Lessons From High School

Old-school, no-tech mistakes can lead to data leakage

12:55 PM -- I have a teenager in high school now, so I'm constantly agonizing over how to prepare her and steer her to do the right thing in the face of the inevitable pressures, distractions, and drama that come with high school. And I know that no matter how hard we try to protect, guide, and educate her, at some point along the way, like any teenager, she'll probably do something stupid.

End users, too, inevitably make mistakes, and sometimes they have nothing to do with technology. You could be running the best data leakage prevention tools in the world and all it would take for a major data breach is for your friendly receptionist to hold the door for an employee lugging a big box out of the building -- one that just happens to contain sensitive documents and media.

It's these little things that your employees do that are still the most common and overlooked sources of data leaks and exposure. The misplaced laptop, the email sent to the wrong guy, sensitive documents left lying on the photocopier machine: These old-school mistakes still represent major security holes today, a study released this week by the Information Security Forum (ISF) found. (See Study Reveals Overlooked Sources of Leaks.)

In the nearly 900 data leakage incidents ISF studied, many occurred by human, not technological, error -- through conversations overheard in a coffee shop or airplane, or losing track of their laptops or storage media.

Marcus Ranum, one of the pioneers in firewall and IDS technology, says the industry over-complicates security and that much of the problem is common sense. Ranum puts it this way: "Security is very simple: Don't do something stupid and you should be just fine." (See Ranum's Wild Security Ride.)

Humans by nature are mostly trusting, of course, and therefore can be gullible. And the bad guys know it and take advantage of it. Think about how many exploits require a user to click on a link for them to execute. No click, no worries.

So if it really boils down to counting on your users to avoid screwups, what chance in heck do you have to keep your data safe? You can't shadow each and every decision your users make any more than I can stay glued to my teenage daughter 24/7.

Some organizations put their employees and users to the test: Secure Network Technologies Inc., which conducts social engineering exploits for its clients, was recently hired by a financial institution to determine just where its human security vulnerabilities lie. It wasn't pretty: Posing as auditors at one branch, they were ushered into a conference room to "work," and were even able to suck documents off users' machines right under their noses with a U3 USB stick. They convinced the users that the USB drive contained a printer diagnostic program. (See Social-Engineering Employees.)

Oh -- and beware. If an intruder has a coffee mug and a weak bladder, he'll likely blend right into the organization: Steve Stasiukonis, vice president and founder of Secure Network Technologies, found that carrying around a mug and visiting the restroom regularly helps him avoid arousing suspicion.

It's the same old mantra for prevention here: education and awareness. ISF recommends enforcing security policies so that there are real consequences for user screwups that leak sensitive data. In the end, all you can do is hope your policies and training have sunken in so that your employees do the right thing and think twice before they lead the "photo copier repairman" to your networked multifunction printer/copier -- and OMG, right to a connection to your network.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Secure Network Technologies Inc.
  • Information Security Forum (ISF)