The Spy Who Flubbed Me: Intranet Security Begins with Education

back to portfolio

---

There are a lot of Hollywood spy movies that would have you believe that organizations are easily—and usually with a brilliant display of hand-to-hand combat—infiltrated by some shadowy cabal hellbent on taking the whole operation down from the inside.

Call them whatever you like—moles, sleepers, double agents, intelligence operatives—because it doesn't really matter; they're all part of the same diabolical conspiracy to steal your secrets with a tiny camera hidden in their bow ties.

While watching an elite team of secret agents storm a heavily guarded compound makes for great entertainment, confidential corporate information can also be compromised by carelessness or human error. And as much attention as we pay to the technology used to secure an intranet and its information, the weakest security link is actually the people your intranet is meant to support.

How do you prevent your organization's intellectual property from accidentally falling into the wrong hands after spending all those hours building a security infrastructure? It all begins with education.

Security and Its Impact

Applications and systems that drive vital processes are often referred to as "mission critical." But the most mission critical component of any organization—whether a private business, government institution or the military—is information. Everything else exists primarily in support of it.

According to the ASIS International report "Trends in Proprietary Information Loss"—a survey sponsored by PricewaterhouseCoopers, the U.S. Chamber of Commerce, and the ASIS Foundation—70 percent of a typical U.S. company's market value comes from its intellectual property.

The report indicates that, while approximately three-fourths of the respondents stated that information was vital to their company's success, only 55 percent were concerned about information loss and were actively taking the necessary precautions to safeguard their intellectual property.

But despite the importance of information, many companies don't assign a value to their intellectual property until litigation. And to compound this issue, employees are rarely taught how to handle the information that's entrusted to them with proper care and discretion. This poses a giant threat that can't be addressed through normal technological means.

Unfortunately, the value of information is often overlooked because it's intangible and somewhat difficult to quantify. However, as a mission critical component of your operation, information needs to be secured with the same vigor as the hardware and software managing it—even more so. It needs to be protected, not only from internal employees who aren't supposed to have access to it, but especially from those who would be more than happy to throw a monkey wrench into your operation by using the ill-gotten information against you or by selling your trade secrets to rivals seeking to gain a competitive advantage.

The Trends in Proprietary Information Loss report suggests that, among the survey participants, the losses of proprietary information and intellectual property fall within the range of $53 to $59 billion, citing the most common areas of risk as:

• Research and development
• Customer information
• Financial information
• Strategic plans

Security Through Education

Organization that address issues of security often do so at a very high level, thinking of all the worst-case scenarios. But while they're busy trying to fortify their compound from a rocket attack, they fail to notice the tiny gopher tunneling its way into the sub-basement on its way to the carrot farm.

Network servers can be hardened by setting up a demilitarized zone, or DMZ, to protect internal, private networks from being accessed by external users while access control lists (ACLs) and user authentication are used to identify privileged users and the resources to which they should have access.

Although these are important measures that need to be taken to ensure the integrity of your information, none of them will prevent well-meaning users from printing a confidential document, throwing it into their briefcase and carrying it out with them for an evening of work at the home office.

A thorough security infrastructure needs to include more than just technology; it must combine technology with employee education and a formal security policy dealing with proper conduct and the handling of sensitive information.

There are many vendor-neutral Web sites that you can reference to further your understanding of computer and information security:

• ASIS International Online
• CERT Coordination Center
• Computer Security Institute (CSI)
• iNFOSYSSEC
• SANS Institute
• SecurityFocus
• secureroot

Tips on Safeguarding Intellectual Property

The more familiar your employees are with the secure nature of the information around them and how to properly handle it—at the workplace, at home and while traveling—the more likely it will be to reduce or eliminate the possibility of accidental leaks due to carelessness.

