Data Loss Prevention in the Enterprise

Transcription

1 Data Loss Prevention in the Enterprise ISYM 525 Information Security Final Paper Written by Keneth R. Rhodes

2 In today s world data loss happens multiple times a day. Statistics show that there is tremendous amount of data that is either stolen or lost everyday. A good source of this information is available on the following website Voltage security is a company that specializes in point to point encryption technology solutions. On the home page is a running ticker of data loss events from around the world for the last month. They also have an interactive map that shows events over the last three years. Statistically the percentages of data still remains low but this is due to the massive amounts of data that exist today. A large portion of lost data is not targeted data; most thefts are thefts of convenience. A laptop left on the car seat, or one that is not watched in an Airport, or cell phones that are picked up in restaurants. Then to complicate matters human error can also result in significance data loss if steps are not taken to prevent or at a minimum recover lost or damaged data. The main thing to remember is that all data is important. Simple put if it is collected it is important to you, this could be for litigation, documentation, or marketing purposes. So if it is important to you then it is important to others such as competitors, cyber criminals and so on. You will never know who may want your data but you can be sure someone wants your data. There is no such thing as useless data; Google has proven that fact, every byte of data means something to someone. In the book, Data Leaks for Dummies, (2009) here are the top two choices of criminals accounting for more than 1/3 of data stolen or sold. (Source Symantec Corporation, 2007) Rank Goods/Service Percentage Range of price 1 Bank Accounts 22% $10 - $ Credit Cards 13% $ $

3 The ability to recognize your vulnerabilities will greatly enhance the company's ability to defend and protect the valuable data within the organization. Some of the more common points of attack in a company are; , USB Devices, wireless networks, laptops, and unencrypted data. The first I mentioned was , attacks can be in many forms, Spam and other malware loaded Phishing s can get in and a link that is clicked by an unsuspecting user can easily begin transfer data from your network to another company's network server. Another such attack could be more specific and that would be in the capturing of messages being sent to remote users. Any that leaves your domain and is addressed to a mailbox outside of the domain is susceptible to an attack. Wireless networks are another area in which your data may be extremely vulnerable because the technology is still developing in the corporate areas not all potential vulnerabilities have been secured. Care must be taken in respect to transferring data over a wireless network. USB Devices are another great threat that many companies do not even consider, or if considerations were made they feel that convenience and speed outweighs the risks of data loss. Unencrypted data is another area that is vulnerable because it is like saying here is the information in ready to read form. Many businesses did not encrypted data in the databases because of the time required to recall the information so that changes can be made. The same goes for Removable storage and backup devices. The time needed to encrypt and store the unencrypted and restore was so great that many said it was not worth the time or effort that the data needs to be available quickly. Luckily this is less of 3

4 an issue today due to the increase of processing speeds larger storage capacity and development of better encryption techniques. Laptops are another major point of vulnerability since they are removable device they can not be protected by your network security or the physical security that you have control. The end user may just be careless and leave the laptop unprotected, left in plain view such as on the front seat of his car. This is where the company is at a loss when it comes to control and monitoring of the device. When you talk about the remote user you must consider the whole, not just when the user is in the office and connected to your network, but you must also consider the vulnerability of a portable device when the user is out of the area. Some locations that should be considered are Airports, Vacation Resorts, Internet Café s, and public transportation. Airports seem to be a common place where laptops and cell phones have been lost or stolen. In today s world one must think of a cell phone in the same context as a laptop. Large amounts of data can be stored on handheld devices. The airport is one if the prime areas that theft is high because of the constant traffic and long waits, one may tend to lose track of time and place a device down for just a few minutes without looking and the device is gone. The same would go for the other forms of public transportation such as buses, shuttles and taxi cabs. Remote user vulnerability occurs when a remote user is on vacation, this is a dual threat because the user is not only susceptible to theft from the room or even pool side but also vulnerable to attach because the end user is utilizing a public access network to the internet. This is the same vulnerability that one faces in any internet café or other such internet hot spot. It is very easy for a hacker to just sit and wait for a business user to 4

5 enter an establishment turn on his computer and then access the information on the machine. This is particularly true if the user is alone. Consider this a single user enters an establishment with just their laptop and themselves. They order a meal and coffee and begin to work, how many users would not get up and leave the machine unintended while they go and pick up their order. It would take less than a minute to plug a USB device into a laptop to download a program that would start transferring data to a remote host. The corporate entity should be fully aware of all technologies available whether or not the company chooses to utilize those products or to abide by those practice's. These can take on many forms from many different manufacturers. Your first defense in almost every network is at the outer boundaries of your domain. There different appliances that can be placed at this out boundary but a good firewall and router are a definite. Your firewall is the first line of defense against data loss, but the firewall is just one line of defense not a solution to data loss. Your firewall will only protect you against a provable attack packet, this is determined by different factors such as known attack routines and user programmable functions. The downside to a firewall is that it is susceptible to traffic overload in which the firewall will drop packets that may be legitimate if the amount of data exceeds the capacity of the firewalls limit. In conjunction with a firewall one should also have a Anti-Virus Server to process the data one step further by looking for known virus definitions stored within the memory of the server and reject anything that is known to be a threat. Your Antivirus server today should utilize software that is considered zero day virus protection. The server should automatically update the moment a new threat is detected and a known definition is 5

