Nine Ways to Stop Industrial Espionage 351

An anonymous reader writes "IT staff are in the unique position that if they are nosy, immoral, greedy or corrupt, they can get at what they want within their company at the touch of a button. The corporate crown jewels are usually left open and exposed to the IT guys. So how do you protect your corporate crown jewels from staff who can so easily be bribed to steal them and hand them over to a competitor?" I can't imagine having to be paranoid about employees. That seems to me to be a bigger problem than hardware.
  • by evought ( 709897 ) <evought.pobox@com> on Wednesday August 02, 2006 @11:13AM (#15832225) Homepage Journal
    When I was waiting for my TS clearance while working at the Pentagon (I had an interim clearance), I had to have an Air Force officer shadowing me the entire time, including, at points, typing for me as I dictated. The officer in question was not an IT person and had no idea what I was doing (or was supposed to do) with the UNIX systems under my care.

    I could have typed, or told him to type "cd /; rm -rf *" at any point, or done many more subtle things, especially since I had to create accounts and such for Oracle or other applications.

    In the end, the only way you can police your IT people is to have IT people you can trust, which means that the managers have to know enough IT to know what is going on and what it means without micromanaging. Very few managers have that ability. Very few IT people have the management ability to cross-train into a high-level manager. I, myself, had to bring in someone else to help with the business/finance side when running my own company. I knew what I was doing but was simply not as good at the business side as the IT work and sales.
  • You don't. (Score:4, Interesting)

    by malkavian ( 9512 ) on Wednesday August 02, 2006 @11:23AM (#15832315)
    About the only way to keep the info out of the eyes of the sysadmins is to use heavy encryption on every file you want to store safely.
    And then, make absolutely sure you never forget the pass phrases, or whatever method you use to secure your side of the key.
    All the backups in the world won't protect you from forgetting that vital phrase.
    Oh, and it has to be non-obvious.

    That being said, a good keylogger will most likely sniff that out, so if someone in IT is really after the goods, and is willing to face legal flak to get it, you're still back at the point of being stuck, unless you ensure all the business folk maintain their own machines away from IT, and support them entirely themselves, to a secure enough level that they won't fall victim to an attack when they connect to the corporate network, or a trojan in an email.

    Like all solutions, the most workable is to ensure that if someone is guarding secrets that are that potent and valuable, you make sure it's not worth their while to go scurrying off with them. In other words, you treat them well, and remunerate them according to the value of their task.
    If you force your IT staff to work over long hours, stiff them on their working conditions all for a flat low rate, you're asking for trouble.
    Give them good conditions, and good pay (going to excellent pay for those sysadmins that are responsible for the really tasty info), and you're far less likely to suffer.
    Technical solutions just won't work, as the people who know most about it are the ones you don't trust. Which defeats the whole object.
  • Check them carefully (Score:3, Interesting)

    by WindBourne ( 631190 ) on Wednesday August 02, 2006 @11:25AM (#15832343) Journal

    A few years ago, I was working in a company where we were developing products for sale to a few Federal groups. We interviewed numerous people for these jobs. One that was interesting was a Chinese woman living in C. Springs, married to a US soldier. She had a master's in C.S. from China. At first, she was not all that interested. But once I mentioned the groups that we were selling to as well as discussed exactly what we were doing, she got very interested. Obviously, we shot that down as soon as she expressed interest in who we were dealing with.
    Upon checking her out, we found out that she was a Chinese national, but had told us she was an American citizen.

    In another case, we had a guy that we interviewed for another job. He was claiming to have a CS degree with loads of Linux experience. But when asked a set of questions, he missed them badly.

    1. How do you create a new process? "You spawn it" (did not know fork or exec).
    2. How do you start a new process upon boot up (from the kernel or a central repository)? He did not know about /etc or /etc/rc.d/.
    3. Asked about general sorts, he only knew quicksort and bubblesort, but could not explain quicksort.
    4. Did not know discrete math.
    All in all, what I have found out is that you first have to check people very carefully. Then you still have to limit people to what they get access to. Hopefully with Vista, the MS world will start having security. That remains to be seen.
  • by TheCarp ( 96830 ) * <sjc@NospAM.carpanet.net> on Wednesday August 02, 2006 @11:33AM (#15832397) Homepage
    There is something that's often overlooked. Good leadership is important. You will normally hear me ranting about the pay disparities between the top and the bottom, and I am not backtracking here, I don't think anyone should be getting multi million dollar salaries... but all that aside...

    Bad leadership is worse than none. Good leadership is important. Good leaders, team leads, managers are people who make you not just work, but actually WANT to work for them. People who you can be like when everything else hits the fan, it's not just that you care about your job, but you actually respect them and want to work because you know they will get shit if you fail.

    Pay is nice, but it's community and social pressures that people really respond to. It's that "we are all in this together" attitude that binds a team together and makes them really get the job done. I think the most important aspect of a leader is the ability to catalyse that in his team.

    The best defense against this sort of thing is teams that are close enough that no member would betray the team because, they would be betraying people who they respect.

    This is one reason why I like working for nonprofits that are doing things that I like, where I can get behind the corporate mission and be proud to be a part of what we are doing. Hence, I work in healthcare.

    -Steve
  • by dindi ( 78034 ) on Wednesday August 02, 2006 @11:47AM (#15832493)
    The casino, bookie guys do not need rules and regulations. Feel free to take their data (usually customer lists), it is full of spikes/seeds (phone numbers, email and land addresses that belong to the owners), so when the data is sold and used (callcenter, email spam/etc) the mails get back to you.

    Then the death squad goes after the techs and asks some uncomfortable questions, talk about broken kneecaps and burning family houses.

    Heck, you can even seed different addresses for each admin (if one is doing the mailing, the other only sees the SQL tables)...

    If you think it is science fiction, or fear mongering, come and work for a casino in any Central AM country...

    I personally left a place because I was scared - higher staff was regularly followed, I heard bad things about the company, and we had more and more armed people at the entrance. I also heard (from my colleague), that our previous sysadmin was chased down the street by the neighbouring casino owner with a gun in his hand, shouting "I kill you bastard" over some customer list that the guy "administrated".

    Want 1st person experience: how about police calling me, that a gentleman wants to talk about one of our employees, who supposedly stole data from a Caribbean country's casino. The guy looked like a headhunter/killer to me, who kept calling me for 2 weeks, every day, offering more and more for the person's address or any tip where the person could be met (killed??). And that was back in Europe, and the guy came from the islands .... so he was pretty determined.

    Oh well you can take some other measures, like at one place, they sniffed all IM traffic, read all emails, and made it forbidden to take anything into the office. First USB drives, CDs, floppies. Later cell phones, walkmans, iPods. ANYTHING. They were also believed to go through the lockers.

    Of course I cannot (and do not want to name people, places, etc). All I can say, is that I am done with that industry, even though they pay a lot better than others in southern countries.
  • Re:Bribed (Score:4, Interesting)

    by crakbone ( 860662 ) on Wednesday August 02, 2006 @11:57AM (#15832591)
    I worked for a company that said if you get bribed keep the money and turn in the person bribing you. If the charges stick you'll get an additional $1000.00.

    I never got bribed. I was hoping all the time.
  • by rbanzai ( 596355 ) on Wednesday August 02, 2006 @12:07PM (#15832669)
    At my workplace management has so many conflicting opinions on internal security it's laughable. When I was brought in as IT Manager I couldn't even get admin access to anything because my boss didn't know who I was (even though he's the one that hired me.)

    Instead he let the outside I.T. consultants have complete control. My experience and professional references were to no avail. It was three months before I got a key to the server room, and this is in a small, 50 person insignificant business. All the while the outside consultants (who retain full remote access to all systems and networking equipment) could do whatever they want.

    The network drives were wide open among departments. No restrictions. Performance reviews, salary spreadsheets were all available to the entire staff with the thought that "no one knows the files are there so it's okay" was good enough.

    When I suggested that we could start locking down departmental network folders to restrict access to sensitive data it set off a freakish firestorm of discussion about who could be trusted for these special folders. But... the whole time they'd been wide open! Now suddenly it was an emergency to lock them down and no one could be trusted with the data.

    Later on my boss was working on a business pitch in Word. He'd brought in a temp to help with the layout and now he wanted to give it his own special touch. But he was having formatting issues. He wanted my help, but.... I couldn't look at the document!

    He said it was sensitive and he didn't want me to see it but at the same time I had to diagnose his formatting problem and tell him how to straighten it out. So it was okay for a one-day temp to see it, but not the IT Manager that he himself hired that has responsibility for protecting all of his data.

    A few more months and I'm out of here. It's the craziest place I've worked, and I used to work at an urban police department so I've seen crazy.
  • offshore your work (Score:1, Interesting)

    by Anonymous Coward on Wednesday August 02, 2006 @12:07PM (#15832671)
    Do what Cisco did.

    Send your work to China where laws against industrial espionage are stronger and it's harder to bribe employees.

    Oh wait a minute..............

    [satire off]
  • by mmell ( 832646 ) on Wednesday August 02, 2006 @01:00PM (#15833074)
    Actually, I shortened the story considerably . . . what I did to that employer was actually an honest mistake (probably springing from recognition that I should never have accepted their job offer in the first place). In effect, I think I may have subconsciously sabotaged myself. That said, once the deed was done I recognized immediately that were I honest about my actions my employer would've concluded that they were intentional (and would probably have sued me into oblivion).

    Having recast the unfortunate incident as gross incompetence (perhaps not too far from the truth?) I chose to take the fullest possible advantage of the situation. Sorry, kids - morals are great, but Number One comes first! There's an IT shop in a Midwest town which I'm sure still curses my name when it is spoken; but my income has more than doubled since then, I don't get adrenaline rushes on my way to work anymore, I don't feel like I'm working in the IT equivalent of a labor camp, I actually like and respect my coworkers - I wish I had done everything on purpose, it would've been a sweet example of Machiavellian perfection. As it stands, it was merely a marvellous coincidence.

    Oh, and I don't do management. I'm firmly convinced that people will rise to their own level of incompetence - this level is mine.

  • Trusting the temps (Score:5, Interesting)

    by Simonetta ( 207550 ) on Wednesday August 02, 2006 @01:33PM (#15833318)
    I worked as a permanent temp in a Hewlett-Packard printer factory in Camas, Washington. I was in a room with a loading dock all alone with about a thousand printers, brand-new, boxed and ready-to-ship. My job was to select several printers a day at random and disassemble them so that the parts could be used to make prototypes of new printers. It was cheaper to hire a permanent temp employee to disassemble printers than it was to fill out the paperwork to get the parts from the assembly line before they were made.
    Anyway, I put a picture of Claudia Schiffer in an evening gown on my PC as background wallpaper. A few days later I get escorted by an armed guard to the human resources office about a kilometer away and get fired for 'creating an environment conducive to sexual harassment'. Since I had all the codes and badges to access the loading dock, I was tempted to just rent a truck, drive up, and take all the printers and either dump them in the ocean or sell them myself. Of course, according to Hewlett-Packard, I was 100% trustworthy because I passed a marijuana piss test, so I was beyond suspicion were the items to be found missing.
    I didn't steal anything from them, but I was tempted to because I was so pissed at them. Of course, it came as no surprise to anyone that a few years later the morons who run H-P would just roll over and let Carly trash the entire company to the point where they felt relieved that they could finally get rid of her by giving her 28 million dollars to just...go...away.
    So, a word to the wise young people: don't work for insane morons like Hewlett-Packard if you want to have a long and prosperous career in the IT or electronics industry. Choose your employer carefully; believe all crazy rumors about your company management, study Dilbert seriously, be flexible, and always be ready to just jump ship at any better job offer. The old mentality and social contract between employer and employee is over.
  • Re:Keep them happy? (Score:3, Interesting)

    by ultranova ( 717540 ) on Wednesday August 02, 2006 @01:44PM (#15833412)

    Treatment isn't a relevant defense against theft, damage, and so on. If you're not treated well, then either find a way to get treated better or leave.

    This isn't a world where the ends justify the means (sorry Bush Administration).

    Yes, business practices suck. But it doesn't justify boorish and/or illegal behavior. Then you're stooping as low as they are.

    None of which helps you any when you're the manager trying to keep such things from happening. Which was what this story was about.

    It's like the adage where if you believe in an eye for an eye, tooth for a tooth, everyone will need dentures and seeing-eye dogs.

    The problem is that if you don't take vengeance, either by yourself or through the legal system or some equivalent, then people will keep on stabbing your eyes and stealing your teeth, since they can get away with it. Following the old adage means that there is no punishment for mistreating you, and so you will be mistreated for fun and profit.

    That's a really nasty choice there - either take revenge and contribute to the problem, or don't and be crushed by those who see you as defenseless and therefore easy prey. Dead if you don't, damned if you do.

  • by Bender0x7D1 ( 536254 ) on Wednesday August 02, 2006 @01:58PM (#15833513)
    Exactly.

    There is a "rule" in the security field: If someone has physical access to a machine, you cannot make it secure. Why? Someone could boot the machine with a Live CD and bypass any security that is in place. You could even install a rootkit. Even encryption doesn't help since the system has to know the key at some point, and with a rootkit, you have that key too. Now, before anyone discusses removing optical drives, or BIOS passwords, this is IT and they know how to install a drive and bypass the BIOS security. They could always pull the drive and drop it into a separate machine that isn't protected. There are lots of ways to make it harder, but you can't make it impossible.

    That's why there is a push for trusted computing modules on "secure" systems. The key or unencrypted data only exists within that module, and can't be accessed from the outside. It doesn't solve the problem if the attacker has an unlimited amount of time, (they could tap into any connectors and view the raw data that way), but it makes it a lot harder. (Imagine soldering a few hundred connections...)

    Personally, I would like to see an OS that is put onto a ROM and cannot be updated without pulling it and bringing it to a special machine. Sort of like a Windows XP cartridge or something. While much harder to update the OS, it also prevents rootkits or other malicious changes to the OS from being installed. When updates come out, you pull the cartridge, go to $ELECTRONICS_STORE, and plug it into their machine. After a few minutes, your updated OS is ready and you take your cartridge home.
  • by riffer ( 75940 ) * on Wednesday August 02, 2006 @02:00PM (#15833529) Journal
    After reading the article and the comments here, I have to say I'm surprised at how many folks here are quick to dismiss the idea of technological solutions and procedures to protect against internal threats. Lots of you seem to feel the best (or even only) option is to just:
    • Hire people you trust
    • Compensate them well
    • Don't do anything to hurt morale

    Honestly, while those are good pieces of advice, the naivety of so many Slashdotters surprises and depresses me. In very small companies, that may be all you need. And for businesses that don't have big revenue numbers or deal with innovation, espionage isn't much of an issue. I don't think a plumbing company needs to worry about espionage.

    But banks, credit card companies, investment firms and brokerages, they do. As do many of the companies doing R&D in drugs, electronics, software, etc. When millions of dollars are at stake on pieces of information that can be copied to a USB flashdrive the size of a quarter, a smart businessman will not assume everyone can be trusted.

    As IT professionals as well as hobbyists, we are used to having lots of access and power. It's what makes our jobs easier, more enjoyable and exciting. By nature we tend to be lazy and impatient, not wanting to do something in 4 steps when it can be done in 2 or 3 steps. We like to find ways to automate processes of all sorts. And we often are overworked and underappreciated.

    Which means the IT profession is a good breeding ground for corruption. Roger Duronio felt like he wasn't being fairly compensated. Even when he got a year-end bonus of THIRTY-EIGHT THOUSAND dollars on top of his $100,000+ per year salary, he felt cheated. He wanted the full $50,000 bonus he could have received. So he gutted the company's servers, costing the entire business millions of dollars. He also tried to profit on this action, betting stocks would fall quickly enough for him to short sell at a profit (he failed there). Eventually he was caught, tried and found guilty. He really screwed up good, because he ended up not getting anything that he wanted, destroyed his career forever, betrayed both his family and co-workers, and hurt the image of Systems Administrators everywhere.

    Roger Duronio is not the first IT professional to have done something like this. His actions were amazingly successful compared to many others, and the company was very much willing to publicly bring the case to trial. But you can do searches on FBI cases for all sorts of similar situations.

    Trust is really just saying you have faith in someone. No technology, procedures or policies can precisely mirror the ephemeral nature of that faith. Which is why you don't rely on one or two or three methods to protect yourself and your business. You rely on hundreds of different methods and protections. It's called security in layers, and is such an essential concept of security that people always forget about it.

    The article focuses a great deal on encryption, which is most definitely a good idea for all sensitive data in an organization. But that won't help you if you can't trust the keyholder. So what do you do? Well first off, you don't encrypt everything with one key. You use lots of different keys for different data, and lots of different keyholders. You break keys apart so a person only holds part of a key and two people need to work together in order to decrypt data. Or you use an external, third-party entity to escrow the keys. Better yet, you do all of those things, and more.

    • Make sure you do background checks on your employees
    • Make sure employees are fairly compensated. Everyone feels like they are entitled to more, and it's a dangerous line from "I'm not fairly compensated, I deserve more" to "If you don't give me what I want, bad things can happen".
    • Cross-train employees so no one person is the only one who can do a particular task.
    • Along with cross-training, rotate employee duties
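An added example, not code from the article or from any commenter: the key-splitting riffer describes above, done as Shamir threshold secret sharing over a prime field, so a data-encryption key handed to three keyholders can be rebuilt by any two of them while a lone holder gets nothing usable. The prime, the sample key and the holder names are constructed assumptions.

```python
# Threshold key splitting (Shamir secret sharing) so no single keyholder can
# decrypt alone. Constructed example; prime, key and holder names are assumptions.
import secrets

# Mersenne prime 2**521 - 1: any key of up to 64 bytes encodes as a field element.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate the share polynomial at x by Horner's rule; coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, holders: int):
    """Return `holders` shares (x, y); any `threshold` of them rebuild `key`."""
    if not 1 < threshold <= holders:
        raise ValueError("need 1 < threshold <= holders")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too long for the field")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def recover_key(shares, key_len: int) -> bytes:
    """Lagrange-interpolate the share polynomial at x = 0 and return the key."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    # Too few shares interpolate a random field element, which will not fit.
    if secret >> (8 * key_len):
        raise ValueError("result does not fit key_len: wrong or too few shares")
    return secret.to_bytes(key_len, "big")


def demo():
    """2-of-3 split of a constructed 256-bit key among three keyholders."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    shares = dict(zip(["alice", "bob", "carol"], split_key(key, 2, 3)))
    two_holders = recover_key([shares["alice"], shares["carol"]], len(key)) == key
    try:
        lone_holder = recover_key([shares["bob"]], len(key)) == key
    except ValueError:
        lone_holder = False
    return two_holders, lone_holder


if __name__ == "__main__":
    print(demo())
```

The same split_key/recover_key pair handles any k-of-n policy (for instance 3 of 5 across two departments and an escrow agent), which is the layered arrangement the comment argues for.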
  • by 99BottlesOfBeerInMyF ( 813746 ) on Wednesday August 02, 2006 @04:01PM (#15834576)

    Any statistics or did you just make that up?

    The numbers as I recall are the top 1% controls 30%, the top 10% of people controls more than 50% of the total wealth, the next 40% controls the rest and the bottom 50% breaks even between debt and assets. Further, I think in 2004 there were 8 people in the top 1% that had not been born into that position (inheritance). There are lots of studies out there that show numbers on this and the US census data supports the trend although they ignore incomes over 1 million dollars and just assume anyone making more than 1 million makes exactly 1 million for historical reasons.

    Hard work includes bettering yourself, by learning, and also includes inventing something.

    I think you haven't been paying attention. Most inventors make very little profit compared to the financiers. Assuming you invent something cool, all on your own, in order to get it to market and manufacture you're looking at giving up maybe 90% of the profit. As a result, for every dollar you make someone who has done nothing except inherit a pile of money to finance your venture is making nine dollars. This is called monetary condensation. People with money make more money with that money by doing nothing and money slowly consolidates into fewer and fewer hands until there is a revolution and the poor take it and redistribute it.

    That's likely what that statistic is showing.

    You need to take some basic economics. Monetary condensation is pretty much established as a fact of the marketplace.

    No, it's not fine. The basics aren't free, and I fail to see why I should have to pay for some fatass to sit in their trailer (which is also being paid for by me) to eat potato chips...

    Because otherwise they are mugging you. Or because otherwise, once all the money has consolidated, they are burning down your house and taking back the money you did not earn. Or because regardless of how hard you work, you become one of them when the economy collapses and there is no work for you.

    Give everyone the basics, and you'll have a huge majority of people doing nothing but being provided those basics by the hard working minority.

    Yeah because no one works for luxuries... oh wait yes they do. People want to work and do things. If they have no desperate need to work, they are simply more likely to be choosy about what they do and are a lot more likely to take chances which results in more innovation and more progress.

    Starvation is a pretty good motivator to get a job, I would say.

    No it isn't because to get that job you have to apply, which is uncertain and wait an amount of time. Starvation is good motivation to kill you and take your wallet.

    decides to break into your house to steal your TV. See, people WON'T just be happy being given the basics.

    Except that is not what happens in places with more socialism than the US. Their crime rates are amazingly lower than ours. People commit crimes when they are desperate more than anything else. If a person has their basic needs, they are not desperate and the risk/reward scenario becomes a lot harder for them. I read about an old man last year who shot the mailman so the police would put him in jail. He was losing his house and was going to be out on the street. He didn't want to hurt anyone particularly, he was just scared and wanted to be fed and sheltered and provided medical care. It is sad that he was driven to such desperate measures, but a lot of people are driven to violence by even less. Ask the mailman if he would rather have had 5 % of his taxes go to taking care of such people rather than to one of the many projects the government wastes our money on.

    Really? Where's the greater risk?

    Look to the example above. If you are going to be living on the streets, robbery and possibility of jail is not so bad. If you already have a home and food, the possibility of losing your freedom is much more important to you.