Here are 10 tips that every organization and its employees should know about safeguarding intellectual property:

1. Formal request procedure: Permissions should never be assigned on an ad hoc basis. Access to confidential information needs to be granted through a formal request procedure, authorized by the requesting person's superiors, and managed by a single group. A formal request procedure allows you to maintain a valid audit trail; and while this formality may not be necessary for very small organizations, it's vital for mid- to large-scale organizations.
2. Base access on need-to-know: Just because two users are from the same department doesn't automatically mean they should have the same permissions. Access to secure information should be granted on an individual, need-to-know basis—not by a whole department. And the more secure the information, the truer this is.
3. Never transmit unencrypted information: Users need to be aware of how unsafe it really is to send information through an unencrypted medium such as e-mail or an open fax line. If information must be sent by e-mail, you need to ensure that it won't be intercepted or modified by encrypting the message. One of the more widely used methods to do this is public/private key encryption (also know as asymmetric encryption).
4. Never leave printouts in plain view: When printing sensitive information, always retrieve it from the printer immediately. Users who print large amounts of documents have a tendency to leave a stack of paper lying at the printer. And this is especially the case when the printer is not in close proximity to the person doing the printing such shared network printers.
5. Secure your copies: It's sometimes necessary to make copies of documents—such as when shipping information that's too big to send by e-mail to clients or remote employees—onto CD-ROM, diskette, or flash media. These data storage mediums need to be packaged and shipped in a secure manner and treated with the same discretion as internal data. And the recipients of this information must abide by the same rules regarding proper handling.
6. Lock PCs with a password: PCs that have been logged into the network should never be left unattended without locking it with a password.
7. Information lifecycle: When confidential information is no longer needed it should be destroyed or archived in a secure facility.
8. Beware of social engineering: Unlike hackers who try to crack computer systems and networks with technology and stealth, social engineering is based on human interaction—the IT equivalent of the "fast con." A potential intruder uses basic psychology and double talk to try to get users to divulge personal and/or confidential information. A typical example of a social engineering routine is a hacker who calls an unsuspecting user pretending to be from IT. He will claim that there's something wrong with the network in that part of the building and, after a series of benign questions, will slip in with the "kill question"—usually, "Oh, and by the way, just so we can update our records, what's your log-on password again?"
9. Loose lips sink ships: Care must be taken when discussing internal matters in public where conversations can be easily overheard.
10. Password management: The issue of passwords is discussed below.

Tips for Password Management

One of the most difficult habits I've tried to help users overcome is the selection and handling of their passwords. Regardless of all my efforts at convincing them that they should choose passwords that can't be easily guessed, they still insist on "Fluffy" or "Rover."

Here are some password tips to keep in mind:

• Avoid using the same password for more than one account, service or resource.
• Passwords should contain at least five mixed characters—a combination of uppercase letters, lowercase letters, numbers and special characters.
• Never use plain English words as passwords in order to avoid "dictionary attacks"—hackers using programs that cycle through all words in a dictionary to guess a user password. If you do select a plain English word, consider splitting it up with a number.
• Avoid picking easily guessable passwords that represent items found near your work area, names of family members or pets, birthdays or telephone numbers.
• Passwords should be changed every few months.
• Never write your password down, but if you must, keep it locked away in a safe place.
• Privileged users with access to confidential information should never share their user ID's and passwords with non-privileged users.

Conclusion

Security should always be considered a preventative measure rather than a reactive one. All it takes is for one incident to open people's eyes, but by then the damage would have already been done.

This need to secure company information has been further highlighted by the increased prevalence of Digital Rights Management (DRM) software—tools that enable content owners to control who can access, duplicate, and distribute information. In fact, Microsoft Office 2003 has even included DRM functionality in its new suite.

But regardless of the tools and methodology you decide to implement, the extent of your security measures should reflect the type of information you own and is highly dependent on the level of security required by the organization. Many employers require their employees to sign Non-Disclosure Agreements (NDA) or, in the case of many government and military facilities, to obtain a NATO Clearance Level.

The biggest lesson you need to take away from this is that security involves more than just hardware and software; it involves educating users about the value of information because it may very well be Inspector Clouseau, not James Bond, who brings down the organization.

---

Copyright © 2003 Paul Chin. All rights reserved.
Reproduction of this article in whole or part in any form without prior written permission of Paul Chin is prohibited.