Foiling Data Thieves
How to keep a secret in the information age
By Kayte VanScoy
On June 3, Jeffrey W. Dorn of West Des Moines, Iowa, pleaded guilty in federal court to stealing client files from his employer, executive placement firm Spencer Reed Group. Dorn had used the files to find employment for one of the firm's clients and then had pocketed the commission. In one of nine cases prosecuted this year by the U.S. Department of Justice under the Economic Espionage Act (EEA), Dorn agreed to pay restitution of $15,920 to Spencer Reed.
Sixteen grand. No big deal, right?
Think again. Of the thirty-five cases prosecuted under the EEA since 1999, twenty-eight were committed by insiders or ex-employees, according to Department of Justice statistics, and few of the cases are as innocuous as Dorn's pilfering of client data. The 2002 Computer Crime and Security Survey, conducted jointly by the Computer Security Institute and the Federal Bureau of Investigation, states that one firm reported the theft of $50 million in proprietary information last year. Another reported $1.5 million lost from unauthorized insider access to data.
Unless your company has $50 million to spare, you'd better get serious about securing your data from threats inside and out. Now that the Internet, intranets, and extranets are commonplace, companies of every size and in every industry have a growing security risk inside their own walls, often from those in the highest levels of management.
"Companies naturally tend to look outward when they're in the process of fortifying their networks. However, internal sabotage or even inadvertent leaking of confidential information can be more damaging than a nameless, faceless threat," says Peter Lindstrom, director of security strategies at Hurwitz Group.
Fortunately, a wide array of technologies are available to protect businesses against the mistakes or malfeasance of their employees. Encrypting and authenticating every sensitive document is one route. Monitoring TCP/IP traffic, either by taking periodic snapshots or by scanning for keywords, is another method. None of the available technologies provides complete protection, however, and the greatest benefit comes from a combined approach.
But even with multiple technical safeguards in place, there is little that can make up for poor planning and lazy policy-making. "It sure is cheaper to buy one product and not have to worry about it," says Patrice Rapalus, Director of the Computer Security Institute (CSI). "Technology can help only if it is monitored properly, used properly, and not perceived as the ultimate fix." After hiring reliable employees, inform them how their place in the company relates to their security access, and only then should technology back up the plan.
Roles and Rights
The necessity for properly assigned roles is most apparent when relying on role- and rules-based file management for securing data. One such system is iManage's WorkSite (www.imanage.com), which bills itself as a collaborative content management system. iManage prevents any kind of content from being stored on local drives. At the center of the system is a content repository that intercepts "File Save" and "File Open" commands across the Microsoft Office suite, Lotus Notes, and Novell Groupwise.
After centralizing content, iManage allows system administrators to control access to files and to individual documents within them. Access rights may be used to determine who may read, edit, and destroy data. By assigning security levels to documents and files that correspond to security categories within a company's hierarchy, iManage "imposes a very controlled regime on any content without imposing any burden on the user," says Dan Carmel, VP of Marketing at the company. Content for which a user does not have password-protected clearance is not only irretrievable to that user, it is invisible also.
There are additional benefits to centralizing content, apart from security, including ease of collaboration and reduction of network traffic. Perhaps the biggest advantage to having a single point of access for secure data is that denying someone access to the system requires removing his or her name only once, as opposed to removing access to multiple documents and systems. By the same method, security access may be easily increased. "If Sally becomes the head of the project, you just change her role in the system. The key here is that this is an architectural problem. If the whole system is not architected around roles and security policies, you can't go back. You have to tear everything apart and redo your entire security mechanism, which is close to impossible," says Nandip Kothari, director of manufacturing industry solutions for iManage.
In fact, digital rights management (DRM) is powerful enough on its own to provide a solid foundation for content security at many companies. Authentica (www.authentica.com) is a DRM solution robust enough to be used by the CIA for producing an electronic version of President Bush's daily briefing, which only sixty-five people are authorized to see. Authentica's PageRecall, MailRecall, and NetRecall products encapsulate individual units of content, whether they are single emails, PDF files, or Web pages, using both encryption and authentication. The originator of the document, not IT staff or management, assigns a window of time during which the document can be opened and whether a recipient may cut and paste, print, save, or forward it.
The author can even change permissions or the content of a document that has already been sent. Also, if the recipient of a forwarded document does not have an authenticated password, the information will appear as nothing more than a blob of encrypted data. In addition, printed documents can be watermarked with the recipient's name, making it difficult to distribute hard copies covertly. Finally, Authentica tracks the document and provides a report to its author of how many times it has been accessed, for how long, and whether or not it has been printed or forwarded.
Such document control and tracking can be critical for companies built around patented technologies and trade secrets, such as semiconductor manufacturers. "Frequently, semiconductor companies need to supply design documents to companies in Asia, so that those companies can bid on the cost to build their chips," explains Authentica's VP of Marketing, Jim Hickey. He continues, "After the semiconductor company picks one winner, they have two or three losers that then have their proprietary data. It's common for losing bidders to go and build knock-offs. The ability to simply remove the losing three bidders from the distribution list can make the difference between retaining and losing trade secrets."
What's That Smell?
But what if a leak is not as predictable as losing trade secrets or unauthorized access to internal files? What if the leak is more overt, originating in a simple email or instant messaging application, and what if it is malicious, intending to slander the company or wreck its stock price? What if, for instance, the perpetrator doesn't try to print, forward, or cut and paste that sensitive internal memo, but instead actually retypes it and posts it to the Internet? If the scenario sounds far-fetched, perhaps you haven't seen a Web site called InternalMemos.com. It has long been clear that the Internet will be a continuing source of unpredictable security woes for business, but such sites demonstrate that even the smallest amount of electronic data can pose a threat if it is allowed to seep out of a company's purview.
Where DRM and file management provide the benefit of specificity, sniffers offer a broader means of monitoring network traffic. Long an indispensable anti-hacker tool, sniffers are now finding a home in internal network analysis. Vericept (www.vericept.com) offers the natural-language-based sniffer VIEW, a plug-and-play hardware device that screens for pre-programmed words and security categories. "It literally takes minutes to set up," says Michael Reagan, senior VP at Vericept. "Or, if a company requests, our linguists can come in and create customized categories. A large pharmaceutical company will want to protect its formulas from being leaked. A software company will want to make sure its source code is safe," he says. It doesn't matter where a keyword or phrase turns up in the network traffic, whether across company email, in Web mail like Hotmail or Yahoo Mail, in an instant messaging or Web-based chat session, or even through telnet or FTP. Restricted content is quarantined inside the company's network and a security officer is alerted to review it. (For more information, see the sidebar, "Wall Street Sneaks.")
"One of our clients is a large California brokerage firm," says Reagan. "When they installed VIEW, they actually caught bank account numbers and social security numbers being sent via email. It was clear, however, that this was an inadvertent slip, because the emails were being sent between one trusted source and another, but the information was being sent unencrypted. This let the firm know that they had to reassess their educational program and make sure that everyone understood how to maintain the security of their information," he says.
Another linguistic sniffer that works in a similar fashion to Vericept is MailMarshal (www.marshalsoftware.com). "They can cut and paste into a Word document and put that into a Zip file and put that into CRAM file. We unwrap all these things," says Steve Bachman, President for Marshal Software in the Americas. "Our product will bounce that email back and remind the sender that he can't send this information out of the system. Then we quarantine it for later examination," he adds.
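The category screening and archive unwrapping described in this section, as an added Python example that is not Vericept's or MailMarshal's code. The category patterns, size and depth limits, function names, and sample message are all constructed for illustration.

```python
import io
import re
import zipfile

# Constructed screening categories (assumptions, not any vendor's rule set).
CATEGORIES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "source_code": re.compile(r"\bproprietary source\b", re.IGNORECASE),
}
MAX_DEPTH = 5                 # stop unwrapping archives nested deeper than this
MAX_MEMBER_BYTES = 1_000_000  # skip members that declare a very large size


def scan_blob(name, data, depth=0):
    """Return (path, category) hits for one blob, unwrapping nested zips."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            # Content that cannot be inspected is flagged, never passed silently.
            return [(name, "unscannable_nesting")]
        hits = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}/{info.filename}"
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    hits.append((path, "unscannable_size"))
                    continue
                hits += scan_blob(path, zf.read(info), depth + 1)
        return hits
    text = data.decode("utf-8", errors="replace")
    return [(name, cat) for cat, pat in CATEGORIES.items() if pat.search(text)]


def review_message(body, attachments):
    """Quarantine an outbound message if its body or any attachment has a hit."""
    hits = scan_blob("body", body.encode("utf-8"))
    for filename, data in attachments.items():
        hits += scan_blob(filename, data)
    return {"action": "quarantine" if hits else "deliver", "hits": hits}


def _zip_of(members):
    """Build an in-memory zip from {name: bytes} (used for sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


def demo():
    # Constructed sample: a note wrapped in a zip that is wrapped in another zip.
    inner = _zip_of({"notes.txt": b"Client SSN 078-05-1120, acct pending"})
    outer = _zip_of({"inner.zip": inner, "readme.txt": b"quarterly newsletter"})
    flagged = review_message("see attached", {"report.zip": outer})
    clean = review_message("lunch at noon?", {})
    return flagged, clean
```

Each hit records the full path through the nested archives, which gives the reviewing security officer the location of the match inside the quarantined message.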
Peer or Competitor?
Importantly, sniffers can also monitor the use of peer-to-peer software, an increasing data security threat. When peer-to-peer software, such as Kazaa, is installed, it finds, opens, and releases the contents of all specified files into the peer-to-peer network. Those files could include only those in a given folder on a local hard drive, or it could be much more intrusive. "Most employees on corporate networks not only have a C drive, but network drives as well, which could give any Kazaa user access to all the information on the company's network. As a result, Vericept is getting tremendous interest in our ability to give companies visibility into who is installing these peer-to-peer clients," says Reagan.
In one threaded discussion on Slashdot.org, Kazaa users discussed what sorts of files could be found just by casually surfing the Kazaa system. Reports ranged from stock reports to internal phone lists, salary histories, and Social Security numbers. A usability and privacy study on Kazaa conducted by Hewlett-Packard and the University of Minnesota found that 61 percent of all searches performed for ".dbx" turned up at least one Outlook Express inbox file, undoubtedly the result of setting up the program improperly.
Putting It Together
Sifting through the available software and hardware options for security, in addition to developing a sensible security policy for your company, will probably require either the designation of a top-level manager, the hiring of an outside consultancy, or both. Most of the software vendors profiled here provide some level of consulting assistance to customers, but two that specialize on the consulting side are Solutionary (www.solutionary.com) and Rovia (www.rovia.com).
"Before you can protect information, you really need to go through a lot of steps," says Andres Nanneti, chief strategy officer at Rovia. "You have to categorize and classify your information," he says, citing such familiar government classifications as "Top Secret" and "Classified But Restricted" as examples of discrete categories of information.
Solutionary's Director of e-Security, Christopher Meinders, agrees that categorization of data is the first priority. "A company must decide how critical the data is to its business functions. I ask them to think, 'If the public got a hold of it, how bad would it hurt you?'"
After classifying data, access to the data needs to be controlled. "Then you have to decide what you want to protect and what is worth all these efforts," he adds. Nanneti says that companies focus too often on access (as in who has access to what) while failing to focus on what someone can do with information once it has been accessed. Therefore, assigning permissions is an equally important task. The next step is to identify and classify the users of the system. After users are classified, their ability to manipulate and disseminate information can be restricted appropriately.
Finally, says Nanneti, a company must decide what level of data protection will work for it. "Protection is the opposite end of the scale from convenience. The more you protect, the more inconvenient it is for users," he explains, adding that most companies will need three or four different software solutions for a complete umbrella of electronic security. Likely, both authentication and encryption will be required.
One thing is certain: No amount of electronic security can protect a company from a truly determined rogue employee. "Nothing's bulletproof, right? We can't prevent someone from taking a picture of the screen with a camera," says Authentica's Hickey.
CSI's Patrice Rapalus reiterates that technology is only part of the solution to electronic security. She notes, "It's an HR issue. It's an education issue. It's a policy issue. You have to do background checks. You have to train your staff. And you have to have good sound policies in place about what can and can't be done."
Wall Street Sneaks
"Simmons & Company has a very high standard on Wall Street. As far as compliance and ethics go, we're unblemished," says Lenny Schad, CIO of the Houston-based investment banking firm, which specializes in energy services. After the recent scandals in the financial services and energy industries, from Enron to Dynegy to Arthur Andersen, coming out unscathed is a feat in itself. "We've been sitting back and watching how easy it is for people to just skate on the ice and not pay attention to their ethical duty. We've been amazed at how quickly they've fallen, and all because they just weren't paying attention," he says.
After watching the Securities and Exchange Commission investigate firm after firm, Simmons decided to put preventative measures in place before disaster struck, choosing Vericept's VIEW plug-and-play hardware, which monitors TCP/IP traffic and quarantines improper transmissions across the network. "The SEC rules mandate that you capture and log all business communication, including inter-office memos, emails, and instant messaging. That's not new," Schad says, referring to the SEC's Rule 17a-4(f) digital archiving requirements, in place since 1993. The rules mandate that electronic communications related to business be stored with backups, be indexed, and be available for audit. Other regulations from the National Association of Securities Dealers (NASD) require that businesses monitor their stored correspondence for compliance issues, although the monitoring efforts can be random.
"The SEC and NASD rules really weren't on the forefront until recently," says Schad. Then came allegations last spring that Arthur Andersen had shredded documents and dumped electronic files related to its work with Enron. In May, Merrill Lynch was fined $100 million for emails that revealed the company was recommending stocks it knew to be bad bets. "Most companies were logging and capturing email to a certain degree, enough that they were in compliance. But they weren't paying much attention to how well they were doing it and whether or not it was accurate. The events in this past year made us realize that we had to be much more diligent in what we're capturing and much more proactive," he says.
Simmons installed Vericept to monitor the content of both email and instant messaging sessions, on top of the storage capability it already had in place. "If you're in the investment banking or trading industry, instant messaging is how you communicate with customers. It's like Excel for accountants," says Schad. Capturing and monitoring both sides of those instant messaging sessions would have been overwhelming for a 145-person firm like Simmons, which has only one compliance officer. "The bigger companies with massive compliance departments tried to respond to all this manually and it ate them for lunch," said Schad. Installing Vericept, he says, has allowed Simmons to maintain a compliance staff of one.
Getting Hip to HIPAA
"Healthcare is about to change its class of protections to something much more like the financial sector. It's a huge change," says Dave Kirby, director of the Duke University Health Center Information Security Office. The change worrying Kirby is coming from a new federal regulation known as the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA is complex, involving regulations on various aspects of healthcare and health insurance, but the one that concerns Kirby the most is the stipulation that any organization or individual dealing with health records (whether they are doctors, hospitals, insurance companies, or employers) must make reasonable efforts to ensure patient confidentiality and guard against improper disclosure of information. As written, the privacy section of HIPAA is somewhat vague, but its impact is already abundantly clear.
"Clinicians are used to dealing with confidentiality, but this is an entirely alien issue to the IT side of healthcare," says Kirby.
The penalties for non-compliance with HIPAA are steep. The feds can fine an organization up to $25,000 per person each year in which it was non-compliant. For an individual, the sanction is a minimum of one year in prison and a $25,000 fine. The maximum is ten years and $250,000.
"This is not even about intending to hurt someone by revealing their medical information. You only have to have done it and known that you did it," explains Kirby. HIPAA excuses information that was leaked accidentally, such as an unauthorized person wandering into a room with X-rays up on a light board. However, it would not excuse electronic leaks, if reasonable measures could have prevented them. The technology does not only have to police itself; it has to outsmart the human factor, too.
"It's rarely for malice that leaks happen. It's normally for titillation or well-meaning concern," continues Kirby. When a doctor digs up the records of a basketball star's knee surgery, for instance, "or maybe you find out that John has HIV and you want to set up a prayer circle for him at your church. That sort of stuff is clearly illegal under HIPAA and I don't think the clinical culture has caught up with that yet," he says.
While no one technology is specified by HIPAA, Kirby explains that the key to HIPAA compliance is "a well risk-managed environment, technically, administratively, and physically." HIPAA does not require that an organization seek out unaffordable, exotic solutions, however. "The law says it has to be 'practicable,' which basically means possible," he says.
Patrice Rapalus, director of the Computer Security Institute, predicts that HIPAA will bring sweeping security changes to every industry as each is forced to comply for various reasons. "A lot of organizations are looking at HIPAA to become a de facto standard," she says. She points out, however, that security problems are international in scope and not likely to change based only on a U.S. law. However, HIPAA applies even to foreign entities that exchange health information with the United States, so, eventually, its influence may resonate not only across industries but across continents.
Kayte's desk in her lower Manhattan apartment faces the Statue of Liberty and the Hudson River. She has written on technology and business for PC Computing, Smart Business, Business 2.0, Fortune Small Business and TheStreet.com.