Protecting Your Organization’s Reputation – Part 3

Welcome to Part 3 of the multi-part series on “Protecting Your Organization’s Reputation”, where we’ll be focusing on the area of Data Loss and Leakage Prevention.

As discussed in the previous installment, sender verification, anti-spoofing and message signing (digital signature) technologies/controls are a great first step, but they still don’t protect you from malware and other types of social engineering and exploits. This is where data loss prevention (DLP) and data leakage prevention (DLP) policies, controls and tools come into play. Notice that these are both called DLP, but mean different things. I know some will argue that this is just semantics, but I think this really needs to be differentiated.

You can lose data and not leak it.  You can leak data and not lose it.  Or, you can do both.  So, let’s name this as Data Loss and Leakage Prevention (DLLP), if you are doing both.

Data Loss and Leakage Prevention

Data Loss Prevention

What is Data Loss? Data Loss, quite simply, is when you no longer have access to your data, usually because of deletion or corruption. Now, many vendors will tout their Data Loss Prevention (DLP) solutions and will take offense to what I say next, but what they are really offering is Data Leakage Prevention. Data Loss Prevention protects your data/information from being rendered inaccessible or unusable due to: permanent deletion; partial deletion; unauthorized/malicious updating/encrypting; or disaster, either natural or man-made. In the event that these preventative measures fail, a Data Loss Prevention plan should also provide measures for recovering that data/information.

There are a variety of preventative measures, based on the likelihood and severity of the event, that can be implemented. But in the end, nothing beats a good backup strategy, local or cloud, regardless of where your data/information resides. In addition to a good backup and recovery strategy, there are high-availability solutions (e.g. clustering, fail-over, replication) for sites, services, servers and files. There are permissions and rights management controls to protect from accidental or intentional updating or deleting of data.

Data loss can be intentional or unintentional. It can range from a simple unintended overwrite of a file, to deletion of an entire folder structure or database table, to a malicious attack by a disgruntled employee or a piece of malware. The data loss could be temporary or permanent, depending on what controls are in place.

All of this should be considered in a much larger Disaster Recovery and Business Continuity plan. Forty percent of businesses do not reopen after a disaster and another 25 percent fail within one year according to the Federal Emergency Management Agency (FEMA).

Here are some things that can be used to help protect you from data loss:

  • Disaster Recovery and Business Continuity Plan
  • Server and client updates/patching
  • Site fail-over with Secondary Data Centers
  • Server/Database Clustering/fail-over
  • File/Database/Storage Replication
  • File/Database Permissions (DACLs/ACLs) applied with the concept of Least Privilege in mind
  • File Version Control/History
  • Information Rights Management (file controls that go above and beyond what is done with traditional file permissions)
  • Intrusion Detection and Prevention Systems (IDPS)
  • Anti-Malware on servers and clients
  • Last but not least, Backup and Recovery

Data Leakage Prevention

What is Data Leakage? Data Leakage is when data/information that was not intended to be seen or used by anyone other than the intended parties has been. This could be customer credit card information, employee SSNs, patient PHI, corporate financial information, proprietary data, legal counsel correspondence, user ids/passwords, etc.; anything that could be used to get more information or could cause financial harm to a company, its employees, its customers or its partners.

Data leakage can be either intentional or unintentional but, depending on the data/information, it can be equally damaging. It can happen in a variety of ways: social engineering, phishing (as mentioned in a previous installment, spear phishing scams are on the rise), viruses and malware, an employee or partner simply copying the wrong person(s) on an email, internal users having access to files/data not necessary for their job function, etc.

Most organizations have no document classification policy, which makes it harder to identify/control information.  Simply placing a file in a “protected” folder is not enough.  They have no classifications on emails to help determine what should not go outside the organization. They have no encryption to protect sensitive information that must travel outside the organization. They have no ongoing security awareness training programs. These organizations are ripe for Data Leakage.

You’ll see a few overlaps with Data Loss Prevention, but here are some things that can be used to help protect you from Data Leakage:

  • E-mail/File/Database Encryption (quite often overlooked)
  • E-mail/File/Database Auditing
  • E-mail URL rewrite protection
  • Information Rights Management (certificate-based security)
    • Who can access, send, print, modify a file or e-mail
    • Who can forward a specific e-mail and to whom an e-mail can be forwarded
    • Whether it can be accessed by users outside the organisation (customers and partners)
  • Intrusion Detection and Prevention Systems (IDPS)
  • File/Database Permissions (DACLs/ACLs) applied with the concept of Least Privilege in mind
  • Anti-Malware on servers and clients
  • Last but not least, a Security Program and Training Plan covering
    • Compliance (PCI, HIPAA, SOC, etc.)
    • Social engineering attacks
      • Phishing, Impersonation, etc…
    • Physical Security
    • Viruses/Malware
    • Passwords
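The list above leans on classification and auditing, and the leakage section earlier names credit card numbers and employee SSNs as the kind of data that walks out the door. As an added illustration (not code from the original post), here is a small outbound content inspector of the sort a DLP policy engine runs: it finds candidate card numbers and SSNs, validates them (Luhn check, SSA area/group/serial rules) so that order numbers and similar digit runs are not flagged, masks the hits so the report itself does not leak, and assigns a classification label. The sample message, the label names and the function names are assumptions.

```python
import re
from typing import Dict, List

# Candidate patterns. Regexes alone over-match, so every hit is validated
# (Luhn for card numbers, SSA area/group/serial rules for SSNs) before reporting.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")          # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four characters so the DLP report does not leak the value."""
    return "*" * (len(value) - 4) + value[-4:]

def inspect_message(text: str) -> Dict[str, object]:
    """Scan outbound content; return masked findings and a classification label."""
    pans: List[str] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                 # drops digit runs that are not card numbers
            pans.append(mask(digits))
    ssns = [mask(m.group()) for m in SSN_RE.finditer(text)]
    # Assumed label scheme: "Restricted" content must not leave the organisation unencrypted.
    label = "Restricted" if (pans or ssns) else "Internal"
    return {"label": label, "pans": pans, "ssns": ssns}

# Constructed sample: one valid test PAN, one 16-digit order reference that fails
# Luhn (must not be flagged), and one SSN.
SAMPLE = (
    "Hi Bob, card on file is 4111 1111 1111 1111, order ref 4111-1111-1111-1112. "
    "Employee SSN 123-45-6789 for the payroll form."
)

if __name__ == "__main__":
    print(inspect_message(SAMPLE))
```

A real deployment would feed the returned label to the mail gateway or IRM policy (block, encrypt, or require justification) and log the masked findings for audit.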

Wrap-up

As mentioned at the beginning of this series, this is not intended to be an in-depth exploration of these topics, but hopefully it is a good primer to help you get things started, if you haven’t already. I’ll be expanding on a variety of these topics in future blogs, for a much deeper dive and specific implementations of solutions for protecting your organization’s reputation and information.