Dark Reading is part of the Informa Tech Division of Informa PLC



10/14/2011
02:05 PM

Finding And Securing Sensitive Data In The Enterprise

Your organization's most valuable data may be stored in scattered – and insecure – locations. Here are some tips for identifying that data and making sure it doesn't leak out


When Michael Belloise joined human resources outsourcing firm TriNet four years ago as the IT manager, the amount of sensitive data held by the company put him on edge.

TriNet handles payroll and benefits for its customers. As such, its systems store Social Security numbers, birth dates, employee ID numbers, and addresses for 100,000 workers at other companies. That data isn't necessarily subject to the kind of detailed privacy and security rules covering financial transactions or healthcare information, but it's highly sensitive nonetheless.

Belloise brought in data loss prevention vendor Vontu (now part of Symantec) to install a data discovery appliance that finds and monitors all data leaving the company's network. The results, says Belloise, were shocking.

"I dare not drop any numbers about what we saw, but it was egregious," he says.

TriNet had secure ways of transmitting and storing data, but its employees were using alternative, less-secure methods, including unencrypted portable media, drop boxes, and attachments to email sent from personal accounts. In most cases, they were skirting the rules in order to serve customers faster, but some of the activity looked questionable and possibly malicious. The security violations didn't result in any data breaches, but the results were eye-opening, Belloise says.

"It was to the point where you couldn't put your head in the sand anymore, because it was that shocking," he says.

Belloise called a meeting of C-level execs and embarked on a mission to secure the company's data. TriNet first studied its data to gauge the risk it faced. Then it altered processes and educated employees to minimize misuse of data, and also installed a DLP system to monitor compliance.

TriNet's experience isn't all that unusual. Sensitive data has a habit of spreading throughout companies and ending up in places it shouldn't be--places it's more likely to be stolen or accidentally leaked. Lost, stolen, and inappropriately disposed-of laptops have accounted for the greatest number of breach incidents in most of the last five years, according to The Leaking Vault 2011, the Digital Forensics Association's comprehensive report. But much of the information that's on those laptops shouldn't have been there to begin with.

Start Talking

To tackle data problems, companies have to find out which systems and devices hold sensitive data, reorganize their infrastructure and business processes to restrict access to that data, and then monitor their systems to ensure compliance. It's difficult, and without support from company executives, it won't happen, says TriNet's Belloise.

"The hardest thing in the entire world is to get your executives on board," he says. "It's not as easy as plugging in an appliance--that's just a fraction of the effort. It's a cultural change."

Companies that haven't had a data breach might question if it's worth the effort. In those cases, Belloise's strategy of getting a vendor to document the problem is a good way to gain support. For companies that have suffered breaches, the challenge is moving quickly enough to identify and fix any problems.

In 2008, credit card processor Heartland Payment Systems found that attackers had breached its systems and stolen details on more than 130 million credit card accounts. Heartland's security team received the equivalent of a blank check from top company execs. Its first step: Find out what systems had access to data and where legacy data had gone, CTO Kris Herrin says.

"We had the green light to do whatever it takes to find any data that might be old, historic, or legacy and get it cleaned up," he says, "so we could take a very draconian approach."

Most companies won't have that kind of support, but that's no excuse for not having the conversation.

Journey Of Discovery

Discovering where sensitive data resides is the one indispensable data security step in this process. Once you know where the data is, you can use a variety of strategies, from centralizing critical data assets on a highly secured and monitored server to implementing a comprehensive suite of data loss prevention tools. But each strategy requires that a company first survey its systems for business-critical data so it knows what needs to be protected.

"Know where your data is from inception to disposal," advises Suzanne Widup, the author of the Digital Forensics Association's report and a veteran information security specialist. "If you do not know where it comes into the organization, where it's transformed, stored, shared with outside parties, archived, and finally how it's disposed of, you cannot hope to keep it secure."

Nearly nine out of 10 companies that suffer a breach find out about it from a third party, in many cases a credit card company, according to Verizon Business's 2011 Data Breach Investigations Report. However, 69% of those incidents could have been discovered by closely monitoring data and log files, Verizon's report says.

The lesson for companies: Get control of your information or run the risk of a breach.

Following its own breach, Heartland bought ArcSight's data loss prevention appliance and used it to scan its network to see where sensitive data was located. It found such data in log files, in the output from developers' debuggers, and in notes written by support people troubleshooting customers' problems.

DLP tools search for data in different ways. Some look for patterns indicating the leak of certain types of sensitive information. For example, they can look through log files and spreadsheets for digit patterns that indicate the presence of credit card numbers or bank transactions. They also can search for documents that match a certain template, and for specific keywords and metatags on documents.

Some companies may not even know what constitutes critical data for their business. Some DLP tools include vector learning, which helps the system learn a definition of business-critical data for that company based on examples the company provides.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
