Document Security

Protecting sensitive information both inside and outside of the firewall


Outside the Firewall
Document security outside the firewall is quite simple. Once digital files leave your network for legitimate use, they are mostly out of your control. The one thing that distinguishes electronic assets from physical assets is that they can be in more than one location at once; in fact, when they leave your network maliciously, they are gone forever. That is the troubling truth about electronic documents.

Do not think that passwords are going to keep things safe either. As with documents inside the firewall, if someone with malicious intent comes across a password-protected document, odds are it can be opened. Passwords can often be guessed. If not, there are numerous commercial tools to crack passwords on practically any type of file.

My favorite file password cracking tools (www.elcomsoft.com) can crack practically any type of file password: PDF, ZIP, Word, Excel, Outlook — you name it. As with many security-related tools, these are legitimate business tools, but all it takes is someone with ill intent using them in malicious ways to create problems for your business. Obviously you can’t control all documents outside the firewall all of the time, but there are some solutions that every business leader needs to have on his or her radar.

What Can Be Done
Controlling document security is actually pretty tricky. It takes a combination of savvy network administrators, policy supported by management and enforced with technology, educated users and a little bit of luck. The most important step in getting a handle on document security is determining what is located where. This begins with information classification and ends with knowing where the files are actually stored. There are vendors such as Kayseon (www.kayseon.com) and StoredIQ (www.storediq.com) that specialize in helping with both. If the budget is limited for now, network administrators and security managers can perform a scan of the network for open shares and improperly secured files. Once the weaknesses are uncovered, a simple tweaking of network access controls can do wonders. The problem with this more manual method is that it is inefficient given the number of documents constantly coming and going.
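As an added illustration of the manual scan described above (not code from the original article), the following Python sketch walks a file server directory tree and reports documents and folders that anyone on the system can read or write. It assumes the share is stored on, or mounted with, POSIX permission bits; the extension list, finding labels and sample file names are constructed for the example.

```python
import os
import stat
import tempfile

# Assumed document types to check; align with your own classification scheme.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip", ".pst"}

def audit_tree(root):
    """Return sorted (finding, relative_path) pairs for loosely secured documents."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not followed
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                mode = os.lstat(path).st_mode  # judge the entry itself, not a link target
            except OSError:
                findings.append(("UNREADABLE", rel))
                continue
            if stat.S_ISLNK(mode):
                continue
            if stat.S_ISDIR(mode):
                if mode & stat.S_IWOTH:  # anyone can add or replace files here
                    findings.append(("WORLD_WRITABLE_DIR", rel))
            elif os.path.splitext(name)[1].lower() in DOC_EXTENSIONS:
                if mode & stat.S_IWOTH:
                    findings.append(("WORLD_WRITABLE", rel))
                elif mode & stat.S_IROTH:
                    findings.append(("WORLD_READABLE", rel))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree with known permissions (not real data)."""
    files = {"salaries.xlsx": 0o644, "contract.pdf": 0o666,
             "budget.xlsx": 0o640, "readme.txt": 0o644}
    for name, mode in files.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.mkdir(os.path.join(root, "dropbox"))
    os.chmod(os.path.join(root, "dropbox"), 0o777)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample(sample_root)
        for finding, rel_path in audit_tree(sample_root):
            print(f"{finding:20} {rel_path}")
```

Each finding points at a file or folder whose access controls need tightening; rerunning the scan after the fix confirms the change took effect.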

Other technology solutions include data leak prevention (DLP) by companies such as Verdasys (www.verdasys.com) and digital rights management (DRM) by companies such as Liquid Machines (www.liquidmachines.com). Other preventative tools — especially for protection outside the firewall — include encrypting laptop hard drives and USB thumb drives. You can even require users to encrypt documents at the file level using ZIP compression and encryption before they leave the network. The only problem is that relying on users for security controls such as this is often unreliable.

Regardless of the technologies you use to protect your electronic documents, you must get your users involved. It is imperative to make everyone aware of what is at risk. User education is never 100-percent reliable, but it is better than nothing at all. Furthermore, if you do end up having a document-related security breach and can prove company policy and employee comprehension, your business will have something to fall back on.

I would venture to claim that no organization — regardless of size or industry — is immune to document security weaknesses. Now is the time to start getting things under control.

Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent information security assessments. He has authored/co-authored seven books on information security including “Hacking for Dummies” and “Hacking Wireless Networks for Dummies” (Wiley). He is also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. He can be reached at kbeaver@principlelogic.com.