Nine Ways to Stop Industrial Espionage 351
An anonymous reader writes "IT staff are in the unique position that if they are nosy, immoral, greedy or corrupt that can get at what they want within their company at the touch of a button. The corporate crown jewels are usually left open and exposed to the IT guys. So how do you protect your corporate crown jewels from staff that can so easily be bribed to steal them and hand them over to a competitor?" I can't imagine having to be paranoid about employees. That seems to me to be a bigger problem than hardware.
Keep them happy? (Score:5, Funny)
Re:Keep them happy? (Score:4, Funny)
Re:Keep them happy? (Score:5, Funny)
Seperation of Duties (Score:2, Insightful)
That is what we do in my shop. Usually there are still some people who can reek havoc on things...esp. people who know what they are doing.
From my personal experience, unless properly implemented...which it usually isn't, seperation of duties is just a joke for security and makes legitimate work take 2x as long.
Re:Seperation of Duties (Score:2)
As far as keeping the IT people happy, try celebrating sysadmin appreciation day [sysadminday.com] next year.
Trusting the temps (Score:5, Interesting)
Anyway, I put a picture of Claudia Schiffer in a evening gown on my PC as background wallpaper. A few days later I get escorted by an armed guard to the human resources office about a kilometer away and get fired for 'creating an environment conducive to sexual harassment'. Since I had all the codes and badges to access the loading dock, I was tempted to just rent a truck, drive up, and take all the printers and either dump them in the ocean or sell them myself. Of course, according to Hewlett-Packard, I was 100% trustworthy because I passed a marijuana piss test so I was beyond suspission were the items to be found missing.
I didn't steal anything from them, but I was tempted to because I was so pissed at them. Of course, it came as no surprise to anyone that a few years later the morons who run H-P would just roll over and let Carly trash the entire company to the point where they felt relieved that they could finally get rid of her by giving her 28 million dollars to just...go...away.
So, a word to the wise young people, don't work for insane morons like Hewlett-Packard if you want to have a long and prosperous career in the IT or electronics industry. Choose your employer carefully; believe all crazy rumors about your company management, study Dilbert seriously, be flexible, and always ready to just jump ship at any better job offer. The old mentality and social contract between employer and employee is over.
Re:Trusting the temps (Score:4, Insightful)
Re:Keep them happy? (Score:5, Insightful)
Re:Keep them happy? (Score:4, Insightful)
I can't agree more. IT people bear the load of clueless PHBs all the time and it's usually the clueless PHB who does things that break everything then bitches at IT when it takes a while to fix.
Treat your IT staff like gods, for that is what they are. Without them your technology company will fail. Pay them well, for they deserve it; if they make one 2AM trip to the office a year because someone working late bollocksed something on the day of a project deadline then the increased salary is worth it. Paying them minimum/market salary for their position won't inspire loyalty. It will just keep them looking for a better offer. Go 20% above average and you'll see more loyalty.
Include benefits. Pay for their mobile phone, get them a good one that they choose. Pay for their Internet access at home - it will pay for itself when you avoid some of those 2AM callouts. Get them a killer laptop PC. Keep it updated. If they are making a lot of callouts get them a company car; even a small runabout will make them happy if they don't have to wear out their own pride and joy coming into work out of hours.
Also, get more IT staff. We have 2 people in our building servicing about 25 people. They are kept reasonably busy but not too busy that there isn't time for them to duck out here and there and manage their lives or take a day of leave here and there.
Give them the flexibility to do their job. They need an expense account and the ability to make (justified) purchasses without the messing about of manager approval (ie. replaceing dead components). Obviously there has to be limits set there -ie, any purchase over $500 should require a manager's signature. Red tape for run of the mill tasks is just annoying and is a good reason for IT staff to move elsewhere; if they feel you want to oversee every little purchase they make they will feel like you're reserving the right to second-guess them.
That brings me to the final part... trust them. Trust is recriprocated. If you don't trust them, they won't trust you. If you trust them a reasonable amount they will feel more comfortable about trusting you in return. If they feel you don't trust them they will start to be surreptitious in their dealings and you will lose visibility into what they're doing.
Finally, if it's that important that IT shouldn't be exposed to it then encryption can help. If it's already coded by the time it gets to the network/disk then they won't be able to access or sell it anyway.
