This week there has been some breaking news about Vice Presedential candidate Sarah Palin’s Yahoo e-mail account becoming compromised. We’re not here to discuss the politics, but the security. Part of this story does revolve around the politics; Mrs. Palin has been accused of using free e-mail services to conduct government business – because it is not subject to the same monitoring and archiving as government e-mail.
That’s where the inclusion of politics end.
The point that I want to make, is that no matter how hard you try to keep data (or bending of the rules) inside of your organization, at some point, those protections are bound to fail. Why? Because someone always builds a better mouse trap, and someone always builds a better mouse.
As some examples that we’ve seen in the past, the latest being the e-mail controversy. The government installed the ability to monitor and archive e-mails for accountability, so officials (allegedly) take their e-mail elsewhere. You place epoxy in your USB ports to keep intellectual property internal to the company, and the staff use firewire drives to do the same. You epoxy the firewire, and they e-mail it. You install a (signature based, which is only as good as the signatures) e-mail content scanner, so the staff used places like Amazon S3 to upload that. You block file sharing websites, proxies and so on. The staff set up a server on one of these and use a crossover cable to connect and upload the content. I think you get the drift. The story never ends.
Now, that’s not to say that appropriately managing your risk in these type of situations isn’t appropriate. By all means, practice defense in depth! Sometimes just a little bit of defense is enough to discourage the casual offender, which may be just enough. No matter how much you defend (to the point of making it too secure, i.e. unusable), that person willing to go the extra mile with the mini-pc and crossover cable will always be willing to go that extra mile.
The point? Evaluate and manage your data ex-filtration to an appropriate level of risk; there is a diminishing level of return! Develop an appropriate and comprehensive method of dealing with a breach when it does happen.
…because it will eventually happen.