Do you know where your data is?
July 05, 2016
Network Security Basic Training Series: Data
In this fifth article of the series, we continue to explore some of the basic ways that businesses of all sizes can keep their networks safer. This includes tools you can implement on your own and an understanding of why taking action is so important to the safety of your business.
Today we will discuss the topic of data and ways to keep track of where sensitive data resides and where it is going.
So let’s begin with inventorying hardware and software.
A common phrase in the IT community is that “you can’t secure what you can’t manage”. Another way to put it is that you cannot secure what you don’t even know exists on your network.
To secure your company data, you first have to know that it exists. Many corporate users don’t realize where they may be putting their data, and many corporate network administrators and executives may not realize where their employees may be putting the data that runs their company.
First things first: do an inventory!
To get started, I recommend that you take inventory of what PCs, servers, laptops, tablets, and phones are on your network and able to connect to your shared drives, email, and other systems. If you already have an inventory, chances are it may reside in a spreadsheet or other document, and if it is a little outdated or not complete, it’s time to do it again.
Ideally you should have a system in place that does automatic inventory and keeps a central database up to date with any new devices or changes to the systems that are being monitored. Before you do any type of inventory of corporate-owned devices, be sure that you have permission (in writing) to do so.
You should never scan any system that you do not own or don’t have approval to scan.
But what do I use to do an inventory?
There are many products available to help you do IT inventorying. Some cost money and others cost a LOT of money. What you choose is up to you and should match your particular requirements.
However, there is a FREE solution that I have used for years that may help get you started: it’s called Spiceworks. I have used this product in the past to help me audit the local network that I am connected to, and I even use this product at home to keep my home network inventory up to date.
What should I audit using these tools?
Ideally, you want to audit the PCs, laptops, servers, tablets, phones, and other devices that are connected to your network. From there, use the same tools to audit the software that is installed on those devices.
One of the features of the Spiceworks tool is the ability to audit hardware and software, and even tell you the “health” of those devices. You can tell how much space is left on a hard drive, how much memory is installed on a device and how much is in use, and I have even had the system tell me when the toner in my wireless printer was low so I could re-order it!
What about my data? How do I tell where it is?
Now that you have a high-level overview of the devices on your network and what programs are installed on them, it’s time to move on to determining where your data is. This can be difficult without specialized tools that can scan your devices for data files (such as documents, spreadsheets, databases, etc.). Those tools are typically grouped into a category called “Data Loss Prevention” or “DLP” tools.
These can be very costly for the SOHO or SMB type of user, but for larger enterprises, they should be considered a requirement. Without a costly tool like DLP, you can still take other steps to try to determine where data may reside.
Here are some of those steps:
- You can look at the devices on your network to determine if you see employees bringing in personally owned devices that you do not permit.
- Check for programs installed on corporate-owned devices that you do not permit, such as cloud sharing products, personal email programs, or data encryption utilities that you do not control.
- Check for systems that are attaching to your corporate email system that you do not recognize or control. Devices such as phones and tablets can be used to store corporate data that you may prefer to not allow.
- Check for database products on devices since these local databases may conflict with corporate policy and may be used to store copies of sensitive data that you do not control or permit.
- Look for software products installed that you do not approve, or installations that exceed your allowed count of available licenses.
- Check for utilities such as FTP (File Transfer Protocol) programs that could be used to send large amounts of data to an external server that you do not control.
- Check your email communication to see what data is going out via email to recipients who should not receive it (or to your employees’ personal email accounts if you do not allow this).
With any of the steps listed above, be sure you are authorized by your employer before doing these types of scans. Also ensure that you have the proper policies in place that let your employees know that these types of audits will be done periodically and that proper responses and possibly sanctions may be applied if employees are found violating your established policies.
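The software checks in the list above can be run against whatever export your inventory tool produces. The following is an added example, not part of the original article or of any inventory product: the CSV layout, host names, watchlist fragments, exception list, and license counts are all constructed assumptions to be replaced with your own policy.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export (host, installed software); not any real tool's format.
INVENTORY_CSV = """host,software
pc-01,Microsoft Office 2016
pc-01,Dropbox
pc-02,Microsoft Office 2016
pc-02,FileZilla Client
laptop-07,Microsoft Office 2016
laptop-07,MySQL Server 5.7
laptop-07,VeraCrypt
srv-01,MySQL Server 5.7
"""
# Assumed policy: checklist categories mapped to name fragments to watch for.
WATCHLIST = {
    "cloud sharing": ["dropbox", "google drive", "onedrive"],
    "file transfer (FTP)": ["filezilla", "winscp"],
    "local database": ["mysql", "postgresql", "sql server express"],
    "unmanaged encryption": ["veracrypt", "truecrypt"],
}
# Assumed exceptions: (host, category) pairs that policy explicitly permits.
ALLOWED = {("srv-01", "local database")}
# Assumed license entitlements per product name.
LICENSES = {"Microsoft Office 2016": 2}


def audit(csv_text):
    """Return (findings by category, license overages) for an inventory export."""
    findings = defaultdict(list)   # category -> [(host, software)]
    installs = Counter()           # software -> number of installs seen
    for row in csv.DictReader(io.StringIO(csv_text)):
        host, software = row["host"].strip(), row["software"].strip()
        installs[software] += 1
        name = software.lower()
        for category, fragments in WATCHLIST.items():
            if any(f in name for f in fragments) and (host, category) not in ALLOWED:
                findings[category].append((host, software))
    # Products with no LICENSES entry are never reported as an overage.
    overages = {s: (n, LICENSES[s]) for s, n in installs.items() if n > LICENSES.get(s, n)}
    return dict(findings), overages


if __name__ == "__main__":
    findings, overages = audit(INVENTORY_CSV)
    for category, hits in findings.items():
        print(f"[{category}] {hits}")
    for software, (used, allowed) in overages.items():
        print(f"[license] {software}: {used} installed, {allowed} licensed")
```

Substring matching on product names is deliberately loose, so treat each hit as a lead to review with the device owner rather than as proof of a policy violation.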
What about USB sticks and external hard drives?
Among the most dangerous types of devices used in corporate environments these days are USB sticks and external USB-connected hard drives.
While these can be just fine if they are provided by you for your employees to use, the ones they buy on their own and bring in from home could have devastating consequences to your business if not managed properly.
USB drives do not typically arrive with encryption on them, nor do they have anti-virus built in. If you do not block these devices, you should have a written policy in place that says that they must be checked and pre-approved for use before they are allowed to plug into your corporate-owned devices.
Users can inadvertently bring in viruses from home on them, and they can also be used to copy sensitive corporate data that is then taken home or lost in transit.
While the steps above may not find ALL the corporate data on the devices that are connected to your corporate network, it is a start and is better than doing nothing at all. Using the process above, you may end up finding personally owned devices on your network that you did not know were there, or you may even find data that you thought was better secured than it is.
When you find things that do not meet the corporate standards for use and storage, you should take steps to fix the situation so that data is not allowed to continue to be out of your control.