Make sure you have good justification for that when you do it; the HR database with everyone's personal details is on good example of something that you could justify encrypting because the details are private and even IT doesn't have a right to see other employee's details.
Re:Keep them happy? (Score:3, Interesting)
None of which helps you any when you're the manager trying to keep such things from happening. Which was what this story was about.
Re:Keep them happy? (Score:3, Insightful)
Re:Keep them happy? (Score:3, Insightful)
I suggest that
Re:Keep them happy? (Score:5, Funny)
Of course not. When the Fuhrer tells you to kill Jews, you just do it, right? It doesn't matter that it counts as "bad", "in a civilized society" we obey the alpha male without question.
Damned straight! Put that goddamned hippy back in his place. I'll bet he takes pencils from work, too...
Re:Keep them happy? (Score:2)
Easy! (Score:5, Funny)
Re:Easy! (Score:2)
Re:Easy! (Score:3, Funny)
http://en.wikipedia.org/wiki/Reason_(weapon_syste
Re:Easy! (Score:2)
Re:Easy! (Score:2)
* snicker snicker evil laugh *
Encrypting backup (communication and storage) (Score:5, Insightful)
Re:Encrypting backup (communication and storage) (Score:2)
Re:Encrypting backup (communication and storage) (Score:3, Insightful)
Re:Encrypting backup (communication and storage) (Score:3, Interesting)
There is a "rule" in the security field: If someone has physical access to a machine, you cannot make it secure. Why? Someone could boot the machine with a Live CD and bypass any security that is in place. You could even install a rootkit. Even encryption doesn't help since the system has to know the key at some point, and with a rootkit, you have that key too. Now, before any discusses removing optical drives, or BIOS passwords, this is IT and they know how to install a drive and bypass the
Re:Encrypting backups with public keys (Score:3, Insightful)
But someone has to keep the private keys. Do you trust that person? Is it practical to have only one person controlling the keys? If they are out of town and you need to do a restore, you're screwed.
Anyway, none of this does any good if the admin can access the data as it is in production. G
Your staff are the jewels... (Score:5, Insightful)
Re:Your staff are the jewels... (Score:4, Insightful)
I came in here to say pretty much the same thing:
Thats really all there is to it
Re:Your staff are the jewels... (Score:5, Interesting)
Bad leadership is worst than none. Good leadership is important. Good leaders, team leads, managers are people who make you not just work, but actually WANT to work for them. People who you can be like when everything else hits the fan, its not just that you care about your job, but you actually respect them and want to work because you know they will get shit if you fail.
Pay is nice, but its community and social pressures that people really respond to. Its that "we are all in this together" attitude that binds a team together and makes them really get the job done. I think the most important aspect of a leader is the ability to catalyse that in his team.
The best defense against this sort of thing is teams that are close enough that no member would betray the team because, they would be betraying people who they respect.
This is one reason why I like working for nonprofits that are doing things that I like, where I can get behind the corperate mission and be proud to be a part of what we are doing. Hence, I work in healthcare.
-Steve
Re:Your staff are the jewels... (Score:2)
Re:Your staff are the jewels... (Score:2)
Re:Your staff are the jewels... (Score:2)
I was curious if you'd stick with the 'anyone' or if you'd back down some more than anything. And I guess you did with the bit about people having larger estates than others, so you're OK with people making a ton of change, you'd just like to see a more equitable distribution of the wealth.
I'd not have agreed with you in the past, but I'm mellowing in my old age.
Re:Your staff are the jewels... (Score:3, Insightful)
I still think that in general terms capitalism is the best system...
I think if you look at what countries are doing a regulated capitalism with a healthy dose of socialism for medical care and basic necessities seems to be the best solution anyone has tried on a large scale. In reality, I think this is a bit of a cop out though. Communism is more efficient for small units than capitalism, but breaks down when the units get too large. For example, very few people would argue that capitalism is a good mode
Re:Your staff are the jewels... Communism (Score:3, Informative)
With a family unit, absolutely. But in a family unit, there is typically a head of the household who is ultimately responsible for the family's economic wellbeing,
Re:Your staff are the jewels... (Score:3, Insightful)
A social safety net also encourages people to sit back, do nothing and just take take take, at the expense of those of us that work hard.
