Perimeter Security

In today's world our perimeter to be secured is not just the immediate physical of building walls, fences and borders.

by Michael Smith

While the Great Wall of China did something for that country by way of protection and a good perimeter fence and watchtowers may guard and protect a military or such installation, we must consider today, in the world of computers and the Internet, also and especially our virtual perimeter. This, in many case, is rather fluid.

While many companies, institutions, and others, place guards at their entrances, require passes of all kinds of levels, have fences, intruder sensors, and much more, despite the fact that they work rather on an international level, and have all manner of anti-virus protection and all manner protection against all manner of intrusions, by way of firewalls and such, few, so it would appear, have a policy in place to ensure that sensitive and mission critical data is not taken out by employees, especially temporary staff, or disgruntled staff, on removable medis such as floppy discs (yes, I am showing my age here, for I even remember when they, in fact, were floppy and rather big as well), to CDs/DVDs, USB flash memory, or even small removable USB hard drives.

We all have seen what can happen – and I am sure we all wonder where that data that was thus lost is now – when the likes of the British government offices sent data, very sensitive data, unencrypted, around the country on CDs.

Apparently, the real problem is that the two departments concerned have different encryption tools and the receiving department would not have been able to read the data had the discs been encrypted. No one thought of those implications before? Doh?!?

This is very much like NATO with all its different kinds of weapons and even communications systems all of which could really have caused a great deal of trouble had we ever had to go to war with the Warsaw Pact in those days. Unlike us they all had everything interchangeable. Proper compatibility should have been thought of one would have thought but, it does not seem to be thus. But, alas, those that sit in ivory towers.

Encryption is but one thing.

That, however, which often – more often than not – gets forgotten as far as securing data is the “physical” security of it and securing the ports – not the shipping kind though.

Who has access to the USB ports and do they need to be able to remove data by downloading it on removable media?

Organizations go to all lengths to control access to a network from the outside but often have no policy and measures in place for securing the devices. This means that basically anyone can steal sensitive data by using a USB memory stick, for instance, or an iPod.

The question is to ask who has access in an organization who could compromise data, as this could be more important than the possibility of an external breach and resultant data theft.

Too often only the “break in” from the outside into the system is being considered as far as data and security is concerned and the he possibility of data theft from within an organization by an employee is often overlooked.

Today with flash memory devices getting smaller and smaller and also being “concealed” in other objects, such as pens, and also getting more powerful with ever more data storage capacity plugging in a USB stick and copying a large amount of data only takes from some seconds to something like ten minutes and USB sticks nowadays are so common and, in fact, part of work, that the fact that someone has one or more on his or her person says and means nothing to the security guards, for instance. Hence the protection has to be at a different level.

Music players too, such as an iPod or similar, straight-forward MP3 player can often store data aside from just music files and are therefore also a way in which data can leave your institution; a way in which someone can take out data who, maybe, should not be able to.

Also, such devices, whether players or memory sticks, and such like, can be used by someone with malicious intent, whether employee or not, to inject malware into a PC or an entire network. All it needs is access to computer that is not locked down, for instance.

It would appear that many organizations do not have any systems and policy in place that control who may access and especially copy data to removable media of whatever kind.

All it takes, as we have seen more than once, is a disgruntled employee – or even an ex-employee whose password and such is still active – to ruin the reputation of an organization or to hold it to ransom.

© M Smith (Veshengro), December 2008