The Control Policy Group

Data security the way you run your business

Best practice controls for preventing data loss

Abstract

This article reviews the main areas of concern in protecting information assets from internal threats and vulnerabilities. It opens with an anecdote from an interview with a senior manager and closes with a recommendation for an approach that protects data directly (as opposed to the commonly used methods that protect the network and limit user permissions).

The background to problem

We start by sharing an anecdote taken from an interview with a senior manager at a bank.

…I’m not concerned about data theft. We’ve outsourced our entire IT operation to a big bank’s data center and they’re up to speed on information security. I can always go back to the logs and figure it out if something happens.
Vice President, Internal Audit, at a private banking institution with $5BN in assets.

Just two months later, the "big bank" had a major data theft event. Both banks missed their earnings estimates and took a beating in the market. Today the private institution is trying to break out of its five-year outsourcing contract.

Data loss is any unauthorized transfer of valuable information assets – credit card numbers, customer records, transactional information, source code or other classified information.

Data loss is an internal threat of an unusual kind: it arises from unexpected actions by trusted insiders and trusted systems inside an environment that is assumed to be secure. For this reason, extrusion prevention requires both management and technology controls.

Management and technical controls for extrusion prevention

Human resources controls

Ensuring employee loyalty and reliability starts with HR, which is responsible for hiring and for guiding the management of employees. High-security organizations such as defense contractors or securities traders add screening such as polygraphs and background checks to the hiring process. Over time, an organization may notice personality changes, domestic problems or financial distress that indicate increased extrusion risk for employees in sensitive jobs.

Disconnect #1: HR isn’t accountable for the corporate brand and therefore doesn’t pay the price when trusted employees and contractors steal.

Internal audit

Extrusion prevention needs to be part of an overall internal audit process that helps an organization achieve its objectives in the areas of:

  • Operational effectiveness
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Internal auditors in the insurance industry say regulation has been their key driver for risk assessment and for implementing preventive procedures and security tools such as intrusion detection. Born in the 1960s and living on in today's Windows and Linux event logs, log analysis is still the mainstay of the EDP (electronic data processing) audit, today usually called IT audit. Over the past seven years our industry has moved to client-server computing, XML Web services and converged IP networks. Welcome to stateless HTTP transactions, dynamic IP addressing and Microsoft Active Directory, where your ability to audit network activity depends on which versions of Windows run on your workstations and servers. Offline analysis of logs has fallen behind and yields too little, too late for the EDP auditor.

Disconnect #2: EDP auditors have the job but they don't have the tool.

Physical security

Physical security starts in the parking lot and continues into the office, with tags and access control. Office buildings can program their gates with a simple rule (known as anti-passback): a tag may only leave the building if the same tag also entered it. Many companies run employee awareness programs to remind staff to guard classified information and to watch for suspicious behavior.
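The gate rule can also be checked offline against a badge-reader export, which is useful when the gate controller itself is not programmed for it. The following is an added example, not code from the original article or from any access-control product; the badge events are constructed, and the record layout (timestamp, tag, direction, gate) is an assumption:

```python
from datetime import datetime

# Constructed badge-reader events (not a real building's logs):
# "<timestamp> <tag> <in|out> <gate>", not necessarily in time order.
BADGE_LOG = [
    "2004-03-10T08:01:12 T100 in  lobby",
    "2004-03-10T08:03:45 T200 in  lobby",
    "2004-03-10T08:05:02 T300 out garage",   # T300 never badged in
    "2004-03-10T09:15:00 T400 in  lobby",    # T400 never badges out
    "2004-03-10T12:00:30 T100 out lobby",
    "2004-03-10T12:31:10 T100 in  lobby",
    "2004-03-10T13:10:00 T200 in  garage",   # T200 is already inside
    "2004-03-10T17:00:41 T100 out garage",
    "2004-03-10T17:05:19 T200 out lobby",
]


def parse_event(line):
    """Split one record into (timestamp, tag, direction, gate)."""
    ts, tag, direction, gate = line.split()
    return datetime.fromisoformat(ts), tag, direction, gate


def passback_violations(events):
    """Replay the events in time order as an in/out state machine per tag and
    report every transition it does not allow: an 'out' while the tag is not
    inside (never entered, or tailgated in) and an 'in' while it is already
    inside (tailgated out earlier, or the tag is shared or cloned).
    Returns a list of (timestamp, tag, gate, reason)."""
    inside = set()
    violations = []
    for ts, tag, direction, gate in sorted(map(parse_event, events)):
        if direction == "in":
            if tag in inside:
                violations.append((ts, tag, gate, "entry while already inside"))
            inside.add(tag)
        elif direction == "out":
            if tag not in inside:
                violations.append((ts, tag, gate, "exit without prior entry"))
            inside.discard(tag)
        else:
            raise ValueError(f"unknown direction {direction!r} at {ts}")
    return violations


def still_inside(events):
    """Tags whose last event was an entry: people (or tags) that never badged out."""
    inside = set()
    for _, tag, direction, _ in sorted(map(parse_event, events)):
        (inside.add if direction == "in" else inside.discard)(tag)
    return sorted(inside)


if __name__ == "__main__":
    for ts, tag, gate, reason in passback_violations(BADGE_LOG):
        print(f"{ts} {tag} @ {gate}: {reason}")
    print("never badged out:", still_inside(BADGE_LOG))
```

Run daily against the export; the two anomalies it reports are exactly the ones a gate programmed for anti-passback would have refused at the turnstile, and the "never badged out" list is what the awareness program should follow up on.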

Disconnect #3: Perfect physical security is defeated by a Nokia 3650 (a cell phone with a camera).

Information security

Information security builds layers of firewalls and content security at the network perimeter, plus permissions and identity management that control trusted insiders' access to digital assets such as business transactions, the data warehouse and files. This structure lulls business managers into a false sense of security. Let's not forget that firewalls let traffic in and out, and that permissions systems grant access to trusted insiders by definition. For example, an administrator in the billing group has permission to log on to the accounting database and extract customer records with SQL commands. He can then zip the data with a password and extrude the file through a private Webmail account.

Content-security tools based on HTTP/SMTP proxies are used against viruses and spam. They weren't designed for extrusion prevention: they don't inspect internal traffic, they scan only the authorized e-mail channels, they rely on file-specific content recognition (which a password-protected zip defeats) and they have scalability and maintenance issues. When content-security tools don't fit, we've seen customers roll out home-brewed solutions with open-source software such as Snort and Ethereal. A client of ours recently used Snort to catch an employee who was extracting billing records with command-line SQL and extruding the results by Webmail.
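The home-brewed approach comes down to correlating two records that no single perimeter tool sees together: the database audit trail and the egress traffic from the internal segment. The following is an added example (not the article's own code and not a Snort rule) of that correlation for the billing-administrator scenario above: a bulk extract followed within a time window by a large upload to a personal webmail host from the same workstation is flagged, and the upload body is checked for the signature of a password-protected ZIP, which a content scanner cannot open but can still recognize. Both log layouts, the field names, the thresholds and the webmail host list are assumptions, and every record is constructed:

```python
import re
import struct
from datetime import datetime, timedelta

# Constructed database audit records (not real logs): one line per statement,
# with the client workstation and the number of rows returned.
DB_AUDIT = [
    "2004-03-10T09:02:11 user=jdoe host=ws-billing-07 rows=12 stmt=SELECT name FROM customers WHERE id=4411",
    "2004-03-10T10:15:40 user=jdoe host=ws-billing-07 rows=48213 stmt=SELECT * FROM customers",
    "2004-03-10T10:16:05 user=asmith host=ws-billing-02 rows=3 stmt=SELECT balance FROM accounts WHERE id=9",
]

# Constructed egress records from a packet sensor on the internal segment:
# workstation, HTTP method, destination host, request body size and the first
# 8 bytes of the body in hex (a capture-based sensor can supply this; an
# ordinary proxy log would not).
EGRESS = [
    "2004-03-10T10:31:22 host=ws-billing-07 method=POST dst=mail.example.net bytes=2140911 magic=504b030414000100",
    "2004-03-10T10:32:00 host=ws-billing-02 method=POST dst=mail.example.net bytes=1832 magic=2d2d2d2d2d2d2d2d",
    "2004-03-10T11:05:13 host=ws-billing-07 method=GET dst=www.example.org bytes=0 magic=",
]

WEBMAIL_HOSTS = {"mail.example.net"}  # assumption: known personal webmail domains

KV = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Turn '<timestamp> key=value ...' into a dict. The stmt= field keeps the
    rest of the line, since SQL text contains spaces; rows and bytes become ints."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": datetime.fromisoformat(ts)}
    stmt_pos = rest.find("stmt=")
    if stmt_pos >= 0:
        rec["stmt"] = rest[stmt_pos + len("stmt="):]
        rest = rest[:stmt_pos]
    rec.update(KV.findall(rest))
    for key in ("rows", "bytes"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def is_encrypted_zip(magic: bytes) -> bool:
    """True if the bytes start a ZIP local file header (PK\\x03\\x04) whose
    general-purpose flag has bit 0 set, i.e. the entry is password protected."""
    if len(magic) < 8 or magic[:4] != b"PK\x03\x04":
        return False
    _version_needed, flags = struct.unpack("<HH", magic[4:8])
    return bool(flags & 0x0001)


def bulk_extracts(db_lines, row_threshold=1000):
    """Audit records that returned at least row_threshold rows."""
    return [r for r in map(parse, db_lines) if r.get("rows", 0) >= row_threshold]


def correlate(db_lines, egress_lines, row_threshold=1000, byte_threshold=1_000_000,
              window=timedelta(hours=1), webmail_hosts=WEBMAIL_HOSTS):
    """Flag a large POST to a webmail host from a workstation that ran a bulk
    extract within `window` before it. Returns one alert dict per match."""
    alerts = []
    extracts = bulk_extracts(db_lines, row_threshold)
    for e in map(parse, egress_lines):
        if e.get("method") != "POST" or e.get("dst") not in webmail_hosts:
            continue
        if e.get("bytes", 0) < byte_threshold:
            continue
        for x in extracts:
            if x["host"] == e["host"] and timedelta(0) <= e["ts"] - x["ts"] <= window:
                alerts.append({
                    "user": x["user"], "host": e["host"], "rows": x["rows"],
                    "stmt": x["stmt"], "dst": e["dst"], "bytes": e["bytes"],
                    "encrypted_zip": is_encrypted_zip(bytes.fromhex(e.get("magic", ""))),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(DB_AUDIT, EGRESS):
        print(alert)
```

The thresholds are deliberately crude; what makes the alert credible is the join on workstation and time between a record source the auditor already has and one the perimeter never inspects. The encrypted-ZIP flag is the content scanner's blind spot turned into a signal: the scanner cannot see inside the archive, but the header bit that says "there is a password on this" is in cleartext.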

Disconnect #4: Relying on permissions and identity management is like running a retail store that screens you coming in but doesn't put magnetic tags on the clothes to stop you from walking out wearing that expensive hat.

Implementing the controls

To correct the disconnects and protect your digital assets, you need CEO-level commitment to management and technology controls. Your company's management should mandate direct protection of digital assets in addition to the conventional methods that protect the network and the servers and control users' access to resources.

  • Soft controls – Training and continuous behavior sensing
  • Direct controls – Good hiring and physical security
  • Indirect controls – Internal Audit

The management controls must be based on classifying your key digital assets in financial terms and estimating the damage and the probability of impact for each threat. The PTA (Practical Threat Analysis) freeware is a good way to run a risk assessment of your digital assets. Mandate this direct approach independently of privileged system managers, permissions and identity management systems and complex perimeter security systems.
