To USB Or Not To USB

A US agency announced that they were going to give USB drives to its employees in order to mitigate against the risk of data loss and eliminated the use of unsanctioned USB storage. The USB keys have encryption and are password protected - so it all looks good. However, they seem to have missed out on a number of important issues… unless they have additional software based management in place then there is nothing to stop people from using their own devices. USB keys are frequently mislaid (which is why data loss is an issue) however, most people have more than one - ‘just in case’. Not all data is equal (when it comes to data loss) and so there needs to be policy based on content. If the information is sensitive, then it should be encrypted, if it isn’t then perhaps it doesn’t need to be encrypted. USB keys are most often used for transferring benign information such as presentations - by encrypting it and making it harder to share, people will look to at other ways to transfer the information.

The idea of company issued USB flash drives is not a new one - but remember to think through what people actually use them for rather than assuming it is always for sensitive information.

March 26, 2008 | Filed Under IT equipment, data-loss, security | Leave a Comment 

But It Has To Be Fixed

It was reported in the news that a CD marked ‘Home Office’ and ‘Private and Confidential’ was found behind a keyboard when a system was taken to be repaired. The data was encrypted but it raises an interesting problem: How should you fix systems which contain sensitive data? Sensitive here doesn’t just mean customer information (although that is obviously important) it also means intellectual property as well.

If repairs can be done on-site, then that is obviously the best way as the data will not wander off. However if a system has to be taken away for repair then there is a possibility of data-loss. A new process or procedure may need to be developed and put into operation.

What is the data on the system, does it contain sensitive information, if so, then how will you protect it when it is offsite? If the failure is not a hard drive then perhaps that can be removed and stored safely on-site while the system is repaired. Alternatively, perhaps the disk needs to be completely erased (and the OS re-installed) before it goes away - this would need to be done in another system as the original one is broken. (It’s all backed up… isn’t it?!?!)

If it is the hard disk that has failed and perhaps it is going to a data recovery service then ask a few questions - how will the drive be looked after when it is offsite, is the data encrypted, does it matter if it goes missing? what would happen if it was lost while out of your control?

March 10, 2008 | Filed Under IT equipment, data-loss | Leave a Comment 

It’s all in the copier

Following on from a previous post, I wondered how many people had thought of the lowly photocopier as a source of data and therefore at risk of data-loss? New, well not that new, photocopiers have hard disks to cache information before it’s printed along with network access - so? Now let’s just think what might be on those disks, let’s say the photocopier is at quarter or year end. and its on the executive floor or even just a sales floor. While many things are sent by email, more often than not board papers, sales numbers and last minute deals are all printed out for use in meetings or FAX’ing to customers. So, all this information will therefore be on the hard disk - now. what if a person wearing the appropriate uniform came in to ‘fix’ the system or perhaps just to service it and swapped out the hard disks. It sounds a little far fetched, but it has happened - and enough for copier (and printer) manufacturers to begin offering encryption on the hard disks in their systems.When looking for sources of data loss, it pays to think out-of-the-box - the data might be in more places than you first imagined.

February 27, 2008 | Filed Under IT equipment, data-loss, security | Leave a Comment 

I work here, honest guv!

It was reported that a ‘fake’ clerk has been stealing iPod’s from a particular US supermarket chain. How can this happen? The answer is: very easily. He would wear the correct uniform and then act like he worked there - and finally just walk out the door with the stock. While it may seem funny that such a thing can happen I wonder how easy it would be to do the same thing at your place of work? Social engineering is one area where we currently don’t do enough to prevent such attacks. Many companies have name badges, but home many times have you challenged someone whose badge you cannot see? Or, how often have you been challenged when your’s is not visible? I would think it is not many - or even any.
Perhaps it is time to change and becoming a little more enquiring as to who people are - especially if they are carrying IT equipment out of the office?

February 27, 2008 | Filed Under IT equipment, security | 1 Comment