You work hard eh? Me too. That does not mean most people who make the most money do though. Most of the wealth in this country is controlled by people who simply inherited it and did not work for it at all. It is a myth that hard work is the way to earn money. Statistically, that is just not the case. People who have money to start with make money by doing nothing.
If y
Re:Your staff are the jewels... (Score:3, Interesting)
Any statistics or did you just make that up?
The numbers as I recall are the top 1% controls 30%, the top 10% of people controls more than 50% of the total wealth, the next 40% controls the rest and the bottom 50% breaks even between debt and assets. Further, I think in 2004 there were 8 people in the top 1% that had not been born into that position (inheritance). There are lots of studies out there that show numbers on this and the US census data supports the trend although they ignore incomes over 1 mil
Re:Your staff are the jewels... (Score:3, Insightful)
Or we could build a great wall! Or a pyramid!
Hell, I think space exploration is a worthy pursuit for mankind, but I feel extremely wary of anything like an Official National Goal. We've got enough problems with the ruling party's unofficial national goals as it is*. No need to encourage them. But seriously, a National Goal is only possible
Re:Your staff are the jewels... (Score:2)
then I am a self described socialist.
You repeated yourself. :)
Re:Your staff are the jewels... (Score:4, Insightful)
Re:Your staff are the jewels... (Score:2)
Easier solution (Score:2)
Re:Your staff are the jewels... (Score:4, Insightful)
Re:Your staff are the jewels... (Score:2, Insightful)
Re:Your staff are the jewels... (Score:5, Insightful)
Re:Your staff are the jewels... (Score:3, Insightful)
But this precludes the McEmployeeisation of IT.
From an MBA perspective, tech replaces people. So if you can implement tech to monitor/stop people from doing anything when you don't treat them fairly, (or when you hire subs
Re:Your staff are the jewels... (Score:2)
Re:Your staff are the jewels... (Score:2)
paranoia will destroy ya (Score:4, Insightful)
Re:paranoia will destroy ya (Score:5, Insightful)
Putting locks on doors is a reasonable preventative measure that keeps honest people from opening them. It does not "stop industrial espionage."
TFA is Slashdotted, but the impression I get from the summary is that it's written from the mentality of trying to have a workplace that's protected against *dishonest* employees. Completely protecting against them is impossible. Making it extremely difficult for them to commit industrial espionage is possible, but the result is a workplace that isn't very fun - I know someone who used to work at the NSA, which obviously has similar protection concerns, and I'd never be able to put up with the level of surveillance and security they have.
I'm with CmdrTaco - hire people you think you can trust. If you're proven wrong, fire them. Don't give people access to sensitive data until they've proven that they're trustworthy, and if you have something that can't leak outside the company no matter what, don't put it somewhere that anyone else can get to it.
Re:paranoia will destroy ya (Score:5, Insightful)
But back in reality land, sometimes things go wrong. People are not always what they appear to be, and a good employee can sometimes become embittered. Assuming otherwise is naive, and perhaps a little arrogant. Are you such a good judge of character that you can pick out the sociopaths from the crowd? Might I suggest you aren't.
And apart from malfeasance, sometimes people make mistakes. Sometimes they type "rm -r *" when they are not in the directory they think they are in.
I'm not suggesting massive security measures, but reasonable steps can go a long way. Even moderate security is worthwhile and, I think, appreciated by the employees.
P.S.: CD stands for CmdrDaco (apparently). Apologies to CT.
Re:paranoia will destroy ya (Score:3, Funny)
Of course it does! What spy would want to have this conversation at the monthly meeting:
Article text (Score:3, Informative)
---
Nine Ways to Stop Industrial Espionage
by Calum Macleod - European Director of Cyber-Ark - Wednesday, 2 August 2006.
If we're honest every one of us imagine what we'd do with a few million in the bank. The yacht in Cannes, the private jet in Nice, possibly our own football team, and maybe a few other high maintenance accessories top our list of must-haves. But of course the question is how to get there. Working till I'm too old to enjoy it is one option but of course there is an alternative; the lottery, online poker, a rich widow, stocks and shares - increasingly risky these days - or why not simply help myself to something very valuable.
After all if I'm working in IT I probably have access to the corporate crown jewels. And that could be anything; source code for the next money spinning application that will be released, credit card details for thousands of customers. Recently a Coca-Cola employee and two accomplices were arrested in Atlanta for allegedly stealing confidential information from the Coca-Cola and trying to sell it to PepsiCo.
