What to do: Reminders should be sent to employees about authorizing third parties. Identify the source by asking questions, not making assumptions.
7. Optical media: In June 2010, an Army intelligence analyst was arrested after being charged with stealing and leaking confidential data to public networks. Sources claim the analyst did so by bringing in music CDs labeled with popular recording artists, using this medium only as a guise. Once he had access to a networked workstation, he would access the classified information he had authorized credentials for and store the data on the "music" CDs in encrypted archives. To help cover his tracks, the analyst would lip sync to the music that was supposedly stored on the CDs while at his workstation. Recordable media that appear to be legitimate can be, and have been, used to piggyback data in and out of networks. And, like the thumb drives mentioned above, they can be used as a source for network infection.
What to do: As with the USB tip, it's important to implement and enforce asset control and policies around what devices can enter the environment and when. And then follow that up with frequent policy reminders.
8. Hindsight is 20/20: While much of this list focuses on mitigating threats that capitalize on digital technology, we shouldn't forget that the human mind is also very effective at storing information. Who is watching you when you log into your desktop? Where are your hard copies stored? What confidential documents are you reading on your laptop at the coffee shop, airplane, etc.?
What to do: The best safeguard is being conscious and alert about this threat whenever working on sensitive material -- even if it means stopping what you're doing momentarily to observe your surroundings.
9. Smartphones and other digital devices: Today, phones do more than just allow you to call anyone in the world from anywhere; they're full-functioning computers, complete with Wi-Fi connectivity, multithreaded operating systems, high storage capacity, high-resolution cameras and vast application support. And they, along with other portable tablet-like devices, are starting to be given the green light in business environments. These new devices have the potential to pose the same threats we've seen with notebooks and thumb drives. What's more, these devices also have the potential to elude traditional data-leak prevention solutions. What's to stop a user from taking a high-resolution picture of a computer screen, and then emailing it over a phone's 3G network?
What to do: The same rules for USB devices and optical media apply here. Implement and enforce asset control and policies around what devices can enter the environment and when.
10. Email: Email is frequently used within businesses to send and receive data; however, it's often misused. Messages with confidential information can easily be forwarded to any external target. In addition, the emails themselves can carry nasty viruses. One targeted email could phish for access credentials from an employee. These stolen credentials would then be leveraged in a second-stage attack.
What to do: With email security, source identification is key. Identify the sender using technology such as PGP, or a simple array of questions before sending sensitive information. Access control to broad alias-based email addresses should be enforced. And policy and reminders should be sent out to employees.
Derek Manky is a project manager at Fortinet's FortiGuard center.