
To catch a spy

Wayne Rash tells a tale of how a company's secrets were being compromised by an insider. What is your company doing to protect its critical information?
Written by ZDNET Editors, Contributor
COMMENTARY--My friend picked up another corn chip, dipped it in the green salsa, and then started talking again. Somehow, he said, a fellow co-worker had talked the IT staff into giving him total access to the organization's network, while still allowing him complete access to the Internet.

My friend shook his head in frustration as he continued. He'd suspected that this spy--a co-worker at a government agency--was sending extremely sensitive information to others. Because of this, other co-workers had isolated the suspected spy from areas that provided access to computer networks. The idea was that while he was kept from accessing those areas, the security people would have a chance to complete their investigation so they could take further action.

WHAT THEY DIDN'T COUNT ON was an IT staffer ignoring the rules, and creating a security hole of massive proportions. And though my friend's organization was dealing with a bona fide spy, this scenario can happen in any corporation.

Because the agency handled such sensitive data, one of the primary security requirements was that no computer could have access to both the secure area on the organization's internal network and the Internet. The idea was to keep people from browsing through critical secrets, copying them, and then e-mailing them to people who weren't supposed to have them.

In this case, the suspected spy had called a buddy within the agency who set him up for access to everything he wanted, and also allowed him to keep his Internet connection. The suspected spy made good use of his access before anyone found out, and e-mailed as much information out as he could. Fortunately, the organization was also keeping an eye on its suspect, and noticed the activity on his account. It wasn't long before the suspected spy was arrested and charged. But before that had happened, the agency had substituted bogus information in the areas the spy was accessing. Fortunately, the damage--while still severe--was at least less than it could have been.

THE SPY WAS NABBED for several reasons, most of which had nothing to do with his Internet activities. But his access to both highly sensitive information and the Internet at the same time on the same computer certainly contributed to the damage he caused. Fortunately, the IT people he had contact with weren't trying to keep his activities secret. While they gave him access that would later prove to be in error, they kept good records, and helped trap him when the time came.

Now, the chances are pretty good that catching spies is pretty far down the list of your IT priorities. Most companies don't have to worry about guys in trench coats hanging out in the data center. But are you sure you don't have anything to worry about?

While most companies may not routinely provide access to things that affect national security, they still have secrets that others would like to know. For example, I'll bet your competition would love to have a look at your customer list. And I'll bet a lot of your employees would like to have a look at the salary figures for the people they work with. With many companies, there are trade secrets, secrets about new products or methods, or information about personnel that could cause great harm if leaked.

WHAT ARE YOU DOING about this sensitive information? Do you routinely make it possible for employees to copy this information into an e-mail? Can employees get to the designs, or the source code, or the recipes, or the chemical formulae? Are you sure?

Chances are, you probably aren't certain of what's available to whom, what can be easily found and copied into an employee's e-mail, and where it might be sent if someone in your company decides to share with the competition. There are, of course, a number of tools that will allow you to keep on top of such things, but they won't help if you don't have a handle on the problem in the first place.

You need to develop rules about what constitutes sensitive information. It's a good idea to also define levels of sensitivity, so that the trade secrets for the flagship cola drink, for example, aren't treated the same way as the employee phone directory. Then you have to define access rules so material that's really not all that sensitive--but still shouldn't be sent out freely--can still be accessed by anyone in the company, regardless of whether their computer has Internet access. The rules need to be detailed enough that there's no question about what's sensitive and what's not, but flexible enough so they can still work if things change. After the IT and the security staff draft proposed rules, they should be approved and sponsored by executives as highly placed in the company as possible so that they'll be followed. This is ideally a CEO-level responsibility.

While you're at it, this might be a good time to make sure which of your employees you can trust. When you've done that, let me know. Then we'll talk about those cool products that help you catch the bad guys.

Have you ever discovered a company spy? What methods do you use to protect sensitive information? TalkBack to me.

Wayne Rash runs a product testing lab near Washington, DC. He's been involved with secure networking for 20 years and is the author of four books on networking topics. He writes regularly for ZDNet Tech Update.
