Stop the Flood: Keeping Sensitive Data in Your Environment

By Sonny Discini
June 1, 2009


It doesn't take much to get negative attention these days. Lose one file containing sensitive data, and your organization's name is almost certain to be all over the evening news.

To protect against data and information leakage, organizations must address both the internal threats posed by unauthorized copying of information to portable storage devices and the external threats that arise from malicious software downloads.

Now, before we go any further, it's important to know that there is no single solution or magic bullet. In fact, it is virtually impossible to completely mitigate data extrusion vectors. That said, there are things you can do to "stop stupid" and also ensure compliance with regulations such as Sarbanes-Oxley (SOX), HIPAA, Gramm-Leach-Bliley (GLB) and Payment Card Industry (PCI).

The first thing you must do is cover the basics and gain an understanding of what exactly is going on in your environment. To gain this understanding, ask yourself the following:

  • Have we created good, structured segmentation?
  • Do we have an understanding of what types of traffic should flow into and out of each segment?
  • Do we have adequate visibility via monitoring and statistical analysis of NetFlow data?

The answers to these preliminary questions provide a solid inroad toward understanding what information is traversing or leaking out of your environment. They also provide context, which is one of the most important elements of security decision making.

Let's assume the above paragraph is covered. The next thing organizations usually turn to is a point solution. While there is no vendor to cover everything, organizations usually turn to those that specialize in SMTP, HTTP, FTP and a variety of instant messaging applications.

Another technique used on the network side of the equation is egress filtering. The biggie with regard to extrusion detection is which ports are allowed egress at the perimeter. If you are serious about stopping information from leaking out, you must enforce policy on which ports you allow egress; then you must have a way to apply policy to what is traveling egress on those ports. Your culture regarding what is considered "acceptable use" will drive the solution. If your culture is open, you are going to have a much more difficult time providing protection. If you know specifically which ports are allowed egress and can make that a more finite picture, then you have a better hold on things.
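As an added illustration (not part of the original article), the sketch below audits exported flow records against a per-segment egress port policy and also flags unusually large transfers on ports that are allowed. The segment names, CIDR ranges, allowed ports, byte threshold and flow records are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Assumed policy: internal ranges, segment CIDRs and allowed egress ports are illustrative.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
}
ALLOWED_EGRESS = {
    "workstations": {("tcp", 80), ("tcp", 443)},
    "servers": {("tcp", 25), ("tcp", 443)},
}
BYTE_LIMIT = 50_000_000  # assumed per-flow review threshold on allowed ports

# Constructed sample flow export: src,dst,proto,dport,bytes
SAMPLE_FLOWS = """\
10.10.4.21,203.0.113.10,tcp,443,18200
10.10.4.21,198.51.100.7,tcp,21,7340000
10.20.1.5,203.0.113.25,tcp,25,90500
10.20.1.9,198.51.100.44,tcp,443,734000000
10.10.9.2,10.20.1.5,tcp,445,120000
172.16.3.3,203.0.113.10,tcp,443,900
"""

def segment_of(ip):
    return next((name for name, net in SEGMENTS.items() if ip in net), None)

def audit(flow_text):
    """Return (src, dst, (proto, port), reason) for each perimeter egress policy hit."""
    findings = []
    for row in csv.reader(io.StringIO(flow_text)):
        if not row:
            continue
        src, dst, proto, dport, nbytes = row
        if any(ipaddress.ip_address(dst) in net for net in INTERNAL):
            continue  # internal destination: not perimeter egress
        seg = segment_of(ipaddress.ip_address(src))
        key = (proto, int(dport))
        if seg is None:
            findings.append((src, dst, key, "source not in any defined segment"))
        elif key not in ALLOWED_EGRESS[seg]:
            findings.append((src, dst, key, f"port not allowed egress from {seg}"))
        elif int(nbytes) > BYTE_LIMIT:
            findings.append((src, dst, key, "allowed port, volume over review threshold"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

The third finding type matters as much as the second: a source address that maps to no defined segment means the segmentation picture itself is incomplete.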

Routing is another good way to manage data flows. A default routing scheme allows you to manage filtering much more efficiently and adds resiliency to your environment. This has a side benefit that deals with malware and other types of malicious behavior.

At the workstation level, disk encryption and port management are two cornerstone approaches to data extrusion protection. Most organizations use a vendor-supplied solution for laptop disk encryption. There are many choices out there, so conduct your due diligence when looking at these solutions.

Port management deals with removable media, such as USB drives. Most places try to use group policy with Active Directory; however, this doesn't cover Unix hosts, which are at least as likely to have sensitive data. Let's also point out that there are many freely available tools that circumvent controls. One example is Hak5's Switchblade tool. Just be aware that if the motivation is there, even a sound data extrusion architecture can be thwarted.

Also bear in mind that some devices that have become commonplace in IT environments were not even a consideration a few years back: smartphones with Wi-Fi, iPhones, portable MP3 players and so on. These devices pose a huge threat to your organization. They can carry data in and out of your environment, drop malware, photograph information and physical environments, and take alternate network routes out of your organization, among many other vectors. To date, the only effective response I've seen to these devices is to ban them from your environment. Even with this response, however, people can (and do) sneak these items in, given the small form factor of the devices.

Considering all of these things, the takeaway here is to understand your environment, deploy a good solid data extrusion architecture based on this understanding, and be sure the organization can respond on the fly to new vectors, such as the new mobile computing devices mentioned. The most important thing to understand is that there is no single solution, and you'll never be able to fully mitigate this risk.

However, like anything else, you can reduce the risk to acceptable levels to conduct business, which, at the end of the day, is what this is all about.