6 written by the company. You should not have to wait for the next scheduled update before your network is protected. Access control is another major concern for the enterprise, these needs to be considered from all aspects where the control is on the physical access or the access to different hardware or software products with your organization. The physical access to your building should be your first concern. If you can not control that comes and goes your data will surly go. Competitors could easily pose a delivery person, potential customer or even a company employee. It is possible to infect a network with a virus that could transfer all your valuable data to a remote location in a matter of seconds by a rouge imposture who plugs a USB drive into the nearest computer terminal. Hardware and software access control is controlled through the ACL (Access Control Lists). An access control list is a table of rules that set the requirements for access to data on the network. The main thing to remember when creating an ACL is to start with the specific access needed, the general access needed and block all other access. As an example the District manger in the Chicago office has access to all financial records on Database A, the office manager and accounting personnel have access to only the Chicago financial data, all other employees do not have any access to financial database. Since an ACL will stop at the first rule that applies and will not drill down further it is assumed that, if no rules apply, access is granted. So it is very important to include the exclude rule in all ACL rule sets. Many of the subjects that have been touched on are just the outskirts of what should be considered when developing prevention techniques additional considerations are in the policy area. This is the area where the company can start to take a proactive 6

7 effort to protect data. Policy is the written rules and legal protection for the corporation. Written policy is very important and can be the basis for and legal proceedings in the future. A well written policy is protection against data loss, or at least the basis for prosecuting an individual for the unauthorized release of data. There are a few policies that are extremely important for a company to have in place and they include but are not limited to the following: policy Wireless policy Enterprise and Operating System patching policy Information Security policy hosting policy Desktop Management policies Testing policy Application deployment Application upgrade policy Data center policies Data center access policy File backup policy Files restore policy Data Center environment policies Password changing policy Windows Server Environment Functional testing 7

8 Computer naming convention Backup procedures Desktop Management testing procedures Patch deployment Account Management Application access Data review policies Termination and exception policies Audit and review policies Consultants Employee transfers Other specific policies could include an encryption policy that covers many areas of the company such as encryption of databases, backup media, , and even endpoint devices. Such encryption is critical to the protection of data loss. Unencrypted data is unsecure data. Likewise a sound and tested recovery policy is just as important for the database structure backup media and also the decryption, restoration and encryption of the endpoint. Additional prevention techniques include Data monitoring and data blocking. This is a newer technology that actually monitors the outgoing traffic just as much as the incoming traffic. Some internet providers will provide a limited aspect of this service by notifying the administrator of excessive upstream data transfers, the downside here is that notification my be to late to save data, this form of monitoring is more for protecting you bandwidth and data transfer consistency. Special appliances 8

9 need to be added to the network to protect and enterprise from such attacks. McAfee is one manufacture of such a product the McAfee Network DLP Monitor some of the key features mentioned on the web site found at work_data_loss_prevention_monitor.html are: Benefits: Identify and protect sensitive information Find sensitive information then conduct forensic analysis and create rules to prevent future behavior Capture and index all network traffic Filter and control sensitive information then index, query and mine all content, and monitor file share access Create and tune sophisticated rules Identify more than 300 content types over any port or application, classify network traffic independent of port, and support hundreds of thousands of concurrent connections Features: Real-time information scanning and analysis match entire and partial documents with rules to detect anomalies in network traffic Classification, indexing, and storage of all network traffic Leverage all information, not just that flagged by rules, to identify sensitive data Complex data classification Scan all sensitive data, filter information and search it to identify hidden or unknown risks. Comprehensive network traffic reports View comprehensive reports about information-which sent it, where did it go, and how it was sent. Intrusion Detection System (IDS) and Intrusion Prevention Systems (IPS) are features that should be strongly discussed and deployed within the enterprise, a solid 9

10 network structure contains many different devices you need a solid combination of products so that your enterprise can be function 24/7/365. There are many different types of IDS devices, Misuse Detection, analyzes data and compares to large databases of know attack signatures similar to many anti virus programs, so it is only as good as the information held in the database. Anomaly Detection, requires user intervention to set baseline information and the system will notify if any events are outside of the preset parameters. This system looks for data transfers that are out of the ordinary. Network based IDS and Host based IDS systems, analyze data either through the network or through the endpoint or host. There are also Passive and Reactive IDS systems. The main difference between an IDS and a firewall is placement within the enterprise network. As stated earlier the firewall is placed at the border of you network where as an IDS will be placed inside the network. An IPS or Intrusion Prevention System is an IDS that can also take preventive measures and drop packets that are suspect, where an IDS only notifies. To summarize the needs of an enterprise will require a good deal of research and planning, not to mention a large financial obligations. The total cost will vary depending on the sensitivity of the data you are protecting. The size of the data and the storage location of the data. This cost will be compared to what it would cost if data was lost. There are now federal laws that require certain things to be done in a specific time period if certain types of data are lost. This can be financial taxing to a corporation on top of the negative publicity and loss of loyal customers. The former seems to be the better choice from my point of view. 10

11 References (2009) Guy Bunker, Garth Fraser-King, Data Leaks for Dummies Wiley Publishing, Inc (2009) Gregory Lucidi, ISYM 525- Information Security Course Holy Family Univeristy Web site used for refence material and general knowledge