Inside the network, there are, of course, employee computers. Depending on what type of business you
have and how big it is, you may also have file servers, network printers, point-of-sale terminals, automated
paint mixers, and what have you. Because there is such an unbelievable variety of networks, we have no
choice but to gloss over much of the detail.
Business Data Security
The employee's computer or "workstation" has been a source of contention since the first days of its
existence. The very term, which should perhaps be "employer's computer" typifies the conflict. Employees
always want more; employers are (or should be) trying to rein in abuses and hold on to their tenuous
The problem is that today's personal computers, which are primarily Windows systems, make it very easy
for the user to not only move data around, but also programs which change the way the system works.
These programs have complete control over the computer, and if they contain malware, such as a virus, they
can spread like wildfire. Nowadays, even documents, such as email or spreadsheets, can contain programs
("macros") which can infect a system. Application security settings will block some of these attacks, but
when security gets in the way of what a user wants to do, they will happily disable it. It is common for
programs or websites to instruct users to disable security settings in order to get a feature to work. Because
technology has changed so quickly, most computer users simply have no way of knowing what actions are
safe and what are not. When they are risking their own PC at home, it is one matter. When their actions
can disrupt a corporate network, it is another.
Another issue is with corporate help desks. The more the employee changes the computer, the less they
will be able to get help. The helpdesk support or local IT person simply has no way of understanding
how the system has been changed, what may be causing the problem, and how to undo it. Applications
on Windows very often interfere with each other. In a large company I worked with it would take months
of testing for them to add applications to their PC desktops in order to sort out problems with all of their
other required applications.
Besides exposing a PC to malware, employees who install programs can open a company up to licensing
issues and liability. A program you bought one copy of for a special task may spread around the network.
Users may bring in software they use at home and install it on a company PC. Users may download and
install pirated software. A surprise BSA audit can lead to substantial fines.
UNIX™, a traditional business operating system, and PC systems derived from it, like Linux™ and Mac
OS X™, have a decades-old and well tested multi-level security which allows an administrator to set
up the computer and restrict what a user can do with it. Microsoft introduced a similar system with
Windows NT™ and its security has been improving in recent years. In fact, Windows Group Policies,
setting permissions for groups of users on a network and enforcing them on individual PCs, is a powerful
tool in large companies. Even when the same person owns and uses the computer, setting up a separate
administrator and user account limits the amount of damage that a virus can do.
An alternative or addition to locking down systems is the use of virtual machines or imaging software
which can quickly restore the state of the system to some earlier point. When a user makes a change
and the system stops working, the system is reset and the change is wiped out. This can be especially
useful when the employee has a legitimate need for more freedom (such as testing out new software). The
downside is that, if they do not carefully back up their documents, they will be lost on every reset. This
works particularly well in lab settings where users have network home directories; all of their files are
saved elsewhere and the workstations themselves are expendable.
As with many security issues, you must strike a balance between protecting your network and letting
employees customize their tools. Different people work and organize in different ways, and sometimes
using a different tool can make large productivity gains for particular people, especially if they are building
on prior experience. Having a selection of approved options and knowing when to make exceptions can
go a long way.
It seems that there is a constant stream of security holes and bug fixes which need to be downloaded and
applied. Not installing patches in a timely manner exposes your systems to unwarranted risk and most
systems (Windows™, Linux™, Macintosh™, etc.) have automated systems for downloading new updates.
Many serious virus outbreaks attack systems which should have been patched.
On the other side, new patches sometimes break things, especially if you have a complicated software
setup. Large companies generally solve this problem by having a test machine which is updated first. If
the test machine works, the rest of the PCs can be updated. Regular backups make it easier to undo a bad
update as well.
A very common but largely unreported problem with small business and home users is how to safely set
up a new PC. I recently helped to set up a new machine which came with Windows XP Service Pack 2
(released in 2004). There have been hundreds of security patches for Windows XP since that time. A new
PC connected to the Internet without those updates can be broken into within minutes, much less time
than it takes to download all of the new software required to protect it. Microsoft provides tools for large
companies to centrally manage updates without connecting to the Internet, but small businesses are out of
luck. Apple allows you to download all of their latest patches on one computer, put them on a disk and
move them to the new computer without connecting the new computer to the network. With Windows, I
had to use an obscure third-party tool [18] to accomplish this.
Virus and Spyware Detection
For Windows PCs, anti-virus and spyware protection programs are simply required. They are primarily
designed to find malicious programs once they are on your system, but some also catch incoming viruses
in emails and downloads before they can do damage. Once a virus is on your computer, these tools provide
options to try to remove them. Unfortunately, the only completely safe method of removing an infection
is to reinstall the system and it is a good idea to keep good backups of your documents.
For non-Windows systems, like Macintosh and Linux, viruses do not exist and spyware is rare. This is
partly due to lower market share making them less valuable targets and partly due to security conscious
design making them more difficult targets, but there is no reason why malware may not become a problem
in the future. I run anti-virus software on my Macintosh computer primarily to keep from sending viruses
to Windows users by accident.
Malware detectors are useless without constant updates. They can only detect problem programs once a
security researcher detects them "in the wild" and adds them to a list. There are a number of products out
there, a couple of which are completely free and of good quality.
Controlling the changes a user can make to the computer is one way of limiting the spread of infections or
security violations. Another is to try to prevent infections from getting off the computer. Individual PCs
can run their own firewall called a software firewall. Like a hardware firewall, a software firewall limits
what traffic can get in and out and adds an additional layer of protection. Software firewalls slow down the
spread of viruses inside your network, make it harder for attackers who have compromised one computer
to attack another, and make it more difficult for spyware to phone home. If a PC is badly compromised,
an attacker will simply turn the firewall off, so the protection is not absolute.
Windows PCs since XP™ Service Pack 2, Macintosh computers with OS X, and any recent Linux or UNIX
systems all come with software firewalls. There are commercial packages for Windows XP which replace
the substandard built-in firewall. Businesses with Macintosh systems will likely want to spend some effort
customizing its firewall which is very powerful but not set up well out of the box.
Passwords, Biometrics, and Keychains
Password management has always been a difficult problem for non-technical users and even for many
technical users. A good password is difficult to guess and easy to remember. These do not go well together.
Computer users should not use the same passwords for different purposes, should change them frequently,
and should not have a new password be based on an old password (e.g. oldpassword2). Oh, and
passwords should not be written down. If an employee actually tries to follow this advice, they will quickly
have a dozen or more cryptic passwords for different accounts and, unless they have a photographic
memory, will be calling their local IT person to have a password reset on a daily basis.
One simple technique for creating easy to remember yet difficult to guess passwords is one I have
used for years. Take a quote or phrase:
When the wind is southerly I know a hawk from a handsaw.
Take its initials, including proper capitalization and punctuation: WtwisIkahfah. It looks like
gobbledygook, would never be cracked by an automated password guesser (dictionary attack), and
is still memorable. After a few times, typing it becomes automatic.
Playing with numbers and punctuation a little makes the technique even better: “To be or not to
be, that is the question.” could become: 2bon2btit? Use a phrase you will remember, but not
one that someone would obviously associate with you, like a motto or favorite saying. If chosen
well, you can even provide a reminder hint in programs which allow it so you can remember what
quote you chose. For instance, "mad" might be a good reminder for the first quote if you know
Shakespeare (the preceding line is “I am mad but north north-west.”)
What more often happens is that a user has one password they use for everything, and, when forced to
change it, they tack a new number on the end of it. If they need anything more complicated (their software
forces them to have a complex password), they write the password down somewhere near the computer.
This is an unworkable situation. As we discussed in "Guard Your Secrets", a lock is useless if the attacker
can readily obtain or guess the key.
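As an added illustration (not code from the original document), the following Python reproduces the initials technique above on the author's two quotes and adds the check an administrator would want for the "oldpassword2" habit described just above: rejecting a new password that is only a cosmetic variation of the old one. The word-substitution table and the symbol-for-letter map are assumptions of this example.

```python
import string

# The author's second example swaps "To" for "2" and "question." for "?".
# This map is an assumption of the example, used to reproduce that output.
WORD_SUBSTITUTIONS = {"to": "2", "question": "?"}

# Common symbol-for-letter swaps ("P@ssw0rd"), undone before comparing.
LEET = str.maketrans("0134$@!", "oleasai")


def initials_password(phrase, substitutions=None):
    """Reduce a memorable phrase to its word initials, keeping the case.

    Each word contributes its first character unless the lower-cased,
    punctuation-stripped word appears in ``substitutions``. Punctuation
    that is not part of a substitution is dropped.
    """
    subs = substitutions or {}
    out = []
    for token in phrase.split():
        word = token.strip(string.punctuation)
        if word:
            out.append(subs.get(word.lower(), word[0]))
    return "".join(out)


def _core(password):
    """Strip the decoration users add when forced to change a password."""
    stripped = password.lower().strip(string.digits + string.punctuation)
    return stripped.translate(LEET)


def is_derived_from(old, new):
    """True when ``new`` is only a cosmetic variation of ``old``.

    Catches a digit or symbol tacked on the end ("oldpassword2"), case
    changes, symbol-for-letter substitutions, reversal, and one password
    containing the core of the other.
    """
    a, b = _core(old), _core(new)
    if not a or not b:  # nothing left after stripping; compare literally
        return old.lower() == new.lower()
    return a in b or b in a or a == b[::-1]
```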
Some people propose biometric security to replace passwords. Biometrics means that the "password" is
based on some unique characteristic of a person, such as a fingerprint, voice print, or a retinal pattern. The
idea is that a biometric is unique, the user cannot forget it, and an attacker cannot easily steal it. It is an
interesting idea, but most current plans are hopelessly optimistic.
The first problem is that a user can in fact lose a biometric or may not have one in the first place. I went
to school with a girl who had no hands and thus, no fingerprints. A significant number of war veterans are
now entering the work force who are missing limbs. ADA rules might expose a business to liability if they
excluded a potential employee from access due to an inability to use the security system.
The second problem is that biometrics are not exact. Taking measurements is a messy business. They
must be taken quickly, the employee is not exactly positioned each time, and the device has to take
into account minor changes such as dirty hands, stress or illness affecting voice, or a dirty lens. The
measurements must have a fair margin of error to ever let anyone in. On the other side, the security
device has to detect and deny reproductions such as voice recordings, photographs of a retina, or a gel
mockup of a finger. Generally what happens is the device denies legitimate employees on an irregular basis
and allows attackers to bypass security. As reproductions get more sophisticated, fooling even devices
designed to detect a heartbeat or capillary action, the problem becomes harder. Fingerprint scanners have
gotten a lot of negative attention from security researchers, being susceptible to ballistic gel mockups,
transparencies, and even food-grade gummy-gel fingers [MythBusters-2006, MatsumotoEtAl-2002] all of
which are inexpensive and not obvious even when the security checkpoint is watched.
The third and most serious problem is that people leave copies of their biometrics everywhere they go and
have no way of changing them once the bad guys get a copy. Bad guys can record voices, lift fingerprints,
pick up traces of DNA, or position cameras to catch retinal or iris patterns. If you lose a credit card, you
can cancel it and get a new account number. How do you change a fingerprint? Biometrics will not solve
the password problem any time soon. One common security rule of thumb is that authentication uses two
things: something you have (or are) and something you know, such as a username and a password, or a
debit card and a PIN. In that sense, perhaps biometrics are best used in place of the user name
rather than the password.
One good solution to the many passwords problem is a keychain or password vault. In one of my
companies, we had a computer lab. We had a number of locks, on server cabinets and media safes, that
several people needed access to. Rather than give everyone copies and try to keep track of them, we bolted
a locking cabinet to the wall, put the required keys inside, and gave each authorized employee a key to
the cabinet. When they needed a specific key, they went to the key safe, signed out the key, and returned
it when done.
The same general idea can be done with software. Web browsers generally allow you to store usernames
and passwords for websites so you do not have to type them in. You must then only remember the password
to your computer account or web browser and the website passwords can be quite cryptic or even random,
such as "g6%0knpoi2", which an attacker will never guess. In theory, passwords for mail, shared folders,
printers, and what have you can be stored in this way. The downside to this approach is that all of the
passwords are in one place, and, if they can be stolen, the attacker has everything. The password storage
used by Microsoft Internet Explorer and Outlook, for instance, can be raided by spyware. The Firefox web
browser stores its own passwords, and if some options are turned on, is generally safe.
On the Macintosh system, there is a feature called the Keychain which stores usernames, passwords, and
certificates for all applications. The passwords are protected by encryption and are unlocked by a single
password. You can also store secure notes, to safely record account numbers or safe combinations, for
instance. The biggest security features are first, that the keychain can be set to automatically lock itself in
a variety of circumstances, and second, that access to passwords is restricted to the application that created
them. If your Solitaire application starts asking for your email passwords, for instance, the Keychain will
ask you for permission. This stops many types of spyware in its tracks. It looks like Microsoft is slowly
moving in this direction and it may be the shape of things to come.
A last valuable tool is a smartcard or similar device. The employee carries a credit card or USB drive sized
device which is attached to the computer when they log in. They must also generally type a PIN.
They cannot log in without the device and the device will not work without the PIN. Login is simpler and
thieves must both steal the device and guess the number. Of course, some process has to be in place for
dealing with employees who lose their smartcard, but an old card is easy to cancel and new cards are not
A PC is an easy target of attack from multiple directions. Spyware infections or remote break-ins can
be used to slurp documents over the network. Employees commonly leave themselves logged in when
they leave their work area, so someone who can physically access the machine can copy files and install
spyware. An attacker might steal the hard drive or the entire computer, especially in the case of an
employee's home office computer or a laptop. I have seen one case where an entire floor of an office
building was cleaned out by thieves with a truck over a weekend. Since renovations had been going on
that week, an extra truck and an extra work crew were simply not noticed. At several companies where I
have contracted, laptops were often stolen during broad daylight by both employees and intruders.
Even without theft, data can be exposed under standard warranty replacement contracts. When a hard drive
fails and is turned in for replacement, it may very well be repaired and resold as a refurbished drive,
complete with your confidential data [Sullivan-2006]. Once the hard drive has failed, it is too late to delete
critical information and hardware erasure methods will void your warranty. The only way to protect these
documents is to encrypt them before the hardware fails. Hardware which is being sold can be erased before
the sale. Broken hardware past its warranty can be dealt with easily by, for instance, drilling holes through
the hard drive and its platters. This can be a great way to get out frustration.
Deleted files do not actually go away. They can be retrieved by a knowledgeable computer user.
When deleting confidential files, it is important to realize that nothing is actually erased. All that happens
is that the space taken up by the file is marked as free for reuse. It may be minutes or months before the
space is actually written over by a new document. In the meantime, there are a number of tools which
can be used to recover the deleted data and hackers are familiar with them. Formatting disks works the
same way; the table of contents is cleared but all of the actual data is left as it is. In order to safely destroy
documents, they must be overwritten first and then deleted. A number of tools exist to do this, normally
referred to as secure deletion, and they will overwrite a document multiple times with gibberish to make
them very difficult to recover.
The best way to protect an important document is to encrypt it. Encryption is a complex subject, but, in
short, encrypting a document scrambles it using a code and only someone who knows the code can make
sense of it. Typically, you supply a password when encrypting and use the same password to get your
document back. Different encryption tools have different strengths. Like physical locks, there are tradeoffs
between complexity (how long it takes to encrypt/decrypt your data) and how much effort the attacker has
to go through to break the encryption. Breaking encryption usually involves large amounts of computer
processing, and, because computers get cheaper with time, it makes sense to use encryption which is
stronger than you need today to make sure it cannot be broken tomorrow. Generally, the "proprietary"
encryption built into many applications (e.g. MS Word, PK-Zip) is rather weak; someone can decode the
document quickly even without your password. As with deadbolts, there are published standards for good
encryption, such as IDEA or AES-256, which are well tested.
Data Hygiene: Cleaning Previously Deleted Files
When you are moving to an encrypted file solution, whether it involves encrypting individual files
or whole folders, you need to securely delete any old copies on your hard drive. This includes any
old copies of confidential data you may have already unsecurely deleted and which thieves can
readily access. How do you get rid of those? There are two decent solutions, neither of which is
The first involves wiping the entire drive with a security tool, reinstalling, and copying the files (now
encrypted) back. This is essentially the nuclear bomb solution which is crude and extraordinarily
effective at removing any leftover traces of just about anything, but may be too disruptive, especially
if you have a few machines to change over and people needing to get work done in the meantime.
You might still apply this solution whenever the machines are reinstalled in the normal course of
The second solution is not quite as effective, but is simple and a bit less destructive. Essentially, you
want to force the system to overwrite any free space on the drive, erasing leftover data. Just create
a really big file, filling most of the drive, and securely delete it. On PCs, there are tools to do this
for you: CIPHER.EXE on Windows XP and Windows Server OSes, and the Disk Utility on OS X
("Erase Free Space"). This technique does not necessarily wipe out old file names and so forth (if
you use names and social security numbers or some other sensitive data in your file names) and has
mixed results on Linux/UNIX systems [GarfinkleMalan-2006].
For the truly paranoid (or the truly bound by litigious clients) this second technique can even be
used periodically as part of a data-hygiene policy.
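The following Python is an added example, not a tool the document names: it implements the secure-deletion step described earlier (overwrite the document, then delete it) and the sidebar's free-space wipe (one large random file, then delete it). The file name and the 2048-byte record in the demo are constructed, and the caveat in the comments about SSDs and journaling or copy-on-write filesystems is this example's own note, not the document's.

```python
import errno
import os
import secrets
import tempfile

CHUNK = 1 << 20  # work in 1 MiB pieces


def overwrite_in_place(path, passes=3):
    """Overwrite a file's bytes with random data ``passes`` times; return bytes written.

    Each pass is fsync'ed so the bytes reach the disk, not just the page cache.
    Caveat: on SSDs and on journaling or copy-on-write filesystems the old blocks
    may survive anyway; there, encrypting before the data is written is the
    reliable answer.
    """
    size, written = os.path.getsize(path), 0
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            for offset in range(0, size, CHUNK):
                n = min(CHUNK, size - offset)
                fh.write(secrets.token_bytes(n))
                written += n
            os.fsync(fh.fileno())
    return written


def secure_delete(path, passes=3):
    """Overwrite, truncate, rename to a random name, then unlink.

    The rename keeps the original (possibly sensitive) file name out of the
    directory entry that lingers after deletion.
    """
    written = overwrite_in_place(path, passes)
    os.truncate(path, 0)
    anonymous = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anonymous)
    os.remove(anonymous)
    return written


def wipe_free_space(directory, limit=None):
    """The sidebar's technique: fill free space with one big random file, delete it.

    ``limit`` caps the bytes written (used by the demo); without it the loop runs
    until the filesystem reports ENOSPC. Returns the number of bytes written.
    """
    fd, fill = tempfile.mkstemp(prefix=".wipe-", dir=directory)
    written = 0
    try:
        with os.fdopen(fd, "wb", buffering=0) as fh:
            while limit is None or written < limit:
                n = CHUNK if limit is None else min(CHUNK, limit - written)
                try:
                    k = fh.write(secrets.token_bytes(n))
                except OSError as exc:
                    if exc.errno == errno.ENOSPC:  # disk full: free space covered
                        break
                    raise
                if not k:
                    break
                written += k
            os.fsync(fh.fileno())
    finally:
        os.remove(fill)  # the fill file is the one thing that must not remain
    return written


def demo(directory=None):
    """Round trip on a constructed file in a scratch directory; returns figures."""
    scratch = directory or tempfile.mkdtemp(prefix="wipe-demo-")
    path = os.path.join(scratch, "payroll.txt")
    original = b"constructed confidential record\n" * 64  # 2048 bytes
    with open(path, "wb") as fh:
        fh.write(original)
    overwritten = overwrite_in_place(path, passes=2)
    with open(path, "rb") as fh:
        after = fh.read()
    deleted = secure_delete(path, passes=1)
    wiped = wipe_free_space(scratch, limit=4 * CHUNK)
    leftovers = os.listdir(scratch)
    if directory is None:
        os.rmdir(scratch)
    return {"overwritten": overwritten, "length_kept": len(after) == len(original),
            "plaintext_gone": b"confidential" not in after, "deleted": deleted,
            "file_exists": os.path.exists(path), "leftovers": leftovers, "wiped": wiped}
```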
Encrypting individual files is difficult enough that it may lead to unsafe practices if it is your only solution.
First, it is inconvenient to have to encrypt/decrypt individual documents. Second, you need to worry about
cleaning up readable (called cleartext) copies you or your office program may make while working on
them. A safer and more convenient method is to encrypt whole folders or whole drives. Tools will decrypt
the files automatically as you use them. You can use a single password, or some tools let you store a key on
a removable device you can lock up at night. You can work on multiple files at once and cleanup is easier.
Different products accomplish this in different ways with somewhat different security, convenience, and
Ok, if you have all of your important documents encrypted, what happens when one of your employees
is run over by a bus? How do you access all of their encrypted documents? The low-tech solution is one
I have employed many times. When working on a client's systems, I would simply print out the top level
passwords for a system (the root password) and have them put the paper in a safe. If I left their service
or was otherwise unavailable, they had access to their systems. The root password could be used to reset
any of my other passwords even if they did not know them. It is also simple to store the password to a
password file or keychain in this manner.
This works well for managing a few critical passwords that only change on a scheduled basis, but is more
difficult when more users are involved and they are encouraged to change their passwords frequently. Enter
something called key escrow. Key escrow is a process where multiple passwords can be used to access the
same data. Typically, an employee would have one password they used for their encrypted folder and an
administrator would have a master password which could access the folders of all employees. Tools which
implement key escrow, such as Windows XP's Encrypted File System or the Macintosh encrypted home
folders, are becoming common. The downside, of course, is you again have a single password which can
do great damage in the hands of an attacker.
One last consideration is data hygiene. There are a number of places that your confidential data may end
up by accident which need to be cleaned up from time to time, such as your web browser's cache files,
your operating system's virtual memory, and free space on your hard drive. Web browsers have options
to clear private data, which can be used every so often, or the browser's files can be placed in an encrypted
folder. Virtual memory (also called paging or swap) is an operating system feature where the hard drive
is used to keep the system running when you run out of real memory. Applications and data that are not
being used are moved to the slow disk drive to clear space in the fast system memory for applications that
need it. In the process, confidential data such as passwords and sensitive documents you are editing may
get saved on the disk where attackers can find it. Operating systems can be set up to encrypt virtual memory
(configurable on Windows Vista, Apple's OS X, Linux; 3rd party tools on XP). Clearing hard drive free
space is discussed in Data Hygiene: Cleaning Previously Deleted Files.
Backing Up Documents
For the most part, backup and recovery is not a security concern per se and is a complex subject in its
own right. We will touch on some security specific issues here.
Backing up documents is important to protect yourself against attackers who may want to destroy data
instead of or in addition to copying it. Many attackers will not draw attention to themselves by destroying
data on any large scale, but tampering with data, particularly financial records or log files, is a serious
issue. Regular backups will allow you to compare copies of records and detect discrepancies. In the case
of log files, they contain valuable forensic evidence that will help you and the authorities in investigating
a crime. Any attacker gaining access to a system will attempt to alter or destroy them. It is critical that logs
be written to a remote location, which is a feature in many software or hardware tools.
Mirroring or high availability systems (RAID) which make copies of data across several disk drives are
not backup systems for purposes of security. Mirrored hard drives are clones of each other; if an important
document is deleted or modified on one drive, it will immediately be deleted or modified on the other,
leaving no one the wiser. A backup system must take snapshots of files at a particular point in time so that
documents can be restored to some previous state when they are needed.
Backing up encrypted files can be tricky. You either need to store passwords with the backups (since they
change over time) or store the data unencrypted. In either case, the backups must be physically secure or a
thief will simply steal them instead of the computer. I have seen many cases where companies store backup
tapes unlocked right on top of the system being backed up. Not only does this make a thief's job easy,
it guarantees that a fire which destroys the computer destroys the backup as well [19]. Small, fire-resistant
media safes are convenient and inexpensive protection for small businesses.
Storing data unencrypted prevents problems when the passwords get separated from the data or if the tool
you used to encrypt them is no longer used. PCI/DSS requires that backups containing customer account
information (the PAN, or Primary Account Number, specifically) be encrypted [PciSsc-2006 § 3.4]. In
this case, you will want to deliberately store the data and passwords in separate, secure, locations. Media
safes and secure offsite storage may be good options for protecting your media and both can protect from
fire, accident, and other losses.
Test your backups or they might not be there when you need them.
Oh, and test your backups occasionally. An administrator at a Canadian agency recently wiped out an
accounting system with $38 billion in accounts by accident and then found out that the backup tapes were
unreadable [Maxcer-2007]. I'll bet he's looking for work.
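To make two of the points in this section concrete (comparing backup snapshots to spot tampered records or trimmed logs, and actually testing that a restore comes back whole), here is an added Python example that is not part of the original document. It records a SHA-256 manifest of a directory when a backup is taken, diffs a later manifest against it, and checks a restored tree the same way; the ledger rows and log lines are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile


def manifest(root):
    """Map every file under ``root`` (path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def compare(old, new):
    """What appeared, vanished or changed between two manifests."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def verify_restore(expected, restored_root):
    """Check a restored tree against the manifest recorded at backup time."""
    return compare(expected, manifest(restored_root))


def write(path, text):
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: snapshot, tamper, compare; then restore and verify."""
    base = tempfile.mkdtemp(prefix="backup-demo-")
    live = os.path.join(base, "live")
    os.makedirs(live)
    write(os.path.join(live, "ledger.csv"),
          "2007-01-03,invoice 1042,1500.00\n2007-01-04,invoice 1043,275.00\n")
    write(os.path.join(live, "app.log"),
          "Jan 3 10:15:02 login ok user=alice\nJan 3 10:16:40 login failed user=root\n")
    snapshot = manifest(live)  # recorded when the backup is taken
    backup = os.path.join(base, "backup")
    shutil.copytree(live, backup)
    # later: an intruder shrinks an invoice and trims the failed login from the log
    write(os.path.join(live, "ledger.csv"),
          "2007-01-03,invoice 1042,150.00\n2007-01-04,invoice 1043,275.00\n")
    write(os.path.join(live, "app.log"), "Jan 3 10:15:02 login ok user=alice\n")
    tampering = compare(snapshot, manifest(live))
    good_restore = verify_restore(snapshot, backup)
    os.remove(os.path.join(backup, "app.log"))  # a backup that came back incomplete
    bad_restore = verify_restore(snapshot, backup)
    shutil.rmtree(base)
    return {"tampering": tampering, "good_restore": good_restore, "bad_restore": bad_restore}
```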