The document discusses data loss prevention challenges and strategies. It notes that data loss incidents have increased significantly in recent years and now cost organizations millions on average. Many data losses are caused by employees and insiders. The document outlines various types of employee, application, and process exposures that can lead to data loss and recommends assessing current controls and focusing on technical controls, access management, and process controls to better mitigate risks.
2. Data Loss will impact your
organization this year…
…in an new, unexpected and
uncontrollable manner.
Copyright 2008 – Seccuris Inc.
3. Data Loss is an Escalating Problem
Number of Reported
1700% increase in incidents Data Loss Incidents2
since 20041 350 –
1 in 2 identities already at 300 –
risk2
250 –
$4.8M3
Avg cost/leak:
200 –
~70% of organizations
150 –
experienced loss caused by
“insiders”4 100 –
33% believe a serious data 50 –
breach can put them out of
0-
business5 2002 2003 2004 2005 2006
Source: McAffeeDLP Overview
1Source: Attrition.org
3Source: Privacy Rights Clearinghouse
3Source: Ponemon Institute “2006 Cost of Data Breach Study”
4Source: 2006 CSI/FBI Computer Crime and Security Survey
5Source: Datagate report by McAfee/Datamonitor
Copyright 2008 – Seccuris Inc.
4. Market Value of Data is increasing
$147
$980-$4,900
Birth certificate
Trojan to steal
account information
$98
$490
Social Security card
Credit Card
Number with PIN
$6-$24
$78-$294
Credit card number
Billing data
$6
$147 PayPal account
Driver's license logon and password
Source: McAffeeDLP Overview
1Source: www.informationweek.com
Copyright 2008 – Seccuris Inc.
5. Data Loss is a Serious Everyday issue
Copying customer
Emailing confidential
record files to a
document to a
USB Drive
competitor
Sending internal
Printing financial
documents via
documents
Hotmail
Emailing confidential
Sending email via
data via guest laptop
Blackberry
on corporate net
Source: McAffeeDLP Overview
Copyright 2008 – Seccuris Inc.
6. Technical threats are maturing
Movement of the technical threat
• Network & System Based
• Database & Application Based
• Second Tier Attacks
• Social Network Site Attacks
• Banking Site Trojans
Copyright 2008 – Seccuris Inc.
7. Business challenges are growing
Accidental and malicious means
Anywhere
All parts of the network & business
No visibility and control
Source: McAffeeDLP Overview
Copyright 2008 – Seccuris Inc.
8. Key Business Motivators are emerging
Breach of Corporate
Governance
Loss of Customer PCI DSS PIPEDA Loss of
& Confidential Data Intellectual Property
Provincial FOI Acts
Health Acts Basel II
Credit Card Records Patents
SOX/CSOX ACSI33
Accounts & Source Code
Passwords
GLBA Methods &
Social Insurance #s
Process
Financials
Trade Secrets
Source: McAffeeDLP Overview
Copyright 2008 – Seccuris Inc.
9. Expectations for protection have mutated
Data Loss Prevention is your organizations’
responsibility…
Expectations from:
• Government
• Industry
• Clients & Constituents
What, How, For what length of time?
WHY?
Copyright 2008 – Seccuris Inc.
10. Understanding the DLP priorities that
exist in your organization and
preparing effective mitigating strategies
is foundational to any successful
information security program today
Copyright 2008 – Seccuris Inc.
11. Data Loss Priorities
Employee Exposures – Access mistaken for ownership
Application Exposures – Impact from missing controls
Process Exposures – Enhance Information Management
Copyright 2008 – Seccuris Inc.
12. Data Loss - Scope
Printer
USB
On the Road
Copy &
At Work
Paste
Ph iro
En
ee
y s nm
v
oy
ic e n
At Home
pl
al t
Em
m
e
DATA
HTTPS
at k &
`
ns
Pr
lic or
io
oc
pp w
Creation
A Net
es
Identify &
Classify
s
IM Peer to Peer
Distribution Hello, how
Wi-Fi are you?
Incident
Handling
email
Use
Recycle
Maintain
FTP
Source: McAffeeDLP Overview
Archive
Destroy
Copyright 2008 – Seccuris Inc.
13. Employee Data Loss
Employee cuts out sensitive data from
working document and uses hotmail to send
a copy to his home account.
Data is cut & copied losing any labeling or
DRM from the original file
Sensitivity & Classification removed
Copyright 2008 – Seccuris Inc.
14. Employee Data Loss
Employee copies sensitive data from
database to USB for “safekeeping”.
