Hi Discipulus,
You are making a very good point here. While the media is focussing on worms, defacements and blackhat activity, security professionals and corporate management should worry about rogue members and disgruntled employees in their organization handling confidential information.

> What can be done to keep this type of potential compromise from
> happening?

From my perspective, even if you have armed <sidenote>You can't keep knowledgeable and bold people from getting information they aren't supposed to. And we sure can't prevent employees from taking information they are supposed to work with and selling it to the competition or using it to their advantage.</sidenote>

Physical security controls, security awareness, policies and an appropriate and stimulating working environment can greatly reduce the occurrence of physical information leakage by disgruntled employees. I strongly believe that sound security awareness practices, policies and a positive working environment are crucial. Physical security is PRIMARILY targeting intruders and controlling the risk connected with activities that might impair the security of the information due to physical attacks from non-employees. Corporate security should be made everyone's responsibility (e.g. clear desk, ...).

For example, in a situation like the one you presented, no external CD-ROMs should be allowed in the first place. In addition, a close auditing record of WHO is using HOW many CD-ROMs should be maintained. On these terms, a manager can then make the subject aware that he is violating the company security policies. How things are handled from there on is up to the policies and the professional judgement of the security officer in charge, possible agreements and generic incident handling. What you do not want to happen is "people ratting each other out to management". If this starts to happen, you can be pretty darn sure the once positive working environment will be torn to shreds under the weight of vengeance, retaliation, ...

That's why implementing and enforcing security policies is very much necessary, company-wide! You do not want to give the subject a bad feeling, or make him feel like the scapegoat of the team. Dealing with information incidents should be made part of the overall routine, and be served as daily bread to the entire company.

** Adding bonuses for people who act as deputy security officers tracing potentially untrustworthy personnel is a -very- (very) bad thing to do.

While this is all very clear in our textbooks and audit plans, the objective we want to reach when dealing with human interfaces, maintaining security while handling their trust and protecting their privacy, is still a tricky adventure in real-world scenarios, and might turn out very ugly if not handled by experienced security officers and very security-aware management and personnel. And this is an even bigger challenge when dealing with international organizations (e.g. varying legalities)! As security officers, we are less trained in the fields of psychology and law. I therefore strongly recommend teaming up with the HR (and legal) departments when validating and finalizing policies, team sessions and security awareness trainings.

> [...] smaller. Are there ways to keep someone from getting the information
> in the first place or at least record what they've obtained? How
> do you do this when they haven't yet provided notice they are
> leaving and still have access to loads of confidential information?

Working with employees is primarily based on a trust relationship, and access controls (e.g. RBAC) should be deployed based on proper data classification procedures and the corresponding organizational level of employment (e.g. clerk, manager, junior staff, director, ...). A strict need-to-know approach should be used. Sometimes this is a burden for many large organizations, and this principle goes right out of the window, in spite of the added security.

IMHO, this is the root of the problem you laid out: finding the correct balance between security and workability/functionality while dealing with "human interfaces", and making sure you are not violating their privacy and fundamental rights (both under governmental and corporate protection).

Each operating system can handle access control lists (e.g. Microsoft Windows, SUN Solaris, ...) that fit your corporate needs, and includes the appropriate logging facilities. One way I can think of to trace suspicious behaviour is to cross-check file access times/dates and user-id against the time-trackers or time-sheets employees are supposed to fill out when working on projects. Ideally this will lead to: "Hey, why is Mr. Smith from Sales accessing folders he isn't supposed to be working on any more?"

Please keep in mind that this posting is only trying to give you an indication that dealing with security on this level is a very complex matter, taking many factors into account in order to provide an acceptable risk level. On a technical level, many authentication (AAA) means are possible, ranging from biometrics, over TACACS+ and SSO, to the regular two-way authentication presented on a default Windows NT/2000/XP logon workstation, including extensive means of logging. We haven't discussed host-based intrusion detection systems yet, nor did we discuss many other items in depth when dealing with this...

... so ... Anyone?

Regards,
Fil

--
Filip Maertens (CISSP)
http://www.compsec.be
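The cross-check Filip suggests above (file access records matched against time-sheet project assignments, so that an ex-project member still reading the project folder stands out) can be scripted. The following is an added example, not code from the original post or from compsec.be; the log format (`<ISO timestamp> <user> <path>`), the time-sheet layout, the project-to-folder mapping and all entries are constructed for the illustration.

```python
"""Cross-check file-access records against time-sheet assignments.

Added example, not from the original post. It flags accesses to project
folders that the user is not (or is no longer) assigned to according to
the time-sheet. Every record below is constructed sample data; the log
layout "<ISO timestamp> <user> <path>" is an assumption, not any real
OS audit format.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed audit-log lines: "<ISO timestamp> <user> <path>".
ACCESS_LOG = """\
2002-03-04T09:12:44 jsmith /projects/alpha/pricing.xls
2002-03-04T09:40:10 jsmith /projects/beta/contract.doc
2002-03-05T22:15:03 jsmith /projects/alpha/customers.mdb
2002-03-06T10:02:51 adoe /projects/beta/contract.doc
2002-03-06T11:30:00 adoe /projects/gamma/roadmap.ppt
"""

# Constructed time-sheet: (user, project, first day, last day or None if open).
# jsmith was moved off "alpha" at the end of February.
TIMESHEET = [
    ("jsmith", "alpha", date(2002, 1, 7), date(2002, 2, 28)),
    ("jsmith", "beta", date(2002, 3, 1), None),
    ("adoe", "beta", date(2002, 2, 1), None),
]

# Which folder prefix belongs to which project (constructed mapping).
PROJECT_FOLDERS = {
    "alpha": "/projects/alpha/",
    "beta": "/projects/beta/",
    "gamma": "/projects/gamma/",
}


@dataclass(frozen=True)
class Finding:
    user: str
    when: datetime
    path: str
    project: str
    reason: str


def project_for(path: str) -> Optional[str]:
    """Map a path to a project via its folder prefix; None if unclassified."""
    for project, prefix in PROJECT_FOLDERS.items():
        if path.startswith(prefix):
            return project
    return None


def assignment_status(user: str, project: str, day: date, timesheet) -> str:
    """Return 'active', 'expired' (assigned once, not on that day) or 'never'."""
    status = "never"
    for ts_user, ts_project, start, end in timesheet:
        if ts_user != user or ts_project != project:
            continue
        if start <= day and (end is None or day <= end):
            return "active"
        status = "expired"
    return status


def audit(access_log: str, timesheet=TIMESHEET) -> list:
    """Return one Finding per access that the time-sheet does not justify."""
    findings = []
    for line in access_log.splitlines():
        if not line.strip():
            continue
        stamp, user, path = line.split(maxsplit=2)
        when = datetime.fromisoformat(stamp)
        project = project_for(path)
        if project is None:
            continue  # not a classified project folder; out of scope here
        status = assignment_status(user, project, when.date(), timesheet)
        if status == "active":
            continue
        reason = ("assignment ended" if status == "expired"
                  else "no timesheet assignment")
        findings.append(Finding(user, when, path, project, reason))
    return findings


if __name__ == "__main__":
    for f in audit(ACCESS_LOG):
        print(f"{f.when:%Y-%m-%d %H:%M} {f.user:8} {f.project:6} "
              f"{f.reason}: {f.path}")
```

On the constructed data this reports jsmith's two reads of the alpha folder after his assignment ended, and adoe's read of a gamma folder he was never assigned to; the beta accesses pass. A finding is a lead for the security officer, not proof of anything, which is exactly the point Filip makes about handing the follow-up to policy and professional judgement rather than to the team.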