Last month, one of the topics of my blog post was cybercrime
motivation, and one of the motivators discussed was competitive advantage.
This motivator is usually associated with expert attackers who are trying
to exfiltrate either company blueprints or personal information of the company’s personnel.
“One of the scariest parts of the massive cybersecurity breaches at the Office
of Personnel Management just got worse: The agency now says 5.6 million
people's fingerprints were stolen as part of the hacks” (Peterson, 2015).
5.6 million people! That is indeed a scary number. How
did the attackers manage to get the data out of the OPM network without raising
any flags? I am hard pressed and concerned that a government agency of that magnitude
does not have safeguards in place to protect its confidential information from
ending up in the wrong hands.
So how do we (attempt to) mitigate data loss?
Data Protection (Data Loss Prevention - DLP)
DLP is a technology that is used to prevent both the
intentional and unintentional loss or leakage of information that should not
leave a specific network or be disclosed to unauthorized parties. Detective
controls alone cannot stop the loss of data. Although companies put policies and
procedures in place, there is no telling how closely these guidelines are actually
followed. Having preventive controls like a DLP solution can assist a company
in enforcing the policies (Kanagasingham, 2008). Some of these policies could
include who is allowed to handle what data, how that data is to be handled,
and what systems should be in place to aid in the transmission, usage and
storage of that data.
To protect data, we first need to understand what the data
is and what state it is in. The individuals assigned responsibility for
the data need to define the data. Some questions to ask include:
What type of data is being protected?
Where should the data reside and where should it not?
Who is granted access to this data?
What policies (like acceptable use) are in place for this data?
When designing solutions, the data states need to be
accounted for. The different states of data are:
Data at rest – data saved on file servers, computer hard drives, portable drives, offsite backups etc.
Data in motion – data being transmitted, e.g. through email, through web traffic etc.
Data in use – active data that resides in volatile memory (RAM) and is prone to changes, e.g. databases, open spreadsheets etc.
Solutions
1. Training
This is a key component of attempting to mitigate the possibility
of a user inadvertently exposing data or coming into unauthorized contact with data.
With regular reminders, employees are able to adopt best practices when
handling data.
2. Defining policies
Policies act as guidelines and can be used as a legal
document if the laid-out policies are breached intentionally. A policy that can
be adopted to prevent data loss is classification of data, with banners
attached to all documents. Before any document is accessed, an organization can
have banners pop up with wording that warns users of the nature of the data and
its classification. This can serve as a reminder to users to
be more careful when handling data and also act as a deterrent, since the banner
can be used as legal evidence that the users were notified of the company’s
data handling policies prior to their access to it. If the user breaches the
policy, they can be held accountable.
3. Incident response plans
Human error is inevitable and organizations need to
prepare for when an incident occurs. A team that will be responsible for
putting a cap on any data breaches should be in place. Planning for the worst
can help prepare the organization and also aid in efficiently mitigating the repercussions
that may come from data loss or data leakages.
4. Technology for monitoring data
Having policies and contingency plans may not be enough
if there are no technologies in place to stop the potential loss or leakage of
data. Some technologies to adopt may include pattern matching or data matching that
can catch specific data like SSNs or credit card numbers leaving the network. Another option can
be to watermark documents in order to prevent copyright breaches. Scrubbing of devices
should also take place, as users can store data on their local workstations or
laptops for later use or, in the case of a rogue employee, for offline data exfiltration.
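A sketch of the pattern matching described above, as an added example that is not from the original post or any DLP product: it finds SSN and card-number candidates in outbound content, validates them to cut false positives, and masks the hits so the DLP log does not become a second copy of the data. The function names and the sample message are constructed for illustration, and only separator-delimited SSNs are matched.

```python
import re

# Loose candidate patterns; each hit is validated before it is reported.
# Assumption: SSNs appear with '-' or ' ' separators (bare 9-digit runs are skipped).
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ])(\d{2})\2(\d{4})(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject values that are never issued: area 000/666/9xx, group 00, serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def scan(text: str) -> list[tuple[str, str]]:
    """Return (type, masked value) for every validated hit in the text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("CARD", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_ok(m.group(1), m.group(3), m.group(4)):
            hits.append(("SSN", "***-**-" + m.group(4)))
    return hits


# Constructed outbound message: one test card number, one well-formed SSN,
# and two look-alikes (impossible SSN area, card number failing Luhn).
SAMPLE = ("Invoice: card 4111 1111 1111 1111, SSN 123-45-6789, "
          "ref 000-12-3456, order 4111111111111112")

if __name__ == "__main__":
    for kind, masked in scan(SAMPLE):
        print(kind, masked)
```

The same check can sit in a mail gateway or web proxy hook for data in motion, or run over file shares for data at rest.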
Conclusion
Data loss prevention is one of the toughest elements of
Information Security. Totally eliminating the prospect of data loss or leakage
is a myth, as it is impossible to be 100% secure, but adopting the solutions outlined
above can help mitigate the risk. Organizational commitment is needed from the
top down and policies should be used to emphasize this organizational goal. The
Information Security team should note that one solution may not necessarily
apply to all scenarios and they should also be aware that some solutions may
handicap the business if aggressively implemented. There needs to be a balance
between control and business continuity. Testing and constant reviews should be
a routine occurrence to evaluate efficiency of the checks and balances in
place.
References:
Peterson, A. (2015, September 23). OPM says 5.6 million fingerprints stolen in cyberattack, five times as many as previously thought. Retrieved January 17, 2016, from The Washington Post website: https://www.washingtonpost.com/news/the-switch/wp/2015/09/23/opm-now-says-more-than-five-million-fingerprints-compromised-in-breaches/
Kanagasingham, P. (2008, August 15). Data Loss Prevention (J. C. Bambenek, Ed.). Retrieved January 17, 2016, from SANS.org website: https://www.sans.org/reading-room/whitepapers/dlp/data-loss-prevention-32883
Thank you for the good explanation.
I think when it comes to data security, especially if it is related to business documentation, there should be a really good secure data room involved. Data loss may have a very high price in the business world.
This can often require the purchase of additional equipment, which can cost significantly more than the company's existing storage needs. Browse this site to get more ideal details about Virtual Data Rooms