Aujas US

An IDG Ventures Company

Data-Breach Risk Is Not Only from Insider Threats


Consider the threats and risks involved when you share data outside your company.

Over the last few years there has been a very large push for organizations to spend their data protection effort mainly on the “Insider Threat”: the employee or temp with access who decides to misuse or abuse those privileges. That threat needs to be addressed, but some of us may be losing sight of what is happening on the outside.

The question to consider is: “What about the critical data assets businesses willingly send out to external organizations?”

Delivering data to external parties is, after all, a necessary part of doing business. A bank, for instance, needs to share information with auditors, regulators, suppliers, vendors, and partners. When it is not properly controlled, sharing data is a risky activity with an elevated probability of data loss and a potentially huge negative impact on a firm’s reputation.

Here’s what you need to consider when you share data outside your company:

  • Threats

–    What or who is placing the data at risk?

–    As the data flows out of your firm’s environment it is subject to many threats, ranging from man-in-the-middle attacks while in transit to social engineering attacks while it is stored on the third party’s network.

  • Risks

–    The threats above create serious risks around a firm’s critical data assets. The obvious one is loss of the data or a breach of its confidentiality. If your firm doesn’t enforce proper data transmission controls, such as TLS (the successor to SSL) or SFTP, the man-in-the-middle threat can turn the risk of data loss into an actual loss. These controls only defeat an interceptor when they are applied correctly: a TLS or SFTP client that does not validate the server’s certificate or host key is still exposed to a man-in-the-middle.

–    Such loss can then compound the risks and impact to an organization or entity, via such things as revenue loss, negative reputation, remediation cost, customer notification expense, and loss of client trust.

  • Security Controls

–    The controls to consider for countering threats and mitigating risks are not only the electronic data protection controls, such as software or hardware encryption.

–    Think beyond technology, to social, governance, operational and process controls: protect against social engineering, and make sure that a password policy, user-access/entitlement processes and data-security awareness activities are in place.

The bottom line is that once your firm’s information leaves its own environment, most of the controls you had no longer apply. Your firm’s data is now sitting on a third party’s infrastructure, and is now dependent on their data security controls and processes. This isn’t just about whether the data is being encrypted in transit to the third party, but very much about how that data is safeguarded all throughout its lifecycle. Here are some relevant questions to ask:

  • Have the proper Confidentiality or Non-Disclosure agreements been executed with the third party receiving the data from your firm?
  • Who and how many people will have access to your data while it sits at a third party?
  • Do you know the third party’s process for giving only the limited and necessary group of people in their environment access to your data? What about access rights for people outside their organization (such as their partners or vendors)?
  • How are the servers and firewalls at the third party configured to adequately protect your data while in their environment?
  • Does the party receiving the data have the technology and processes in place to respond to and sufficiently investigate a data-loss incident?

These are only a handful of many questions to ask before sharing sensitive information. You also need to take into account various perspectives including technological, operational and process controls.

As an example, a bank business manager decides one day to send the firm’s tax data to their CPA in a plaintext email instead of over the approved SFTP or PGP-encrypted email channels. The email is intercepted on the CPA’s ISP mail server, where a rogue administrator sees the valuable data and uses it to tap into the bank’s equity funds and steal $1.2 million.

Per the Open Security Foundation’s DataLossDB (http://datalossdb.org/statistics) data loss statistics for 2011 year to date:

“…a trend that indicates that data loss incidents involving third parties, on average, result in a greater number of records lost than incidents that do not involve third parties. This may be as a result of the type of data handled by third parties, the process of transferring the data between organizations, or other hypothesis, mostly all speculative as little data exists to establish one cause as dominant. The trend is, however, concerning.”

In the end this supports the view that the riskiest environment for data is one that is not controlled by the enterprise owning that data. Though an insider with the access and intent can cause havoc with data on the inside, the enterprise is at least able to implement the proper technical, process and operational/people controls to safeguard its own data. It is when the data leaves that environment that we are truly no longer in control. That is when proper audits, questioning of the third party and testing help as much as possible.

Concerned about the external risks your company is facing? Let Aujas help. Contact Karl Kispert, Aujas VP of Business Development, at karl.kispert@aujas.com.

April 1, 2011 Posted by | Cyber Crime, Data governance, Data Leak Prevention, Data protection, IT security, Risk management | , , , , , | 1 Comment

Effective Data Protection Requires More than Technology

More companies are finding that despite their technology investments, effective data protection remains elusive. Data protection technology has become as commonplace as anti-malware technology, and most organizations deploy it as standard endpoint and gateway security. The technology works using a combination of document ‘fingerprinting’, keywords, and policies defining what is allowed and what is not. It has matured to cover endpoint and email data leakage risks as well as social networking risks. However, even with a mature technology and a rigorous implementation, organizations often find their data protection is ineffective.

IT departments are able to implement a data protection technology quickly, but struggle to make it effective. Unable to bridge the gap between implementation and effectiveness, they end up with large numbers of data leakage ‘incidents’, most of which turn out to be false positives. In many cases, organizations end up operating DLP tools in ‘audit only’ mode, which defeats the tools’ purpose: a violation is logged but nothing leaves the network any more slowly than before.

This gap is usually due to the approach taken to data protection rather than to the organization itself. Most organizations identify data protection as a risk and the IT/IS department chooses a vendor for implementation. The vendor ‘scans’ the file stores for ‘important’ files and policies are created to safeguard the files deemed important. While this approach seems simple enough, it is the root of the problem: IT organizations are basing policies on their own interpretation, rather than on what is important or appropriate for the business.

Data, even if critical, may need to be exchanged with outsiders for valid business reasons. The challenge is to establish policies that allow the business to operate seamlessly while stemming the data leakage.  Another challenge is to build an ecosystem that supports this on an ongoing basis. The solution ideally integrates technology, process and a governance framework.  

The first step is a data classification policy that clearly establishes how to classify data within the organization; users should be made aware of how the classification policy applies to them. Next, the data flow within business processes should be understood, to identify the type and nature of the data, its classification and the authorized movement of ‘important’ data across organizational boundaries. The important files, templates and database structures identified during this exercise should then be ‘fingerprinted’, and the policies configured and applied based on the authorized movement of data.

Taking these two steps improves the effectiveness of data protection technology because it incorporates business rules for data. However, it is still a point-in-time exercise that does not address the fluid business data environment. To sustain data protection, a governance process is required. One approach is to integrate with the data governance framework if one exists within the organization. If a data governance framework does not exist, a similar structure can be created; an additional benefit of this approach is close integration with data governance when such a framework is eventually created.

The governance function should be responsible at a high level for both the strategic and operational management of data protection. At a strategic level, the function should look at how data flows and is managed, and at the impact on the data protection technology employed. At an operational level, the function should look at how data protection incidents are managed, how false positives are reduced, and how user awareness of classification and protection is improved. Many organizations also employ active data protection with data/digital/information rights management tools, which require users themselves to apply protection in the form of allowed rights, time limits and expiry dates. The approach above applies to these technologies too, but organizations have to spend more effort on user awareness, because user cooperation decides the success or failure of the technology.

Though data protection technologies have changed the data confidentiality playing field completely, effective data protection cannot be achieved by the technology alone. It requires a focused lifecycle management approach for it to be more effective and sustainable.

January 24, 2011 Posted by | Data Leak Prevention, Data Loss Prevention, Risk management | , , | Leave a comment

What Is Needed for Data Protection?

A more holistic approach is needed for protecting data that goes beyond individual tools and addresses data at its source: the business. The principles of data governance, data classification and the DLP tool need to work as one solution to effectively protect data in an organization.

Approach

  • Develop a strategy – Start by developing an organization-wide data protection strategy
  • Set up a data classification policy and a program – Individual business processes should identify and document all forms of data, its classification and its authorized movement.
  • Create a governance program – Establish accountability, roles and responsibilities for data protection and data ownership.
  • Create and ensure awareness and training for business users – To ensure that the data protection remains a strong focus within the organization, management should ensure users are made aware of their roles and responsibilities around data protection.

The Aujas Data Protection Service helps organizations extract maximum value from their investment in security technology and solutions. We build the governance framework, data protection strategy and data protection program. Then we assist organizations with data flow analysis to identify data movement within and between processes, the forms data takes, and user awareness levels. Our data flow analysis results in effective DLP policies while the governance framework and strategy translates into continuous data protection for the organization.

To learn more about the Aujas Data Protection Service, and our complete portfolio of services, please contact Karl Kispert, our VP of Sales at karl.kispert@aujas.com or at 201.633.4745.

January 24, 2011 Posted by | Data Leak Prevention, Enterprise Security, IT security, Risk management | , , , | 1 Comment

5 Hot Topics in Information Security for 2011

According to the Aujas information security experts, these are the five crucial security topics that should be on the radar for business executives in 2011:

Data Governance and Data Leakage Prevention (DLP) – Some executives believe their employees know exactly what data should be protected and what data can be shared via website, conversation or social media.  These executives have a false sense of security. Many companies still do not have a strong data classification program or policy in place to educate employees on what is critical to an organization and what is not.  Some execs may also think that having a DLP tool and plugging it in is the answer. That’s like plugging in a power saw and saying you can build a house! Having a tool and knowing how to use it effectively are two different things.

Tip: Find a champion to drive your data governance and loss prevention initiative.  If your company has a CISO, this person is the most logical one to take on this role. If not, you can assemble a small team of stakeholders to work with guidance from a third party who specializes in information risk management.

Application Security – With so many applications being developed and used in companies of all sizes, some are being created without security in mind. Some technology companies feel a need to be first on the street with a new application and bypass the Security Development Lifecycle (SDL). They think about security only after the application is released and, sadly, find that they spend more money fixing the application than they would have spent building it securely.

Tip: First perform a penetration assessment on your company’s critical applications to identify vulnerabilities. Then be proactive!  Create a framework in which security is part of the SDL.

Social Media – The intentional and unintentional release of sensitive information via Facebook, Twitter, etc. can affect your company’s bottom line. Your intellectual property may wind up on an underground website or, if your secrets are shared with the world, you may not be first to market with your new product or service.

Tip: You don’t need to declare social media off limits to your employees. It is an important business tool that is not going away.  You do, however, need to understand the risks of social media, and make users aware.

Cyber Security – Over the past year, more organizations have come to understand that there is a very real cyber security threat in the US and that the US Government cannot take care of every threat-related issue. Your company needs to develop strong internal and external security programs to protect itself.

Tip: Putting in place a robust information risk management (IRM) program is essential so that your stakeholders understand the people, process and technology risks and how they can affect your access, availability, and agility to conduct business.

Phishing – Hackers continue to use phishing, a type of social engineering, to solicit information from individuals.  Though the incidents of phishing were down in the second half of 2010, the attacks continue to get more and more sophisticated. 

Tip: Perform a phishing diagnostic so that you are aware of the threat, and specifically of who in your organization is susceptible to this type of attack.

Aujas can help your company manage risk from these threats. Contact Karl Kispert, our Vice President of Sales, to learn more. He can be reached at karl.kispert@aujas.com or 201.633.4745.

January 24, 2011 Posted by | Data Leak Prevention, IT security, Phishing, Risk management, SDL, Social Engineering | , , , , , , | Leave a comment

Ephemeral Borders: Privacy and Security of Data in the Cloud

Business is expanding across national borders at an accelerating rate. Most corporations of significant size have facilities in many countries. Cloud applications and storage offer savings and efficiencies, such as 24/7 availability of data and applications, enhanced access and elimination of costs associated with server maintenance. Multinational corporations considering implementation or expansion of Cloud use should, however, tread cautiously, and obtain guidance on applicable privacy and security issues.

For example, litigation or government oversight proceedings involving such companies may result in demands for data originating in, say, France, yet stored in Cloud repositories in other countries. The servers will, for the most part, be located beyond the borders of France. Personal data, which includes emails by definition, are subject to the European Union Privacy Directives and local enabling law, which hold that the personal data of an individual may not be sent outside the European Economic Area (the E.U. member states plus Norway, Iceland and Liechtenstein; Switzerland, often grouped with them, is not an EEA member) without the individual’s consent. Appropriately informed consent documents, then, must be drafted. Additionally, no data of any kind may be sent outside France, pursuant to the Blocking Statute, for use in a foreign judicial proceeding. Other states, such as Switzerland, have similar statutes. Criminal penalties lie for violation of these provisions. Data sent to Cloud repositories, then, with the intent of onward transfer for litigation, may run afoul of these laws. In addition, the Data Protection Authority of the German state of Schleswig-Holstein recently opined that it is a violation of German law to send data to Cloud repositories whose servers are located outside the European Union.

Companies registered with the U.S. Safe Harbor Program would need to amend their certifications to cover personal data held in Cloud repositories. The Service Level Agreements with the Cloud providers must contain provisions for E.U. levels of security and privacy in the Cloud repositories (other countries where the company does business will have similar provisions) or, perhaps, provisions that the data will not be transferred to or stored in locations outside the country in which the data were created.

Finally, multinationals considering the significant economic and security advantages the Cloud offers would need documented protocols for Legal Holds for data in Cloud repositories.  Legal Holds are considered “processing” of data in the E.U., and must be done in a manner consistent with the Privacy Directives and for retrieval and production of such data to governmental agencies and courts.  

Security consultants, working closely with U.S.-based counsel experienced in cross-border data disclosure conflicts, can assist in navigating the byways of this new and complicated area of information governance.  This is where Aujas can help.

This article was provided by Kenneth N. Rashbaum, Esq., Rashbaum Associates, LLC.

January 4, 2011 Posted by | Cloud Security, Data Leak Prevention, Risk management | , , | Leave a comment

Wikileaks Fallout: DLP Helps But Doesn’t Solve, Analysts Say

by George V. Hulme, Contributing Writer
Data leak prevention technologies have a limited but important role in protecting enterprise data, analysts say. But can the technology prevent another WikiLeaks-like fiasco?

In the aftermath of the Wikileaks fiasco, enterprises are wondering what the breach of so many sensitive documents means, and if such an event could ever happen to them. One of the technologies vendors and solution providers are feverishly pushing as the answer is Data Leak Prevention (DLP) technology.

According to IDC, while sensitive information leaks were seen as the second greatest threat to enterprise security, only 31.4 percent of organizations had adopted DLP. At the time of the study, which was December 2009, only 14.5 percent of organizations had plans to purchase DLP. It’s probably a good hunch, considering what has become public on the Operation Aurora attacks and the more recent Wikileaks phenomenon, that many enterprises are giving DLP a much closer look today.

DLP is widely marketed as the way to stop confidential information from sliding out the door on notebooks, smartphones, iPods, portable storage, and many other devices. Or, as US Army intelligence analyst Private First Class Bradley Manning is alleged to have done: copy and walk away with reportedly 250,000 files designated (at the least) as classified — on a writable CD labeled as Lady Gaga music — from the Secret Internet Protocol Router Network (SIPRNet). SIPRNet is run by the US Department of Defense and the U.S. Department of State.

Would having DLP in place have prevented that leak? Analysts are doubtful. DLP technology is very good at protecting specific types of information, but not at protecting all of the information generated and managed by an organization. “In this case, the content taken appears to have been a mass amount of information that Manning had legitimate access to,” says Rich Mogull, founder and analyst at the research firm Securosis. “DLP is not good at stopping this sort of incident, where a broad amount of data is taken.”

Experts also agreed that while DLP has its place in the enterprise, it would provide no definitive protection against similar attacks from trusted insiders. “There is no 100 percent solution to stop a motivated insider from stealing information,” says Mike Rothman, president and analyst at Securosis.

It’s useful to pause and define what we mean by DLP. According to Mogull, DLP, at a minimum, identifies, monitors and protects data in motion, at rest and in use through deep content analysis. The tools identify the content, monitor its usage and build defenses around it. “There’s also an emerging class of DLP that I call DLP Lite. These are single channel solutions that only look at either the end point, or the network,” he says.

For the most part, experts agree, whether considering full-blown DLP or DLP Lite, the technology excels at stopping specific kinds of data from leaking when it shouldn’t — credit card data, engineering plans and details, health care forms. “For enterprises, compared to a government situation like Manning’s case, you can certainly do more to protect more data,” says Mogull.

But, experts caution, DLP can’t prevent many types of attacks on data from being successful. “There is a rumor that WikiLeaks has a trove of information on one of the major US banks. While we’re not sure what type of information it is, or how it is stored, if that information is reams of e-mails with free flowing conversations, DLP is not necessarily going to pick up on and stop that kind of breach,” Mogull explains.

That’s why it remains important that enterprises, in their own efforts to protect data leaks, not place too large an emphasis on DLP technology, and that DLP be used as an additional layer of defense to supplement other important defenses such as access control, encryption, segmentation, security event monitoring, among others. Most importantly, enterprises need to understand what information it is they want to most protect, and how that information normally flows throughout their organization.

“They need to understand the context of the data they use and want to protect – the why and how it traverses their network – as part of the normal course of using that data,” says Nick Selby, managing director at security consultancy Trident Risk Management. “For DLP to work in the limited way it’s intended, organizations must know what normal looks like before they have any hope at stopping abnormal activity.”
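The mechanisms this article and the earlier post “Effective Data Protection Requires More than Technology” describe (keyword and pattern rules, document ‘fingerprinting’, policies tied to the authorized movement of data, and the difference between enforcing a policy and running in ‘audit only’ mode) can be shown concretely. What follows is an added example written for this page; it is not code from any DLP product, from Aujas, or from the analysts quoted, and every domain, classification label, threshold and sample message in it is constructed for illustration. It registers a fingerprint of a made-up engineering document, checks messages for payment card numbers (validated with the Luhn checksum so that an arbitrary 16-digit number is not a false positive) and for pasted fragments of the registered document, and then applies a movement policy keyed on the recipient’s domain. The last sample message is a free-flowing discussion of the same project that copies nothing verbatim: it passes, which is exactly the kind of breach Mogull says DLP will not necessarily pick up.

```python
"""Toy DLP content analyser: pattern rules, document fingerprinting and an
authorized-movement policy. Added example for illustration only; every
domain, label, threshold and message below is constructed, not real data."""
import hashlib
import re

# ---- pattern rule: payment card numbers, 13-16 digits, spaces or hyphens ----
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, separators stripped."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


# ---- fingerprint rule: word k-gram shingles of a registered document --------
def shingles(text: str, k: int = 5) -> set:
    """SHA-256 of every k-word window of the normalised text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(max(len(words) - k + 1, 0))}


def fingerprint_match(text: str, registered: set, k: int = 5) -> float:
    """Share of the message's windows that come from the registered document."""
    s = shingles(text, k)
    return len(s & registered) / len(s) if s else 0.0


# ---- movement policy: which classification may go to which zone ------------
INTERNAL_DOMAINS = {"bank.example"}                   # constructed
PARTNER_DOMAINS = {"cpa.example", "auditor.example"}  # constructed
ALLOWED = {
    "public":       {"internal", "partner", "external"},
    "confidential": {"internal", "partner"},
    "restricted":   {"internal"},
}


def zone(recipient: str) -> str:
    """Map a recipient address to the zone the policy reasons about."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return "internal"
    if domain in PARTNER_DOMAINS:
        return "partner"
    return "external"


def classify(text: str, registered: set, threshold: float = 0.3) -> tuple:
    """Highest classification any rule triggers, plus the rule that fired."""
    if fingerprint_match(text, registered) >= threshold:
        return "restricted", "fingerprint"
    if find_card_numbers(text):
        return "confidential", "card-number"
    return "public", None


def inspect(text: str, recipient: str, registered: set, enforce: bool = True) -> dict:
    """ALLOW or BLOCK one message; in audit-only mode a violation is just logged."""
    label, reason = classify(text, registered)
    dest = zone(recipient)
    if dest in ALLOWED[label]:
        action = "ALLOW"
    else:
        action = "BLOCK" if enforce else "LOG"
    return {"action": action, "classification": label, "reason": reason, "zone": dest}


# ---- constructed sample data -----------------------------------------------
ENGINEERING_PLAN = (
    "Project Falcon turbine blade revision 4 uses a titanium alloy core with a "
    "ceramic coating applied at 900 degrees for 40 minutes. Tolerances on the "
    "leading edge are held to 0.05 millimetres and inspected with ultrasound "
    "before assembly.")
MSG_PASTE = ("Hi, here is the bit you asked for: Tolerances on the leading edge "
             "are held to 0.05 millimetres and inspected with ultrasound before "
             "assembly. Thanks")
MSG_CARD = "Please charge card 4111 1111 1111 1111 exp 12/26 for the invoice."
MSG_NOISE = "Order 1234 5678 1234 5678 is ready; call 555-0142 to collect."
MSG_CHAT = ("Can we chat about the turbine project? The leading edge tolerances "
            "are tight and I want to review the coating process with the team "
            "before we commit.")

if __name__ == "__main__":
    reg = shingles(ENGINEERING_PLAN)
    for text, rcpt in [(MSG_PASTE, "kim@cpa.example"), (MSG_CARD, "kim@cpa.example"),
                       (MSG_CARD, "kim@mail.example"), (MSG_NOISE, "kim@mail.example"),
                       (MSG_CHAT, "kim@mail.example")]:
        print(rcpt, inspect(text, rcpt, reg))
```

Two design points matter more than the code. The fingerprint rule only fires on verbatim runs of five or more words, so it catches the pasted paragraph but scores zero on the chat message, even though the chat discloses that the project exists and what is being reviewed; that is the structured-versus-free-form gap the analysts describe. And the `enforce` flag is the whole difference between a control and a log: the same card number to the same external address is blocked in one mode and merely recorded in the other, which is why an organization that leaves its DLP in ‘audit only’ mode has a detection feed, not a data protection control.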

Read more about data protection and governance in the Aujas whitepaper: http://www.aujas.com/whitepapers.html

December 20, 2010 Posted by | Data Leak Prevention, Enterprise Security | , , , | Leave a comment