Jun 17, 2012
tom

How to minimize the risk of employees spreading critical information? [closed]

Question

What’s common sense when it comes to minimising the risk of employees spreading critical information to rivalling companies?

As of today, it’s clear that not even the US government and military can be sure that their data stays safely within their doors. Thereby I understand that my question probably instead should be written as “What is common sense to make it harder for employees to spread business critical information?”

If anyone would want to spread information, they will find a way. That’s the way life works and always has.

If we make the scenario a bit more realistic by narrowing our workforce by assuming we only have regular John Does onboard and not Linux-loving sysadmins, what should be good precautions to at least make it harder for the employees to send business-critical information to the competition?

As far as I can tell, there are a few obvious solutions that clearly have both pros and cons:

  1. Block services such as Dropbox and similar, preventing anyone from sending gigabytes of data through the wire.
  2. Ensure that only files below a set size can be sent as email (?)
  3. Set up VLANs between departments to make it harder for kleptomaniacs and curious people to snoop around.
  4. Plug all removable media units – CD/DVD, floppy drives and USB
  5. Make sure that no configurations to hardware can be made (?)
  6. Monitor network traffic for non-linear events (how?)

What is realistic to do in the real world? How do big companies handle this?
Sure, we can take the former employer to court and sue, but by then the damage has already been caused…

Thanks a lot

Asked by Industrial

Answer

There are a variety of things that can be done. There are entire industries created around the very idea of “how do I keep information from leaking”. The ubiquity of static data-storage and wireless networks (both wifi and 3G/4G) makes wired network-perimeter security less of a barrier than it was even 5 years ago.

As with all security, managing the exceptions can be very tricky. Yes, you can disable all USB ports, but that leaves USB keyboards, mice, and printers in the dark. You can disable all access to Facebook, but the Public Relations office will definitely need access. The extremely paranoid can ban all phones with cameras (lest someone phone-cam a doc and mail it to a competitor) but that’s really hard to make stick these days. And then there is the old fashioned method of taking home printouts to fax.

If someone really wants to leak information, it’s generally easy.

I can’t stress enough the impact that municipal scale high-bandwidth networks have on security posture. With nearly everyone with a camera in their pocket and a phone-plan able to accommodate pictures, 1-5 page documents can be sent with ease without ever touching the corporate LAN. If USB connections are enabled, many smartphones can expose local storage to a workplace computer and have files saved on it which can then be sent from the phone directly if not sneakernetted home and sent from there.

The phone-cam ‘attack’ is particularly insidious since it leaves no log-traces on company equipment the way that USB-mounts potentially can.

The ironic thing about Internet-access restrictions blocking social networking sites and all known webmail providers is that it forces people onto their phones for the same service.

Big companies handle this by ignoring the hard to manage threats (see above for a good example of one) and managing the risks they can manage cheaply. That means:

  • Blocking web-sites of any suspicious class (social media and webmail sites are big ban targets) and known web-proxy sites
  • Recording all outbound email
  • Enforcing a captive-portal for internet access, requiring logon with corporate credentials before access is given
  • Monitoring outbound email for private data using varying complexities of filters (big industry with this one)
  • Ensuring least-privilege on the local network so people don’t have access to secrets they don’t need
  • Using asset-inventorying software to monitor corporate hardware for change events
  • Using event-log monitoring software to track hardware events such as use of removable media
  • Setting Group Policies to ban certain behaviors deemed unneeded in the workplace
  • Using strong encryption on any WLANs in use

These days the network perimeter is not just at the WAN/LAN demarc, it touches every point of the network where data is released into analog form of any kind and the tools for exploiting such analog holes are getting ever better and ever more common. And other such things.

Answered by sysadmin1138
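The answer's list (blocking suspicious site classes, watching outbound traffic) and the question's item 6 (spotting "non-linear events") come together in a small egress-log check. The script below is an added example, not code from the original post or its author; the log format, the host category patterns and the sample lines are all constructed for illustration, and a real deployment would feed it proxy logs and a maintained category list.

```python
import re
import statistics

# Constructed sample egress log: "<time> <user> <destination host> <bytes sent>"
SAMPLE_LOG = """\
2012-06-17T09:01:02 jdoe intranet.example.local 1200
2012-06-17T09:03:10 jdoe mail.example.local 15000
2012-06-17T09:15:44 asmith dl.dropbox.com 980000000
2012-06-17T09:20:05 bjones intranet.example.local 800
2012-06-17T09:22:31 bjones webmail.example.net 2048
2012-06-17T10:02:12 jdoe intranet.example.local 1500
2012-06-17T10:31:55 asmith proxy.hide-me.example.org 3000
"""

# Assumed category patterns (hypothetical); the answer names webmail,
# file-sharing and web-proxy sites as the usual ban targets.
BLOCKED_HOSTS = {
    "file-sharing": (r"(^|\.)dropbox\.com$",),
    "webmail": (r"^webmail\.",),
    "web-proxy": (r"^proxy\.",),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def classify_host(host):
    """Return the blocked category for host, or None if it is allowed."""
    for category, patterns in BLOCKED_HOSTS.items():
        if any(re.search(p, host) for p in patterns):
            return category
    return None

def parse_log(text):
    """Parse the constructed log format into (time, user, host, bytes) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, host, nbytes = m.groups()
            events.append((ts, user, host, int(nbytes)))
    return events

def analyze(text, volume_factor=10):
    """Flag transfers to blocked-category hosts, and transfers whose size is
    far above the median transfer seen in the log (a crude 'non-linear' test)."""
    events = parse_log(text)
    median = statistics.median(e[3] for e in events) if events else 0
    alerts = []
    for ts, user, host, nbytes in events:
        category = classify_host(host)
        if category:
            alerts.append((user, host, "blocked:" + category))
        if median and nbytes > volume_factor * median:
            alerts.append((user, host, "volume:%d" % nbytes))
    return alerts
```

The median-based volume check is deliberately simple; it catches a single bulk upload but not a slow drip of small transfers, which is exactly the kind of leak the answer says is cheap to attempt and hard to manage.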
