Employee Slurping


  • In most of my places of work USB ports have been disabled and special encrypted company USB drives could be specifically requested and limited time granted when data transfer via USB was required. Optical drives were disabled too so that data could not be written.

    The advantage of being locked down so heavily was not just the reduction of risk in data loss, but also the reduction of risk from uploads - from software installed, to viruses from home PCs, to users putting dodgy data onto the system.

    Maybe it's because I've worked in financial services for a long time and the heavily regulated nature makes everyone much more paranoid, but it's certainly good practice in my opinion. Of course, when internet filtering works on a blacklist as opposed to a whitelist, so that things like the Dilbert File Transfer site manage (since nobody in an IT department would ever blacklist anything to do with Dilbert), you've gotta wonder whether it's a plaster trying to solve a crack on a dam.

  • Even with the perfect security system there are always ways around it. Social engineering, bribery, threats. Someone wants to know something and perhaps you as DBA execute the query or install the rootkit.

    However, that does not mean we should give up; there are lots of improvements to be done and securing USB is one thing.

    If I, on the other hand, were to lift my computer up onto the desktop and swap the hard drive, no one would probably ask me about it. However, if an econom does it, there should be some raised eyebrows.

  • I am not convinced there is that much gain to be made by taking action which demonstrates lack of trust in staff. Anyone in a dev or DBA position is likely to be trusted with data which should not be made public. If they are determined, they will be able to get it off the premises and use it nefariously. Of course data should be appropriately secured but permanent staff need to be trusted to look after it sensibly - there is little other option. Anyone showing any other propensity should get the Spanish Archer pronto.

  • call.copse (10/28/2011)


    I am not convinced there is that much gain to be made by taking action which demonstrates lack of trust in staff.

    I don't think such measures are about displaying a lack of trust - we are all trusted by our managers etc., but explaining to the risk departments / external auditors / regulators that 'it's OK, there's a vulnerability because they know their staff would never use it' is asking for trouble.

    In the same way that you have to report on liquidity and manage changes correctly, it indicates that your business is 'healthy' by dint of the checks and balances in place. It is part of the proof by elimination used for making external parties happy. Of course, proof by elimination is not actually a valid form of proof, but it is still one of the most common forms of validating to auditors etc. that you are low risk.

  • Why the focus on software and systems policy solutions? I had to smile at the concern over a 20 gig USB stick, when I take home a 250 gig laptop every day! The answer to this is not to lock the toolbox and, for example, stop me from putting a presentation onto a USB stick and hence force me to risk travelling with my laptop.

    In fact, I would go further: it is extremely dangerous for an organisation to trust in software security measures. These provide a false sense of security, tempting companies to ignore other measures such as clear security policies, solid recruitment and other HR procedures, and strong corporate culture of taking care with company information.

    So what is IT's role? Essentially it consists of keeping an audit trail, so folk know they'll be tracked down if they do something wrong, and limiting a user's access to the things he really needs. Don't put your sensitive and/or business-critical data in the hands of anyone who won't use it in their daily role. And sure, limit access to the super-sensitive data on your network by restricting it to carefully controlled, USB-disabled workstations, and just hope Tom Cruise and Ving Rhames don't show up!

  • Following that logic, only 'approved' computers should be able to connect to the company network. It doesn't make much sense to block the USB devices on company computers when anyone can bring his home computer and plug it in.

    And about someone changing the hard drive: if someone has a portable computer, it's quite easy to remove the hard drive out of anyone's sight.

  • Any PC side security measures, whether it be software, configuration, or hardware, can be circumvented by a determined user. The most effective security measures are those implemented on the back end.

    - It all starts with authentication and authorization. Don't grant everyone in the department access to every database; that's totally unnecessary. Identify employees as belonging to specific case usage groups, and then grant those domain groups only the logins and permissions they require. If you have 100 people in your IT department, really only a handful of them need access to SQL Server at all. Every login account should start out with minimal "public" access, and permission to specific objects can then be granted on an as-needed basis.

    - The same goes for application login accounts; these only need exec permission on stored procedures. They don't need select permission on tables or "view schema" permission. If a hacker gains access to a least-privilege application account, they can do nothing with it if they can't query system or application tables and don't even know the names or parameters of the handful of procedures they can execute.

    - A SQL firewall or email alerts can notify the DBA when an account is doing something suspicious or out of the ordinary like executing T-SQL commands on non-existing objects or executing SQL statements that include all columns and no WHERE clause.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
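    The three points in the post above (a minimal login, exec-only application accounts, and alerting on probes) can be expressed as one T-SQL script. This is an added example for readers, not code from the thread or from any of its posters; the login, database, procedure and table names (app_orders_login, OrdersDB, dbo.usp_GetOrderById, dbo.usp_PlaceOrder, dbo.Orders) and the event session name are hypothetical, and the password is a placeholder.

```sql
-- Added example (not from the thread). All object, login and database names
-- are hypothetical; replace the password placeholder before running.

-- 1. A dedicated login for the application, mapped to a user in one database only.
USE master;
GO
CREATE LOGIN app_orders_login
    WITH PASSWORD = N'<strong-password-placeholder>', CHECK_POLICY = ON;
GO
USE OrdersDB;   -- hypothetical application database
GO
CREATE USER app_orders_user FOR LOGIN app_orders_login;
GO

-- 2. A role that owns nothing and holds only EXECUTE on the procedures the app calls.
CREATE ROLE app_orders_exec;
ALTER ROLE app_orders_exec ADD MEMBER app_orders_user;
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrderById TO app_orders_exec;
GRANT EXECUTE ON OBJECT::dbo.usp_PlaceOrder   TO app_orders_exec;

-- 3. Explicit denies as defense in depth: no direct table access and no procedure
--    source text, so a stolen application credential cannot browse the schema.
--    Procedures keep working through ownership chaining as long as they and the
--    tables they touch share the same owner (dbo here).
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_orders_exec;
DENY VIEW DEFINITION ON SCHEMA::dbo TO app_orders_exec;
GO

-- 4. Verify from the application's point of view (1 = allowed, 0 = denied).
EXECUTE AS USER = 'app_orders_user';
SELECT HAS_PERMS_BY_NAME('dbo.usp_GetOrderById', 'OBJECT', 'EXECUTE') AS can_exec_proc,
       HAS_PERMS_BY_NAME('dbo.Orders',           'OBJECT', 'SELECT')  AS can_read_table;
REVERT;
GO

-- 5. Alerting on probes: record every "Invalid object name" error (number 208)
--    raised under the application login, i.e. statements aimed at objects that
--    do not exist, together with the statement text and client host.
CREATE EVENT SESSION app_probe_errors ON SERVER
ADD EVENT sqlserver.error_reported (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname, sqlserver.sql_text)
    WHERE error_number = 208
      AND sqlserver.server_principal_name = N'app_orders_login')
ADD TARGET package0.event_file (SET filename = N'app_probe_errors.xel')
WITH (STARTUP_STATE = ON);
GO
ALTER EVENT SESSION app_probe_errors ON SERVER STATE = START;
GO
```

    Run as a sysadmin against a test instance. Step 4 should report 1 for EXECUTE on the procedure and 0 for SELECT on the table; if the procedure itself stops working after step 3, the ownership chain is broken (procedure and table have different owners) and the DENY is being evaluated, which is the case to fix rather than the DENY to remove. Step 5 covers the first kind of anomaly the post mentions (queries against non-existent objects); the captured .xel file can be read with sys.fn_xe_file_target_read_file and wired to whatever alerting the DBA already uses.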

  • IceDread (10/28/2011)


    Even with the perfect security system there are always ways around it. Social engineering, bribery, threats. Someone wants to know something and perhaps you as DBA execute the query or install the rootkit.

    However, that does not mean we should give up; there are lots of improvements to be done and securing USB is one thing.

    If I, on the other hand, were to lift my computer up onto the desktop and swap the hard drive, no one would probably ask me about it. However, if an econom does it, there should be some raised eyebrows.

    Hopefully, no one in the IT department is susceptible to bribery or threats. However, physical access and social engineering are a potential weak point in any organization. If someone can poke their head in the server room, then all they have to do is announce the following:

    "Hey guys, we've got Starbucks coffee, doughnuts, and Chick-fil-A biscuits in the break room. Help yourselves!"

    Within moments, they have the server room all to themselves. :-P

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (10/28/2011)


    IceDread (10/28/2011)


    Even with the perfect security system there are always ways around it. Social engineering, bribery, threats. Someone wants to know something and perhaps you as DBA execute the query or install the rootkit.

    However, that does not mean we should give up; there are lots of improvements to be done and securing USB is one thing.

    If I, on the other hand, were to lift my computer up onto the desktop and swap the hard drive, no one would probably ask me about it. However, if an econom does it, there should be some raised eyebrows.

    Hopefully, no one in the IT department is susceptible to bribery or threats. However, physical access and social engineering are a potential weak point in any organization. If someone can poke their head in the server room, then all they have to do is announce the following:

    "Hey guys, we've got Starbucks coffee, doughnuts, and Chick-fil-A biscuits in the break room. Help yourselves!"

    Within moments, they have the server room all to themselves. :-P

    Actually, I heard a tale of a security company that tested security and they had their guys go straight into the server room at a customer and install a rootkit; no questions were asked.

    Social engineering is a bitch.

  • Eric M Russell (10/28/2011)


    IceDread (10/28/2011)


    Even with the perfect security system there are always ways around it. Social engineering, bribery, threats. Someone wants to know something and perhaps you as DBA execute the query or install the rootkit.

    However, that does not mean we should give up; there are lots of improvements to be done and securing USB is one thing.

    If I, on the other hand, were to lift my computer up onto the desktop and swap the hard drive, no one would probably ask me about it. However, if an econom does it, there should be some raised eyebrows.

    Hopefully, no one in the IT department is susceptible to bribery or threats. However, physical access and social engineering are a potential weak point in any organization. If someone can poke their head in the server room, then all they have to do is announce the following:

    "Hey guys, we've got Starbucks coffee, doughnuts, and Chick-fil-A biscuits in the break room. Help yourselves!"

    Within moments, they have the server room all to themselves. :-P

    As long as people are in the equation, security is never airtight. :-D

    "Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"

  • TravisDBA (11/4/2011)


    As long as people are in the equation, security is never airtight. :-D

    Ha, as long as we have people, I think security holds water like a colander.
