Aujas US

An IDG Ventures Company

Data-Breach Risk Is Not Only from Insider Threats

Data Breach Risk

Consider the threats and risks involved when you share data outside your company.

There’s a very large push within the last few years for many organizations to spend their data protection efforts mainly on the “Insider Threat” – the employee or temp with access who decides to misuse or abuse those privileges. While this needs to be addressed; it is possible that some of us may be losing sight of what may be happening on the outside.

The question to consider is: “What about the critical data assets businesses willingly send out to external organizations?”

Delivering data to external parties is, after all, a necessary part of doing business. A bank, for instance, needs to share information with auditors, regulators, suppliers, vendors, and partners. Sharing data is quite a risky activity, with an elevated probability of data loss, and can potentially have a huge negative impact on a firm’s reputation, when not properly controlled.

Here’s what you need to consider when you share data outside your company:

  • Threats

–    What or who is placing the data at risk?

–    The data, as it flows externally from your firms’ environment, is subject to many threats ranging from man-in-the-middle attacks while in transit, to social engineering hacks while stored at the 3rd party’s network.

  • Risks

–    The threats mentioned above create serious risks around a firm’s critical data assets. One is the obvious loss or breach of confidentiality or data. If your firm doesn’t have the proper data transmission controls, such as TLS, SSL or sFTP, the man-in-the-middle threat can successfully materialize the risk of data loss.

–    Such loss can then compound the risks and impact to an organization or entity, via such things as revenue loss, negative reputation, remediation cost, customer notification expense, and loss of client trust.

  • Security Controls

–    The set of controls to consider for countering threats and mitigating risks are not only those pertaining to electronic data protection, such as software/hardware encryption.

–    Think beyond technology – to Social, Governance, Operational and Process controls, to protect against such things as Social Engineering and to ensure other factors are in place including Password Policy, User-Access/Entitlements processes and Data-Security Awareness activities.

The bottom line is that once your firm’s information leaves its own environment, most of the controls you had no longer apply. Your firm’s data is now sitting on a third party’s infrastructure, and is now dependent on their data security controls and processes. This isn’t just about whether the data is being encrypted in transit to the third party, but very much about how that data is safeguarded all throughout its lifecycle. Here are some relevant questions to ask:

  • Have the proper Confidentiality or Non-Disclosure agreements been executed with the third party receiving the data from your firm?
  • Who and how many people will have access to your data while sitting out at a third party?
  • Do you know the third party’s process for giving only the limited and necessary group of people in their environment access to your data? What about the access rights to people outside their organization (such as their partners or vendors)?
    • How are the servers and firewalls at the third party configured to adequately protect your data while in their environment?
    • Does the party receiving the data have the technology and processes in place to respond to and sufficiently investigate a data-loss incident?

These are only a handful of many questions to ask before sharing sensitive information. You also need to take into account various perspectives including technological, operational and process controls.

As an example, a bank business manager decides one day to send the firm’s tax data to their CPA via plaintext email, instead of the approved sFTP or PGP encrypted email transmissions. The email is intercepted at the CPA’s ISP mail server. A rogue administrator at the ISP sees the email with critical valuable data and uses it to tap into the bank’s equity funds to steal $1.2 million.

Per the Open Security Foundation’s DataLossDB (http://datalossdb.org/statistics ) data loss statistics for YTD 2011:

“…a trend that indicates that data loss incidents involving third parties, on average, result in a greater number of records lost than incidents that do not involve third parties. This may be as a result of the type of data handled by third parties, the process of transferring the data between organizations, or other hypothesis, mostly all speculative as little data exists to establish one cause as dominant. The trend is, however, concerning.”

In the end this supports the fact that the riskiest environment for data is one that is not controlled by the enterprise owning that data. Though an insider with the access and intent can cause havoc with data on the inside, the enterprise should be able to implement the proper technical, process and operational/people controls to safeguard its own data. It is when the data leaves that environment where we’re truly no longer in control. That’s when the proper audits, interrogations and testing will assist as much possible.

