Protecting Data from Inside the Enterprise
You can secure your data and access it too
By Hay Hazama
The term “security breach” conjures up images, propagated by the media and entertainment industry, of villains hacking into classified networks and stealing top-secret government files or banking codes. Seldom do we consider the man or woman in the next cubicle a corporate security threat. But more and more companies are realizing that the greatest threat to the integrity of their intellectual assets is not the faceless hacker -- it is their own staff. The scenario may not be as dramatic but the results are just as devastating.
The Perpetrators
Vista Research reports that more than 70% of security breaches involving losses over $100,000 occur from within the enterprise. How are people stealing all this information -- carrying it out in boxes in the dark of night? Hardly. Given that about 60% of confidential data is housed on organizational PCs and laptops -- also known as endpoints -- potential thieves need only travel as far as their own computer to access confidential information. Most often, however, data security incidents are far from malicious, but rather the result of carelessness.
PCs and laptops house more information than ever before, and the communications ports built into these machines enable data to be transferred from a computer with the click of a button or a mouse. USB ports, CD/DVD drives and WiFi connections are just some of the ways technology has enhanced data storage and transmission efficiency. But efficient data transport seldom aligns with secure data transport.
The MO
USB drives have revolutionized removable storage. 1 GB of information can fit on a device the size of a cigarette lighter. Over 35,000 different types of USB devices exist and more than 1 billion have been sold. While these devices were traditionally passive storage components, recent advances in U3 technology enable users to store applications and settings that can be automatically launched from the device itself via Autorun capabilities. This may be productive, but that productivity comes at a considerable cost to security, leaving enterprise networks open to the simple introduction of malware.
The size and storage capacity of USB devices make them the ideal MO for disgruntled employees bent on mischief. The contents of a database can be downloaded in the time it takes to make a cup of coffee and the device can then be slipped into a pocket or purse. 39% of USB drive owners use these devices to transfer files from work to their home, so the loss of drives containing sensitive files can be just as damaging to the organization as theft. Such was the case with the Maryland Department of Natural Resources. An employee used a thumb drive to take work home and lost the drive, leaving the names and social security numbers of 1400 current and past employees exposed.
Unsecured CD/DVD drives pose a similar threat to data security. Lightweight and portable, CD/DVDs are another ideal method of saving and transporting information. As with USB storage, the benefits that removable media contribute to productivity can come at a high price to security. Viruses and worms can be quickly uploaded using a CD/DVD and while the medium is easily transported, it is also easily misplaced. In Atlanta, Georgia, for example, a CD containing the names, addresses, and social security numbers of people using Medicaid and the state-run Peach Care insurance plan was lost by an agency contractor. Over 2.9 million people, including children, were affected by the loss of a single CD.
Equally threatening to information security is the use of wireless technology, such as WiFi and Bluetooth. Both technologies allow increased mobility and are relatively cheap to deploy. WiFi access is quickly growing in popularity as more hotspots pop up each day. You cannot buy a notebook computer anymore without wireless capabilities and most new cell phones are Bluetooth compatible. Yet data transmitted via WiFi and Bluetooth can be easily intercepted by anyone with the right tools and a little patience. One method of this type of privacy invasion is called “Bluejacking” and involves using Rogue Access Points to remotely take over a computing device.
All of these security risks and nightmare scenarios have two things in common: they resulted from the use of endpoint communications ports and they are preventable.
In the race for productivity, many companies have allowed their employees to utilize whatever means necessary to store and share information without adequate assessment of the potential risks involved. Government mandates such as SOX and HIPAA have helped raise risk awareness among CSOs and CIOs through compulsory compliance but the average employee may not be so security savvy.
Regaining Control
The first step that corporate IT departments need to take in protecting endpoint data is to identify the threats. Blindly implementing policy or reacting to existing security breaches will only provide a quick fix to an evolving problem. Management must first locate the devices and connections being used on their corporate network. This can be done using various software tools that can scan an organization’s network and identify current and historic connections, generating a report that describes who is using which devices and when.
Once potential vulnerabilities are highlighted, administrators can then develop corporate policies that outline the restrictions of data use on the corporate network. While simply turning off or deactivating endpoint communications ports might sound like a viable option, the reality is that in today’s workplace, employees are seldom tied to one desk and one computer 8 hours a day. The modern workforce is required to be increasingly mobile and often works out of home offices, hotels or anywhere an internet connection is available. The key to data security is effective management of these connections and proactive security countermeasures. Who is allowed access to which forms of data? How can that data be downloaded or transferred? What devices will be approved for data storage and how will they be protected from loss or theft?
A major health care facility in Memphis, Tennessee discovered that in an effort to efficiently store data, employees took it upon themselves to buy and use removable storage drives. The employees had good intentions but HIPAA requirements and best practices guidelines made this a potentially risky situation. Corporate IT managers stepped in and offered an option: the use of company-issued encrypted drives that could be monitored and were only available to certain staff members. Policies were established that dictated which employees could use portable storage and communications devices as well as the specific devices that would be approved for use on the corporate network; seamless encryption of the device made this procedure safer and productive.
Educating workers as to the relevance and necessity of information security guidelines is also a key part of policy implementation. As many corporate security breaches result from carelessness, alerting staff to the potentially damaging effects of seemingly benign actions, such as taking home an unfinished project stored on a thumb drive, can significantly reduce the risk of data loss.
The final component in securing corporate endpoints is policy enforcement. While management may like to believe that policies are being followed simply because they exist, that is generally not the case. IT administrators must set up a process for monitoring policy violations either through physical observance or using technological tools. Banning iPods from the workplace is a policy that can be enforced through simple observation; however, restricting the use of USB thumb drives may require electronic monitoring via software tools. There are several tools on the market today that can be centrally managed and integrate with existing network infrastructure such as Active Directory. These solutions can be used as part of an end-to-end solution suite or as a stand-alone monitoring and enforcement tool. Once these solutions are in place, IT staff can see who is attempting unauthorized access and can pass the information along to departmental management or human resources.
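The three steps above (inventory who is using which devices and when, define which staff may use which approved drives, then monitor for violations) can be sketched in a few lines. This is an added example, not from the original article or any vendor product; the CSV column layout, device class names, user names, drive serials and policy structure are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory export (timestamp, user, host, device class, serial).
# The column layout is an assumption; real discovery tools use their own formats.
SAMPLE_EVENTS = """\
2007-03-01T09:12:00,asmith,WS-014,usb-storage,ENC-0001
2007-03-01T17:48:00,bjones,WS-022,usb-storage,UNKNOWN-77F2
2007-03-02T08:05:00,asmith,LT-103,usb-storage,ENC-0001
2007-03-02T12:30:00,cwu,WS-031,cd-dvd-writer,-
2007-03-03T10:15:00,bjones,WS-022,usb-storage,ENC-0002
"""

# Hypothetical policy: device classes that are banned outright, and the
# company-issued encrypted drives with the staff allowed to use each one.
POLICY = {
    "blocked_classes": {"cd-dvd-writer"},
    "approved_drives": {"ENC-0001": {"asmith"}, "ENC-0002": {"cwu"}},
}

def evaluate(event, policy):
    """Return None if the event complies, otherwise a short violation reason."""
    if event["device_class"] in policy["blocked_classes"]:
        return "device class not permitted"
    if event["device_class"] != "usb-storage":
        return "device class not covered by policy"  # fail closed on unknowns
    allowed_users = policy["approved_drives"].get(event["serial"])
    if allowed_users is None:
        return "drive is not a company-issued encrypted drive"
    if event["user"] not in allowed_users:
        return "user not authorized for this drive"
    return None

def audit(raw_csv, policy):
    """Build the who/which/when usage report and the list of violations."""
    fields = ["timestamp", "user", "host", "device_class", "serial"]
    usage = defaultdict(list)  # user -> [(timestamp, host, class, serial)]
    violations = []
    for event in csv.DictReader(io.StringIO(raw_csv), fieldnames=fields):
        usage[event["user"]].append(tuple(event[f] for f in fields if f != "user"))
        reason = evaluate(event, policy)
        if reason:
            violations.append((event["timestamp"], event["user"], event["host"], reason))
    return dict(usage), violations

if __name__ == "__main__":
    for row in audit(SAMPLE_EVENTS, POLICY)[1]:
        print("VIOLATION", *row)
```

Note that the last constructed event involves an approved encrypted drive in the hands of a user it was not issued to, which a serial-only allowlist would miss.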
While endpoint security has traditionally been ignored in the press, high-profile data security breaches over the last year or so have put it front and center. A firewall will not protect data stored on a lost USB drive and anti-virus software cannot keep an employee from walking out the door with a CD containing sensitive financial data. The enemy of corporate assets is not necessarily outside the perimeter but within. But the good news is that not only can data security risks be reduced by controlling corporate endpoints but in many cases the threats can be eliminated by increasing security awareness, developing robust corporate policies and utilizing comprehensive and proactive tools for enforcement.
About the Author:
Hay Hazama is Vice President of Research and Development for Safend.