Data Loss Prevention

Tuesday, 26 January 2010

Operation Aurora analysis

A week later, "Operation Aurora," which I discussed in detail here, is still the most important IT security story. PC Magazine provided additional details here.

Early in the week it appeared that the exploit took advantage of a vulnerability in Internet Explorer 6, the version of Microsoft's browser originally released on August 27, 2001. Larry Seltzer blogged about Microsoft's ridiculously long support cycles demanded by corporate customers. Why any organization would allow the use of this nine year old browser is a mystery to me, especially at Google!!

Later in the week, we found out that the exploit could be retooled to exploit IE7 and IE8.

In conclusion, let me restate perhaps the obvious point that a defense-in-depth security architecture can minimize the risk of this exploit:

  • Next Generation Firewall
  • Secure Web Gateway
  • Mail Server well configured
  • Desktop Anti-malware that includes web site checking
  • Latest version of browser, perhaps not Internet Explorer
  • Latest version of Windows, realistically at least XP Service Pack 3, with all patches
  • Database Activity Monitoring
  • Data Loss Prevention
  • Third Generation Security Information and Event Management

Posted at 08:17 AM in Advanced Persistent Threat (APT), Breaches, Data Loss Prevention, Database Activity Monitoring, Malware, Next Generation Firewalls, Phishing, Secure Browsing, Security Information and Event Management (SIEM) | | Comments (0) | TrackBack (0)

Technorati Tags:

Wednesday, 30 December 2009

DLP Administration Requirements & Security/Compliance Portfolio Management

Dark Reading's December 21, 2009 article, 4 Factors To Consider Before Firing Up that DLP Solution provides welcome insight into the administration requirements of DLP systems. Too often, the press just hypes the latest security solution types (think NAC in 2006 and 2007; where is Cisco's TrustSec?). While DLP is surely not new, this type of article is still refreshing.

The four factors described are:

  1. Policy - Initial creation and/or customization, ongoing modification
  2. Data Discovery - Initial and ongoing configuration of data identification algorithms
  3. Integration - e.g. ICAP, email, encryption
  4. Administration - Alert Adjudication

The article says that the amount of administrative work is a function of "the size of your organization and the level of deployment." I would add a third - the product you select.

Actually, all security products require at least Policy Management, Integration, and Alert Adjudication. Therefore when considering adding a new security/compliance solution type, review your overall security/compliance portfolio and consider consolidation opportunities as a way to control administration costs.

While the major security vendors have been acquiring and integrating additional functionality for years, start ups have been coming to market with innovative approaches to unifying functions designed and built from the ground up. Next generation firewalls, as described by Gartner, comes to mind.

Posted at 04:33 PM in Data Loss Prevention, Security/Compliance Portfolio Management | | Comments (0) | TrackBack (0)

Technorati Tags:

Tuesday, 24 November 2009

Massive T-Mobile UK trade secret theft perpetrated by insider

Last week T-Mobile UK admitted to the theft of millions of customer records by one or more insiders. These customer records which included contract expiration dates were sold to T-Mobile competitors or third party brokers who "cold called" the T-Mobile customers when their contracts were about to expire to get them to convert.

While this is a privacy issue from the customer perspective, from T-Mobile's perspective it's also theft of trade secrets.

And this is about as basic as theft of trade secrets gets. According to the article in the Guardian, in the UK this type of crime is only punishable by fine, not jail time, although the Information Commissioner's Office "is pushing for stronger powers to halt the unlawful trade in personal data..."

So if you steal a car, you can go to jail, but if you steal millions of customer records, you can't. Clearly the laws must be changed. Or, not being a lawyer, I am missing something.

Based on some research I've done, the same is true in the United States, i.e. no jail time. Here are some good links that cover trade secret law in the US:

Regardless of the laws and their need for change, organizations must invest in trade secret theft prevention appropriate to the associated level of risk.

Let's take a look at the components of Risk - Threat, Asset Value, Likelihood and Economic Loss -  in the context of trade secret theft.

The overall Threat is increasing as the specific methods of theft of digital Assets constantly evolve. Economic loss, depending on the Value of the trade secret Asset, can range from significant to devastating, i.e. wiping out much or all of an organization's value.

It's hard to imagine the Likelihood of theft of any trade secret in digital form could ever be rated as low. Unfortunately we do not have well accepted quantitative metrics for measuring the degree to which administrative and technical controls can reduce Likelihood.

Therefore trade secret theft risk mitigation is really a continuous process rather than a one time effort. New threats are always appearing. New administrative and technical controls must constantly be reviewed and where appropriate implemented in order to minimize the risk of trade secret theft.



Posted at 07:26 PM in Breaches, Data Loss Prevention, Trade Secrets Theft | | Comments (0) | TrackBack (0)

Technorati Tags:

Monday, 26 October 2009

Social Networking's Promise and Peril

NetworkWorld has an interesting article today on the perils of social networking. The article focuses on the risk of employees transmitting confidential data. However, it's actually worse than that. There are also risks of malware infection via spam and other social engineering tactics. Twitter is notorious for its lax security. See my post, Twitter is Dead.

Blocking social networks completely is not the answer just as disconnecting from the Internet was not the answer in the 90's. Facebook, Twitter, and LinkedIn, among others can be powerful marketing and sales tools.

The answer is "IT Security 2.0" tools that can monitor these and hundreds of other web 2.0 applications to block incoming malware and outgoing confidential documents.

Posted at 05:48 PM in Application Security, Data Loss Prevention, IT Security 2.0, Network Security, Risk Management, User Activity Monitoring | | Comments (0) | TrackBack (0)

Technorati Tags: ,

Friday, 09 October 2009

Cloud-based Data Leak Detection complements Data Leak Prevention - Monitoring P2P Networks

Can you imagine your Data Leak Prevention system not being perfect? Is there value in a service that scans P2P networks looking for leaked data that eluded your Data Leak Prevention (DLP) controls?

Tiversa offers such a service. In an example of the value of their service, according to a Washington Post article, they claim that "the personal data of tens of thousands of U.S. soldiers - including those in the Special Forces - continue to be downloaded to unauthorized computer users in countries such as China and Pakistan..."

On a separate, but possibly related note, there was an Ars Technica article last last week on a bill working its way through Congress called the "Informed P2P User Act." From the Ars Technica article:

"First, it requires P2P software vendors to provide "clear and conspicuous" notice about the files being shared by the software and then obtain user consent for sharing them. Second, it prohibits P2P programs from being exceptionally sneaky; surreptitious installs are forbidden, and the software cannot prevent users from removing it."

It's clear that P2P represents risks that can be reduced by both technical and legal means.


Posted at 09:26 PM in Breaches, Data Loss Prevention, IT Security 2.0, Privacy | | Comments (0) | TrackBack (0)

Technorati Tags: , ,

About

Subscribe to this blog's feed

Recent Posts

My Favorite Books on Risk and IT Security