• Aucun résultat trouvé

UNCONVENTIONAL THINKING

Dans le document DOCUMENT SECURITY (Page 133-136)

SECURING PAPER AND PHYSICAL DOCUMENTS

UNCONVENTIONAL THINKING

As indicated prior, analyzing threats is key to the successful manage-ment of sensitive information. To defend everything is hopeless. Where are you vulnerable? Answering that question involves risk assessment.

A risk assessment creates a sound approach to safeguarding secrets.

If you fall into any of these categories below, you have a high level of vulnerability:

1. Involved in a divorce or family law dispute such as child custody.

2. Engaged in an unconventional lifestyle. For example, you wor-ship an Earth religion such as Wicca in a religiously conserva-tive community.

3. Politically active and in the limelight.

4. Ongoing legal problems, whether civil or criminal.

5. Involved in a dispute with a major corporation or a government agency. Someone powerful is upset with you.

6. You and your business are a potential target for industrial espi-onage.

7. You are the target of investigative journalists.

8. Private investigators are conducting an inquiry about you.

A divorce or a family law case sparks intense emotions and concerns about what the other side is hiding. Computer specialists offer services to family law attorneys to break into the opposing side’s PC. Placing sensitive information on a computer in this situation runs a real risk of exposure.

Unconventional lifestyles can draw the interest of an opposition bent on driving you out of the community. Your opponents going through the trash or gaining access to your computer is quite possible. They will be looking for “dirt” to embarrass or to ruin you.

The private lives of the prominent in the political area are fair game in today’s world. If your private life is less than impeccable, be very careful of what falls on your computer’s hard drive.

Those chronically in trouble with the law or engaged in litigation do not need their computer as a silent witness. Avoid the digital world.

Seek other ways to store information.

If someone powerful is angry with you, be circumspect in how you store information. They can afford to place private investigators on your information trail. In addition they may set law enforcement or journal-ists to look into your personal and professional life.

If your business is one where intellectual property drives the busi-ness, then always be on guard for industrial espionage. Whether you are at home or at work, your computer needs to be physically secure, encrypted, and locked down with good password protection. Computer media needed to be wiped and destroyed prior to disposal.

An important question becomes: why are you storing a given piece of information on your PC? If the benefits do not outweigh the risks, re-thinking a digital format may be worth considering. Even if you create files, and write them directly to a removable disk such as a floppy or a USB drive, forensic examination may detect the transfer. USB stands for Universal Serial Bus. It is among other new industry standards that allow the connection to a computer of a wide range of memory devices including removable microprocessor drives and cards.

An examiner will see that you created a file and placed it on a re-movable disk. That bit of information may cause problems for you or it may not. Just keep that potential in mind.

Small trails left in the digital record provide stepping stones from non-sensitive data to non-sensitive information. Think about and visualize an elec-tronic trail being forged every time something happens on your PC or other digital device. Web sites visited, e-mails sent and received, docu-ment created and transferred, and other transactions all leave clues.

Possible solutions to this problem are as follows:

1. Use different computers for different levels of sensitive infor-mation. In the computer security field, there is the concept of a sacrificial host. Such a machine is one you can live with being compromised. If someone breaks into it, they are not going to learn anything of real value. You would keep this PC in say your home and use it only for mundane purposes. For more sensitive information, you would use another computer in a lo-cation not known to others.

2. As indicated, removable hard drives, and USB drives are an option. Just be able to explain any transfer trails. Watch out for unintentional “temporary” copies being made on your PC by the application.

3. Use encryption, but remember it attracts attention. For highly sensitive information, encryption should not be the only means of defense. Think in terms of layers of protection. Good physi-cal security in a location not known by others greatly enhances the encrypted file’s secrecy.

4. Keep certain facts in your head. Obviously, you cannot memorize an entire database, but you can memorize the password for it.

5. Forget about hiding tricks such as files within files or within images on your PC. Computer forensics people know about these tricks. Searching for them would be a normal part of any forensic examination. You are far better off hiding data physically elsewhere.

6. Use a false fortress PC. Remember that creating the fortress in-volves several steps. Erect a portcullis with a screensaver pass-word. Dig a moat by adding a long, random, very hard to guess, wildly chaotic password for the administrator account. Build a for-midable wall by changing the name of the administrator account to something else and run the machine as a highly restricted user.

But even if an attacker gets through these defenses, not having sen-sitive information on the machine provides the ultimate defense.

7. Finally, do not carry your whole life around with you. Men have everything on their laptops and in their briefcases: from business plans to medications to emails to their sweethearts.

Women shoulder large, fashionable bags to tote around PDA’s, laptops, appointment books, correspondence, and even diaries.

True, these portages offer convenience, but they also serve as haute cuisine for information thieves.

Dans le document DOCUMENT SECURITY (Page 133-136)