Be careful, your project may be leaking confidential!

 Be careful, your project may be leaking confidential!
Of: Tian Guangfu BRANCH CAMPUS Fang Yanxiang
project the possibility of leaks everywhere, the slightest slip in the management, can give companies a huge loss. This paper selects a few representative projects leaked scene, and a detailed analysis of these scenarios the anti-phishing strategies.
project leak Scene One: a shared computer
W ERP project the company started, and from all business units to deploy officers set up a project team, including Zhang from the Finance Department. ERP projects were closed out the discussion group as a whole, the project team members together for food and shelter, Zhang laptop during this period has often been borrowed. start Zhang taking into account their own notebook computers have important information such as payroll, has not taken any measures for data privacy, do not want to share the computer, but then I thought, to borrow a computer is a project team of the brothers, could not refuse.
did not take long, leading to talk to find Zhang, said that many people discussing the recent unfair wages, he asked if it was leaked the salary information. Zhang regret.
Solution: Set in the security zone
increasingly open office environment, a shared computer, to borrow the computer, etc. occur. How to prevent confidential documents stored in the computer by other people to see, things are very anxious people.
the past, business, business leaders office often save a lot of confidential documents. They receive guests in the office, but do not worry about confidential documents seen by the guests. The reason is that confidential documents stored in a safe or locked in a drawer, into the office can not see these confidential information.
similar to this principle, the user can use computer encryption products in the construction of a security zone to their important information and data into the security area, to master the security zone on or off the password password. Thus, in addition to users themselves, others can not read these important documents, user information can be foolproof.
security zone set aside this way is to use the console management procedures (management encryption software to create the partition, such as add, delete partitions, password management, image file management), disk formatting module (of the virtual disk formatting features), the virtual disk module (virtual disk function), the disk image file to protect and hide (protection and hidden safe the data files to prevent illegal tampering or deletion), and other programs and modules to achieve encryption.
computer can store multiple types of files, some files take up much room types, such as photos, videos and so on. Users should want to encrypt files on this major to require users to create computer security zone must be large enough. current space encryption products in the security zone is usually only the upper limit of 4GB, users can no longer meet demand, encryption products is bound to create more toward security space development.
present, some encryption products with encryption capabilities than the hardware itself, but also allows users to set their own course in the use of a password. This is equivalent to a double protection of information. If people want to peek at your computer files to be proficient computer passwords, password encryption hardware products. And in order to get these same password for non-legitimate users, is basically impossible.
in real life, very few Some people in the presence of outsiders to open the safe. users to read documents in the security zone, which is equivalent to open the safe, most likely be stealing data and information through the network, or hacker attacks, resulting in files infected with viruses. Therefore, , the user important information in reading computer data, should run protection program. users set their own security space changes, additions or storage of data and other operations, should be temporarily shut down the system's network connection to prevent other computers to access this machine any resources, thus increasing the security of protected areas.
the Internet there are many free encryption software, users can easily download and install. However, such weak encryption software is very easy to break mm because almost all These software are vulnerable. If you really want to protect their confidential information on your computer, you must choose a safe and reliable encryption products.
project leak Scene Two: U disk free to use
2007 年 8 months China Central Television broadcast a legal program pointed out that enterprises and secret unit shall adopt both technology and management methods to prevent leaks.
with U disk, one can easily copy files from your computer. This has caused problems along the path of secrecy. If the information once Therefore disclosure will enable enterprises thrown into passivity.
responses: peripheral constraints
U disk U disk management easier and carry copies of electronic documents, but people do not worry. peripherals, security management is more limited prone areas of negligence, unauthorized users are often in the peripheral interfaces using small digital cameras, MP3 players, Flash memory sticks, and free to upload or download files. Of course, equipment restrictions are not only USB interface constraints. The current terminal I / O interfaces are floppy, CD-ROM, recorder, Bluetooth, 1394, serial and parallel, infrared port, etc..
variety of computer I / O interfaces to the user a great convenience, but also largely increased difficulty of management of managers: if the interface from the terminal block, will affect the employee's normal job requirements; if not blocked, these interfaces is an important means of information disclosure. I / O interface, easy to intensify the management of administrators and managers the contradiction between, so that managers in a dilemma.