In fact it's actually quite easy because if I'm working in IT I have access to systems with all kinds of privileged information. Here is my employer thinking that his M&A data is safe and I'm allowed to a free access to the servers storing the data. I can help myself to whatever I want and no one will ever know. And of course it's much easier now than it was when I first started this job. Then I somehow had to get out of the building with everything under my arm, but now I have dozens of ways to get it out. Just make my choice - mobile, USB stick, email attachments, VPN access from home and no one will ever know! And of course it may not even be my employer, just some company that we provide outsourcing services for - it's never been easier!
The problem often lies in the fact that we are constantly tempted because the corporate jewels are literally just lying around where anyone can find them. The problem for today's enterprise is that the transfer of information is increasingly time-critical and the traditional approaches such as FTP and secure email are awkward to manage, and often lack the security mechanisms that sensitive data demands, thus making the risk of leakage very possible. And where it becomes really challenging is when you need to share information with business partners. So here are a few suggestions
>Do not expose your internal network
The process of transferring files in and out of the enterprise must be carried out without exposing and risking the internal network. No type of direct or indirect communication should be allowed between the partner and the enterprise.
Make sure that intermediate storage is secure
While information is waiting to be retrieved by the enterprise or sent to the business partner, it must reside in a secure location. This is especially critical when the intermediary storage is located on an insecure network, such as the enterprise's DMZ, outsourced site, or even the internet.
But encryption and other security mechanisms are not helpful if the security layers where the data is being stored can be circumvented, for example by a systems administrator. Encryption is good for confidentiality, but does not protect data from intentional deletion or accidental modifications. It is important to have a single data access channel to the storage location and ensuring that only a strict protocol, that prohibits code from entering, is available for remote users. In September 2004, an unauthorized party placed a script on the CardSystems system that caused records to be extracted, zipped into a file, and exported to an FTP site. The result was the exposure of millions of credit card details and the eventual demise of CardSystems.
Ensure that Data at Rest is protected
The cornerstone of protecting storage while at rest is encryption. Encryption ensures that the data is not readable and
Narrowminded author (Score:5, Insightful)
It also says to completely seperate the outside and inside network, which means that employees have no email, no google, no internet access at all.
It mentions nothing about compartmentalized access rights to various databases, with a different division of admins having responsability and access to only their systems.
In fact, all it does talk about is transmission interception (which is much less common than those problems mentioned above), and data security.
Re:Narrowminded author (Score:2)
Oh, God, I wish it was 3-6 months. I really do.
We seem to be on a 4-6 week schedule for some systems. And we have a bunch of disparate systems which variously change in groups and individually, usually without any warning. You end up with a laundry list of passwords, mostly sepa
Bribed (Score:2, Insightful)
Here is an idea. Pay them enough that this isn't a real temptation. Risking it all on a fast score isn't worth it, if you will be risking much.
Re:Bribed (Score:2)
Re:Bribed (Score:4, Interesting)
I never got bribed. I was hoping all the time.
Article is stupid (Score:4, Insightful)
Just to clarify (Score:5, Insightful)
1) Mandatory Access Controls (for example SELinux) on systems that hold confidential information.
2) Data encryption for confidential information using public/private key encryption. AES is NOT an answer here though you can use it for session encryption with Diffie-Hellman, etc. if necessary.
3) Training and loyalty of employees is critical.
4) Separation of duties, powers, and responsibilities.
But I guess this is harder than just throwing technology at such a problem.
AES & archival storage (Score:2)
Paranoia RPG (Score:2)
Baby sitters don't work (Score:5, Interesting)
I could have typed, or told him to type "cd
In the end, the only way you can police your IT people is to have IT people you can trust, which means that the managers have to know enough IT to know what is going on and what it means without micromanaging. Very few managers have that ability. Very few IT people have the management ability to cross-train into a high-level manager. I, myself, had to bring in someone else to help with the business/finance side when running my own company. I knew what I was doing but was simply not as good at the business side as the IT work and sales.
Re:Baby sitters don't work (Score:5, Funny)
Re:Baby sitters don't work (Score:2, Insightful)
This is appaling! I understand that to be in the military entails having a lot of stupid, senseless mind-numbing work, but this has to be the very lower bo
Re:Baby sitters don't work (Score:2)
Re:Baby sitters don't work (Score:4, Insightful)
Terrorists and politicians trying to get bills passed also likely have a saying:
It doesn't matter how many times you fail; you only have to succeed once.
