
outbound content compliance

I am building a system which prohibits certain files from leaving the building.  Looking for options.  Auditing will be turned on, but it does not prevent this stuff.  We are looking at:
CDs but no CD burners
read-only memory card readers?
email attachment blocking.

How to keep your private files from being emailed or copied out to the world when the employees are at work?
6 Solutions
You don't.

This is NOT a technology problem. This is a personnel and policy issue.

Say you put this system in place, and HR says "No one should be mailing out the file named SALARIES." and you put in some filter that looks for an E-Mail with an attachment named "SALARIES".

So Jane renames the file "MyWork" and sends it out. Oops.

Or Bob puts the file into an encrypted archive named SECURE. Even if you have a content scanner, it won't be able to examine the content, it's encrypted.

How about floppies? Parallel-port hard drives? Printed paper?

If you have so little trust in your employees, then perhaps they shouldn't be working for you.
carl_legere (Author) commented:
This may sound hypocritical because I have answered EE questions with "you don't" before, but that is not the answer I'm looking for.  I am nearing the end of a costly, two-year struggle suing an expat who stole files by a variety of techniques.  The value of forensic evidence and audit trails is high, but I would prefer to spend resources on eliminating the risk.

With new compliance requirements, there are many ways to achieve this; I'm simply soliciting information from people who may have been down this road before.
Well, I *have* been down this road before. I've implemented E-Mail security for a government agency with specific legislated info security requirements.

There are many software products that *claim* to achieve this, yes. But the facts, not the marketing fluff, are that this gets very expensive very quickly, and there is no such thing as absolute protection. If someone wants to smuggle your company info out, and you're not prepared to take measures like the CIA takes with Langley or the NSA takes with Fort Meade, then your money is probably better spent elsewhere.

I accomplish this by using a watchguard appliance with the smtp proxy.
I have to agree with PsiCop.  The fact is there are going to be many ways to get around this.

If email is enabled and attachment blocking is enabled, how does that stop a user from using their own web-based email and attaching the files there?

What about the situation where a user brings in a USB CD writer or USB key?

Even let's say that you block the email sites for all users and disable attachments in Outlook; what stops the user from using all the possible other protocols?

If you are really concerned about this issue,
disable the USB ports on the machines and disconnect the network from the internet.  In the event a user could transmit data via radio or a cellular connection, your building needs to have sufficient insulation and interference so that these methods do not work either.  While you are at it, turn off all the electricity to the computers and buildings; this makes it extremely difficult to send files.

With that said, even the NSA has had data stolen.  The only real solution is that you have a policy.

Just put cameras above each person's workstation.
I guarantee a lot of your problems will be solved LOL
carl_legere (Author) commented:
Of course there is a policy.  Problem is you just can't fire these particular people; they are independent contractors.

Our search was inspired by PGP Desktop's NetShare application.  It encrypts folders (a good thing) but you have to enter the passphrase to open the folder, which means that if they email themselves the file they will know the passphrase.  So we need a way for them to have their PC know the passphrase without the end user knowing it.  If they email themselves the file, it is just encrypted gibberish.

I might be close with this solution:

they offer three factor authentication to encrypted files.
1. the password
2. usb keyfob which talks to the workstation software and allows access to files
3. PKI with a local server running


Now if they get the files AND the USB keyfob and the software that runs it all, they cannot decrypt the file because they are missing #3

If they have #2 and #3 they can't read another users' file

If they have #1 and #3, ha ha

If they email themselves the file they are still missing #3
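The following is an added illustration of the three-factor arrangement Carl describes; it is not code from PGP Desktop or from any product in this thread. It assumes the file key is derived from (1) a passphrase, (2) a secret read from the USB fob and (3) a secret released by a local server, and it uses a toy cipher (an HMAC-SHA256 keystream with an HMAC tag) so it runs with the Python standard library only. The point it shows is the one in the comment above: an emailed copy of the file, with or without the fob secret, does not decrypt without the server's contribution.

```python
import hashlib
import hmac
import os

# Toy demonstration of a three-factor file key (added example, not product code).
# Factor 1: user passphrase. Factor 2: secret stored on the USB fob.
# Factor 3: secret released by a local server. Omit or change any one factor
# and derive_file_key() yields a different key, so the tag check fails and
# decrypt_file() refuses to return plaintext.
# The key-combining step and the keystream cipher are constructed for this
# example; a real deployment would use a vetted AEAD such as AES-GCM.

SALT_LEN = 16
TAG_LEN = 32


def derive_file_key(passphrase: bytes, fob_secret: bytes,
                    server_secret: bytes, salt: bytes) -> bytes:
    """Bind all three factors into one 32-byte key."""
    pw_key = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000)
    return hmac.new(server_secret, pw_key + fob_secret + salt,
                    hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file(plaintext: bytes, key: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_file(blob: bytes, key: bytes):
    """Return the plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def demo() -> dict:
    """Encrypt once, then try to decrypt with each factor missing."""
    salt = os.urandom(SALT_LEN)
    passphrase = b"correct horse battery staple"   # factor 1 (constructed)
    fob_secret = os.urandom(32)                    # factor 2 (constructed)
    server_secret = os.urandom(32)                 # factor 3 (constructed)
    key = derive_file_key(passphrase, fob_secret, server_secret, salt)
    blob = encrypt_file(b"SALARIES: jane,95000\nbob,82000\n", key)

    wrong_pw = derive_file_key(b"guess", fob_secret, server_secret, salt)
    wrong_fob = derive_file_key(passphrase, os.urandom(32), server_secret, salt)
    wrong_srv = derive_file_key(passphrase, fob_secret, os.urandom(32), salt)
    return {
        "all_three": decrypt_file(blob, key),
        "no_password": decrypt_file(blob, wrong_pw),
        "no_fob": decrypt_file(blob, wrong_fob),
        "no_server": decrypt_file(blob, wrong_srv),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", "plaintext" if result else "refused")
```

The property demonstrated is only the one stated in the comment: the ciphertext that leaves the building is useless without the server's factor. It says nothing about a workstation on which all three factors are already present, which is the situation the next reply raises.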
File-Save As ?

File-Print ?

You can fire contractors and you can hold them personally liable for their actions.
Hey, Carl.

Even if you manage to lock down absolutely EVERYTHING, the contractors have to have a working HCI output device (a monitor) to use the documents you're trying to prevent them from copying, right?

Well, now imagine a rogue contractor taking a lot of screenshots :D OK. Let's say you've foreseen this and have been able to disable the feature on the workstation. Still, he/she might take them with a cellphone camera, which is so common nowadays and tiny enough to easily pass the full body cavity search :P

What you need is a public execution! A fake one if it can be pulled off. Hire somebody just for the sake of example to make it clear for everyone how painful it can be to cross the line. Otherwise your work environment will soon resemble the Sci-Fi movies where humans are X-rayed every time they arrive at work and their memories erased every time they leave the site.
carl_legere (Author) commented:
Come on guys.  I am an intelligent person; I have over 500000 points on this system.  I know coming into this that it is an almost ridiculous question.  But alas, I am asking for suggestions.

Looking at data is not prohibited, printing is not prohibited because it will be logged and audited.  What we endeavor to stop is sending large amounts of raw data home or elsewhere.

Why is there a line in the sand drawn at "prohibit large amounts of data?"
If they print the records out and take them home of their own work, they would amass a database of about 300 records per year.  For them to have access to this much data is acceptable.
If they access other people's data (which because of this operation cannot be prohibited, just tracked) and they printed another user's 300 records per year, we would know they were up to something.

They would need at minimum to steal 1000 records to begin being a risk or hit the 'radar' that they are up to no good.  It would be very easy to grab 1000 records and send them home if we don't plug that hole via the raw database.  If they printed finished reports (1000 of them) we would know by the tracking system and do something about it.  We merely endeavor to prohibit a mass leak of data.  And any leak of pure electronic transfer is to be avoided.  If they print it, that is OK.  If they screenshot it or cellphone-camera it, we believe this to be of minimal risk because of the amount of effort involved.
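As an added example of the thresholds laid out in the comment above (not code from the original thread), the block below runs the "about 300 of your own records per year is normal, 300 of someone else's or 1000 in total is the radar line" rule over a constructed audit trail. The log line format, the user names and the record numbers are invented for the example; only the two thresholds come from the post.

```python
import re
from collections import defaultdict

# Added example: turn the thread's rule of thumb into a check over an audit log.
# Log format, users and record numbers below are constructed for illustration.

OWN_BASELINE = 300      # records of one's own work per period (from the post)
MASS_THRESHOLD = 1000   # "need at minimum to steal 1000 records" (from the post)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) action=(?P<action>\w+) "
    r"record=(?P<rec>\d+) owner=(?P<owner>\w+)$"
)


def parse_audit(lines):
    """Yield one dict per well-formed audit line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(events):
    """Per user: number of distinct records touched, split into own vs. others'."""
    touched = defaultdict(lambda: {"own": set(), "others": set()})
    for e in events:
        bucket = "own" if e["user"] == e["owner"] else "others"
        touched[e["user"]][bucket].add(e["rec"])
    return {u: {k: len(v) for k, v in d.items()} for u, d in touched.items()}


def flag(summary):
    """Return {user: [reasons]} for users who cross either line."""
    alerts = {}
    for user, s in summary.items():
        reasons = []
        if s["others"] >= OWN_BASELINE:
            reasons.append("others' records at own-workload volume")
        if s["own"] + s["others"] >= MASS_THRESHOLD:
            reasons.append("mass access")
        if reasons:
            alerts[user] = reasons
    return alerts


def constructed_log():
    """Synthetic audit trail: two normal contractors and one bulk exporter."""
    lines = []

    def add(user, recs, owner, action="print"):
        for r in recs:
            lines.append(f"2008-06-01T09:00:00 user={user} action={action} "
                         f"record={r} owner={owner}")

    add("alice", range(1000, 1300), "alice")               # a normal year of her own work
    add("bob", range(2000, 2280), "bob")
    add("bob", range(1000, 1020), "alice")                 # a few cross-references
    add("mallory", range(1000, 1300), "alice", "export")   # bulk export of others' data
    add("mallory", range(2000, 2280), "bob", "export")
    add("mallory", range(3000, 3600), "carol", "export")
    lines.append("malformed line that the parser should skip")
    return lines


def demo():
    return flag(summarize(parse_audit(constructed_log())))


if __name__ == "__main__":
    for user, reasons in demo().items():
        print(user, "->", "; ".join(reasons))
```

Counting distinct records rather than raw events matters: a contractor who reopens the same 300 files all year looks very different from one who touches 300 different files once each, and the thread's numbers are about the latter.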

You could review your audit trails for the contractors, and every couple of days, have a nice chit-chat with them about their activities.
That won't keep them from using technology to get information out of the building, but it will tell them that you are watching them very closely.

Like everyone else has said, things have a way of leaving.  Everyone's junk drawer at their home probably has a few pens, pencils, post-it notes and paper clips that were bought by their employer.  But if you have the resources to monitor the supply closet, you can corner Bob and ask why he needs a new pen twice a week.
carl_legere (Author) commented:
Funny thing is I used to lose all my pens TO my job, not FROM my job.
With free internet access, use a free webmailer, upload up to 2 GB of data encoded with steganography in pictures, and you're done.

One could also PGP an Excel sheet, convert it to base64 and copy & paste it into a webform...

There are too many ways to export valuable data, if you want to start auditing, block internet access.
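Two of the bypasses in this thread (PsiCop's rename and encrypted-archive cases, and the PGP-plus-base64-in-a-webform case just above) can be put side by side in code. The block below is an added example, not something from the original thread or from any product mentioned in it: it runs an outbound attachment or form body through a name blocklist, a content hash of known-sensitive files, and an entropy heuristic, and reports which check each evasion does and does not get past. The file names, the salary data, the thresholds and the one-time-pad stand-in for "encrypted archive" are all constructed for the example.

```python
import base64
import binascii
import hashlib
import math
import os
import re
from collections import Counter

# Added example: three outbound-content checks and what each evasion does to them.
#   name-match    : attachment name on a blocklist (beaten by renaming)
#   content-hash  : SHA-256 of known-sensitive content (survives renaming,
#                   beaten by any change to the bytes, e.g. encryption)
#   high-entropy  : bytes look random, i.e. encrypted or compressed; this
#                   cannot say what the payload is, only that it warrants a look
# Names, data, thresholds and the "encryption" below are constructed.

SENSITIVE_NAMES = {"salaries.xls"}
SENSITIVE_HASHES = set()
ENTROPY_THRESHOLD = 7.2          # bits per byte; plain text sits around 4-5
MIN_BLOB = 256                   # ignore tiny payloads where entropy is noisy
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def register_sensitive(data: bytes) -> None:
    """Record the hash of a file HR does not want leaving."""
    SENSITIVE_HASHES.add(hashlib.sha256(data).hexdigest())


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_attachment(name: str, data: bytes) -> list:
    """Return the list of checks an attachment trips."""
    findings = []
    if name.lower() in SENSITIVE_NAMES:
        findings.append("name-match")
    if hashlib.sha256(data).hexdigest() in SENSITIVE_HASHES:
        findings.append("content-hash")
    if len(data) >= MIN_BLOB and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        findings.append("high-entropy")
    return findings


def inspect_body(text: str) -> list:
    """Find long base64 runs in a mail/form body and test the decoded bytes."""
    findings = []
    for m in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
        if len(raw) >= MIN_BLOB and shannon_entropy(raw) >= ENTROPY_THRESHOLD:
            findings.append("encoded-high-entropy-blob")
    return findings


def demo() -> dict:
    # Constructed sensitive file: 300 rows of "employee,salary".
    salaries = "".join(f"employee{i:04d},{40000 + 37 * i}\n"
                       for i in range(300)).encode()
    register_sensitive(salaries)
    # Stand-in for an encrypted archive: XOR with a random one-time pad.
    pad = os.urandom(len(salaries))
    encrypted = bytes(a ^ b for a, b in zip(salaries, pad))
    return {
        "original":  inspect_attachment("SALARIES.xls", salaries),
        "renamed":   inspect_attachment("MyWork.xls", salaries),
        "encrypted": inspect_attachment("SECURE.zip", encrypted),
        "webform":   inspect_body("status update "
                                  + base64.b64encode(encrypted).decode()),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case:10s} -> {findings or 'passes every check'}")
```

The entropy heuristic is the weakest of the three: it fires on any legitimate zip, JPEG or PGP mail as well, so in practice it produces a review queue rather than a block, which is consistent with the thread's conclusion that this ends up as a people problem.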
