Many organizations have recognized that their most valuable assets are stored in electronic form on their computer systems. Because of this, businesses have dedicated vast resources to purchasing, installing, configuring and maintaining a wide range of security mechanisms to protect their data. Firewalls, intrusion detection systems, anti-virus software, multi-factor authentication products and encryption solutions are just a handful of the products implemented to protect intellectual assets. In addition to products, premium salaries are paid to IT professionals who have security training, experience and certifications. Despite the time, effort and resources dedicated to protecting proprietary data, nothing can completely stop the flow of data out of an organization, largely because most of the channels described below are ordinary, legitimate tools put to an illegitimate use.
Flash Drives and Other Portable Media
Much has been written about USB flash drives and the threat they pose to corporate data (see “Portable Data Storage Devices: Security Nightmare,” July 2005, Security Technology & Design). Despite these warnings, trade secrets are still leaving organizations on these devices. The reason is simple: the devices look innocuous, they serve the same purpose as the floppy disks of the past, and virtually every computer has a USB port. Copying data to one requires no technical expertise. The difference is scale: a single drive can hold thousands of files, and those files can then be copied onto nearly any computer in use today.
While it is easy to recognize that USB flash drives pose a threat, many businesses overlook portable “lifestyle” devices that appear innocuous but can store large amounts of data. MP3 players and digital cameras are not limited to music and images; most present themselves to the computer as removable disks, so they can hold any type of digital file. It is difficult to comprehend that a device that can store the entire works of the Grateful Dead can also store databases, spreadsheets and presentations.
Businesses that allow employees to install iTunes and connect personal iPods to their computers are also giving those employees an easy way to copy proprietary information onto the same iPods. In a recent case, we were able to identify that a former employee had copied 45,000 files to an iPod prior to her departure.
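Windows keeps a record of every USB storage device that has ever been connected to a host, and that record is useful both in an investigation like the iPod case and as a routine check. The following is an added example, not code from the article: it parses an export of the USBSTOR registry key, under which Windows records each USB disk it has enumerated (the entry survives the device's removal), and lists every device whose serial number is not on an approved list. The key layout is real; the export text, the serial numbers and the approved-device list are constructed for the example. It also handles the caveat a practitioner hits immediately: a device that reports no serial number gets a Windows-generated instance ID, recognizable by the “&” in its second character, so it can never be identified reliably across hosts or placed on an allowlist.

```python
"""Audit which USB mass-storage devices have ever been connected to a Windows host.

Added example, not part of the original article. Windows records every USB
storage device it has enumerated under
HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\\<instance>
and the entry persists after the device is unplugged. The export below is
constructed to resemble `reg query HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR /s`
output; the serial numbers and the approved-device list are invented.
"""
import re
from dataclasses import dataclass

# Constructed sample export (format approximates `reg query ... /s` output).
SAMPLE_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001230421113175&0
    FriendlyName    REG_SZ    SanDisk Cruzer USB Device
    Service         REG_SZ    disk

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Apple&Prod_iPod&Rev_1.62\000A270012345678&0
    FriendlyName    REG_SZ    Apple iPod USB Device
    Service         REG_SZ    disk

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0
    FriendlyName    REG_SZ    Generic Flash Disk USB Device
    Service         REG_SZ    disk
"""

KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
    r"Disk&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)&Rev_(?P<rev>[^\\]*)"
    r"\\(?P<instance>\S+)$"
)
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+REG_\w+\s+(?P<data>.*)$")


@dataclass
class UsbStorageDevice:
    vendor: str
    product: str
    revision: str
    serial: str
    friendly_name: str = ""

    @property
    def serial_is_device_supplied(self) -> bool:
        # A device that reported no serial number gets a Windows-generated
        # instance ID whose second character is '&'. Such a device cannot be
        # told apart from another of the same model, so it cannot be allowlisted.
        return not (len(self.serial) > 1 and self.serial[1] == "&")


def parse_usbstor_export(text: str) -> list[UsbStorageDevice]:
    """Turn a USBSTOR registry export into one record per device instance."""
    devices: list[UsbStorageDevice] = []
    for line in text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            # The instance ID is "<serial>&<n>"; drop the trailing "&<n>".
            serial = key["instance"].rpartition("&")[0]
            devices.append(UsbStorageDevice(key["vendor"], key["product"], key["rev"], serial))
            continue
        value = VALUE_RE.match(line)
        if value and devices and value["name"] == "FriendlyName":
            devices[-1].friendly_name = value["data"].strip()
    return devices


def unapproved_devices(devices: list[UsbStorageDevice], approved_serials: set[str]) -> list[UsbStorageDevice]:
    """Devices whose serial is not approved. A device with a Windows-generated
    ID is always reported, because it can never be approved by serial."""
    return [d for d in devices
            if not d.serial_is_device_supplied or d.serial not in approved_serials]


if __name__ == "__main__":
    APPROVED = {"4C530001230421113175"}  # constructed: the one issued corporate drive
    for dev in unapproved_devices(parse_usbstor_export(SAMPLE_EXPORT), APPROVED):
        tag = "" if dev.serial_is_device_supplied else " (no device serial; Windows-generated ID)"
        print(f"UNAPPROVED: {dev.vendor} {dev.product} rev {dev.revision} serial {dev.serial}{tag}")
```

On a real host, export the key with reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR /s > usbstor.txt and feed the file to parse_usbstor_export(). The key tells you which devices were connected, not when or what was copied; for timing, correlate with the key's last-write time or the setupapi log, and for evidence of what was copied you need file-system or endpoint-monitoring data.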
Online Data Storage
Because people want access to their data from anywhere, in the belief that it will improve their efficiency, online data storage sites have become extremely popular. These sites store data on an Internet-accessible server so that a person can reach it from any connected computer. While not designed to be nefarious, they let an employee copy proprietary information off the network just as easily as a flash drive does, with the added advantage, from the employee's point of view, that nothing physical ever leaves the building. Keep in mind that many of these sites provide several gigabytes of storage for free.
While not everyone realizes this, the storage space Google allocates to GMail accounts can also be used for files. The Windows shell extension GMail Drive (www.viksoe.dk/code/gmail.htm) adds a drive letter in Windows Explorer so that users can drag and drop files into their GMail storage space just as they would on a local drive. Because GMail Drive stores each file as a message in the mailbox, its traffic to Google's servers looks like ordinary webmail use, and a policy that permits GMail permits GMail Drive.
While not free, Mac users with a MobileMe account have access to a similar feature called iDisk. Some security professionals will erroneously conclude that iDisk is not a threat because their organizations run Microsoft Windows. Unfortunately, files stored on iDisk can be retrieved from any operating system through a browser. More importantly, files can also be uploaded to iDisk from any operating system through a browser, so a Windows-only environment offers no protection.
There are numerous other online storage options, including ElephantDrive (www.elephantdrive.com), Box.net (www.box.net) and DropBox (www.getdropbox.com). The ability to store files online is worrying enough, but many of these sites also let a user share stored files with anyone, which turns a single upload into a distribution channel.
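Every site named in this section is reached over ordinary Web traffic, so the one place an organization can see all of them at once is its outbound Web proxy log. The following is an added example, not code from the article, of the check a practitioner would run over such a log: it matches each request's host against a watchlist built from the services above, counts only upload methods (POST and PUT), totals the bytes each user sent to each service, and reports any user over a threshold. The log format is a deliberately simplified, constructed one (timestamp, user, method, URL, bytes sent), and the users, hostnames and byte counts in the sample lines are invented; adapt parse_line() to the format your proxy actually writes.

```python
"""Flag bulk uploads to online storage services in outbound Web proxy logs.

Added example, not part of the original article. The log format is a
constructed, simplified one (timestamp user method url bytes_sent); adapt
parse_line() to the real format of your proxy. The watchlist is a starting
point built from the sites named in the text; the hostnames, users and byte
counts in the sample lines are invented.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Domain suffix -> service label. Subdomains match (www.box.net, dl-web.getdropbox.com).
STORAGE_SERVICES = {
    "mail.google.com": "GMail (incl. GMail Drive)",
    "me.com": "MobileMe iDisk",
    "elephantdrive.com": "ElephantDrive",
    "box.net": "Box.net",
    "getdropbox.com": "DropBox",
}
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed sample log: timestamp user method url bytes_sent
SAMPLE_LOG = """\
2008-06-02T09:14:03 jsmith GET http://www.box.net/ 512
2008-06-02T09:14:41 jsmith POST http://www.box.net/api/1.0/upload 48213990
2008-06-02T09:20:17 jsmith PUT https://dl-web.getdropbox.com/upload?f=q2.xls 9100221
2008-06-02T10:02:55 mjones GET http://news.example.com/ 2048
2008-06-02T10:05:10 mjones POST http://mail.google.com/mail/?ui=2 61440
2008-06-02T11:30:00 rdoe POST https://idisk.me.com/rdoe/Documents/plan.pptx 7340032
"""


def service_for_host(host: str):
    """Match a hostname against the watchlist by domain suffix, longest label set first."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in STORAGE_SERVICES:
            return STORAGE_SERVICES[candidate]
    return None


def parse_line(line: str) -> dict:
    """Parse one constructed log line; the URL is assumed to contain no spaces."""
    ts, user, method, url, size = line.split()
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": urlsplit(url).hostname or "", "bytes": int(size)}


def parse_log(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def summarize_uploads(records) -> dict:
    """Bytes sent per (user, service), counting only upload methods to watched hosts."""
    totals = defaultdict(int)
    for r in records:
        service = service_for_host(r["host"])
        if service and r["method"] in UPLOAD_METHODS:
            totals[(r["user"], service)] += r["bytes"]
    return dict(totals)


def flag_bulk_uploads(totals: dict, threshold_bytes: int) -> list:
    """(user, service, bytes) for every pair at or over the threshold, largest first."""
    hits = [(u, s, b) for (u, s), b in totals.items() if b >= threshold_bytes]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    totals = summarize_uploads(parse_log(SAMPLE_LOG))
    for user, service, nbytes in flag_bulk_uploads(totals, 5 * 1024 * 1024):
        print(f"{user:8} {service:28} {nbytes / 1048576:8.1f} MiB uploaded")
```

Two caveats. GMail Drive and ordinary GMail attachments both go to mail.google.com, so the host alone cannot separate them; the volume rule is what distinguishes a 60 KB message from a 50 MB dump, and the threshold has to be tuned against normal use. And the check only works where the proxy sees the request: if HTTPS passes through as a CONNECT tunnel, the method and path are invisible, and the best remaining signal is bytes sent through the tunnel per user and destination.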
IMs, E-mails and Blogs
Employees can also leak confidential information over communication channels the employer does not monitor. Instant messaging, personal cell phones and Web-based e-mail such as Hotmail, Gmail and Yahoo Mail bypass the monitoring applied to corporate phone and e-mail accounts. Organizations should think twice about providing consumer-grade instant messaging programs on their systems. They do not log their communications and are not monitored by the employer, so what business purpose do they serve? Most business professionals have cell phones, home phones and office phones with voice mail. In addition, they generally have at least one e-mail account. Why would they need instant messaging as well?
Another way employees can disseminate information is by creating a blog. A blog, or Web diary, can be created in a matter of minutes, requires no technical skill or training and costs nothing. An employee can easily post proprietary information on a blog simply as a lark (“Can you believe my company is about to do this…?”) or as a means to get even for some real or imagined slight (“My company treats me like dirt; well, I can’t believe it, after all I just developed this new…!”). Announcing a new product, with pictures, before the official release can cause havoc for a business.
Non-Technology-Driven Examples
While many security professionals will look for technical solutions to protect proprietary data, many of the most significant sources of data loss have more to do with human nature than with technology.
As an example, one of the best brainstorming tools an organization has is the white board in a conference room. Diagramming business plans, expansion ideas and network topology helps visualize problems or challenges so that they can be resolved. And if something spectacular is developed on the white board, the most common way of preserving it is to write in big bold letters “Do Not Erase!!” The leak occurs when that white board faces a conference room wall that is glass from floor to ceiling. Anyone walking by can see the information and, thanks to the warning, will know it is important. Vendors, consultants, business associates and guests can collect it by memorizing key points, quickly jotting notes or taking pictures with a cell phone. In my opinion, writing “Do Not Erase” equates to “Please Steal This Information.”
Another common source of data leakage is the media interview. Most business professionals look on the media interview as a source of free advertising (unless they are being interviewed about a product failure or a similar topic), but they fail to recognize that good journalists are also good investigators. Through training and experience, they have learned how to get right to the heart of a topic. And when being interviewed, people are inclined to be helpful and will offer up information voluntarily. This can lead to leaks about upcoming product launches, mergers and acquisitions, layoffs and the like.
Comments about confidential information can alert a competitor to a market segment they had overlooked, a new service offering they had missed or an opportunity to undermine a proposed merger or acquisition. Comments about poor performance, issues or challenges can cause panic among employees and investors.
Regardless of how intelligent the company representative may be, the journalist has more experience with interviews. It is important to remember that there is no such thing as “off the record.” An “off the record” comment can simply be attributed to an “unnamed source” or an “anonymous source.” And declaring certain topics off limits does not mean that the journalist will not ask about them anyway.
Several years ago I had the good fortune to be interviewed by CNN. Prior to the interview, I stated that there was one topic I would not discuss. During the two hour interview I was asked about the “forbidden” topic six times. And each time it was presented with a slightly different spin or angle. For this reason, it is recommended that whoever is designated as a media spokesperson undergo media training prior to an interview in order to understand the process and be prepared for tough questions.
Trade Shows
Trade shows and conferences provide numerous opportunities for data leakage. Presenters often include confidential information in their slides and handouts in an effort to appear knowledgeable and helpful. Sharing information that few others know gives one a sense of empowerment (“I know something you don’t know!”), but it is also a gift to competitors, and unlike a spoken remark, a slide or handout can be photographed or carried away and studied at leisure.
Many trade shows also provide networking events where people can meet and extend their circle of industry contacts. Many of these are informal gatherings where alcohol is served. Because the atmosphere does not feel like a work environment and inhibitions are lowered by alcohol, people are more likely to share confidential information. The phrase “I shouldn’t be telling you this, but…” is commonly overheard in these surroundings. Add a flirtatious member of the opposite sex and trade secrets will be shared frequently and willingly.
For some, the concept of people unwittingly or cavalierly sharing confidential information is absurd. But think about how people use cell phones. Nearly everyone has witnessed a person shouting confidential information into their cell phone while in a public space. I learned a lawyer’s strategy in a lawsuit by simply following him down the jetway onto a plane. He was completely unaware of his surroundings.
Corporate Espionage
For those who consider some of these leaks unimportant or low-risk, keep in mind that there are people who specialize in corporate espionage and competitive intelligence, and who look precisely for inadvertent leaks of confidential information. This is a serious business pursuit. The Society of Competitive Intelligence Professionals was created for those whose main interest is competitive intelligence. Its members are not spies wandering around in trench coats; they are people involved in “…the legal and ethical collection and analysis of information regarding the capabilities, vulnerabilities and intentions of business competitors.”
But there are those who take the concept of competitive intelligence and corporate espionage to the next level. These are individuals who will purchase and use covert listening devices and recorders as well as keystroke capture hardware and software. One only has to look at sites like Spy World (www.spyworld.com) and Spylife.com to see that affordable equipment is accessible to anyone who takes the time to look for it. I initially thought that these sites catered to those who were living on the fringes of society, and the equipment did not necessarily perform as promised. I had the opportunity to ask an FBI agent who was responsible for covert surveillance installations whether these consumer-grade products actually worked. He said they worked, but then he smiled and said, “Our stuff works better.”
Preventing data leaks requires multiple layers of protection. In addition to standard security tools and mechanisms, employees must be trained to create a culture of security and to recognize and embrace the value of protecting trade secrets. Even more importantly, an organization must aggressively pursue those who share company secrets and reprimand them, using legal recourse if necessary.
John Mallery is a managing consultant for BKD, LLP, one of the ten largest accounting firms in the United States. He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. He is also a co-author of “Hardening Network Security,” which was published by McGraw-Hill. He can be reached at [email protected].