In fact, although the computer can provide a wealth of I / O interface, but only a small amount of interface work needed. timely closure of work-related interfaces can reduce the risk of leakage. export access control system through the device, administrators can focus on setting policy, remote open or close the interface, and detailed records of relevant information.
U disk management is the I / O interface to manage the most important part of the core of which is to be effective U disk to use to control the manner and scope of use can be divided into illegal U U disk U disk drive and two to the legitimate administration. legitimate disk is divided into non-controlled U U U disk drive and controlled both. Both U disk permissions need to be set, based on the user's authority to set different permissions for U disk. by authorizing, U disk to access the appropriate level of classified terminal. Non-controlled U disk not only in the classified area Use can also be used in non-classified area. controlled U disk can only be used in top-secret machine. Of course, non-controlled or controlled U disk U disk and can not be any use at all terminals, but also need to use be allocated. Finally, we need to bind the U disk and the target terminal, the user can under normal use the appropriate permissions.
order to facilitate the needs of different levels of confidentiality, you can create a personal secret U disk, U disk group privacy the unit disk U confidentiality: personal privacy can only make U disk U disk to open all their own; group confidentiality U disk is opened for all the group, but other groups of people can not open; confidentiality of the unit disk U is a unit of all who can open, but people can not open other units.
so U disk management system deployed to prevent the company did not authorize the person or persons outside the company to bring the U disk free access to the secret network of companies any terminal, thus ensuring internal company documents will not leak through the U disk.
project leak Scene Three: e-mail exchange
2005 年 6 10 May, Panyu District, Guangzhou City, a certain Internet cafe, Liu Qing quietly into the Sichuan Exhibition Biodroga Electronic Co., Ltd Shenzhen office clerk Xiamou e-mail.
In the process, Liu Qing and Yemen show that Xiamou is a customer to do business by e-mail and agreed method of payment, so the breeding ground for evil . He sent Xiamou interception of Yemen e-mail client, and a self-built customer of the same name with the Yemeni-mail to Xiamou send mail to steal the Xiamou back to the customers mail in Yemen and then to collection Liu Qing bank account changed to show my bank account opened by the result of Yemen customers will be $ 40,000 for the goods imported by Liu Qing exhibition held accounts.
responses: a digital certificate signed
this case did not occur in the project, But the exchanges during the project is particularly noteworthy. e-mail more traditional means of information transmission can significantly reduce the cost of the project has become a widely used means of communication exchange. enterprises more and more sensitive information transmitted by e-mail. How in the mail transmission process to protect these information security, to prevent the process of mail delivery was intercepted or tampered with, are companies should be of concern.
signature technology using PKI private key to ensure the authenticity and integrity of e-mail: e-mail certificate as the carrier of the private key, the message sender's private key to use their own digital certificate to digitally sign e-mail; e-mail message recipient is authenticated digital signature and the signer's certificate to verify that the message has been tampered with, thereby determine the sender's true identity.
digital signatures can help confirm the sender to the recipient's identity, but it can not ensure that information is not hackers peek. use PKI public key encryption technology, by e-mail as a public key certificate vector, to avoid this from happening. Sender e-mail recipient's digital certificate using the public key of the e-mail content and attachments are encrypted. encrypted message can only be held by the recipient's private key can decrypt , so only the recipient can read the message, intercepted the mail of other people only see garbled encrypted information. In this way, you can ensure that the e-mail in transit is not read by others, preventing the disclosure of confidential information.
With a digital certificate assistant, e-mail users can easily manage the life cycle of the certificate. assistant with the certificate of import and export certificates, the certificate password has been changed, other people certificate management, CA certificate management, file encryption and decryption and other functions, support for USB Key Certificate Assistant means the certificate, to help users complete the e-mail encryption certificate in the operation of virtually all management functions, to maximize the user experience on the use of certificates, the certificate has been greatly improved ease of use. In this way, the user centers do not deal directly with CA, only can be achieved with the certificate assistant all operations of the certificate.
