Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

How To Prevent Data Leaks From Happening To Your Organization

Data can find its way out through accidents or malice. Here are some tips for keeping your essential information from walking out the door.

What worries IT: a hacker lurking in the Internet's dark corners or Bob in accounting? Turns out it's both. Company employees pose just as much of a threat as cyberthieves, according to InformationWeek's 2012 Strategic Security Survey of business technology pros.

And yet, insider threats represent only a fraction of all attacks--just 4%, according to Verizon's 2012 Data Breach Investigations Report. So why the fuss? Because insiders have access to critical company information, and there are dozens of ways for them to steal it. And these attacks can have significant impact. Last year, a Bank of America employee sent account information on hundreds of customers to identity thieves, who used the information to steal money from those accounts. Losses totaled $10 million, not to mention the public relations fallout from the incident.

The threat insiders pose is compounded by the fact that IT tends to focus on securing the perimeter of the network from external attacks and pays little attention to malicious activity inside the network. The increasing mobility of corporate data and devices is making it even easier for insiders to steal data. Clearly, it's time companies rethink their security strategies to cover both the malicious hackers and Bob in cubicle 3B.

Insider threats can be either intentional or accidental, and you often can use one set of controls to mitigate both of these. You'll want to target three layers to address the insider threat: the network; the host device; and the people who generate, manipulate, and move data from one place to another.

At the network layer, controls must be capable of analyzing network traffic to detect and, when possible, prevent the transmission of sensitive data. Host-based protections include anti-malware, encryption, change management, and other security controls. The most difficult element of defense is the human factor--implementing policies and training to educate employees on proper handling of sensitive data. Here are steps you can take to secure all three layers.

Lock Down The Network

The two most common avenues for insiders to move data out of the enterprise are email and the Web. Both come into play with malicious and unintentional data breaches, and the intent may not always be clear at first glance. Employees using corporate email accounts may inadvertently send sensitive files to the wrong address. Meanwhile, someone who wants to steal sensitive information may use a personal Web mail account or upload information to a Web-based file-sharing site.

Therefore, email and Web security gateways are an important first line of defense against accidental and malicious breaches. These gateways are commonly used to inspect inbound traffic for spam and malware, but they can also be deployed to monitor outbound traffic. An internal security gateway sits in- line and acts as a relay, or proxy, to Web and email traffic that employees generate.

Gateway offerings from vendors such as Barracuda Networks, Cisco IronPort, McAfee, and WebSense have data loss protection features. As the traffic passes through the gateway, the DLP module inspects it for terms that are known to be sensitive within a company. It also looks for patterns involving specific data types, such as credit card and Social Security numbers, or specific classification labels on files that shouldn't leave the corporate network. If this sort of data is found to be moving out of the network, that could raise red flags. The traffic would then be blocked and the user notified. Alerts about a potential policy violation can be sent to a variety of recipients, including the security team, human resources, and the user's supervisor.

In addition to analyzing Web and email traffic, network-based DLP products can monitor protocols and services, including instant messaging, social networking sites, peer-to-peer file sharing, and File Transfer Protocol.

However, encryption can blind DLP and other gateway security products. If users are savvy enough to encrypt the data before sending it or use an encrypted network transmission method such as SSH/SCP or Tor, the data will bypass network-based DLP. To help address this limitation, DLP products typically include options for host- and storage-based DLP, which we'll discuss later.

Another network-level option is a behavioral anomaly detection system, from companies like Lancope and Riverbed Technologies. These products create a baseline of normal network activity and then send alerts when activity deviates from the baseline. For example, say a computer on the network typically touches about 12 other computers and servers, and transfers about 100 to 200 MB a day. If one day that computer touches 20 or more other systems or transfers 500 MB from a file server or a database, the behavioral anomaly system alerts an administrator.

Carnegie Mellon University's CERT Insider Threat Center has identified several insider attacker behaviors, one of which shows that insider attackers usually act within 30 days prior to leaving their employers. They download data from a company server to their workstation, then email it out, burn it to a CD, or copy it to a flash drive. The bulk data download is where a network anomaly detection system could detect the user's activity and flag it.

However, behavioral anomaly detection systems have drawbacks. For one, they can't send you an alert saying, "Looks like Bob is trying to steal a bunch of records." Instead, IT gets reports on odd application and network behavior, and it's up to security staff to investigate. That means digging into logs, reviewing network activity, and talking to people. Investigations may turn up harmless, though unusual, activity. IT and security teams must be prepared to invest time and effort in properly tuning a behavioral anomaly system, parsing reports, and investigating alerts to get value from such a system.

IT can also use tools designed to watch for anomalies in databases. They're prime targets for insiders because they contain valuable corporate information. Database activity monitoring products from vendors such as Imperva and IBM can provide insight into the activities between users and the database server. DAM products operating at the network or host layer and can detect unusual behavior, such as a user accessing 1,000 records when that person typically only views 30 or 40 a day.

chart: Does your company use mobile device management software to set and enforce a single security policy across different types of devices?

chart: Which of these technollogies or practives are very effective in protecting your company?

Previous
1 of 3
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
johnpaulb
50%
50%
johnpaulb,
User Rank: Apprentice
11/28/2014 | 3:07:03 PM
Pending Review
This comment is waiting for review by our moderators.
JSANDER926
50%
50%
JSANDER926,
User Rank: Apprentice
5/10/2012 | 6:28:27 PM
re: How To Prevent Data Leaks From Happening To Your Organization
Thanks for the great article, John. I definitely agree with the points here. I actually expanded on your piece in one of my blog posts:-http://identitysander.wordpres.... -Of note,-IT should-consider proactive controls inside the applications and platforms that can be placed there by IAM - I think that can cut down on inappropriate insider behavior. Thoughts?-
G Jonathan Sander, Quest Software
RJOHN9886
50%
50%
RJOHN9886,
User Rank: Apprentice
4/10/2012 | 10:01:19 AM
re: How To Prevent Data Leaks From Happening To Your Organization
Good to know about the How To Prevent Data Leaks From Happening To The Organization
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12162
PUBLISHED: 2019-07-23
Upwork Time Tracker 5.2.2.716 doesn't verify the SHA256 hash of the downloaded program update before running it, which could lead to code execution or local privilege escalation by replacing the original update.exe.
CVE-2018-18669
PUBLISHED: 2019-07-23
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board title contents" parameter, aka the adm/board_form_update.php bo_subject parameter.
CVE-2019-10101
PUBLISHED: 2019-07-23
Jsish 2.4.84 2.0484 is affected by: Reachable Assertion. The impact is: denial of service. The component is: function Jsi_ValueArrayIndex (jsiValue.c:366). The attack vector is: executing crafted javascript code. The fixed version is: after commit 738ead193aff380a7e3d7ffb8e11e446f76867f3.
CVE-2019-9815
PUBLISHED: 2019-07-23
If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thre...
CVE-2019-9816
PUBLISHED: 2019-07-23
A possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups. *Note: this vulnerability has only been demonstrated with UnboxedObjects, which are disabled by default on all supp...