Security Basics mailing list archives

RE: Physical Security & Protecting Information


From: "Mike Heitz" <mikeheitz () upshotmail com>
Date: Mon, 17 Mar 2003 09:05:11 -0600

In a situation like you are describing, it would be very difficult to
stop this behavior unless Mary steps forward and reports it. I've worked
in a few Fortune 500 data centers, and could have easily strolled out
with any number of CDs or tapes filled with vital company information.
Even if a company has set security rules in place regarding taking
physical items (CD, tape, paperwork) out of the office, they still have to
be enforced.

I would think that if someone has access to the information in some way,
if they want to get it out of the building they will find a way. I'm not
sure there is a sure-fire method anyone has come up with to combat that.

mike heitz ** sr it manager ** UPSHOT
312-943-0900 x5190

-----Original Message-----
From: discipulus [mailto:discipulus () attbi com] 
Sent: Wednesday, March 12, 2003 9:14 PM
To: security-basics () securityfocus com
Subject: Physical Security & Protecting Information

Hi, 
 
I've read a lot of posts on this list and others and a good deal of 
security related articles on this site and others like
http://www.sans.org and http://www.cert.org. Most of what I have read
focuses on network 
and/or computer security but I haven't found very much information that 
focuses on physical security, specifically in the area of protecting 
confidential proprietary company information. 
 
Here's a scenario that should clarify what I'm trying to explain: 
 
Bob who works as a developer for StealOurStuff inc. tells Mary in 
the next cube that he's had a job offer from a competitor, plans to 
quit soon but hasn't told anybody.  In the afternoon the following day, 
Mary notices Bob loading up a box with CDs, floppies and other media, 
including reams of documentation.  She also notices Bob loading this 
box into the trunk of his car at the end of the day. 
 
What can be done to keep this type of potential compromise from 
happening?  From my perspective, even if you have armed  
security guards that check bags & boxes going in and out of a 
building, people can still find creative or not so creative ways to 
get it out.  A standard CD isn't that big and flash cards are even 
smaller.  Are there ways to keep someone from getting the information 
in the first place or at least record what they've obtained?  How
do you do this when they haven't yet provided notice they are
leaving and still have access to loads of confidential information?
 
I've read about corporate espionage cases where a perpetrator 
at one company busts into the network of another company and 
stumbles into a directory named "Proposals" of all things, but 
employees who walk out the front doors carrying protected information 
seem just as damaging or more so to me.

Any insight would be appreciated.

Thanks

