Suggestions on how to stop users copying/emailing corp docs and accessing on other machines?

Discussion in 'Business & Enterprise Computing' started by -Sk3tChY-, Aug 28, 2019.

  1. BAK

    BAK Member

    Joined:
    Jan 7, 2005
    Messages:
    1,197
    Location:
    MornPen, VIC
    2SHY, waltermitty and NSanity like this.
  2. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    42,799
    Location:
    Brisbane
    As has been said a few times: there's what you know, and there's what you can prove. You're dipping your toes into some potentially scary waters here, regardless of how "good old bloke" the client is.

    Make sure all this stuff that "everybody knows and has been told" is in writing and formally acknowledged. The reality is that the solutions you're proposing won't stop anyone. "Security theatre" is absolutely the correct term for what is going on. And if that's what everyone wants, and the contract is in writing, then so be it.
     
  3. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,153
    Location:
    Canberra
    If you think anyone here throws their hands up in the air and has a cry, you're sorely mistaken. We simply don't promise what we can't deliver.

    Let's say you get what you want - even inside a modest budget - say 3-4 days' work with a mild subscription component. How are you going to show the business that the ~20k invested is going to show a return? Remembering that a return in this case looks like:

    * Recorded block of the offending action (that is, trying to exfil data)
    * Using that audit log to discipline or terminate staff offending this rule
    * Sufficient evidence to support an insurance claim that the business did enough to protect its IP from exfil

    All of this requires auditing. Which you aren't doing.

    You haven't reduced anything. You've added complexity for no appreciable benefit against an actor looking to take something. This mythical user that is being gently reminded "hey don't take data home" basically doesn't exist. The one that does want to is simply going to work around your incomplete and flawed solution to do so.

    You have literally no idea what you're talking about. I've done more work on Single User and SMB entities than you - as well as full blown government and enterprise.

    Until they put a dollar figure on what they are willing to spend to get this, it's a fleeting desire.

    Can you? You've built your own PKI deployment with automatic trusted root distribution to perform MITM SSL inspection now, have you? I thought you weren't doing complex or enterprise things...

    Security absolutely comes in layers, but the single basic thing that you need to do before anything else is to be able to audit who did what, when and where. If you aren't logging all of this - which is absolutely out of scope of SMB - you aren't doing the bare minimum. The next step is to report on it.
     
    Last edited: Sep 3, 2019
    freaky_beeky and Dilbery like this.
  4. Myne_h

    Myne_h Member

    Joined:
    Feb 27, 2002
    Messages:
    10,999

    Technically, with enough know-how every solution is that. I can think of a pretty easy way to dump TBs from my highly secure workplace.
    However, with all the metadata attached to the dumped files, it'd be tricky to distribute without getting caught. People have been.

    We even log all printed works and have a hex code on the bottom of each sheet. The printer won't even print without a swipe. Prior to that, I saw payroll records from another state sitting in my local printer.
     
    Last edited: Sep 4, 2019
  5. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,297
    Let's expand on this, and look at Users, Controls and Impact.

    UserA will never take data home
    UserB will take data home to work on it for the company, but never use it for personal commercial gain
    UserC wants to take the data and use it to further his own means.

    We implement USB Blocking and Webmail/Dropbox blocking and some basic DLP scanning on outbound e-mail.

    UserA - is now less happy, because they can't check their Hotmail from the work computer
    UserB - has less productivity, because they can't work on stuff at home in the manner they had in the past
    UserC - puts the database in a password-protected zip and e-mails it from Outlook.

    UserC is the guy you are trying to stop, and the controls proposed do nothing to achieve that goal, while still having a material impact on Users A and B.
     
    scrantic, 2SHY, ir0nhide and 8 others like this.
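    An added example (not code from any post in this thread) for the UserC case above, written from the gateway's side: a password-protected zip hides its contents from DLP scanning, but the encryption flag in each member's header is stored in the clear, so an outbound-mail hook can at least recognise an archive it cannot inspect and hold it for review instead of passing it. The `attachment_verdict` hook and the sample archive builder are hypothetical and constructed here; only the zip header layout is real.

```python
import io
import struct
import zipfile
import zlib

# Bit 0 of the general-purpose flag field marks a zip member as encrypted
# (PKWARE APPNOTE section 4.4.4). The flag and the member names are stored in
# the clear even when the member data is password protected, so a gateway can
# at least see that it is looking at an archive it cannot content-scan.
ENCRYPTED_BIT = 0x0001


def encrypted_members(archive: bytes) -> list[str]:
    """Names of members whose header carries the encryption flag."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED_BIT]


def attachment_verdict(name: str, data: bytes) -> str:
    """Policy decision for one outbound attachment (hypothetical gateway hook).

    Plain files and readable archives go to the normal content scanner;
    an archive with any encrypted member is held for human review, because
    letting the scanner 'pass' it would silently pass whatever is inside."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "scan"
    hidden = encrypted_members(data)
    return "hold:" + ",".join(hidden) if hidden else "scan"


def build_sample_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Constructed sample: a one-member 'stored' zip, optionally with the
    encryption flag set. The payload is not actually enciphered (the stdlib
    cannot write encrypted zips); the detection only reads the flag."""
    flags = ENCRYPTED_BIT if encrypted else 0
    fname = name.encode()
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    n = len(payload)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, n, n, len(fname), 0) + fname + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          0, 0, 0, crc, n, n, len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


if __name__ == "__main__":
    db = b"id,customer,amount\n1,ACME,1200\n"  # constructed sample content
    print(attachment_verdict("report.zip", build_sample_zip("db.csv", db, True)))   # hold:db.csv
    print(attachment_verdict("report.zip", build_sample_zip("db.csv", db, False)))  # scan
```

    The check only says that the archive cannot be inspected; what happens to a held message (release, quarantine, ask the sender) is the policy decision the thread keeps coming back to.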
  6. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,508
    Location:
    Adelaide
    So in summary, OP should say to client:

    "Hi Mr Client, I can do what you're asking, but please understand (in writing) that this will not in any way provide an impediment for employees seeking to steal company IP. Detection and prevention are only possible with a large DLP project that includes major changes to your workflow and budget.

    PS: if you're scared about employees leaving with IP, be nicer to them and have a strong contract so that if they do screw you, you can sue them."
     
    cvidler likes this.
  7. gords

    gords Oh deer!

    Joined:
    Aug 3, 2001
    Messages:
    6,645
    Location:
    Sydney, Australia
    Clearly I'm not the only one who thinks that the threads from the OP are the same, just with different topics.

    -Sk3tChY- - it's not that there's not a place for SMB questions here, it's the way you start your threads with quite convoluted pseudo-solutions and then respond to each post defending your solution. You don't need to - just accept that people will have different views (to each other, and to you), and you don't have to convince them that you're right. You can simply read what they have to say and either disregard it or take it on board.

    It may also be a more productive approach to ask more open questions (e.g. "I have an SMB customer who I've got set up like x, y and z. They've asked me about a, but I'm not sure about it/that they actually know what it involves. Are there any other quick wins/effective measures I could take that are suitable for a simple environment?") rather than come up with a long-winded solution that people pick holes in, that you then feel the need to defend, which people pick further holes in, etc.

    I hope this doesn't come across as me having a go at you. These are just my opinions as an observer, and I see the same scenario play out in every thread. While some good discussion does happen (once you wade through the anguish/unnecessary bluntness) I don't think it's the most effective or harmonious way to achieve what it is you want - find simple and cost-effective methods of securing your clients.
     
    millsy likes this.
  8. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    14,174
    Location:
    Canberra
    2SHY, elvis, looktall and 1 other person like this.
  9. looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    26,497
  10. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,730
    Location:
    Brisbane
    802.1X is a thing.
     
  11. trevor68

    trevor68 Member

    Joined:
    Jun 28, 2001
    Messages:
    4,359
    Location:
    Canberra
    We whitelist devices at work, and then have exceptions in place anyhow for people who apply, because in the end you have to trust that people are doing the right thing; there is no other way.
     
  12. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    64,912
    Location:
    brisbane
    And then accept that you can't.
     
  13. BAK

    BAK Member

    Joined:
    Jan 7, 2005
    Messages:
    1,197
    Location:
    MornPen, VIC
    He said "there is no other way"! Good DAY sir!
     
    power likes this.
  14. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,730
    Location:
    Brisbane
    No, no you don't. The business needs to make the decision to apply exceptions, not IT. We are there to enforce the policies and add guidance in their creation.

    By adding exceptions for devices not controlled by the business you have no way to manage risks.
     
    millsy likes this.
  15. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    64,912
    Location:
    brisbane
    As long as someone accepts and understands that, you can wipe your hands.

    You can't have it both ways though.
     
  16. looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    26,497
    Well, not with that attitude.
     
    millsy, power and JSmithDTV like this.
  17. trevor68

    trevor68 Member

    Joined:
    Jun 28, 2001
    Messages:
    4,359
    Location:
    Canberra
    Haha true, but that's a problem for the internal investigators. :)
     
  18. GoneFishin22

    GoneFishin22 Member

    Joined:
    Jun 28, 2008
    Messages:
    0
    Hold an all-staff, must-attend general meeting. Sack someone who has been known to have breached DATA policy and tell everyone they had clearly violated the business policy of DATA security and that any other staff found to be doing the same will also be immediately terminated.

    That is, make a very public example!

    Move on.
     
    Last edited: Sep 26, 2019
  19. Yak

    Yak Member

    Joined:
    Jan 9, 2005
    Messages:
    249
    The above, and disable the clipboard, etc., etc.
    Have a screening gateway for entry/exit of files that needs approval.

    Worked for a federal gov dept who had the above, but via Citrix.
    Even as a domain admin I could NOT copy anything to/from the network to my laptop.

    Yak.
     
    GoneFishin22 likes this.
  20. domsmith

    domsmith Member

    Joined:
    Nov 7, 2002
    Messages:
    295
    Compartmentalise their work.

    Get them to identify which files are to be secured and silo them.

    Put all those files on an internal fileshare that can only be accessed on-prem from specific computers that have their USB ports disabled in the BIOS and that can't route to the internet or any other network other than the fileshare.
    Set the secured machines up with BitLockered hard drives and redirect their Desktop, My Documents etc. to save on the secured fileshare. Disable the Print Screen key via Group Policy.

    Set them all up with a separate computer to do their normal email and to access day-to-day files on O365.

    Then tell them if they want to access the secured files go to the secured computer to work on them.
     
