Document Security

Oct. 27, 2008
Protecting sensitive information both inside and outside of the firewall

Documents, documents everywhere. Electronic files such as Word documents, PDF documents and spreadsheets not only outline the past — they are also the lifeblood of most organizations. No matter what the function, practically everyone in every business creates and stores electronic documents. They are something we all have in common, and they are the essence of why we use computers. More importantly, the contents of these documents and how they are being managed are placing a lot of sensitive information and businesses at risk.

The mere existence of electronic documents is not a bad thing. The problem starts when people do not realize what can (and often does) happen to the information in their documents. Think about it — outside of more specific data stored on your organization’s database servers, electronic documents contain pretty much anything and everything related to your business. They often house information about all of your employees and customers as well.
From intellectual property to sensitive details on your employees, to confidential customer records, there is a lot of information you cannot afford to lose or have compromised. But interestingly, this information security issue is not on the radar of the people creating these files. And more alarming, it is typically off the radar for network administrators and information security managers. That does not reduce its importance.

Inside the Firewall
The biggest problem with electronic documents is that they are scattered everywhere — literally. From servers, to desktops, to mobile devices and beyond, in any given organization there are literally tens if not hundreds of thousands of electronic documents stored all over the network because it is convenient. People create files on their local computers, they may save them off to a server share, or they may even share them right off their hard drive so others can access them. Many files are often copied to smartphones and removable storage. Perhaps worst of all, most people use the new-world file repository — the ultimate place to save documents — their e-mail boxes.
In a given environment, any plain vanilla user on the network typically has access to more information than he or she needs. In fact, as part of my internal security assessments, I will log in as a regular user (with no administrator privileges) and perform searches across the network to see what I have access to. It is often pretty alarming what is available. I have seen:

• Critical software source code stored on a developer’s local hard drive;
• Customer health records accessible on a quality assurance test system;
• Network diagrams including passwords to network infrastructure systems;
• Personal, financial and family-related information an executive had stored on her computer; and
• HR files, including salary and employee review information.

Sure, this is sort of a needle-in-the-haystack type of exercise; however, this kind of sensitive information can usually be found (and accessed) in less than an hour using rudimentary search methods. Imagine what can be done by a “trusted” employee on the network who has nothing but time. The big deal is that users (typically all users) on the network have access to documents containing information they should not have access to otherwise. There is usually no malicious intent on the front-end when people are storing documents. Again, it is a convenience issue. But when bored, curious or spiteful employees have access to this juicy information, the outcome can be detrimental.

Here are the underlying problems of document security inside the firewall:
• Many network files and folders are shared out to everyone in a sloppy ad-hoc fashion for temporary access and then forgotten.
• Many network users share their local hard drives or specific folders so anyone, regardless of intent, can browse around to see what is available.
• Drives and folders are often made accessible to everyone on the network by administrators in the name of convenience, since creating and managing groups can be tedious.
• When a need-to-know control system is not established and everyone has access to all documents, there is little to no accountability.
• Network administrators are usually so overburdened that they do not have time to proactively monitor who is accessing what. Even worse, they are rarely going to detect when unauthorized access has occurred.
• Relying on password protection at the document level can be futile unless the strongest of encryption and passphrases are used — which is very rare.
• Management often believes that employees are not going to do anything bad — especially since they passed a background check and had good references (yeah right) — so why bother locking down all the documents across the enterprise?

Oversights and ignorance serve up a great recipe for security breaches that will often go undetected until it is too late.

Outside the Firewall
Document security outside the firewall is quite simple. Once digital files leave your network for legitimate use, they are mostly out of your control. The one thing that distinguishes electronic assets from physical assets is that they can be in more than one location at once; in fact, when they leave your network maliciously, they are gone forever. That is the troubling truth about electronic documents.

Do not think that passwords are going to keep things safe either. As with documents inside the firewall, if someone with malicious intent comes across a password-protected document, odds are it can be opened. Passwords can often be guessed. If not, there are numerous commercial tools to crack passwords on practically any type of file.

My favorite file password cracking tools (www.elcomsoft.com) can crack practically any type of file password: PDF, ZIP, Word, Excel, Outlook — you name it. As with many security-related tools, these are legitimate business tools, but all it takes is someone with ill intent using them in malicious ways to create problems for your business. Obviously you can’t control all documents outside the firewall all of the time, but there are some solutions that every business leader needs to have on his or her radar.

What Can Be Done
Controlling document security is actually pretty tricky. It takes a combination of savvy network administrators, policy supported by management and enforced with technology, educated users and a little bit of luck. The most important thing to get a handle on document security is to determine what is located where. This begins with information classification and ends with knowing where the files are actually stored. There are vendors such as Kayseon (www.kayseon.com) and StoredIQ (www.storediq.com) that specialize in helping with both. If the budget is limited for now, network administrators and security managers can perform a scan of the network for open shares and improperly secured files. Once the weaknesses are uncovered, a simple tweaking of network access controls can do wonders. The problem with this more manual method is that it is inefficient given the number of documents constantly coming and going.
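
One way to run the open-share scan described above on a Windows file server, shown as an added example that is not part of the original article. It assumes the built-in SmbShare cmdlets (Windows Server 2012 or later) and an elevated session; the list of "broad" principals and the function names are choices made for this illustration.

```powershell
# Added example: audit the local file server for shares any user can reach.
# Assumption: the principals below stand in for "everyone on the network";
# extend the list (for example with your own all-staff group) as needed.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

function Test-BroadPrincipal([string]$Account) {
    # Also catch "<DOMAIN>\Domain Users" without hard-coding a domain name.
    ($BroadPrincipals -contains $Account) -or ($Account -like '*\Domain Users')
}

function Get-OpenShareFinding {
    # Skip administrative shares (C$, ADMIN$, IPC$) and anything that is not a folder.
    $shares = Get-SmbShare | Where-Object {
        -not $_.Special -and $_.Path -and
        (Test-Path -LiteralPath $_.Path -PathType Container)
    }
    foreach ($share in $shares) {
        # Share-level grants to broad principals.
        $shareAces = @(Get-SmbShareAccess -Name $share.Name | Where-Object {
            "$($_.AccessControlType)" -eq 'Allow' -and
            (Test-BroadPrincipal $_.AccountName)
        })
        # NTFS grants to broad principals on the shared folder itself.
        $ntfsAces = @((Get-Acl -LiteralPath $share.Path).Access | Where-Object {
            "$($_.AccessControlType)" -eq 'Allow' -and
            (Test-BroadPrincipal $_.IdentityReference.Value)
        })
        # Network access is limited by the more restrictive layer, so report a
        # share only when a broad principal is allowed at both layers.
        if ($shareAces.Count -gt 0 -and $ntfsAces.Count -gt 0) {
            [pscustomobject]@{
                Share       = $share.Name
                Path        = $share.Path
                ShareAccess = ($shareAces | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
                NtfsAccess  = ($ntfsAces | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
            }
        }
    }
}

Get-OpenShareFinding | Sort-Object Share | Format-Table -AutoSize -Wrap
```

The script inspects only the ACL on each share's root folder and ignores Deny entries, so subfolders with broken inheritance need a separate pass. Each reported row is a candidate for the access-control tightening the paragraph above recommends.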

Other technology solutions include data leak prevention (DLP) by companies such as Verdasys (www.verdasys.com) and digital rights management (DRM) by companies such as Liquid Machines (www.liquidmachines.com). Other preventative tools — especially for protection outside the firewall — include encrypting laptop hard drives and USB thumb drives. You can even require users to encrypt documents at the file level using ZIP compression and encryption before they leave the network. The only problem is that relying on users for security controls such as this is often unreliable.

Regardless of the technologies you use to protect your electronic documents, you must get your users involved. It is imperative to make everyone aware of what is at risk. User education is never 100-percent reliable, but it is better than nothing at all. Furthermore, if you do end up having a document-related security breach and can prove company policy and employee comprehension, your business will have something to fall back on.
I would venture to claim that no organization — regardless of size or industry — is immune to document security weaknesses. Now is the time to start getting things under control.

Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent information security assessments. He has authored/co-authored seven books on information security including “Hacking for Dummies” and “Hacking Wireless Networks for Dummies” (Wiley). He is also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. He can be reached at [email protected].