Concerned about the external risks your company is facing? Let Aujas help. Contact Karl Kispert, Aujas VP of Business Development, at karl.kispert@aujas.com.

April 1, 2011 Posted by | Cyber Crime, Data governance, Data Leak Prevention, Data protection, IT security, Risk management | , , , , , | 1 Comment

Data Protection and Controls – Does Format Really Matter?

Identity and Access RiskNo one can argue that the most valuable asset for any enterprise, regardless of industry (whether military, finance, healthcare) is its Data. Whether that data includes an investment strategy/portfolio, personal identity, healthcare history or national security, it must be safeguarded and controlled.

We’re all familiar with the data lifecycle and related security controls, including storage transfer encryption and effective destruction. But do we also consider the format of the data? Data lives in many forms outside of the regular electronic email, Internet, PC, server or mainframe types that we normally work with. Unfortunately, some of our biggest vulnerabilities live in many other forms.

Printed paper is not the least of those. Scribbled notes, copied material, casual conversations on an elevator, voicemails or even a fellow passenger’s laptop (with the curious snooper watching over) are other forms of sensitive data. The main issue here is that most of us may not view these as “data types”. The truth is they can cause the same amount of harm as a DVD, USB or PC packed with information, and can just as easily land you on the front page. Let’s take a look at an unfortunate use-case to bring this all into context.

Henry S., a database administrator, was working over the weekend to get a presentation finished for his board of directors. His area of focus was his firm’s strategy on the proprietary development of a database-software that would revolutionize the storage and sharing of information with clients. Henry’s developments were ahead of all others in the enterprise and possibly the industry. What wasn’t being thought about was how valuable the information being prepared could be to competitors or thieves for profit.

It was late Sunday night and Henry was just happy finalizing and saving everything. Now he just had to print it. At about 11:30 that evening he found himself printing 20 color copies of his “master presentation” at the neighborhood copier. He felt the data he was bringing with him was safe since he brought it on an encrypted USB drive. At one point Henry’s copying streak went awry – after about 10 copies the machine began spitting out green paint. Henry wasn’t panicking – he knew there was plenty of time and his current set of copies were safe. After getting assistance and finishing the job on another machine, he found himself in the middle of a chaotic frenzy of paper crazily thrown all around his area. He was able to get things cleaned up, but what he wasn’t aware of was the 5 copies he’d left at the malfunctioning printer. Though a good multi-tasker, Henry was exhausted, yet practically livid with the thought of next day’s presentation and the effects it would have on his career and department. All he could think about was getting the deck right and being well prepared for the audience.

He got home with all the paperwork in his backpack and passed out. The next day at the presentation all went well, the crowd loved it and Henry was on top of the world. There’d been a slight mishap though, since there weren’t enough hard copies to go around for everyone at the meet. That was weird – he was sure he’d made enough. Everything had gone well, except for those 5 mysteriously missing copies of the presentation. What then seemed to be a small loss, within the next few days landed Henry and his firm on the front page of the paper.  The headline read “Leading Financial Firm’s Innovative Software Idea up for Grabs at Local Print Shop” – not quite the fabulous outcome he’d hoped for. Turns out that whoever got a hold of the lost copies managed to re-engineer the software and get it to market. To make things worse, the data-loss incident was widely publicized; the fall-out including Henry’s suspension and investigation, a full 10 point drop in his firm’s stock price and a long-term negative reputational impact for his firm.

Data in any format is an extremely critical asset and liability when not controlled or secured properly. The effect of negligence over that asset can be detrimental to a career, an innovative idea and possibly an entire franchise. Proper due diligence and controls for the entire lifecycle of the data; be it either encryption while in storage or transit for electronic material, or locks/safes for storage and shredding for destruction of hardcopy material.

Had Henry only given a bit of thought to these things as a top priority, reputations and careers may have been saved (and likely excelled astoundingly). Instead everyone had to run for cover, hope to not get hit by the shattering fallout, and hope to keep their shirts on their backs.

Need help with your company’s data protection programs? Contact Karl Kispert, Aujas VP of Sales, at karl.kispert@aujas.com.

