V. Hardening Steps for Data Leakage Prevention - Implementation

by JUCC ISTF
/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */ 
 
 
A comprehensive DLP solution is usually a combination of Network DLP, Endpoint DLP and Embedded DLP components together with an employee training programme. The following techniques and processes help to mitigate data leakage threats:

1. Secure Content Management

This technique is often used by Network DLP to analyse the traffic passing through a specific gateway within a university. It examines the content of the messages and looks for specific keywords, patterns or fingerprints (i.e. hashes of data at rest) that may belong to sensitive data. Examples are:

  • Keywords such as "Confidential", "Restricted" and "Internal Only"

  • Regular expressions that match a specified data format, e.g. 1 character followed by a 7-digit sequence could indicate a Hong Kong identification card number

  • Outbound files that match the stored data fingerprints (i.e. hash values)
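The three checks above can be combined into one content inspector. The following Python sketch is an added example, not part of the original newsletter; it goes slightly beyond the text by validating the mod-11 check digit of each identity card candidate to cut false positives, and the function names and sample message are constructed for illustration.

```python
import hashlib
import re

# Keywords taken from the article; matched case-insensitively.
KEYWORDS = ("Confidential", "Restricted", "Internal Only")
# The article's format: 1 character followed by a 7-digit sequence.
HKID_RE = re.compile(r"\b([A-Z])(\d{7})\b")


def hkid_checksum_ok(letter: str, digits: str) -> bool:
    """Mod-11 check for a single-letter HKID whose last digit is the check digit."""
    # Weights 9..1 over: blank prefix (value 36), letter (A=10 .. Z=35), 7 digits.
    total = 36 * 9 + (ord(letter) - 55) * 8
    total += sum(int(d) * w for d, w in zip(digits, range(7, 0, -1)))
    return total % 11 == 0


def fingerprint(data: bytes) -> str:
    """Fingerprint of a file at rest: here simply its SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()


def inspect(body: str, attachments: dict, known_fingerprints: set) -> list:
    """Return a list of (rule, detail) findings for one outbound message."""
    findings = []
    for kw in KEYWORDS:
        if re.search(re.escape(kw), body, re.IGNORECASE):
            findings.append(("keyword", kw))
    for m in HKID_RE.finditer(body):
        if hkid_checksum_ok(m.group(1), m.group(2)):
            findings.append(("hkid", m.group(0)))
    for name, data in attachments.items():
        if fingerprint(data) in known_fingerprints:
            findings.append(("fingerprint", name))
    return findings


# Constructed sample data (not from the article).
SENSITIVE_FILE = b"student_id,grade\n1001,A\n1002,B\n"
KNOWN = {fingerprint(SENSITIVE_FILE)}
BODY = ("Internal only: records for A1234563 attached. "
        "Order ref B7654321 is unrelated.")
ATTACHMENTS = {"grades.csv": SENSITIVE_FILE, "menu.txt": b"lunch at 12"}

if __name__ == "__main__":
    for rule, detail in inspect(BODY, ATTACHMENTS, KNOWN):
        print(rule, detail)
```

A whole-file hash only matches byte-identical copies, so an edited or re-compressed file will not trip the fingerprint rule; the keyword and pattern rules remain the backstop in that case.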

2. Embedded DLP in Applications

Many software applications have embedded DLP functionality that provides first-tier protection against unauthorised access to, and copying and printing of, sensitive information. Several frequently used applications are listed below:

  • Microsoft Office users should enable password protection for confidential documents or spreadsheets through "Save As > Tools > General Options > Password to Open"

  • Adobe Acrobat users can go to "Advanced > Security > Encrypt with Password"

  • Microsoft Access users can activate password encryption by going to the "Database Tool" tab and clicking "Encrypt with Password"

3. Thin Client

Universities can consider implementing disk-less thin clients as an Endpoint DLP solution to ensure that only the data users need to do their jobs is released to them. Disabling or removing USB ports from the thin clients will also prevent users from copying sensitive data to removable media. Major vendors of thin client solutions include IBM, HP, SUN, Wyse Technology and NComputing.

4. Restriction on Removable Media

To prevent data from being copied to removable media such as CDs, DVDs, portable hard drives and USB sticks, universities should establish a corresponding policy or standard stating that only authorised personnel are allowed to do so. By default, all computers and laptops should have their CD/DVD writers and USB ports removed or disabled. For laptops from which the CD/DVD writers cannot be removed, universities should uninstall the relevant drivers and software for CD/DVD burning, and monitor for unauthorised installation of burning tools by users.

5. Application Proxy Firewalls

Unlike stateful firewalls that only examine the transport and network layers, application proxy firewalls work on all 7 layers of the OSI model. They strip down the network traffic, re-assemble it and analyse the specific commands or payloads carried by the packets. For example, a university may configure its application proxy firewall to filter the FTP commands "APPEND", "MKDIR" and "PUT" in order to prevent uploading of sensitive data through FTP programs. The university can also use the keyword searching function to examine outgoing e-mails and reject any e-mails containing keywords, regular expressions or patterns of data possibly classified as internal, restricted or confidential.
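The FTP filtering described above, as an added Python sketch that is not part of the original newsletter. The article names the client-side commands; on the control channel they are sent as the RFC 959 verbs APPE, MKD and STOR, which is what the filter matches. The function names, reply text and sample session are assumptions made for illustration.

```python
# Client-side names from the article mapped to the verbs actually sent on the
# FTP control channel (RFC 959): append -> APPE, mkdir -> MKD, put -> STOR.
BLOCKED = {"APPE": "APPEND", "MKD": "MKDIR", "STOR": "PUT"}
REJECT = b"550 Command blocked by policy.\r\n"  # reply text is an assumption


def parse_command(line: bytes):
    """Split one control-channel line into (VERB, argument)."""
    text = line.strip().decode("latin-1")
    verb, _, arg = text.partition(" ")
    # Command verbs are case-insensitive on the wire, so normalise before matching.
    return verb.upper(), arg.strip()


def filter_session(client_lines):
    """Return (decisions, audit): what the proxy does with each client line,
    plus an audit record for every blocked upload attempt."""
    decisions, audit = [], []
    for line in client_lines:
        verb, arg = parse_command(line)
        if verb in BLOCKED:
            decisions.append(("reject", REJECT))  # never reaches the server
            audit.append({"command": BLOCKED[verb], "verb": verb, "target": arg})
        else:
            decisions.append(("forward", line))
    return decisions, audit


# Constructed client-to-server lines (not from the article).
SESSION = [
    b"USER alice\r\n",
    b"RETR syllabus.pdf\r\n",
    b"stor grades.csv\r\n",  # lower case must still be caught
    b"MKD outbox\r\n",
    b"APPE notes.txt\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    decisions, audit = filter_session(SESSION)
    for (action, _), line in zip(decisions, SESSION):
        print(action, line.strip().decode("latin-1"))
    print(audit)
```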

6. Secured Data Transmission via Internet

Universities should also implement a secure method when sensitive data has to be transmitted over the Internet or accessed remotely by authorised external parties. A popular means is to deploy a Virtual Private Network (VPN) with Secure Sockets Layer (SSL) capability, which creates a virtual "tunnel" connecting two endpoints; the network traffic traversing the "tunnel" is encrypted. One popular VPN product is Cisco Easy VPN, which provides various VPN solutions for organisations ranging from small and medium-sized ones to large enterprises.

7. Training and Awareness

As almost half of data leakages are accidental and caused by human negligence, it is critical for university members to have a strong awareness of the acceptable use of information resources and of the necessary preventive measures against data leakage threats and vulnerabilities. The awareness training should typically include the following topics:

  • Classification and Handling of University Information Assets - Before implementing DLP, users must know how to distinguish sensitive data and the respective protection required.

  • Risks and Consequences of Data Leakage - Users should be aware of the risks and serious consequences of leaking sensitive data to unauthorised parties. Examples of the loss of patent secrets or of personal privacy data are recommended for use during the training.

  • Policies and Procedures for DLP - In this section, users are informed of the policies and procedures established by the universities to enforce DLP. The major components include DLP techniques, useful tools approved by the universities, DOs & DON'Ts, reporting and escalation of data leakage incidents.

Summary

The development of networking and mobile computing technologies has posed serious threats to the data security of organisations including universities. As the capabilities of data transmission and storage are being continuously improved nowadays, data leakage incidents may result in more significant damages, diminishing organisations' value and reputations.

In developing DLP solutions, management should consider all types of data (i.e. data in motion, data at rest and data in use) and work closely with IT professionals and general users to determine the user requirements and suitable DLP products.

A comprehensive and effective DLP solution requires the commitment from both the management and general users to carefully determine the system specifications, functional requirements and data coverage, so that the solution can best fit in the university's existing IT infrastructure and operational process and would not introduce inefficiencies and incompatibilities.

 

