Security Basics mailing list archives

RE: Physical Security & Protecting Information


From: "Filip Maertens" <filip () securax be>
Date: Fri, 14 Mar 2003 14:04:03 +0100

Hi Discipulus,


You are making a very good point here.  While the media is focussing on
worms, defacements and blackhat activity; security professionals and
corporate management should worry about rogue members and disgruntled
employees in their organization handling confidential information.

What can be done to keep this type of potential compromise from 
happening?  From my perspective, even if you have armed  

<sidenote>You can't keep knowledgeable and bold people from getting
information they aren't supposed to.  And we sure can't prevent
employees from taking information they are supposed to work with, and
selling it to the competition or using it to their advantage. </sidenote>

Physical security controls, security awareness, policies and an
appropriate and stimulating working environment can highly reduce the
occurrence of physical information leakages by disgruntled employees.  

I strongly believe that sound security awareness practices, policies and
a positive working environment are crucial.  Physical security is
PRIMARILY targeting intruders and controlling the risk connected with
activities that might impair the security of the information due to
physical attacks from non-employees.

The corporate security should be made everyone's responsibility (e.g.
clear desk,...). For example, in a situation like you presented, no
external CD-ROMs should be allowed in the first place.  In addition, a
close auditing record of WHO is using HOW many CD-ROMs should be
maintained.  On these terms, a manager can then make the subject aware
he is violating the company security policies.  How things are handled
from there on is up to the policies and professional judgement of the
security officer in charge, possible agreements and generic incident
handling.  

What you do not want to happen is "people ratting each other out to
management".  If this is starting to happen, you can be pretty darn
sure, the once positive working environment will be torn to shreds under
the weight of vengeance, retaliation, ...  That's why implementing and
enforcing security policies is very much necessary; company-wide!  

You do not want to give the subject a bad feeling, or make him feel like
the scapegoat of the team.  Dealing with information incidents should be
made part of the overall routine, and be served as daily bread to the
entire company.

** Adding bonuses to people who act as deputy-security officers for
tracing potential untrustworthy personnel is a -very- (very) bad thing
to do.

While this is all very clear in our textbooks and audit plans, the
objective we want to reach when dealing with human interfaces,
maintaining security while handling their trust and protecting their
privacy still is a tricky adventure in real world scenarios, and might
turn out very ugly if not handled by experienced security officers and a
very security aware management and personnel.  And this is an even bigger
challenge when dealing with international organizations (e.g. varying
legalities)!

As security officers, we are less trained in the field of Psychology and
Law.  I, therefore, strongly recommend teaming up with the HR (and
legal) dept. when validating and finalizing policies, team sessions and
security awareness trainings.


smaller.  Are there ways to keep someone from getting the information 
in the first place or at least record what they've obtained?  How
do you do this when they haven't yet provided notice they are
leaving and still have access to loads of confidential information?

Working with employees is primarily based on a trust relationship and
access controls (e.g. RBAC) should be deployed based on proper data
classification procedures and the according organizational level of
employment (e.g. clerk, manager, junior staff, director, ...).  A strict
need-to-know approach should be used.  Sometimes this is a burden for
many large organizations, and this principle goes right out of the
window, in spite of added security.  

IMHO, this is the root of the problem you laid out: finding the
correct balance between security and workability/functionality, while
dealing with "human interfaces", and making sure you are not violating
their privacy and fundamental rights (both under governmental and
corporate protection).

Each operating system can handle access control lists (e.g. Microsoft
Windows, SUN Solaris,...) that fits your corporate needs, and includes
the appropriate logging facilities.  One way I might come to think of in
tracing suspicious behaviour is to cross-check file access times/dates
and user-id with time-trackers or time-sheets employees are supposed to
fill out when working on projects.  Ideally this will lead to: "Hey, why
is Mr. Smith from Sales accessing folders he isn't supposed to be
working on any more?"

Please, keep in mind this posting is only trying to give you an
indication that dealing with security on this level is a very complex
matter, taking many factors into account for being able to provide for an
acceptable risk level.  

On a technical level, many authentication (AAA) means are possible,
ranging from biometrics, over TACACS+, SSO to regular two-way
authentication presented on a default Windows NT/2000/XP logon
workstation, including extensive means of logging.  We haven't discussed
host based intrusion detection systems yet, nor did we discuss many
other items in depth when dealing with this...

... so ...  Anyone?




Regards,

Fil

--
Filip Maertens (CISSP)
http://www.compsec.be
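
The cross-check of file access records against time-sheets suggested in the message above, sketched as an added example that is not part of the original post. The log line format, folder-to-project mapping, user names and the 7-day grace window are assumptions constructed for illustration; real audit logs from Windows or Solaris would need their own parser.

```python
from datetime import date, datetime, timedelta

# Constructed sample data; the folder layout, log format and names are assumptions.
PROJECT_ROOTS = {"/srv/projects/apollo/": "apollo", "/srv/projects/hermes/": "hermes"}
TIMESHEETS = [  # (user, project, day booked)
    ("smith", "apollo", date(2003, 2, 3)),
    ("smith", "apollo", date(2003, 2, 4)),
    ("smith", "hermes", date(2003, 3, 10)),
    ("jones", "apollo", date(2003, 3, 10)),
]
ACCESS_LOG = [  # "<ISO timestamp> <user> <action> <path>"
    "2003-03-10T09:12:44 smith READ /srv/projects/hermes/plan.doc",
    "2003-03-10T18:47:02 smith READ /srv/projects/apollo/pricing.xls",
    "2003-03-10T10:01:15 jones READ /srv/projects/apollo/pricing.xls",
    "2003-03-11T08:30:00 jones READ /srv/projects/hermes/plan.doc",
    "2003-03-11T08:31:00 jones READ /home/jones/notes.txt",
    "truncated line",
]

def project_for(path):
    """Return the project owning a path, or None for unclassified locations."""
    for root, project in PROJECT_ROOTS.items():
        if path.startswith(root):
            return project
    return None

def flag_accesses(log_lines, timesheets, grace_days=7):
    """List accesses to project folders with no time-sheet booking by that
    user for that project in the grace_days up to and including the access."""
    booked = {}
    for user, project, day in timesheets:
        booked.setdefault((user, project), set()).add(day)
    findings = []
    for line in log_lines:
        try:
            stamp, user, _action, path = line.split(None, 3)
            when = datetime.fromisoformat(stamp).date()
        except ValueError:          # malformed record: skip, do not crash the run
            continue
        project = project_for(path)
        if project is None:         # outside the classified project folders
            continue
        days = booked.get((user, project), set())
        window_start = when - timedelta(days=grace_days)
        if any(window_start <= d <= when for d in days):
            continue                # access matches recent booked work
        reason = "stale booking" if days else "never booked"
        findings.append((user, project, path, str(when), reason))
    return findings
```

The "stale booking" result is the "not working on it any more" case from the message; "never booked" covers access to a project the user has no recorded involvement with.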

