Preventing data leakage has generated a lot of discussion. But the focus has been narrow and could leave the door open to bigger threats, says Rik Ferguson.
In 2008-9, when the bigger suppliers in the security industry started getting interested in data leakage prevention (DLP) technologies, opinion, articles and enterprises tended to focus on a relatively narrow spectrum of technology when considering the threat.
Bigger security companies acquired smaller specialist DLP start-ups and niche vendors, the technologies were rebranded and marketed, and customers came to understand the importance and significance of this new toolkit.
But has the industry unintentionally helped to focus the planning of enterprises too narrowly? Data leakage is certainly about the corporate exec who loses a USB stick on a train. It is also about confidential email accidentally sent to the wrong recipient and of course it's about the salesperson, who knows they are up for redundancy, copying your customer database onto a CD. But it's also about so much more.
Protective measures and controls
Misconfigured or poorly secured web applications are one of the biggest channels of leakage. If an attacker can successfully compromise your customer database through a SQL injection attack — perhaps because you forgot to sanitise input, or because you published verbose error messages — they may be able to access your corporate crown jewels.
If your online store uses order numbers in the URL for individual orders, are you letting a hacker guess enough URLs to steal the personal details of all your customers? Preventing these vulnerabilities doesn't call for DLP technology — it calls for web application firewalls and host-based intrusion-protection systems, not to mention secure coding and configuration policies.
Malware is equally focused on information theft. Malicious software has been used in both large and small-scale information theft, from individual infected machines serving as jumping-off points for further infiltration, to the siphoning of credit card data straight from the corporate network for periods as long as 18 months.
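As an added illustration (not code from the article or from Trend Micro), the two web-application failures just described sit side by side with their fixes: a hypothetical order-lookup handler over a constructed in-memory SQLite table, first built by string concatenation with no ownership check, then parameterised and bound to the requesting customer, followed by a simple check over constructed access-log lines that flags a client walking through sequential order numbers.

```python
import sqlite3
from collections import defaultdict


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two customers, one order each (not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1001, "alice", "4242"), (1002, "bob", "1111")])
    return conn


def get_order_vulnerable(conn, order_id: str):
    """Hypothetical 'before' handler: the order id from the URL is concatenated
    straight into SQL and nobody checks who is asking, so any guessed id returns
    another customer's record and unsanitised input reaches the database."""
    return conn.execute(
        "SELECT customer, card_last4 FROM orders WHERE id = " + order_id).fetchone()


def get_order_hardened(conn, session_user: str, order_id: str):
    """Hardened handler: strict input validation, a parameterised query, and an
    ownership check so a customer only ever sees their own order (else None)."""
    if not order_id.isdigit():
        return None
    return conn.execute(
        "SELECT customer, card_last4 FROM orders WHERE id = ? AND customer = ?",
        (int(order_id), session_user)).fetchone()


# Constructed access-log lines (client, method, path): one client walks
# consecutive order numbers, the other fetches a single order.
ACCESS_LOG = [
    "10.0.0.5 GET /orders/1001",
    "10.0.0.5 GET /orders/1002",
    "10.0.0.5 GET /orders/1003",
    "10.0.0.9 GET /orders/1001",
]


def enumerating_clients(lines, threshold: int = 3):
    """Return clients that requested at least `threshold` distinct order ids,
    a cheap signal of URL guessing worth alerting on at the web tier."""
    seen = defaultdict(set)
    for line in lines:
        client, _method, path = line.split()
        if path.startswith("/orders/"):
            seen[client].add(path.rsplit("/", 1)[1])
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)
```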
Most national implementations of the EU Directive on the protection of personally identifiable information as well as most regulatory frameworks for protecting sensitive data call for 'appropriate technology' to be deployed, 'protective measures' and 'controls' to facilitate access to records and minimise the possibility of data leaving the organisation inappropriately. In reality, 'classic' DLP is only a part of these preventative measures.
Encrypted storage and communications
This appropriate technology should also include encrypted storage and communications, particularly of email, and it should include employee education and certification in corporate policies and effective access audit.
Enterprises should also consider vulnerability-shielding technologies. It is unreasonable to expect all patches to be deployed as soon as they are released. Time needs to be dedicated to testing, planning and, of course, to deployment, but this process leaves an important window of vulnerability.
If an enterprise is benefiting from the cost savings offered by cloud-based services — backup, for example — then great thought needs to be given to topping up the baseline security offered by the cloud provider, because the lowest common denominator is a long way from best efforts.
Legal and regulatory compliance are not all that is at stake here. After all, a recent survey of 1,000 people conducted by Harris Interactive in September of this year concluded that 90 percent of customers would not return to a company that had lost their data.
Rik Ferguson is senior security adviser for Trend Micro. He has over 15 years' experience in the IT industry with companies such as EDS, McAfee and Xerox.