An Ounce of Prevention
There is an adage that says “an ounce of prevention is worth a pound of cure.” When it comes to the protection of trade secrets and/or intellectual property, this is doubly true. Many companies are being forced by legislation or contract to implement an effective incident response plan; the truly wise also consider preventing incidents in the first place.
One of the most common sources of network incidents is also a company’s greatest asset: its employees. When employees become unhappy, bad things can happen. With appropriate IT policies in place, companies can prevent many of these incidents from happening in the first place. The following are a few simple policies and actions for companies to consider.
Disable “auto-mount” on user computers. “Auto-mount” describes the process by which a computer automatically makes a connected device accessible for someone to use. For example, if a USB drive is connected to a Windows XP computer, the computer will mount the drive and assign it a drive letter. This makes it easy for a user to access the file data within the drive, and also makes it possible for data to be copied to/from the drive. By disabling this functionality, a user may connect a device to their computer, but will be prevented from transferring data between the device and the corporate network. Other operating systems have similar functionality even though they may call it by different names. The goal is to change settings so that a user cannot connect and use a storage device without IT department approval.
Disable “auto-run” on user computers. “Auto-run” describes the process that occurs when a user inserts a CD or DVD into a computer. The computer reads the files on the disc, and an EXE file (or similar) directs the computer to launch a specific application. A malicious program could be set up to run as soon as a CD is inserted. Disabling the auto-run capabilities of a computer would reduce the chances of “accidental” use of software from a CD or DVD.
Regulate usage of email and webmail accounts. User email data should be stored on a server that is backed up regularly. Companies may also prohibit the use of web-based email services such as MSN, Yahoo, and Google. Webmail is a common way for users to transfer sensitive company file data outside of the company.
Audit users’ computers regularly. Regular audits of a user’s computer can reveal notable events that may allow a company to nip a problem in the bud. For example, reviews of Windows registry data can reveal connections of storage devices. Any devices which are not company property may be suspect and require further review. A regular audit of a system is a good way to make sure that policies are enforced. A competent forensic expert can review an image for any specific policy concerns that your company might have. Forensicon specializes in tailoring a review process which ranges from forensic preservation to reporting, and uses industry-standard tools and methodologies which stand up in court when needed.
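The audit described above can be scripted on a Windows workstation. The following is an added example, not code from the original article or from Forensicon: it checks the auto-run policy, the state of the USB storage driver, and the registry record of connected storage devices against an allow-list. It assumes the policies are applied through the machine-wide NoDriveTypeAutoRun value and the USBSTOR service Start value; $ApprovedSerials is a hypothetical allow-list whose entries are constructed placeholders.

```powershell
# Added audit example; run it on the workstation under review.
# Hypothetical allow-list of company-owned devices (constructed placeholder serials).
$ApprovedSerials = @('EXAMPLE-SERIAL-0001', 'EXAMPLE-SERIAL-0002')

function Get-AutoRunPolicy {
    # NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type (machine-wide policy).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    [pscustomobject]@{
        Check  = 'AutoRun disabled for all drive types'
        Value  = if ($null -eq $val) { 'not set' } else { '0x{0:X}' -f $val }
        Passed = ($val -eq 0xFF)
    }
}

function Get-UsbStorageDriverState {
    # Start = 4 means the USB mass-storage driver is disabled; 3 is the default (load on demand).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        Check  = 'USB mass-storage driver disabled'
        Value  = if ($null -eq $start) { 'not set' } else { "$start" }
        Passed = ($start -eq 4)
    }
}

function Get-UsbStorageHistory {
    # Each USB storage device ever connected leaves a key under Enum\USBSTOR:
    # <vendor/product/revision>\<instance ID>, where the instance ID starts with the serial.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return }
    foreach ($model in Get-ChildItem -Path $root) {
        foreach ($instance in Get-ChildItem -Path $model.PSPath) {
            $id = $instance.PSChildName
            # An instance ID whose second character is '&' was generated by Windows
            # for a device that reports no serial, so it cannot be matched to the list.
            $hasSerial = -not ($id.Length -gt 1 -and $id[1] -eq '&')
            $serial = if ($hasSerial) { ($id -split '&')[0] } else { $null }
            [pscustomobject]@{
                Device   = $model.PSChildName
                Name     = $instance.GetValue('FriendlyName')
                Serial   = $serial
                Approved = ($hasSerial -and ($ApprovedSerials -contains $serial))
            }
        }
    }
}

@(Get-AutoRunPolicy; Get-UsbStorageDriverState) | Format-Table -AutoSize
Get-UsbStorageHistory | Where-Object { -not $_.Approved } | Format-Table -AutoSize
```

Devices listed by the last command are those with no match in the allow-list and are the ones to hand to a reviewer; the script only reads the registry and changes nothing.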