Stopping data leakage:

Exploiting your existing security investment

After years of battling intrusions, viruses, and spam, organizations now find themselves wrestling with another growing security issue: data leakage – the intentional or accidental exposure of information ranging from legally protected personal information to intellectual property and trade secrets. Today’s data security breaches do not just come from internet hacking attacks, but encompass the wider IT environment, involving lost or stolen laptops, USB keys and other devices, email, and Web 2.0 applications, such as IM.

In a recent survey by analyst IDC, the inadvertent exposure of company confidential information was cited as the number one threat, above viruses, Trojans, and worms. The most common type of information leaked was intellectual property and 81 percent of respondents saw information protection and control (IPC) – defined as monitoring, encrypting, filtering, and blocking sensitive information contained in data at rest, data in motion, and data in use – as an important part of their overall data protection strategy. The highest priority IPC solution was data leakage prevention (DLP) deployed at the organization’s perimeter and on endpoint computers.1 A Ponemon Institute study similarly found that data loss prevention and encryption solutions topped the list of most-frequently named technology measures deployed post-breach to help avert a future breach.2

Figure: Importance of monitoring employee use (source 1)

The growing importance of DLP

There are several reasons for the movement of data leakage prevention to the forefront of enterprise security.

High-profile, reputation-damaging data leaks

Bad publicity from data leakage can result in damaged reputation, lost customers, and sometimes even ruin for companies that fall victim to them.

The number of well-publicized examples of data security breaches is growing significantly. Recent high-profile incidents have included:

  • Hackers stole 4.2 million credit and debit card numbers from Hannaford Bros, a US supermarket chain with 165 grocery stores in the New England area. (Dec 2007 – Mar 2008)3
  • Secret government documents on al Qaeda and Iraq were left on a commuter train in the UK. (Jun 2008)4
  • Her Majesty’s Revenue and Customs (HMRC) in the UK lost personal data – including dates of birth, National Insurance numbers and bank details – on 25 million people when two CDs disappeared in the internal mail. (Nov 2007)5
  • An email containing names, positions, salaries, and social security numbers of 192 faculty and staff members was accidentally sent to Ohio State University Agricultural Technical Institute students. (May 2008)6

Regulations

Government legislation

Governments worldwide have introduced increasingly stringent data protection legislation, such as the US’s Sarbanes-Oxley Act, HIPAA, and Gramm-Leach-Bliley Act, and the UK’s Data Protection Act, to provide suitable controls over sensitive company information. Organizations found to be in breach of the legislation can be fined and forced to put solutions in place to prevent a recurrence. The California Senate Bill 1386, introduced in 2003, was the first to require that organizations notify all affected individuals if their confidential or personal data has been lost, stolen, or compromised. This public disclosure is now required by 35 states. Many regulations also require regular audits, which an organization may not pass if the right controls are not in place.

PCI DSS

Alongside government legislation sits PCI DSS (Payment Card Industry Data Security Standard). Created by multinational corporations, it is enforced on merchants as a part of their terms of being allowed to accept credit card transactions. Organizations that cannot demonstrate PCI compliance at an audit are subject to sanction even if no actual data leak has occurred. PCI’s reach across international boundaries and its ability to respond quickly to change makes it as important a security standard as any local or national legislation.

Cost

In addition to legal costs, organizations have to deal with the less tangible costs of recovery and commercial fallout, such as lost business, or withdrawal of credit card merchant status. All these costs have been rising steadily.

Cost of a data breach

  • Up 43 percent since 2005
  • Average cost per breach – $6.3 million
  • Average cost per record – $197 (for financial firms – $239)

Cost of lost business

  • Up 30 percent since 2005
  • 65 percent of overall cost (compared to 54 percent in a similar 2006 study)

Source: Ponemon Institute, Nov 20072

The dissolving perimeter and Web 2.0

As business has gone online and become vastly more mobile, the 20th century security strategy of protecting the organization’s perimeter with firewalls, intrusion detection, and other similar tools has become insufficient. There are simply too many points of data entry and exit. While blocking the perimeter remains important, protection must focus on controlling access to the information.

This need is growing exponentially with the totally different perspective introduced by Web 2.0 users. This new “employee 2.0” workforce brings a mindset that is highly tuned to sharing information on social networking sites, posting to blogs, emailing and IMing friends, with little or no regard to whether this is appropriate in a business context.

The challenge for today’s DLP solutions

Several enterprise-focused DLP solution vendors have developed innovative solutions for preventing the leakage of sensitive company information. Many of these products focus on identifying and categorizing all company data and then implementing corporate DLP policies to track sensitive information across the enterprise, applying controls where necessary.

These solutions make a lot of sense in concept, but in practice they run up against several implementation roadblocks.

  • Too much data, too little time. For many organizations data is so dispersed, disorganized, and voluminous that classifying it comprehensively is just too burdensome and resource-intensive a task for most IT departments to undertake.
  • IT resistance. Many available DLP products are relatively new and still suffer from issues such as frequent false positives, and IT departments can be reluctant to invest their increasingly stretched resources in deploying another complex enterprise-level infrastructure at the expense of delivering strategic value to the organization.
  • User resistance. There is a wariness about deploying yet another agent on each desktop and laptop that might interfere with legitimate business by hogging processor cycles, requiring frequent updates and slowing down the performance of other user applications.
  • Complexity of scope. Devising and implementing a comprehensive, viable policy to be supported by the DLP solutions can get in the way of regular business practices, requiring the involvement of not just IT but also human resources, finance and legal teams, and business unit managers.
  • The wrong focus. Many of these solutions focus to a large extent on intentional data leakage, when in reality intentional leakage is hard to stop with technical controls. For example, people can deliberately alter files to avoid detection, or there is the more mundane problem of people simply sharing information inappropriately in conversation.

Organizations’ real requirements

The truth is that, with the exception of the largest enterprises with the most stringent security requirements, most organizations simply don’t have the funds, staff resources, or need to implement large-scale DLP efforts. Their most pressing and immediate needs fall into three categories.

Stopping the stupid

98 percent of data leakage incidents are actually due to accident or stupidity.7 Lost laptops and USB keys, inadvertent misuse of email, and the unthinking sharing of information on IM, webmail, social networking sites, and peer-to-peer file sharing sites are a much more significant threat to organizations than hackers.

Meeting regulatory requirements

The most pressing need for most organizations is to implement an effective solution that will satisfy auditors that they are providing the protection and control required to meet current regulations, without the need for huge amounts of funds, staff, and resources in implementation and management.

Benefiting from existing investment

Particularly where there are limited IT resources, the best solution is not investing a lot of time and money in a brand new infrastructure, but taking full advantage of the DLP features of the infrastructure they already have.

Enabling DLP

Enforcing an acceptable use policy

Creating and enforcing an acceptable use policy (AUP) should underpin any attempt to stop data leaking from an organization. Because of the changing nature of both the organizational infrastructure and the expectation of employees that information should be freely available to access and share, an AUP’s success depends heavily on creating ongoing employee buy-in to the fact that the threat is internal, overwhelmingly accidental, and in their hands to avoid.

As well as stressing the importance of commonsense, the AUP should set out exactly how an employee is expected to use an organization’s information, containing prescriptive advice on best practice and clearly defining prohibited behavior. It should cover issues such as:

  • What information/files it is acceptable to email
  • The company policy on posting to web message boards or downloading from the web
  • The policy on use of USB keys and CDs for storing sensitive company information
  • The policy on altering security settings.

The repercussions of not adhering to the policy should also be spelled out.

Harnessing existing solutions

Most organizations already have a variety of tools with features that can address their most pressing DLP requirements without a major new investment.

A further advantage is that as DLP grows as a corporate concern these same solutions are likely to upgrade their DLP-related features, in much the same way that spyware prevention, spam detection, and intrusion detection and prevention all started as separate security categories and infrastructures, but were quickly subsumed into other categories, such as antivirus protection and firewalls.

Existing tools that can be harnessed against data leakage include the following:

Email gateway and server protection

Much of the functionality available in email products can prevent sensitive or inappropriate data being sent outside the organization, or to unauthorized users inside the organization. Tools include:

  • Content scanning of messages and attachments to control and block sensitive information, by identifying, for example, social security numbers, or keywords relating to confidential corporate information
  • Controlling access to particular files
  • Compatibility with encryption solutions to prevent unauthorized users from reading emails
  • True file type identification to prevent users from disguising and obfuscating unauthorized file types in emails.
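The two email gateway checks above, content scanning for social security numbers and confidential keywords, and true file type identification by magic bytes rather than file extension, are illustrated here as an added example (not Sophos product code). The message, the small magic-number table and the keyword list are constructed for the example.

```python
import re
from email.message import EmailMessage

# SSN pattern with the structurally invalid area/group/serial values excluded
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
KEYWORDS = ("confidential", "trade secret")   # constructed policy keyword list

# Constructed magic-number table: declared extension -> expected leading bytes
MAGIC = {".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".png": b"\x89PNG", ".exe": b"MZ"}


def true_type_mismatch(filename, data):
    """True when the content's magic bytes contradict the declared extension.
    Unknown content (no table match) is not flagged; that is a policy choice."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    actual = [e for e, magic in MAGIC.items() if data.startswith(magic)]
    return bool(actual) and ext not in actual


def scan_message(msg):
    """Return a list of (finding_type, detail) tuples for one EmailMessage."""
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings += [("ssn", m) for m in SSN_RE.findall(text)]
    findings += [("keyword", kw) for kw in KEYWORDS if kw in text.lower()]
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if true_type_mismatch(name, data):
            findings.append(("disguised_file", name))   # e.g. an EXE renamed to .pdf
        findings += [("ssn_in_attachment", m)
                     for m in SSN_RE.findall(data.decode("utf-8", "ignore"))]
    return findings


def verdict(findings):
    return "block" if findings else "allow"


def build_sample():
    """Constructed outbound message that violates both checks."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "hr@example.com", "all@example.com", "Payroll"
    msg.set_content("Salaries attached. Confidential. Jane: 123-45-6789")
    msg.add_attachment(b"MZ\x90\x00not-a-pdf", maintype="application",
                       subtype="octet-stream", filename="report.pdf")
    return msg
```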

Web gateway protection

Tools in web solutions can enforce company policies that:

  • Prevent users from accessing the types of website and application that are typically used to bypass corporate controls and disseminate sensitive company information, including peer-to-peer file sharing, FTP sites, and webmail sites such as Googlemail and Yahoo! Mail.
  • Control and block the unauthorized use of Instant Messaging and FTP traffic
  • Protect against drive-by downloads which secretly place spyware on the user’s computer.

Endpoint protection

Endpoint protection goes far beyond the imperative not to leave laptops on trains:

  • Blocking the use of non-essential applications such as P2P file sharing, IM, FTP clients, unauthorized email clients, wireless network connections, and smartphone and PDA synchronization tools.
  • Managing write access to portable storage devices such as USB keys.
  • Encrypting portable storage data so that it cannot be read if it gets into the wrong hands.

Investing in new technology

All these existing tools can provide a significant degree of protection providing they are kept up to date and maintained. But there is one extra solution that can provide a crucial additional level of protection—network access control (NAC). NAC ensures that every computer connecting to the network — whether office-based or remote, company-owned or belonging to guest users — is compliant with the organization’s security policy.

With a good NAC solution, any endpoint computer that connects to the network is automatically scanned to ensure:

  • Firewall and malware protection is up-to-date and active
  • The latest operating system patches have been applied
  • There are no unauthorized applications

By immediately remediating or blocking any computers found to be out of compliance with corporate policies, NAC makes sure that the DLP features in other solutions are active and up to date.

Summary

Data leakage has become one of the most pressing security issues facing organizations today. However, implementing a whole new complex infrastructure to stop information leakage is generally neither a viable nor an effective strategy. Rather, the best DLP solution is to create an AUP, enforce it by applying the appropriate controls already available in the existing endpoint, server, and gateway security infrastructure, and invest in a NAC solution to ensure that all computers are up to date and compliant with corporate policies.

Sophos solution

Sophos Enterprise Security and Control provides complete protection for an organization’s desktops, laptops, mobile devices, file servers, email gateway and groupware infrastructure, and all web browsing needs. Sophos’s unified engine defends every point, controlling not just malicious software and activity but also preventing data leakage and the misuse of legitimate software applications, including VoIP, IM, P2P, internet browsers, media players and games. One per user license allows all Windows, Mac and Linux endpoints to be protected, enables software or appliance protection at the email and web gateway, and protects Microsoft Exchange and Lotus Notes groupware servers.

Sources

1. Security Predictions 2008: IP and Compliance, Security’s Troublesome Twins, Brian Burke, IDC, Feb 2008

2. www.ponemon.org/press/06-25-07-Ponemon_Consumer_Survey_FINAL.pdf

3. www.sophos.com/pressoffice/news/articles/2008/03/hannaford.html

4. edition.cnn.com/2008/WORLD/europe/06/11/alqaeda.documents.ap/index.html?iref=newssearch

5. www.sophos.com/pressoffice/news/articles/2007/11/hmrc-id-theft.html

6. www.columbusdispatch.com/live/content/local_news/stories/2008/05/06/wooster.html?sid=101

7. www.networkworld.com/news/2007/091107-data-leak-prevention.html
