Finding And Securing Sensitive Data In The Enterprise

Your organization's most valuable data may be stored in scattered – and insecure – locations. Here are some tips for identifying that data and making sure it doesn't leak out.

When Michael Belloise joined human resources outsourcing firm TriNet four years ago as the IT manager, the amount of sensitive data held by the company put him on edge.

TriNet handles payroll and benefits for its customers. As such, its systems store Social Security numbers, birth dates, employee ID numbers, and addresses for 100,000 workers at other companies. That data isn't necessarily subject to the kind of detailed privacy and security rules covering financial transactions or healthcare information, but it's highly sensitive nonetheless.

Belloise brought in data loss prevention vendor Vontu (now part of Symantec) to install a data discovery appliance that finds and monitors all data leaving the company's network. The results, says Belloise, were shocking.

"I dare not drop any numbers about what we saw, but it was egregious," he says.

TriNet had secure ways of transmitting and storing data, but its employees were using alternative, less-secure methods, including unencrypted portable media, drop boxes, and attachments to email sent from personal accounts. In most cases, they were skirting the rules in order to serve customers faster, but some of the activity looked questionable and possibly malicious. The security violations didn't result in any data breaches, but the results were eye-opening, Belloise says.

"It was to the point where you couldn't put your head in the sand anymore, because it was that shocking," he says.

Belloise called a meeting of C-level execs and embarked on a mission to secure the company's data. TriNet first studied its data to gauge the risk it faced. Then it altered processes and educated employees to minimize misuse of data, and also installed a DLP system to monitor compliance.

TriNet's experience isn't all that unusual. Sensitive data has a habit of spreading throughout companies and ending up in places it shouldn't be--places it's more likely to be stolen or accidentally leaked. Lost, stolen, and inappropriately disposed-of laptops have accounted for the greatest number of breach incidents in most of the last five years, according to The Leaking Vault 2011, the Digital Forensics Association's comprehensive report. But much of the information that's on those laptops shouldn't have been there to begin with.

Start Talking

To tackle data problems, companies have to find out which systems and devices hold sensitive data, reorganize their infrastructure and business processes to restrict access to that data, and then monitor their systems to ensure compliance. It's difficult, and without support from company executives, it won't happen, says TriNet's Belloise.

"The hardest thing in the entire world is to get your executives on board," he says. "It's not as easy as plugging in an appliance--that's just a fraction of the effort. It's a cultural change."

Companies that haven't had a data breach might question whether it's worth the effort. In those cases, Belloise's strategy of getting a vendor to document the problem is a good way to gain support. For companies that have suffered breaches, the challenge is moving quickly enough to identify and fix any problems.

In 2008, credit card processor Heartland Payment Systems found that attackers had breached its systems and stolen details on more than 130 million credit card accounts. Heartland's security team received the equivalent of a blank check from top company execs. Its first step: Find out what systems had access to data and where legacy data had gone, CTO Kris Herrin says.

"We had the green light to do whatever it takes to find any data that might be old, historic, or legacy and get it cleaned up," he says, "so we could take a very draconian approach."

Most companies won't have that kind of support, but that's no excuse for not having the conversation.

Journey Of Discovery

Discovering where sensitive data resides is the one indispensable data security step in this process. Once you know where the data is, you can use a variety of strategies, from centralizing critical data assets on a server that's highly secured and monitored to implementing a comprehensive suite of data loss prevention tools. But each strategy requires that a company first survey its systems for business-critical data so it knows what needs to be protected.

"Know where your data is from inception to disposal," advises Suzanne Widup, the author of the Digital Forensics Association's report and a veteran information security specialist. "If you do not know where it comes into the organization, where it's transformed, stored, shared with outside parties, archived, and finally how it's disposed of, you cannot hope to keep it secure."

Nearly nine out of 10 companies that suffer a breach find out about it from a third party, in many cases a credit card company, according to Verizon Business's 2011 Data Breach Investigations Report. However, 69% of those incidents could have been discovered by closely monitoring data and log files, Verizon's report says.

The lesson for companies: Get control of your information or run the risk of a breach.

Following its own breach, Heartland bought ArcSight's data loss prevention appliance and used it to scan its network to see where sensitive data was located. It found such data in log files, in the output from developers' debuggers, and in notes written by support people troubleshooting customers' problems.

DLP tools search for data in different ways. Some look for patterns indicating the leak of certain types of sensitive information. For example, they can look through log files and spreadsheets for digit patterns that indicate the presence of credit card numbers or bank transactions. They also can search for documents that match a certain template, and for specific keywords and metatags on documents.

Some companies may not even know what constitutes critical data for their business. Vector learning is included in some DLP tools to help the system learn a definition of what constitutes business-critical data for that company based on examples that the company provides.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
