Mamma Mia!

by Calum Macleod

Here we go again. If the news is to be believed, it seems that an employee at Ferrari just could not resist it and helped himself to a few secrets. Not only that, but according to the news an employee at a competitor couldn't resist the temptation when offered the chance to gain some inside info. After all what man in his right mind could resist the temptation of getting the inside gossip. We're all curious and live in a world where we daily try to steal a lead on our competitors and every little bit of info helps. So there we have it a court battle ensues between Mclaren and Ferrari!

Now it's clear that Ferrari chiefs are not avid readers of CERT reports. If they had been this might all have been avoided. After all CERT revealed late last year with their study into sabotage, particularly in the IT world, was frequently carried out by disgruntled employees who had been passed over for promotion, and who had privileged access to information. It appears from what Ferrari are saying that their employee became rather agitated after he wasn't promoted to a senior position after his old boss left. Apparently his behaviour, according to his employers, was not exactly ideal. If they'd read the CERT report they would have detected the warning signs and who knows this might never have happened.

As an "armchair" sometimes fan of F1, I think that it's fair to say that it's highly unlikely given their rather extensive use of IT in everything they do that the information that was allegedly "relocated" just happened to be lying around in some hand written notes. The ability to help one's self to highly sensitive and valuable, confidential information has never been as easy as it is today because virtually all that information is in digital format. Data files on servers. And whether the allegations against the employee are right or wrong in this case, it does not change the fact that organisations are playing a dangerous game when they underestimate the risk posed by the disgruntled insider determined to wreak havoc, or the insider who is just simply a bumbling idiot who is an accident waiting to happen.

Sensitive information requires extra-care. Just as you would not leave your valuables lying around in the garage, sensitive information requires a different management approach. When sensitive information is compromised, the implications for the organisation can be catastrophic - like not winning maybe. Access and distribution of sensitive information such as financial reports, clinical trial results, technical design, etc., is something that many organisations have not addressed adequately. Data must be secure, tracked, privacy should be maintained, and strict auditing should be applied.

Information leaks in all forms are occurring with increasing frequency today within some of the largest and most important organizations and enterprises. These breaches, whether inadvertent or as part of a coordinated attack, release highly sensitive information into the larger market where it is used to damage the originating organization's business, competitiveness and reputation, and also significantly impacts the privacy and confidence of their customers, partners and vendors.

Common solutions such as mail (CDs in the post for example), e-mail or FTP suffer from several disadvantages. Distributing vast number of documents via mail is cumbersome and hard to track. FTP solutions are not reliable or secure. E-mail solutions, including encrypted e-mails, are also not reliable because they are dependent on the recipient's e-mail infrastructure. Large files or encrypted files often tend to fail e-mail security policies and bounce back. Organisations need global accessibility and connectivity while maintaining security.

So what steps should be taken to protect information. Well here are some basic steps that can be taken

1. Information needs to protected from unauthorized modification, deletion, and exposure. Encryption and other security mechanisms are not helpful if someone hacks the computer and circumvents the security layers. For instance, encryption is good for confidentiality, but does not protect data from intentional deletion or accidental modifications. In order to build multi-layered security, a sterile environment must exist to accommodate and protect the security infrastructure.
2. Ensure you have visual auditability - owners of information need to actually see what happens with their information at all times. Combined with auto-logging and auto-alerting, it ensures that an organisation has a prevention and detection mechanism.
3. Separation of duties must be possible between the owners of the information and the administrators of the information. In other words there is no need for the IT Manager to be reading employee contracts, unless of course he or she is doubling as head of HR!
4. Dual control ensures that highly sensitive data can only be accessed provided it has been authorised by another person. Similar to the concept of dual keys it ensures that access will only be allowed based on secondary confirmation. If an employee cannot simply walk into the CEO's office and pick up a copy of the latest M&A transaction, then they shouldn't be able to open a file on a server either, unless of course the board value the input from IT staff in making M&A decisions.
5. Data should always be backed up in encrypted form, and kept encrypted even while on backup media, to prevent unauthorised disclosure.
6. And access should be controlled based on user location. In other words it's not the employers' responsibility to help an employee show-off to the cute blonde in the Internet Café. Make sure that if the information is for internal use only then that's exactly where it stays...

No organisation is immune to the risk of exposure, embezzlement, embarrassment. There is no such thing as the 100% trustworthy work force, and especially when you're outsourcing or using contract staff. How many organisations can echo the sentiments they have been cheated by someone and they have no idea when. And they make up their mind that it has to come to an end. But then they don't do anything and it happens again and again - Will they ever learn? - Mamma Mia there they go again!!

Calum Macleod is European Director of Cyber-Ark Software. Find out more at www.cyber-ark.com.

Send a comment about this article to editor@itwales.com.