Copied data removed undetected on
removable media
No control from further duplication
Copyright 2008 – Seccuris Inc.
15. Employee Data Loss
Printer Employee prints sensitive document for
review on the road.
Printed documents removed from the office
without version control, described context,
etc.
Retention & Destruction uncontrolled
Copyright 2008 – Seccuris Inc.
16. 16
Employee Data Loss Channels
Data Loss
Channels
Email
IM
HTTP
Copy and Paste
Local/Screen capture
External (USB)
Web Mail
Agent-less Devices
1/12/2009
Blackberry
Source: McAffeeDLP Overview
Copyright 2008 – Seccuris Inc.
17. Application Data Loss
HTTPS
Application encryption requirements
assessed after initial prototype or UAT builds.
Application encryption consists of end user
transport encryption only.
Database and inter-application issues not addressed.
Copyright 2008 – Seccuris Inc.
18. Application Data Loss
Wireless functionality added to environment
as an “enhancing” afterthought.
Wireless encryption requirements did not
consider “timeliness” of data transmitted.
Encryption was broken while data still considered
sensitive.
Copyright 2008 – Seccuris Inc.
19. Application Data Loss
Employee roles for application functions not
specified by business,
user roles allow for moderate access
throughout the system and datasets
Employee roles poorly defined or limited in
application.
Inappropriate Use not limited, fraud potential not
reviewed
Copyright 2008 – Seccuris Inc.
20. 20
Application Data Loss Channels
Data Loss
Channels
Client Presentation
Server-side Presentation
Server-side Business Logic
Server-side Data Logic
Server-side Data Storage
Remote Data Storage
Server-side Platform
Network
Client-side Platform
1/12/2009
Source: McAffeeDLP Overview
Copyright 2008 – Seccuris Inc.
21. Process Data Loss
Large office move requires transport
of hundreds of hard drives, tapes,
CDs and paper records
Records unaccounted for after
substantial office move
Unknown data loss
Copyright 2008 – Seccuris Inc.
22. Process Data Loss
Outsourced contract requires use of
sensitive data for service delivery
Outsourcer can not provide inventory
of current data / information sets in
possession or controls protecting data
Protection of data unknown
Copyright 2008 – Seccuris Inc.
23. Process Data Loss
Previous archival methods must be
refreshed to ensure long term storage of
sensitive data
Technology migration requires
restoration of original data to a
temporary location for transition
Exposure to loss increased during transition
Copyright 2008 – Seccuris Inc.
24. 24
Process Data Loss Channels
Data Loss
Channels
Creation
Distribution
Use & Processing
Maintenance
Archival
Destruction
Recycling
1/12/2009
Source: McAffeeDLP Overview
Copyright 2008 – Seccuris Inc.
27. Current Control Strategies
Client vs. Organizational
Responsibility Accountability
Copyright 2008 – Seccuris Inc.
28. Control Strategies Best Practice
Data Loss Best Practice:
1. Discover and protect confidential data wherever is it
stored or used
2. Monitor data usage and prevent confidential data
from leaving the security domain (organization)
3. Assure control solutions balance accuracy &
efficiency
Copyright 2008 – Seccuris Inc.
29. Control Strategies Best Practice
Data Loss Best Practice:
4. Automate policy enforcement where possible
5. Maintain visibility & control over encrypted data
6. Set and Maintain Employee trust in the privacy of
their information
7. Plan long-term strategy for technical controls
Copyright 2008 – Seccuris Inc.
30. Current Control Challenges
• Weak support and definition of Data Loss
scope & priority at executive level
• Inconsistent participation of involved
corporate roles (Business, App Dev, IT, Privacy,
Security & Audit)
Copyright 2008 – Seccuris Inc.
31. Current Control Strategies
What controls exist to mitigate Data Loss in
the discussed scenarios?
Employee Exposures – Access mistaken for ownership
Application Exposures – Impact from missing controls
Process Exposures – Enhance Information Management
Copyright 2008 – Seccuris Inc.
32. 32
Employee Data Loss Channels
Data Loss
Controls to consider and review:
Channels
Email
•Policy (Define Access & Ownership)
•Access to data does not give permission to
IM
transport, copy & distribute
HTTP
•Procedures (Effective use & storage)
Copy and Paste
•Alerting (Suspicious & Inappropriate Use)
Local/Screen
capture
External (USB)
Web Mail
Agent-less Devices
1/12/2009
Blackberry
Source: McAffeeDLP Overview
Copyright 2008 – Seccuris Inc.