Outsourcing (Score:4, Insightful)
Peter.
protecting the employees (Score:4, Insightful)
Security people know this. They know the only real solution is being very transparent about the fact that the IT person can't help them no matter how much pressure is applied.
It's easier for us to think about the corrupt employee since, gosh, we would never hire him. Nobody is safe from somebody willing to use violence to get what they want, and that's a scary thought.
Corporate IT? (Score:2)
Simple, I use Linux and set up a number of Linux servers
With any other topic, this would just have been sad,
Re:Corporate IT? (Score:2)
IT staff? (Score:2)
Re:IT staff? (Score:2)
Me neither. At the bank I work at, my manager keeps wanting to get us developers more and more access, not less. The more we have, the quicker we can do our job.
re: sales (Score:2)
The IT staff isnt usually the problem (Score:2)
You have to eventually trust your users and staff (Score:2)
double trouble (Score:2)
Not a technical problem (Score:5, Insightful)
If you really want a solution, it's got to be as much policy as it is technology. I'd start with, oh, making your employees sign an NDA, and making sure they're aware of what is a company secret (most companies like Apple, Sun, IBM, etc, have classifications just like the government, e.g. "Apple Secret", "Sun Top Secret"). Make sure they know what those secrets mean, e.g. "Our documents labelled Top Secret will probably cause us to lose our dominant position in the market if leaked." Then, you implement auditing on your data storage. If your IT guys start reading company business strategy memos off the file server, you probably won't catch them when it happens. But if it becomes obvious that those memos were leaked, you can go back through the audit logs and see if anyone read them that shouldn't have, and act appropriately (though don't just assume that that person leaked the info).
Bear in mind that the technical part of this 'solution' will probably fail. What you're trying to do is paradoxical. You're saying, "I ultimately trust these guys with the security of all of my information, but I don't completely trust them with the security of all of my information."
rubbish (Score:3, Insightful)
Who implements these nine ways? (Score:2)
I guess that leaves a 3rd party solution (read: consultants) and if your company trusts outsiders more than your own employees then there are bigger problems to solve.
And I have just the process for you to solve thos
Re:Who implements these nine ways? (Score:3, Informative)
Person A implements control X.
Person B independently reviews it, checks for backdoors, etc.
Person C builds the software on machine Y.
Person D deploys the software in production.
Person E generates the necessary keys and puts them on machine Z and in the safe (to avoid inadvertent data loss).
Without the keys, nobody can get at the data. The only person with the keys is person E, but they don't have access to the code, and can't deploy code onto the production machine.
As an IT person I _want_ controls like the
Advice from a tech guy :-P (Score:3, Insightful)
I am someone who is currently interning for a large fortune 500 tech company who is about to do some drastic changes to the way we do our business (today, actually). There's some serious lay offs going down here, garunteed. The business and marketing folks are as good as out the door. Us tech guys? Pfft, nothing to worry about. The fact is the reason your tech guys have you by the proverbial balls is because you're not educated enough to do their job. Heh, but the fact is, most anyone who has powerpoint and mediocre social skills can do your job. They reach their glass ceiling long before you do, however. They picked a trade with high security and low possibility of advancement. You picked a field with low security but high possibility of advancement. You can't have both unless you run your own business. Sorry.
If you're paranoid about your employees, then they are unhappy with you. The nature of most people is to be faithful to good leaders. Sure, there are exceptions to this rule, but I think it's pretty clear to me, that you do not have the faith of those you manage. Either that or you do not have faith in those you manage. The two generally play hand in hand. I'm with CmdrTaco on this one... I can't imagine having to be paranoid about those on your payroll. Remember, you have the power, and tech guys are becoming more and more common each day. Make them happy with you and then you'll have little to worry about. Make them happy with your company and then you'll have little to worry about.
And the #1 reason most SA's and programmers get frustrated with managers? The internal policy inhibits innovation instead of improving it. I had a manager whose personal policy was "to hell with policy" and I gotta say, he was the best boss I ever had. I know, for myself, if I want to do the best job I can. If policy interferes with that, then I feel as though I'm doing a bad job against my will. If this continues, yes, I'll hate my job, and I'll feel like it's the company's/manager's fault.
