RE: Physical Security & Protecting Information

["Duston Sickler" <dustons () abswebb net>]

I have seen some of these products.  I believe Adobe will do this as
well.  I have not however, rant into a software package that can prevent
screen shots from being taken.

Duston Sickler
Abacus Business System, Inc.
http://www.abswebb.net

-----Original Message-----
From: ullmic6 () web de [mailto:ullmic6 () web de] 
Sent: Monday, March 17, 2003 12:23 PM
To: security-basics () securityfocus com
Subject: Re: Physical Security & Protecting Information


Today at the Cebit I saw a product by a company called airzip called
document secure that let's you contol the access rights on a document
level. You can allow a person to only view a document. The person then
will not be possible to print it or save it somewhere if you don't allow
it. The product basically creates a wrapper around the doc that stores
this info. If you have extremly sensitive information you might use a
tool like this to prevent this documents to be walked out of your
systems on disk, USB sticks or paper.



On Fri, 2003-03-14 at 01:17, Philip Storry wrote:
> Hello discipulus,
>
> Thursday, March 13, 2003, 3:13:44 AM, you wrote:
>
> d> I've read about corporate espionage cases where a perpetrator at 
> d> one company busts into the network of another company and stumbles 
> d> into a directory named "Proposals" of all things but employees who 
> d> walk out the front doors carrying protected information seems just 
> d> as damaging or more so to me.
>
> There's not much that you can practically do here, I think.
>
> The problem is that although there are many good technical and 
> procedural methods of ensuring that only authorised people have access

> to your systems - and therefore your information - there are few 
> technical or procedural things you can (realistically) do to control 
> what those authorised people do with the information they have access 
> to.
>
> Content security systems (like Mimesweeper) can check outbound emails,

> and block anything that contains project codenames. But that won't 
> stop someone printing it out and putting the paper in their briefcase.
>
> Because this is such a low-tech crime, you're left with policy and 
> procedure as your only tools.
>
> You should consider making it policy that information does not leave 
> your sites, without written permission from a senior person. This will

> cause trouble for those that telework, however. You could also brief 
> security staff on what to look for - keep them appraised of new 
> storage media (like those nifty USB pen drives), and give them the 
> authority to do random stop and search jobs.
>
> Make sure that all emails and documents have - by policy - a 
> boilerplate on them saying who owns that intellectual property. Tacky,

> but it might be useful in a court of law - and it reminds employees of

> the stark reality.
>
> All of these safeguards (except boilerplating, which could be enforced

> via templates etc.) are the sort of things people get complacent on 
> very quickly, because they stand in the way of people working. Within 
> six months of implementing them, senior people will be signing off 
> that John Smith can take home "anything relating to projects X, Y and 
> Z" simply because they don't want to sign it off three times - even 
> though John Smith doesn't actually work on Y and Z.
>
> So really, the only defence against this is contractual. All employees

> must sign an NDA, stating that they will not divulge proprietary 
> intellectual property. Make them sign it, and understand why they are 
> signing it. Don't make it too draconian - you don't need the ability 
> to search their home, for instance. (That's what law enforcement 
> agencies are for.) But you should make it clear that if they steal, 
> they'll be sued. Having to spend that pay rise you got when switching 
> jobs on legal fees is not an attractive proposition.
>
>
> Finally, it should be pointed out that many companies won't actually 
> accept stolen IP, because it's a legal minefield. But NDA's make it 
> difficult for both the person acting as a conduit as well as the 
> ultimate recipient, and may make employees who were only casually 
> thinking about it think twice.
>
> Nothing, however, will stop the determined person who's miffed at the 
> company and leaving for a competitor. Nothing except the competitor's 
> honesty and their own legal team's advice, anyway. :-)
>
> --
> Best regards,
>  Philip                            mailto:phil () philipstorry net