33. 33
Employee Data Loss Channels
Data Loss
Controls to consider and review:
Channels
Email •Technical controls (Host, Network & Gateway)
•Specific Implementations
IM •Regular Expressions
•Dictionaries
HTTP •Fingerprinting
•Heuristics
Copy and Paste •Proximity Matching
Local/Screen •Technical control management
capture
•Scalability & Visibility
External (USB)
Web Mail
Agent-less Devices
1/12/2009
Blackberry
Source: McAffeeDLP Overview
Copyright 2008 – Seccuris Inc.
34. 34
Host
Gateway
Corporate Public
Data Loss Corporate Public
Disconnected Disconnected
Network Internet Network Internet
Channels
Email
IM
HTTP
Copy and Paste
Local/Screen
capture
External (USB)
Web Mail
Agent-less Devices
1/12/2009
Blackberry
Source: McAffeeDLP Overview
Copyright 2008 – Seccuris Inc.
35. 35
Application Data Loss Channels
Data Loss Controls to consider and review:
Channels
Client Presentation •Role Based Access Controls & Definitions
Server-side Presentation
•Role & Access Overrides
Server-side Business Logic
•Logging (Audit & Maintenance)
Server-side Data Logic
•Alerting (Suspicious & Inappropriate Use)
Server-side Data Storage
Remote Data Storage
Server-side Platform
Network
1/12/2009
Client-side Platform
Source: McAffeeDLP Overview
Copyright 2008 – Seccuris Inc.
36. 36
Application Data Loss Channels
Data Loss Controls to consider and review:
Channels
Client Presentation •Encryption
Server-side Presentation
•Data Segmentation
Server-side Business Logic
•Coding & Implementation Errors
Server-side Data Logic
•Data retention & destruction methods
Server-side Data Storage
Remote Data Storage
Server-side Platform
Network
1/12/2009
Client-side Platform
Source: McAffeeDLP Overview
Copyright 2008 – Seccuris Inc.
37. 37
Process Data Loss Channels
Data Loss
Controls to consider and review:
Channels
Creation
•Data Creation & Collection practices
Distribution
•Identification & Labeling
Use & Processing
•Classification & Re-classification
Maintenance
•Privacy & Business Impact Assessments
Archival
Destruction
Recycling
1/12/2009
Source: McAffeeDLP Overview
Copyright 2008 – Seccuris Inc.
38. 38
Process Data Loss Channels
Data Loss
Channels Controls to consider and review:
Creation
•Minimum data protection requirements
Distribution
•Incident Handling & Public Relations
Use & Processing
•Service Levels & Required Reporting
Maintenance
•Awareness & Training for Data Protection
Archival
Destruction
Recycling
1/12/2009
Source: McAffeeDLP Overview
Copyright 2008 – Seccuris Inc.
39. Control Strategies to Assess
Assess current environment controls:
• Current control inventory
• Control usage
• Reporting processes
• Maturity of supporting process
Copyright 2008 – Seccuris Inc.
40. Control Strategies to Assess
Focus on Process Controls
• Data review should be considered for all sensitive
applications (BIA, PIA, TRA)
• Enhanced Response & Mitigation processes should be
created. (Incident Handling, Public Relations)
• Detailed contracts should set expectations for Data
Loss Prevention (SLAs, OLAs)
Copyright 2008 – Seccuris Inc.
41. Control Strategies to Assess
Focus on Technical Controls
• Limit collection, use and retention of data
• Identify & Classify what exists today
• Enterprise Rights Management, IRM / DRM
Copyright 2008 – Seccuris Inc.
42. Moving Forward
• Increase awareness of business risks
• Enhance & justify your DLP strategy
• Prepare for maturing expectations
regarding DLP
Copyright 2008 – Seccuris Inc.
43. Focus on your Data Loss Exposures
Employee Exposures – Reset and management
employee expectations & implement technical control
suites
Application Exposures – Promote architected systems
that can prevent and mitigate unforeseen DLP scenarios
Process Exposures – Enhance traditional records
management strategies to prevent, detect, mitigate and
respond to data loss issues.
Copyright 2008 – Seccuris Inc.
44. Understanding the DLP priorities that
exist in your organization and
preparing effective mitigating strategies
is foundational to any successful
information security program today
Copyright 2008 – Seccuris Inc.
45. Thanks
Michael Legary, CSA, CISSP, CISM, CISA, CCSA, CPP, GCIH, PCI-QSA
Founder & CIO
Seccuris Inc.
Email: Michael.Legary@seccuris.com
Direct: 204-255-4490
Main: 204-255-4136
Fax: 204-942-6705
Copyright 2008 – Seccuris Inc.