March 8, 2011 Posted by | Data protection, IT security | , , , , | Leave a comment

Wikileaks Fallout: DLP Helps But Doesn’t Solve, Analysts Say

by George V. Hulme, Contributing Writer
WikiLeaks and DLPData leak prevention technologies have a limited but important role in protecting enterprise data, analysts say. But can the technology prevent another WikiLeaks-like fiasco?

In the aftermath of the Wikileaks fiasco, enterprises are wondering what the breach of so many sensitive documents means, and if such an event could ever happen to them. One of the technologies vendors and solution providers are feverishly pushing as the answer is Data Leak Prevention (DLP) technology.

According to IDC, while sensitive information leaks were seen as the second greatest threat to enterprise security, only 31.4 percent of organizations had adopted DLP. At the time of the study, which was December 2009, only 14.5 percent of organizations had plans to purchase DLP. It’s probably a good hunch, considering what has become public on the Operation Aurora attacks and the more recent Wikileaks phenomenon, that many enterprises are giving DLP a much closer look today.

DLP is widely marketed as the way to stop confidential information from sliding out the door on notebooks, smartphones, iPods, portable storage, and many other devices. Or, as US Army intelligence analyst Private First Class Bradley Manning is alleged to have done: copy and walk away with reportedly 250,000 files designated (at the least) as classified — on a writable CD labeled as Lady Gaga music — from the Secret Internet Protocol Router Network (SIPRNet). SIPRNet is run by the US Department of Defense and the U.S. Department of State.

Would having DLP in place had prevented that leak? Analysts are doubtful. DLP technology is very good at protecting specific types of information, but not protecting all of the information generated and managed by an organization. “In this case, the content taken appears to have been a mass amount of information that Manning had legitimate access to,” says Rich Mogull, founder and analyst at the research firm Securosis. “DLP is not good at stopping this sort of incident, where a broad amount of data is taken.”

Experts also agreed that while DLP has its place in the enterprise, it would provide no definitive protection against similar attacks from trusted insiders. “There is no 100 percent solution to stop a motivated insider from stealing information,” says Mike Rothman, president and analyst at Securosis.

It’s useful to pause and define what we mean by DLP. According to Mogull, DLP, at a minimum, identifies, monitors and protects data in motion, at rest and in use through deep content analysis. The tools identify the content, monitor its usage and builds defenses around it. “There’s also an emerging class of DLP that I call DLP Lite. These are single channel solutions that only look at either the end point, or the network,” he says.

For the most part, experts agree, whether considering full-blown DLP or DLP Lite, the technology excels at stopping specific kinds of data from leaking when it shouldn’t — credit card data, engineering plans and details, health care forms. “For enterprises, compared to a government situation like Manning’s case, you can certainly do more to protect more data,” says Mogull.

But, experts caution, DLP can’t prevent many types of attacks on data from being successful. “There is a rumor that WikiLeaks has a trove of information on one of the major US banks. While we’re not sure what type of information it is, or how it is stored, if that information is reams of e-mails with free flowing conversations, DLP is not necessarily going to pick up on and stop that kind of breach,” Mogull explains.

That’s why it remains important that enterprises, in their own efforts to protect data leaks, not place too large an emphasis on DLP technology, and that DLP be used as an additional layer of defense to supplement other important defenses such as access control, encryption, segmentation, security event monitoring, among others. Most importantly, enterprises need to understand what information it is they want to most protect, and how that information normally flows throughout their organization.

“They need to understand the context of the data they use and want to protect – the why and how it traverses their network – as part of the normal course of using that data,” says Nick Selby managing director at security consultancy Trident Risk Management. “For DLP to work in the limited way it’s intended, organizations must know what normal looks like before they have any hope at stopping abnormal activity.”

Read more about data protection and governance by clicking on this site for the Aujas whitepaper http://www.aujas.com/whitepapers.html

December 20, 2010 Posted by | Data Leak Prevention, Enterprise Security | , , , | Leave a comment