Commercial corporations, enterprises and organizations such as government bodies, health care providers, military organizations and financial institutions face several computer security concerns. One of these concerns is the leakage of information from their internal computer network to the outside world. The threat of information leakage may come from outsiders attempting to hack into the organization's computer system as well as from disloyal, disgruntled or simply careless employees working inside the organization.
Internal employees, utilizing the permissions that have been granted to them, may gain access to the enterprise's information stored on the organization's computer system, download the information to their own computer and then transfer the information to a hostile entity via an external storage device or any other method of data transfer. The external storage device may be a removable storage device (e.g., flash memory such as, but not limited to, DISK ON KEY provided by M-SYSTEMS, or other removable hard disk drives), a removable storage medium (e.g., floppy disk, writable CD-ROM or external hard drive), an internal hard drive (e.g., IDE hard drive or SCSI hard drive), a PDA with storage, a digital camera with storage, etc.
One common approach to dealing with this type of security threat is to prevent access to all external storage devices from the computer system. This can be accomplished by blocking all the ports on which such external storage devices can appear, or by blocking the mount operation of a storage device. However, such drastic approaches adversely affect the productivity of the computer system's users in that they prevent the employees from using any removable media at all.
Another common method is to use one or more security agents that reside locally on each user's machine. A security agent is adapted to manage and enforce organizational security rules (a policy) on its local user's computer. Usually a security agent is effective both when the user's computer is connected to the organizational network and when the user's computer is working offline, far away from the organizational network. This agent monitors and controls the interaction of the local machine with other machines and devices. An exemplary security agent is disclosed in PCT application number PCT/IL 2005/001367 and in PCT application number PCT/IL 2004/001073, the contents of which are incorporated herein by reference. Usually the operating system is configured so that the security agent is loaded as one of the first applications after the operating system itself.
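To make the contrast with blanket port-blocking concrete, the following is an added illustrative model of such a local agent, not the patent's agent nor any product's code: it applies a per-device policy (approved devices allowed, other devices restricted by class) and keeps audit records even while offline, forwarding them when the machine reconnects. The device classes, serial allow-list and default actions are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DeviceEvent:
    """A mount request seen by the agent (constructed sample shape)."""
    user: str
    device_class: str   # e.g. "removable_flash", "optical_writable", "external_hdd"
    serial: str


@dataclass
class SecurityAgent:
    """Local policy enforcement point; hypothetical names, not a real product API."""
    approved_serials: set[str]          # organization-issued devices
    class_defaults: dict[str, str]      # fallback action per device class
    online: bool = True
    audit: list[tuple] = field(default_factory=list)    # delivered to the server
    pending: list[tuple] = field(default_factory=list)  # buffered while offline

    def decide(self, event: DeviceEvent) -> str:
        """Return 'allow', 'read_only' or 'deny'; unknown classes are denied."""
        if event.serial in self.approved_serials:
            return "allow"
        return self.class_defaults.get(event.device_class, "deny")

    def handle(self, event: DeviceEvent) -> str:
        """Enforce the policy and record the decision, online or offline."""
        decision = self.decide(event)
        record = (event.user, event.device_class, event.serial, decision)
        (self.audit if self.online else self.pending).append(record)
        return decision

    def reconnect(self) -> int:
        """Flush records buffered offline; returns how many were forwarded."""
        self.online = True
        flushed = len(self.pending)
        self.audit.extend(self.pending)
        self.pending.clear()
        return flushed


if __name__ == "__main__":
    agent = SecurityAgent({"CORP-USB-0001"}, {"removable_flash": "read_only"})
    print(agent.handle(DeviceEvent("alice", "removable_flash", "CORP-USB-0001")))
    print(agent.handle(DeviceEvent("bob", "removable_flash", "UNKNOWN-9")))
```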
However, there is a risk that a malicious employee who “owns” the user's device may try to remove or tamper with the security agent in order to override the organizational security policy. An employee who “owns” the user's device has the passwords, time and location needed to access the device. Such a user may have some administrator rights over her/his own machine, as well as some knowledge of the security policy. The malicious employee may try to bypass the security agent by installing a bypass, i.e. a detour application at both ends of the security agent, for transferring the data over the bypass connection. Alternatively, in order to disable the operation of the security agent, a malicious employee may reconfigure the operating system by changing, for example, an operating system configuration store such as the Registry in the Windows™ (Microsoft) operating system (OS).
A sophisticated malicious employee may use a CD-ROM carrying a boot program with an alternative operating system, such as Linux. The computer may be booted from the CD-ROM, loading the other operating system, which does not include the security agent. The malicious user may then copy the required confidential files or the entire content of the hard disk. Therefore, there is a need in the art for a new method that can limit the ability of an employee to affect an installed security agent.