Unit - I: Information Security Overview
• Internet Security - measures to protect data during their transmission over a collection
of interconnected networks
Threat
A potential for violation of security, which exists when there is a circumstance,
capability, action, or event that could breach security and cause harm. That is, a
threat is a possible danger that might exploit a vulnerability.
Attack
An assault on system security that derives from an intelligent threat; that is, an
intelligent act that is a deliberate attempt (especially in the sense of a method or
technique) to evade security services and violate the security policy of a system.
PASSIVE ATTACK
A Passive attack attempts to learn or make use of information from the system, but does
not affect system resources.
Two types:
Release of message content
It may be desirable to prevent the opponent from learning the contents (i.e.,
sensitive or confidential information) of the transmission.
Traffic analysis
A more subtle technique, where the opponent could determine the location and
identity of communicating hosts and could observe the frequency and length of encrypted
messages being exchanged, thereby guessing the nature of the communication taking place.
Passive attacks are very difficult to detect because they do not involve any alteration of
the data. As the communications take place in a very normal fashion, neither the sender
nor the receiver is aware that a third party has read the messages or observed the traffic
pattern. So, the emphasis in dealing with passive attacks is on prevention rather than
detection.
ACTIVE ATTACK
Active attacks involve some modification of the data stream or creation of a false
stream. An active attack attempts to alter system resources or affect their operation.
Four types:
Masquerade: Here, an entity pretends to be some other entity. It usually includes
one of the other forms of active attack.
Replay: It involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect.
Modification of messages: It means that some portion of a legitimate message is
altered, or that messages are delayed to produce an unauthorized effect.
Ex: “John’s acc no is 2346” is modified as “John’s acc no is 7892”
Denial of service: This attack prevents or inhibits the normal use or management
of communication facilities.
Ex: disruption of an entire network by disabling it.
Examples:
Wire tapping to capture data in a network.
Illicitly copying data or programs
Eavesdropping
MODIFICATION
When an unauthorized party gains access and tampers with an asset. This is an attack on integrity.
Examples:
Changing data file
Altering a program and the contents of a message
FABRICATION
An unauthorized party inserts a counterfeit object into the system. This is an attack on
authenticity, also called impersonation.
Examples:
Hackers gaining access to a personal email and sending message
Insertion of records in data files
Insertion of spurious messages in a network
SECURITY SERVICES
It is a processing or communication service that is provided by a system to give a
specific kind of protection to system resources. Security services implement security
policies and are implemented by security mechanisms.
Confidentiality
SECURITY MECHANISMS:
According to X.800, the security mechanisms are divided into those implemented
in a specific protocol layer and those that are not specific to any particular protocol layer
or security service. X.800 also differentiates reversible and irreversible encipherment
mechanisms. A reversible encipherment mechanism is simply an encryption algorithm
that allows data to be encrypted and subsequently decrypted, whereas irreversible
encipherment mechanisms include hash algorithms and message authentication codes used in
digital signature and message authentication applications.
SPECIFIC SECURITY MECHANISMS:
These are incorporated into the appropriate protocol layer in order to provide some of the
OSI security services.
Encipherment: It refers to the process of applying mathematical algorithms for
converting data into a form that is not intelligible. This depends on algorithm used and
encryption keys.
Digital Signature: Data appended to, or a cryptographic transformation of, a data unit
that allows the recipient to prove the source and integrity of the data unit and protect
against forgery.
Access Control: A variety of techniques used for enforcing access permissions to
the system resources.
Data Integrity: A variety of mechanisms used to assure the integrity of a data unit
or stream of data units.
Authentication Exchange: A mechanism intended to ensure the identity of an
entity by means of information exchange.
Traffic Padding: The insertion of bits into gaps in a data stream to frustrate traffic
analysis attempts.
Routing Control: Enables selection of particular physically secure routes for
certain data and allows routing changes once a breach of security is suspected.
Notarization: The use of a trusted third party to assure certain properties of a
data exchange.
PERVASIVE SECURITY MECHANISMS:
These are not specific to any particular OSI security service or protocol layer.
Trusted Functionality: That which is perceived to be correct with respect to some
criteria.
Security Level: The marking bound to a resource (which may be a data unit) that
names or designates the security attributes of that resource.
Event Detection: It is the process of detecting all the events related to network
security.
Security Audit Trail: Data collected and potentially used to facilitate a security
audit, which is an independent review and examination of system records and activities.
Security Recovery: It deals with requests from mechanisms, such as event
handling and management functions, and takes recovery actions.
MODEL FOR NETWORK SECURITY
Data is transmitted over a network between two communicating parties, who must
cooperate for the exchange to take place. A logical information channel is established by
defining a route through the internet from source to destination and by the two parties'
use of communication protocols. Security aspects come into play whenever an opponent
presents a threat to the confidentiality or authenticity of the information. Two components
are present in almost all security-providing techniques:
• A security-related transformation on the information to be sent, making it unreadable
by the opponent, and the addition of a code based on the contents of the message, used to
verify the identity of the sender.
• Some secret information shared by the two principals and, it is hoped, unknown to
the opponent. An example is an encryption key used in conjunction with the transformation
to scramble the message before transmission and unscramble it on reception.
A trusted third party may be needed to achieve secure transmission. It is
responsible for distributing the secret information to the two parties, while keeping it
away from any opponent. It also may be needed to settle disputes between the two parties
regarding authenticity of a message transmission. The general model shows that there
are four basic tasks in designing a particular security service:
1. Design an algorithm for performing the security-related transformation. The
algorithm should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security
algorithm and the secret information to achieve a particular security service.
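The four tasks above, worked through as an added Python example (not from the notes): a minimal send/receive protocol in which the transformation is an illustrative keystream cipher derived from SHAKE-256, the code based on the message contents is an HMAC-SHA256 tag, the secrets come from the OS random source, and distribution of the keys by a trusted third party is assumed to have happened out of band. The receiver's checks show how the tag and a sequence number reject the modification ("acc no is 2346" changed to "7892"), replay and masquerade attacks listed earlier; a production system would use a standard AEAD in place of the hand-rolled keystream.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed example (not from the lecture notes). Task 1: the transformation
# is encrypt-then-MAC; the keystream is SHAKE-256 over (key || nonce) XORed
# with the message (illustrative only), and the appended code is an
# HMAC-SHA256 tag over nonce, sequence number and ciphertext. Task 2: keys
# come from secrets.token_bytes. Task 3: key distribution is assumed done out
# of band. Task 4: the protocol is the frame layout plus the receiver's checks.

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32
HEADER = struct.Struct(">Q")  # 8-byte big-endian sequence number


def generate_keys():
    """Task 2: generate the secret shared by the two principals."""
    return {"enc": secrets.token_bytes(KEY_LEN), "mac": secrets.token_bytes(KEY_LEN)}


def _keystream(enc_key, nonce, length):
    return hashlib.shake_256(enc_key + nonce).digest(length)


def seal(keys, seq, plaintext):
    """Sender side: frame = nonce || seq || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(keys["enc"], nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    body = nonce + HEADER.pack(seq) + ciphertext
    tag = hmac.new(keys["mac"], body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Receiver side: verifies the tag, rejects replays, then decrypts."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = -1  # highest sequence number accepted so far

    def open(self, frame):
        if len(frame) < NONCE_LEN + HEADER.size + TAG_LEN:
            return None, "truncated frame"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.keys["mac"], body, hashlib.sha256).digest()
        # Constant-time comparison. An opponent without the MAC key cannot
        # produce a valid tag, so modification and masquerade are rejected here.
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag (modified or forged)"
        nonce = body[:NONCE_LEN]
        (seq,) = HEADER.unpack(body[NONCE_LEN:NONCE_LEN + HEADER.size])
        # A genuine frame captured earlier carries an already-seen sequence number.
        if seq <= self.last_seq:
            return None, "replay (sequence %d already seen)" % seq
        self.last_seq = seq
        ciphertext = body[NONCE_LEN + HEADER.size:]
        ks = _keystream(self.keys["enc"], nonce, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks)), "ok"


def demo():
    """Run the genuine message and the three active attacks from the notes."""
    keys = generate_keys()
    rx = Receiver(keys)
    results = {}
    frame = seal(keys, 1, b"John's acc no is 2346")
    results["genuine"] = rx.open(frame)
    # Modification: flip one bit of the ciphertext in transit.
    i = NONCE_LEN + HEADER.size
    tampered = frame[:i] + bytes([frame[i] ^ 0x01]) + frame[i + 1:]
    results["modified"] = rx.open(tampered)
    # Replay: the same valid frame, captured earlier, delivered again.
    results["replayed"] = rx.open(frame)
    # Masquerade: a party with its own keys cannot produce an acceptable tag.
    results["forged"] = rx.open(seal(generate_keys(), 2, b"John's acc no is 7892"))
    return results


if __name__ == "__main__":
    for name, (msg, status) in demo().items():
        print(f"{name:9s}: {status} {msg!r}")
```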
Various other threats to information systems, such as unwanted access, still exist. The
existence of hackers attempting to penetrate systems accessible over a network remains
a concern. Another threat is the placement of some logic in a computer system that affects
various applications and utility programs. This inserted code presents two kinds of threats.
Some basic terminologies used:
ENCIPHER (ENCRYPT) - converting plaintext to ciphertext
CRYPTOGRAPHY
Cryptographic systems are generally classified along three independent dimensions:
1. The type of operations used for transforming plaintext to ciphertext. All encryption
algorithms are based on two general principles: substitution, in which each element in
the plaintext is mapped into another element, and transposition, in which elements in
the plaintext are rearranged.
2. The number of keys used. If the sender and receiver use the same key, it is said to be
symmetric-key (or) single-key (or) conventional encryption. If the sender and receiver
use different keys, it is said to be public-key encryption.
3. The way in which the plaintext is processed. A block cipher processes the input one
block of elements at a time, producing an output block for each input block. A stream
cipher processes the input elements continuously, producing output one element at a
time as it goes along.
CRYPTANALYSIS
The process of attempting to discover X (the plaintext) or K (the key) or both is known as
cryptanalysis. The strategy used by the cryptanalyst depends on the nature of the encryption
scheme and the information available to the cryptanalyst. There are various types of
cryptanalytic attacks based on the amount of information known to the cryptanalyst.
Cipher text only – A copy of cipher text alone is known to the cryptanalyst.
Known plaintext – The cryptanalyst has a copy of the cipher text and the corresponding
plaintext.
Chosen plaintext – The cryptanalyst gains temporary access to the encryption machine.
They cannot open it to find the key; however, they can encrypt a large number of suitably
chosen plaintexts and try to use the resulting ciphertexts to deduce the key.
Chosen ciphertext – The cryptanalyst obtains temporary access to the decryption machine,
uses it to decrypt several strings of symbols, and tries to use the results to deduce the key.
CVE is maintained by the MITRE Corporation and sponsored by the National Cyber
Security Division (NCSD) of the Department of Homeland Security. The CVE dictionary, a
shared information security vulnerability data list, may be viewed by the public.
In information security,
Items in the CVE list get names based on the year of their formal inclusion and the
order in which they were included in the list that year. CVE helps computer security
tool vendors identify vulnerabilities and exposures. Before CVE, tools had proprietary
vulnerability databases, and no common dictionary existed. The key objective of CVE is
to help share data across different vulnerability databases and security tools.
CVE is used by the Security Content Automation Protocol, and CVE IDs are listed on
MITRE's system as well as the US National Vulnerability Database.
CVE IDENTIFIERS
MITRE Corporation's documentation defines CVE Identifiers (also called "CVE
names", "CVE numbers", "CVE-IDs", and "CVEs") as unique, common identifiers for
publicly known information-security vulnerabilities in publicly released software
packages. Historically, CVE identifiers had a status of "candidate" ("CAN-") and could then
be promoted to entries ("CVE-"), however this practice was ended some time ago and all
identifiers are now assigned as CVEs. The assignment of a CVE number is not a guarantee
that it will become an official CVE entry (e.g. a CVE may be improperly assigned to an
issue which is not a security vulnerability, or which duplicates an existing entry).
CVEs are assigned by a CVE Numbering Authority (CNA);[3] there are three primary types
of CVE number assignments:
CVEs are for software that has been publicly released; this can include betas and
other pre-release versions if they are widely used. Commercial software is included in the
"publicly released" category, however custom-built software that is not distributed
would generally not be given a CVE. Additionally services (e.g. a Web-based email
provider) are not assigned CVEs for vulnerabilities found in the service (e.g. an XSS
vulnerability) unless the issue exists in an underlying software product that is publicly
distributed.
What is the new CVE-ID Syntax?
NOTE: The variable length arbitrary digits will begin at four (4) fixed digits and expand
with arbitrary digits only when needed in a calendar year, for example, CVE-YYYY-NNNN
and if needed CVE-YYYY-NNNNN, CVE-YYYY-NNNNNNN, and so on. This also means there
will be no changes needed to previously assigned CVE-IDs, which all include 4 digits.
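An added Python example (not from the notes) that validates, parses and extracts identifiers under this syntax. The rule that digits beyond the fourth appear only when a year actually needs them is interpreted here as "no leading zero beyond the four fixed digits"; the identifiers used in the demonstration are constructed values, not references to real entries.

```python
import re

# Added example, not from the notes. Syntax: "CVE-", four-digit year, "-",
# then at least four digits. Four digits are zero-padded (CVE-YYYY-0012);
# a longer sequence is assumed to be unpadded (CVE-YYYY-12345 is valid,
# CVE-YYYY-00012 is not), which is how this example reads "expand with
# arbitrary digits only when needed".

_CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")


def parse_cve_id(text):
    """Return (year, sequence_number) for a well-formed CVE-ID, else None."""
    m = _CVE_RE.match(text.strip().upper())
    if not m:
        return None
    year, seq = m.group("year"), m.group("seq")
    # Extra width is only legitimate when the number really needs it,
    # i.e. the leading digit of a 5+ digit sequence is never a padding zero.
    if len(seq) > 4 and seq[0] == "0":
        return None
    return int(year), int(seq)


def format_cve_id(year, seq):
    """Inverse of parse_cve_id: four fixed digits, widened only when needed."""
    return "CVE-%04d-%04d" % (year, seq)


def extract_cve_ids(text):
    """Collect every well-formed CVE-ID mentioned in free text, in order, once."""
    found = []
    for m in re.finditer(r"\bCVE-\d{4}-\d{4,}\b", text, flags=re.IGNORECASE):
        parsed = parse_cve_id(m.group(0))
        if parsed is not None:
            cve = format_cve_id(*parsed)
            if cve not in found:
                found.append(cve)
    return found


if __name__ == "__main__":
    # Constructed advisory text; the identifiers are sample values only.
    advisory = ("Fixed cve-2014-1234 and CVE-2014-1234 again; see CVE-2016-98765, "
                "but CVE-2021-00001 and CAN-2003-0001 are not valid new-syntax IDs.")
    print(extract_cve_ids(advisory))
```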
This is a standardized text description of the issue(s). One common entry is:
“** RESERVED ** This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the candidate has been
publicized, the details for this candidate will be provided.”
This means that the entry number has been reserved by Mitre for an issue or a CNA
has reserved the number. So in the case where a CNA requests a block of CVE numbers in
advance (e.g. Red Hat currently requests CVEs in blocks of 500), the CVE number will be
marked as reserved even though the CVE itself may not be assigned by the CNA for some
time. Until the CVE is assigned AND Mitre is made aware of it (e.g. the embargo passes
and the issue is made public), AND Mitre has researched the issue and written a
description of it, entries will show up as "** RESERVED **"
CVE attempts to assign one CVE per security issue, however in many cases this would
lead to an extremely large number of CVEs (e.g. where several dozen cross-site scripting
vulnerabilities are found in a PHP application due to lack of use of htmlspecialchars() or
the insecure creation of files in /tmp). To deal with this there are guidelines (subject to
change) that cover the splitting and merging of issues into distinct CVE numbers. As a
general guideline consider issues to be merged, then split them by the type of
vulnerability (e.g. buffer overflow vs. stack overflow), then by the software version
affected (e.g. if one issue affects version 1.3.4 through 2.5.4 and the other affects 1.3.4
through 2.5.8 they would be SPLIT) and then by the reporter of the issue (e.g. Alice
reports one issue and Bob reports another issue the issues would be SPLIT into separate
CVE numbers). Another example is Alice reports a /tmp file creation vulnerability in
version 1.2.3 and earlier of ExampleSoft web browser, in addition to this issue several
other /tmp file creation issues are found, in some cases this may be considered as two
reporters (and thus SPLIT into two separate CVEs, or if Alice works for ExampleSoft and
an ExampleSoft internal team finds the rest it may be MERGE'ed into a single CVE).
Conversely issues can be merged, e.g. if Bob finds 145 XSS vulnerabilities in
ExamplePlugin for ExampleFrameWork regardless of the versions affected and so on they
may be merged into a single CVE.
People who fall in love with the Net do so for different reasons. Many love the
ability to quickly and cheaply keep up with friends and loved ones via e-mail, while others
love the vast oceans of information or the rush of playing Internet games.
However, it's likely that most Internet users share one thing in common as they
surf: the last thing on their minds is computer security.
There are as many bad guys in cyberspace as there are in everyday life, and those
shady characters are constantly prowling the Internet in search of new victims to scam.
Does the potential of breaking a bone keep you from enjoying your favorite ski
slope or bike trail? Of course not. Instead, the smart person uses the necessary caution
that will allow for a safe and enjoyable experience.
That ethos also applies to those who want to surf the Web safely. There are
countless ways that thieves and mischief makers can wreak havoc with your sense of
security, but there are just as many ways to keep intruders at bay via safe-surfing
techniques or security software.
Backdoors
Denial-of-service attack
as by deliberately entering a wrong password enough consecutive times to cause the
victim account to be locked, or they may overload the capabilities of a machine or
network and block all users at once. While a network attack from a single IP address can
be blocked by adding a new firewall rule, many forms of Distributed denial of
service (DDoS) attacks are possible, where the attack comes from a large number of
points – and defending is much more difficult. Such attacks can originate from the zombie
computers of a botnet, but a range of other techniques are possible including reflection
and amplification attacks, where innocent systems are fooled into sending traffic to the
victim.
Direct-access attacks
Common consumer devices that can be used to transfer data surreptitiously.
An unauthorized user gaining physical access to a computer is most likely able to directly
download data from it. They may also compromise security by making operating
system modifications, installing software worms, key loggers, or covert listening devices.
Even when the system is protected by standard security measures, these may be
bypassed by booting another operating system or tool from a CD-ROM or other
bootable media. Disk encryption and the Trusted Platform Module (TPM) are designed to
prevent these attacks.
Eavesdropping
Spoofing
Tampering
Privilege escalation
Phishing
Information is one of the most valuable assets. The use of proper preventive
measures and safeguards can reduce the risk of potentially devastating security attacks,
which could cost you the future of your business. Some losses might be irrecoverable,
such as the loss of a business deal due to leaks of confidential data to your competitor.
Although the lone criminal mastermind still exists, these days most malicious
hacking attacks are the result of organized groups, many of which are professional.
Traditional organized crime groups that used to run drugs, gambling, prostitution, and
extortion have thrown their hats into the online money grab ring, but competition is
fierce, led not by mafiosos but by several very large groups of professional criminals aimed
specifically at cybercrime.
Many of the most successful organized cybercrime syndicates are businesses that
lead large affiliate conglomerate groups, much in the vein of legal distributed marketing
hierarchies. In fact, today's cybercriminal probably has more in common with an Avon or
Mary Kay rep than either wants to admit.
Small groups, with a few members, still hack, but more and more, IT security pros
are up against large corporations dedicated to rogue behavior. Think full-time employees,
HR departments, project management teams, and team leaders.
SMALL-TIME CONS -- AND THE MONEY MULES AND LAUNDERERS SUPPORTING THEM
It's not hard to find money launderers. There are dozens to hundreds of entities
competing to be the one that gets to take a large percentage cut of the illegally procured
loot. In fact, you'd be surprised at the competitive and public nature of all the other people
begging to do support business with Internet criminals. They advertise "no questions
asked," "bulletproof" hosting in countries far from the reaches of legal subpoenas, and
they offer public bulletin boards, software specials, 24/7 telephone support, bidding
forums, satisfied customer references, antimalware avoidance skills, and all the servicing
that helps others to be better online criminals. Many of these groups make tens of millions
of dollars each year.
Many of these groups and the persons behind them have been identified (and
arrested) over the past few years. Their social media profiles show happy people with big
houses, expensive cars, and content families taking foreign vacations. If they're the
slightest bit guilty about stealing money from others, it doesn't show.
Imagine the neighborhood barbeques where they tell neighbors and friends that
they run an "Internet marketing business" -- all the while social engineering their way to
millions to the consternation of IT security pros who have done just about everything you
can to protect users from themselves.
HACKTIVISTS
Whereas exploit bragging was not uncommon in the early days, today's cyber
criminal seeks to fly under the radar -- with the exception of the growing legions of
hacktivists.
These days IT security pros have to contend with an increasing number of loose
confederations of individuals dedicated to political activism, like the infamous
Anonymous group. Politically motivated hackers have existed since hacking was first
born. The big change is that more and more of it is being done in the open, and society is
readily acknowledging it as an accepted form of political activism.
More often than not, political hacktivism is intent on causing monetary pain to its
victim in an attempt to change the victim's behavior in some way. Individuals can be
collateral damage in this fight, and regardless of whether one believes in the hacktivist's
political cause, the intent and methodology remain criminal.
While the likelihood of dealing with hacktivists may be low, most IT security pros
have to contend with the large group of malicious hackers that exist only to steal
intellectual property from companies or to perform straight-up corporate espionage.
The method of operations here is to break into a company's IT assets, dump all the
passwords, and over time, steal gigabytes of confidential information: patents, new
product ideas, military secrets, financial information, business plans, and so on. Their
intent is to find valuable information to pass along to their customers for financial gain,
and their goal is to stay hidden inside the compromised company's network for as long
as possible.
To reap their rewards, they eavesdrop on important emails, raid databases, and
gain access to so much information that many have begun to develop their own malicious
search engines and query tools to separate the fodder from the more interesting
intellectual property.
MALWARE MERCENARIES
No matter what the intent or group behind the cybercrime, someone has to make
the malware. In the past, a single programmer would make malware for his or her own
use, or perhaps to sell. Today, there are teams and companies dedicated solely to writing
malware. They turn out malware intended to bypass specific security defenses, attack
specific customers, and accomplish specific objectives. And they're sold on the open
market in bidding forums.
Once contacted, the DNS and mothership server often redirect the initiating stub
client to other DNS and mothership servers. In this way, the stub client is directed over
and over (often more than a dozen times) to newly exploited computers, until eventually
the stub program receives its final instructions and the more permanent malicious
program is installed.
All in all, the setup used by today's malware writers makes it very difficult for IT
security pros to defend against their wares.
At the most basic level, a website is simply a computer, just like a regular end-user
workstation; in turn, Webmasters are end-users like everyone else. It's not surprising to
find the legitimate Web is being increasingly littered with malicious JavaScript
redirection links.
But it's not entirely a matter of Webmasters' computers being exploited that's
leading to the rise in Web server compromises. More often, the attacker finds a weakness
or vulnerability in a website that allows them to bypass admin authentication and write
malicious scripts.
Many times it isn't the Web server or its application software but some link or
advertisement that gets hacked. It's fairly common for banner ads, which are often placed
and rotated by general advertising agencies, to end up infected. Heck, many times the
malware guys simply buy ad space on popular Web servers.
ALL-IN-ONE MALWARE
Most malicious programs are Trojan horses. Computer viruses and worms have
long since ceased to be the most popular types of malware. In most cases, the end-user is
tricked into running a Trojan horse that's advertised as a necessary antivirus scan, disk
defragmentation tool, or some other seemingly essential or innocuous utility. The user's
normal defenses are fooled because most of the time the Web page offering the rogue
executable is a trusted site they've visited many times. The bad guys simply compromised
the site, using a host of tricks, and inserted a few lines of JavaScript that redirect the user's
browsers to the Trojan horse program.
Another problem with hacked websites is that the computers hosting one site can
often host multiple sites, sometimes numbering in the hundreds or thousands. One
hacked website can quickly lead to thousands more.
No matter how the site was hacked, the innocent user, who might have visited this
particular website for years without a problem, one day gets prompted to install an
unexpected program. Although they're surprised, the fact that the prompt is coming from
a website they know and trust is enough to get them to run the program. After that, it's
game over. The end-user's computer (or mobile device) is yet another cog in someone's
big botnet.
CYBER WARFARE
Some victims never recover from exploitation. Their credit record is forever scarred by a
hacker's fraudulent transaction, the malware uses the victim's address book list to
forward itself to friends and family members, victims of intellectual property theft spend
tens of millions of dollars in repair and prevention.
The worst part is that almost none of those who use the above malicious attacks are
successfully prosecuted. The professional criminals on the Internet are living large
because the Internet isn't good at producing court-actionable evidence. It's anonymous
by default, and tracks are lost and covered up in milliseconds. Right now we live in the
"wild, wild West" days of the Internet. As it matures, the criminal safe havens will dry up.
Until then, IT security pros have their work cut out for them.
Who They Are
UNIT-2
Servers - Servers are computers that hold shared files, programs, and the network
operating system. Servers provide access to network resources to all the users of the
network. There are many different kinds of servers, and one server can provide several
functions. For example, there are file servers, print servers, mail servers, communication
servers, database servers, fax servers and web servers, to name a few.
Clients - Clients are computers that access and use the network and shared network
resources. Client computers are basically the customers (users) of the network, as they
request and receive services from the servers.
Shared data - Shared data are data that file servers provide to clients such as data files,
printer access programs and e-mail.
Shared printers and other peripherals - Shared printers and peripherals are hardware
resources provided to the users of the network by servers. Resources provided include
data files, printers, software, or any other items used by clients on the network.
Network Interface Card - Each computer in a network has a special expansion card
called a network interface card (NIC). The NIC prepares (formats) and sends data,
receives data, and controls data flow between the computer and the network. On the
transmit side, the NIC passes frames of data on to the physical layer, which transmits the
data to the physical link. On the receiver's side, the NIC processes bits received from the
physical layer and processes the message based on its contents.
Local Operating System - A local operating system allows personal computers to access
files, print to a local printer, and have and use one or more disk and CD drives that are
located on the computer. Examples are MS-DOS, UNIX, Linux, Windows 2000, Windows
98, Windows XP etc.
Network Operating System - The network operating system is a program that runs on
computers and servers, and allows the computers to communicate over the network.
Hub - Hub is a device that splits a network connection into multiple computers. It is like
a distribution center. When a computer requests information from a network or a specific
computer, it sends the request to the hub through a cable. The hub will receive the request
and transmit it to the entire network. Each computer in the network should then figure
out whether the broadcast data is for them or not.
Switch - Unlike a hub, a switch doesn't broadcast the received message to the entire
network; before sending it, it checks which system or port the message should be sent to.
In other words, a switch connects the source and destination directly, which increases the
speed of the network. Both switch and hub have common features: multiple RJ-45 ports, a
power supply and connection lights.
that are provided by means of such facility or equipment, including subscriber numbers,
databases, signaling systems, and information sufficient for billing and collection or used
in the transmission, routing, or other provision of a telecommunications service.
Availability
The librarian must see and accept a patron’s proof of
identification before that patron has free and easy access to
the contents available in the bookroom.
Accuracy
Information is accurate when it is free from mistakes or errors and it has the value
that the end user expects. If information contains a value different from the user's
expectations due to the intentional or unintentional modification of its content, it is
no longer accurate.
Example :-
When you receive e-mail, you assume that a specific individual or group of
individuals created and transmitted the e-mail; you assume you know the
origin of the e-mail. This is not always the case.
E-Mail spoofing, the process of sending an e-mail message with a modified
field, is a problem for many individuals today, because many times the field
modified is the address of the originator.
Spoofing the address of origin can fool the e-mail recipient into thinking
that the message is legitimate traffic.
In this way, the spoofer can induce the e-mail readers into opening e-mail
they otherwise might not have opened.
The attack known as spoofing can also be applied to the transmission of
data across a network, as in the case of User Datagram Protocol (UDP) packet
spoofing, which can enable unauthorized access to data stored on
computing systems.
Confidentiality
Ex 2: A hacker who successfully breaks into an internal database of a Web-based
organization and steals sensitive information about the clients, such as names,
addresses and credit card numbers.
Integrity
The quality or state of being whole, complete, and uncorrupted is the integrity
of information.
The integrity of information is threatened when the information is exposed to
Corruption,
Damage,
Destruction, or
Other disruption of its authentic state.
The threat of corruption can occur while information is being stored or
transmitted.
Many computer viruses and worms have been created with the specific purpose
of corrupting data.
For this reason, there are two key methodologies for detecting a virus or worm:
1. The first key methodology is to look for changes in file integrity as shown by the size
of the file.
2. Another key methodology for assuring information integrity is file hashing.
With file hashing, a file is read by a special algorithm that uses the value
of the bits in the file to compute a single large number called a hash value.
Any change to the combination of bits in the file produces a different hash
value, so a recomputed hash that differs from the stored one reveals that the
file has changed.
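As an added example (not from the notes), the following Python checker applies both methodologies: it records each file's size and SHA-256 hash in a baseline, then reports size changes, same-size content changes that only the hash catches, and files added or removed. The sample files are constructed in a temporary directory so the example runs offline.

```python
import hashlib
import os
import tempfile

# Added example, not from the notes: a small file-integrity checker using
# both methodologies. The baseline records each file's size and SHA-256 hash;
# a later scan reports size changes (methodology 1), same-size content changes
# that only the hash reveals (methodology 2), and files added or removed.


def hash_file(path, chunk_size=65536):
    """SHA-256 over a file's bytes, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (size, sha256 hex) for every file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(full), hash_file(full))
    return baseline


def check_integrity(root, baseline):
    """Compare the tree under root against a stored baseline."""
    current = build_baseline(root)
    report = {"size_changed": [], "content_changed": [], "added": [], "removed": []}
    for rel in sorted(baseline):
        size, digest = baseline[rel]
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel][0] != size:
            report["size_changed"].append(rel)
        elif current[rel][1] != digest:
            # Same size, different bytes: the size check alone would miss this.
            report["content_changed"].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline three files, then change the tree."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app", b"#!/bin/sh\necho hello\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "data/balance.txt", b"acc 2346: 100.00\n")
        baseline = build_baseline(root)

        # 1. Extra line in the program: the size changes, so methodology 1 fires.
        _write(root, "bin/app", b"#!/bin/sh\necho patched\necho hello\n")
        # 2. One field edited in place: same size, so only the hash changes.
        _write(root, "data/balance.txt", b"acc 7892: 100.00\n")
        # 3. A new file appears and a baselined file disappears.
        _write(root, "etc/extra.conf", b"option = 1\n")
        os.remove(os.path.join(root, "etc", "hosts"))

        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:15s}: {paths}")
```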
Utility
The utility of information is the quality or state of having value for some purpose or
end.
Information has value when it serves a particular purpose. This means
that if information is available, but not in a format meaningful to the
end user, it is not useful.
Possession
INFORMATION STATES
Security Attacks
Examples:
Destruction of some hardware
Jamming wireless signals
Disabling file management systems
1. Confidentiality: This component is often associated with secrecy and the use
of encryption. Confidentiality in this context means that the data is only
available to authorized parties. When information has been kept confidential it
means that it has not been compromised by other parties; confidential data are
not disclosed to people who do not require them or who should not have access
to them. Ensuring confidentiality means that information is organized in terms of
who needs to have access, as well as the sensitivity of the data. A breach of
confidentiality may take place through different means, for instance hacking or
social engineering.
2. Integrity: Data integrity refers to the certainty that the data is not tampered
with or degraded during or after submission. It is the certainty that the data has
not been subject to unauthorized modification, either intentional or
unintentional. There are two points in the process at which integrity could be compromised: during the upload or transmission of the data, or during the storage of the document in the database or collection.
3. Availability: This means that the information is available to authorized users
when it is needed. For a system to demonstrate availability, it must have
properly functioning computing systems, security controls and communication
channels. Systems defined as critical (power generation, medical equipment,
safety systems) often have extreme requirements related to availability. These
systems must be resilient against cyber threats, and have safeguards against
power outages, hardware failures and other events that might impact the system
availability.
Whether you like it or not, every business is a target for cyber attackers,
and that includes yours.
Data breaches are becoming more severe, yet many organisations still
assume they will never suffer one.
However, if you want to protect your business you should adopt a ‘when
not if’ mentality.
Effective defences can prevent the majority of attacks and help you to
prepare for a breach.
In this post, we take a deep dive into the inner workings of an ISMS, and
explore the benefits it can bring to your organisation.
What is an ISMS?
An ISMS is a systematic approach consisting of processes, technology and
people that helps you protect and manage your organisation’s information
through effective risk management.
Benefits of an ISMS
An ISO 27001-compliant ISMS does more than simply help you comply
with laws and win business. It can also:
Secure your information in all its forms: An ISMS helps protect all forms of
information, whether digital, paper-based or in the Cloud.
Increase your attack resilience: Implementing and maintaining an ISMS will
significantly increase your organisation’s resilience to cyber attacks.
Manage all your information in one place: An ISMS provides a central
framework for keeping your organisation’s information safe and managing
it all in one place.
Respond to evolving security threats: Constantly adapting to changes both in
the environment and inside the organisation, an ISMS reduces the threat
of continually evolving risks.
Reduce costs associated with information security: Thanks to the risk
assessment and analysis approach of an ISMS, organisations can reduce
costs spent on indiscriminately adding layers of defensive technology that
might not work.
Protect the confidentiality, availability and integrity of your data: An ISMS
offers a set of policies, procedures, technical and physical controls to
protect the confidentiality, availability and integrity of your information.
Improve company culture: An ISMS’s holistic approach covers the whole
organisation, not just IT. This enables employees to readily understand
risks and embrace security controls as part of their everyday working
practices.
Information Assurance Model
AppSec products must provide capabilities for managing security risk across all
of these options as each of these development and deployment options can
introduce security vulnerabilities. An effective software security strategy
addresses both immediate and systemic risk.
Information that is specific to the company can also be exposed. This can be
financials for banks and investment groups, medical records for hospitals and
insurers or sensitive documents and forms for government entities.
The exposure of this type of information can hamstring company projects, give
competitors insight into business operations, and reveal internal culture and
personalities. The bigger the company, the more interest there is in this type of
data.
Exposure of this type of data can devalue the products and services your
business provides and undo years of research.
Data Leakage
Furthermore, in many cases, sensitive data are shared
among various stakeholders such as employees
working from outside the organization’s premises (e.g.,
on laptops), business partners, and customers.
• Indirect losses.
Chart (partially recovered): intellectual property 4%; health records 7%.
DATA LEAKAGE THREATS
Internal threats
External threats
Internal threats – intentional or inadvertent?
BitTorrent
(abbreviated to BT) is a communication protocol for peer-to-peer
file sharing (P2P) which is used to distribute data and electronic
files over the Internet.
BitTorrent is one of the most common protocols for transferring large files, such as digital video files containing TV shows or video clips, or digital audio files containing songs.
Example
Peer-to-peer file sharing has recently been described as a “new national security risk” by Retired General Wesley K. Clark, who is a board member of an organization that scans peer-to-peer networks for confidential or sensitive data. He commented: “We found more than 200 classified government documents in a few hours' search over P2P networks” and “We found everything from Pentagon network server secrets to other sensitive information on P2P networks that hackers dream about.”
Limited dark side: They encourage appropriate action, i.e., they have been tested to ensure they have a positive impact on performance (whereas poorly thought-through measures can lead to dysfunctional behavior).
Organisations handle a plethora of sensitive data, such as trade secrets, customer data, pricing lists, trading
algorithms and acquisition plans. This data can be leaked to unscrupulous competitors, organised criminal
groups and other entities via a multitude of channels, including email, the internet, portable storage devices
and cloud services.
Data leaks can be expensive, harm an organisation’s brand and reputation, and diminish trust. Customers
and shareholders alike expect organisations to take appropriate measures to properly safeguard their data
and investment. A successful data leakage prevention (DLP) programme can significantly reduce these risks.
RESURGENCE OF DLP
Interest in DLP technology quickly waned when it first came to market due to the complexity of deployment, cost of investment, and inability to demonstrate business value. However, cloud adoption, mobile computing and remote working, coupled with major data breaches and new regulatory requirements, such as the EU General Data Protection Regulation (GDPR), have prompted organisations to take a fresh look at DLP.
Meanwhile, DLP technology has matured and is steadily progressing towards a mainstream security control.1 DLP’s recent surge in popularity is reflected within the ISF Membership – to date, 42% of surveyed ISF Members have implemented DLP and a further 45% are either running a DLP pilot or planning for deployment.2
DLP CAPABILITIES
In today’s business environment, organisations handle a vast amount of data that is increasingly easy to access and share, and more vulnerable to leaking. DLP technology offers a set of capabilities to manage the risk of data leaks – but it has some limitations.
For instance, DLP technology can only detect sensitive data in a digital format and is used primarily to monitor conventional channels of data leakage, such as email, the internet and USB. Although DLP technology is evolving to protect newer channels, it does not capture all types of sensitive data or cover all conceivable scenarios of data leakage.
To prevent the actual leakage of data, DLP tools need to be carefully configured to block activities that put data at risk. However, many organisations are reluctant to enable the blocking functionality for fear of disrupting business operations. This can limit the effectiveness of DLP.
NEED FOR A HOLISTIC APPROACH
The full benefits of DLP can only be realised if organisations implement DLP for clearly defined purposes and in a structured, systematic manner that incorporates people, process and technology. ISF Members reported that DLP can be a success when approached as part of a dedicated programme for reducing the risk of data leakage.
Figure 1: Survey results of ISF Members who have implemented a DLP programme: 72% achieved objectives; 57% delivered return on investment; 72% demonstrated risk reduction.
Based on the experience of ISF Members, this report provides guidance on how to optimise a DLP deployment, describing the ten key attributes of a successful DLP programme. It emphasises that a focus on technology alone will likely lead to the relegation of DLP tools to shelf-ware.
1 The enterprise DLP market is expected to grow at a compound annual growth rate of 16.28% between 2018 and
2023: Enterprise Data Loss Prevention Market – Industry Trends, Opportunities and Forecasts to 2023, https://www.researchandmarkets.com/research/npbpsp/global_enterprise?w=4.
2 Figures based on survey sample size of 147 ISF Members, correlated by ISF Security Healthcheck statistics.
1 What is data leakage prevention?
Data leakage prevention (DLP) can be defined as the practice of detecting and preventing the unauthorised disclosure of data.
Also referred to as data loss prevention and data loss protection, the main purpose of DLP is to ensure that specified sensitive
data is not leaked. It can also be used to help prevent data being mishandled or improperly accessed. DLP can be broken down
into the following three core activities:
IDENTIFY data to protect against leakage: There are many different types of information that are valuable to organisations (known as information assets) which need to be kept confidential (e.g. market strategies, payment card information, personal health information, source code, product designs and employee data). Information may exist in digital, physical or spoken formats.
MONITOR channels of data leakage: Digital data can leak through a variety of channels (also referred to as vectors) including email, social media and portable storage devices. Channels are monitored to understand data flows and detect activity that indicates the leakage of data. Some channels can be difficult to monitor due to their nature (e.g. verbal disclosure of information and printed documents left in an insecure location).
ACT to prevent data from leaking: There are a range of actions that can be taken to stop data from leaving an organisation (e.g. alert users to their risky behaviour, quarantine outbound email messages containing sensitive data, block the transfer of data to portable storage media, and locate office equipment in a physically secure environment).
DLP tools and related technologies are used to help perform these core activities, which are illustrated in Figure 2 and explored
in more detail on the following pages.
Figure 2: The three core activities of DLP. Identify data to protect: personal data, customer data, intellectual property, business & governance data, financial data, sales & marketing data. Monitor channels: email, internet, removable media, collaboration devices, cloud platforms, database/file storage, printer/MFD, file-sharing applications, camera, paper, clipboard, voice. Act: log, notify, block.
There are an increasing number of technologies, which are labelled as DLP that vary in their capabilities and perform different
aspects of DLP. The focus of this report is DLP tools, which are designed to identify data, monitor its usage and movement,
and take actions to prevent data from leaking. DLP tools (also known as enterprise DLP) are usually offered as a comprehensive
suite of products that cover multiple channels.
“DLP only protects what you tell it! Plan and understand the environment, have data classification
and know what it is you are trying to protect.” – ISF Member
As an alternative to using DLP tools, organisations may choose to utilise DLP functionality embedded into other security products
(e.g. secure web gateway, secure email gateway, email encryption and device control) or cloud-based services (e.g. Microsoft
Office 365). DLP offered as a feature of existing products (also known as integrated DLP) is typically restricted in capability and
may only protect a single channel.
Conditions instruct the DLP tool what data to look for and when to take action by defining the content to detect (e.g. type of data)
as well as the context (e.g. file type, file size, sender or recipient). When data matches the conditions, the system reports a policy
violation (also known in the context of DLP as an ‘incident’). DLP policy violations can be user or system generated (e.g. a finance
system emailing payslips automatically). Exceptions may be added to exempt certain data or activity from matching the condition
and triggering the rule.
Actions stipulate how the DLP tool acts to protect the content when the conditions are met (e.g. log the policy violation, notify
the user, encrypt a file or block copy of data to clipboard). Different actions can be applied depending on the level of risk, number
of matches within a given transmission or severity of the policy violation (e.g. transfer of 20 customer records versus 200 records;
internal versus external sharing of data).
A DLP policy can apply to one or more channels of data leakage. It need not apply enterprise-wide; it may be more appropriate to
limit its application to certain users, a user group or geographic region. Examples of DLP policies are shown in the table below.
Source code
Condition: Detect content containing proprietary source code
Exception: Allow transfer of data to company X, selected to conduct a source code review
Action: Block transfers containing source code (including web postings, email messages and copy of files)
Credit cards
Condition: Detect content that matches the credit card number, using a Luhn algorithm
Exception: None
Action: Quarantine data in cloud applications, files and messages:
− send an email notification to the user
− allow the user to provide business justification for release
Project penguin
Condition: Detect content containing key phrase ‘project penguin’ and intended for an external recipient
Exception: Allow transfer of data to John Doe (external legal counsel)
Action: Block transfer of content to external recipients; encrypt email transmissions to John Doe
Medical records
Condition: Detect content that matches words or expressions from a list of common medical conditions
Exception: Exclude emails marked as ‘personal’
Action: Block transfers including copy of health data to a portable storage device; display on-screen notification stating file transfer violates a specific DLP policy
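As an added worked example, not from the ISF report or any DLP product, the following Python encodes two of the policies in the table above (credit cards with a Luhn check, and the ‘project penguin’ key phrase with its external-recipient context and counsel exception) in the condition / exception / action structure described earlier. The organisation domain example.com, the counsel address, the Message and Policy names and the 1-versus-20-match action thresholds are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Message:
    sender: str
    recipient: str
    body: str


@dataclass
class Policy:
    name: str
    channel: str                                   # channel the policy applies to, e.g. "email"
    detect: Callable[[Message], int]               # condition: returns the number of matches
    exception: Callable[[Message], bool]           # True means the message is exempt
    actions_by_count: Dict[int, str]               # minimum match count -> action; highest wins


INTERNAL_DOMAIN = "example.com"                    # assumed domain of the organisation


def is_external(addr: str) -> bool:
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum the digits, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def count_card_numbers(msg: Message) -> int:
    """Described-content matching: a 13-16 digit pattern that also passes the Luhn check."""
    found = 0
    for m in CARD_PATTERN.finditer(msg.body):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            found += 1
    return found


def count_project_penguin(msg: Message) -> int:
    """Key phrase plus context: only counts when the recipient is external."""
    if not is_external(msg.recipient):
        return 0
    return len(re.findall(r"project penguin", msg.body, flags=re.IGNORECASE))


POLICIES = [
    Policy(name="Credit cards", channel="email", detect=count_card_numbers,
           exception=lambda m: False,                          # table: no exception
           actions_by_count={1: "notify", 20: "quarantine"}),  # small vs bulk transfer
    Policy(name="Project penguin", channel="email", detect=count_project_penguin,
           # assumed address for the external legal counsel named in the table
           exception=lambda m: m.recipient.lower() == "john.doe@lawfirm.example",
           actions_by_count={1: "block"}),
]


def evaluate(msg: Message, channel: str = "email") -> List[Dict[str, object]]:
    """One incident per policy whose condition matches and whose exception does not apply."""
    incidents = []
    for policy in POLICIES:
        if policy.channel != channel or policy.exception(msg):
            continue
        matches = policy.detect(msg)
        if matches == 0:
            continue
        threshold = max(t for t in policy.actions_by_count if matches >= t)
        incidents.append({"policy": policy.name, "matches": matches,
                          "action": policy.actions_by_count[threshold]})
    return incidents


if __name__ == "__main__":
    # Constructed sample: one Luhn-valid test number, one that fails the checksum, one key phrase.
    sample = Message("alice@example.com", "bob@partner.example",
                     "Cards: 4111 1111 1111 1111 and 4111 1111 1111 1112. Project Penguin update attached.")
    for incident in evaluate(sample):
        print(incident)
```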
DLP policies can be created by using predefined templates or building custom policies. Most DLP tools provide a library of predefined
policy templates to detect data that is subject to regulatory requirements, such as the GDPR, the Payment Card Industry Data Security
Standard and the US Health Insurance Portability and Accountability Act. Policy templates may cover industry-specific data that adheres
to a standard format (e.g. credit card number or SWIFT code) and country-specific data (e.g. Canadian social insurance number, French
passport number, Irish International Bank Account Number, New Zealand national health index number or UK driver’s licence number).
Other policy templates are more generic and designed for different use cases, such as protecting certain types of sensitive data
(e.g. content classified ‘top secret’, information pertaining to oil drilling or software design documents). Tools may also include
policy templates for detecting acceptable use transgressions (e.g. indecent images, profanities or racism) and employee discontent
(e.g. distribution of a curriculum vitae).
Predefined policy templates should be customised to meet an organisation’s specific needs, providing a quick and easy starting point
for deploying DLP tools.
It is common for organisations to use DLP to detect and prevent the leakage of their mission-critical information assets
(i.e. information assets of greatest value and would cause a major business impact if compromised). Refer to the ISF implementation
guide Protecting the Crown Jewels for further guidance on approaches to securing mission-critical information assets.
DLP tools protect sensitive data held in a readable digital format. To protect sensitive information in physical and spoken formats, DLP
tools need to be complemented by other security controls, such as procedures for the proper handling and disposal of information.
DLP tools typically incorporate different techniques to detect sensitive data (referred to as ‘content’). They are well-suited to
finding explicit keywords or alphanumeric patterns within data but can fail when data is complex (e.g. scientific data sets) or
purposely obscured (e.g. Zip files that can be compressed, encrypted and password-protected). Detection techniques commonly
provided in DLP tools include:
Described content matching: Matches content using regular expressions, defined strings, keywords, patterns or dictionaries (a list of specific terms, keywords or key phrases). Instances of described content include credit card numbers, social security numbers, and files containing certain metadata such as a classification (e.g. confidential or secret).
Fingerprinting (Indexing): Takes a cryptographic hash of a sample file or file contents to create a ‘fingerprint’. Content is then checked against the fingerprint for complete or partial matches (i.e. to detect either the complete text or excerpts that match the sample document). This technique can be effective for both structured and unstructured data but requires the ‘data sources’ (e.g. documents and files) to first be identified and prepared.
Machine learning (Statistical analysis): Uses algorithms and statistical techniques to determine if content is similar to example documents, which are provided for the DLP tool to learn from as representative of the type of data to protect. Common use cases for this technique include source code, software design documents and other data that is not practical to fingerprint or difficult to describe with accuracy.
Optical character recognition (Image recognition): Analyses image files (e.g. screenshots or scanned documents) and extracts text to find matches for sensitive content.
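As an added example, not from the ISF report or a vendor tool, the following Python sketches the fingerprinting technique above: it hashes overlapping five-word runs (“shingles”) of a prepared document and reports a complete, partial or no match for a candidate message, so an excerpt pasted into an email is still recognised. The sample documents, the shingle length and the 0.5 partial-match threshold are constructed for this example.

```python
import hashlib
import re
from typing import Dict, List, Set

SHINGLE_WORDS = 5   # words per shingle; fewer words = more sensitive but more false positives


def normalise(text: str) -> List[str]:
    """Lower-case word tokens only, so reformatting or punctuation changes do not defeat a match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str) -> Set[str]:
    """Hash every run of SHINGLE_WORDS consecutive words; the set of hashes is the fingerprint.
    Storing hashes rather than text means the index itself does not expose the document."""
    words = normalise(text)
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()
        for i in range(len(words) - SHINGLE_WORDS + 1)
    }


def match_ratio(index: Dict[str, Set[str]], candidate: str) -> Dict[str, float]:
    """Fraction of the candidate's shingles that occur in each indexed document."""
    cand = fingerprint(candidate)
    if not cand:                                   # too short to fingerprint at all
        return {name: 0.0 for name in index}
    return {name: len(cand & fp) / len(cand) for name, fp in index.items()}


def classify(index: Dict[str, Set[str]], candidate: str,
             partial_threshold: float = 0.5) -> Dict[str, str]:
    """'complete' if every shingle matches, 'partial' above the threshold, else 'none'."""
    verdicts = {}
    for name, ratio in match_ratio(index, candidate).items():
        if ratio == 1.0:
            verdicts[name] = "complete"
        elif ratio >= partial_threshold:
            verdicts[name] = "partial"
        else:
            verdicts[name] = "none"
    return verdicts


# Constructed sample documents standing in for the prepared "data sources".
DESIGN_DOC = ("The widget controller uses a dual redundant bus with failover in under ten "
              "milliseconds. Firmware images are signed with the release key before deployment.")
PRICE_LIST = "Unit price for the premium tier is forty two per seat per month with volume discounts."
INDEX = {"design.doc": fingerprint(DESIGN_DOC), "prices.xlsx": fingerprint(PRICE_LIST)}

if __name__ == "__main__":
    excerpt = "FYI: Firmware images are signed with the release key before deployment."
    print(classify(INDEX, DESIGN_DOC))   # the whole document: complete match on design.doc
    print(classify(INDEX, excerpt))      # one sentence copied into an email: partial match
    print(classify(INDEX, "Lunch is at noon in the main cafeteria today."))   # unrelated
```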
For global organisations, consideration should be given to how a DLP policy applies across multiple jurisdictions (e.g. using an alphanumeric
pattern to detect sensitive data in one jurisdiction may cause benign information to be flagged as a policy violation elsewhere).
Figure 4: Channels of data leakage covered by surveyed ISF Members’ DLP tools (bar chart, axis 0% to 100%).
The findings depicted in Figure 4 show that most organisations focus on email because it is perceived to be one of their primary
channels of data leakage and the easiest to protect using a DLP tool. New and emerging channels (for example mobile devices
containing high-resolution cameras) are relatively poorly covered, illustrating potential gaps in channel coverage.
Refer to the ISF briefing paper Managing the Insider Threat for further details about the three types of risky insider behaviour.
DLP tools should not be treated as a long-term remedy for insecure business processes.
Types of action
A DLP tool can respond to a policy violation in one of three ways: log, notify or block (referred to as ‘modes’). Each mode should
be enabled sequentially to ensure DLP policies are enforced appropriately and do not disrupt business operations.
“Start with monitoring/detecting before implementing any protective controls.” – ISF Member
In log mode (also known as monitoring), policy violations are recorded in log files, allowing for analysis and investigation.
The individual responsible for the policy violation is not notified.
Once a policy rule has been fine-tuned and is delivering the required results, notifications can be introduced to advise individuals
that they violated a DLP policy. To compel a change in user behaviour, a copy of the message may be sent to the individual’s
manager. Types of notification include:
‒‒ sending an email to notify the user that their behaviour breached corporate policy but still permit the activity with guidance on
approved handling of data
‒‒ presenting a pop-up warning with an option for the user to cancel the data transfer.
Blocking is the third type of action that can be applied in response to a policy violation (e.g. email containing credit card data,
external file-sharing of source code or instant messaging of medical details). It can be divided into three categories: hard block,
soft block and other actions to remediate incorrect handling of data, as shown in the box below.
Blocking
Hard block, for example:
‒‒ block transfer of email message or file
‒‒ disable download, copy or print options
‒‒ delete attachment or file.
Soft block, for example:
‒‒ move file to another location
‒‒ quarantine email message pending business justification for release
‒‒ redact sensitive data in web post or email and allow transfer.
Other actions to remediate incorrect handling of data, for example:
‒‒ add visual tag
‒‒ change access controls to restrict access to the file
‒‒ encrypt file or message.
Figure 6 shows the common actions taken by DLP tools, which surveyed ISF Members apply to data in motion, in use and at rest.
These three states of data are explained on the following page.
Figure 6: Common actions taken by DLP tools, as applied by surveyed ISF Members to data in motion, in use and at rest (bar chart, axis 0% to 100%).
Data in motion: Data that is traversing a network, such as the internet or a private network (e.g. local area network). DLP tools can monitor network traffic through network sniffing and deep content inspection to identify sensitive data travelling via a variety of means including email, file transfer and HTTP (web).
Data in use: Data that is being processed on endpoint devices. DLP tools can provide visibility of how users interact with data on endpoints by installing DLP agents on target devices. The scope of activity monitored can vary between DLP tools but may include copy and paste between applications, print functions and download to portable storage devices (e.g. USB).
Data at rest: Data in storage, such as in file systems, servers, databases, the cloud and endpoint devices (e.g. laptops and desktops). DLP tools can inspect storage repositories and systems (indexing, opening, reading and analysing files) to detect files that contain sensitive content. Scans may be set to occur in real time, at regular intervals or on demand (e.g. ahead of a security audit). Scanning may be performed remotely or by agents installed locally.
The technical architecture for the deployment of DLP tools needs to be carefully designed to integrate with existing infrastructure.
A typical DLP architecture consists of four main architectural components as illustrated in Figure 7.
The central management console provides a single interface to author, implement and manage DLP policies across all data leakage
channels covered by a DLP programme. The console also consolidates logging, reporting, review of policy violations, incident
remediation and system administration.
“Business side activity: 75%; IT implementation (including testing): 25%.” – ISF Member
The network component often involves passive monitoring of network traffic, lacking the ability to intervene with user activities.
To apply preventative capabilities (e.g. blocking), data needs to be passed to DLP tools for analysis and handling, which can
be achieved by deploying software agents (e.g. on endpoints) or by integrating with web proxies, email services and storage
repositories. Increasingly, DLP tools include the capacity to extend DLP policies to cloud services by integrating with a cloud access
security broker (CASB) or cloud-delivered web gateway.
It does not take much effort to leak data but the business impact can be severe. Depending on the data leaked and extent of
exposure, potential consequences include regulatory penalties, negative publicity, loss of competitive advantage, brand damage,
erosion of customer trust and disruption to business activities, all of which can result in an organisation suffering financial losses.
DLP can help to mitigate the potential costs associated with sensitive data leaking. Securing data from unauthorised disclosure
can also set an organisation apart in terms of their information security maturity, especially if DLP is mandated as a requirement
by prospective clients or business partners.
DLP enables organisations to detect what data is leaking and demonstrably reduce incidents of data leakage by blocking or otherwise restricting activities that put data at risk, whether initiated by the user or system generated. Additional benefits can also be derived from DLP, which include:
‒‒ supporting compliance with global, regional, country and industry-specific regulatory requirements
‒‒ gaining visibility of the usage and movement of sensitive data
‒‒ improving the security awareness and behaviour of users
‒‒ detecting the exfiltration of data by external hackers.
77% of surveyed ISF Members implement DLP to reduce the frequency or magnitude of accidental data leakage; almost the same implement DLP to mitigate malicious data leakage (76%).
Implementation of DLP can help to identify signs of hacker activity on a network by detecting suspicious attempts to exfiltrate data via
channels that are monitored by DLP tools.
DLP LIMITATIONS
While DLP offers many benefits, it does have limitations that organisations will need to manage. In today’s world, the explosion of
information has created much more data to protect, which can leak through more channels than ever before due to technological
advances and new working trends.
The challenges of preventing data leakage cannot be solved by DLP tools alone due to gaps in their coverage and capabilities.
DLP tools are unable to:
‒‒ detect all content containing sensitive data
‒‒ monitor all channels of data leakage
‒‒ act to prevent every occurrence of data leakage.
“DLP isn't something you switch on and everything is protected.” – ISF Member
ISF Members identified the following aspects of DLP that can diminish the business value of a DLP deployment.
Data is dispersed
Data is scattered across different environments – it is often replicated in various storage repositories and platforms (including
cloud services and geographically distributed data centres), constantly transferred out of an organisation and accessible from
personal devices or networks that may not be controlled by an organisation. This wide dispersal of data affects how it can be
scanned and protected by DLP tools.
Traditional DLP tools are designed to prevent the leakage of data already within the control of the organisation. While DLP
technology is evolving to extend coverage to mobile devices, the cloud environment and beyond, there will still be gaps where
data remains beyond the reach of DLP tools and can leak.
50% of Benchmark respondents do not review policy violations to help minimise false negatives and false positives.
Blocking can interfere with user workflow and cause a degradation in productivity. However, to leave DLP tools running purely in
log or notify mode can reduce the value of deploying DLP, unless the main objective is to gain visibility into data usage and report
policy violations. By carefully tuning DLP policy rules with business input, organisations can ensure blocking does not disable
operations or impede business processes.
Significant effort and resources need to be dedicated to the planning and preparation of a DLP deployment, the success of which
relies substantially on effective business engagement. A DLP programme should account for the organisational and human
factors of DLP, as well as apply robust processes for securing sensitive data. It should be supported by DLP tools but not take as
its starting point or primary component the selection and implementation of DLP tools. Section 3 defines the key attributes of a
successful DLP programme.
– Assign roles and responsibilities
– Select DLP tools
– Determine how to respond to policy violations
– Integrate DLP tools into existing environment
– Deploy DLP incrementally
Effective implementation of a DLP programme is not as simple as ticking a list of check boxes. To position a DLP programme for
long-term success, significant effort should be dedicated to effective governance and preparatory activities for implementation,
which include – but are not limited to – deployment of DLP tools.
“You may (likely will) find that your programme will succeed or fail based on the buy-in
that you get from your business partners.” – ISF Member
DLP inherently involves monitoring employees’ communications and online activities, and by extension third party messages, which
raises legal concerns that need to be carefully considered prior to deploying DLP tools. There are a variety of laws relating to privacy,
data protection, employment, interception of data and telecommunications that apply to monitoring and data processing in the
context of DLP.
The extent to which these laws constrict the scope and coverage of a DLP programme, or otherwise mandate specific measures, will
depend on the given legal system (e.g. in some countries, such as Germany and Austria, deployment of DLP technology may require
agreement with a ‘works council’). For global organisations, the legal complexity can prove particularly acute given the requirement to
plan and execute a DLP programme that takes account of variances in local laws across multiple jurisdictions. Legal advice should be
sought to ensure implementation of a DLP programme adheres to all applicable laws.
A DLP programme does not address all aspects of protecting data but instead concentrates on implementing the relevant tools,
procedures and processes for preventing specific sensitive data from leaving an organisation. A DLP programme should therefore
be approached as just one element of an organisation’s data protection strategy.
This section is not intended as an implementation guide or an end-to-end process map for installing DLP. Rather, it reflects good
practice within the ISF Membership and the areas on which to place focus to fully derive the benefits of a DLP programme. Each key
attribute is explained on the following pages in the order that a DLP programme would typically follow.
Implementation of a DLP programme is a multi-phase undertaking that does not end with the installation of DLP tools or creation
of DLP policies. To realise the value of a DLP programme and optimise its performance, organisations need to continually
maintain, review and refine their DLP programme.
“DLP requires scheduled review and assessment to ensure relevance and to comply
with the latest technology trends.” – ISF Member
Surveyed ISF Members recommended establishing a steering committee to provide strategic direction, advise on business issues, set
risk reduction priorities and monitor the progress of DLP against agreed objectives. A steering committee should include representatives
from key departments, such as information security, IT, legal, human resources, compliance, privacy and risk management. An executive
sponsor should be appointed as early as possible to champion DLP and ensure it is a success.
Executive management should contribute to the organisation’s information risk assessments and therefore be involved in
identifying DLP as an appropriate risk treatment action. This way, DLP is deployed as a business initiative endorsed by executive
management from the outset, providing an important mandate for business stakeholders to dedicate time and resources to
developing a successful DLP programme.
Other factors that can influence the scope of a DLP programme include speed of risk reduction, costs, resourcing and timescales.
Organisations should also consider which supporting technologies and compensating controls to include within scope because
they either optimise the performance of DLP tools or protect data leakage channels that are not adequately covered by DLP tools.
The roles and responsibilities of those involved in a DLP programme need to be clearly defined, particularly since implementation
requires the input of representatives from various business functions (e.g. business operations, IT, information security, legal and
HR). Of ISF Members surveyed, those with a cross-functional DLP team were more likely to achieve their programme’s objectives and
deliver return on investment than Members who appointed either IT or information security to be primarily responsible for DLP.
To prevent misuse of DLP, duties should be segregated so the technical maintenance of DLP tools, the management of DLP policies
(i.e. author, update and delete) and review of policy violations cannot be carried out by the same individual or function.
An ISF Member reported that to bolster collaboration they had co-opted business representatives into their DLP team for a specified
period to gain the institutional knowledge of the business. Another approach was to nominate business representatives (e.g. data
owners) to provide direct support with the triage of DLP policy violations.
Regular engagement with business representatives from across the organisation is necessary to assist with both the configuration
of DLP policies and review of the policy violations generated. Without business input, a DLP tool cannot be properly tuned to
protect what is important to the business. Equally, the authorised use of data may not be apparent to those outside a given
business function (e.g. whether or not an email to an external party concerning a business transaction should be blocked).
“When you ‘sell’ the DLP service to business, make sure you explain that this is just one control...
make sure they understand where their information is still vulnerable.” – ISF Member
By monitoring how data is transmitted, used and stored, DLP tools can provide insight into how an organisation works and expose
insecure habits that need to be addressed. In turn, DLP tools can be configured to send an email or display pop-up notifications to
coach users on how to handle data appropriately with options for immediate self-remediation. This real-time feedback can result
in a considerable drop in risky behaviour as users change the way they act and think about handling data.
Awareness activities tailored to DLP should be initiated ahead of deploying DLP tools to inform individuals what they can expect
from a DLP programme and avoid undue surprises. These activities should address the value of data, why DLP is being adopted and its
business benefits. This communication to the business will help foster a positive perception of DLP and prepare employees for actions
that block or otherwise intervene with user activity.
ISF Members reported a drastic reduction in DLP policy violations in areas where the level of security awareness was raised, whether due
to notifications, blocking or a security awareness campaign. Eliminating the noise attributable to poor security awareness allows
other policy violations to be investigated in more depth and is a useful metric by which to demonstrate the value of DLP.
Deploying DLP may require a culture shift within an organisation to create a corporate environment where security is regarded as a
priority. Just as DLP can improve security awareness via educational pop-up messages, a security conscious culture will benefit DLP
implementation. There is the potential for employees to become careless and complacent in their handling of data under the false
assumption that DLP tools or other technology is able to detect and correct all user mistakes. This is why training needs to be
refreshed at regular intervals.
The initial response to a policy violation typically involves verifying its validity, the context and severity. This triage process may be
performed by a small, centralised team dedicated to the task or by nominated individuals from relevant business functions, with
the option to escalate to appropriate personnel – such as HR, legal or compliance – for further investigation. If a policy violation
proves to be an actual incident of data leakage, it should be integrated into wider security incident management processes.
Some ISF Members use a playbook to record their DLP policies, documenting how they are configured, who the data owners are and
how to respond to different types of policy violations (e.g. send an automated email to the user involved with guidance on the secure
handling of data, notify the user’s manager or impose restrictions on the user pending further investigation).
“Determining a process flow for incident remediation early in the project is crucial as these incidents
can escalate into huge amounts of data, which will make fine-tuning policies a little
more challenging and time consuming.” – ISF Member
“Obtain proof through a small deployment and then expand the deployment.” – ISF Member
An implementation pilot, which is limited to a representative group of users, a business unit or a region, should precede wider
deployment. This pilot will often focus on just one type of sensitive data and target a single data leakage channel, such as email.
Deployment of DLP should start small with one or two policies relating to a single ‘use case’ to ensure proper configuration and
effective performance of DLP tools. Additional DLP policies can then be introduced gradually.
Organisations should design a phased implementation plan for expanding their DLP programme, which takes account of:
‒‒ adding DLP policies to broaden the types of sensitive data protected
‒‒ improving the way existing channels are monitored
‒‒ extending DLP to monitor new channels of data leakage
‒‒ moving from logging policy violations to notify and block actions.
DLP policy rules should first be run in log-only mode (also known as monitor-only mode) to review the alerts generated and
effectiveness of the policy. This allows time to fine-tune each policy to improve its accuracy and determine its potential business
impact before enabling blocking or other response actions. Business input during the log phase is vital – it helps to minimise false
positives, highlight business requirements and reveal business activities that the DLP policy may disrupt once response actions
are applied.
When blocking is enabled, there should be a process for efficient recovery of quarantined or blocked information that is time-sensitive
(e.g. relates to an urgent business transaction), otherwise the IT helpdesk (or equivalent) may receive constant requests for the
release of data. This may be achieved by displaying an on-screen notification, allowing users to select from an agreed list of business
justifications for the transfer of data.
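The monitor-then-block progression and the business-justification override described above, shown as an added worked example (Python). This is not code from the ISF report or from any DLP product: a simplified card-number policy is first run in monitor-only mode over constructed sample messages, a Luhn check is added during tuning to drop a false positive that a bare digit-pattern rule would raise, and blocking is then enabled with an agreed list of business justifications. The policy fields, the justification values, the data owner and the sample messages are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Digit pattern for a 16-digit card number, with optional space or dash
# separators. On its own this also matches order references and ticket
# numbers, which is the kind of false positive the monitor phase reveals.
PAN_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

# Hypothetical list of business justifications agreed with the data owner;
# a user selecting one of these releases a blocked transfer.
APPROVED_JUSTIFICATIONS = {"customer-refund", "approved-partner-transfer"}

# Constructed sample messages (not real data). Indices 0 and 2 carry
# well-known test card numbers that pass the Luhn check; index 1 is a
# 16-digit order reference that fails it; index 3 is benign.
SAMPLE_MESSAGES = [
    "Please charge card 4111 1111 1111 1111 for invoice 88",
    "Order ref 1234567890123456 shipped today",
    "Refund to 5500-0000-0000-0004 approved by finance",
    "Lunch at noon?",
]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Policy:
    name: str
    owner: str           # data owner consulted during tuning and triage
    mode: str            # "monitor" (log only) or "block"
    validate_luhn: bool  # refinement added after reviewing monitor-mode alerts


@dataclass
class Verdict:
    matched: bool
    action: str          # "allow", "log", "block" or "allow-with-justification"
    reason: str = ""


def evaluate(policy: Policy, text: str,
             justification: Optional[str] = None) -> Verdict:
    """Apply one policy to one message and decide the response action."""
    hits = [re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text)]
    if policy.validate_luhn:
        hits = [h for h in hits if luhn_ok(h)]
    if not hits:
        return Verdict(False, "allow")
    if policy.mode == "monitor":
        return Verdict(True, "log", "monitor-only: recorded for tuning review")
    if justification in APPROVED_JUSTIFICATIONS:
        return Verdict(True, "allow-with-justification", justification)
    return Verdict(True, "block", f"{len(hits)} card number(s) found")


def flagged_indexes(policy: Policy, messages: List[str]) -> List[int]:
    """Indexes of messages the policy would flag; used to review alert volume."""
    return [i for i, m in enumerate(messages) if evaluate(policy, m).matched]


if __name__ == "__main__":
    naive = Policy("PCI-PAN", "Finance", "monitor", validate_luhn=False)
    tuned = Policy("PCI-PAN", "Finance", "monitor", validate_luhn=True)
    print("monitor, bare pattern :", flagged_indexes(naive, SAMPLE_MESSAGES))
    print("monitor, Luhn-checked :", flagged_indexes(tuned, SAMPLE_MESSAGES))
    blocking = Policy("PCI-PAN", "Finance", "block", validate_luhn=True)
    print("block, no justification:", evaluate(blocking, SAMPLE_MESSAGES[0]))
    print("block, with justification:",
          evaluate(blocking, SAMPLE_MESSAGES[0], "customer-refund"))
```

The monitor-mode run with the bare pattern flags the order reference as well as the two card numbers; adding the Luhn check during the log phase removes that false positive before blocking is switched on, and the justification list gives users the on-screen release path the text describes without a helpdesk ticket.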
For many ISF Members, the ability to confidently turn on blocking is itself a measure of a DLP tool's success. It provides assurance
that certain data cannot leave an organisation via a given channel, rather than relying on after-the-fact scanning and analysis of
policy violations to detect data that has already leaked.
As data breaches continue to hit media headlines with costly consequences, organisations are realising the importance of taking
a systematic, structured approach to detect and prevent the leakage of sensitive data. DLP technology has existed for some time
but has experienced a resurgence in recent years. ISF Members reported that they are now achieving success with DLP technology
when it is deployed as part of a dedicated DLP programme.
DLP tools alone cannot prevent the leakage of all types of sensitive data across every possible channel. DLP capabilities are now
extending to the cloud, mobile devices and other emerging technologies, but blind spots will inevitably remain and obscure the
occurrence of data leaks.
Ultimately, the value of DLP is to block suspected leaks and stop sensitive data from leaving an organisation, whether via file
uploads, copy and paste, printing, social media posts or email. Failure to block will limit the value of DLP to simply detecting –
rather than preventing – the leakage of data. A balance must be struck, however, between blocking risky activities and impeding
legitimate business operations.
A prerequisite of a successful DLP programme is support from executive management and ongoing collaboration with business
representatives. By implementing a comprehensive DLP programme that encompasses awareness training, tools, supporting
technologies and other security controls, organisations can compensate for weaknesses in DLP technology and proactively
manage the risk.
WHERE NEXT?
The ISF encourages collaboration on its research and tools. ISF Members are invited to join
the Process community on ISF Live to share experiences and discuss practical approaches
for implementing a successful DLP programme.
CONTACT
For further information contact:
Steve Durbin, Managing Director
US: +1 (347) 767 6772
UK: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 953 800
steve.durbin@securityforum.org
securityforum.org
PUBLISHED BY
Information Security Forum Limited
+44 (0)20 3875 6868
info@securityforum.org
securityforum.org
AUTHOR
Emma Bickerstaffe
DESIGN
Kim Whyte
WARNING
This document is confidential and is intended for the attention of and use by either organisations that are
Members of the Information Security Forum (ISF) or by persons who have purchased it from the ISF direct.
If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF
on info@securityforum.org. Any storage or use of this document by organisations which are not Members of
the ISF or who have not validly acquired the report directly from the ISF is not permitted and strictly prohibited.
This document has been produced with care and to the best of our ability. However, both the Information
Security Forum and the Information Security Forum Limited accept no responsibility for any problems or
incidents arising from its use.
CLASSIFICATION
Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the report from the ISF.
REFERENCE: ISF 18 07 01 ©2018 Information Security Forum Limited. All rights reserved.