- Internet & the Web
Security Of Corporate
Corporate data is an important possession of marketing strategies, product designs, underway deals and project plans which could be a treasure trove if in the hands of competitors. Security of customer data is just as important, perhaps more so, since there are audit and compliance risks associated with such leaks. So today, we will discuss how the data leaks out of companies and what can be done to prevent this.Employees of this age are more digitally empowered than ever before, courtesy the ever-increasing number of gadgetries and technologies. This empowerment needs to be checked and reined in. For example, there are many Bluetooth enabled cell-phones which can be used to wirelessly transfer data off the office laptops which are also Bluetooth enabled. Also, think about hazards of unchecked BIOS access combined with bootable CDs. An employee can easily by-pass login authentication of his own or anyone else' PC simply by setting CD as the first boot device and inserting CD of his choice.This is where things can go wrong as this bootable CD could be a Linux OS specially designed for breaking into systems by changing admin passwords. Or it could be a full fledged forensic analysis CD which means exact copies of hard-disk images can be created and burned.This is possible with RW drives because all bootable CDs are not required to remain in the drive after booting up, and thus freeing up the drive for operations. Couple this with USB access and attacker can do all sort of malicious activities from using external storage devices to sniffing the data off or installation of Trojans or network sniffing.If the USB bootable option is present and accessible for turning it on, things can become easier and smoother for attackers given the speed and storage capabilities of USB devices. These scenarios depict attempts to subvert security right at the boot-level, but there is a lot that a disgruntled employee can do after legitimately logging into his own computer.For example, he can send his own files to some free web-mail account or upload those using online backup sites. Or, he may perform LAN reconnaissance and upload the data online, or to a USB or CD device in order to avoid suspicion due to network traffic congestion. And if these devices on the client's side are blocked, the disgruntled employee can plug in someone else's network cable in his private laptop, or can even plug his laptop into an unused network port, which is not very difficult to find out, and copy the data using LAN sharing.
A part from data copying, the risk of malicious installations remains pertinent. This in-turn opens up more possibilities, for example, data espionage through key logging and local data capturing. In majority of the cases, the intranet e-mail exchanges usernames and passwords in plain text. Once this information is sniffed, attacker can check e-mails of other users locally or if web-access is available, can do it from outside the office premises as well.
Moreover, an attacker may create reverse SSH tunnel to make his proxy-shielded PC available from home or may undermine or set up Remote Access rights. When all else fails on the network and client-side access side, the option of printing out sensitive information and taking them away remains an option. The networked printers just add another level of complexity where a remote accomplice can be called into action.
Wireless access has opened new doors of corporate intrusions. There are several academic studies which show how to simply use a WiFi enabled laptop to war-drive, that is, scan an area for beacons announcing presence of companies and examine their security strength. With a plethora of wireless hacking tools available for free over the internet, the risks remain high. Add to this the availability of high-gain antennas and we have remote attacks ready.
More recently, a new genre of threat has arrived: fake Access Points that lure unsuspecting genuine users to connect to an attackers AP thinking to be the company's real AP.
Lastly, threats from unauthorised physical access to hardware cannot be ruled out. There are eavesdropping devices that can be attached say between a CPU and its keyboard cable to sniff the key presses. Or simply think about wastebasket junk that often contains lot of interesting information. At an extreme level, even the monitor radiations can be picked up from a distance to capture information.
The investment in securing a company's data depends upon the risk a company can take. And for that, it is for the top management to allocate adequate funds for making sure that their exposure level is within acceptable limits. The most obvious countermeasures include having a network monitoring system to keep an eye of outgoing data, especially through e-mails.
Although, e-mail monitoring looks rudimentary, it is one of the most misused office facilities. Next comes blocking the unnecessary client level access privileges. Bluetooth, infra-red and WiFi top the chart. Then comes USB - though it remains dangerous but is often required and is not always easy to block it out completely. For this, either it can be made read-only or there could be a centralised USB plugging machine under supervision of a security resource. The protection of information from theft is not always easy but by keeping data secure through mandatory encryption (at file system as well as document level) helps, particularly when laptops and USB disks go missing. Most of the client side restrictions can only be applied in a centrally administered network, like, MS Active Directory in a Microsoft environment.
Finally, security should be considered as an on-going exercise, rather than one-off implementation to ward off emerging threats.