between businesses and their customers often pass some important confidential information, and customers might be used free e-mail. to ensure that these secure communication between the mailbox to ensure secure transmission of the core secrets, and transferred to the mailbox information security is very important. The good news is that some manufacturers to provide solutions to this situation have been able to protect the security of e-mail communications. < br> it is necessary to prevent leakage mail, but also prevent important documents are sent by email. This need to support the monitoring of email content security solution. There are many such solutions, the company security policy can be established to achieve sensitive information transfer control to ensure that confidential company information will not be sent out by mail.
flow chart of e-mail encryption program leaks
Scene Four:
people collaborate on documents found in a large R & D center, the competition opponents one step ahead of launch of new products, and this new product and the company will launch the A product is almost identical. The center led senseless: the enterprise had to rely on A products to complete the product line conversion, and put a lot of money , many researchers have paid hard work. The company has taken on the design drawings strict security measures, not only purchasing encryption software to encrypt, but also drawing on personnel access to strict limits.
company executives The first reaction is that this is a result of leaked internal staff, and ordered to stop investigating the development of the product. The survey found that the company does not compromise the final drawings, but close to the end result of leakage of the drawings. As semi-finished products drawing persons involved too much, to find out who leaked too difficult, and ultimately the company had to let the matter rest.
responses: the role of encryption to encrypt the design drawings
to prevent leaks, better approach is to design team in isolation, to close all possible export. but not necessarily the right approach is most useful. such isolation would be subjected to the designer's objections, they will not check the internet to borrow, not convenient to communicate with other departments, need to print the design issued by the effect such a reason to oppose.
lot of encryption software can be encrypted for the final document, but can not guarantee that someone is copying the document during editing the document to go. the process of encryption and encryption is the role of the design team should be a way to try . the process of encryption refers to the entire design process, the document is encrypted. This encryption is the moment you save the document to.
to CAD documents, for example, the process of encryption is not only reflected in the CAD document the production process, but also in production from the CAD to the tender process. In many cases, designers need to participate in the production of tenders or product specifications, CAD software needs to be some of the graphics data copied to Word, Excel, or PPT, etc. the document. This not only can avoid the distortion of graphics and very easy to modify. Some encryption software is usually to copy and paste function blocked, but the shielding will cause great inconvenience to the designer. Some of this encryption software is open function, but because the encryption software may not be encrypted to the Office family of software, leading to the drawings by way of disclosure of the hidden danger.
In this case, the user can also choose to encrypt Office family of encryption products to ensure the CAD software and the Office family of software for information security. In this way, designers can to ease from the CAD software to Word, Excel, PPT and other documents copied graphic data, without having to worry about the existence of security risks.
identity-based encryption is another situation. in the same project team, each member is responsible for the content of their work, is responsible for a part of the members of the B part of the contents can not understand. but if you split each part into a separate document, the document is neither convenient production and modification, and overall responsibility for convenient reading. At this time, we can document that requires encryption settings in different parts of different identities, for example, you can set the title of the document as one important sentence in the body (for example, the amount of bids in the tender) as the second set, the general body of the set to identity three and so on. Protection of identity-based encryption to further refine the access rights that can better meet the project team co-production of tenders and other circumstances. < br> administrator can set permissions for individual user can also set permissions based on user groups. If the user group to set permissions, set group permissions will apply to all users. through the user groups to set access permissions strategy, individual users do not need to set one by one. permissions can be divided into local authority, external authority, print rights, etc. can also set the permission is valid. At the same time, you can also set up a temporary operating permit, the project team to deal with a variety of temporary needs. This identity-based encryption method has the advantage, can the same document with different security classification of information to set a different approach, the project team to meet the complex requirements of large document production.
electronic documents can not be taken away , print the document can not be taken away. many collaborative projects but also bring a printed document to prevent leakage. file a printed copy management system is designed for this demand. file a copy management system can print all content of the documents printed preserved for later review and evidence. Audit information can be detailed log file of the print time, the terminal machine name, IP address, user name, file extension, file content, pages and other information, the administrator can always play back the file contents.
document management system can also print a copy of the contents of the file audit. The system will back up the terminal to print the file, and then put the designated server console through the system to remotely view the contents of the terminal to print the file. In this way, regardless of whether the end user to modify the document name, you can determine whether the file contents secret.