Portable Devices: Security Best Practices for Preventing Data Leakage
Every company has precious data it needs to protect. While every organization's needs are unique, some best practices can go a long way toward preventing data leakage.
During my two decades of working in IT, I've seen a lot of crazy things. Perhaps one of the most surprising (at least for me, anyway) is how so many companies don't seem to realize the value of their data. I'll be the first to admit that large corporations usually take security very seriously. However, I've lost count of the number of times owners of small and midsize businesses have told me that security isn't important to them because they don't have any data that's worth stealing. Inevitably, even the smallest companies have data such as customer contact information, human resource items, financial documents and prototype designs. In fact, a few years ago a friend's auto-parts company was nearly driven out of business when a competitor managed to steal the company's internal parts catalog, which listed all of its suppliers.
My point is that whether you're operating a global enterprise or a one-person startup, your data is probably more valuable than you think. It might be valuable to competitors who want to increase their own market share, or to a disgruntled employee who wants revenge against the company. In any case, one of the best ways you can protect your data is to stop data leakage. In other words, you need to prevent someone from being able to walk out the door with your data.
So, how can you stop data leakage? Over the years, I've seen organizations take some pretty drastic measures to prevent data leakage. For example, in the mid-1990s, I did a security audit for a client that was confident that it had solved the problem of data leakage by removing the floppy drives from all of its workstations (this was almost unheard of at the time). However, I was still able to get data out of the organization by connecting a digital camera to a PC serial port (USB ports didn't exist yet) and copying data to the camera's memory.
A few years later, a lot of organizations began to realize that high-capacity USB storage devices made it possible to copy large volumes of data to a removable storage device. For a while, a popular solution was to disable all of the USB ports by filling them with epoxy. Although relatively effective, this solution was shortsighted because disabling the USB ports often caused other problems. For instance, I once got a phone call from someone who wanted to know how to get epoxy out of a USB port because he suddenly needed to use a USB scanner.
While it's easy to look back on some of the early attempts at controlling data leakage and laugh, the drastic measures that some organizations used to take only underscore the importance of protecting your data against unauthorized use.
Understanding the Challenge
Protecting your data against leakage is one of the toughest security challenges that you're likely to face. The reason is simple. Stopping data leakage is different from blocking access to data. In most of the cases that I've heard, the users who were responsible for data leaks had legitimate access to the data. Therefore, the challenge isn't preventing users from accessing data, but rather controlling what they can do with the data once they have access to it.
The first step in meeting this challenge is to figure out how data could potentially be leaked. Only then can you take the necessary steps to prevent data leakage. Although I'm going to talk about several ways in which data is commonly leaked, it's important to realize that every organization is different and that you'll likely have some vulnerabilities that are unique to your own organization.
USB Storage Devices
The biggest source of data leakage (or, at least, the source that receives the most attention) has got to be USB storage devices. In recent years, the consumerization of IT has only made this problem worse. On a recent occasion, for example, I was browsing the electronics aisle at Target and found some 250GB USB hard drives on sale for $25. Sure, that's a great deal, but think about that from the perspective of a user who has bad intentions. For 25 bucks, it's possible to steal hundreds of gigabytes worth of data. As if that isn't bad enough, Windows is designed to make the theft as simple as possible. The user simply plugs in the USB hard drive and the OS automatically recognizes it and prepares it for use. The user doesn't have to worry about installing drivers or formatting the disk. Hence, someone with minimal computer knowledge could conceivably steal large volumes of data.
So, what can you do to prevent USB-based data leakage? There are several possible solutions. One option is to use Group Policy settings to control USB access. Unfortunately, this isn't a great option. Access to USB devices on Windows XP and Windows Vista is controlled by hardware ID. Because each make and model of a USB device has its own hardware ID, it's impractical to build a policy that restricts every USB storage device. Some organizations have created policies that block all hardware but allow exceptions for hardware devices that are deemed to be necessary. However, maintaining such a policy is tedious, and it's easy to make a mistake that could disable your workstations.
The other problem with such policies is that they're designed to prevent USB devices from being installed. If a USB storage device has already been used on a PC, then the PC already contains the required registry entries and the user will be able to continue using the device unless you create separate policies to block existing device drivers.
Things have improved a bit in Windows 7 and Windows Server 2008. These OSes offer policies for restricting write access to removable storage devices, but even these policy settings may be insufficient for organizations requiring granular device control (see Figure 1).
Figure 1. Windows 7 and Windows Server 2008 offer Group Policy settings to restrict data from being written to removable media.
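To check a single workstation for the two gaps described above (USB storage devices that were installed before any policy existed, and whether the removable-disk write restriction is actually in force), the following PowerShell audit can be run from an elevated session. It is an added example, not part of the original article; it assumes the standard USBSTOR device enumeration key and the registry values written by the Removable Storage Access policy settings, and it only reads the registry.

```powershell
# Added example: read-only audit of one workstation. Run elevated.

# 1. USB storage devices already installed on this PC. Each subkey of USBSTOR
#    is a device model; each child key is one physical unit (serial/instance ID).
$usbStor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$known = @()
if (Test-Path -LiteralPath $usbStor) {
    $known = Get-ChildItem -LiteralPath $usbStor | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem -LiteralPath $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -LiteralPath $_.PSPath
            New-Object PSObject -Property @{
                Model        = $model
                Instance     = $_.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

# 2. Removable storage policy values. The GUID is the removable-disk device class;
#    Deny_All on the parent key covers every removable storage class.
$root  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$disks = "$root\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
$denyAll = $false; $denyWrite = $false; $denyRead = $false
if (Test-Path -LiteralPath $root) {
    $denyAll = ((Get-ItemProperty -LiteralPath $root).Deny_All -eq 1)
}
if (Test-Path -LiteralPath $disks) {
    $p = Get-ItemProperty -LiteralPath $disks
    $denyWrite = ($p.Deny_Write -eq 1)
    $denyRead  = ($p.Deny_Read  -eq 1)
}

# 3. Report. Devices listed here were installed at some point and are the ones
#    an install-time restriction alone would not stop.
"All removable storage denied : $denyAll"
"Removable disks, deny write  : $denyWrite"
"Removable disks, deny read   : $denyRead"
"USB storage devices installed: $(@($known).Count)"
$known | Sort-Object Model | Format-Table Model, Instance, FriendlyName -AutoSize
```

A workstation that reports installed devices but no deny values is exposed in exactly the way the preceding paragraphs describe.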
A better solution is to use a third-party product that's specifically designed to prevent USB storage devices from being used. The only such product that I've personally used is GFI EndPointSecurity, which does a good job; there are comparable products available from other vendors.
Mobile devices are another huge source of data leakage. After all, users typically store e-mail messages, documents, calendar entries, contacts, and other sensitive data on their tablets and smartphones.
The biggest thing that you can do to prevent mobile devices from being a source of data leakage is to use effective security policies. In other words, set a policy requiring devices to use complex passwords. You should also force devices to be locked after a couple of minutes of inactivity. That way, if a user accidentally leaves a device unattended, the device will lock itself and nobody will be able to access the data stored on the device without knowing the user's password.
You can also take advantage of some of the security features that are found in your management software. For example, if you use Microsoft System Center Mobile Device Manager, or if your mobile devices are connected to Exchange Server 2007 or 2010, it's possible to perform a remote wipe. In other words, if a mobile device is lost or stolen, you can initiate a remote self-destruct sequence that resets the device to its factory defaults, thereby ensuring that no data remains on the device. Of course, it's ultimately up to the users to either report the lost device to the IT department or to initiate the remote wipe themselves.
Another way in which it might be possible to prevent data leakage related to a lost or stolen device is for the user to retrieve the device before it can be compromised. While this probably sounds like a tall order, it could be easier than you think. Most of the newer tablets and smartphones are GPS-enabled, and some of them can even transmit their location.
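For devices that sync with Exchange Server 2007 or 2010, the password and lock policy and the remote wipe described above can be applied from the Exchange Management Shell. This is an added example, not part of the original article; the policy name, mailbox and device ID are placeholders to replace with your own values.

```powershell
# Added example; run in the Exchange Management Shell (Exchange Server 2007 or 2010).
$policyName = 'Default'             # assumption: name of your ActiveSync mailbox policy
$mailbox    = 'jdoe@example.com'    # constructed sample mailbox
$lostId     = 'PLACEHOLDER-DEVICE-ID'   # take the real DeviceID from the listing below

# Require a complex device password and lock after two minutes of inactivity.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MaxInactivityTimeDeviceLock '00:02:00' `
    -AllowNonProvisionableDevices $false   # refuse devices that cannot enforce the policy

# Confirm what is actually in force.
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List Name, DevicePasswordEnabled, AlphanumericDevicePasswordRequired,
                MaxInactivityTimeDeviceLock, AllowNonProvisionableDevices

# Lost or stolen device: list the user's device partnerships, then wipe the affected one.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox
$devices | Format-Table DeviceType, DeviceID, LastSuccessSync -AutoSize

$lost = $devices | Where-Object { $_.DeviceID -eq $lostId }
if ($lost) {
    Clear-ActiveSyncDevice -Identity $lost.Identity   # prompts for confirmation
}

# The wipe command is delivered at the device's next sync. DeviceWipeAckTime is
# populated once the device has acknowledged it; until then the data is still there.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Format-Table DeviceID, DeviceWipeSentTime, DeviceWipeAckTime -AutoSize
```

Because the wipe depends on the device reaching the server again, an empty DeviceWipeAckTime should be treated as an open incident rather than a completed wipe.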
For example, if a Windows Phone 7 device is lost or stolen, the user can log in to her Windows Live account, go to the Devices page and use the Find this phone feature to determine the phone's current location (see Figure 2). Windows Live will actually display a map pinpointing the present location of the device.
Figure 2. Windows Live is able to track down a lost or stolen Windows Phone 7 device.
Hard Drive Theft
Another potential source of data leakage is hard drive theft. Hard drive theft isn't quite as common as leakage related to mobile devices or USB storage devices, but it does happen. Luckily, there are several easy steps that you can take to prevent this type of leakage.
If you're concerned about workstation hard drive theft, your best option is to use thin clients that connect to virtual desktop infrastructure (VDI) sessions. That way, there's absolutely no data stored on the workstation. If VDI isn't an option, your next-best option is to redirect the user profiles so they're stored on a network server. This will help prevent users' documents from being stored on the workstations. While you're at it, I recommend using case locks and encrypting the hard drives with Microsoft BitLocker.
When it comes to server hard drives, the first step in theft prevention is to use good physical security. You should have locks on the server room door, and the room should be equipped with surveillance cameras. It's also worth noting that many servers have an alerting mechanism that can send out an e-mail or a text message if the server's case is opened.
Although it's important to prevent server hard drive theft, it's unusual to have a situation in which a drive is stolen out of a server. Instead, thieves usually try to steal backup tapes or the entire server. In a way, this makes sense. For starters, stealing a tape or an entire server is probably faster than stealing a hard drive (depending on whether the drives are externally accessible). But more importantly, servers tend to use RAID arrays; therefore, a thief would have to steal all of the drives in an array and then install them in the correct order in a compatible system in order to get any data. Stealing the entire server (or a backup tape) is just easier.
In order to prevent data leakage related to server theft, you should use strong passwords (including BIOS passwords), and all drives should be encrypted. The goal is to keep your data inaccessible to a thief who's gained physical possession of the server.
In the case of backup tapes, encryption and password protection are a must, but there is one more thing you should be doing to prevent data leakage: Schedule your backups to finish around the time you arrive in the morning. This way a thief can't steal the tape out of the tape drive because the backup will still be running. If the backup finishes when you arrive in the office, you can immediately move the tape to a secure location before it can be stolen.
Think Like a Thief
There are a number of ways in which you can prevent data leakage. However, every organization is different, so you will likely need to supplement the techniques that I've outlined with safeguards that are specific to your own organization. Remember, the key to good security is to think like a criminal.