Security as a Strategy (SaaS)


Data Loss Prevention Systems: Do you need one?


Data loss prevention (DLP) systems are another form of employee monitoring; they aim to detect the possible transfer, or vulnerable storage, of valuable and sensitive data assets. Reports from Osterman Research indicate that employees who use email also use instant messaging clients and wikis, post to blogs, use personal webmail accounts for business purposes, check email from home, send files through FTP systems, take work home and on the road, use USB thumb drives, transport corporate data on mobile devices, and use collaboration tools of various types.

Most of these communications and files are sent and transported without any monitoring, encryption or oversight. The result is that organizations are deploying a growing array of tools and endpoints to make employees more efficient while, at the same time, creating a growing number of opportunities for information to leak out of the enterprise in unauthorized and potentially damaging ways.

The vast majority of these data breaches are inadvertent, but the opportunity exists for malicious users to send confidential and sensitive data, as well.

According to a survey conducted by Osterman Research during April 2008:

  • 100% of organizations have deployed anti-virus capabilities
  • 99% have deployed anti-spam capabilities
  • 96% have deployed anti-spyware capabilities

However, even using a fairly broad interpretation of data loss prevention (DLP) capabilities, which would include products that don’t provide true DLP functionality, only 49% of organizations have deployed these capabilities.

Clearly, the data above suggests that organizations of all sizes are well aware of the need to monitor their inbound communications for spam and malware. However, they are not nearly as aware of the need to monitor outbound communications, or they are not taking the threat as seriously as they should. This, despite the fact that 27% of organizations in the same survey reported that during the previous 12 months data or information was accidentally or maliciously leaked from their organization.

What should you do?

  • Identify the leak points.
  • Deploy systems that will take appropriate action. Systems that monitor outbound communication should act in proportion to the suspected severity of the data breach.
  • Promote appropriate employee handling of data. For example, if an employee sends an inappropriate message to a co-worker, or a confidential document to a competitor’s domain, the monitoring system should remind the employee of any corporate policies that govern the communications channel they have chosen, or of other relevant corporate policies.
  • Perform the appropriate level of inspection. Content should be inspected according to the applicable policies, taking into account corporate policy, the employee’s role in the organization and other factors.
  • Train and make employees aware of corporate policies.
  • Implement forensics capabilities. Organizations may want to implement forensics capabilities in order to check on how data has been handled after it has been sent, either for legal purposes or simply to understand how its data is being managed.
  • Implement a sender authentication scheme. While not an outbound content scanning mechanism, it is important for any organization to implement an authentication mechanism, such as SPF or DKIM, to ensure that recipients of its emails are given some level of assurance that the sending organization is valid.
  • Integrate tightly with existing infrastructure. To reduce costs, organizations should consider solutions that are well integrated with their IT infrastructure whenever possible. This approach will also speed implementation and lower ongoing administration costs.
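The "act in proportion to the suspected severity" and "inspect according to the employee's role" steps above, as an added example that is not from the post or from Osterman Research: a small outbound-mail policy check in Python that looks for Luhn-valid card numbers and a "confidential" marker in the subject, body and attachment names, weighs the recipient domain against corporate, competitor and approved-processor lists, and returns the action to take. All domains, roles, sample messages and the severity scale are constructed for illustration.

```python
import re
# Constructed policy inputs (hypothetical values for illustration only)
CORPORATE_DOMAIN = "example.com"
COMPETITOR_DOMAINS = {"rival-corp.example"}
APPROVED_PROCESSORS = {"finance": {"processor.example"}}  # role-based exception
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digit card-like runs
ACTIONS = {0: "allow", 1: "allow and remind of policy", 2: "quarantine for review", 3: "block"}

def luhn_ok(digits):
    """Luhn checksum: weeds out order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)    # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text):
    """Return card-like numbers in text (separators removed) that pass the Luhn check."""
    return [p for p in (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
            if luhn_ok(p)]

def classify(msg):
    """Map one outbound message to (severity 0-3, action)."""
    domain = msg["to"].rsplit("@", 1)[-1].lower()
    external = domain != CORPORATE_DOMAIN
    text = "\n".join([msg["subject"], msg["body"], *msg.get("attachments", [])])
    confidential = re.search(r"\bconfidential\b", text, re.I) is not None
    pans = find_pans(text)
    # Only the finance role may send card data, and only to an approved processor
    pan_allowed = domain in APPROVED_PROCESSORS.get(msg.get("role", ""), set())
    if (pans and external and not pan_allowed) or (confidential and domain in COMPETITOR_DOMAINS):
        sev = 3                                # leak to outsider or competitor: stop it
    elif confidential and external:
        sev = 2                                # marked data leaving: hold for a human
    elif pans or confidential:
        sev = 1                                # internal or approved destination: remind
    else:
        sev = 0
    return sev, ACTIONS[sev]

SAMPLES = [  # constructed sample outbound messages
    {"to": "carol@rival-corp.example", "subject": "Roadmap", "body": "CONFIDENTIAL draft attached", "attachments": ["roadmap.pdf"]},
    {"to": "ops@partner.example", "subject": "Refund", "body": "Card 4111 1111 1111 1111, please refund", "role": "support"},
    {"to": "ap@processor.example", "subject": "Batch", "body": "4111-1111-1111-1111", "role": "finance"},
    {"to": "dave@example.com", "subject": "Order 1234567890123", "body": "order ref only, no card data"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m['to']:28} -> {classify(m)}")
```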

Top 7 Threats to Cloud Computing – Part 2

The Cloud Security Alliance released a report on the top security threats to cloud computing. In Part 1 of this blog we reviewed the top 7 threats. In this installment, Part 2, we review the remedial steps you can take to reduce your risk profile.

Threat #1: Abuse and Nefarious Use of Cloud Computing

Remediation

  • Stricter initial registration and validation processes
  • Enhanced credit card fraud monitoring and coordination
  • Comprehensive introspection of customer network traffic
  • Monitoring public blacklists for one's own network blocks

Threat #2: Insecure Interfaces and APIs

Remediation

  • Analyze the security model of cloud provider interfaces
  • Ensure strong authentication and access controls are implemented in concert with encrypted transmission
  • Understand the dependency chain associated with the API (application program interface)

Threat #3: Malicious Insiders

Remediation

  • Enforce strict supply chain management and conduct a comprehensive supplier assessment
  • Specify human resource requirements as part of legal contracts
  • Require transparency into overall information security and management practices, as well as compliance reporting
  • Determine security breach notification processes

Threat #4: Shared Technology Issues

Remediation

  • Implement security best practices for installation/configuration
  • Monitor environment for unauthorized changes/activity
  • Promote strong authentication and access control for administrative access and operations
  • Enforce service level agreements for patching and vulnerability remediation
  • Conduct vulnerability scanning and configuration audits

Threat #5: Data Loss or Leakage

Remediation

  • Implement strong API access control
  • Encrypt and protect integrity of data in transit
  • Analyze data protection at both design and run time
  • Implement strong key generation, storage and management, and destruction practices
  • Contractually demand providers wipe persistent media before it is released into the pool
  • Contractually specify provider backup and retention strategies

Threat #6: Account or Service Hijacking

Remediation

  • Prohibit the sharing of account credentials between users and services
  • Leverage strong two-factor authentication techniques where possible
  • Employ proactive monitoring to detect unauthorized activity
  • Understand cloud provider security policies and SLAs

Threat #7: Unknown Risk Profile

Remediation

  • Disclosure of applicable logs and data
  • Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.)
  • Monitoring and alerting on necessary information

Do We Still Need Employee Monitoring Software?

Several years ago software that monitored employee use of the Internet was big news. We heard how thousands of workers, on company time, visited pornographic sites, downloaded music and videos or just spent inordinate amounts of time surfing the web.

Sexual harassment cases and lawsuits came up when people saw offensive material on their co-workers' computers. Bandwidth charges were going up and network performance was going down. In addition, statistics said that over 87% of hacking incidents and confidential data losses came from company insiders. Workers just couldn't be trusted.

The question is: has the situation evolved? While there are more restrictions, guidelines and penalties for inappropriate use of company assets and handling of confidential materials, has employee behavior changed? And therefore, do we still need surveillance software for our employees? The answers are no and yes, respectively: behavior hasn't changed, and we still need monitoring software.

Recent surveys indicate a majority of employers monitor their employees. They are motivated by concern over litigation and the increasing role that electronic evidence plays in lawsuits and government agency investigations.

Internet monitoring software has now evolved into larger security and surveillance suites. You can monitor and trace employees' use of e-mail, the Internet, computer files, keystrokes, chats in all popular instant messengers, and logins and logouts, as well as use "shadow copy", which allows network administrators to create copies of files that workers transfer to USB devices.

Solutions include the following:

Record logging: record everything from keystrokes, websites visited, FTP downloads and P2P downloads to screen captures of what is on a user's computer

Email Logging: emails sent and received as well as attachments and Instant Messenger discussions can be monitored and recorded

Internet Filters: block ports on your network servers normally accessed by certain Internet protocols, as well as specific websites, bulletin boards, P2P downloads, foreign languages, and content using keyword filters

Anti-spyware/anti-virus: block downloads which are identified as potentially harmful as well as viruses, worms, malware, spam, drive-by downloads and phishing attacks

While most transgressions in the workplace are committed by a few, the impact on the organization of a single breach of trust could be great. Therefore we continue to monitor, safeguarding the halls of our institutions.

What Has the Heartland Systems Data Security Breach Taught Us and is PCI Compliance Enough?


Heartland Security Systems has been slow to release detailed information about its data breach, but we know that after being notified by VISA about a high number of fraudulent transactions, it took them at least two weeks to find the source of the problem: malware. More specifically, a Trojan with the ability to sniff data on its network systems. What's significant is that the hackers targeted the sensitive magnetic stripe data as it was being transmitted, not information stored in a database. After all, since one of the core requirements of PCI is that magnetic stripe data must not be stored, where else can hackers get it, right?

According to released reports, Heartland invested in the security products and audit processes required to comply with the Payment Card Industry Data Security Standard (PCI/DSS), but this did little to thwart a serious exposure of consumer credit card data or to help them identify that they had been compromised.

For the longest time, security professionals touted PCI/DSS as a reasonable level of care to keep a business handling this sensitive data from being compromised. I believe it has helped tighten security in a lot of ways, but at the same time I also believe it has given a somewhat false sense of security to many CEOs and corporate security decision makers. PCI compliance does reduce the risk of security incidents, but it in no way guarantees that an organization is secure. The fact that the attack on Heartland was only discovered after a high rate of fraudulent transaction complaints is proof that PCI/DSS compliance alone is not enough to secure an organization, nor does it guarantee that a Heartland-style data breach will not happen again. It took experts several weeks to find the attack, even with advance knowledge that the malicious code was alive on the network.

PCI's preventive measures could not thwart the attack, and the manual audit that was performed took weeks to discover the malicious code.

Are hackers just as bold as ever because corporations have been lulled into a false sense of security by regulations like PCI? 

I say yes… but bear in mind that it is impossible to create an environment where you are 100% protected from a data breach. Unfortunately, without great advancements in technology, data breaches are going to continue for the near future. What's important is how you respond, how you detect, and how you manage and mitigate the risk.

In my opinion, the best proactive protection against data breaches is proper employee training and education, together with implementation of robust security tools on an ongoing basis.
