
Security Of Corporate

Updated on October 22, 2011

Corporate data is an important possession: marketing strategies, product designs, deals under way and project plans could be a treasure trove in the hands of competitors. Security of customer data is just as important, perhaps more so, since there are audit and compliance risks associated with such leaks. So today, we will discuss how data leaks out of companies and what can be done to prevent this.

Employees today are more digitally empowered than ever before, courtesy of the ever-increasing number of gadgets and technologies. This empowerment needs to be checked and reined in. For example, there are many Bluetooth-enabled cell phones which can be used to wirelessly transfer data off office laptops that are also Bluetooth-enabled. Also, think about the hazards of unchecked BIOS access combined with bootable CDs. An employee can easily bypass the login authentication of his own or anyone else's PC simply by setting the CD as the first boot device and inserting a CD of his choice.

This is where things can go wrong, as this bootable CD could be a Linux OS specially designed for breaking into systems by changing admin passwords. Or it could be a full-fledged forensic analysis CD, which means exact copies of hard-disk images can be created and burned.

This is possible with RW drives because bootable CDs are not required to remain in the drive after booting up, which frees up the drive for other operations. Couple this with USB access and an attacker can carry out all sorts of malicious activities, from using external storage devices to take data off, to installing Trojans or network sniffing.

If the USB boot option is present and can be turned on, things become easier and smoother for attackers given the speed and storage capabilities of USB devices. These scenarios depict attempts to subvert security right at the boot level, but there is a lot that a disgruntled employee can do after legitimately logging into his own computer.

For example, he can send his own files to some free web-mail account or upload them using online backup sites. Or he may perform LAN reconnaissance and upload the data online, or copy it to a USB or CD device in order to avoid the suspicion that network traffic congestion would raise. And if these devices are blocked on the client side, the disgruntled employee can plug someone else's network cable into his private laptop, or can even plug his laptop into an unused network port, which is not very difficult to find, and copy the data using LAN sharing.

Issues

Apart from data copying, the risk of malicious installations remains pertinent. This in turn opens up more possibilities, for example, data espionage through key logging and local data capturing. In the majority of cases, intranet e-mail exchanges usernames and passwords in plain text. Once this information is sniffed, an attacker can check the e-mails of other users locally or, if web access is available, from outside the office premises as well.

Moreover, an attacker may create a reverse SSH tunnel to make his proxy-shielded PC available from home, or may undermine or set up Remote Access rights. When all else fails on the network and client-side access fronts, printing out sensitive information and taking it away remains an option. Networked printers just add another level of complexity, where a remote accomplice can be called into action.

Wireless access has opened new doors for corporate intrusions. There are several academic studies which show how to simply use a WiFi-enabled laptop to war-drive, that is, scan an area for beacons announcing the presence of companies and examine their security strength. With a plethora of wireless hacking tools available for free over the internet, the risks remain high. Add to this the availability of high-gain antennas and we have remote attacks ready.

More recently, a new genre of threat has arrived: fake Access Points that lure unsuspecting genuine users into connecting to an attacker's AP, thinking it to be the company's real AP.

Lastly, threats from unauthorised physical access to hardware cannot be ruled out. There are eavesdropping devices that can be attached, say, between a CPU and its keyboard cable to sniff the key presses. Or simply think about wastebasket junk, which often contains a lot of interesting information. At an extreme level, even monitor radiation can be picked up from a distance to capture information.

The investment in securing a company's data depends upon the risk the company can take. It is therefore for the top management to allocate adequate funds to make sure that their exposure level is within acceptable limits. The most obvious countermeasures include having a network monitoring system to keep an eye on outgoing data, especially through e-mails.

Although e-mail monitoring looks rudimentary, e-mail is one of the most misused office facilities. Next comes blocking unnecessary client-level access privileges. Bluetooth, infra-red and WiFi top the chart. Then comes USB: it remains dangerous but is often required, and it is not always easy to block it out completely. For this, either it can be made read-only or there could be a centralised USB plugging machine under the supervision of a security resource. Protecting information from theft is not always easy, but keeping data secure through mandatory encryption (at file-system as well as document level) helps, particularly when laptops and USB disks go missing. Most of the client-side restrictions can only be applied in a centrally administered network, such as MS Active Directory in a Microsoft environment.

Finally, security should be treated as an ongoing exercise to ward off emerging threats, rather than a one-off implementation.
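The outgoing-data monitoring countermeasure described above, sketched as an added example (not part of the original article): it totals upload bytes per user to web-mail and online-backup destinations from web-proxy logs and flags large transfers. The log format, host names, watch list and 10 MiB threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (assumed format):
# timestamp user method host bytes_sent
SAMPLE_LOG = """\
2011-10-20T09:14:02 asmith POST intranet.corp.example 18432
2011-10-20T09:15:40 bjones POST mail.webmail.example 5242880
2011-10-20T09:16:11 bjones PUT  backup.onlinebackup.example 73400320
2011-10-20T09:17:05 cdavis GET  mail.webmail.example 512
2011-10-20T09:18:30 cdavis POST mail.webmail.example 20480
2011-10-20T09:19:00 bjones POST mail.webmail.example 31457280
this line is malformed and must be skipped
"""

# Hypothetical watch list: domain suffix -> leak channel named in the article
WATCHED_SUFFIXES = {"webmail.example": "web-mail",
                    "onlinebackup.example": "online backup"}
UPLOAD_METHODS = {"POST", "PUT"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def categorize(host):
    """Return the watched category for a host, matching on label boundaries."""
    host = host.lower().rstrip(".")
    for suffix, category in WATCHED_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return None

def upload_totals(log_text):
    """Sum bytes sent by upload requests per (user, category); skip bad lines."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, user, method, host, size = m.groups()
        category = categorize(host)
        if method.upper() in UPLOAD_METHODS and category:
            totals[(user, category)] += int(size)
    return dict(totals)

def flag_uploads(log_text, threshold_bytes=10 * 1024 * 1024):
    """Return sorted (user, category, bytes) tuples at or above the threshold."""
    return sorted((user, category, sent)
                  for (user, category), sent in upload_totals(log_text).items()
                  if sent >= threshold_bytes)

if __name__ == "__main__":
    for user, category, sent in flag_uploads(SAMPLE_LOG):
        print(f"ALERT {user}: {sent / 2**20:.1f} MiB uploaded to {category}")
```

Aggregating per user rather than per request catches data sent out in several smaller uploads, and matching on domain label boundaries avoids flagging unrelated hosts that merely share a name fragment.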
