Low-Tech Information Security
By Jeff Gainer
It was an odd request, so I rephrased the client's question: "So you're worried that your employees might be copying software to floppies for their personal use?"
"Well, yeah, maybe," The client representative, "Mike" agreed.
There was something too vague about this request, so I thought that there might be an unspoken requirement. "Well, there are some technical solutions. Converting all your workstations to diskless would be one option."
"How much would that cost?" he asked quickly. Too quickly.
It would be minimal, I replied, "You'll need a technician to program and swap new network cards, then remove the floppy drives. But it's not a huge conversion." The client only had a little over sixty workstations, spread across five buildings and some dockable, specialized devices for tracking inventory.
"Maybe we should do that," the client decided.
"What software are you worried about your employees stealing? You mean stuff like AutoCAD?"
"We've got all the install disks locked up." Mike looked pleased with himself. "We're more worried about customer lists, preliminary contracts, pricing systems."
"You mean like the central pricing database, with all the components and margin markups?" I asked
"Yeah, the one you wrote for us two years ago," Mike confirmed. "Everybody loves it, by the way."
"Well, Mike, I don't think most of your employees are technically savvy enough to figure our which data files to copy, and besides, most of them are pretty big and would require a lot of floppies. Besides, they're encrypted, hidden and the user rights are locked down pretty tightly."
"Can we monitor what they try to copy to floppies?"
"Technically, yes, you can log every keystroke, but it's a tremendous amount of data, and who's going to looking in the haystack for a needle that might not exist-you?"
Mike nodded. He certainly didn't have the time, and knowing Mike, he wouldn't delegate such a sensitive task to anyone but a few already overworked colleagues.
"So what you're really worried about, Mike, is that one of your salesmen might copy some data, jump to a rival firm--"
"Exactly! And I'm particularly worried about "Phil" and "Gary." Those two would not only sell their own mothers, they'd promise free overnight delivery!"
Ahah! The real requirement! "The big problem, here, Mike, is not technical. These guys don't understand what a data file is. If one leaves, we can check his files to see what he deleted, or more accurately, flagged for later deletion. But stealing the info is easy. Ho clicks on his contact management software and say 'Print Everything,' and it does. He puts the papers in his briefcase and walks out the door with your customers and everything he's learned about them over the years.
Mike was looking a little sobered now, so I changed the subject, slightly. "Mike, you know I tried my hand at sales a few years back as a stockbroker. And I learned a couple of good security stories." Mike was leaning forward now. "Things weren't really automated then, at least not on our desks. We keep out customer info in books, journals listing everything we knew about the client and all their transaction on one or two pages. When a broker was ready to jump ship-and they jumped a lot-he discreetly put one or two binders of these client files in his briefcase each night, stopped by an all-night Kinko's on the home and copied everything. They brought the originals back in the morning. Then he hustles over to the new firm and begin calling like a madman.
"Then there's dumpster diving. Very unethical, very messy, generally looked down on by everybody, but digging through dumpster can yield some very specific information about a client. If nothing else, it has here name, address, and phone number. A transaction, type of security, and an amount. Very useful information for an unscrupulous broker."
"Ever happen to you?"
As a matter of fact, it had. I had worked in a building with two brokerage firms. I worked for the conservative white-shoe "one-investor-at-a-time" firm. Upstairs was a more freewheeling place, "Dewey, Cheautum and Howe." "Mignon," our branch manager, was the very picture of a conservative, old-style money manager. "Blaine," the branch manager of DCH was younger; I recall that usually wore loud ties and a cocky smirk.
One morning, chatting around the coffeemaker, it seemed that everyone had a common concern. CDH brokers had been calling our clients with very specific investments. Mignon promised to investigate.
During a staff meeting two days later, Mignon revealed that she had found the source of the problem. The building's custodial had been carrying our trash upstairs and storing in a closet at the DCH offices. They had been receiving a generous cash bonus for each bag of our trash. Trade confirm carbons were sorted out and distributed for DCH brokers.
Mignon's first solution was to order a dozen crosscut shredders. And later that day, Mignon had found herself alone in the elevator with Blaine. She stopped the elevator and quietly told Blaine that if DCH brokers did not stop calling our clients immediately, she would initiate an SEC investigation. Some, if not all of the DCM brokers, including Blaine himself, would likely got to prison. And when they got out, they would certainly be banned from the securities business for life. "And the calls stopped," I concluded.
"So maybe we need some shredders," Mike ventured.
"Yes, you do. But remember, chance of data theft or damage isn't just external. Every treat you've indicated is internal." Mike nodded in agreement. "Then, Mike, technology probably can't do all that much to help you. Security is more than technology: you have locks on the gates outside, and lock on the doors. You need a broader focus on security, but for non-technical questions, you need another opinion-from a security expert. Security is not just technical solutions."
Several days later, a Saturday, Mike left me a voice mail, saying that one of the sales staff had been terminated and the next time I was at the client site that I should freeze his network account and distribute his leads and customers to the rest of the sales force.
Although it was a Saturday morning, I went directly to the client's office, and, as I had expected, there was Phil, sitting in his office with a hang-dog expression, fiddling at his keyboard. He looked up. "I guess you know I got fired. So I need you to help me out. I have a job interview for another sales position Monday. How can I print out my leads?"
I shook my head, genuinely sad. "Phil, you know I can't do that."
I left his office, went to the lobby, said hello to the weekend receptionist. I logged in as an administrator and locked Phil's account. "Did anyone tell you Phil had been terminated?"
"Really?" the receptionist looked incredulous. "I had no idea. But I did think it was odd he was here, since he never works on Saturdays."
Phil came into the lobby, walking quickly. "That was not a nice thing to do," he muttered as he hurried toward the exit.
# # #
Mr. Gainer is a software process management consultant and writer. His management and technical articles have appeared in numerous publications and he is a frequent contributor to Cutter IT Journal, and the Cutter IT Journal email Advisor. He can be reached at email@example.com or on the Web at http://www.jeffgainer.com. Mr. Gainer lives in Grand Junction, Colorado, and Menton, France.
(c)2002 Cutter Information Corp. All rights reserved. This article has been reprinted with
the permission of the publisher, Cutter Information Corp., provider information resources for IT professionals
This article originally appeared in the Cutter IT E-Mail Advisor, a supplement to Cutter IT Journal. www.cutter.com/itjournal.
Return To jeffgainer.com.