Network Security Basic Training Series: Data
In this fifth article of the series, we continue to explore some of the basic ways that businesses of all sizes can keep their networks safer. These include tools you can implement on your own and understand why taking action is so important to the safety of your business.
Today we will discuss the topic of data and ways to keep track of where sensitive data resides and where it is going.
It’s a common phrase used in the IT community that “you can’t secure what you can’t manage”, or another way to think of this is that you cannot secure what you don’t even know exists on your network.
In order to tackle the task of securing your company data, you first have to know that it exists in the first place. Many corporate users don’t realize where they may be putting their data, and many corporate network administrators and executives may not realize where their employees may be putting the data that runs their company.
To get started, I recommend that you take inventory of what PCs, servers, laptops, tablets, and phones are on your network and able to connect to your shared drives, email, and other systems. If you already have an inventory, chances are it may reside in a spreadsheet or other document, and if it is a little outdated or not complete, it’s time to do it again.
Ideally you should have a system in place that is doing automatic inventory, and keeping a central database up-to-date with any new devices or changes to the systems that are being monitored. Before you do any type of inventory of corporate owned devices, be sure that you have permission (in writing) first before you start.
You should never scan any system that you do not own or don’t have approval to scan.
There are many products available to help you do IT inventorying. Some cost money and others cost a LOT of money. What you choose is up to you and should match your particular requirements.
However, there is a FREE solution that I have used for years that may help get you started; It’s called Spice Works. I have used this product in the past to help me audit the local network that I am connected to and I even use this product at home to keep my home network inventory up-to-date.
What you ideally want to audit is the PCs, laptops, servers, tablets, phones, and other devices that are connected to your network. Then from there, using these tools you would want to audit the software that is installed on the devices.
One of the features of the SpiceWorks tool is the ability to audit hardware, software, and even tell you the “health” of those devices. You can tell how much space is left on a hard drive, how much memory is installed on a device, and how much is in use, and I have even had the system tell me when the toner in my wireless printer was low so I could re-order it!
Now that you have a high level overview of the devices on your network and what programs are installed on them, it’s time to move on to determining where your data is. This can be difficult without specialized tools that can scan your devices for data files (such as documents, spreadsheets, databases, etc.) and those tools are typically grouped into a category called “Data Loss Prevention” or “DLP” type of tools.
These can be very costly for the SOHO or SMB type of user, but for larger enterprises, they should be considered a requirement. Without a costly tool like DLP, you can take other steps to try and determine where data may reside.
Here are some of those steps:
With any of the steps listed above, be sure you are authorized to do these steps by your employer before doing these types of scans. Also ensure that you have the proper policies in place that lets your employees know that these types of audits will be done periodically and that proper responses and possibly sanctions may be applied if employees are found violating your established policies.
One of the most dangerous type of device being used on corporate environments these days are USB sticks and external USB connected hard drives.
While these can be just fine if they are provided by you for your employees to use, the ones they buy on their own and bring in from home could have devastating consequences to your business if not managed properly.
USB drives do not typically arrive with encryption on them, nor do they have anti-virus built in. If you do not block these devices, you should have a written policy in place that says that they must be checked and pro-approved for use before they are allowed to plug into your corporate owned devices.
Users can inadvertently bring in viruses from home on them, and they can also be used to copy sensitive corporate data and be brought home or lost in transit.
While the steps above may not find ALL the corporate data on the devices that are connected to your corporate network, it is a start and is better than doing nothing at all. Using the process above, you may end up finding personally owned devices on your network that you did not know were there, or you may even find data that you thought was better secured than it is.
When you find things that do not meet the corporate standards for use and storage, you should take steps to fix the situation so that data is not allowed to continue to be out of your control.
Subscribe to Lumifi's Daily Cybersecurity News Curated by a CISO
We’ve expanded our MDR capabilities with enhanced incident response and security services to better protect against evolving cyber threats.