Security question - brainstorming ideas

quadnad

Hey guys, if you're able to drop in your .02c it would be much appreciated.
Here is the breakdown:
  • I work for a company that produces very valuable research (downloadable, passworded, watermarked, and printable) to our clients
  • If this research is disseminated to the groups we complete it on, it could ruin the business
  • Clients access this research through a secure website (typical username/pass system)

Here's my question: Our biggest issue is not people "hacking" our site, but rather someone obtaining a perfectly normal user's password, downloading all our research (say, via a script), and posting it somewhere public. How can we help to minimize this risk?

Currently we have a cap of 300 documents a day on users (so if a script is used to download all docs, we're notified and access is cut off to that user). However, if the user says "oh sorry I didn't realize" (they are also bound by a contract, but that won't help resurrect the business post-dissemination) they could very well set the script to pull 299 the next time, circumventing the flag. What are more effective alternatives to a straight download cap? Perhaps after the first breach, a lagged monitoring of usage for a few weeks after?

Regarding physical security in terms of upgrading beyond simple usernames/passwords: has anyone had any experience with a physical key provided to the client that would cycle to a new password every ten, twenty, or so minutes? What are the costs of these systems? Other alternatives?

Any ways of allowing the research to be convenient to view for the clients, but difficult for them to bring to the groups we complete it on?


Is anyone working for a group with a similar issue? Any and all responses would be much appreciated.
 
In addition to the two-factor authentication that was mentioned above (a very good idea, check out RSA) you may also want to look at the way you share information to make it more secure. Do people currently have a login then access to all the research available? Would it make sense to segment that more depending on who's accessing the data? Monitoring and Logging is also key, a download cap doesn't seem useful except to warn system admins because as you said they can get around it quite easily. It sounds like you watermark your docs which is a good idea.

I'm not aware of any good ways to share the data without losing some control over it, as the general rule of thumb is that if you can see it you can print it. Although you may want to look at Adobe for some options for security on PDFs which may help.

One of my favorite resources when looking at Security is the National Institute of Standards and Technology. They have a whole section just on computer security: http://csrc.nist.gov/

Beyond this perhaps a better way to help your cause is to work with those you share the data with. Establish NDA's and clear expectations on what is allowed and what is not. Be sure to set clear guidelines as to consequences, etc. Knowing how the people you share your data with protect it seems like a key part of what you need to accomplish and something that should be looked into. All your safeguards mean squat if Joe Blow loses his laptop with your most recent research on it.
 
First off, thanks to both of you for providing your responses!

Fantastic resource, I appreciate the link! This looks like it will provide quite a lot of material to review.

In addition to the two-factor authentication that was mentioned above (a very good idea, check out RSA) you may also want to look at the way you share information to make it more secure. Do people currently have a login then access to all the research available? Would it make sense to segment that more depending on who's accessing the data? Monitoring and Logging is also key, a download cap doesn't seem useful except to warn system admins because as you said they can get around it quite easily. It sounds like you watermark your docs which is a good idea.

I'm going to research the two-factor authentication, it's an excellent idea. People currently have logins with varying levels of access based on subscription, one level of which is "universal" access. We use secured PDFs, but that only goes so far; someone with enough perseverance can get by that (but any road blocks along the way will prevent the average disgruntled employee leaving the client's company and looking to screw them). We do log and track who downloads what documents, though this data can't feasibly be reviewed down the line.

I'm not aware of any good ways to share the data without losing some control over it, as the general rule of thumb is that if you can see it you can print it. Although you may want to look at Adobe for some options for security on PDFs which may help.
I agree, that's an issue. The thing is, every single one of our clients is bound as tightly as possible to our NDAs/contracts to not disseminate this information. It's in the clients' interest not to do so, otherwise they lose access (they pay a lot of money for access). But, if they have a disgruntled employee who had access (perhaps were fired or let go), it could result in them releasing the information (in which case the damage is already done). Perhaps some kind of proprietary web-enabled document viewer?

One of my favorite resources when looking at Security is the National Institute of Standards and Technology. They have a whole section just on computer security: http://csrc.nist.gov/
Lots of good reading material!

Other than preventing the ability of someone to print the material (which would be a huge inconvenience to our clients), I'm trying to think of ways to prevent the client from taking the material when they visit the groups we've conducted the research on. They're told not to, and don't do so out of malice; it's just easy to forget and bring it with them.
 
bump for ideas!
As an update, I'm looking into the virtual token services available (PhishCops). This will help us in terms of adding another layer of security on our passwords/usernames, but won't help in terms of dissuading people from disseminating the research.
 
Probably more hassle and effort than it's worth, but how about a two-stage biometric for download recipients? I used to work for the army and a lot of stuff was controlled by smart card ID badges which used PINs, or thumbprint ID. I however have no idea how to do this.
 
Probably more hassle and effort than it's worth, but how about a two-stage biometric for download recipients? I used to work for the army and a lot of stuff was controlled by smart card ID badges which used PINs, or thumbprint ID. I however have no idea how to do this.

See, those are things we were looking at, but apparently they cost a fair amount per user (which across a userbase of a few thousand would add up quickly). Virtual tokens, which are a way of verifying the device you log on with, are much less expensive and apparently just as effective.

Any ideas as to how we can further discourage people from disseminating the reports, or prevent people from downloading via a script? Perhaps something that limits the time between downloads after a certain amount?
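The straight daily cap, the "lagged monitoring for a few weeks after a first breach" idea, and the "limit the time between downloads after a certain amount" idea from this thread, worked as an added example that is not code from any poster: a Python review pass over constructed download-log records that applies the cap, a burst check for script-like bursts, a post-incident watch period with tightened thresholds, and a cooldown that grows with the day's download count. Every name and threshold value here is an assumption chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Policy knobs: illustrative values, not the site's real settings
DAILY_CAP = 300                       # the existing per-day cap from the thread
BURST_WINDOW = timedelta(minutes=10)  # window in which a script shows itself
BURST_COUNT = 20                      # downloads per window a human reader would not reach
WATCH_PERIOD = timedelta(weeks=3)     # lagged monitoring after a first flag
WATCH_DIVISOR = 4                     # thresholds shrink to a quarter while on watch

def cooldown_seconds(downloads_today):
    """Wait required before the next download; grows past a free allowance so a
    script that stays under the daily cap is slowed rather than merely counted."""
    if downloads_today < 50:
        return 0
    return min(300, 2 ** ((downloads_today - 50) // 25))  # 1 s up to 5 min

def review_downloads(events, watchlist):
    """events: (datetime, user, doc_id) tuples; watchlist: {user: time of an
    earlier flag}. Returns {user: [reasons]} for users whose access to cut off."""
    by_user = defaultdict(list)
    for ts, user, _doc in sorted(events):
        by_user[user].append(ts)
    findings = {}
    for user, times in by_user.items():
        cap, burst = DAILY_CAP, BURST_COUNT
        flagged_at = watchlist.get(user)
        if flagged_at is not None and times[0] - flagged_at <= WATCH_PERIOD:
            cap, burst = cap // WATCH_DIVISOR, burst // WATCH_DIVISOR
        reasons = set()
        if max(Counter(t.date() for t in times).values()) > cap:
            reasons.add("daily cap exceeded")
        start = 0  # sliding window over this user's sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] >= BURST_WINDOW:
                start += 1
            if end - start + 1 >= burst:
                reasons.add("burst: scripted download pattern")
                break
        if reasons:
            findings[user] = sorted(reasons)
    return findings

# Constructed sample log: an analyst, a script just under the cap, a user on watch
BASE = datetime(2008, 3, 10, 9, 0)
SAMPLE_LOG = (
    [(BASE + timedelta(minutes=15 * i), "alice", f"doc-{i}") for i in range(6)]
    + [(BASE + timedelta(seconds=4 * i), "bob", f"doc-{i}") for i in range(299)]
    + [(BASE + timedelta(minutes=6 * i), "carol", f"doc-{i}") for i in range(80)]
)
WATCHLIST = {"carol": BASE - timedelta(days=10)}  # flagged ten days earlier
```

The burst check catches the 299-a-day script that the cap alone lets through, and the watch period catches a previously flagged user whose volume would otherwise look normal.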
 
I don't know if these clients are home-based, corporate based, or a mixture. But if they were corporate based, might you be able to restrict the access to their specific locations by IP?

I liked your idea on the custom reader, single license, must be activated/internet connection to use.
 
You can also implement CAPTCHA (http://en.wikipedia.org/wiki/Captcha) for each download. Most places like megaupload.com do this.

AWESOME! I have no idea why I hadn't thought of this. This is definitely a top candidate as part of inclusion for our security.


I don't know if these clients are home-based, corporate based, or a mixture. But if they were corporate based, might you be able to restrict the access to their specific locations by IP?

I liked your idea on the custom reader, single license, must be activated/internet connection to use.

They are almost all corporate, though due to the nature of the business some do work from home offices around the world. Restricting by IP would be a huge help for the majority of our clients; this should be a good thing for us to use on a client-per-client basis.

Yet again: Thanks to ALL for your responses. I appreciate the ideas and would love to hear any more!
 