I don't know if you've noticed, but lists of seven seem to be all the rage these days. I wonder whether, to adopt the latest in IBM speak, the editors think of this as "constituent centric" numerology or whether five is simply too short and their imaginations have been failing short of ten. Either way, however, some of the resulting articles have been, (ahem, cough) "impactfull."
One of these, by Matt Roedell on CIO's advice site is entitled: Information Security: 7 Data Leaks you can't Ignore but should really have been titled: "Information security: 7 reasons to get rid of the PC"
For each enumerated leak he lists the risk, summarizes the patch, estimates its cost, and then discusses patch implementation. Here are the first three of these elements for each of his seven leaks:
- Leak #1
Sensitive information can leave your organization through USB mass storage devices such as thumb drives, IPODs and Digital cameras or other removable media
Risk Mitigation -> Block all USB mass storage devices
Approximate cost for hardware and 300 licenses -> $50,000
- Leak #2 Sensitive information can leave your organization when copied to a CD or DVD
Risk Mitigation -> disable all burners and remove burning software
- Leak #3
Sensitive information can leave your organization when a laptop is lost or stolen
Risk Mitigation -> enable whole disk encryption on all laptops
Approximate cost per laptop -> $200
- Leak #4
Sensitive information can leave your organization when a backup tape is lost or stolen
Risk Mitigation -> enable software or hardware tape encryption
Approximate cost per server license -> $800
- Leak #5
Sensitive information can leave your organization by being sent out your internet connection.
Risk Mitigation -> enable content packet inspection with the ability to block
Approximate cost -> varies based on member records
- Leak #6
Sensitive information can leave your organization when a rogue device such as a wireless router, laptop, hub, switch or any other unauthorized device is connected
Risk Mitigation -> enable layer 2 access switch port security
- Leak #7
Sensitive information can leave your organization when vulnerabilities are discovered and exploited.
Risk Mitigation -> perform monthly penetration testing on the internal and external network
Approximate monthly recurring cost -> $1,600
Notice that the costs he cites assume a Wintel infrastructure and are strictly limited to checks written to third parties -i.e. the support and implementation costs for these preventative policies are assumed to be irrelevant to the discussion.
Consider, for example, his discussion for Leak #2; the first of the two he shows as having no patch costs:
The solution is 3 fold
1- disabling the default windows burning capability through an AD GPO push to all workstations
2- Uninstalling all 3rd party burning software
3- Removing all employees from the PC local admin group and power users group (best standard practice anyway).
This prevents anyone from copying info to a CD without submitting a formal request to do so. When a legitimate request comes into your ticketing system, you can RDP to their workstation and install the 3rd party software. The software would then be uninstalled when they were finished. Another more manageable option is to assign the CD burning functionality to a smaller group of users which mitigates risk by requiring a ?standard? user to go to a trusted employee such as a supervisor to have information copied.
Look closely first at what he assumes and then at what he's saying and you'll see that the combination comes down to this bit of organizational advice: first pay to "empower users" by putting a fully supported dual core, 2GB, 3.2Ghz computer with a 90 million line OS on their desks, then pay to take away all the empowering functionality provided by that infrastructure.
The sad part is that his advice makes perfect sense and a lot of big organizations do pretty much all of what he suggests - but, you know, if I were selling Sun Ray I'd talk about getting rid of the middle man here.
In fact, people who do sell Sun Ray should get reprints of this article and give them to every tire kicker to come along because the process his prescription fits is comparable to ordering pizza with several extra toppings all of which you're allergic to - and therefore are best advised to hire someone whose job is to strip off these extra toppings so you can safely eat what you should have ordered in the first place.