further, encrypt the information so that it is useless to anyone without proper access. If a flash drive, laptop or other traveling device contains encrypted information, even if it is lost, the data can remain safe.

Best Practice 6: Encrypt the traveling devices themselves. Traveling devices themselves can be encrypted at the boot level, so that even if someone found or stole the laptop, they could not access the operating system. This adds an extra level of security, especially for devices that can connect to networks.

Best Practice 7: Implement Two-Factor Authentication with Online Status Responder

For company-issued devices, encrypt all information with two-factor authentication. The two factors can be something the user “knows,” such as a password; something the user “is,” a personal characteristic such as a fingerprint; or something the user “has,” such as a digital file stored either on the computer or on an auxiliary device such as a USB key. If the digital file is a digital certificate, it is kept on file with the company that issued it (called a certificate authority), such as Comodo CA. If the device is lost or stolen, the IT department can notify the issuing certificate authority. If that certificate authority runs an Online Certificate Status Protocol (OCSP) responder, it can revoke the certificate immediately. If a thief (or even a discharged employee) tries to use the device without permission, the files remain encrypted and unavailable.
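The unlock decision described above can be sketched as follows. This is an added example, not code from the authors or from any Comodo product: the in-memory `StatusResponder` stands in for a real OCSP responder, and every name, serial number and secret in it is hypothetical. It assumes the client refuses to unlock when the certificate status cannot be confirmed.

```python
import hashlib
import hmac

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


class StatusResponder:
    """In-memory stand-in for a CA's OCSP responder (hypothetical, no network)."""

    def __init__(self):
        self.issued, self.revoked, self.online = set(), set(), True

    def status(self, serial):
        if not self.online:
            raise ConnectionError("responder unreachable")
        if serial in self.revoked:
            return REVOKED
        return GOOD if serial in self.issued else UNKNOWN


def derive_key(password, token_secret, salt):
    """Combine both factors: stretch the password, then key an HMAC with the token secret."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(token_secret, stretched, hashlib.sha256).digest()


def key_check(key):
    """Verifier stored beside the encrypted files; it does not reveal the key."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def unlock(password, token_secret, serial, salt, stored_check, responder):
    """Release the file key only for a 'good' certificate and two matching factors."""
    try:
        if responder.status(serial) != GOOD:
            return None  # revoked or unknown certificate: refuse
    except ConnectionError:
        return None  # assumption of this example: fail closed when status is unconfirmed
    key = derive_key(password, token_secret, salt)
    return key if hmac.compare_digest(key_check(key), stored_check) else None


# Constructed sample enrolment: every value below is invented for the example.
SALT, TOKEN_SECRET, SERIAL = b"constructed-salt", b"constructed-token-secret", "01A2"
responder = StatusResponder()
responder.issued.add(SERIAL)
STORED_CHECK = key_check(derive_key("correct horse", TOKEN_SECRET, SALT))
```

Because the key depends on both the password and the token secret, neither factor alone yields it; the status lookup is a policy gate the client applies before releasing the key.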

Endpoint Security As A Business Driver
Data security procedures succeed when they are aligned with human factors. Security software should protect all nodes unobtrusively, without a heavy-handed “one-size-fits-all” policy approach that thwarts users.

Endpoint security solutions need to be flexible enough to scale with organizational growth, yet protect against increasingly sophisticated threats. Unobtrusive and accommodating security software opens up resources to computer users, shielding them but not weighing them down.

At a holistic level, an endpoint security solution must achieve the following:

  • Control access to the network: who is accessing, what is being accessed, what’s entering, what’s being taken out.
  • Control permissions and restrictions.
  • Protect the network from external threats.
  • Protect the network from the endpoints through quarantine and access control.
  • Be flexible and scalable for continuous protection.
  • Protect data in motion and data at rest through encryption and access control.
  • Enable centralized management for implementations and updates from a single point across all endpoints in the network.

Following best practices will ensure that users are attuned to the importance of minimizing data leaks. Enforcing encryption in business communication, understanding and classifying corporate information, enabling data access on a need-to-know basis, monitoring endpoints for unusual user behavior, and ensuring compliance with corporate security policies, together with a robust security infrastructure, go a long way in preventing data loss within the organization.

Securing sensitive data is critical for competitive advantage and customer trust. Sometimes a strong data loss prevention policy can mean the difference between life and death.



About the Authors

Katharine Hadow is manager of public relations at Comodo.

Len Gangi is Vice President of Enterprise Solutions at Comodo in Jersey City, N.J.
