Data Loss Prevention: Challenges, Impacts & Effective Strategies

An introduction to Data loss prevention requirements and basic technologies.

Published in: Technology, Education

Transcript

  • 1. Data Loss Prevention: Challenges, Impacts & Effective Strategies
  • 2. Data Loss will impact your organization this year… …in a new, unexpected and uncontrollable manner. Copyright 2008 – Seccuris Inc.
  • 3. Data Loss is an Escalating Problem. [Chart: Number of Reported Data Loss Incidents, 2002–2006] 1700% increase in incidents since 2004¹; 1 in 2 identities already at risk²; Avg cost/leak: $4.8M³; ~70% of organizations experienced loss caused by “insiders”⁴; 33% believe a serious data breach can put them out of business⁵. Source: McAfee DLP Overview. ¹ Attrition.org; ² Privacy Rights Clearinghouse; ³ Ponemon Institute “2006 Cost of Data Breach Study”; ⁴ 2006 CSI/FBI Computer Crime and Security Survey; ⁵ Datagate report by McAfee/Datamonitor.
  • 4. Market Value of Data is increasing: Birth certificate $147; Social Security card $98; Credit card number $6-$24; PayPal account logon and password $6; Trojan to steal account information $980-$4,900; Credit Card Number with PIN $490; Billing data $78-$294; Driver's license $147. Source: McAfee DLP Overview; ¹ www.informationweek.com.
  • 5. Data Loss is a Serious Everyday Issue: Copying customer record files to a USB Drive; Emailing confidential document to a competitor; Sending internal documents via Hotmail; Printing financial documents; Emailing confidential data via guest laptop on corporate net; Sending email via Blackberry. Source: McAfee DLP Overview.
  • 6. Technical threats are maturing. Movement of the technical threat: • Network & System Based • Database & Application Based • Second Tier Attacks • Social Network Site Attacks • Banking Site Trojans
  • 7. Business challenges are growing: Accidental and malicious means; Anywhere; All parts of the network & business; No visibility and control. Source: McAfee DLP Overview.
  • 8. Key Business Motivators are emerging. Breach of Corporate Governance: PCI DSS, PIPEDA, Provincial FOI Acts, Health Acts, Basel II, SOX/CSOX, ACSI33, GLBA. Loss of Customer & Confidential Data: Credit Card Records, Accounts & Passwords, Social Insurance #s, Financials. Loss of Intellectual Property: Patents, Source Code, Methods & Process, Trade Secrets. Source: McAfee DLP Overview.
  • 9. Expectations for protection have mutated. Data Loss Prevention is your organization's responsibility… Expectations from: • Government • Industry • Clients & Constituents. What, How, For what length of time? WHY?
  • 10. Understanding the DLP priorities that exist in your organization and preparing effective mitigating strategies is foundational to any successful information security program today.
  • 11. Data Loss Priorities: Employee Exposures – Access mistaken for ownership; Application Exposures – Impact from missing controls; Process Exposures – Enhance Information Management.
  • 12. Data Loss - Scope. [Diagram: the data lifecycle (Creation, Identify & Classify, Distribution, Use, Maintain, Archive, Destroy, Recycle, Incident Handling) surrounded by the layers Employee, Physical Environment, Application & Process and Network; channels shown include Printer, USB, Copy & Paste, HTTPS, IM, Peer to Peer, Wi-Fi, email and FTP, across At Work, At Home and On the Road.] Source: McAfee DLP Overview.
  • 13. Employee Data Loss: Employee cuts out sensitive data from a working document and uses Hotmail to send a copy to his home account. Data is cut & copied, losing any labeling or DRM from the original file. Sensitivity & Classification removed.
  • 14. Employee Data Loss: Employee copies sensitive data from database to USB for “safekeeping”. Copied data removed undetected on removable media. No control over further duplication.
  • 15. Employee Data Loss (Printer): Employee prints sensitive document for review on the road. Printed documents removed from the office without version control, described context, etc. Retention & Destruction uncontrolled.
  • 16. Employee Data Loss Channels: Email, IM, HTTP, Copy and Paste, Local/Screen capture, External (USB), Web Mail, Agent-less Devices, Blackberry. Source: McAfee DLP Overview. 1/12/2009
  • 17. Application Data Loss (HTTPS): Application encryption requirements assessed after initial prototype or UAT builds. Application encryption consists of end user transport encryption only. Database and inter-application issues not addressed.
  • 18. Application Data Loss: Wireless functionality added to environment as an “enhancing” afterthought. Wireless encryption requirements did not consider “timeliness” of data transmitted. Encryption was broken while data still considered sensitive.
  • 19. Application Data Loss: Employee roles for application functions not specified by business; user roles allow for moderate access throughout the system and datasets. Employee roles poorly defined or limited in application. Inappropriate Use not limited, fraud potential not reviewed.
  • 20. Application Data Loss Channels: Client Presentation, Server-side Presentation, Server-side Business Logic, Server-side Data Logic, Server-side Data Storage, Remote Data Storage, Server-side Platform, Network, Client-side Platform. Source: McAfee DLP Overview.
  • 21. Process Data Loss: Large office move requires transport of hundreds of hard drives, tapes, CDs and paper records. Records unaccounted for after substantial office move. Unknown data loss.
  • 22. Process Data Loss: Outsourced contract requires use of sensitive data for service delivery. Outsourcer cannot provide inventory of current data / information sets in possession or controls protecting data. Protection of data unknown.
  • 23. Process Data Loss: Previous archival methods must be refreshed to ensure long term storage of sensitive data. Technology migration requires restoration of original data to a temporary location for transition. Exposure to loss increased during transition.
  • 24. Process Data Loss Channels: Creation, Distribution, Use & Processing, Maintenance, Archival, Destruction, Recycling. Source: McAfee DLP Overview.
  • 25. Current Control Strategies: Protecting Data vs. Protecting Information
  • 26. Current Control Strategies: Technical Control vs. Mitigating Process
  • 27. Current Control Strategies: Client vs. Organizational Responsibility / Accountability
  • 28. Control Strategies Best Practice. Data Loss Best Practice: 1. Discover and protect confidential data wherever it is stored or used 2. Monitor data usage and prevent confidential data from leaving the security domain (organization) 3. Assure control solutions balance accuracy & efficiency
  • 29. Control Strategies Best Practice. Data Loss Best Practice: 4. Automate policy enforcement where possible 5. Maintain visibility & control over encrypted data 6. Set and Maintain Employee trust in the privacy of their information 7. Plan long-term strategy for technical controls
  • 30. Current Control Challenges: • Weak support and definition of Data Loss scope & priority at executive level • Inconsistent participation of involved corporate roles (Business, App Dev, IT, Privacy, Security & Audit)
  • 31. Current Control Strategies: What controls exist to mitigate Data Loss in the discussed scenarios? Employee Exposures – Access mistaken for ownership; Application Exposures – Impact from missing controls; Process Exposures – Enhance Information Management.
  • 32. Employee Data Loss Channels (Email, IM, HTTP, Copy and Paste, Local/Screen capture, External (USB), Web Mail, Agent-less Devices, Blackberry). Controls to consider and review: • Policy (Define Access & Ownership) • Access to data does not give permission to transport, copy & distribute • Procedures (Effective use & storage) • Alerting (Suspicious & Inappropriate Use). Source: McAfee DLP Overview.
  • 33. Employee Data Loss Channels (same list as slide 32). Controls to consider and review: • Technical controls (Host, Network & Gateway) • Specific Implementations: • Regular Expressions • Dictionaries • Fingerprinting • Heuristics • Proximity Matching • Technical control management • Scalability & Visibility. Source: McAfee DLP Overview.
  • 34. [Diagram: Host and Gateway control placement for each Employee Data Loss Channel (Email, IM, HTTP, Copy and Paste, Local/Screen capture, External (USB), Web Mail, Agent-less Devices, Blackberry) across the Corporate Network, Public Internet and Disconnected states.] Source: McAfee DLP Overview.
  • 35. Application Data Loss Channels (Client Presentation, Server-side Presentation, Server-side Business Logic, Server-side Data Logic, Server-side Data Storage, Remote Data Storage, Server-side Platform, Network, Client-side Platform). Controls to consider and review: • Role Based Access Controls & Definitions • Role & Access Overrides • Logging (Audit & Maintenance) • Alerting (Suspicious & Inappropriate Use). Source: McAfee DLP Overview.
  • 36. Application Data Loss Channels (same list as slide 35). Controls to consider and review: • Encryption • Data Segmentation • Coding & Implementation Errors • Data retention & destruction methods. Source: McAfee DLP Overview.
  • 37. Process Data Loss Channels (Creation, Distribution, Use & Processing, Maintenance, Archival, Destruction, Recycling). Controls to consider and review: • Data Creation & Collection practices • Identification & Labeling • Classification & Re-classification • Privacy & Business Impact Assessments. Source: McAfee DLP Overview.
  • 38. Process Data Loss Channels (same list as slide 37). Controls to consider and review: • Minimum data protection requirements • Incident Handling & Public Relations • Service Levels & Required Reporting • Awareness & Training for Data Protection. Source: McAfee DLP Overview.
  • 39. Control Strategies to Assess. Assess current environment controls: • Current control inventory • Control usage • Reporting processes • Maturity of supporting process
  • 40. Control Strategies to Assess. Focus on Process Controls: • Data review should be considered for all sensitive applications (BIA, PIA, TRA) • Enhanced Response & Mitigation processes should be created (Incident Handling, Public Relations) • Detailed contracts should set expectations for Data Loss Prevention (SLAs, OLAs)
  • 41. Control Strategies to Assess. Focus on Technical Controls: • Limit collection, use and retention of data • Identify & Classify what exists today • Enterprise Rights Management, IRM / DRM
  • 42. Moving Forward: • Increase awareness of business risks • Enhance & justify your DLP strategy • Prepare for maturing expectations regarding DLP
  • 43. Focus on your Data Loss Exposures. Employee Exposures – Reset and manage employee expectations & implement technical control suites. Application Exposures – Promote architected systems that can prevent and mitigate unforeseen DLP scenarios. Process Exposures – Enhance traditional records management strategies to prevent, detect, mitigate and respond to data loss issues.
  • 44. Understanding the DLP priorities that exist in your organization and preparing effective mitigating strategies is foundational to any successful information security program today.
  • 45. Thanks. Michael Legary, CSA, CISSP, CISM, CISA, CCSA, CPP, GCIH, PCI-QSA, Founder & CIO, Seccuris Inc. Email: Michael.Legary@seccuris.com Direct: 204-255-4490 Main: 204-255-4136 Fax: 204-942-6705
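The detection mechanisms slide 33 lists for technical DLP controls (regular expressions, dictionaries, fingerprinting, heuristics and proximity matching), exercised against the web-mail exposure described in slides 13 and 32, as an added Python example; this is not code from the deck or from Seccuris. The card-number pattern, the dictionary terms, the proximity window, the shingle size, the block threshold, the registered "confidential" document and the three sample messages are all constructed for illustration and are not policy values from the slides.

```python
"""Toy DLP content inspector for an outbound message channel (web mail / e-mail).

Added example, not part of the slide deck: it applies the detection techniques
the deck lists for technical controls (regular expressions, dictionaries,
fingerprinting, heuristics, proximity matching) to constructed sample messages.
All policy values and sample texts below are hypothetical.
"""
import hashlib
import re

# Regular expression: 13-16 digit runs with optional space/dash separators (card-number shape).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

# Dictionary: sensitivity markers the organisation uses (hypothetical list).
DICTIONARY = {"confidential", "internal only", "trade secret", "do not distribute"}

# Proximity matching: a context word within PROXIMITY characters of a card-shaped number.
CONTEXT_WORDS = ("card", "visa", "mastercard", "expiry", "cvv", "account")
PROXIMITY = 40          # hypothetical policy value

# Fingerprinting: hashed word shingles of a registered confidential document.
SHINGLE = 5             # words per shingle, hypothetical policy value
FP_BLOCK_RATIO = 0.3    # fraction of the registered document seen before blocking


def luhn_ok(digits: str) -> bool:
    """Heuristic: keep only card-shaped numbers that pass the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fingerprint(text: str) -> set:
    """Set of SHA-256 hashes over overlapping SHINGLE-word windows of normalised text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()
        for i in range(max(len(words) - SHINGLE + 1, 0))
    }


def inspect(message: str, registered: set) -> dict:
    """Run all detectors over one message; evidence is masked to the last four digits."""
    findings = {"regex": [], "dictionary": [], "proximity": [], "fingerprint": 0.0}
    low = message.lower()
    for m in CARD_RE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue            # heuristic filter: order numbers etc. rarely pass Luhn
        findings["regex"].append(digits[-4:])
        window = low[max(m.start() - PROXIMITY, 0):m.end() + PROXIMITY]
        if any(w in window for w in CONTEXT_WORDS):
            findings["proximity"].append(digits[-4:])
    findings["dictionary"] = sorted(t for t in DICTIONARY if t in low)
    if registered:
        shared = fingerprint(message) & registered
        findings["fingerprint"] = round(len(shared) / len(registered), 2)
    return findings


def verdict(findings: dict) -> str:
    """Block on high-confidence evidence, alert on weaker signals, otherwise allow."""
    if findings["proximity"] or findings["fingerprint"] >= FP_BLOCK_RATIO:
        return "block"
    if findings["regex"] or findings["dictionary"]:
        return "alert"
    return "allow"


# Constructed sample data (hypothetical): a registered confidential document and
# three outbound web-mail messages.
REGISTERED_DOC = (
    "Project Aurora pricing model: internal only. Q3 margin targets are set at "
    "14 percent for the enterprise tier and 9 percent for SMB. Do not distribute "
    "outside the finance team."
)
REGISTERED_FP = fingerprint(REGISTERED_DOC)

MSG_CARD = ("Hi Dave, the client card number is 4111 1111 1111 1111, expiry 12/11. "
            "Please process today.")
MSG_ORDER = ("Your order reference 1234 5678 9012 3456 has shipped; tracking "
             "details to follow.")
MSG_LEAK = ("Confidential. Pasting this to my home account for later: Q3 margin "
            "targets are set at 14 percent for the enterprise tier and 9 percent for SMB.")


def run_demo() -> dict:
    """Return the verdict for each sample message, keyed by name."""
    samples = {"card": MSG_CARD, "order": MSG_ORDER, "leak": MSG_LEAK}
    return {name: verdict(inspect(text, REGISTERED_FP)) for name, text in samples.items()}


if __name__ == "__main__":
    for name, text in (("card", MSG_CARD), ("order", MSG_ORDER), ("leak", MSG_LEAK)):
        result = inspect(text, REGISTERED_FP)
        print(name, result, "->", verdict(result))
```

Run it directly to see each message's findings and verdict: the card message is blocked because a Luhn-valid number sits next to a context word, the order reference is allowed because the Luhn heuristic discards it, and the pasted excerpt is blocked because half of the registered document's shingles reappear in it even though the "internal only" marker was stripped, which is exactly the labeling loss slide 13 describes. Only the last four digits are retained as evidence, so the inspector's own alert log does not become a further loss channel, in line with slide 29's point about maintaining employee trust in the privacy of their information.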