I rambled a little, but hopefully you can garner some advice from that.
Oh stop it. (Score:4, Insightful)
This kind of self-aggrandizing claptrap is just annoying. There's no way you could do their jobs. You suffer from the delusion that anything that isn't technical is simple.
Why is it that when people say, "the fact is", "the simple truth is", or "the reality is", they're almost always wrong about the topic under discussion?
Alrighty. (Score:2)
And you have no idea what you are talking about. NONE. Good luck with that.
You don't. (Score:4, Interesting)
And then, make absolutely sure you never forget the pass phrases, or whatever method you use to secure your side of the key.
All the backups in the world won't protect you from forgetting that vital phrase.
Oh, and it has to be non-obvious.
That being said, a good keylogger will most likely sniff that out, so if someone in IT is really after the goods, and is willing to face legal flak to get it, you're still back at the point of being stuck, unless you ensure all the business folk maintain their own machines away from IT, and support them entirely themselves, to a secure enough level that they won't fall victim to an attack when they connect to the corporate network, or a trojan in an email.
Like all solutions, the most workable is to ensure if someone is guarding secrets that are that potent and valuable, you make sure it's not worth their while to go scurrying off with them.. In other words, you treat them well, and remunerate them according to the value of their task..
If you force your IT staff to work over long hours, stiff them on their working conditions all for a flat low rate, you're asking for trouble.
Give them good conditions, and good pay (going to excellent pay for those sysadmins that are responsible for the really tasty info), and you're far less likely to suffer.
Technical solutions just won't work, as the people who know most about it are the ones you don't trust. Which defeats the whole object.
Use PK encryption and recovery keys (Score:2)
The recovery keys should be well-protected. Think "one disc in safe in CIO's office, second copy with corporate lawyer, third copy in bank safety deposit bank"
Check them carefully (Score:3, Interesting)
A few years ago, I was working in a company where we were developing products for sale to a few Federal groups. We interviewed numerous people for these jobs. One that was interesting was a chinese women living in C. Springs, married to a USA soldier. She had a masters in C.S. from china. At first, she was not all that interested. But once I mentioned the groups that we were selling to as well as discussed exactly what we were doing, she got very interested. Obviously, we shot that down as soon as she expressed interest in who were dealing with.
Upon cheaking her out, we found out was that she was a chinese national, but told us she was american citizen.
In another case, we had a guy that we interview another job. He was claiming to have a CS degree with loads of Linux experience. But when asked a set of questions, he missed them badly.
- How do you create a new process; you spawn it(did not know fork or exec).
- How do start a new process upon boot up (from the kernel or a central repository; he did not know about
/etc or /etc/rc.d/).
- asked about genearl sorts and only knew quicksort and bubblesort, but could not explain quicksort.
- did not know discrete math.
All in all, what I have found out is that you first have to check ppl very carefully. Then you still have to limit ppl to what they get to. Hopefully with vista, the MS world will start having security. That remains to be seen.Re:Check them carefully (Score:3)
Hey, I couldn't explain quicksort either, and I have over 25 years experience in programming and system administration. Any time I need to sort something, piping through 'sort' usually works just fine, and I don't really need to know how it works...
Ethics (Score:5, Insightful)
Studies have shown the most effective deterrent to theft is moral/ethical. If an employee has a good relationship with the company and their managers then they are unlikely to steal from the company, even if they know they won't be caught. If you treat your employees well, are understanding about their problems, and cultivate your relationship you have little to worry about. Talk to them and learn what their goals are and help them achieve it. Do they want to move up into management? Do they want to go to night school and become a programmer or a public relations person? Help them do it. If your employee has money problems, you should be the first person they come to, confident that you will help them work it out either with financial counseling, a pay raise, saving them money by letting them telecommute, or even loaning them the money they need and repaying it from their wages. You employees should not live in fear of being fired or laid off. If they aren't working out they should know you will talk to them and come up with either a new position for them in the company or help them find work elsewhere, while keeping them on in the mean time. Employees should know they are trusted, for breaking that trust is a deterrent. Employees should have a stake in the company, either stock or a bonus plan so they feel their hard work and good behavior means something.
