During the five months when Gary Min was stealing $400 million worth of proprietary information from a DuPont database, he downloaded and accessed more than 15 times as many documents as the next most active user of the system. But he wasn’t caught until after he left the company for a rival firm.
Min pleaded guilty last November to misappropriating DuPont data and is scheduled to be sentenced on March 29. His case is only the latest to highlight a lack of internal controls at many companies for dealing with insider threats. In February, a cell development technologist at battery maker Duracell admitted to stealing research related to the company’s AA batteries, e-mailing the information to his home computer and then sending it to two Duracell rivals.
Dealing with such risks can be challenging, especially in large corporations, says Tom Bowers, former manager of information security operations for the global security division of Wyeth Pharmaceuticals Inc.
“I am not at all surprised” about what happened at DuPont, says Bowers, who is now managing director at Security Constructs LLC, a Fleetwood, Pa.-based consultancy. “When you have a huge multinational like that, your security department is never really going to fully have any realistic idea of where or how the information is flowing,” he says.
But there are ways to mitigate the risks and keep track of what’s going on inside the firewall. Experts suggest taking the following steps:
1 Get a handle on the data. It’s impossible to set controls for sensitive and proprietary information on your network if you don’t even know where that data is.
An organization’s sensitive data is widely distributed throughout its network, says Eric Ogren, an analyst at Enterprise Strategy Group Inc. in Milford, Mass. Important data resides not just in databases, but also in e-mail messages, on individual PCs and as data objects in Web portals. Sensitive information also comes in many forms, including credit card and Social Security numbers. And trade secrets can be found in many types of documents and files, such as customer contracts and agreements and product development specifications, Ogren says.
Implementing one set of controls for all data types can be inefficient and impractical. Instead, categorize data and choose the most appropriate set of controls for each data class. Tools that automatically scan company networks and identify where sensitive data resides are available from vendors such as Reconnex Inc., Tablus Inc. and Websense Inc., and such products are growing in number. Many of these tools can be used to separate data into different categories based on policies defined by a company.
2 Monitor content in motion. As companies Web-enable their businesses and link up with networks belonging to partners, suppliers and customers, it is vital to keep track of what’s flowing over those networks. Content monitoring was a core “foundation piece” for Wyeth’s data protection strategy, Bowers says. With so many network “egress points” for data, it is vital to be able to monitor network traffic, he says.
Vendors such as Vericept Corp., Vontu Inc., Oakley Networks Inc., Reconnex and Websense all sell products that inspect e-mail, instant messaging and peer-to-peer file-sharing systems, as well as Web postings and FTP sites, for data that may be exiting a network in violation of company policies. The tools sit near network gateways and are designed to issue alerts when they find suspicious data packets. Many of the products can also be used to enforce actions such as blocking data or encrypting it when it leaves the network.
Such content-filtering tools allowed Wyeth to “look at everything coming in and going out of our networks,” Bowers says. “We monitored all ports and all protocols for content.”
3 Keep an eye on databases, which can contain a company’s informational crown jewels. You should know not only who’s accessing databases, but also when, where, how and why they’re doing so. Database monitoring tools that are designed to allow companies to monitor database access and activity are available from companies such as Imperva Inc., Guardium Inc., Application Security Inc. and Lumigent Technologies Inc. Such products are designed to keep an eye on what users and administrators are doing with their access privileges and either prevent certain actions — such as modifying, copying, deleting or downloading large sets of files — or send out alerts when someone attempts one of those actions. They also can provide clear audit trails that track when people try to act outside of corporate policy.
Encrypting sensitive data in databases is another measure companies should consider, if they haven’t done so already.
4 Limit user privileges. Most companies give employees far more access than they really need, says Amichai Shulman, chief technology officer at Imperva. Monitoring user access to mission-critical data and detecting unauthorized access to high-risk data are key steps to take.
Create access policies that limit users’ network privileges strictly to what is required for their jobs, and set controls for enforcing those policies, Shulman says. For instance, have controls that issue alerts when someone who might normally work with about 10 documents a day suddenly starts accessing a lot more, he says.
Making access control decisions on an “insider vs. outsider” basis is overly simplistic, says Matt Kesner, CTO at Fenwick & West LLC, a Mountain View, Calif.-based law firm. Sometimes an outsider may legitimately need equal or greater access to internal assets than what an insider would need. For example, Fenwick & West’s client extranets are used by clients to collaborate with the firm’s attorneys, Kesner says, noting that external users are sometimes “more interested in our data” than insiders.
5 Cover those endpoints. The proliferation of portable devices, such as laptops and handhelds, and removable media, such as USB memory sticks and iPods, makes it easier than ever for rogue insiders to walk away with gobs of corporate data. Companies must develop measures for centrally controlling and monitoring which devices can be attached to corporate networks and systems and what data can be downloaded, uploaded and stored on them. Doing that can be a challenge, but several tools are becoming available that promise to make the task easier, including products from Code Green Networks Inc., ControlGuard Inc. and SecureWave SA.
“When it comes right down to it, very few companies have put in place effective controls that enable them to monitor internal systems closely and allow them to follow the movement of data” on their networks, says Alex Bakman, CEO of Ecora Software Corp. That means breaches can go unnoticed for long periods of time, he says.
6 Centralize your intellectual property data. It’s not feasible for a large company to protect intellectual property scattered in multiple systems, says Ira Winkler, an independent security consultant and a Computerworld.-com columnist. Therefore, storing intellectual property data in a centralized document library system whenever possible makes for better security and information sharing, he says.
“Normally ‘putting all your eggs into one basket’ has a negative connotation,” Winkler says. But in this case, he says, it’s easier to protect one system than it is to protect numerous systems.
Find out more about Web 2.0 Security:
- Keeping Secrets in a WikiBlogTubeSpace World
- Your Gadgets Are Springing Leaks
- Web 2.0 Survival Tips
- See the full Web 2.0 Security report
- FAQ: Web 2.0 basics