The crime of data theft is one of the most under-reported and difficult to detect crimes of the 21st century.
Data is the currency of the information age. Hackers, spammers, and other computer criminals are in a constant arms race with security professionals as they seek to find new ways to steal information. As the amount of digital information increases every year, it becomes increasingly difficult to prevent its unauthorized disclosure.
John McCumber, a very seasoned information security professional, once shared with me that at a minimum, the essential steps to safeguarding information include at least five steps:
- Identify what information resources you have
- Prioritize your information resources in terms of business significance
- Determine the “states” in which you must protect the information (storage, transmission, processing)
- Implement security countermeasures that reduce your residual level of risk to an acceptable level
- Re-evaluate your resources and corresponding countermeasures over time
Information security is as much art as it is science. As a community resource, I’ve decided to post major stories related to data theft to raise awareness of the frequency and variety of data theft.
Stories related to data theft in the news
Workplace data theft runs rampant BBC On-Line
ChoicePoint data theft Fallout Spreads to 145,000 Internet News
Congressional Testimony on Theft of Electronic Data US House of Representatives
Data theft affects 145,000 nation wide MSNBC
Lock that USB port to stop casual data theft Engadget
Suspect in SJ Medical Data Theft to be in Court CBS
Atlantis Resort on Paradise Island Admits Data Theft NewsInferno.com
50 million identities stolen in US Washington Post
Ford discloses employee data theft UPI
Data breaches worst ever last year Seattle Times
Portable storage devices: the curse of convenience InfoWorld
Wave of Data Theft Causes Corporations to Consider Network Risks Aon Focus
USB Devices offer Old-School Way to Steal Data CNet
Time to Get Physical (Physical Security and Data Theft) Redmond Magazine
Data Theft Detective Work Begins at the Office TechTarget
Beware Christmas Data Theft Dangers, Warn Police ComputerWeekly
Data Theft grew 650% over past three years US Department of the Interior
Ubiquitous Technology, Bad Practices Drive Up Data Theft Washington Post
Arrest in Wells Fargo Data Theft SFGate
University Suffers Massive ID Data Theft ZDNet (yikes- George Mason is my alma mater!)
Guidance Software Investigating Stolen Data InternetNews
The MarketPlace Report: Consumer Data Theft National Public Radio
Prevent Data Theft Using Removable Devices Get Safe Online Coalition
Data Theft by Camera Phone The Institute of Internal Auditors
Data Theft in Arizona EHealth Confidentiality Policies
Don’t Let Data Theft Happen to You New York Times
Former Bank Employees Are Charged In Data Heist InformationWeek
Scope of bank data theft grows to 676,000 customers ComputerWorld
Police Probing Data Theft from Information Security Company Employee Baltimore Sun
MCI Data Theft Intensifies Encryption Debate eWeek
Data for 600,000 Time Warner Employees MIA Cnet
Bank Alerts Customers to Data Theft Washington Post
Insiders May Pose Biggest Data Theft Risk SiliconValley.com
Security Pro says Companies Face Some of their Biggest Data-Theft Threats from their own Employees Red Herring
iPods Open Backdoor for Data Theft VUnet
Money Lost on Piracy and Data Theft CSO Online
Julius Baer Confirms Data Theft Finextra
Stories from information security mailing lists
Computer Containing Airline Ticketing Info Stolen InfoSec News
Data Theft: Ethics Example ST-ISC
Another Laptop Stolen Containing Banking Records ST-ISC
Bank Rhode Island Customer Information Stolen InfoSec News
A Tough Lesson on Medical Privacy ST-ISC
Law Office Theft ST-ISC
Wells Fargo Data Theft ST-ISC
Firms Loses Secrets of 180,000 clients InfoSec News
Motions Set in Technology Espionage Case InfoSec News
Info-Theft in Japan is Setting Price of Personal Data ST-ISC
Hacker Gets Acxion Custom Information InfoSec News
Game Biz Mystified by Code Theft InfoSec News
The Wells Fargo Example Focus-Virus
Laptop Security Full Disclosure
University of Miami discloses privacy data disclosed Dshield
Healthcare Security Incidents: Summary Incidents list on SecurityFocus
Security with USB Devices Pen-Test list on SecurityFocus
Coke Says Insider Got Personal Data on 450 other Employees InfoSec News
Sacked Staff Turn to Sabotage InfoSec News
Removable USB Devices DShield
Removable USB Devices (continued) DShield
How to Foil Data Thieves InfoSec News
USB Port & Access Protection SecurityBasics
802.11b USB Wireless Stick WindowsSecurity
Disable USB on a Per User Basis Focus MS
USB and Smart Drives SecurityBasics
Data theft is a topic that I feel very strongly about. Over the past five years, IT organizations have rapidly matured their network security architectures by integrating firewalls, intrusion detection systems, anti-virus and anti-spam products. The state of information security at most organizations’ network perimeter has improved by an order of magnitude. That’s the good news.
The bad news is that information security is not entirely about protecting networks; it is really about protecting data. Concurrent with the rapid improvement of network security, there has been a vast proliferation of personal media players (e.g. iPods) and portable storage devices. In the past quarter, Apple sold more than 14 million iPods, bringing the total number of iPods in the world to over 42 million. Firewalls, intrusion detection systems, and anti-virus technologies don’t do anything to protect against data theft that occurs with portable USB devices. As global networks converge and computers become increasingly accessible, security must shift from being network centric to being data centric.
In 2005 I created a small application named slurp.exe that ran off of iPods. Slurp was created to show how easy it is to steal large amounts of data from corporate PCs using mobile devices like iPods, and it reinforced the fact that organizations desiring comprehensive security must have strategies in place that address the endpoint.
I released slurp publicly as a “crippleware” application that had reduced functionality (I didn’t want it to become a tool of hackers and script kiddies). The results were surprising! I received scores of e-mail messages from security professionals, IT leaders, iPod users, and the media. In July 2005 there began a community consciousness that the security implications of data storage devices must be considered. I recently released slurp 2.0; you are welcome to download it to assess the vulnerability of your data on corporate systems.
I recently downloaded an evaluation copy of the DeviceWall application from Centennial Software. This entry on my web site details my impressions of the product.
Bottom Line Up Front:
It was very easy to set up and once running, DeviceWall completely blocked devices running slurp. I was particularly impressed with DeviceWall’s integrated auditing feature that keeps track of all attempts to connect and use external storage and communication devices. This was an unexpected add-on that proves very useful.
In every case, DeviceWall successfully protected against unauthorized use of external computing devices (such as USB thumbdrives, iPods, CDROMs, 802.11 wireless and the like).
Detailed Review:
DeviceWall is a policy centric, role-based access control mechanism for defining very specific privileges and security constraints in a Microsoft Windows environment. It is promoted as an “intelligent PC lockdown” application for endpoint security. (A brief point of clarification: endpoint security is synonymous with host security).
Based on my continued interest in data theft, I decided to take it for a test drive to see if it lived up to its description.

DeviceWall has a clean, efficient user interface for creating security policies pertaining to PDAs, optical drives, storage devices, and communication ports. Like many other enterprise security components, DeviceWall has two major components: a DeviceWall Server (for maintaining policy information and audit logs) and DeviceWall clients (software agents that enforce security policy on end-user workstations).
Installation of the server was a snap; I was up and running in a few minutes.*
The use of the application is fairly intuitive. An administrator selects a device (or class of related devices) and then selects the corresponding privileges that he wants a user or group to have with the selected device. If the administrator decides not to restrict privileges, he can still configure DeviceWall to audit the use of PC devices.
This auditing mechanism could be very useful in an organization that is not certain what their risk level is nor what device types employees need to be maximally productive.
As organizations that have had a major security incident can attest, it is much less expensive and time consuming to review what happened in a security incident by checking security audit logs than it is to try to forensically reconstruct data from an exploited computer.
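The value of the auditing feature lies in being able to review device activity after the fact. As an added example (not DeviceWall’s own log format or code), the following Python script parses a constructed set of device-audit lines in a hypothetical `key=value` layout, tallies outcomes per user and device class, and flags two patterns a reviewer would want to look at: repeated denials on the same device (a policy dispute or a persistent attempt) and a run of allowed writes to removable media (legitimate, but worth a second look). The field names, thresholds and sample lines are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample audit lines in a hypothetical format; not DeviceWall's real log format.
SAMPLE_LOG = """\
2006-03-01 09:12:04 host=WS-017 user=abe device=USB_FLASH action=CONNECT result=DENIED
2006-03-01 09:12:09 host=WS-017 user=abe device=USB_FLASH action=CONNECT result=DENIED
2006-03-01 09:12:15 host=WS-017 user=abe device=USB_FLASH action=CONNECT result=DENIED
2006-03-01 10:02:41 host=WS-022 user=heather device=USB_FLASH action=READ result=ALLOWED
2006-03-01 10:03:10 host=WS-022 user=heather device=USB_FLASH action=WRITE result=DENIED
2006-03-01 11:45:00 host=WS-031 user=carol device=IPOD action=CONNECT result=ALLOWED
2006-03-01 11:46:12 host=WS-031 user=carol device=IPOD action=WRITE result=ALLOWED
2006-03-01 11:46:30 host=WS-031 user=carol device=IPOD action=WRITE result=ALLOWED
2006-03-01 11:47:02 host=WS-031 user=carol device=IPOD action=WRITE result=ALLOWED
"""

# One regex per line; any line that does not match is reported rather than silently skipped,
# because a gap in an audit trail is itself something a reviewer needs to know about.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"device=(?P<device>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn raw audit text into a list of event dicts."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable audit line: {raw!r}")
        events.append(m.groupdict())
    return events


def summarize(events):
    """Count outcomes per (user, device, result) to show who is using which device class."""
    return Counter((e["user"], e["device"], e["result"]) for e in events)


def find_review_items(events, denied_threshold=3, write_threshold=3):
    """Return (reason, (user, host, device), count) tuples for activity worth a human look."""
    denied = Counter(
        (e["user"], e["host"], e["device"]) for e in events if e["result"] == "DENIED"
    )
    writes = Counter(
        (e["user"], e["host"], e["device"])
        for e in events
        if e["result"] == "ALLOWED" and e["action"] == "WRITE"
    )
    items = []
    for key, n in sorted(denied.items()):
        if n >= denied_threshold:
            items.append(("repeated-denials", key, n))
    for key, n in sorted(writes.items()):
        if n >= write_threshold:
            items.append(("bulk-write-to-removable", key, n))
    return items


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (user, device, result), n in sorted(summarize(evs).items()):
        print(f"{user:8} {device:10} {result:8} {n}")
    for reason, key, n in find_review_items(evs):
        print(f"REVIEW {reason}: {key} x{n}")
```

The thresholds are deliberately low so the sample data trips both rules; in a real deployment they would be tuned to the organisation’s normal device usage, which is exactly what the author suggests running the audit-only mode to discover.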
My initial test was to restrict USB thumbdrive and iPod device permissions for the user “Abe.” After restricting device privileges for the “Abe” account, I tried logging in and using my slurp application to grab business files from the hard drive. DeviceWall intercepted the connection and prevented me from slurping any data. So far, so good.

DeviceWall helps administrators keep track of changes to security policies through a policy change log (pictured above). This is especially important, as most organizations’ security policies change over time and it is essential to be able to grant users privileges that are congruent with the current policy. I made several changes as a DeviceWall administrator; each of the policy changes was appropriately logged.

DeviceWall can optionally provide users with login information on what resources they are allowed to use (and remind them that their actions are being monitored). In the example above, I was logged in with an administrator account and had unrestricted access to all devices. The pop-up warning is a convenience message that can be disabled; I like leaving it on though - it looks like it could help keep honest people honest.

Occasionally special needs arise that merit a change to a system’s configuration. If a user needs temporary access to an input-output device they may contact a system administrator, who may then grant them temporary privileges across the network. What is interesting about this set up to me is that when a user contacts an administrator to get temporary access, he must provide an access code that is unique to his computer. This is clever, as it protects against “social engineering” attacks where a user attempts to gain access to another system under a false pretext.

In the example above you can see that Abe, Heather, and members of the “users” group all have privileges to use Palm OS Devices. Privilege assignment can be as simple or complex as you desire. DeviceWall allows the assignment of privileges by user groups. This is very helpful, as administrators can assign privileges based on roles (e.g. salesman, accountant, IT helpdesk, VP) which drastically reduces the amount of administration required for maintaining the security policies over time.

In this example you can see that Heather has read permissions for USB flash disks, but may not write to such devices. If a user does not have explicit permissions for a given device type, they may still inherit privileges based on the groups that they belong to.

If two sets of conflicting privileges exist for a given user, the more restrictive permissions are applied. This is generally a good thing, as it closes loopholes where a user obtains privileges inappropriate for their realm of responsibility.
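The three rules described above (privileges assigned to groups, inheritance by users who have no explicit grant, and most-restrictive-wins when grants conflict) are easy to get wrong in a home-grown access-control scheme, so here is a small Python model of them, added as an example. It is not DeviceWall’s data model or code; the `Policy` and `Grant` classes, the device class names, the default-deny behaviour for a user with no applicable grant, and the expiring grant used to stand in for the temporary-access feature are all assumptions made for illustration. The sample policy mirrors the review’s own examples: Abe, Heather and the “users” group may use Palm OS devices; Heather may read but not write USB flash disks; Abe’s USB and iPod access is restricted.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Hypothetical policy model constructed for this example; not DeviceWall's data model.
READ, WRITE = "read", "write"
ALL_RIGHTS: FrozenSet[str] = frozenset({READ, WRITE})
NO_RIGHTS: FrozenSet[str] = frozenset()


@dataclass
class Grant:
    rights: FrozenSet[str]
    expires: Optional[datetime] = None  # None = permanent; temporary grants carry an expiry


@dataclass
class Policy:
    # user -> groups the user belongs to
    members: Dict[str, Set[str]] = field(default_factory=dict)
    # (principal, device class) -> grants; a principal is a user name or a group name
    grants: Dict[Tuple[str, str], List[Grant]] = field(default_factory=dict)

    def grant(self, principal, device, rights, expires=None):
        self.grants.setdefault((principal, device), []).append(Grant(frozenset(rights), expires))

    def effective_rights(self, user, device, now):
        """Gather every unexpired grant that applies to the user, directly or through a group,
        and return their intersection, so a conflict resolves to the more restrictive set.
        With no applicable grant at all the result is empty (default deny: an assumption here)."""
        principals = [user] + sorted(self.members.get(user, set()))
        applicable = []
        for p in principals:
            for g in self.grants.get((p, device), []):
                if g.expires is not None and now >= g.expires:
                    continue  # temporary grant has lapsed
                applicable.append(g.rights)
        if not applicable:
            return NO_RIGHTS
        result = ALL_RIGHTS
        for rights in applicable:
            result &= rights  # intersection: the most restrictive applicable grant wins
        return result

    def allowed(self, user, device, action, now):
        return action in self.effective_rights(user, device, now)


def build_sample_policy():
    """Constructed to mirror the review's examples."""
    p = Policy(members={"abe": {"users"}, "heather": {"users", "sales"}, "carol": {"users"}})
    p.grant("users", "PALM_OS", {READ, WRITE})      # group grant, inherited by every member
    p.grant("heather", "USB_FLASH", {READ})          # explicit read-only for Heather
    p.grant("sales", "USB_FLASH", {READ, WRITE})     # broader group grant: loses to the explicit one
    p.grant("abe", "USB_FLASH", set())               # restricted, as in the first test
    p.grant("abe", "IPOD", set())
    return p


def demo():
    """Evaluate a handful of access decisions, including a one-hour temporary grant for Carol."""
    p = build_sample_policy()
    t0 = datetime(2006, 3, 1, 9, 0)
    p.grant("carol", "USB_FLASH", {READ, WRITE}, expires=t0 + timedelta(hours=1))
    return {
        "abe_palm_write": p.allowed("abe", "PALM_OS", WRITE, t0),               # True, via 'users'
        "heather_usb_read": p.allowed("heather", "USB_FLASH", READ, t0),        # True
        "heather_usb_write": p.allowed("heather", "USB_FLASH", WRITE, t0),      # False: read-only wins
        "abe_usb_read": p.allowed("abe", "USB_FLASH", READ, t0),                # False: restricted
        "carol_usb_write_now": p.allowed("carol", "USB_FLASH", WRITE, t0 + timedelta(minutes=30)),  # True
        "carol_usb_write_later": p.allowed("carol", "USB_FLASH", WRITE, t0 + timedelta(hours=2)),   # False
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} {'ALLOW' if decision else 'DENY'}")
```

Modelling conflict resolution as a set intersection is what makes the “more restrictive wins” rule hard to get wrong: adding Heather to a more permissive group can never widen what she may do on a device for which she already has an explicit grant, and a temporary grant simply stops contributing once it expires.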
Conclusions:
The good
- Comprehensive protection against a wide spectrum of data theft threats to workstation PCs and laptops.
- Protected against slurp.exe and other attempts to directly subvert system security.
- Extremely granular control over what device types may be used by specific users and groups.
- The GUI is easy to use.
- Provides mechanisms for granting temporary access to users.
- Easy to maintain through policy driven enforcement.
- Integrates with Windows Active Directory.
- Software agents can be deployed remotely.
The bad
- The DeviceWall server requires SQL Server and the IIS web server as prerequisites. While neither SQL Server nor IIS is difficult to set up, if your IT staff don’t have them running already it will add a small amount of additional overhead to your IT operations.
- A scriptable / programmable API for controlling access on remote computers is not bundled with the application. An API would be helpful to have (to enable automation of some security policy changes).
- As best as I can tell, DeviceWall does not currently integrate directly with Security Incident Management (SIM) applications like ArcSight and Intellitactics. It would be helpful to be able to integrate DeviceWall’s audit data with a SIM tool.
Overall
DeviceWall is a capable application for locking down PCs and protecting corporate data. While DeviceWall was active on my test set up, I could not find any methods of subverting its security. Organizations with strict requirements for data confidentiality and integrity should consider DeviceWall as a possible solution.
* If you don’t already have a running copy of Microsoft IIS web server and the SQL Server database, set up could take much longer.