If all of the above is taken care of, you employees will be a lot less likely to steal or do anything else to put the company out (like quit without notice). There is always the rare anti-social personality disorder, but that is a pretty rare case. If, however, you develop a "strictly business" relationship with your staff that is mercenary and impersonal you may have problems. When people don't care about their employer or dislike their employer and feel that they are in danger of being fired at any time, or their job outsourced, they will respond in kind. If the only reason you pay them is because it makes you more money in the long run, why shouldn't they sell the customer database or source code? If you hire mercenaries and treat them like mercenaries, don't be surprised when they act in their own best monetary interest.
If you decide to treat your employees like you are at war with them and need to be defended against them, you're likely to have more problems than any technical solutions you implement will benefit you. There are products that will build a relational model of your network and log all traffic and access to resources based upon DHCP IDs and the like. Between such a system and a good set of untouchable logs for your access controls you can develop an independent group to monitor your staff. If you really need it though, your company is already pretty doomed as your employees probably don't care anyway and are just doing the minimum necessary to get paid.
Reasonable treatment (Score:5, Insightful)
You can also create audit trails logging to multiple machines, each controlled by a different employee so that a conspiracy would be needed to avoid being caught. Reading and understanding those logs is, however, very expensive. Its also the kind of mind-numbing job that could leave an otherwise honest IT employee open to committing theft.
easy and obvious solution. (Score:2)
If I am respected and payed what on par with others in my industry, I won't have a need to "Sell Your Secrets!
Trust and respect go a long way.
Cartoon (Score:2, Insightful)
Supervision (Score:2)
Make managers get off their lazy butts and actually peek in on their staff at work once in a while, just to "check up on things." Managers tend to become rooted to their desks and assume that the emails they receive from workers contain the truth, the whole truth, and nothing but the truth. While a good manager lets his/her employees get about their job, they never let the employees run the show. An IT department should be not just a reflection of good work, but good management.
And of course, they could w
The FBI/CIA/NSA (Score:2)
But I don't think there is a technical solution to this problem. Technical safeguards, yes. Solution? No.
A monito
Threaten them, use spikes, seeds (Score:5, Interesting)
Then the death squad goes after the techs and asks some unconfortable questions, talk about broken kneecaps and burning family houses.
Heck, you can even seed different addresses for each admin (if one is doing the mailing, the other only sees the SQL tables)...
If you think it is science fiction, or fear mongering, come and work for a casino in any Central AM country...
I personally left a place because I was scared - higher staff was regularly followed, I heard bad things about the company, and we had more and more armed people at the entrance. I also heard (from my colleage), that our previous sysadmin was chased down the street by the neighbour casino owner with a gun in the hand, shouting "I kill you bastard" over some customer list that the guy "administrated".
Want 1st person experience: how about police calling me, that a gentlemen wants to talk about one of our employees, who supposedly stole data from a caribbean country's casino. The guy looked like a headhunter/killer to me, who kept calling me for 2 weeks, every day, offering more and more for the person's address or any tip where the person could be met (killed??). And that was back in Europe, and the guy came from the islands
Oh well you can make some other measures, like at one place, they sniffed all IM traffic, read all emails, and made it forbidden to take anything into the office. First usb drives, cds floppies. Later cell phones, walkmans, ipods. ANYTHING. They were as well beleived to go thru the lockers.
Of course I cannot (and do not want to name people, places, etc). All I can say, is that I am done with that industry, even though they pay a lot better than others in southern countries.
Learn what you're up against (Score:5, Informative)
The first thing to do is to read the extensive documentation on this subject. [theregister.co.uk]
If it's possible, the BOFH has already done it.
This is not a new problem. (Score:2)
This problem is as old as doing business - and the solutions were found a very long time ago.
For example, how did a company keep its accountants honest, in the days when the accountants kept the books and made all the payments?
The solution was, basically, twofold: firstly, any transaction requires two people. (For example, the employee who actually issues checks is never the same as the employee who authorizes an expenditure.) Secondly, there is an "audit trail", i.e. for each transaction, there is a reco
Oh just see how Saddam Hussein did it (Score:2)
Go look up how those dictators kept a trusted bunch around and maintained them.
If you're going to be a paranoid dictator there's plenty of material around.
My workplace is schizoid about trust (Score:5, Interesting)
Instead he let the outside I.T. consultants have complete control. My experience and professional references were to no avail. It was three months before I got a key to the server room, and this is in a small, 50 person insignificant business. All the while the outside consultants (who retain full remote access to all systems and networking equipment) could do whatever they want.
