Discussion in 'Business & Enterprise Computing' started by -Sk3tChY-, Aug 28, 2019.
-Sk3tChY- are you Mitch?
As has been said a few times: there's what you know, and there's what you can prove. You're dipping your toes into some potentially scary waters here, regardless of how "good old bloke" the client is.
Make sure all this stuff that "everybody knows and has been told" is in writing and formally acknowledged. The reality is that the solutions you're proposing won't stop anyone. "Security theatre" is absolutely the correct term for what is going on. And if that's what everyone wants, and the contract is in writing, then so be it.
IF you think anyone here throws their hands up in the air and has a cry, you're sorely mistaken. We simply don't promise what we can't deliver.
Let's say you get what you want - even inside a modest budget - say 3-4 days' work with a mild subscription component. How are you going to show the business that the ~20k invested is going to show a return? Remembering that a return in this case looks like:
* Recorded block of the offending action (that is, trying to exfil data)
* Using that audit log to discipline or terminate staff offending this rule
* Sufficient evidence to support an insurance claim that the business did enough to protect its IP from exfil
All of this requires auditing. Which you aren't doing.
You haven't reduced anything. You've added complexity for no appreciable benefit against an actor looking to take something. This mythical user that is being gently reminded "hey don't take data home" basically doesn't exist. The one that does want to is simply going to work around your incomplete and flawed solution to do so.
You have literally no idea what you're talking about. I've done more work on Single User and SMB entities than you - as well as full blown government and enterprise.
Until they put a dollar figure on what they are willing to spend to get this, it's a fleeting desire.
Can you? You've built your own PKI deployment with automatic trusted root distribution to perform MITM SSL inspection now, have you? I thought you weren't doing complex or enterprise things...
Security absolutely comes in layers, but the single basic thing that you need to do before anything else is to be able to audit who did what, when and where. If you aren't logging all of this - which is absolutely out of scope of SMB - you aren't doing the bare minimum. The next step is to report on it.
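The post above makes auditing ("who did what, when and where") the baseline and reporting the next step. As an added illustration that is not from this thread or any poster, the script below parses a few constructed key=value records of the kind a USB-control or DLP agent might export (the field names and line format are assumptions), answers the who/what/when/where question per user, and reports the pattern the thread keeps coming back to: a user who is blocked on one channel and then succeeds on another.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample records (not real logs). The key=value layout is a
# hypothetical agent export; every field name here is an assumption.
SAMPLE_LOG = r"""
2019-08-28T09:14:02Z host=WS-07 user=jsmith action=file_copy dest=removable:E: path=\\fs01\finance\customers.xlsx result=blocked
2019-08-28T09:15:40Z host=WS-07 user=jsmith action=file_copy dest=removable:E: path=\\fs01\finance\customers.xlsx result=blocked
2019-08-28T10:02:11Z host=WS-12 user=akhan action=file_copy dest=local:C: path=\\fs01\shared\template.docx result=allowed
2019-08-28T11:30:05Z host=WS-07 user=jsmith action=email_attach dest=smtp:external path=C:\Users\jsmith\db_export.zip result=allowed
"""

# Destination prefixes treated as "leaves the business" (assumed taxonomy).
EXTERNAL_DESTS = ("removable:", "smtp:external", "web:")


@dataclass
class Event:
    when: datetime
    host: str
    user: str
    action: str
    dest: str
    path: str
    result: str


def parse_line(line: str) -> Event:
    """One record: ISO timestamp followed by space-separated key=value pairs."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Event(
        when=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        host=kv["host"], user=kv["user"], action=kv["action"],
        dest=kv["dest"], path=kv["path"], result=kv["result"],
    )


def parse_log(text: str) -> List[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_external(ev: Event) -> bool:
    return ev.dest.startswith(EXTERNAL_DESTS)


def summarise(events: List[Event]) -> Dict[str, Dict[str, int]]:
    """Per-user counts: blocked attempts, and allowed transfers to an external channel."""
    summary: Dict[str, Dict[str, int]] = {}
    for ev in events:
        row = summary.setdefault(ev.user, {"blocked": 0, "allowed_external": 0})
        if ev.result == "blocked":
            row["blocked"] += 1
        elif is_external(ev):
            row["allowed_external"] += 1
    return summary


def evidence(events: List[Event], user: str) -> List[str]:
    """Who did what, when and where: one human-readable line per record for a user."""
    return [
        f"{ev.when:%Y-%m-%d %H:%M:%S} {ev.user}@{ev.host} {ev.action} "
        f"{ev.path} -> {ev.dest} [{ev.result}]"
        for ev in events if ev.user == user
    ]


def blocked_then_external(events: List[Event]) -> List[str]:
    """Users who were blocked and later succeeded on another outbound channel.
    This is the 'work around the control' pattern, which a block count alone hides."""
    seen_block = set()
    hits: List[str] = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.result == "blocked":
            seen_block.add(ev.user)
        elif is_external(ev) and ev.user in seen_block and ev.user not in hits:
            hits.append(ev.user)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, row in summarise(evs).items():
        print(user, row)
    for line in evidence(evs, "jsmith"):
        print(line)
    print("blocked then external:", blocked_then_external(evs))
```

The point of `blocked_then_external` is the reporting step: two blocked USB copies followed by an allowed external e-mail of a zip is exactly the record you need in hand before a disciplinary conversation, and it only exists if every channel is logged in the first place.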
Technically, with enough know-how every solution is that. I can think of a pretty easy way to dump TBs from my highly secure workplace.
However, with all the metadata attached to the dumped files, it'd be tricky to distribute without getting caught. People have been.
We even log all printed works and have a hex code on the bottom of each sheet. The printer won't even print without a swipe. Prior to that, I saw payroll records from another state sitting in my local printer.
Let's expand on this, and look at Users, Controls and Impact.
UserA will never take data home
UserB will take data home to work on it for the company, but never use it for personal commercial gain
UserC wants to take the data and use it to further his own means.
We implement USB Blocking and Webmail/Dropbox blocking and some basic DLP scanning on outbound e-mail.
UserA - is now less happy, because they can't check their Hotmail from the work computer
UserB - has less productivity, because they can't work on stuff at home in the manner they had in the past
UserC - puts the database in a password-protected zip and e-mails it from Outlook.
UserC is the guy you are trying to stop, and the controls proposed do nothing to achieve that goal, while still having a material impact on Users A and B.
So in summary, OP should say to client:
"Hi Mr Client, I can do what you're asking but please understand (in writing) that this will not in any way provide an impediment for employees seeking to steal company IP. Detection and prevention is only possible with a large DLP project that includes major changes to your workflow and budget.
PS: if you're scared about employees leaving with IP, be nicer to them and have a strong contract so that if they do screw you, you can sue them."
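The UserC scenario above (database in a password-protected zip, e-mailed out) is the classic gap in "basic DLP scanning": a content scanner cannot read inside the encrypted archive, so the only thing left to act on is that the attachment is encrypted at all. As an added example that is not from the thread, the script below reads the ZIP local file headers directly (the encryption bit is general-purpose flag bit 0, per the PKWARE APPNOTE) and classifies an attachment by its bytes rather than its file name, so renaming `export.zip` to `notes.txt` makes no difference. The sample archives are constructed in memory; the "encrypted" one only has its header flag set, as a test fixture.

```python
import io
import struct
import zipfile
from typing import List, Tuple

LOCAL_HEADER_SIG = b"PK\x03\x04"
ENCRYPTED_FLAG = 0x0001        # general purpose bit 0: entry is encrypted
DATA_DESCRIPTOR_FLAG = 0x0008  # bit 3: sizes follow the data, not in the header


def zip_entry_flags(data: bytes) -> List[Tuple[str, int]]:
    """Return (filename, general_purpose_flags) for each local file header.
    Walks the local headers by their declared compressed size instead of
    trusting the central directory, which could be stripped or corrupted."""
    entries = []
    pos = 0
    while pos + 30 <= len(data) and data[pos:pos + 4] == LOCAL_HEADER_SIG:
        # Local header after the signature: version(2) flags(2) method(2)
        # time(2) date(2) crc(4) csize(4) usize(4) namelen(2) extralen(2)
        flags, _method, _t, _d, _crc, csize, _usize, nlen, xlen = struct.unpack_from(
            "<HHHHIIIHH", data, pos + 6)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        entries.append((name, flags))
        if flags & DATA_DESCRIPTOR_FLAG:
            # csize is not known up front; stop rather than guess the next header.
            break
        pos += 30 + nlen + xlen + csize
    return entries


def classify_attachment(filename: str, data: bytes) -> str:
    """'encrypted-archive', 'archive' or 'other', decided from the bytes only.
    (An archive with no entries starts with the end-of-central-directory
    record instead, and is treated as 'other' here.)"""
    if not data.startswith(LOCAL_HEADER_SIG):
        return "other"
    if any(flags & ENCRYPTED_FLAG for _, flags in zip_entry_flags(data)):
        return "encrypted-archive"
    return "archive"


def build_plain_zip() -> bytes:
    """Constructed sample: a normal, unencrypted archive with one entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("customers.csv", "id,name\n1,Example Pty Ltd\n")
    return buf.getvalue()


def with_encryption_flag(data: bytes) -> bytes:
    """Constructed sample: set bit 0 in the first local header so the archive
    advertises encryption. Only the flag changes; this is a fixture, not a
    real encrypted archive."""
    patched = bytearray(data)
    (flags,) = struct.unpack_from("<H", patched, 6)
    struct.pack_into("<H", patched, 6, flags | ENCRYPTED_FLAG)
    return bytes(patched)


PLAIN_ZIP = build_plain_zip()
ENCRYPTED_ZIP = with_encryption_flag(PLAIN_ZIP)

if __name__ == "__main__":
    for name, blob in [("export.zip", PLAIN_ZIP), ("notes.txt", ENCRYPTED_ZIP), ("memo.txt", b"hello")]:
        print(name, "->", classify_attachment(name, blob))
```

In practice the verdict for "encrypted-archive" to an external recipient is a policy decision (quarantine for approval, or just log it for the audit trail), which is the thread's point: the control is only worth anything once it feeds a record someone reviews.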
Clearly I'm not the only one who thinks that the threads from the OP are the same, just with different topics.
-Sk3tChY- - it's not that there's not a place for SMB questions here, it's the way you start your threads with quite convoluted pseudo-solutions and then respond to each post defending your solution. You don't need to - just accept that people will have different views (to each other, and to you), and you don't have to convince them that you're right. You can simply read what they have to say and either disregard it or take it on-board.
It may also be a more productive approach to ask more open questions (e.g. "I have an SMB customer who I've got set up like x, y and z. They've asked me about a, but I'm not sure about it/that they actually know what it involves. Are there any other quick wins/effective measures I could take that are suitable for a simple environment?") rather than come up with long-winded solution that people pick holes in, that you then feel the need to defend, which people pick further holes in, etc.
I hope this doesn't come across as me having a go at you. These are just my opinions as an observer, and I see the same scenario play out in every thread. While some good discussion does happen (once you wade through the anguish/unnecessary bluntness) I don't think it's the most effective or harmonious way to achieve what it is you want - find simple and cost-effective methods of securing your clients.
Relevant to the thread and security in general.
End of discussion.
802.1X is a thing
We whitelist devices at work, and then have exceptions in place anyhow for people who apply, because in the end you have to trust that people are doing the right thing; there is no other way.
and then accept that you can't.
He said "there is no other way"! Good DAY sir!
No, no you don't. The business needs to make the decision to apply exceptions, not IT. We are there to enforce the policies and add guidance in their creation.
By adding exceptions for devices not controlled by the business you have no way to manage risks.
As long as someone accepts and understands that, you can wipe your hands.
You can't have it both ways though.
Well, not with that attitude.
Haha true, but that's a problem for the internal investigators.
Hold an all staff must attend general meeting. Sack someone that has been known to have breached DATA policy and tell everyone they had clearly violated the business policy of DATA security and any other staff found to be doing the same will also be immediately terminated.
That is, make a very public example!
The above, and disable the clipboard, etc., etc.
Have a screening gateway for entry/exit of files that needs approval.
Worked for a federal gov dept who had the above, but via Citrix.
Even as a domain admin I could NOT copy anything to/from the network to my laptop.
Compartmentalise their work.
Get them to identify which files are to be secured and silo them.
Put all those files on an internal fileshare that can only be accessed on prem from specific computers that have their USB ports disabled in the BIOS and that can't route to the internet or any other network other than the fileshare.
Set the secured machines up with BitLocker-encrypted hard drives and redirect all their Desktop, My Documents etc. to save on the secured fileshare. Disable the Print Screen key via Group Policy.
Set them all up with a separate computer to do their normal email and to access day-to-day files on O365.
Then tell them if they want to access the secured files go to the secured computer to work on them.