Critical Control 15: Data Loss Prevention
Last Updated: 2011-10-21 20:46:47 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
Ever wondered if events like wikileaks are pertaining only to government agencies or large companies? Information is a precious commodity. Many institutions regardless of its size have information of interest to many people and those people are willing to pay large sums of money for it or even make major criminal acts to get it.
How can anybody get access to information in an unauthorized manner? There are attackers at all times seek to exploit the vulnerabilities of information systems, but there are also users that, once they have been authorized to access a specific information asset, may have unrestricted access to the information and carry out actions such as copy and steal through removable storage media, email, dropbox, among others.
This means it is necessary to place a type of controls that allow the user has been authorized to access the information to manipulate it in the terms allowed by the information asset classification. This is known as Data Loss Prevention (DLP). Under what criteria can we classify information? We can use the classic: Confidentiality, integrity and availability, and can also add other important as traceability and non-repudiation. Traceability is the property of information that helps determine the operations performed on it at all times and non-repudiation is the feature that ensures that a transaction has been for the person whose user ID made and no other. Depending of the classification on each variable, the operations allowed to the information asset can be defined as read only, e-mail transmission, shared resource copy, among many others.
Data Loss Prevention Software allows monitoring of the following:
- Data in motion: When you have a network security perimeter in place, just before traffic reaches the firewall you can put the DLP device to monitor incoming and outgoing traffic and then realize which users are violating information security rules by performing unauthorized transmission of information assets.
- Data at rest: Information Assets are stored into servers located inside datacenters. DLP software can be installed into servers to learn about sensitive information stored in unsecure locations as open windows shares and unencrypted storage devices.
- Data in use: DLP software can be installed in endpoint devices to control the transmission of information assets like instant messaging, desktop e-mail clients and web transmissions.
DLP implementations are very challenging because of information identification. If information is not correctly identified, false positives arises and can be very painful as they can stop the information flow inside the whole company. That is why you should perform several accuracy tests with the information asset classification and solve problems before deploying.
Please keep in mind that business needs are first and needs to be satisfied. You cannot implement controls that will make the company operation slow and painful. Check the control 15 implementation tips for more information.
Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org