Protecting Against Data Leaks

Wikileaks seems to have become a rather quiet issue: very little in the press lately, and not much discussion for such a high-profile and potentially damaging event.  In follow-up to “Could it Happen To You”, here are some thoughts on detecting data leakage and protecting your sensitive data and intellectual property.

You will never completely eliminate the possibility that someone will leak documents to WikiLeaks or any other outside organization, and every organization, even those that operate legitimately and completely above board, has SOMETHING to hide.  From the competition, from enemies; everyone has intellectual property and those special trade secrets.  The opportunities and methods for extricating information in its various forms are just too diverse.  In order for any organization to function, individuals need to be able to access, copy, manipulate and print information.  There will always be a chance that an individual will intentionally or accidentally make that information available to an unauthorized audience or individual.  It could be as easy as adding the wrong email address to a CC list.  Auto-complete is notorious for making this example more common.

Eliminate Common Means

In incident response, an attacker typically needs four things in order to launch a successful attack.

  1. The opportunity to attack.  This is provided to insiders by having access to data, and poor internal controls.
  2. The ability to attack.  This is provided by the tools and knowledge available to anyone.
  3. The motive to attack.  This could be monetary, moralistic, vengeful, accidental, etc.
  4. The means to complete the attack.  This is the physical or logical device used to move the data.

A fifth item could be added, but it is a requirement not of the attack itself but of the post-attack pay-off: the attacker needs a buyer or promoter of the leaked information.  Today that is WikiLeaks; tomorrow it could be any copycat organization or news feed vendor.  Data is most often successfully moved out of an organization using several common means.  Some are used every day for business; others are often installed discreetly and used quietly, hidden in the noise of everyday network traffic.

  • Lost / Stolen Portable Devices
  • Email
  • Fax Machines
  • Printed Materials
  • Removable Media (Backup Drives, USB Keys, MP3 Players, CD/DVD, etc.)
  • Instant Messenger / Chat Programs
  • Internet Relay Chat (IRC)
  • FTP Sites / Apps
  • Malware (Trojans, BotNets, etc.)
  • Blog or WebForum posting
  • Media Sharing Sites (RapidShare, MediaFire, Wikipedia, etc.)
  • Social Networking Sites (Facebook, LinkedIn, MySpace, etc.)
  • Peer-To-Peer Applications
  • Wireless LAN Bridging
  • Intercepted Communications / Eavesdropping
  • Shoulder-Surfing

Classify Assets & Data

It is a best practice to identify what your critical assets are, and what your critical DATA ASSETS are.  Identify and document the characteristics that make the data critical or sensitive.  Doing so will reveal whether your organization has any mismatches, such as critical data stored on a less than critical asset, and vice-versa.

Often, assets are examined only for their “Mission Criticality”, measuring downtime in dollars during Disaster Recovery or Business Continuity exercises.  That view is focused on the ability of the organization to function or regain operations in the event of device failure or a larger catastrophe impacting availability.  Understanding where your critical data resides may change the way that you lay out your network and security architectures.  This more granular examination of your data, its sensitivity and risk, and its placement and required protections should drive the organization either to increase access controls or to move data into areas that already provide the appropriate access controls.

An added benefit of this exercise is that when (not if) your organization begins to examine Data Leakage Prevention tools, you will have already cleared a major hurdle: understanding what characteristics make your data critical, where it is located, and how it is currently protected.  The characteristics can be translated into technical policies that a good DLP appliance can consume and turn into actionable detection and protection activities.
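The classification exercise above is easy to describe and hard to keep honest, so here is an added example (not code from the original post) of the bookkeeping it produces.  The classification levels, characteristic labels, required controls and the asset and data inventories are all assumed, constructed values; the point is the mismatch check, which reports every data set stored on an asset that lacks a control its classification requires.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed classification levels, lowest to highest sensitivity.
LEVELS = ["public", "internal", "confidential", "restricted"]

# Assumed policy: the controls an asset must provide before it may hold data
# of a given classification. Real policies will differ; this is illustrative.
REQUIRED_CONTROLS: Dict[str, Set[str]] = {
    "public": set(),
    "internal": {"authentication"},
    "confidential": {"authentication", "access_logging", "encryption_at_rest"},
    "restricted": {"authentication", "access_logging", "encryption_at_rest",
                   "need_to_know_acl"},
}


@dataclass
class DataSet:
    name: str
    characteristics: Set[str]  # what makes the data sensitive, e.g. {"pii"}
    stored_on: str             # name of the asset that holds it


@dataclass
class Asset:
    name: str
    criticality: str    # availability rating from DR/BC exercises (not a sensitivity rating)
    controls: Set[str]  # protections actually in place on the asset


def classify(characteristics: Set[str]) -> str:
    """Map a data set's documented characteristics to a classification level.

    Characteristic names are assumed labels; the mapping itself is the policy
    decision the post asks you to write down.
    """
    if characteristics & {"trade_secret", "customer_financial"}:
        return "restricted"
    if characteristics & {"pii", "contract"}:
        return "confidential"
    if characteristics:
        return "internal"
    return "public"


def find_mismatches(datasets: List[DataSet], assets: List[Asset]) -> List[dict]:
    """Report every data set whose host asset lacks a control its level requires."""
    by_name = {a.name: a for a in assets}
    issues = []
    for ds in datasets:
        level = classify(ds.characteristics)
        asset = by_name[ds.stored_on]
        missing = REQUIRED_CONTROLS[level] - asset.controls
        if missing:
            issues.append({"data": ds.name, "level": level,
                           "asset": asset.name, "missing": sorted(missing)})
    return issues


def highest_level_per_asset(datasets: List[DataSet]) -> Dict[str, str]:
    """The classification each asset must be protected to, given what it stores."""
    result: Dict[str, str] = {}
    for ds in datasets:
        level = classify(ds.characteristics)
        if LEVELS.index(level) >= LEVELS.index(result.get(ds.stored_on, "public")):
            result[ds.stored_on] = level
    return result


# Constructed sample inventory: asset names, controls and data sets are made up.
ASSETS = [
    Asset("sharepoint-01", "medium", {"authentication"}),
    Asset("db-01", "high", {"authentication", "access_logging",
                            "encryption_at_rest", "need_to_know_acl"}),
    Asset("laptop-fleet", "low", {"authentication", "encryption_at_rest"}),
]
DATASETS = [
    DataSet("customer_records", {"pii"}, "sharepoint-01"),
    DataSet("product_designs", {"trade_secret"}, "db-01"),
    DataSet("cafeteria_menu", set(), "sharepoint-01"),
    DataSet("sales_contracts", {"contract", "pii"}, "laptop-fleet"),
]

if __name__ == "__main__":
    for issue in find_mismatches(DATASETS, ASSETS):
        print(f"{issue['data']} ({issue['level']}) on {issue['asset']} "
              f"lacks {issue['missing']}")
    print(highest_level_per_asset(DATASETS))
```

Run as a script it lists the two mismatches in the constructed inventory (customer records on a share with no logging or encryption, and contracts on laptops with no access logging) and the level each asset has to be protected to.  The `REQUIRED_CONTROLS` table is exactly the kind of policy a DLP appliance consumes later, which is why writing it down first pays off.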

Manage Vulnerabilities

Yet another opportunity to insert my favorite tag-line: manage Operating System and Application vulnerabilities within your organization, or others will manage them for you.  Do not just focus on those areas that service the Internet and your customers.  Instead, get a holistic perspective of your ENTIRE environment, including the enterprise-wide desktops, servers, and infrastructure devices, and start inventorying the applications, configurations and vulnerabilities on all systems.  With this information at hand, look for the worst of the worst: those vulnerabilities with known exploits.  This will provide a list of the highest priority targets for patching.

Next, refine the list by the severity of the vulnerability.  If it offers complete administrative access remotely, it is more dangerous and therefore a higher priority than an information disclosure issue or even a Denial of Service attack.  The end result is a spreadsheet of prioritized, actionable intelligence that can be handed to your IT Managers and, with little explanation, yield an agreed-upon action plan for remediation.  (I wish it was all that simple, but at least you can enter the room with a handful of immediate targets, rather than a 3000 page report that will never gain traction…)
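The two-step triage just described (known exploit first, then severity by impact class) is simple enough to script, so here is an added example of it, not code from the original post.  The hosts, the `VULN-nnnn` identifiers (placeholders, not real CVE numbers), the scores and the impact labels are constructed; the ordering rule follows the post, with Internet exposure used only as a tie-breaker so internal systems are not pushed down the list.

```python
import csv
import io
from dataclasses import dataclass
from typing import List

# Impact classes ranked as the post describes: remote administrative access
# outranks information disclosure, which outranks denial of service.
IMPACT_RANK = {"remote_admin": 3, "info_disclosure": 2, "dos": 1}


@dataclass
class Finding:
    host: str
    vuln_id: str           # placeholder identifier, not a real CVE
    impact: str            # one of IMPACT_RANK's keys
    cvss: float            # severity score, 0.0 to 10.0
    known_exploit: bool    # public exploit code exists for this issue
    internet_facing: bool  # host services the Internet (tie-breaker only)


def priority_key(f: Finding):
    """Sort key: exploited first, then impact class, then score, then exposure."""
    return (not f.known_exploit,
            -IMPACT_RANK.get(f.impact, 0),
            -f.cvss,
            not f.internet_facing,
            f.host)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Return the findings ordered from most to least urgent."""
    return sorted(findings, key=priority_key)


def top_targets(findings: List[Finding], n: int = 3) -> List[str]:
    """The short list to walk into the room with, as host:vuln_id strings."""
    return [f"{f.host}:{f.vuln_id}" for f in prioritize(findings)[:n]]


def to_csv(findings: List[Finding]) -> str:
    """Render the prioritized list as CSV text for the spreadsheet handed to IT."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["priority", "host", "vuln_id", "impact", "cvss",
                     "known_exploit", "internet_facing"])
    for rank, f in enumerate(prioritize(findings), start=1):
        writer.writerow([rank, f.host, f.vuln_id, f.impact, f.cvss,
                         f.known_exploit, f.internet_facing])
    return out.getvalue()


# Constructed sample inventory: hosts, identifiers and scores are made up.
FINDINGS = [
    Finding("fileserver-01", "VULN-0001", "info_disclosure", 5.3, True, False),
    Finding("web-01", "VULN-0002", "remote_admin", 9.8, False, True),
    Finding("dc-01", "VULN-0003", "remote_admin", 8.8, True, False),
    Finding("print-01", "VULN-0004", "dos", 7.5, True, False),
    Finding("desktop-117", "VULN-0005", "remote_admin", 9.0, True, False),
]

if __name__ == "__main__":
    print(to_csv(FINDINGS))
```

Note what the ordering does with the constructed data: the Internet-facing web server with the highest raw score lands last, because nothing exploits it yet, while an internal desktop with a known exploit for a remote-admin bug comes first.  That is the "worst of the worst" rule in the post applied literally; swap the key if your organization weighs exposure differently.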

Institute “Least Privilege”

We can drastically reduce the odds of this type of incident by implementing appropriate technical controls.  All good discussions about implementing information security controls generally start with Access Control.  The more people that have access to a particular piece of information, the more likely that information will end up being shared somewhere.  “Least privilege” is the best practice of eliminating excessive access rights by giving staff members only the privileges required to do their jobs.  Many organizations start off on the wrong foot because they are small, or don’t have dedicated IT staff, and the habits that they adopt early are almost impossible to change once ingrained within the organization.  Access tends to be granted on an ad-hoc basis, as needed, and with no consideration for access management later.  Rather than investing the time to build a role-based or other access control strategy, users are manually and often arbitrarily assigned access privileges to files, directories and entire volumes at the user level.

Access privileges also tend to accumulate over time.  If one person works for a company for 20 years, filling say 5 different roles, they are likely to have accumulated all of the access rights that each of those roles requires in order to function.  That’s great if you really pay this person well and they NEED all of that access to keep things functioning (you have bigger problems than access control!).  Not so good if the economy or their personal situation suddenly changes for the worse, and opportunities to exploit that access for personal gain present themselves.

Work out how to make drastic cuts in access privileges without blocking employees from getting to the information they need to be productive, by implementing detailed access control policies.

Clarify Accountability

Every employee needs to know that they carry a great responsibility, that ignoring or violating this responsibility will result in termination and possibly prosecution, and that they will be caught.  This means having system log-in rules, monitoring access, creating access request processes and other supporting processes that make it very clear that access control is a priority within the organization.  It will also make it clear and easy to report who has access to what, when, and why.  The presence and use of access control and data monitoring tools should be expressed up front to all staff, and never be a surprise to anyone.  This forestalls potential “plausible deniability” claims.
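The least-privilege section and the accountability section above ask for the same two artifacts: a role-based definition of what each job needs, and a report of who holds what beyond that and whether an access request backs it.  This added example (not code from the original post) models both over a constructed directory; the roles, permission strings and people are assumed values.  It also shows the "audience" for a piece of data shrinking once grants are trimmed to the current role.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Set

# Assumed role definitions: each role carries only the permissions that job needs.
ROLES: Dict[str, Set[str]] = {
    "accounts_payable": {"finance_share:read", "finance_share:write"},
    "hr_analyst": {"hr_db:read"},
    "it_admin": {"finance_share:read", "hr_db:read", "domain:admin"},
}


@dataclass
class User:
    name: str
    role: str          # the role the person currently fills
    granted: Set[str]  # privileges actually assigned, accumulated over time
    approved: Set[str] # privileges backed by a recorded access request


def excess_privileges(user: User) -> Set[str]:
    """Grants beyond what the current role requires (the 20-year accumulation)."""
    return user.granted - ROLES[user.role]


def missing_privileges(user: User) -> Set[str]:
    """Role requirements the person lacks; cutting access must not block real work."""
    return ROLES[user.role] - user.granted


def unapproved_privileges(user: User) -> Set[str]:
    """Grants with no access request on file: nobody can say when or why they were given."""
    return user.granted - user.approved


def who_can(users: List[User], permission: str) -> List[str]:
    """Everyone holding a permission: the population a leak of that data could come from."""
    return sorted(u.name for u in users if permission in u.granted)


def access_review(users: List[User]) -> Dict[str, dict]:
    """The 'who has access to what, and why' report the post asks for."""
    return {
        u.name: {
            "role": u.role,
            "excess": sorted(excess_privileges(u)),
            "missing": sorted(missing_privileges(u)),
            "unapproved": sorted(unapproved_privileges(u)),
        }
        for u in users
    }


def apply_least_privilege(users: List[User]) -> List[User]:
    """Trim every user's grants to exactly the current role's requirements."""
    return [replace(u, granted=set(ROLES[u.role])) for u in users]


# Constructed sample directory: names, roles and grants are made up.
USERS = [
    User("alice", "hr_analyst",
         granted={"finance_share:read", "finance_share:write", "hr_db:read"},
         approved={"finance_share:read", "hr_db:read"}),
    User("bob", "it_admin",
         granted={"finance_share:read", "hr_db:read", "domain:admin"},
         approved={"finance_share:read", "hr_db:read", "domain:admin"}),
    User("carol", "accounts_payable",
         granted={"finance_share:read"},
         approved={"finance_share:read"}),
]

if __name__ == "__main__":
    for name, row in access_review(USERS).items():
        print(name, row)
    print("finance_share:read before:", who_can(USERS, "finance_share:read"))
    print("finance_share:read after: ",
          who_can(apply_least_privilege(USERS), "finance_share:read"))
```

In the constructed data Alice moved from accounts payable to HR and kept the finance share, and one of those grants was never requested at all; Carol, the person who actually does the job now, is missing the write permission she needs.  Both findings come out of the same review, which is the practical argument for building the role table before the cuts rather than cutting by hand.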

Beware Indirect Leaks

Often, a major leak is actually derived from many smaller, less significant leaks about the same event, group or organization, and from the inferences that can be drawn between their individual contents.  It is reasonable to suspect that not all leaks come directly from employees.  Malware developers and hackers seeking profit often gather confidential information for which they don’t have any apparent use.  WikiLeaks has made it very easy and convenient for anyone who would like to expose company secrets to do so.

In addition to the insider threat, we all need to take a long, critical look at how we protect our data from outsiders, including friends, visitors, thieves and even family members, to keep our company secrets from becoming public knowledge.  What is stored on your home computer?  How is it protected?  Do you use encryption and passwords?

Summing Up

Information leakage and data misuse cannot be completely eradicated, but these events can often be detected and prevented before they become security incidents and newspaper articles.  The ultimate question that needs to be asked remains “Just how valuable, damaging, or sensitive is your organization and customer data?”  The answer to this question will determine your organization’s reaction to and plans for preventing data leaks.  The tools are available and are now within reach of Small to Medium Businesses.  If there is something that I have missed, please feel free to add it.

Useful Links