Solved

outbound content compliance

Posted on 2006-11-09
14
264 Views
Last Modified: 2010-04-11
I am building a system which prohibits certain files from leaving the building. Looking for options. Auditing will be turned on, but it does not prevent this stuff. We are looking at:
CDs but no CD burners
read-only memory card readers?
email attachment blocking.

How to keep your private files from being emailed or copied out to the world when the employees are at work?
0
Question by:carl_legere
14 Comments
 
LVL 34

Accepted Solution

by:
PsiCop earned 200 total points
ID: 17910850
You don't.

This is NOT a technology problem. This is a personnel and policy issue.

Say you put this system in place, and HR says "No one should be mailing out the file named SALARIES." and you put in some filter that looks for an E-Mail with an attachment named "SALARIES".

So Jane renames the file "MyWork" and sends it out. Ooops.

Or Bob puts the file into an encrypted archive named SECURE. Even if you have a content scanner, it won't be able to examine the content, it's encrypted.

How about floppies? Parallel-port hard drives? Printed paper?

If you have so little trust in your employees, then perhaps they shouldn't be working for you.
0
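PsiCop's two failure cases (the renamed file and the encrypted archive) are easy to reproduce in code. The following is an added example, not from the original thread: a filename-only filter beside a content filter that scans for the keyword and quarantines anything it cannot read (high-entropy, i.e. encrypted or compressed payloads) instead of silently allowing it. The sample attachments and the entropy threshold are constructed assumptions.

```python
import math
import random

# Constructed sample attachments standing in for the thread's scenarios.
PLAINTEXT = (b"SALARIES 2006\nJane,72000\nBob,65000\n") * 40
_rng = random.Random(1)
# Stands in for Bob's encrypted "SECURE" archive: uniform random bytes.
ENCRYPTED_ARCHIVE = bytes(_rng.getrandbits(8) for _ in range(4096))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def name_filter(filename: str, blocked=("SALARIES",)) -> str:
    """The filename-only filter from the thread; renaming the file defeats it."""
    stem = filename.rsplit(".", 1)[0].upper()
    return "block" if stem in blocked else "allow"


def content_filter(data: bytes, keywords=(b"SALARIES",), entropy_limit=7.5) -> str:
    """Inspect the bytes, not the name. Content the scanner cannot read
    (high entropy) is quarantined for a human decision, not allowed."""
    upper = data.upper()
    if any(k in upper for k in keywords):
        return "block"
    if shannon_entropy(data) > entropy_limit:
        return "quarantine"
    return "allow"


def evaluate(filename: str, data: bytes) -> dict:
    """Run both filters so the difference in outcome is visible side by side."""
    return {"name_filter": name_filter(filename), "content_filter": content_filter(data)}


if __name__ == "__main__":
    samples = [("SALARIES.xls", PLAINTEXT),      # what the HR rule targets
               ("MyWork.xls", PLAINTEXT),        # Jane's renamed copy
               ("SECURE.zip", ENCRYPTED_ARCHIVE)]  # Bob's encrypted archive
    for name, payload in samples:
        print(name, evaluate(name, payload))
```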
 
LVL 18

Author Comment

by:carl_legere
ID: 17911118
This may sound hypocritical because I have answered EE questions with "you don't" before, but that is not the answer I'm looking for. I am nearing the end of a costly, two-year struggle suing an expat that stole files by a variety of techniques. The value of forensic evidence and audit trails is high, but I would prefer to spend resources on eliminating the risk.

With new compliance requirements, there are many ways to achieve this; I'm simply soliciting information from people who may have been down this road before.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 17911139
Well, I *have* been down this road before. I've implemented E-Mail security for a government agency with specific legislated info security requirements.

There are many software products that *claim* to achieve this, yes. But the facts, not the marketing fluff, are that this gets very expensive very quickly, and there is no such thing as absolute protection. If someone wants to smuggle your company info out, and you're not prepared to take measures like the CIA takes with Langley or the NSA takes with Fort Meade, then your money is probably better spent elsewhere.
0
 
LVL 4

Assisted Solution

by:LBACIS
LBACIS earned 100 total points
ID: 17914600
I accomplish this by using a WatchGuard appliance with the SMTP proxy.
0
 
LVL 2

Assisted Solution

by:mploschiavo
mploschiavo earned 50 total points
ID: 17921348
I have to agree with PsiCop. The fact is there are going to be many ways to get around this.

If email is enabled and attachment blocking is enabled, how does that stop a user from using their own web-based email and attaching the files there?

What about the situation where a user brings in a USB CD writer or USB key?

Even let's say that you block the email sites for all users and disable attachments in Outlook; what stops the user from using all the possible other protocols?

If you are really concerned about this issue, disable the USB ports on the machines, and disconnect the network from the internet. In the event a user could transmit data via radio or a cellular connection, your building needs to have sufficient insulation and interference so that these methods do not work either. While you are at it, turn off all the electricity to the computers and buildings; this makes it extremely difficult to send files.

With that said, even the NSA has had data stolen. The only real solution is that you have a policy.
0
 
LVL 8

Assisted Solution

by:ViRoy
ViRoy earned 50 total points
ID: 17926889
Just put cameras above each person's workstation.
I guarantee a lot of your problems will be solved LOL
0
 
LVL 18

Author Comment

by:carl_legere
ID: 17927374
Of course there is a policy. Problem is you just can't fire these particular people; they are independent contractors.

Our search was inspired by PGP Desktop's NetShare application. It encrypts folders (a good thing) but you have to enter the passphrase to open the folder, which means that if they email themselves the file they will know the passphrase. So we need a way for them to have their PC know the passphrase without the end user knowing it. If they email themselves the file, it is just encrypted gibberish.

I might be close with this solution:
http://www.safenet-inc.com/

They offer three-factor authentication to encrypted files.
1. the password
2. usb keyfob which talks to the workstation software and allows access to files
3. PKI with a local server running

$1300

Now if they get the files AND the USB keyfob and the software that runs it all, they cannot decrypt the file because they are missing #3.

If they have #2 and #3 they can't read another user's file.

If they have #1 and #3, ha ha

If they email themselves the file they are still missing #3
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 17927445
File-Save As ?

File-Print ?

You can fire contractors and you can hold them personally liable for their actions.
0
 
LVL 8

Assisted Solution

by:jako
jako earned 50 total points
ID: 17931726
Hey, Carl.

Even if you manage to lock down absolutely EVERYTHING, the contractors have to have a working HCI output device (a monitor) to use the documents you're trying to prevent them from copying, right?

Well, now imagine a rogue contractor taking a lot of screen shots :D OK. Let's say, you've foreseen this and have been able to disable the feature in the workstation. Still, he/she might take them with a cellphone camera that is so common nowadays and tiny enough to easily pass the full body cavity search :P

What you need is a public execution! A fake one, if it can be pulled off. Hire somebody just for the sake of example to make it clear for everyone how painful it can be to cross the line. Otherwise your work environment will soon resemble the sci-fi movies where humans are x-ray photographed every time they arrive at work and their memories erased every time they leave the site.
0
 
LVL 18

Author Comment

by:carl_legere
ID: 17933414
Come on guys. I am an intelligent person; I have over 500000 points on this system. I know coming into this that it is an almost ridiculous question. But alas, I am asking for suggestions.

Looking at data is not prohibited; printing is not prohibited because it will be logged and audited. What we endeavor to stop is sending large amounts of raw data home or elsewhere.

Why is there a line in the sand drawn at "prohibit large amounts of data"?
If they print the records out and take them home of their own work, they would amass a database of about 300 records per year. For them to have access to this much data is acceptable.
If they access other people's data (which because of this operation cannot be prohibited, just tracked) and they printed another user's 300 records per year, we would know they were up to something.

They would need at minimum to steal 1000 records to begin being a risk or hit the 'radar' that they are up to no good. It would be very easy to grab 1000 records and send them home if we don't plug that hole via the raw database. IF they printed finished reports (1000 of them) we would know by the tracking system and do something about it. We merely endeavor to prohibit a mass leak of data. And any leak of pure electronic transfer is to be avoided. If they print it, that is OK. If they screenshot it or cellphone-camera it, we believe this to be of minimal risk because of the amount of effort involved.

0
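The thresholds carl_legere lays out above (about 300 of a contractor's own records per year is normal, 300 of another user's records means something is up, and 1000 records is the mass-leak line) can be turned into a review over the tracking system's audit trail. This is an added example, not from the thread or any product named in it: the event format, the constructed sample events and the threshold parameters are assumptions; the numbers are the ones given in the post.

```python
from collections import defaultdict

# Constructed audit events (user, record_owner, record_id, year), one per
# record viewed or printed, as a tracking system would log them. Not real data.
def make_events():
    events = []
    events += [("alice", "alice", f"A{i}", 2006) for i in range(280)]   # own work, within budget
    events += [("bob", "bob", f"B{i}", 2006) for i in range(250)]       # own work
    events += [("bob", "alice", f"A{i}", 2006) for i in range(320)]     # another user's records
    events += [("carol", "carol", f"C{i}", 2006) for i in range(1100)]  # bulk pull, mass-leak line
    return events


def review_audit(events, foreign_threshold=300, mass_threshold=1000):
    """Per (user, year), count distinct own and foreign records touched and
    apply the thread's two lines: roughly 300 other users' records per year
    is suspicious on its own, and 1000 records in total is the mass-leak line.
    Returns {(user, year): [reasons]} for the users that crossed a line."""
    own = defaultdict(set)
    foreign = defaultdict(set)
    for user, owner, record_id, year in events:
        bucket = own if owner == user else foreign
        bucket[(user, year)].add(record_id)

    findings = {}
    for key in sorted(set(own) | set(foreign)):
        n_own, n_foreign = len(own[key]), len(foreign[key])
        reasons = []
        if n_foreign >= foreign_threshold:
            reasons.append(f"{n_foreign} records belonging to other users")
        if n_own + n_foreign >= mass_threshold:
            reasons.append(f"{n_own + n_foreign} records in total")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (user, year), reasons in review_audit(make_events()).items():
        print(f"{user} ({year}): " + "; ".join(reasons))
```

Distinct record ids are counted so that re-printing the same report does not inflate a contractor's total; adjust the grouping key if the audit trail records the date rather than the year.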
 
LVL 5

Assisted Solution

by:trarthur
trarthur earned 50 total points
ID: 17934048
You could review your audit trails for the contractors, and every couple of days, have a nice chit-chat with them about their activities.
That won't keep them from using technology to get information out of the building, but it will tell them that you are watching them very closely.

Like everyone else has said, things have a way of leaving. Everyone's junk drawer at their home probably has a few pens, pencils, post-it notes and paper clips that were bought by their employer. But if you have the resources to monitor the supply closet, you can corner Bob and ask why he needs a new pen twice a week.
0
 
LVL 18

Author Comment

by:carl_legere
ID: 17934862
Funny thing is I used to lose all my pens TO my job, not FROM my job.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 18199089
With free internet access, use a free webmailer to upload up to 2 GB of data encoded with steganography in pictures and you're done.

One could also PGP an Excel sheet, convert it to base64 and copy & paste it into a webform...

There are too many ways to export valuable data, if you want to start auditing, block internet access.

Tolomir
0