
Employee theft prevention 2


m33sta (Technical User, GB), Mar 8, 2004
Hi people, here is the scenario.

I work for a large DVD, video, CD-ROM and music CD replication company. Recently our Managing Director approached me and asked me to do a risk assessment on how easy it is, with access to a CD or DVD that we produce, to then get that data off site. OK, I've thought of the obvious ones: portable HDDs and MP3 players, FTP and e-mail etc. So my first question is, apart from the obvious ones, are there any other ways of getting data off site? And my second question would be: how do we enforce this? A classic example is contractors coming on site with laptops. These laptops are usually towards the top of the range, so they are well equipped with FireWire, CD writers etc. We have a large factory floor producing thousands of DVDs etc.; one could easily go missing and end up in a laptop's drive. So we can't ban laptops etc., as they are integral parts of the working environment, and we can't take specifications of each laptop that comes through the factory. Searching everyone as they enter the building, then watching them like a hawk throughout the day and finally searching them on the way out is not viable and a little intrusive. So how do I go about enforcing things in the areas of risk? To me it seems to be an all-or-nothing scenario. Help please, I am treading water on this one. Thanks in advance for all your suggestions.
 
If these CDs/DVDs were diamonds, I'm sure you would find a way for them to not be walking away. You need to micro-manage each department that can come into contact with this media. Follow the blank media in the door, through production and out the door; at no time can the media be copied or unaccounted for, even if it means restricting hardware at that point in production. Treat them like diamonds, because once you get a lawsuit they'll cost you like diamonds.

"Two strings walk into a bar. The first string says to the bartender: 'Bartender, I'll have a beer. u.5n$x5t?*&4ru!2[sACC~ErJ'. The second string says: 'Pardon my friend, he isn't NULL terminated'."
 
Do the contractors have to use their own laptops? Why not provide them with the tools they need and keep those tools (laptops) onsite? Other than shutting down e-mail and ftp, you could also look at forbidding the use of CD burners. However, that could be bypassed by using a flash drive (a USB portable hard drive the size of a key).

You need to do a bit of research to see what some large media corporations have done to protect themselves. I believe it was Fox that had internal problems and found one of their employees was putting movies out on the web before the release date.

I'll ask a few security friends who work for software manufacturers how they handle it, or point them in the direction of this thread.

 
The main risks that come to my mind have already been mentioned. The trick to a risk assessment is to come up with the threats and the cost to mitigate each one. Then you can come up with a plan.

Dollie is right: There very likely isn't a real requirement that contractors bring their own laptops. Provide a few workstations that they can use, and lock them down.

You can remove the removable media drives from computers and probably disconnect USB ports. If someone needs a file, they can request to have it put on the network. How often do people really need to copy files to CD-R, outside of the production duplication systems?

Set up your firewall to block everything possible, with only required exceptions. Block all FTP, for example, and allow access to only trusted sites. If you need to run an FTP server, make sure that only administrators have access to it so that employees can't publish whatever they want. Preferably, the group managing the security and public servers will be separate from anyone who has access to production files; remember that the security manager doesn't necessarily need the root passwords.

DrJavaJoe is also right, but the trick there would be to prevent someone from bringing in their own CD-R and burning it. Then you get into searching employees. Maybe worth it, maybe not.

I don't think that we can get terribly detailed in the forum. One place to look for ideas is something like a CISSP study guide. There are also a lot of security-related web sites like SANS which have papers and other information to give you ideas.
 
m33sta

And make sure you do not have a wireless network running somewhere. If you have one, and it is essential, then lock it down / isolate it from the rest of the network. Bluetooth and other similar devices small enough to fit in a pocket can be a nasty hole.

I agree with trying to ban laptops (what about hand helds?). If the visitor needs their laptop, then see if they can check their DVD / CD drive at the gate.

In addition, and perhaps this is over the top: hire a temp security person for the following scenario. The temp works on site for a period of time, makes inquiries with associates on the CDs, and then tries to steal something and is conveniently caught. Make a big scene on his capture. Obviously, the temp knows in advance that they are going to be caught and this is just a theatrical show. This type of visual demonstration may pass on the message: "we are watching and we will catch you".
 
Do the laptops need to be on the factory floor? What if you restrict them to the office areas only?

You could have a sign on the doors to the factory:

    No data storage devices (laptops, flash drives, MP3 players) beyond this point

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 
willir

That is deviously brilliant! Star for that idea. I like it when someone thinks with their mind about how to beat a technical challenge without technology!

SF18C
CCNP, MCSE, A+, N+ & HPCC
Tis better to die on your feet than live on your knees!
 
willir said:
    The temp works on site for a period of time, makes inquiries with associates on the CDs, and then tries to steal something and is conveniently caught.

And what about the potentially (inadvertently, since there are unsuspecting contractors watching) ruined reputation of the temp? Hugely bad idea.
 
I don't know if the show is a good idea at all - have no experience in the issue. But if you go down this route, can you hire a drama student for this? He/she, most likely, will not care much about his/her reputation in this industry, will not know the employees/contractors socially, probably had some training on changing his/her appearance, and will appreciate some extra money. Well, just a thought.
 
You need to close down a lot of loopholes, I'm sure we'll all miss one or two, but here are a few things which come to my mind.

1) This operation doesn't need an internet connection; in fact, most workplaces don't. There should be no computer in this environment which comes into contact with the DVDs and has an internet connection.

2) The few machines with an internet connection should have their optical drives pulled and USB ports de-activated.

3) Wireless is right out.

4) I'd go as far as running a static IP system, no DHCP.

5) Check bags at the door. If someone needs a laptop, fine, but they're not bringing in the laptop bag, and they're ejecting that CD burner.

6) Lots of cameras.

7) Waivers, if all else fails, make sure you have a signature.

 
Micromanagement, IMHO, is never a good idea. Quality control and proper inventory, however, is.

Not all problems are technology problems; sometimes it's easier to hand-write an envelope that only gets sent out one time than to write a custom database inquiry to address the same envelope. :)

I tried to put myself in the same scenario; if I was running a CD Duplication company, how would I keep things from disappearing? The first couple of things that come to mind are not technology-based.

1) Does your company have a policy that allows for the lawful purchase of product you produce? It's certainly better, IMHO, to buy something, say, for half price as a "perk" than to risk my job over trying to walk out with something.

2) Do you have sufficient inventory control? In other words, if I'm going to have a run of 500 CDs, do I have to go sign out 500 blanks' worth of material, and account for them after the run?

3) Is it clearly understood by staff that it is a terminable offense to take a five-finger discount on product (or to download/transfer/etc.)?

4) Is it clearly understood (and signed by) vendors that they will not only lose your business, but their bosses will be notified and they will be prosecuted?

A "show" is never a good thing... it will leak that it was all for show, or someone will know the actor, etc. Never try to "scare" your employees like that; it's bad management.

If you have a shrinkage problem now, use positive reinforcement; perks for reduction in shrinkage. A locked box where someone could report suspicious activities, only reviewed by senior management. And if something shows up in there, do a full, QUIET, investigation.

Personally, I would start with inventory control. Examine your process and procedure for raw materials vs. output. Each shift should have a worksheet with materials used and products produced. All "scrap" or bad presses should be accounted for and destroyed. Stuff like that.

Then, I thought about the "extremes".

1) Video surveillance.
2) A "clean room" environment; everyone is required to change into overalls with no pockets, etc. instead of street clothes.
3) No electronics entering the building, whether it be non-company laptops, MP3 players/recorders, flash drives, etc.

You know, a thought occurs to me that if you're worried about a vendor walking in with a laptop and downloading some songs about to go to press, I'd worry a LOT more about them plugging in a packet sniffer and compromising your entire network. <Shudder>

Just my $.02

--Greg
 
I am against the "temp show" idea for a couple of reasons. First, as already stated, the potential harm to the "criminal." Word of mouth can spread quickly and widely.

Second, because it is a show. It's not real. That is not how to get people to take you seriously.

Otherwise, there have been some great suggestions offered.

Good Luck
--------------
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein
 
As a former consultant/contractor, I'm not too sure how feasible it is to ban the use of their own laptops. If the guy is there as a graphic artist, then by all means you can block them from using their own machines, but remember you'll have to purchase any software that you currently don't have that they require. When it comes to the contractors in equipment support roles, this may not be as feasible, in that many pieces of equipment have proprietary applications written for configuration and troubleshooting.

A good, reliable and professional contractor will have the tools they require to do the job installed and properly licensed. They also probably won't give you the installation media for their software, because it would violate their license agreement. Also, a contractor who values their career and reputation wouldn't be a person you would have to worry about.

"Shoot Me! Shoot Me NOW!!!"
- Daffy Duck
 
Wow, an amazing number of responses in such a short amount of time. Maybe I could sort out my entire life through forums? Er, maybe not. Thanks for all the pointers; it puts everything into a clearer light for me. I feel a bit more confident in reporting back to the old MD now. Cheers, guys and gals :)

If you don't ask, you won't get :)
Steve Poole
Technical Analyst
Cinram UK ltd
 
gbaughma made good points.

To me this is a SOP issue. (SOP=Standard Operating Procedure)

Restricting technology will have to be an all-or-nothing thing. Heck, unless you want to do full body cavity searches, don't think you can stop technology getting in.

Control the source media, for one. Like the diamond analogy: if you can't account for the media at all times, you are lost.

Control the media it is transferred to.

If you start to identify that one of those areas is short, then tighten up that area.

An analogy I like to use with security is that many places handle security like putting up a fence around a garden to keep the rabbits out. Many places, though, seem to spend massive amounts of time, effort and money putting up a fence that only covers a portion of the perimeter.



Hope I've been helpful,
Wayne Francis

If you want to get the best response to a question, please check out FAQ222-2244 first
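gbaughma's point about signing out blanks per run and accounting for scrap, and Wayne's point about accounting for the source media at all times, both come down to a per-shift reconciliation. The following is an added example written for this thread, not code from any of the posters or from Cinram: it assumes a shift log where each run records blanks signed out, good discs produced, scrap logged as destroyed (with a second person witnessing the destruction), and unused blanks returned to stock. The record layout, field names, thresholds and the sample shift log are all constructed for the example. Any unit that is not good output, witnessed scrap or returned stock is flagged as unaccounted for, and a run with an unusually high scrap rate is flagged too, because theft can hide as scrap.

```python
"""Shift-level media reconciliation (added example; the record layout,
field names, 5% scrap threshold and the sample log are assumptions)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Run:
    run_id: str
    title: str
    blanks_signed_out: int        # blanks issued from stock for this run
    good_output: int              # finished discs passed to packaging
    scrap_destroyed: int          # bad presses logged as destroyed
    scrap_witness: Optional[str]  # second person who signed off destruction
    blanks_returned: int          # unused blanks checked back into stock

    def unaccounted(self) -> int:
        """Signed-out units that are not good, destroyed or returned.
        Positive means units are missing; negative means an overcount."""
        return self.blanks_signed_out - (
            self.good_output + self.scrap_destroyed + self.blanks_returned)

    def scrap_rate(self) -> float:
        """Scrap as a fraction of the blanks actually consumed."""
        used = self.blanks_signed_out - self.blanks_returned
        return self.scrap_destroyed / used if used else 0.0


def reconcile(runs: List[Run], max_scrap_rate: float = 0.05) -> List[Tuple[str, str]]:
    """Return (run_id, finding) pairs for runs that need follow-up.

    Findings:
      unaccounted:N     N units are missing from the count (shrinkage)
      overcount:N       more units reported than signed out (bad bookkeeping,
                        or media brought in from outside the controlled stock)
      unwitnessed scrap destruction has no second signature
      high scrap rate   scrap exceeds max_scrap_rate
    """
    findings: List[Tuple[str, str]] = []
    for r in runs:
        diff = r.unaccounted()
        if diff > 0:
            findings.append((r.run_id, f"unaccounted:{diff}"))
        elif diff < 0:
            findings.append((r.run_id, f"overcount:{-diff}"))
        if r.scrap_destroyed and not r.scrap_witness:
            findings.append((r.run_id, "unwitnessed scrap"))
        if r.scrap_rate() > max_scrap_rate:
            findings.append((r.run_id, "high scrap rate"))
    return findings


# Constructed sample shift log; not real production data.
SHIFT = [
    Run("R1", "Album A", 500, 490, 6, "qc-jane", 4),   # balances exactly
    Run("R2", "Film B", 1000, 980, 8, "qc-jane", 0),   # 12 units missing
    Run("R3", "Game C", 200, 150, 50, None, 0),        # 25% scrap, no witness
    Run("R4", "Album D", 300, 301, 0, None, 0),        # one more than issued
]

if __name__ == "__main__":
    for run_id, finding in reconcile(SHIFT):
        print(run_id, finding)
```

The overcount case is worth keeping: a run that produces more discs than were issued to it means either the counts are wrong or someone pressed onto blanks that never went through stock control, and both deserve the same quiet investigation Greg describes.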
 
I have worked in a highly secured environment, but it was constructed from the ground up to be that way. It doesn't necessarily have to be too expensive though.

The main security method was the clean desk, i.e. no media (cd, paper, whatever) whatsoever (secure or insecure) on the desk when you leave, allowing easy control of physical space.

Removable HDDs, which, following the same strategy, were removed and secured on employee departure.

Locked screensavers mandatory. NO unlocked computers when someone is away from the desk. New initiative was a card system into the keyboard that was attached to you at all times, when you walk away you take your card out, the computer locks.

A software system that prevents access to media not cleared through central control, neat touch, when another computer used it outside the dept it invalidates it again so it has to be checked back in.

It was a good system, but as you can see it was planned for first.

Matthew

The Universe: God's novelty screensaver?
 