Story: Video: Why you should encrypt your data
Encryption isn't enough
Remote destruction capabilities AND self destruction triggers are also required.
Why?
Stuff gets stolen and lost all of the time. While today's encryption technology might be sufficient to put up a fight not worth the trouble, that might not be the case 3, 6 or 12 months from now. So all the thief has to do is sit on the data until some exploit gets public or other nifty crack tools appear (this is also a hint to those in law enforcement sitting on confiscated PCs they still haven't broken open).
Another is the sacked employee who gets a bit disgruntled. Disabling an account should also turn on the self-destruction for remote equipment. For the same reason, remote equipment should have some triggers to activate self-destruction (yes, that will give rise to support calls by brass-level managers, very upset indeed).
Yet another is making sure that disposed-of equipment really gets wiped before ending up in the hands of third parties. Plenty of quality information ends up in waste bins in one form or another.
And finally, bad internal IT procedures are often the reason why resupplied company equipment makes for interesting reading about one department for another department.
Most certainly the above should be a hint not to allow any equipment that isn't 100% legally owned by the company in question. For one, USB ports are very dangerous indeed. But so are WiFi, Bluetooth, IR and 1394 ports. Seminars and other forms of business gatherings truly are about information sharing, just not as foreseen by those with decision-making powers. Blinded by possible prospects, all raised fingers against the dangers of easy business information sharing are waved away to allow for easy, and "user friendly", access. As is often the case, "user friendly" is often "cracker friendly", since most companies have neither the time nor the resources to keep up with all the security advisories related to the ever-growing number of "user friendly" technologies. The thing to remember is: if keeping up with the latest security patches and advisories is so important, then what does that mean for equipment that is deliberately not kept up to date?
And yes, don't bet on single-platform solutions either. One simple way to circumvent such "solutions" is to make data cross platforms (since data should be universal, unless one wishes to enforce their solution on all of their customers and clients as well): fax, e-mail, hard copy, photos, etc. Really, companies should guard their waste disposal as much as they do their Internet gateways. Most, however, do not.
So encrypt all you want, but don't underestimate the power of those who have a say in the fields of purchasing, finance, budgets, PR, marketing, management, legal and sales. Often their lack of understanding and accountability in the field of IT security results in very serious holes indeed. All in the best interest of the company of course, but nonetheless.
Arrogance kills, but so does ignorance.
The problem is, today plenty of so-called experts are ignorant. Or worse, arrogant. To sum it up: greed kills.
Take USB. That got adopted so fast it's nearly impossible to secure today. What idiot allowed for some sort of "one size fits all" solution that practically requires Local Administrator privilege (in Windows) to work as advertised with auto-run capabilities enabled? Even stranger, why did companies adopt it? Why bother with encryption, self-destruction policies, security measures, audits and whatnot if such "functionality" is deemed required for business reasons? Just open up the back door and be done with it. Would that be a sound company policy? Never mind rootkits.
As long as security comes second, then hello Towering Inferno (a 33-year-old movie in which sorry and oops come after the fact). How much have we learned since then... Just visit the average business conference with a cracker's mind to find out.