The network drives were wide open among departments. No restrictions. Performance reviews, salary spreadsheets were all available to the entire staff with the thought that "no one knows the files are there so it's okay" was good enough.
When I suggested that we could start locking down departmental network folders to restrict access to sensitive data it set off a freakish firestorm of discussion about who could be trusted for these special folders. But... the whole time they'd been wide open! Now suddenly it was an emergency to lock them down and no one could be trusted with the data.
Later on my boss was working on a business pitch in Word. He'd brought in a temp to help with the layout and now he wanted to give it his own special touch. But he was having formatting issues. He wanted my help, but.... I couldn't look at the document!
He said it was sensitive and he didn't want me to see it but at the same time I had to diagnose his formatting problem and tell him how to straighten it out. So it was okay for a one-day temp to see it, but not the IT Manager that he himself hired that has responsibility for protecting all of his data.
A few more months and I'm out of here. It's the craziest place I've worked, and I used to work at an urban police department so I've seen crazy.
Codes of conduct (Score:3, Informative)
http://www.acm.org/constitution/code.html [acm.org]
http://www.sage.org/ethics.mm [sage.org]
Ask your IT colleagues if they've heard of them.
There's never a guarantee, but you can try (Score:3, Interesting)
Honestly, while those good pieces of advise, the naivety of so many Slashdotters surprises and depresses me. In very small companies, that may be all you need. And for business that don't have big revenue numbers or deal with innovation, espionage isn't much of an issue. I don't think a plumbing company needs to worry about espionage.
But banks, credit card companies, investment firms and brokerages, they do. As do many of the companies doing R&D in drugs, electronics, software, etc. When millions of dollars are at stake on pieces of information that can be copied to a USB flashdrive the size of a quarter, a smart businessman will not assume everyone can be trusted.
As IT professionals as well as hobbyists, we are used to having lots of access and power. It's what makes our jobs easier, more enjoyable and exciting. By nature we tend to be lazy and impatient, not wanting to do something in 4 steps when it can be done in 2 or 3 steps. We like to find ways to automate processes of all sorts. And we often are overworked and underappreciated.
Which means the IT profession is a good breeding ground for corruption. Roger Duronio felt like he wasn't being fairly compensated. Even when he got a year-end bonus of THIRTY-EIGHT THOUSAND dollars on top of his $100,000+ per year salary, he felt cheated. He wanted the full $50,000 bonus he could have received. So he gutted the companies servers, costing the entire business millions of dollars. He also tried to profit on this action, betting stocks would fall quickly enough for him to short sell at a profit (he failed there). Eventually he was caught, tried and found guilty. He really screwed up good, because he ended up not getting anything that he wanted, destroyed his career forever, betrayed both his family and co-workers, and hurt the image of Systems Administrators everywhere.
Roger Duronrio is not the first IT professional to have done something like this. His actions were amazingly succesful compared to many others, and the company was very much willing to publically bring the case to trial. But you can do searches on FBI cases for all sorts of similar situations.
Trust is really just saying you have faith in someone. No technology, procedures or policies can precisely mirror the emphereal nature of that faith. Which is why you don't rely on one or two or three methods to protect yourself and your business. You rely on hundreds of different methods and protections. It's called security in layers, and is such an essential concept of security that people always forget about it.
The article focuses a great deal on encryption, which is most definitely a good idea for all sensitive data in an organization. But that won't help you if you can't trust the keyholder. So what do you do? Well first off, you don't encrypt everything with one key. You use lots of different keys for different data, and lots of different keyholders. You break keys apart so a person only holds part of a key and two people need to work together in order to decyprt data. Or you use an external, third-party entity to escrow the keys. Better yet, you do all of those things, and more.
Re:Duh (Score:3, Insightful)
Management may feel they are being extremely generous and catering to the whims of many employees while the employees feel they are being ignored and abused. Communication? Naa. The employees in this kind of situation are sure that management isn't listening and doesn't really care.
This is the situation in probably 70-80% of the companies I have ever had any dealings with. When it gets real bad stuff develops legs - i.e., things disappear out the door seemin
Re:Say all you like about hiring good employees... (Score:2)
Don't most of those dongles now have serials that the manufacturers will look up, and tell you who bought them, anyway?