Unit - I: Information Security Overview


UNIT –I

Information Security Management:


Information Security Overview, Threat and Attack Vectors, Types of Attacks, Common
Vulnerabilities and Exposure (CVE), Security Attacks, Fundamentals of Information
Security, Computer Security Concerns, Information Security Measures etc.
Manage Your Work to Meet Requirements (NOS 9001)

INFORMATION SECURITY OVERVIEW


Computer data often travels from one computer to another, leaving the safety of
its protected physical surroundings. Once the data is out of your hands, people with bad
intentions could modify or forge it, either for amusement or for their own benefit.
Cryptography can reformat and transform our data, making it safer on its trip between
computers. The technology is based on the essentials of secret codes, augmented by
modern mathematics that protects our data in powerful ways.
• Computer Security - generic name for the collection of tools designed to protect data
and to thwart hackers

• Network Security - measures to protect data during their transmission

• Internet Security - measures to protect data during their transmission over a collection
of interconnected networks

THE OSI SECURITY ARCHITECTURE


To assess effectively the security needs of an organization and to evaluate and
choose various security products and policies, the manager responsible for security
needs some systematic way of defining the requirements for security and characterizing
the approaches to satisfying those requirements. The OSI security architecture was
developed in the context of the OSI protocol architecture, which is described in Appendix
H. However, for our purposes in this chapter, an understanding of the OSI protocol
architecture is not required. For our purposes, the OSI security architecture provides a
useful, if abstract, overview of many of the concepts. The OSI security architecture focuses
on security attacks, mechanisms, and services. These can be defined briefly as follows:

Threat
A potential for violation of security, which exists when there is a circumstance,
capability, action, or event that could breach security and cause harm. That is, a
threat is a possible danger that might exploit a vulnerability.
Attack
An assault on system security that derives from an intelligent threat; that is, an
intelligent act that is a deliberate attempt (especially in the sense of a method or
technique) to evade security services and violate the security policy of a system.

Information Security: It can be defined as “measures adopted to prevent the
unauthorized use, misuse, modification or denial of use of knowledge, facts, data or
capabilities”. Three aspects of IS are:
 Security Attack: Any action that compromises the security of information.
 Security Mechanism: A mechanism that is designed to detect, prevent, or recover
from a security attack.
 Security Service: A processing or communication service that enhances the
security of data processing systems and information transfers. The services are
intended to counter security attacks by making use of one or more security
mechanisms to provide the service.
SECURITY ATTACK
 Any action that compromises the security of information owned by an
organization.
 Information security is about how to prevent attacks, or, failing that, to detect
attacks on information-based systems.
 The terms threat and attack are often used to mean the same thing.
 There is a wide range of attacks.
 We can focus on two generic types of attacks:
 Passive
 Active

PASSIVE ATTACK
A Passive attack attempts to learn or make use of information from the system, but does
not affect system resources.

Two types:
Release of message content
It may be desirable to prevent the opponent from learning the contents (i.e.
sensitive or confidential information) of the transmission.

Traffic analysis
A more subtle technique in which the opponent determines the location and
identity of communicating hosts and observes the frequency and length of encrypted
messages being exchanged, thereby guessing the nature of the communication taking place.
Passive attacks are very difficult to detect because they do not involve any alteration of
the data. As the communications take place in a very normal fashion, neither the sender
nor the receiver is aware that a third party has read the messages or observed the traffic
pattern. So, the emphasis in dealing with passive attacks is on prevention rather than
detection.

ACTIVE ATTACK
Active attacks involve some modification of the data stream or creation of a false
stream. An active attack attempts to alter system resources or affect their operation.

Four types:
 Masquerade: Here, an entity pretends to be some other entity. It usually includes
one of the other forms of active attack.
 Replay: It involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect.
 Modification of messages: It means that some portion of a legitimate message is
altered, or that messages are delayed to produce an unauthorized effect.
Ex: “John’s acc no is 2346” is modified as “John’s acc no is 7892”
 Denial of service: This attack prevents or inhibits the normal use or management
of communication facilities.
Ex: a: Disruption of an entire network by disabling it
b: Suppression of all messages to a particular destination by a third party.
Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks
are difficult to detect, measures are available to prevent their success. On the other hand,
it is quite difficult to prevent active attacks absolutely, because of the wide variety of
potential physical, software and network vulnerabilities. Instead, the goal is to detect
active attacks and to recover from any disruption or delays caused by them.
INTERRUPTION
An asset of the system is destroyed or becomes unavailable or unusable. It is an attack
on availability.

Examples:
 Destruction of some hardware
 Jamming wireless signals
 Disabling file management systems
INTERCEPTION
An unauthorized party gains access to an asset. Attack on confidentiality.

Examples:
 Wire tapping to capture data in a network.
 Illicitly copying data or programs
 Eavesdropping

MODIFICATION
When an unauthorized party gains access to an asset and tampers with it. Attack on Integrity.
Examples:
 Changing data file
 Altering a program and the contents of a message

FABRICATION
An unauthorized party inserts a counterfeit object into the system. Attack on
Authenticity. Also called impersonation.

Examples:
 Hackers gaining access to a personal email and sending message
 Insertion of records in data files
 Insertion of spurious messages in a network

SECURITY SERVICES
A security service is a processing or communication service that is provided by a system to give a
specific kind of protection to system resources. Security services implement security
policies and are implemented by security mechanisms.
Confidentiality

Confidentiality is the protection of transmitted data from passive attacks. It is used
to prevent the disclosure of information to unauthorized individuals or systems. It has
been defined as “ensuring that information is accessible only to those authorized to have
access”.
The other aspect of confidentiality is the protection of traffic flow from analysis.
Ex: A credit card number has to be secured during online transaction.
Authentication
This service assures that a communication is authentic. For a single message
transmission, its function is to assure the recipient that the message is from the intended
source. For an ongoing interaction, two aspects are involved. First, during connection
initiation the service assures the authenticity of both parties. Second, it assures that the connection
between the two hosts is not interfered with in a way that allows a third party to masquerade as one of
the two parties. The two specific authentication services defined in X.800 are:
Peer entity authentication: Verifies the identities of the peer entities involved in
communication. Provided for use at the time of connection establishment and during data
transmission. Provides confidence against a masquerade or a replay attack.
Data origin authentication: Assures the authenticity of the source of a data unit, but
does not provide protection against duplication or modification of data units. Supports
applications like electronic mail, where no prior interaction takes place between the
communicating entities.
Integrity
Integrity means that data cannot be modified without authorization. Like
confidentiality, it can be applied to a stream of messages, a single message or selected
fields within a message. Two types of integrity services are available. They are:
Connection-Oriented Integrity Service: This service deals with a stream of
messages and assures that messages are received as sent, with no duplication, insertion,
modification, reordering or replays. Destruction of data is also covered here. Hence, it
attends to both message stream modification and denial of service.
Connectionless Integrity Service: It deals with individual messages
regardless of any larger context, providing protection against message modification only.
An integrity service can be applied with or without recovery. Because it is related to
active attacks, the major concern is detection rather than prevention. If a violation is
detected and the service reports it, either human intervention or automated recovery
mechanisms are required to recover.
Non-repudiation
Non-repudiation prevents either sender or receiver from denying a transmitted
message. This capability is crucial to e-commerce. Without it an individual or entity can
deny that he, she or it is responsible for a transaction, therefore not financially liable.
Access Control
This refers to the ability to control the level of access that individuals or entities
have to a network or system and how much information they can receive. It is the ability
to limit and control the access to host systems and applications via communication links.
For this, each entity trying to gain access must first be identified or authenticated, so that
access rights can be tailored to the individuals.
Availability
It is defined to be the property of a system or a system resource being accessible
and usable upon demand by an authorized system entity. Availability can be significantly
affected by a variety of attacks, some amenable to automated countermeasures such as
authentication and encryption, and others needing some sort of physical action to prevent or
recover from loss of availability of elements of a distributed system.

SECURITY MECHANISMS:
According to X.800, the security mechanisms are divided into those implemented
in a specific protocol layer and those that are not specific to any particular protocol layer
or security service. X.800 also differentiates reversible and irreversible encipherment
mechanisms. A reversible encipherment mechanism is simply an encryption algorithm
that allows data to be encrypted and subsequently decrypted, whereas irreversible
encipherment mechanisms include hash algorithms and message authentication codes used in digital
signature and message authentication applications.
SPECIFIC SECURITY MECHANISMS:
These are incorporated into the appropriate protocol layer in order to provide some of the
OSI security services.
Encipherment: It refers to the process of applying mathematical algorithms for
converting data into a form that is not intelligible. This depends on the algorithm used and
the encryption keys.
Digital Signature: Data appended to, or a cryptographic transformation applied
to, a data unit that allows the recipient to prove the source and integrity of the data unit and protect
against forgery.
Access Control: A variety of techniques used for enforcing access permissions to
the system resources.
Data Integrity: A variety of mechanisms used to assure the integrity of a data unit
or stream of data units.
Authentication Exchange: A mechanism intended to ensure the identity of an
entity by means of information exchange.
Traffic Padding: The insertion of bits into gaps in a data stream to frustrate traffic
analysis attempts.
Routing Control: Enables selection of particular physically secure routes for
certain data and allows routing changes once a breach of security is suspected.
Notarization: The use of a trusted third party to assure certain properties of a
data exchange

PERVASIVE SECURITY MECHANISMS:

These are not specific to any particular OSI security service or protocol layer.
Trusted Functionality: That which is perceived to be correct with respect to some
criteria.
Security Level: The marking bound to a resource (which may be a data unit) that
names or designates the security attributes of that resource.
Event Detection: It is the process of detecting all the events related to network
security.
Security Audit Trail: Data collected and potentially used to facilitate a security
audit, which is an independent review and examination of system records and activities.
Security Recovery: It deals with requests from mechanisms, such as event
handling and management functions, and takes recovery actions.
MODEL FOR NETWORK SECURITY

Data is transmitted over a network between two communicating parties, who must
cooperate for the exchange to take place. A logical information channel is established by
defining a route through the internet from source to destination and by the use of communication
protocols by the two parties. Whenever an opponent presents a threat to the confidentiality or
authenticity of the information, security aspects come into play. Two components are present
in almost all security-providing techniques:
 A security-related transformation on the information to be sent, making it unreadable
by the opponent, and the addition of a code based on the contents of the message, used to
verify the identity of the sender.
 Some secret information shared by the two principals and, it is hoped, unknown to
the opponent. An example is an encryption key used in conjunction with the transformation
to scramble the message before transmission and unscramble it on reception.
A trusted third party may be needed to achieve secure transmission. It is
responsible for distributing the secret information to the two parties, while keeping it
away from any opponent. It also may be needed to settle disputes between the two parties
regarding authenticity of a message transmission. The general model shows that there
are four basic tasks in designing a particular security service:
1. Design an algorithm for performing the security-related transformation. The
algorithm should be such that an opponent cannot defeat its purpose
2. Generate the secret information to be used with the algorithm
3. Develop methods for the distribution and sharing of the secret information
4. Specify a protocol to be used by the two principals that makes use of the security
algorithm and the secret information to achieve a particular security service
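As an added example that is not part of these notes, the Python below works through task 1 (the transformation, here a code computed over the message contents with an HMAC) and task 4 (the protocol both principals follow) for the connection-oriented integrity service described earlier, and checks the receiver against the modification, replay and masquerade attempts named in the active-attack section. The shared key and the messages are constructed sample values; the encryption transformation that would also give confidentiality is left out to keep the focus on the integrity code.

```python
import hashlib
import hmac
from typing import List, Tuple

# Secret information shared by the two principals and, it is hoped, unknown to
# the opponent. Constructed sample value for this example only.
SHARED_KEY = b"constructed-shared-secret"

OK = "ok"
MODIFIED = "rejected: modification (code does not match contents)"
REPLAY = "rejected: replay (sequence number already seen)"
GAP = "rejected: reordering or suppression (gap in sequence numbers)"


def make_code(key: bytes, seq: int, message: bytes) -> bytes:
    """Code based on the contents of the message, bound to its position in the
    stream and computed with the shared secret (an HMAC-SHA256 here)."""
    return hmac.new(key, seq.to_bytes(8, "big") + message, hashlib.sha256).digest()


def send(key: bytes, seq: int, message: bytes) -> Tuple[int, bytes, bytes]:
    """Sender side: the data unit as it travels over the information channel."""
    return seq, message, make_code(key, seq, message)


class Receiver:
    """Receiver side of the connection-oriented integrity service: accepts a
    stream of messages only as sent, with no modification, replay or reordering."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.expected_seq = 0
        self.accepted: List[bytes] = []

    def receive(self, seq: int, message: bytes, code: bytes) -> str:
        # Recompute the code from the received contents; any change to the
        # message, the sequence number or the code itself makes this fail.
        # compare_digest avoids leaking timing information about where it differs.
        if not hmac.compare_digest(make_code(self.key, seq, message), code):
            return MODIFIED
        if seq < self.expected_seq:
            return REPLAY  # an old data unit captured and retransmitted
        if seq > self.expected_seq:
            return GAP  # something in between was suppressed or reordered
        self.expected_seq += 1
        self.accepted.append(message)
        return OK


def demo() -> List[str]:
    """Walks through the attacks named in the text and returns the verdicts."""
    rx = Receiver(SHARED_KEY)
    seq, msg, code = send(SHARED_KEY, 0, b"John's acc no is 2346")
    results = [rx.receive(seq, msg, code)]  # genuine message: ok
    # Modification of messages: the contents change but the code does not.
    results.append(rx.receive(seq, b"John's acc no is 7892", code))
    # Replay: the captured, genuine data unit is retransmitted as-is.
    results.append(rx.receive(seq, msg, code))
    # Masquerade: without the shared secret no valid code can be produced.
    fake = b"John's acc no is 7892"
    results.append(rx.receive(1, fake, make_code(b"guessed-key", 1, fake)))
    results.append(rx.receive(*send(SHARED_KEY, 1, b"Transfer approved")))  # ok
    results.append(rx.receive(*send(SHARED_KEY, 3, b"Late message")))  # gap
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```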
Various other threats to information system like unwanted access still exist. The
existence of hackers attempting to penetrate systems accessible over a network remains
a concern. Another threat is placement of some logic in computer system affecting various
applications and utility programs. This inserted code presents two kinds of threats.
Some basic terminologies used:
 CIPHER TEXT - the coded message
 CIPHER - algorithm for transforming plaintext to ciphertext
 KEY - info used in the cipher, known only to sender/receiver
 ENCIPHER (ENCRYPT) - converting plaintext to ciphertext
 DECIPHER (DECRYPT) - recovering plaintext from ciphertext
 CRYPTOGRAPHY - study of encryption principles/methods
 CRYPTANALYSIS (CODEBREAKING) - the study of principles/methods of deciphering
ciphertext without knowing the key
 CRYPTOLOGY - the field of both cryptography and cryptanalysis

CRYPTOGRAPHY
Cryptographic systems are generally classified along 3 independent dimensions:
Type of operations used for transforming plain text to cipher text
All encryption algorithms are based on two general principles: substitution,
in which each element in the plaintext is mapped into another element, and
transposition, in which elements in the plaintext are rearranged.
The number of keys used
If the sender and receiver use the same key, it is said to be symmetric key (or)
single key (or) conventional encryption. If the sender and receiver use different keys,
it is said to be public key encryption.
The way in which the plain text is processed
A block cipher processes the input one block of elements at a time, producing an
output block for each input block. A stream cipher processes the input elements
continuously, producing output one element at a time, as it goes along.

CRYPTANALYSIS
The process of attempting to discover the plaintext X or the key K, or both, is known as cryptanalysis. The strategy
used by the cryptanalyst depends on the nature of the encryption scheme and the
information available to the cryptanalyst. There are various types of cryptanalytic attacks
based on the amount of information known to the cryptanalyst.
Cipher text only – A copy of the cipher text alone is known to the cryptanalyst.

Known plaintext – The cryptanalyst has a copy of the cipher text and the corresponding
plaintext.

Chosen plaintext – The cryptanalyst gains temporary access to the encryption machine.
They cannot open it to find the key; however, they can encrypt a large number of suitably
chosen plaintexts and try to use the resulting cipher texts to deduce the key.
Chosen cipher text – The cryptanalyst obtains temporary access to the decryption machine,
uses it to decrypt several strings of symbols, and tries to use the results to deduce the key.

COMMON VULNERABILITIES AND EXPOSURE (CVE)

Common Vulnerabilities and Exposures (CVE) is a dictionary-type reference
system or list for publicly known information-security threats. Every exposure or
vulnerability included in the CVE list consists of one common, standardized CVE name.

CVE is maintained by the MITRE Corporation and sponsored by the National Cyber
Security Division (NCSD) of the Department of Homeland Security. The CVE dictionary, a
shared information security vulnerability data list, may be viewed by the public.

In information security,

A VULNERABILITY is a software coding error that is used by hackers to enter an
information system and perform unauthorized activities while posing as an authorized
user.
AN EXPOSURE is a software error that allows hackers to break into a system. During an
exposure, attackers may gain information or hide unauthorized actions.

Items in the CVE list get names based on the year of their formal inclusion and the
order in which they were included in the list that year. The CVE helps computer security
tool vendors identify vulnerabilities and exposures. Before CVE, tools had proprietary
vulnerability databases, and no common dictionary existed. The key objective of CVE is
to help share data across different vulnerable databases and security tools.

CVE is used by the Security Content Automation Protocol, and CVE IDs are listed on
MITRE's system as well as the US National Vulnerability Database.

CVE IDENTIFIERS
MITRE Corporation's documentation defines CVE Identifiers (also called "CVE
names", "CVE numbers", "CVE-IDs", and "CVEs") as unique, common identifiers for
publicly known information-security vulnerabilities in publicly released software
packages. Historically, CVE identifiers had a status of "candidate" ("CAN-") and could then
be promoted to entries ("CVE-"), however this practice was ended some time ago and all
identifiers are now assigned as CVEs. The assignment of a CVE number is not a guarantee
that it will become an official CVE entry (e.g. a CVE may be improperly assigned to an
issue which is not a security vulnerability, or which duplicates an existing entry).

CVEs are assigned by a CVE Numbering Authority (CNA);[3] there are three primary types
of CVE number assignments:

1. The MITRE Corporation functions as Editor and Primary CNA
2. Various CNAs assign CVE numbers for their own products (e.g. Microsoft, Oracle,
HP, Red Hat, etc.)
3. A third-party coordinator such as CERT Coordination Center may assign CVE
numbers for products not covered by other CNAs

When investigating a vulnerability or potential vulnerability it helps to acquire a
CVE number early on. CVE numbers may not appear in the MITRE or NVD CVE databases
for some time (days, weeks, months or potentially years) due to issues that are
embargoed (the CVE number has been assigned but the issue has not been made public),
or in cases where the entry is not researched and written up by MITRE due to resource
issues. The benefit of early CVE candidacy is that all future correspondence can refer to
the CVE number. Information on getting CVE identifiers for issues with open source
projects is available from Red Hat.[4]

CVEs are for software that has been publicly released; this can include betas and
other pre-release versions if they are widely used. Commercial software is included in the
"publicly released" category, however custom-built software that is not distributed
would generally not be given a CVE. Additionally services (e.g. a Web-based email
provider) are not assigned CVEs for vulnerabilities found in the service (e.g. an XSS
vulnerability) unless the issue exists in an underlying software product that is publicly
distributed.

What is the new CVE-ID Syntax?

The new CVE-ID syntax is variable length and includes:

CVE prefix + Year + Arbitrary Digits

NOTE: The variable length arbitrary digits will begin at four (4) fixed digits and expand
with arbitrary digits only when needed in a calendar year, for example, CVE-YYYY-NNNN
and if needed CVE-YYYY-NNNNN, CVE-YYYY-NNNNNNN, and so on. This also means there
will be no changes needed to previously assigned CVE-IDs, which all include 4 digits.
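As an added example that is not part of these notes, the Python below validates and extracts identifiers written in the syntax just described (CVE prefix, four-digit year, at least four sequence digits that may grow). Accepting the historical "CAN-" candidate prefix for legacy references is an assumption made here, not part of the current syntax, and the identifiers in the sample text are constructed placeholders, not real CVE entries.

```python
import re
from typing import List, NamedTuple, Optional

# Syntax described in the text: CVE prefix + four-digit year + at least four
# arbitrary digits, growing beyond four only when a year needs more.
# Accepting the historical "CAN-" candidate prefix is an assumption made here so
# that old references can still be parsed; it is not part of the current syntax.
_CVE_PATTERN = r"(?P<prefix>CVE|CAN)-(?P<year>\d{4})-(?P<seq>\d{4,})"
_CVE_FULL_RE = re.compile(r"^" + _CVE_PATTERN + r"$", re.IGNORECASE)
_CVE_SCAN_RE = re.compile(r"\b" + _CVE_PATTERN + r"\b", re.IGNORECASE)


class CveId(NamedTuple):
    year: int
    sequence: int
    legacy: bool  # True when written with the historical "CAN-" prefix

    def canonical(self) -> str:
        """Upper-case CVE form; the sequence keeps the four-digit minimum and
        simply prints longer when a year has needed more digits."""
        return f"CVE-{self.year:04d}-{self.sequence:04d}"


def parse_cve_id(text: str) -> Optional[CveId]:
    """Parse a single identifier; returns None if it does not follow the syntax."""
    m = _CVE_FULL_RE.match(text.strip())
    if m is None:
        return None
    return CveId(
        year=int(m.group("year")),
        sequence=int(m.group("seq")),
        legacy=m.group("prefix").upper() == "CAN",
    )


def is_valid_cve_id(text: str) -> bool:
    return parse_cve_id(text) is not None


def find_cve_ids(text: str) -> List[str]:
    """Extract identifiers from free text (an advisory, a changelog), returned in
    canonical form and de-duplicated in order of first appearance."""
    found: List[str] = []
    for m in _CVE_SCAN_RE.finditer(text):
        cid = CveId(
            int(m.group("year")),
            int(m.group("seq")),
            m.group("prefix").upper() == "CAN",
        ).canonical()
        if cid not in found:
            found.append(cid)
    return found


# Constructed sample text; the identifiers are placeholders chosen for syntax
# checking only and do not refer to real CVE entries.
SAMPLE_ADVISORY = (
    "Fixed CVE-2099-0001 and cve-2099-12345 (see also CVE-2099-0001). "
    "Old reference CAN-2099-0002. Malformed: CVE-2099-123 and CVE-99-0001."
)

if __name__ == "__main__":
    print(find_cve_ids(SAMPLE_ADVISORY))
```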

This is a standardized text description of the issue(s). One common entry is:

“** RESERVED ** This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the candidate has been
publicized, the details for this candidate will be provided.”

This means that the entry number has been reserved by Mitre for an issue, or a CNA
has reserved the number. So in the case where a CNA requests a block of CVE numbers in
advance (e.g. Red Hat currently requests CVEs in blocks of 500), the CVE number will be
marked as reserved even though the CVE itself may not be assigned by the CNA for some
time. Until the CVE is assigned AND Mitre is made aware of it (e.g. the embargo passes
and the issue is made public), AND Mitre has researched the issue and written a
description of it, entries will show up as "** RESERVED **".

CVE attempts to assign one CVE per security issue; however, in many cases this would
lead to an extremely large number of CVEs (e.g. where several dozen cross-site scripting
vulnerabilities are found in a PHP application due to lack of use of htmlspecialchars(), or
the insecure creation of files in /tmp). To deal with this there are guidelines (subject to
change) that cover the splitting and merging of issues into distinct CVE numbers. As a
general guideline, consider the issues to be merged, then split them by the type of
vulnerability (e.g. buffer overflow vs. stack overflow), then by the software version
affected (e.g. if one issue affects version 1.3.4 through 2.5.4 and the other affects 1.3.4
through 2.5.8 they would be SPLIT), and then by the reporter of the issue (e.g. if Alice
reports one issue and Bob reports another issue, the issues would be SPLIT into separate
CVE numbers). Another example: Alice reports a /tmp file creation vulnerability in
version 1.2.3 and earlier of the ExampleSoft web browser; in addition to this issue, several
other /tmp file creation issues are found. In some cases this may be considered as two
reporters (and thus SPLIT into two separate CVEs), or, if Alice works for ExampleSoft and
an ExampleSoft internal team finds the rest, it may be MERGED into a single CVE.
Conversely, issues can be merged, e.g. if Bob finds 145 XSS vulnerabilities in
ExamplePlugin for ExampleFrameWork, regardless of the versions affected and so on, they
may be merged into a single CVE.

COMPUTER SECURITY CONCERNS

People who fall in love with the Net do so for different reasons. Many love the
ability to quickly and cheaply keep up with friends and loved ones via e-mail, while others
love the vast oceans of information or the rush of playing Internet games.

However, it's likely that most Internet users share one thing in common as they
surf: the last thing on their minds is computer security.

While that's understandable, it's also a big mistake. It is important to remember
that surfing the Net comes with certain inherent risks. When you log onto the Net, you
step into the public arena, even if you're surfing from a bedroom computer while lounging
around in your skivvies!

There are as many bad guys in cyberspace as there are in everyday life, and those
shady characters are constantly prowling the Internet in search of new victims to scam.

However, the media often exaggerate these dangers. It is extremely unlikely
(though not impossible) that anyone reading this article will fall prey to an Internet crime,
and in truth the risks are not much greater than those associated with many fun activities.

Does the potential of breaking a bone keep you from enjoying your favorite ski
slope or bike trail? Of course not. Instead, the smart person uses the necessary caution
that will allow for a safe and enjoyable experience.

That ethos also applies to those who want to surf the Web safely. There are
countless ways that thieves and mischief makers can wreak havoc with your sense of
security, but there are just as many ways to keep intruders at bay via safe-surfing
techniques or security software.

Some of the Concerns/Issues of Computer Security

 Hacking: unauthorized access to or use of data, systems, servers or networks, including any
attempt to probe, scan or test the vulnerability of a system, server or network or to breach
security or authentication measures without express authorization of the owner of the
system, server or network. Members of the University should not run computer programs
that are associated with hacking without prior authorisation. Obtaining and using such
programs is not typical of normal usage and may therefore otherwise be regarded as misuse.
 Use of University-owned computer equipment, including the network, for illegal activities,
including copying copyrighted material without permission. The vast majority of files shared
on P2P (peer-to-peer) networks violate copyright law because they were posted without
permission of the artist or label.
 Sending abusive e-mails or posting offensive Web pages.
 Creation or transmission of any offensive or indecent images.
 Giving unauthorized access to University computing resources, e.g. allowing an account to
be used by someone not authorized to use it.
 Deliberately creating or spreading computer viruses or worms.
 Unauthorized running of applications that involve committing the University to sharing its
computing resources, e.g. network bandwidth, in an uncontrolled and unlimited way.

To secure a computer system, it is important to understand the attacks that can be
made against it, and these threats can typically be classified into one of the categories
below:

Backdoors

A backdoor in a computer system, a cryptosystem or an algorithm, is any secret
method of bypassing normal authentication or security controls. They may exist for a
number of reasons, including by original design or from poor configuration. They may
also have been added later by an authorized party to allow some legitimate access, or by
an attacker for malicious reasons; but regardless of the motives for their existence, they
create a vulnerability.

Denial-of-service attack

Denial of service attacks are designed to make a machine or network resource
unavailable to its intended users. Attackers can deny service to individual victims, such
as by deliberately entering a wrong password enough consecutive times to cause the
victim's account to be locked, or they may overload the capabilities of a machine or
network and block all users at once. While a network attack from a single IP address can
be blocked by adding a new firewall rule, many forms of Distributed denial of
service (DDoS) attacks are possible, where the attack comes from a large number of
points – and defending is much more difficult. Such attacks can originate from the zombie
computers of a botnet, but a range of other techniques are possible, including reflection
and amplification attacks, where innocent systems are fooled into sending traffic to the
victim.

Direct-access attacks
(Figure: Common consumer devices that can be used to transfer data surreptitiously.)

An unauthorized user gaining physical access to a computer is most likely able to directly
download data from it. They may also compromise security by making operating
system modifications, installing software worms, key loggers, or covert listening devices.
Even when the system is protected by standard security measures, these may be
bypassed by booting another operating system or tool from a CD-ROM or other
bootable media. Disk encryption and Trusted Platform Modules are designed to prevent
these attacks.

Eavesdropping

Eavesdropping is the act of surreptitiously listening to a private conversation,
typically between hosts on a network. For instance, programs such
as Carnivore and NarusInsight have been used by the FBI and NSA to eavesdrop on the
systems of internet service providers. Even machines that operate as a closed system (i.e.,
with no contact to the outside world) can be eavesdropped upon via monitoring the
faint electro-magnetic transmissions generated by the hardware; TEMPEST is a
specification by the NSA referring to these attacks.

Spoofing

Spoofing of user identity describes a situation in which one person or program
successfully masquerades as another by falsifying data.

Tampering

Tampering describes a malicious modification of products. So-called "Evil Maid"
attacks and security services planting of surveillance capability into routers[6] are
examples.

Privilege escalation

Privilege escalation describes a situation where an attacker with some level of
restricted access is able to, without authorization, elevate their privileges or access level.
So for example a standard computer user may be able to fool the system into giving them
access to restricted data; or even to "become root" and have full unrestricted access to a
system.

Phishing

Phishing is the attempt to acquire sensitive information such as usernames,
passwords, and credit card details directly from users. Phishing is typically carried out by
email spoofing or instant messaging, and it often directs users to enter details at a fake
website whose look and feel are almost identical to the legitimate one. Preying on a
victim's trust, phishing can be classified as a form of social engineering.

INFORMATION SECURITY MEASURES

Information is one of the most valuable assets. The use of proper preventive
measures and safeguards can reduce the risk of potentially devastating security attacks,
which could cost you the future of your business. Some losses might be irrecoverable,
such as the loss of a business deal due to leaks of confidential data to your competitor.

CYBER CRIME SYNDICATES

Although the lone criminal mastermind still exists, these days most malicious
hacking attacks are the result of organized groups, many of which are professional.
Traditional organized crime groups that used to run drugs, gambling, prostitution, and
extortion have thrown their hats into the online money grab ring, but competition is
fierce, led not by mafiosos but by several very large groups of professional criminals aimed
specifically at cybercrime.

Many of the most successful organized cybercrime syndicates are businesses that
lead large affiliate conglomerate groups, much in the vein of legal distributed marketing
hierarchies. In fact, today's cybercriminal probably has more in common with an Avon or
Mary Kay rep than either wants to admit.

Small groups, with a few members, still hack, but more and more, IT security pros
are up against large corporations dedicated to rogue behavior. Think full-time employees,
HR departments, project management teams, and team leaders.

SMALL-TIME CONS -- AND THE MONEY MULES AND LAUNDERERS SUPPORTING THEM

Not all cybercriminal organizations are syndicates or corporations. Some are
simply entrepreneurial in nature, small businesses after one thing: money.

These malicious mom-and-pop operations may steal identities and passwords, or
they may cause nefarious redirection to get it. In the end, they want money. They initiate
fraudulent credit card or banking transactions and convert their ill-gotten gains into local
currency using money mules, electronic cash distribution, e-banking, or some other sort
of money laundering.

It's not hard to find money launderers. There are dozens to hundreds of entities
competing to be the one that gets to take a large percentage cut of the illegally procured
loot. In fact, you'd be surprised at the competitive and public nature of all the other people
begging to do support business with Internet criminals. They advertise "no questions
asked," "bulletproof" hosting in countries far from the reach of legal subpoenas, and
they offer public bulletin boards, software specials, 24/7 telephone support, bidding
forums, satisfied customer references, antimalware avoidance skills, and all the servicing
that helps others to be better online criminals. Many of these groups make tens of millions
of dollars each year.

Many of these groups and the persons behind them have been identified (and
arrested) over the past few years. Their social media profiles show happy people with big
houses, expensive cars, and content families taking foreign vacations. If they're the
slightest bit guilty from stealing money from others, it doesn't show.

Imagine the neighborhood barbeques where they tell neighbors and friends that
they run an "Internet marketing business" -- all the while social engineering their way to
millions to the consternation of IT security pros who have done just about everything you
can to protect users from themselves.

HACKTIVISTS

Whereas exploit bragging was not uncommon in the early days, today's cyber
criminal seeks to fly under the radar -- with the exception of the growing legions of
hacktivists.

These days IT security pros have to contend with an increasing number of loose
confederations of individuals dedicated to political activism, like the infamous
Anonymous group. Politically motivated hackers have existed since hacking was first
born. The big change is that more and more of it is being done in the open, and society is
readily acknowledging it as an accepted form of political activism.

Political hacking groups often communicate, either anonymously or not, in open
forums announcing their targets and hacking tools ahead of time. They gather more
members, take their grievances to the media to drum up public support, and act
astonished if they get arrested for their illegal deeds. Their intent is to embarrass
and bring negative media attention to the victim as much as possible, whether that
includes hacking customer information, committing DDoS (distributed denial of service)
attacks, or simply causing the victim company additional strife.

More often than not, political hacktivism is intent on causing monetary pain to its
victim in an attempt to change the victim's behavior in some way. Individuals can be
collateral damage in this fight, and regardless of whether one believes in the hacktivist's
political cause, the intent and methodology remain criminal.

INTELLECTUAL PROPERTY THEFT AND CORPORATE ESPIONAGE

While the likelihood of dealing with hacktivists may be low, most IT security pros
have to contend with the large group of malicious hackers that exist only to steal
intellectual property from companies or to perform straight-up corporate espionage.

The method of operations here is to break into a company's IT assets, dump all the
passwords, and over time, steal gigabytes of confidential information: patents, new
product ideas, military secrets, financial information, business plans, and so on. Their
intent is to find valuable information to pass along to their customers for financial gain,
and their goal is to stay hidden inside the compromised company's network for as long
as possible.

To reap their rewards, they eavesdrop on important emails, raid databases, and
gain access to so much information that many have begun to develop their own malicious
search engines and query tools to separate the fodder from the more interesting
intellectual property.

This sort of attacker is known as an APT (advanced persistent threat) or DHA
(determined human adversary). There are few large companies that have not been
successfully compromised by these campaigns.

MALWARE MERCENARIES

No matter what the intent or group behind the cybercrime, someone has to make
the malware. In the past, a single programmer would make malware for his or her own
use, or perhaps to sell. Today, there are teams and companies dedicated solely to writing
malware. They turn out malware intended to bypass specific security defenses, attack
specific customers, and accomplish specific objectives. And they're sold on the open
market in bidding forums.

Often the malware is multiphased and componentized. A smaller stub program is
tasked with the initial exploitation of the victim's computer, and once securely placed to
ensure it lives through a reboot, it contacts a "mothership" Web server for further
instructions. Often the initial stub program sends out DNS queries looking for the
mothership, itself often a compromised computer temporarily acting as a mothership.
These DNS queries are sent to DNS servers that are just as likely to be innocently infected
victim computers. The DNS servers move from computer to computer, just as the
mothership Web servers do.

Once contacted, the DNS and mothership server often redirect the initiating stub
client to other DNS and mothership servers. In this way, the stub client is directed over
and over (often more than a dozen times) to newly exploited computers, until eventually
the stub program receives its final instructions and the more permanent malicious
program is installed.

All in all, the setup used by today's malware writers makes it very difficult for IT
security pros to defend against their wares.

THE INCREASINGLY COMPROMISED WEB

At the most basic level, a website is simply a computer, just like a regular end-user
workstation; in turn, Webmasters are end-users like everyone else. It's not surprising to
find the legitimate Web is being increasingly littered with malicious JavaScript
redirection links.

But it's not entirely a matter of Webmasters' computers being exploited that's
leading to the rise in Web server compromises. More often, the attacker finds a weakness
or vulnerability in a website that allows them to bypass admin authentication and write
malicious scripts.

Common website vulnerabilities include poor passwords, cross-site scripting
vulnerabilities, SQL injection, vulnerable software, and insecure permissions. The Open
Web Application Security Project Top 10 list is the authority on how most Web servers
get compromised.

Many times it isn't the Web server or its application software but some link or
advertisement that gets hacked. It's fairly common for banner ads, which are often placed
and rotated by general advertising agencies, to end up infected. Heck, many times the
malware guys simply buy ad space on popular Web servers.

ALL-IN-ONE MALWARE

Today's sophisticated malware programs often offer all-in-one, soup-to-nuts
functionality. They will not only infect the end-user but also break into websites and
modify them to help infect more victims. These all-in-one malware programs often come
with management consoles so that their owners and creators can keep track of what the
botnet is doing, who they are infecting, and which ones are most successful.

Most malicious programs are Trojan horses. Computer viruses and worms have
long since ceased to be the most popular types of malware. In most cases, the end-user is
tricked into running a Trojan horse that's advertised as a necessary antivirus scan, disk
defragmentation tool, or some other seemingly essential or innocuous utility. The user's
normal defenses are fooled because most of the time the Web page offering the rogue
executable is a trusted site they've visited many times. The bad guys simply compromised
the site, using a host of tricks, and inserted a few lines of JavaScript that redirect the user's
browsers to the Trojan horse program.

Because many of the evildoers present themselves as businessmen from
legitimate corporations, complete with corporate headquarters, business cards, and
expense accounts, it's not always so easy to separate the legitimate ad sources from the
bad guys, who often begin advertising a legitimate product only to switch out the link in
the ad to a rogue product after the ad campaign is under way. One of the more interesting
exploits involved hackers compromising a cartoon syndicate so that every newspaper
republishing the affected cartoons ended up pushing malware. You can't even trust a
cartoon anymore.

Another problem with hacked websites is that the computers hosting one site can
often host multiple sites, sometimes numbering in the hundreds or thousands. One
hacked website can quickly lead to thousands more.

No matter how the site was hacked, the innocent user, who might have visited this
particular website for years without a problem, one day gets prompted to install an
unexpected program. Although they're surprised, the fact that the prompt is coming from
a website they know and trust is enough to get them to run the program. After that, it's
game over. The end-user's computer (or mobile device) is yet another cog in someone's
big botnet.

CYBER WARFARE

Nation-state cyber warfare programs are in a class to themselves and aren't
something most IT security pros come up against in their daily routines. These covert
operations create complex, professional cyber warfare programs intent on monitoring
adversaries or taking out an adversary's functionality, but as Stuxnet and Duqu show, the
fallout of these methods can have consequences for more than just the intended targets.

Crime and no punishment

Some victims never recover from exploitation: their credit record is forever scarred by a
hacker's fraudulent transaction, the malware uses the victim's address book to forward
itself to friends and family members, and victims of intellectual property theft spend
tens of millions of dollars on repair and prevention.

The worst part is that almost none of those who use the above malicious attacks are
successfully prosecuted. The professional criminals on the Internet are living large
because the Internet isn't good at producing court-actionable evidence. It's anonymous
by default, and tracks are lost and covered up in milliseconds. Right now we live in the
"wild, wild West" days of the Internet. As it matures, the criminal safe havens will dry up.
Until then, IT security pros have their work cut out for them.

Definitions: Risk = Threat X Vulnerability

 Being "at risk" is being exposed to threats.
 Risks are subjective -- the potential to incur consequences of harm or loss
of target assets.
 A Risk Factor is the likelihood of resources being attacked.
 Threats are dangerous actions that can cause harm. The degree of
threat depends on the attacker's Skills, Knowledge, Resources, Authority, and
Motives.
 Vulnerabilities are weaknesses in victims that allow a threat to become effective.

Who They Are

 A rogue user is an authorized user who, without permission, accesses restricted
assets.
 A bogie is an unauthorized user who subverts security systems.
 A cracker breaks into others' computing facilities for their own personal gain - be
it financial, revenge, or amusement.
 A hacktivist is a cracker with a cause. (Example of hacktivism: building Peekabooty
to get around governments blocking websites.)
 A terrorist uses fear to blackmail others into doing what they want.
 White Hats are also called “ethical" hackers, such as the Axent (now Symantec)
Tiger Team
 Black Hats disregard generally accepted social conventions and laws.
 Script kiddie is a derogatory term for a wannabe cracker who lacks programming
skills and thus relies on prewritten scripts and toolkits for their exploits.
 Journeyman is an experienced hacker: someone who has collected many tools
and made many connections.
 A Puppet Master (wizard) produces exploits.
 Malware is a generic term for malicious software such as trojan horses, worms,
and viruses.
 Warez is a nickname for pirated software (illegal copies of copyrighted software).
 Serialz are serial numbers illegally shared used to unlock software.

UNIT-2

Fundamentals of Information Security:
Key Elements of Networks, Logical Elements of Networks, Critical Information
Characteristics, Information States etc.
Work Effectively with Colleagues (NOS 9002)

KEY ELEMENTS OF NETWORKS

Computer networks share common devices, functions, and features, including
servers, clients, transmission media, shared data, shared printers and other
hardware and software resources, the network interface card (NIC), the local operating
system (LOS), and the network operating system (NOS).

Servers - Servers are computers that hold shared files, programs, and the network
operating system. Servers provide access to network resources to all the users of the
network. There are many different kinds of servers, and one server can provide several
functions. For example, there are file servers, print servers, mail servers, communication
servers, database servers, fax servers and web servers, to name a few.

Clients - Clients are computers that access and use the network and shared network
resources. Client computers are basically the customers (users) of the network, as they
request and receive services from the servers.

Transmission Media - Transmission media are the facilities used to interconnect
computers in a network, such as twisted-pair wire, coaxial cable, and optical fiber cable.
Transmission media are sometimes called channels, links or lines.

Shared data - Shared data are data that file servers provide to clients such as data files,
printer access programs and e-mail.

Shared printers and other peripherals - Shared printers and peripherals are hardware
resources provided to the users of the network by servers. Resources provided include
data files, printers, software, or any other items used by clients on the network.

Network Interface Card - Each computer in a network has a special expansion card
called a network interface card (NIC). The NIC prepares (formats) and sends data,
receives data, and controls data flow between the computer and the network. On the
transmit side, the NIC passes frames of data on to the physical layer, which transmits the
data to the physical link. On the receiver's side, the NIC processes bits received from the
physical layer and processes the message based on its contents.

Local Operating System - A local operating system allows personal computers to access
files, print to a local printer, and have and use one or more disk and CD drives that are
located on the computer. Examples are MS-DOS, UNIX, Linux, Windows 2000, Windows
98, Windows XP etc.

Network Operating System - The network operating system is a program that runs on
computers and servers, and allows the computers to communicate over the network.

Hub - Hub is a device that splits a network connection into multiple computers. It is like
a distribution center. When a computer requests information from a network or a specific
computer, it sends the request to the hub through a cable. The hub will receive the request
and transmit it to the entire network. Each computer in the network should then figure
out whether the broadcast data is for them or not.

Switch - A switch is a telecommunication device grouped as one of the computer network
components. A switch is like a hub but built with advanced features. It uses the physical
device addresses in each incoming message so that it can deliver the message to the right
destination or port.

Unlike a hub, a switch doesn't broadcast the received message to the entire network; rather,
before sending it checks to which system or port the message should be sent. In other
words, the switch connects the source and destination directly, which increases the speed of
the network. Both switch and hub have common features: multiple RJ-45 ports, a power
supply and connection lights.
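The hub/switch distinction above has a direct confidentiality consequence: on a hub every station sees every frame, so a single compromised machine can eavesdrop on the whole segment, whereas a switch only delivers a frame to the port it has learned for the destination address. The simulation below is an added example written for these notes (not code from the original), with constructed MAC addresses and port numbers; it models a hub as a repeater and a switch as a learning bridge that floods only unknown or broadcast destinations.

```python
"""Added example: hub (repeater) versus learning switch, as a small simulation.
MAC addresses, port numbers and frames below are constructed for illustration."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str      # source MAC address
    dst: str      # destination MAC address
    payload: str


class Hub:
    """Repeats every frame out of every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def deliver(self, in_port, frame):
        # Every other station receives the frame, whether or not it is the destination.
        return [p for p in self.ports if p != in_port]


class Switch:
    """Learns which port each source MAC lives on and forwards only to that port."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # MAC address -> port, learned from observed source addresses

    def deliver(self, in_port, frame):
        self.mac_table[frame.src] = in_port            # learn where the sender is
        if frame.dst == BROADCAST:                     # broadcasts still reach everyone
            return [p for p in self.ports if p != in_port]
        out = self.mac_table.get(frame.dst)
        if out is None:                                # unknown destination: flood
            return [p for p in self.ports if p != in_port]
        return [out] if out != in_port else []         # known destination: one port only


def run_demo(device):
    """Send three frames between stations A (port 1) and B (port 2); return the
    list of ports each frame was delivered to."""
    a, b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    traffic = [
        (1, Frame(a, b, "hello B")),   # B not yet learned: switch floods, hub repeats
        (2, Frame(b, a, "hi A")),      # A already learned from frame 1
        (1, Frame(a, b, "again")),     # B learned from frame 2
    ]
    return [device.deliver(port, frame) for port, frame in traffic]


if __name__ == "__main__":
    print("hub   :", run_demo(Hub([1, 2, 3, 4])))
    print("switch:", run_demo(Switch([1, 2, 3, 4])))
```

Note that the switch's table is learned from whatever source addresses appear on the wire, not authenticated, so this isolation is a useful side effect rather than a confidentiality control; confidentiality of data on the link still comes from encryption.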

LOGICAL ELEMENTS OF NETWORKS


A network element is usually defined as a manageable logical entity uniting one
or more physical devices. This allows distributed devices to be managed in a unified way
using one management system. According to the Telecommunications Act of 1996, the term
`network element' means a facility or equipment used in the provision of a
telecommunications service. Such term also includes features, functions, and capabilities
that are provided by means of such facility or equipment, including subscriber numbers,
databases, signaling systems, and information sufficient for billing and collection or used
in the transmission, routing, or other provision of a telecommunications service.

With the development of distributed networks, network management had become an
annoyance for administration staff. It was hard to manage each device separately even if
they were of the same vendor. Configuration overhead as well as misconfiguration
possibility were quite high. A provisioning process for a basic service required complex
configurations of numerous devices. It was also hard to store all network devices and
connections in a plain list. The network structuring approach was a natural solution.

CRITICAL INFORMATION CHARACTERISTICS

Availability

 Availability enables users who need to access information to do so without
interference or obstruction, and to receive it in the required format.
 Availability of information
 Is accessible to any user.
 Requires the verification of the user as one with authorized access to the
information.
 The information, then, is said to be available to an authorized user when and
where needed and in the correct format.
Example:-

Consider the contents of a library

 Research libraries that require identification before
entrance.
 Librarians protect the contents of the library, so that it is
available only to authorized patrons.
 The librarian must see and accept a patron's proof of
identification before that patron has free and easy access to
the contents available in the bookroom.
Accuracy

 Information is accurate
 when it is free from mistakes or errors and
 it has the value that the end user expects.
 When information contains a value different from the user's expectations due to
the intentional or unintentional modification of its content, it is no longer
accurate.
Example :-

Consider the checking account

 Inaccuracy of the information in your checking account can
be caused by external or internal means.
 If a bank teller, for instance, mistakenly adds or subtracts too
much from your account, the value of the information has
changed.
 In turn, as the user of your bank account, you can also
accidentally enter an incorrect amount into your account
register. This also changes the value of the information.
Authenticity

 Authenticity of information is the quality or state of being genuine or original,
rather than a reproduction or fabrication.
 Information is authentic when it is the information that was originally
 Created,
 Placed,
 Stored, or
 Transferred.
Example :-

Consider for a moment some of the assumptions made about e-mail.

 When you receive e-mail, you assume that a specific individual or group of
individuals created and transmitted the e-mail; you assume you know the
origin of the e-mail. This is not always the case.
 E-Mail spoofing, the process of sending an e-mail message with a modified
field, is a problem for many individuals today, because many times the field
modified is the address of the originator.
 Spoofing the address of origin can fool the e-mail recipient into thinking
that the message is legitimate traffic.
 In this way, the spoofer can induce the e-mail readers into opening e-mail
they otherwise might not have opened.
 The attack known as spoofing can also be applied to the transmission of
data across a network, as in the case of User Datagram Protocol (UDP) packet
spoofing, which can enable unauthorized access to data stored on
computing systems.
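The e-mail spoofing described above works because the From: header is free text chosen by the sender. One simple detection check a mail gateway or analyst can run is to compare the domain shown in From: with the envelope sender (Return-Path) and with Reply-To, which an impersonator often points somewhere else. The code below is an added example written for these notes, not from the original; the two message headers are constructed samples, and the domain names in them are placeholders.

```python
"""Added example: flag visible-sender / envelope-sender mismatches in e-mail headers.
The two messages below are constructed samples, not real mail."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From:, Return-Path and (absent) Reply-To all agree.
LEGIT = """From: Alice Example <alice@example.com>
Return-Path: <alice@example.com>
Subject: Quarterly report

Please find the report attached.
"""

# Constructed sample: From: claims example.com, but the envelope sender and
# Reply-To point to other domains, the pattern the notes call address spoofing.
SPOOFED = """From: IT Helpdesk <helpdesk@example.com>
Return-Path: <bounce@mailer.example.net>
Reply-To: <mailbox@example.org>
Subject: Password reset required

Your password expires today.
"""


def sender_domains(raw: str) -> dict:
    """Extract the domain part of the From:, Return-Path and Reply-To headers
    (None when the header is missing or carries no address)."""
    msg = message_from_string(raw)

    def domain(header: str):
        _, addr = parseaddr(msg.get(header, ""))
        return addr.rpartition("@")[2].lower() if "@" in addr else None

    return {
        "from": domain("From"),
        "return_path": domain("Return-Path"),
        "reply_to": domain("Reply-To"),
    }


def spoofing_indicators(raw: str) -> list:
    """Return human-readable findings; an empty list means no mismatch was seen."""
    d = sender_domains(raw)
    findings = []
    if d["return_path"] and d["from"] and d["return_path"] != d["from"]:
        findings.append("envelope sender (Return-Path) domain differs from From: domain")
    if d["reply_to"] and d["from"] and d["reply_to"] != d["from"]:
        findings.append("Reply-To domain differs from From: domain")
    return findings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, sender_domains(raw), spoofing_indicators(raw) or "no indicators")
```

A mismatch is an indicator, not a verdict: mailing lists and third-party mailers legitimately send with a different envelope domain. The authoritative controls for sender authenticity are SPF, DKIM and DMARC evaluated by the receiving mail server; a check like this is useful as a secondary triage signal in an analyst's toolbox.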
Confidentiality

 The confidentiality of information is the quality or state of preventing disclosure
or exposure to unauthorized individuals or systems.
 Confidentiality of information is ensuring that only those with the rights and
privileges to access a particular set of information are able to do so, and that those
who are not authorized are prevented from obtaining access.
 When unauthorized individuals or systems can view information, confidentiality
is breached.
 To protect the confidentiality of information, you can use a number of measures:
 Information classification
 Secure documents storage
 Application of general security policies
 Education of information custodians and end users
Example:-

Ex: 1 A breach of confidentiality is an employee throwing away a document containing
critical information without shredding it.

Ex: 2 A hacker who successfully breaks into an internal database of a Web-
based organization and steals sensitive information about the clients such as

 Names
 Addresses and
 Credit card numbers.
Integrity

 The quality or state of being whole, complete, and uncorrupted is the integrity
of information.
 The integrity of information is threatened when the information is exposed to
 Corruption,
 Damage,
 Destruction, or
 Other disruption of its authentic state.
 The threat of corruption can occur while information is being stored or
transmitted.
 Many computer viruses and worms have been created with the specific purpose
of corrupting data.
For this reason, the key methods for detecting a virus or worm are:

1. First Key methodology is to look for changes in file integrity as shown by the size
of the file.
2. Another key methodology for assuring information integrity is through file
hashing.
 With file hashing, a file is read by a special algorithm that uses the value
of the bits in the file to compute a single large number called a Hash value.
 The hash value for any combination of bits is different for each
combination.
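The two methods just listed can be put side by side in code. The check below is an added example written for these notes, not code from the original: it records a baseline of SHA-256 file hashes and later reports files that were modified, added or removed. The sample directory is constructed in a temporary folder, and the tampered file is deliberately rewritten with the same byte length, which is exactly the case the size-based method (method 1) misses and file hashing (method 2) catches.

```python
"""Added example: file-integrity baseline and comparison using SHA-256 hashes.
The files created in demo() are constructed samples."""
import hashlib
import tempfile
from pathlib import Path


def file_hash(path: Path, algo: str = "sha256") -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative path) to its hash."""
    return {
        str(p.relative_to(root)): file_hash(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report which files changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Build a constructed directory, take a baseline, tamper with it, and compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config.ini").write_text("debug=false\n")   # 12 bytes
        (root / "app.bin").write_bytes(b"\x00" * 1024)
        baseline = snapshot(root)

        # Tampering that keeps the file size identical (12 bytes): a size check
        # would not notice, but the hash changes.
        (root / "config.ini").write_text("debug=true \n")
        (root / "app.bin").unlink()                          # removed file
        (root / "unexpected.dll").write_bytes(b"not in baseline")  # added file

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline itself must be stored where the monitored system cannot rewrite it (read-only media, a separate host, or a signed record), otherwise an attacker who can change the files can change the baseline to match.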
Utility

 The utility of information is the quality or state of having value for some purpose or
end.
 Information has value when it serves a particular purpose. This means
that if information is available, but not in a format meaningful to the
end user, it is not useful.
Possession

 The possession of information is the quality or state of having
ownership or control of some object or item.
 Information is said to be in possession if one obtains it, independent of
format or other characteristic.
 A breach of confidentiality always results in a breach of possession, but a
breach of possession does not always result in a breach of
confidentiality.
Example:-

 Assume a company stores its critical customer data using an
encrypted filesystem.
 An employee, who has quit, decides to take a copy of the tape
backups to sell the customer records to the competition.
 The removal of the tapes from their secure environment is a
breach of possession; because the data is encrypted, neither the
employee nor anyone else can read it without the proper
decryption methods, and therefore there is no breach of
confidentiality.

INFORMATION STATES

The different states of the information that is processed between
two or more communicating entities.

Security Attacks

 There are different types of security attacks which affect the
communication process in the network.

 They are as follows:
 Interruption
 Interception
 Modification
 Fabrication

Department of Computer Science & Engineering, VNRVJIET, Hyderabad January 8, 2022 1


Interruption
 An asset of the system is destroyed or becomes unavailable or unusable. It is
an attack on availability.

 Examples:
 Destruction of some hardware
 Jamming wireless signals
 Disabling file management systems



Interception
 An unauthorized party gains access to an asset. Attack on confidentiality.

 Examples:
 Wire tapping to capture data in a network.
 Illicitly copying data or programs
 Eavesdropping



Modification
 When an unauthorized party gains access and tampers with an asset. Attack is on
Integrity.

 Examples:
 Changing data file
 Altering a program and the contents of a message



Fabrication
 An unauthorized party inserts a counterfeit object into the system. Attack on
Authenticity. Also called impersonation.

 Examples:
 Hackers gaining access to a personal email account and sending messages.
 Insertion of records in data files.
 Insertion of spurious messages in a network.



Difference between Threats and Attacks
Threats                                              | Attacks
-----------------------------------------------------|-----------------------------------------------------
Can be intentional or unintentional.                 | Is intentional.
May or may not be malicious.                         | Is malicious.
A circumstance that has the ability to cause damage. | Objective is to cause damage.
Information may or may not be altered or damaged.    | Chance of information alteration and damage is very high.
Comparatively hard to detect.                        | Comparatively easy to detect.
Can be blocked by control of vulnerabilities.        | Cannot be blocked by just controlling the vulnerabilities.
Can be initiated by the system itself as well as an  | Is always initiated by an outsider (system or user).
outsider.                                            |



Some of the Concerns/Issues of Computer Security
 Hacking: unauthorized access to or use of data, systems, servers
or networks, including any attempt to probe, scan or test the
vulnerability of a system, server or network or to breach security
or authentication measures without express authorization of the
owner of the system, server or network.
 Sending abusive e-mails or posting offensive Web pages.
 Creation or transmission of any offensive or indecent images.
 Giving unauthorized access to computing resources e.g. allowing
an account to be used by someone not authorized to use it.
 Deliberately creating or spreading computer viruses or worms.



INFORMATION SECURITY MEASURES

 Information is one of the most valuable assets.
 The use of proper preventive measures and safeguards can
reduce the risk of potentially devastating security attacks, which
could cost you the future of your business.
 Some losses might be irrecoverable, such as the loss of a
business deal due to leaks of confidential data to your
competitor.



IT Measures
 Include security in system architecture
 Strong password policy
 Strong Internet protection suite
 Secure mobile devices (laptops, smartphones)
 Secure all end points.



Vulnerability
 A VULNERABILITY is a software coding error that is used by
hackers to enter an information system and perform
unauthorized activities while posing as an authorized user.
 A vulnerability is a weakness which can be exploited in a cyber
attack to gain unauthorized access to or perform unauthorized
actions on a computer system.
 Vulnerabilities can allow attackers to run code, access system
memory, install different types of malware and steal, destroy or
modify sensitive data.



Exposure
 AN EXPOSURE is a software error that allows hackers to break
into a system. During an exposure, attackers may gain
information or hide unauthorized actions.
 An exposure is a mistake that gives an attacker access to a
system or network. Exposures can lead to data breaches, data
leaks and personally identifiable information (PII) being sold on
the dark web. In fact, some of the biggest data breaches were
caused by accidental exposure rather than sophisticated cyber
attacks.



Common Vulnerabilities and Exposures
 Common Vulnerabilities and Exposures (CVE) is a list of publicly
disclosed information security vulnerabilities and exposures.
 CVE was launched in 1999 by the MITRE corporation to identify
and categorize vulnerabilities in software and firmware. CVE
provides a free dictionary for organizations to improve
their cyber security.
 MITRE is a nonprofit that operates federally funded research
and development centers in the United States.



Goal of CVE
 The goal of CVE is to make it easier to share information about
known vulnerabilities across organizations.
 CVE does this by creating a standardized identifier for a given
vulnerability or exposure.
 CVE identifiers or CVE names allow security professionals to
access information about specific cyber threats across multiple
information sources using the same common name.



What is a CVE entry?
 A CVE entry describes a known vulnerability or exposure.
 Each CVE entry contains a standard identifier number with a
status indicator (e.g. "CVE-1999-0067", "CVE-2014-12345", "CVE-
2016-7654321"), a brief description, and references to related
vulnerability reports and advisories.
 Each CVE ID is formatted as CVE-YYYY-NNNNN. The YYYY portion
is the year the CVE ID was assigned or the year the vulnerability
was made public.
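Because the CVE-YYYY-NNNN... format above is the common name every tool and advisory shares, being able to validate it and pull it out of free text (tickets, scanner output, vendor bulletins) is a routine task. The code below is an added example written for these notes, not part of the original or of the CVE program's own tooling; the three identifiers it checks are the ones quoted above, and the sample sentence fed to the extractor is constructed. It assumes the sequence part is at least four digits, as in every identifier shown on this page.

```python
"""Added example: validate, dissect and extract CVE identifiers (CVE-YYYY-NNNN...).
The IDs CVE-1999-0067, CVE-2014-12345 and CVE-2016-7654321 come from the notes;
the free-text sample in demo() is constructed."""
import re
from typing import Optional

# Year: exactly four digits.  Sequence: four or more digits (longer sequence
# numbers such as 7654321 are allowed, short ones such as 123 are not).
CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")
CVE_IN_TEXT_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def parse_cve(cve_id: str) -> Optional[dict]:
    """Return the normalised ID, year and sequence number, or None if malformed."""
    m = CVE_RE.fullmatch(cve_id.strip().upper())
    if not m:
        return None
    return {
        "id": m.group(0),
        "year": int(m.group("year")),       # year assigned or made public (see notes)
        "sequence": int(m.group("seq")),
    }


def is_valid_cve(cve_id: str) -> bool:
    return parse_cve(cve_id) is not None


def extract_cves(text: str) -> list:
    """Pull every distinct CVE ID out of free text, upper-cased, in order of first
    appearance, so a ticket or scanner line can be cross-referenced by its names."""
    seen, out = set(), []
    for match in CVE_IN_TEXT_RE.findall(text):
        cve_id = match.upper()
        if cve_id not in seen:
            seen.add(cve_id)
            out.append(cve_id)
    return out


def demo() -> list:
    # Constructed sample advisory text with a duplicate in different case.
    text = "Patched CVE-2014-12345; duplicate cve-2014-12345 reported, see also CVE-1999-0067."
    return extract_cves(text)


if __name__ == "__main__":
    for candidate in ("CVE-1999-0067", "CVE-2014-12345", "CVE-2016-7654321", "CVE-14-12345"):
        print(candidate, "->", parse_cve(candidate))
    print(demo())
```

Normalising case and deduplicating matters in practice because the same identifier arrives from several sources (the page's point about using one common name across multiple information sources), and a lookup keyed on the raw string would otherwise treat "cve-2014-12345" and "CVE-2014-12345" as different entries.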



Data and information protection is the most technical and tangible of the three
pillars. The data we gather comes from multiple sources, such as information
technology (IT), operational technology (OT), personal data and operational
data. It must be properly managed and protected every step of the way.

What is the CIA triad?


When we discuss data and information, we must consider the CIA triad. The
CIA triad refers to an information security model made up of the three main
components: confidentiality, integrity and availability. Each component
represents a fundamental objective of information security.
The three components of the CIA triad are discussed below:

1. Confidentiality: This component is often associated with secrecy and the use
of encryption. Confidentiality in this context means that the data is only
available to authorized parties. When information has been kept confidential it
means that it has not been compromised by other parties; confidential data are
not disclosed to people who do not require them or who should not have access
to them. Ensuring confidentiality means that information is organized in terms of
who needs to have access, as well as the sensitivity of the data. A breach of
confidentiality may take place through different means, for instance hacking or
social engineering.
2. Integrity: Data integrity refers to the certainty that the data is not tampered
with or degraded during or after submission. It is the certainty that the data has
not been subject to unauthorized modification, either intentional or
unintentional. There are two points during the transmission process during which
the integrity could be compromised: during the upload or transmission of data or
during the storage of the document in the database or collection.
3. Availability: This means that the information is available to authorized users
when it is needed. For a system to demonstrate availability, it must have
properly functioning computing systems, security controls and communication
channels. Systems defined as critical (power generation, medical equipment,
safety systems) often have extreme requirements related to availability. These
systems must be resilient against cyber threats, and have safeguards against
power outages, hardware failures and other events that might impact the system
availability.

Stability, availability and security


Availability is a major challenge in collaborative environments, as such
environments must be stable and continually maintained. Such systems must also
allow users to access required information with little waiting time. Redundant
systems may be in place to offer a high level of fail-over. The concept of
availability can also refer to the usability of a system.
Information security refers to the preservation of integrity and secrecy when
information is stored or transmitted. Information security breaches occur when
information is accessed by unauthorized individuals or parties. Breaches may be
the result of the actions of hackers, intelligence agencies, criminals, competitors,
employees or others. In addition, individuals who value and wish to preserve
their privacy are interested in information security.
The CIA triad describes three crucial components of data and information
protection which can be used as guides for establishing the security policies in
an organization. Establishing and maintaining the organization’s security
policies can be a daunting task, but using the three-pillared strategic approach to
cyber security can help you identify and manage cyber security risks in a
methodic and comprehensive manner.

What is an ISMS? 9 reasons why you should implement one
Julia Dutton, 4th June 2019

Whether you like it or not, every business is a target for cyber attackers,
and that includes yours.

Data breaches are becoming more severe, yet many organisations still
assume they will never suffer one.
However, if you want to protect your business you should adopt a ‘when
not if’ mentality.

Effective defences can prevent the majority of attacks and help you to
prepare for a breach.

Robust cyber security requires an ISMS (information security
management system) built on three pillars: people, processes and
technology.
By implementing an ISMS, you can secure your information, increase your
resilience to cyber attacks, and reduce the costs associated with
information security.

In this post, we take a deep dive into the inner workings of an ISMS, and
explore the benefits it can bring to your organisation.
What is an ISMS?
An ISMS is a systematic approach consisting of processes, technology and
people that helps you protect and manage your organisation’s information
through effective risk management.

It enables compliance with a host of laws, including the EU GDPR (General
Data Protection Regulation), and focuses on protecting three key aspects
of information:
1) Confidentiality: The information is not available or disclosed to unauthorised people,
entities or processes.
2) Integrity: The information is complete and accurate, and protected from corruption.
3) Availability: The information is accessible and usable by authorised users.

Where does ISO 27001 fit in?


ISO 27001 is the international standard that provides the specification for
a best-practice ISMS and covers the compliance requirements.
While ISO 27001 offers the specification, ISO 27002 provides the code of
conduct – guidance and recommended best practices that can be used to
enforce the specification.

Benefits of an ISMS
An ISO 27001-compliant ISMS does more than simply help you comply
with laws and win business. It can also:

Secure your information in all its forms: An ISMS helps protect all forms of
information, whether digital, paper-based or in the Cloud.
Increase your attack resilience: Implementing and maintaining an ISMS will
significantly increase your organisation’s resilience to cyber attacks.
Manage all your information in one place: An ISMS provides a central
framework for keeping your organisation’s information safe and managing
it all in one place.
Respond to evolving security threats: Constantly adapting to changes both in
the environment and inside the organisation, an ISMS reduces the threat
of continually evolving risks.
Reduce costs associated with information security: Thanks to the risk
assessment and analysis approach of an ISMS, organisations can reduce
costs spent on indiscriminately adding layers of defensive technology that
might not work.
Protect the confidentiality, availability and integrity of your data: An ISMS
offers a set of policies, procedures, technical and physical controls to
protect the confidentiality, availability and integrity of your information.
Improve company culture: An ISMS’s holistic approach covers the whole
organisation, not just IT. This enables employees to readily understand
risks and embrace security controls as part of their everyday working
practices.
Information Assurance Model



Information States
Information in transit:
• Information in transit is data that is currently travelling across
a network or sitting in a computer’s RAM ready to be read,
updated, or processed.
• This data in transit includes data moving across cables and
wireless transmissions. It can be emails or files transferred
over FTP or SSH.
• Cryptography was originally invented to protect data in
transit, such as sensitive communications between a military
general and his army.



Information in process:
• Information in process is data that is not just being stored passively on a
hard drive or external storage media.
• This is data that is being processed by one or more applications: data
currently in the process of being generated, updated, appended, or erased.
• It also includes data being viewed by users accessing it through various
endpoints.
• Data in use is susceptible to different kinds of threats depending on where
it is in the system and who is able to use it.
• The most vulnerable point for data in use is at the endpoints where users
are able to access and interact with it.



Information in storage:
• Information in storage is a term that refers to data stored on a device or backup
medium in any form.
• It can be data stored on hard drives, backup tapes, in offsite cloud backup, or
even on mobile devices.
• Data at rest is data that has reached a destination (even if only temporarily).
• At this destination, additional layers of security can be added to it, such as
encryption, multi-factor authentication, and both digital and physical access
controls. Data at rest should almost always be encrypted.



Security Countermeasures
1. People –
People are the heart of an information system. Administrators and users of
information systems must follow policies and practices for designing a good
system. They must be informed regularly about the information system and
be ready to act appropriately to safeguard it.
2. Policy & Practice –
Every organization has a set of rules, defined in the form of policies, that must
be followed by every individual working in the organization. These policies must
be practised in order to handle sensitive information properly whenever the
system is compromised.
3. Technology –
Appropriate technology such as firewalls, routers and intrusion detection
systems must be used to defend the system against vulnerabilities and threats. The
technology used must facilitate a quick response whenever information
security is compromised.



Logical elements of a Network
• The logical component of a network is the information being carried
from source to destination.
• The user information, which is called data, is carried inside
a frame across the network.
Frames:
• Frames carry the data across the network and are made up of three
parts: the header, the data itself, and the trailer.
• It is these frames that carry user data, just as railroad cars carry
passengers.



Elements of Information Security
Network Security:
• Network security refers to any activity designed to protect your network.
Specifically, these activities protect the usability, reliability, integrity and
safety of your network and data. Effective network security targets a variety
of threats and stops them from entering or spreading on your network.
• No single solution protects you from a variety of threats. You need multiple
layers of security. If one fails, others still stand. Network security is
accomplished through hardware and software. The software must be
constantly updated and managed to protect you from emerging threats.
• A network security system usually consists of many components. Ideally, all
components work together, which minimizes maintenance and improves
security.



Network security components
• Anti-virus and anti-spyware software.
• Firewall to block unauthorized access to your network.
• Intrusion Prevention Systems (IPS) to identify fast-spreading threats, such as
zero-day or zero-hour attacks.
• Virtual Private Networks (VPNs) to provide secure remote access.



Application Security:
• Application security (AppSec) is the use of software, hardware and
procedural methods to protect applications from external threats. AppSec is
the operational solution to the problem of software risk. AppSec helps
identify, fix and prevent security vulnerabilities in any kind of software
application irrespective of the function, language or platform.
• A well-practised AppSec programme employs practical and preventative methods to
manage software risk, and aligns an organization’s security investments with
the reality of today’s threats.



AppSec has three distinct elements:
• Measurable reduction of risk in existing applications
• Prevention of introduction of new risks
• Compliance (agreement) with software security mandates

AppSec products must provide capabilities for managing security risk across all
of these options as each of these development and deployment options can
introduce security vulnerabilities. An effective software security strategy
addresses both immediate and systemic risk.



Communications Security:
• Communications Security ensures the security of telecommunications,
confidentiality and integrity – the two information assurance (IA) pillars.
Generally, COMSEC may refer to the security of any information that is
transmitted, transferred or communicated.
• There are five COMSEC security types:
  • Crypto security: This encrypts data, rendering it unreadable until the data is
decrypted.
  • Emission Security (EMSEC): This prevents the capture of emissions (emanations) from equipment,
such as cryptographic equipment, thereby preventing unauthorized interception.
  • Physical Security: This ensures the safety of, and prevents unauthorized access
to, cryptographic information, documents and equipment.
  • Traffic-Flow Security: This hides messages and message characteristics flowing on
a network.
  • Transmission Security (TRANSEC): This protects transmissions from unauthorized
access, thereby preventing interruption and harm.



Data Leakage

Data leakage is the unauthorized transmission of data from within an
organization to an external destination or recipient.
• Data leakage threats usually occur via the web and email, but can also
occur via mobile data storage devices such as optical media, USB
keys, and laptops.
• Data leakage, also known as low and slow data theft, is a huge
problem for data security, and the damage caused to any
organization, regardless of size or industry, can be serious.



The potential damage and adverse consequences of a data leakage incident can
be classified into two categories: direct and indirect losses.
• Direct losses refer to tangible damage that is easy to measure or to estimate
quantitatively.
• Indirect losses, on the other hand, are much harder to quantify and have a
much broader impact in terms of cost, place, and time.



Customer Information
This data differs from company to company, but there are usually some
common factors involved:
• Identity information: name, address, phone number, email address,
username, password
• Activity information: order and payment history, browsing habits, usage
details
• Credit card information: card numbers, CVV codes, expiration dates, billing
zip codes

Information that is specific to the company can also be exposed. This can be
financials for banks and investment groups, medical records for hospitals and
insurers or sensitive documents and forms for government entities.



Company Information
Customer information isn't the only thing. Corporate information can be leaked
including:
• Internal communications: memos, emails, and documents detailing company
operations
• Metrics: performance statistics, projections, and other collected data about
the company
• Strategy: messaging details, roadmaps, rolodexes and other critical business
information

The exposure of this type of information can hamstring company projects, give
competitors insight into business operations, and reveal internal culture and
personalities. The bigger the company, the more interest there is in this type of
data.



Trade Secrets
These are the most dangerous things to be exposed in a data leak: information that
is critical to your business and its ability to compete. Trade secrets include:
• Plans, formulas, designs: Information about existing or upcoming products
and services
• Code and software: Proprietary technology the business sells or built for in-
house use
• Commercial methods: Market strategies and contacts

Exposure of this type of data can devalue the products and services your
business provides and undo years of research.



Why do data leaks happen?
• To understand why data leaks happen, we need to step back and understand
how information is generated, manipulated and used.
• When we examine information security, it becomes clear that organizing a
resilient process is difficult at scale. Operational gaps, process errors and
poor cybersecurity awareness can lead to vulnerable assets, which leads to
data leaks.
• The benefits and risks of digital data are the same. Digital data can be
reproduced cheaply and without degradation. Organizations have many
copies of production data that include customer data, trade secrets and
other sensitive information.
• The point is that many copies of data exist, and the more copies of data that exist,
the higher the chance that something or someone could accidentally expose
them.



Data Leakage Threats
Classified into two types:

• Internal threats (intentional or inadvertent)
• External threats.



Intentional / Internal data leakage
This kind of leakage happens via Remote Access, Instant Messaging, Email,
Web Mail, Peer-to-Peer, and even File Transfer Protocol.
• E-mail: a confidential document may be sent to an unauthorized individual as
an attachment. The sender may also choose to compress and/or encrypt the file,
or embed it within other files.
• Steganography, the process of concealing sensitive data within non-secret
data, may also be used for this purpose.
• Web Logs / Wikis: web logs could be used to release confidential
information onto the internet, simply by entering the information in a
blog.
• FTP (File Transfer Protocol) may be allowed through the firewall; leakage over it is
typically intentional. Uploading a file to an FTP server can only be done by
a person who is aware of the process and is therefore not something an
average user does on a daily basis.



• Removable media / storage: USB keys, hard drives, digital cameras, and even
music devices such as an Apple iPod. Others may take a hard copy of the
document in a briefcase and share it with an unauthorized person, or
take a picture of the document and send it through a mobile phone.
• Files and folders may not be protected with authentication, allowing sensitive
data to be leaked, or inadequate database queries may expose data.



External Threats
• Phishers may set up fraudulent employment web sites and
attempt to attract job seekers to send their resumes directly to them.
Hackers not only grab resumes but also e-mail IDs and credit card
numbers of job seekers by posing as a trustworthy entity on these websites.
• SQL injection is the embedding of malicious code in a database query; it is carried out by a
person with good knowledge of databases.
• Dumpster diving: sometimes organizations do not destroy hard-copy
information securely, which runs the risk of confidential information
falling into unauthorized hands.
• An attacker may decide to scrutinize the company’s waste and discover
important information. The information may be stored on external media
such as CDs or DVDs, or in printed documents.



Data can be monitored in use, at rest and in motion –
• Data in motion can be an email or an FTP file transmission. The complete
pathway or network must be monitored while the data is transmitted. There
are several monitoring points at which traffic can be intercepted, such as web proxies and mail
servers, to monitor the complete data flow.
• At rest: an organization can find out where its sensitive data is distributed
by scanning network shares. Sometimes a software agent is
used to assess endpoint systems or application servers.
• In use: it is not possible to monitor data in use remotely. To control every
action the user may take, an endpoint agent is deployed to assess it. This agent hooks
into operating system functions to recognize all actions.



Safeguarding confidentiality
The loss of confidentiality is a common problem when engaging with
information security. There are lots of approaches which follow a variety of
ways to safeguard the confidentiality of data.
• Hippocratic Databases aim to provide more granular access controls, so that
only the owner is authorized to access the data in the database
system. This is achieved by attaching additional attributes to all stored
information; these attributes allow fine-grained access control. Another
crucial requirement is the absence of side channels, i.e. executed queries
should not reveal additional information such as statistics computed
over a small number of records.
• Email Leak Prevention: sending and receiving emails has become one of the
most important communication mediums. A consequence of this is the rising
threat of email leakage. Emails containing confidential data may be sent to the
wrong recipients, e.g. due to a misspelling or misuse of auto-completion, a
feature of modern mail agents which completes email
addresses after the first few letters.
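As an added example (not part of these notes or of any product), the following Python shows one way an outbound mail check can catch the misspelling / auto-completion failure described above: each recipient domain is classified as internal, partner, external, or a lookalike of a known domain (within a small edit distance), and confidential messages to external or lookalike domains are flagged. The domain lists, threshold and sample addresses are constructed for the example.

```python
from typing import Iterable, List, Set

# Constructed domain lists for the example; a real deployment would take these
# from the organisation's directory or DLP policy.
INTERNAL_DOMAINS: Set[str] = {"example.com", "corp.example.com"}
PARTNER_DOMAINS: Set[str] = {"partner.example.org"}
LOOKALIKE_THRESHOLD = 2  # max edit distance for a "resembles a known domain" warning


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute), standard dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_recipient(address: str, internal: Set[str] = INTERNAL_DOMAINS,
                       partners: Set[str] = PARTNER_DOMAINS) -> str:
    """Return 'internal', 'partner', 'external' or 'lookalike:<known domain>'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in internal:
        return "internal"
    if domain in partners:
        return "partner"
    # A domain within a couple of edits of a known one is the classic typo or
    # auto-completion mistake (e.g. "exmaple.com"); report it separately so the
    # sender is asked to confirm rather than silently allowed or blocked.
    for known in sorted(internal | partners):
        if edit_distance(domain, known) <= LOOKALIKE_THRESHOLD:
            return "lookalike:" + known
    return "external"


def check_outbound(recipients: Iterable[str], confidential: bool) -> List[str]:
    """One warning per recipient that should block the send or require confirmation."""
    warnings: List[str] = []
    for r in recipients:
        kind = classify_recipient(r)
        if kind.startswith("lookalike:"):
            warnings.append(f"{r}: domain resembles {kind.split(':', 1)[1]} (possible typo)")
        elif kind == "external" and confidential:
            warnings.append(f"{r}: confidential content addressed to an external domain")
    return warnings


if __name__ == "__main__":
    # Constructed recipient list for the demo.
    for w in check_outbound(["alice@example.com", "bob@exmaple.com", "carol@gmail.com"], True):
        print(w)
```

The lookalike check fires even for non-confidential mail, because a mistyped domain is a symptom worth surfacing regardless of the content classification; whether the message is confidential only decides what happens to plain external recipients.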



Current DLP Approaches
There are three main capabilities of DLP solutions:
• Identify
• Monitor
• React
• Each of these steps in leakage prevention has to handle data at rest, in
motion, and in use.
• Identify: how to find valuable content. First identify the valuable data. A
central management function should impose protocols and policies so that they are consistent
and manageable.
• Rule-based regular expressions are the most common technique for defining
data via an abstract pattern.
• This approach produces a high rate of false positives due to its limited scope
and missing context awareness. For example, the words "confidential" or
"important" can appear in many contexts that are not confidential.
• During processing, such rules can be used as a filter to reduce the amount of data
for further processing.
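As an added example (not part of these notes), the following Python shows the false-positive problem of rule-based regular expressions and one common mitigation: a keyword rule that fires on "confidential" and "important" wherever they appear, and a card-number rule whose raw matches are then filtered with the Luhn checksum so that look-alike digit runs (order numbers, reference codes) are dropped. The sample document and the test card number are constructed for the example.

```python
import re
from typing import Dict, List

# Rule-based patterns.  The keyword rule is exactly the noisy kind the notes
# describe: "confidential" or "important" also occur in harmless sentences.
KEYWORD_RE = re.compile(r"\b(confidential|important)\b", re.IGNORECASE)
# 13-19 digits, optionally separated by single spaces or hyphens (card-number shape).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str, validate: bool = True) -> List[Dict[str, str]]:
    """Return findings as {rule, value, line}.  With validate=True, card candidates
    that fail the Luhn check are dropped, which removes the bulk of the false positives."""
    findings: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEYWORD_RE.finditer(line):
            findings.append({"rule": "keyword", "value": m.group(0), "line": str(lineno)})
        for m in CARD_RE.finditer(line):
            digits = m.group(0).replace(" ", "").replace("-", "")
            if validate and not luhn_ok(digits):
                continue
            findings.append({"rule": "card", "value": digits, "line": str(lineno)})
    return findings


def count_by_rule(findings: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


# Constructed sample document: one real-shaped card number (a well-known test
# number), one 16-digit order id that is not a card, and two keyword hits of
# which only the first is in a confidential context.
SAMPLE = """Subject: Q3 pricing (CONFIDENTIAL)
Order 1234 5678 1234 5678 shipped yesterday.
Customer card on file: 4111 1111 1111 1111 exp 09/27
Reminder: it is important to submit timesheets on Friday."""


if __name__ == "__main__":
    print("raw regex hits:      ", count_by_rule(scan(SAMPLE, validate=False)))
    print("with Luhn validation:", count_by_rule(scan(SAMPLE)))
```

The keyword rule still reports both hits after validation: nothing in a regular expression can tell the pricing memo from the timesheet reminder, which is the "missing context awareness" the notes refer to. A structural check like Luhn only helps where the data type has one.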



• Database Fingerprinting is a biometric identification (ID) methodology. It
uses digital imaging technology for storing and analyzing fingerprint data.
Fingerprints of authorized people should already be stored in the database. When
a person tries to access the data, fingerprint matching is performed.
• Cyclic hashing is a process for scanning large volumes of data efficiently. The first
hash value indexes the first N characters in the document, the next hash
value covers the next part, overlapping the previous one. Thereby, the
resulting index contains an overlapping map of the
document. If suspicious documents need to be examined, the same algorithm
can be used to determine whether they contain sensitive data. However, it
produces a high CPU load due to the amount of hashing.
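As an added example (not part of these notes), the following Python implements the overlapping-window idea: a sensitive document is normalized and every N-character window starting at a multiple of STEP is hashed into an index, and a suspect document is then scanned at every offset with a rolling (Rabin-Karp style) hash so that each window costs O(1) instead of a fresh hash. Because STEP is smaller than the window, any copied fragment longer than WINDOW + STEP characters is guaranteed to contain at least one indexed window. The documents, window sizes and threshold are constructed for the example.

```python
from typing import Iterator, Set, Tuple

BASE = 257
MOD = (1 << 61) - 1
WINDOW = 32   # characters per hashed chunk
STEP = 8      # offset between indexed chunks; STEP < WINDOW gives the overlap


def normalize(text: str) -> str:
    # Case and whitespace changes should not defeat the match.
    return " ".join(text.lower().split())


def rolling_hashes(t: str, window: int) -> Iterator[Tuple[int, int]]:
    """Yield (start, hash) for every window of t.  The polynomial hash is updated
    in O(1) per position: drop the outgoing character, shift, add the incoming one."""
    if len(t) < window:
        return
    h = 0
    for c in t[:window]:
        h = (h * BASE + ord(c)) % MOD
    yield 0, h
    high = pow(BASE, window - 1, MOD)
    for i in range(window, len(t)):
        h = ((h - ord(t[i - window]) * high) * BASE + ord(t[i])) % MOD
        yield i - window + 1, h


def fingerprint(document: str, window: int = WINDOW, step: int = STEP) -> Set[int]:
    """Index of overlapping chunk hashes for a sensitive document."""
    t = normalize(document)
    return {h for start, h in rolling_hashes(t, window) if start % step == 0}


def match_ratio(suspect: str, index: Set[int], window: int = WINDOW) -> float:
    """Fraction of the suspect's windows (checked at every offset) found in the index."""
    t = normalize(suspect)
    hashes = list(rolling_hashes(t, window))
    if not hashes:
        return 0.0
    hits = sum(1 for _, h in hashes if h in index)
    return hits / len(hashes)


def is_leak(suspect: str, index: Set[int], threshold: float = 0.05) -> bool:
    return match_ratio(suspect, index) >= threshold


# Constructed documents: SUSPECT quotes a sentence of SECRET verbatim inside
# unrelated chatter; CLEAN shares no text with it.
SECRET = ("Project Falcon pricing: the enterprise tier will be offered at a 35 percent "
          "discount to the first ten customers who sign before the end of the quarter, "
          "with renewal locked for three years.")
SUSPECT = ("hi all, FYI from a friend: the enterprise tier will be offered at a 35 percent "
           "discount to the first ten customers who sign before the end of the quarter. Thoughts?")
CLEAN = "Lunch is at noon today in the main cafeteria; please bring your badge and be on time."


if __name__ == "__main__":
    index = fingerprint(SECRET)
    for name, doc in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(f"{name}: ratio={match_ratio(doc, index):.3f} leak={is_leak(doc, index)}")
```

The ratio is deliberately low even for a real leak (most of the suspect's windows straddle the fragment's boundaries or lie outside it), so the threshold is tuned for the shortest fragment worth catching rather than set near 1.0. Hashing at every offset is also where the CPU cost the notes mention comes from; the rolling hash keeps it linear in the document length.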



Data Leakage
• According to a recent survey of hundreds of IT security
professionals, most organizations have major
security holes when it comes to protecting themselves
against insider threats. If your IT security isn’t in place
across all devices that employees use, then it’s an open
invitation to hackers and fraudsters. Organizations
strongly maintained that data loss was the top concern
regarding insider threats. When asked which types of
insider attacks were most concerning, 63 percent of
respondents said data leaks, 57 percent said
unintended data breaches and 53 percent said
malicious data breaches.
Data Leakage
• Data Leakage, put simply, is the unauthorized
transmission of data (or information) from within an
organization to an external destination or recipient.
• This may be electronic, or may be via a physical
method.
• Data Leakage is synonymous with the term Information
Leakage.
Data leakage
• Data leakage poses a serious issue for companies as
the number of incidents and the cost to those
experiencing them continue to increase. Data leakage
is enhanced by the fact that transmitted data (both
inbound and outbound), including emails, instant
messaging, website forms, and file transfers among
others, are largely unregulated and unmonitored on
their way to their destinations.


Data Leakage
• The reader is encouraged to be mindful that
unauthorized does not automatically mean intentional
or malicious. Unintentional or accidental data leakage is
also an unauthorized and illegal activity.
• Data leaks can be expensive, harm an organization's
brand and reputation, and reduce trust in the
market.
Data Leakage
• Furthermore, in many cases, sensitive data are shared
among various stakeholders such as employees
working from outside the organization’s premises (e.g.,
on laptops), business partners, and customers.
• This increases the risk that confidential information will
fall into unauthorized hands, whether caused by
malicious intent or an unintentional mistake by an
insider or outsider.
• Exposure of sensitive information can seriously hurt an
organization.
Data Leakage
• The potential damage and adverse consequences of a
data leakage incident can be classified into two
categories:
  • Direct and
  • Indirect losses.
• Direct losses refer to tangible damage that is easy to
measure or to estimate quantitatively.
• Indirect losses, on the other hand, are much harder to
quantify and have a much broader impact in terms of
cost, place, and time.
Data Leakage Statistics
Type of Data Leakage

Type of information leaked    Percentage
Confidential information      15%
Intellectual property          4%
Customer data                 73%
Health records                 7%
DATA LEAKAGE THREATS
• Internal threats
• External threats
Internal threats – intentional or inadvertent?

• According to data compiled from different
agencies, 52% of data security breaches are
from internal sources compared to the
remaining 48% by external hackers.
• The noteworthy aspect of these figures is
that, when the internal breaches are
examined, the percentage due to malicious
intent is remarkably low.
Internal Threats – Intentional or Inadvertent?

• The corollary of this is that the level of
inadvertent data breach is significant (96%).
This is further deconstructed to 46% being
due to employee oversight, and 50% due to
poor business process.
Intentional Internal Data Leakage or sabotage

The data presented suggests the main threat of
internal data leakage is from inadvertent actions;
organizations are, however, still at risk of intentional
unauthorized release of data and information by
internal users. The methods by which insiders leak
data could be one or many, but could include
mediums such as Remote Access, Instant
Messaging, email, Web Mail, Peer-to-Peer, and
even File Transfer Protocol.
Unintentional Internal Data Leakage
• A significant number of data security
breaches are due to either employee
oversight or poor business process. This
presents a challenge for businesses, as the
solution to these problems will be far greater
than simply deploying a secure content
management system.
Internal Data Leakage Vectors
Instant Messaging / Peer-to-peer:
Many organizations allow employees to access Instant
Messaging from their workstations or laptops. This includes
products such as MSN Messenger, Skype, AOL, GoogleTalk,
ICQ, and numerous others.
It would be a simple process for an individual to send a
confidential document (such as an Excel file containing
sensitive pricing or financial data) to a third party. Equally, a
user could disclose confidential information in an Instant
Messaging chat session.
Peer-to-peer (P2P) also presents a significant
threat to data confidentiality. Popular P2P
clients include eDonkey and BitTorrent.
eDonkey: The eDonkey network (eD2k) is a decentralized peer-to-peer
(P2P) file sharing system designed to provide long-term data file availability.
This means that all files are stored on individual users' computers and
then directly exchanged with peers.

BitTorrent (abbreviated to BT) is a communication protocol for peer-to-peer
file sharing (P2P) which is used to distribute data and electronic
files over the Internet.
BitTorrent is one of the most common protocols for transferring
large files, such as digital video files containing TV shows or video
clips or digital audio files containing songs.
Example
• P2P has recently been described as a “new national security risk” by
Retired General Wesley K. Clark, who is a board member of
an organization that scans through peer-to-peer networks for
confidential or sensitive data. He commented “We found more
than 200 classified government documents in a few hours
search over P2P networks” and “We found everything from
Pentagon network server secrets to other sensitive information
on P2P networks that hackers dream about”.

A few moments' consideration regarding the implications of these
findings will yield the issue of potential widespread distribution
and availability of the data. The number of potential users on P2P
networks that could access the confidential or sensitive data is
enormous.
Internal Data Leakage Vectors
Email
• Traditional email clients, such as Microsoft Outlook, Lotus
Notes, Eudora, etc. are everywhere within organizations. An
internal user with the motivation could email a confidential
document to an unauthorized individual as an attachment.
They may also choose to compress and / or encrypt the
file, or embed it within other files in order to disguise its
presence. Steganography may also be utilized for this
purpose. Alternatively, instead of attaching a document,
text could be copied into the email message body.

• Email also represents a vector for inadvertent disclosure
due to employee oversight or poor business process. An
employee could attach the wrong file inadvertently, select
the wrong recipient in the email, or even be tricked into
sending a document through social engineering.
Internal Data Leakage Vectors
Web mail
Web Mail is well entrenched with users. Gmail, Yahoo,
and Hotmail are popular examples. It represents
another way for an individual to leak confidential data,
either as an attachment or in the message body.
Because Web Mail runs over HTTP/S a firewall may
allow it through un-inspected as port 80 or 443 will in
most organizations be allowed, and the connection is
initiated from an internal IP address. HTTPS represents
a more complex challenge due to the encryption of the
traffic.
Internal Data Leakage Vectors
Web Logs / Wikis
Web Logs (Blogs) are web sites where people can write their
thoughts, comments, opinions on a particular subject. The blog
site may be their own, or a public site, which could include the
input from thousands of individuals. Blogs could be used by
someone to release confidential information, simply through
entering the information in their blog. However, they would
most likely be able to be tracked, so this is perhaps a less likely
medium. A wiki site is “a collaborative website which can be
directly edited by anyone with access to it”.
Internal Data Leakage Vectors
File Transfer Protocol:

As FTP is a popular protocol there is the likelihood it will be allowed through
the firewall. FTP is probably more likely to be used in intentional leakage
than unintentional leakage, due to the fact that uploading a file to an FTP
server is generally not something an average user performs on a daily basis,
nor would do inadvertently, as compared to attaching a file to an email.
Internal Data Leakage Vectors
Removable Media / Storage
• Information security researchers reported in
March 2007 that “Theft or loss of a digital information
or data storage medium, such as a USB memory key,
made up 54 percent of all identity theft-related data
breaches”.
• Removable storage is very cheap, and copying
documents (say 2 to 4 GB) onto a USB key is
effortless.
• The user merely needs to insert the device, open
Explorer, and drag and drop the target files to the
device, then remove it, place it in their pocket and
walk out of the building.
Internal Data Leakage Vectors
Removable Media / Storage
• Due to their small size, USB keys are also easy to
lose. Even if the copying of data onto the key is
legitimate, the risk exists that the key could be lost by
the user and found by a third party.
• Other forms of USB mass storage include portable
hard drives, digital cameras, and even musical devices
such as an Apple iPod – one model contains an 80GB
hard drive.
• A device such as an iPod, running a suitable
application, can automatically copy all business
documents (e.g. .doc, .xls, .ppt, etc.) from the PC it is
connected to.
Security Classification errors
• Security models such as Biba and Bell-LaPadula are
intended to provide a framework for organizations to
avoid classified and / or sensitive information being
sent to individuals (internally and externally) without
the appropriate security clearance level. It is
conceivable that an individual with Top Secret
clearance may either intentionally or inadvertently
send a Top Secret document to another individual with
only “Classified” clearance.
Security Model
• A security policy governs a set of rules and
objectives needed by an organization.
• A security model can be used by an organization
to help express the policy or business rules to be
used in a computer system.
• There are two types of models that can be used:
discretionary access control and mandatory
access control.
Computer Security
• Computer security is concerned with three
aspects:
  • Confidentiality: preventing/detecting/deterring
  the improper disclosure of information.
  • Integrity: preventing/detecting/deterring the
  improper modification of data.
  • Availability: preventing/detecting/deterring the
  improper denial of service provided by the system.
Bell-LaPadula Model
• The Bell-LaPadula model is one of the first models
that was created to control access to data.
• The properties of the Bell-LaPadula model are:
  • The simple security property, which is “no read up”
  • The star property, which is “no write down”.
• A problem with this model is that it does not deal with the
integrity of data.
• The star property makes it possible for a lower level
subject to write to a higher classified object.
Biba Integrity Model
• The Biba integrity model was published in 1977 at
the Mitre Corporation, one year after the Bell-LaPadula
model was published.
• The primary motivation for creating this model is
the inability of the Bell-LaPadula model to deal with
integrity of data.
• The Biba model addresses the problem with the
star property of the Bell-LaPadula model, which
does not restrict a subject from writing to a more
trusted object.
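As an added example (not from the slides), the following reference monitor encodes both sets of rules so the gap described above can be checked directly: Bell-LaPadula permits a lower-level subject to write up, and the Biba integrity rules are what close it. The two lattices and the labels are constructed for this example.

```python
"""
Added example, not part of the slides: a reference monitor that applies the
Bell-LaPadula confidentiality rules (simple security: no read up; star
property: no write down) and the Biba strict integrity rules (no read down,
no write up) to the same subjects and objects. The two lattices and the
labels below are constructed for this example.
"""
from dataclasses import dataclass

# Constructed confidentiality lattice, lowest to highest.
CONF_LEVELS = {"Unclassified": 0, "Classified": 1, "Secret": 2, "Top Secret": 3}
# Constructed integrity lattice, lowest to highest.
INTEG_LEVELS = {"Untrusted": 0, "User": 1, "System": 2}


@dataclass(frozen=True)
class Label:
    confidentiality: str
    integrity: str


def blp_allows(subject: Label, obj: Label, action: str) -> bool:
    """Bell-LaPadula: read needs clearance >= classification, write needs
    clearance <= classification. Writing *up* is therefore permitted, which is
    the integrity gap the slides describe."""
    s = CONF_LEVELS[subject.confidentiality]
    o = CONF_LEVELS[obj.confidentiality]
    if action == "read":
        return s >= o          # simple security property: no read up
    if action == "write":
        return s <= o          # star property: no write down
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject: Label, obj: Label, action: str) -> bool:
    """Biba strict integrity: read only from objects at least as trusted as the
    subject, write only to objects no more trusted than the subject."""
    s = INTEG_LEVELS[subject.integrity]
    o = INTEG_LEVELS[obj.integrity]
    if action == "read":
        return s <= o          # simple integrity property: no read down
    if action == "write":
        return s >= o          # integrity star property: no write up
    raise ValueError(f"unknown action {action!r}")


def access_allowed(subject: Label, obj: Label, action: str) -> bool:
    """Combined monitor: an access must satisfy both models."""
    return blp_allows(subject, obj, action) and biba_allows(subject, obj, action)


def decision_table(subject: Label, obj: Label) -> dict:
    """Per-model verdicts for read and write, handy for reviewing a label pair."""
    return {action: {"blp": blp_allows(subject, obj, action),
                     "biba": biba_allows(subject, obj, action),
                     "combined": access_allowed(subject, obj, action)}
            for action in ("read", "write")}


# Constructed scenario from the slides: a Top Secret user and a Classified document.
TS_ANALYST = Label("Top Secret", "System")
CLASSIFIED_DOC = Label("Classified", "User")

if __name__ == "__main__":
    # Sending Top Secret content into the Classified document is a write down: BLP blocks it.
    print(decision_table(TS_ANALYST, CLASSIFIED_DOC))
```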
Data Leakage

Data leakage is the unauthorized transmission of data from within an
organization to an external destination or recipient.
• Data leakage threats usually occur via the web and email, but can also
occur via mobile data storage devices such as optical media, USB
keys, and laptops.
• Data leakage, also known as low and slow data theft, is a huge
problem for data security, and the damage caused to any
organization, regardless of size or industry, can be serious.

Department of Computer Science & Engineering, VNRVJIET, Hyderabad January 8, 2022 1


The potential damage and adverse consequences of a data leakage incident can
be classified into two categories: direct and indirect losses.
• Direct losses refer to tangible damage that is easy to measure or to estimate
quantitatively.
• Indirect losses, on the other hand, are much harder to quantify and have a
much broader impact in terms of cost, place, and time.

Customer Information
This data differs from company to company, but there are usually some
common factors involved:
• Identity information: name, address, phone number, email address,
username, password
• Activity information: order and payment history, browsing habits, usage
details
• Credit card information: card numbers, CVV codes, expiration dates, billing
zip codes

Information that is specific to the company can also be exposed. This can be
financials for banks and investment groups, medical records for hospitals and
insurers or sensitive documents and forms for government entities.

Company Information
Customer information isn't the only thing. Corporate information can be leaked
including:
• Internal communications: memos, emails, and documents detailing company
operations
• Metrics: performance statistics, projections, and other collected data about
the company
• Strategy: messaging details, roadmaps, rolodexes and other critical business
information

The exposure of this type of information can hamstring company projects, give
competitors insight into business operations, and reveal internal culture and
personalities. The bigger the company, the more interest there is in this type of
data.

Trade Secrets
Trade secrets are the most dangerous thing to be exposed in a data leak: information that
is critical to your business and its ability to compete. Trade secrets include:
• Plans, formulas, designs: Information about existing or upcoming products
and services
• Code and software: Proprietary technology the business sells or built for in-
house use
• Commercial methods: Market strategies and contacts

Exposure of this type of data can devalue the products and services your
business provides and undo years of research.

Why do data leaks happen?
• To understand why data leaks happen, we need to step back and understand
how information is generated, manipulated and used.
• When we examine information security, it becomes clear that organizing a
resilient process is difficult at scale. Operational gaps, process errors and
poor cybersecurity awareness can lead to vulnerable assets, which lead to
data leaks.
• The benefits and risks of digital data are the same. Digital data can be
reproduced cheaply and without degradation. Organizations have many
copies of production data that includes customer data, trade secrets and
other sensitive information.
• The point is that many copies of data exist, and the more copies of data that
exist, the higher the chance that something or someone could accidentally
expose it.

Data Leakage Threats
Classified into two types:
• Internal threats (intentional or inadvertent)
• External threats.

Intentional / Internal data leakage
This kind of leakage happens via remote access, instant messaging, email,
web mail, peer-to-peer, and even File Transfer Protocol.
• E-mail: a personal document may be sent to an unauthorized individual as
an attachment. The sender may also choose to compress and / or encrypt the file,
or embed it within other files.
• Steganography – a process of concealing sensitive data within non-secret
data – may also be utilized for this purpose.
• Web logs / wikis: web logs could be used to release confidential
information onto the internet, simply by entering the information in a
blog.
• FTP (File Transfer Protocol) may be allowed through the firewall and is
associated with intentional leakage: uploading a file to an FTP server can be
done only by a person who is aware of the process, and is therefore not
something an average user does on a daily basis.

• Removable media / storage: USB keys, hard drives, digital cameras, and even
musical devices such as an Apple iPod. Others may take a hard copy of the
document in a briefcase and share it with an unauthenticated person, or
take a picture of the document and send it through a mobile phone.
• Files and folders may not be protected with authentication, allowing sensitive
data to be leaked, or inadequate queries may be written against the database.

External Threats
• Phishers may develop fraudulent employment web sites and
attempt to attract job-site users to send their resumes directly to them.
Hackers not only grab resumes but also e-mail ids and credit card
numbers of job seekers by disguising themselves as a trustworthy entity on websites.
• SQL injection is the embedding of malicious code in a database query, carried out by a
person who has good knowledge of databases.
• Dumpster diving: sometimes organizations do not destroy hard
copy information securely, running the risk of confidential information
falling into unauthorized hands.
• An attacker may decide to scrutinize the company’s dumpsters and discover
important information. The information may be stored on external media
like CDs or DVDs or in printed documents.

Data can be monitored in use, at rest and in motion –
• In motion: data in motion can be an email or an FTP file transmission. The complete
pathway or network must be monitored while transmitting the data. There
are several monitoring points to intercept traffic, like web proxies and mail
servers, to monitor the complete data flow.
• At rest: an organization can recognize where its sensitive data is distributed
by scanning the network sharing methods. Sometimes a software agent is
used to assess the endpoint systems or application servers.
• In use: it is not possible to remotely monitor data in use. To control every
action, an endpoint agent is installed on the user's system to assess it. This agent
hooks into operating system functions to recognize all actions.

Safeguarding confidentiality
The loss of confidentiality is a common problem when engaging with
information security. There are many approaches which follow a variety of
ways to safeguard the confidentiality of data.
• Hippocratic databases aim to ensure that more granular access controls exist,
so that only the owner is authorized to access the database
system. This can be achieved by attaching additional attributes to all stored
information. These attributes allow fine grained access control. Another
crucial requirement is the absence of side channels, i.e. the executed queries
should not provide additional information, like statistical data that is based
on a small number of data sets.
• Email leak prevention: sending and receiving emails has become one of the
most important communication mediums. A consequence of this is the rising
threat of email leakage. Emails containing confidential data may be sent to
wrong recipients – e.g. due to misspelling or wrong use of auto
completion, a feature of modern mail agents which completes email
addresses after the first letters.

Current DLP Approaches
There are three main capabilities of DLP solutions:
• Identify • Monitor • React
• Each of these steps in leakage prevention has to handle data at rest, in
motion, and in use.
• Identify (how to find valuable content): first identify the valuable data. A
central management should induce protocols and policies to be consistent
and manageable.
• Rule-based regular expressions are the most common technique for defining
data via an abstract pattern.
• This approach produces a high rate of false positives due to the limited scope
and missing context awareness. For example, the word “confidential” or
“important” can appear in various contexts that are not confidential.
• While processing, they can be used as a filter to reduce the amount of data
for further processing.

• Database fingerprinting is a biometric identification (ID) methodology. It
uses digital imaging technology for storing and analyzing fingerprint data.
Fingerprints of authorized people should already be stored in the database.
When a person tries to access the data, the fingerprint matching
is then performed.
• Cyclic hashing is a process to scan large data in an efficient way. The first
hash value indexes the first N characters in the document; the next hash
value covers the next part, which includes an overlap. Thereby, it is
important that the resulting index contains an overlapping map of the
document. If suspicious documents are to be examined, the same algorithm
can be used to determine whether sensitive data is included. But it
produces a high CPU load due to excessive hashing.
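An added example, not from the slides, of the overlapping-window hashing just described: each sensitive document is indexed by hashing every overlapping N-character window, and an outbound message is hashed the same way so that matching windows point back to the document they came from. The window size, stride, document text and messages are constructed for this example.

```python
"""
Added example (not part of the slides): overlapping-window ("cyclic") hashing
used as a DLP content fingerprint. Each sensitive document is indexed by
hashing every overlapping window of N characters; an outbound message is
hashed with the same algorithm and any window whose hash is already in the
index points back to the document it came from. Document text and the
messages are constructed for this example.
"""
import hashlib
import re

WINDOW = 32        # N characters covered by each hash
SCAN_STRIDE = 8    # scan windows start every 8 characters, so they overlap by 24


def normalise(text: str) -> str:
    """Collapse whitespace and case so trivial reformatting does not defeat the match."""
    return re.sub(r"\s+", " ", text).strip().lower()


def window_hashes(text: str, stride: int):
    """Yield (hash, offset) for each WINDOW-sized slice starting every `stride` characters."""
    text = normalise(text)
    if len(text) < WINDOW:
        return                      # too short to fingerprint reliably
    for start in range(0, len(text) - WINDOW + 1, stride):
        digest = hashlib.sha256(text[start:start + WINDOW].encode()).hexdigest()[:16]
        yield digest, start


def build_index(documents: dict) -> dict:
    """Index every overlapping window (stride 1) of each sensitive document.
    Stride 1 is what makes the scan independent of where an excerpt lands in a
    message, and it is also why the slides note the high CPU cost."""
    index = {}
    for name, text in documents.items():
        for digest, _ in window_hashes(text, stride=1):
            index.setdefault(digest, set()).add(name)
    return index


def scan(message: str, index: dict) -> dict:
    """Return {document: number of message windows whose hash is in the index}."""
    hits = {}
    for digest, _ in window_hashes(message, stride=SCAN_STRIDE):
        for name in index.get(digest, ()):
            hits[name] = hits.get(name, 0) + 1
    return hits


def leaked_documents(message: str, index: dict, min_windows: int = 3) -> list:
    """Documents with at least `min_windows` matching windows, most matches first.
    A small threshold filters chance matches on common phrases."""
    hits = scan(message, index)
    return sorted((n for n, c in hits.items() if c >= min_windows),
                  key=lambda n: -hits[n])


# Constructed sample data for this example.
SENSITIVE_DOCS = {
    "pricing-model-2022": (
        "Confidential pricing model: the enterprise tier is discounted 37 percent "
        "for customers who commit to a three year term, and the reseller margin "
        "is capped at 12 percent."
    ),
}
INDEX = build_index(SENSITIVE_DOCS)

OUTBOUND = (
    "Hi Bob, per our chat: the enterprise tier is discounted 37 percent for "
    "customers who commit to a three year term, and the reseller margin is "
    "capped at 12 percent. Cheers"
)
BENIGN = "Hi Bob, can we move the pricing review to Thursday? Thanks"

if __name__ == "__main__":
    print(scan(OUTBOUND, INDEX))             # many matching windows for pricing-model-2022
    print(leaked_documents(OUTBOUND, INDEX))  # ['pricing-model-2022']
    print(leaked_documents(BENIGN, INDEX))    # []
```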

Key Performance Indicator (KPI)
What is a Key Performance Indicator (KPI)?
• At its core, a KPI is a way of measuring the success or failure of a business
goal, function or objective, and a means of providing actionable information
on which decisions can be based.
• Goals in other business units are often clearly defined; for example,
marketing may have a goal of increasing web traffic by 20% over the next
year.
• While security operations may have similar goals, most security operations
goals are less finite. Most security operations goals are more focused on
positive or negative trends over time than achieving a specific target.

Why measure KPI’s?
• Much of the security operations process focuses on the analysis of data
and the identification of patterns and trends.
• This is true of both the tactical functions of security operations – looking for
attack patterns and trends of malicious activity – and the strategic
functions of security operations – identifying program gaps and making long-
term program decisions.
• The measurement and analysis of well thought out KPIs can have a
tremendously positive impact on both the tactical and strategic functions of
a security operations program.
• Quality KPIs serve as a security program enabler and driver for continuous
improvement.
• KPIs help ensure that a security operations program continues to remain
effective and that any process or technology gaps are addressed
appropriately.

• KPIs should focus on assessing a goal or function and providing actionable
information on which decisions can be made.
• The most effective way to develop meaningful KPIs is to start by identifying
which security operations goals or functions are the most critical to the
security operations program.
• Avoid tracking unnecessary KPIs which will not inform the decision-making
process in some way.
• KPIs which do not inform the decision-making process serve no real purpose
to the organization.
• When choosing KPIs to measure, quality should be valued above quantity.
Each KPI should have meaning to the organization and add value to the
security program.

Each KPI should be:
• Simple – KPIs should not be overly complicated to measure. It should be clear
what the purpose of each KPI is and how it impacts the security program.
• Measurable – A KPI must be able to be measured in some way, quantitatively
or qualitatively. The method by which each KPI is measured should be clearly
defined and consistent.
• Actionable – KPIs should be used as a driver for decisions. The purpose of a
KPI is to measure performance, and if necessary, take some action based on
the results. A KPI which is not actionable serves little to no purpose.
• Relevant – Each KPI should be a measurement of the function being
assessed; in this case, the security program. KPIs which are simple,
measurable and actionable, but are not relevant to the function being
assessed will be of little value.
• Time Based – KPIs can and should be used to show changes over time. An
effective KPI should be able to be collected and grouped by various time
intervals to show variations and patterns.

Non-Financial – They are non-financial measures (not expressed in dollars, yen, pounds, Euro, etc.)
Timely – They are measured frequently (e.g., 24/7, daily or weekly)
CEO focus – They are acted upon by the CEO and senior management team
Simple – All staff understand the measure and what corrective action is required
Team-based – Responsibility can be assigned to a team or a cluster of teams who work closely together
Significant impact – They affect more than one of the organization’s top Critical Success Factors and more than one balanced scorecard perspective
Limited dark side – They encourage appropriate action, i.e., they have been tested to ensure they have a positive impact on performance (whereas poorly thought through measures can lead to dysfunctional behavior)

Database Security
What is a Database?
• A database is a structured collection of data that is accessed by one or more
applications.
• Databases are usually stored relationally, meaning they are linked to each
other.
• For example:
  • Student data: name, birthday, student id, address
  • Healthcare data: name, birthday, patient id, address, doctor, date of visit
  • Website data: name, username, password, email, secret questions

Database Elements
• Most databases are relational
• Elements include
  • Primary key
  • Foreign key
• Language: SQL
• DBMS: Database Management System
  • Consists of database, users, tools to manipulate data

Database Access Control
• Most SQL languages and programs give two types of access
  • Grant
  • Revoke
• Rights can include
  • Select
  • Insert
  • Delete/Drop
  • Update

Why databases are important
• Organizations live off databases
  • Customer data
  • Financial data
  • Security data

Threats
• SQL Injection
• Inference
• Encryption

Classification of Database Security Mechanisms

ACCESS CONTROL POLICIES
• Access control policies define the rules according to which access to the
database objects is regulated.
• The most popular class of access control policies is represented by
discretionary access control (DAC) policies.
• Discretionary access control policies are based on authorization rules.
• An authorization rule states that a subject has the privilege to exercise a
given action on a given object.
• The kind (and granularity) of subjects, objects, and actions that can be
referenced in authorizations may be different in different systems.

Subjects:
• Subjects are the entities to which authorizations can be granted.
• Typically, subjects are users (i.e., identifiers corresponding to human
entities).
• User groups can also be defined to which authorizations can be granted;
authorizations granted to a group can be enjoyed by all its members.
• Discretionary access control can be extended with role-based capabilities
allowing the definition of roles to which privileges can be granted.
• Roles are granted to users, and users can dynamically activate and deactivate
the roles received, thereby turning on and off the corresponding privileges.

Objects:
• Objects are the entities to be protected.
• Typically, objects correspond to information containers (tables or portions of them)
or procedures.
• In DBMS systems, different granularity levels can be supported, spanning
from the whole database to the single element (e.g., a specific employee's
salary) in it.

Actions:
• Actions define the specific operations that subjects can execute on objects.
• Actions to be supported include the operations corresponding to the basic
read, write, delete, create, and execute, which can take on different names in
relational database systems (for instance, read operations correspond to
SELECT actions).
Authorizations:
• Authorizations define which accesses are to be allowed.
• The simplest form of authorization is a triple (subject, object, action)
specifying that subject is authorized to exercise action on object.
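An added example, not from the lecture, of the DAC elements described above: a small monitor built on (subject, object, action) triples, where subjects may be users, groups or roles, roles must be activated before their privileges apply, and objects are named hierarchically so a grant on a table covers the columns inside it. All names are constructed.

```python
"""
Added example, not from the lecture: a discretionary access control monitor
in which authorizations are (subject, object, action) triples, subjects may be
users, groups or roles, roles must be activated before their privileges apply,
and objects are named hierarchically (database.table.column) so that an
authorization on a container applies to the elements inside it. All names
are constructed for this example.
"""
from collections import defaultdict


class DacMonitor:
    def __init__(self):
        self.auths = set()                     # (subject, object, action) triples
        self.group_members = defaultdict(set)  # group -> users
        self.granted_roles = defaultdict(set)  # user -> roles granted
        self.active_roles = defaultdict(set)   # user -> roles currently activated

    # --- administration: GRANT / REVOKE and membership ---
    def grant(self, subject: str, obj: str, action: str) -> None:
        self.auths.add((subject, obj, action.upper()))

    def revoke(self, subject: str, obj: str, action: str) -> None:
        self.auths.discard((subject, obj, action.upper()))

    def add_to_group(self, user: str, group: str) -> None:
        self.group_members[group].add(user)

    def grant_role(self, user: str, role: str) -> None:
        self.granted_roles[user].add(role)

    # --- session control: a role confers nothing until the user activates it ---
    def activate_role(self, user: str, role: str) -> None:
        if role not in self.granted_roles[user]:
            raise PermissionError(f"{user} has not been granted role {role}")
        self.active_roles[user].add(role)

    def deactivate_role(self, user: str, role: str) -> None:
        self.active_roles[user].discard(role)

    # --- access decision ---
    def principals(self, user: str) -> set:
        """The user, every group the user belongs to, and every active role."""
        groups = {g for g, members in self.group_members.items() if user in members}
        return {user} | groups | self.active_roles[user]

    @staticmethod
    def containers(obj: str) -> list:
        """'hr.employees.salary' -> ['hr.employees.salary', 'hr.employees', 'hr']."""
        parts = obj.split(".")
        return [".".join(parts[:i]) for i in range(len(parts), 0, -1)]

    def allowed(self, user: str, obj: str, action: str) -> bool:
        """True if any principal of the user holds the action on the object or a container of it."""
        action = action.upper()
        return any((p, o, action) in self.auths
                   for p in self.principals(user)
                   for o in self.containers(obj))


def demo() -> DacMonitor:
    """Constructed scenario: analysts read HR data; salary updates need an activated role."""
    m = DacMonitor()
    m.add_to_group("alice", "analysts")
    m.grant("analysts", "hr.employees", "SELECT")               # table-level grant via group
    m.grant_role("alice", "payroll_admin")
    m.grant("payroll_admin", "hr.employees.salary", "UPDATE")   # column-level grant via role
    return m
```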



DATA LEAKAGE PREVENTION

Organisations handle a plethora of sensitive data, such as trade secrets, customer data, pricing lists, trading
algorithms and acquisition plans. This data can be leaked to unscrupulous competitors, organised criminal
groups and other entities via a multitude of channels, including email, the internet, portable storage devices
and cloud services.
Data leaks can be expensive, harm an organisation’s brand and reputation, and diminish trust. Customers
and shareholders alike expect organisations to take appropriate measures to properly safeguard their data
and investment. A successful data leakage prevention (DLP) programme can significantly reduce these risks.

RESURGENCE OF DLP
Interest in DLP technology quickly waned when it first came to market due to the complexity of deployment, cost of
investment, and inability to demonstrate business value. However, cloud adoption, mobile computing and remote
working, coupled with major data breaches and new regulatory requirements, such as the EU General Data Protection
Regulation (GDPR), have prompted organisations to take a fresh look at DLP.

Meanwhile, DLP technology has matured and is steadily progressing towards a mainstream security control.[1]
DLP’s recent surge in popularity is reflected within the ISF Membership – to date, 42% of surveyed ISF Members have
implemented DLP and a further 45% are either running a DLP pilot or planning for deployment.[2]

DLP CAPABILITIES
In today’s business environment, organisations handle a vast amount of data that is increasingly easy to access and share,
and more vulnerable to leaking. DLP technology offers a set of capabilities to manage the risk of data leaks – but it has some
limitations.

For instance, DLP technology can only detect sensitive data in a digital format and is used primarily to monitor conventional
channels of data leakage, such as email, the internet and USB. Although DLP technology is evolving to protect newer
channels, it does not capture all types of sensitive data or cover all conceivable scenarios of data leakage.

To prevent the actual leakage of data, DLP tools need to be carefully configured to block activities that put data at
risk. However, many organisations are reluctant to enable the blocking functionality for fear of disrupting business
operations. This can limit the effectiveness of DLP.

NEED FOR A HOLISTIC APPROACH
The full benefits of DLP can only be realised if organisations implement DLP for clearly defined purposes and in a
structured, systematic manner that incorporates people, process and technology. ISF Members reported that DLP can be
a success when approached as part of a dedicated programme for reducing the risk of data leakage.

Figure 1: Survey results of ISF Members who have implemented a DLP programme – 72% achieved objectives,
57% delivered return on investment, 72% demonstrated risk reduction.

Based on the experience of ISF Members, this report provides guidance on how to optimise a DLP deployment, describing
the ten key attributes of a successful DLP programme. It emphasises that a focus on technology alone will likely lead to
the relegation of DLP tools to shelf-ware.

[1] The enterprise DLP market is expected to grow at a compound annual growth rate of 16.28% between 2018 and
2023: Enterprise Data Loss Prevention Market – Industry Trends, Opportunities and Forecasts to 2023, https://www.researchandmarkets.com/research/npbpsp/global_enterprise?w=4.
[2] Figures based on survey sample size of 147 ISF Members, correlated by ISF Security Healthcheck statistics.
1 What is data leakage prevention?
Data leakage prevention (DLP) can be defined as the practice of detecting and preventing the unauthorised disclosure of data.
Also referred to as data loss prevention and data loss protection, the main purpose of DLP is to ensure that specified sensitive
data is not leaked. It can also be used to help prevent data being mishandled or improperly accessed. DLP can be broken down
into the following three core activities:

IDENTIFY data to protect against leakage – There are many different types of information that are valuable to organisations
(known as information assets) which need to be kept confidential (e.g. market strategies, payment card information, personal
health information, source code, product designs and employee data). Information may exist in digital, physical or
spoken formats.

MONITOR channels of data leakage – Digital data can leak through a variety of channels (also referred to as vectors) including
email, social media and portable storage devices. Channels are monitored to understand data flows and detect activity that
indicates the leakage of data. Some channels can be difficult to monitor due to their nature (e.g. verbal
disclosure of information and printed documents left in an insecure location).

ACT to prevent data from leaking – There are a range of actions that can be taken to stop data from leaving an organisation
(e.g. alert users to their risky behaviour, quarantine outbound email messages containing sensitive data, block the transfer of
data to portable storage media, and locate office equipment in a physically secure environment).

DLP tools and related technologies are used to help perform these core activities, which are illustrated in Figure 2 and explored
in more detail on the following pages.

Figure 2: Core activities of DLP
IDENTIFY: personal data; customer data; intellectual property; business & governance data; financial data; sales & marketing data
MONITOR: email; internet; removable media; collaboration devices; cloud platforms; database/file storage; printer/MFD; file-sharing applications; camera; paper; clipboard; voice
ACT: log; notify; block

There is an increasing number of technologies labelled as DLP, which vary in their capabilities and perform different
aspects of DLP. The focus of this report is DLP tools, which are designed to identify data, monitor its usage and movement,
and take actions to prevent data from leaking. DLP tools (also known as enterprise DLP) are usually offered as a comprehensive
suite of products that cover multiple channels.

“DLP only protects what you tell it! Plan and understand the environment, have data classification
and know what it is you are trying to protect.” – ISF Member
As an alternative to using DLP tools, organisations may choose to utilise DLP functionality embedded into other security products
(e.g. secure web gateway, secure email gateway, email encryption and device control) or cloud-based services (e.g. Microsoft
Office 365). DLP offered as a feature of existing products (also known as integrated DLP) is typically restricted in capability and
may only protect a single channel.

2 Data Leakage Prevention Information Security Forum


DLP POLICIES
To monitor and control the flow of sensitive data, a DLP tool is configured using technical DLP policies. A DLP policy
contains one or more rules, consisting of conditions, exceptions and actions against which data, files, document content
and messages are evaluated to detect and prevent data leaks. Through DLP policies, organisations can define:
‒‒ what data can and cannot be sent, posted, uploaded, moved, or copied and pasted
‒‒ where data can be transmitted
‒‒ who can send and receive data
‒‒ how data can be shared.

A technical DLP policy is not the same as an organisational policy. The term is commonly encountered in DLP products as
a central component of deploying the tool and is used throughout this report to refer to the configuration of rules for
detecting and protecting data.

Conditions instruct the DLP tool what data to look for and when to take action by defining the content to detect (e.g. type of data)
as well as the context (e.g. file type, file size, sender or recipient). When data matches the conditions, the system reports a policy
violation (also known in the context of DLP as an ‘incident’). DLP policy violations can be user or system generated (e.g. a finance
system emailing payslips automatically). Exceptions may be added to exempt certain data or activity from matching the condition
and triggering the rule.

Actions stipulate how the DLP tool acts to protect the content when the conditions are met (e.g. log the policy violation, notify
the user, encrypt a file or block copy of data to clipboard). Different actions can be applied depending on the level of risk, number
of matches within a given transmission or severity of the policy violation (e.g. transfer of 20 customer records versus 200 records;
internal versus external sharing of data).

A DLP policy can apply to one or more channels of data leakage. It need not apply enterprise-wide; it may be more appropriate to
limit its application to certain users, a user group or geographic region. Examples of DLP policies are shown in the table below.

DLP POLICY: Source code
CONDITION: Detect content containing proprietary source code
EXCEPTION: Allow transfer of data to company X, selected to conduct a source code review
ACTION: Block transfers containing source code (including web postings, email messages and copy of files)

DLP POLICY: Credit cards
CONDITION: Detect content that matches the credit card number, using a Luhn algorithm
EXCEPTION: None
ACTION: Quarantine data in cloud applications, files and messages: send an email notification to the user; allow the user to
provide business justification for release

DLP POLICY: Project penguin
CONDITION: Detect content containing key phrase ‘project penguin’ and intended for an external recipient
EXCEPTION: Allow transfer of data to John Doe (external legal counsel)
ACTION: Block transfer of content to external recipients; encrypt email transmissions to John Doe

DLP POLICY: Medical records
CONDITION: Detect content that matches words or expressions from a list of common medical conditions
EXCEPTION: Exclude emails marked as ‘personal’
ACTION: Block transfers including copy of health data to a portable storage device; display on-screen notification stating file
transfer violates a specific DLP policy

DLP policies can be created by using predefined templates or building custom policies. Most DLP tools provide a library of predefined
policy templates to detect data that is subject to regulatory requirements, such as the GDPR, the Payment Card Industry Data Security
Standard and the US Health Insurance Portability and Accountability Act. Policy templates may cover industry-specific data that adheres
to a standard format (e.g. credit card number or SWIFT code) and country-specific data (e.g. Canadian social insurance number, French
passport number, Irish International Bank Account Number, New Zealand national health index number or UK driver’s licence number).
Other policy templates are more generic and designed for different use cases, such as protecting certain types of sensitive data
(e.g. content classified ‘top secret’, information pertaining to oil drilling or software design documents). Tools may also include
policy templates for detecting acceptable use transgressions (e.g. indecent images, profanities or racism) and employee discontent
(e.g. distribution of a curriculum vitae).
Predefined policy templates should be customised to meet an organisation’s specific needs, providing a quick and easy starting point
for deploying DLP tools.
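As an added illustration (not code from the ISF paper or from any DLP product), the following Python models the ‘Credit cards’ row of the table above as a rule with a condition, an exception and an action that escalates with the number of matching records, in the spirit of the 20-versus-200 example. The card-number pattern, the Luhn check, the recipient-domain exception, the thresholds, the mode ordering and the sample records are all constructed assumptions.

```python
"""Toy DLP policy rule: condition, exception and severity-scaled action.

Added example; it is not code from the ISF paper or from any DLP product.
The condition is a card-number pattern validated with the Luhn algorithm,
the exception is a set of recipient domains, and the action escalates with
the number of matching records. Thresholds, domains and sample records are
constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Candidate card numbers: 13-19 digits, optionally grouped with spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# The three response modes, in the order the paper says they should be enabled.
MODES = ["log", "notify", "block"]


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn check-digit test."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9        # equivalent to summing the two digits of the product
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Described-content detection: regex candidates filtered by the Luhn check."""
    return [m.group(0) for m in CARD_CANDIDATE.finditer(text)
            if luhn_valid(m.group(0))]


@dataclass
class Transmission:
    sender: str
    recipient: str
    body: str


@dataclass
class Policy:
    name: str
    # Exception: recipients in these domains may receive matching content
    # (constructed; the paper's own credit-card row has no exception).
    allowed_recipient_domains: set[str] = field(default_factory=set)
    notify_threshold: int = 1      # constructed: any match warrants a notification
    block_threshold: int = 20      # constructed: 20 or more records is a hard block
    mode: str = "block"            # highest mode currently enabled for this rule


def evaluate(policy: Policy, tx: Transmission) -> dict:
    """Apply one policy rule to a transmission and return the resulting action."""
    matches = find_card_numbers(tx.body)
    result = {"policy": policy.name, "matches": len(matches), "action": "allow"}
    if not matches:
        return result                           # condition not met
    domain = tx.recipient.rsplit("@", 1)[-1].lower()
    if domain in policy.allowed_recipient_domains:
        result["exception"] = domain            # exception exempts this transfer
        return result
    # Severity-dependent action, capped by the mode that has been enabled so far.
    if len(matches) >= policy.block_threshold:
        wanted = "block"
    elif len(matches) >= policy.notify_threshold:
        wanted = "notify"
    else:
        wanted = "log"
    result["action"] = MODES[min(MODES.index(wanted), MODES.index(policy.mode))]
    return result


def sample_records(n: int) -> str:
    """Constructed sample: n customer records using well-known test card numbers."""
    cards = ["4111 1111 1111 1111", "5500 0000 0000 0004"]
    return "\n".join(f"customer-{i},{cards[i % 2]}" for i in range(n))


if __name__ == "__main__":
    rule = Policy("Credit cards")
    for n in (2, 25):
        tx = Transmission("analyst@corp.example", "partner@external.example",
                          sample_records(n))
        print(n, "records ->", evaluate(rule, tx))
```

Running the same 25-record transmission with `mode="log"` or `mode="notify"` shows how a rule still in its monitoring phase records the violation without blocking it.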

Information Security Forum Data Leakage Prevention 3


IDENTIFY DATA
DLP is intended to protect specific types of sensitive data rather than secure every piece of data handled by an organisation. For
DLP to provide blanket protection of all data is not only an unrealistic ambition, but would be a resource-intensive task, irritate
business users and likely result in a degradation of system and network performance.

Types of sensitive data

Sensitive data is information that could cause harm to organisations if it were disclosed to unauthorised parties, for example,
merger and acquisition plans, personally identifiable information, product designs, pricing models, source code and social security
numbers. Data can be deemed sensitive for many reasons, such as regulatory requirements, internal policies and the potential impact
of unauthorised disclosure.

Surveyed ISF Members focused predominantly on protecting personal and customer data, as shown in Figure 3.

Figure 3: Types of data ISF Members protect using DLP
Personal 85%
Customer 80%
Financial 66%
Business and governance 62%
Intellectual property 55%
Sales and marketing 51%

It is common for organisations to use DLP to detect and prevent the leakage of their mission-critical information assets
(i.e. the information assets of greatest value, which would cause a major business impact if compromised). Refer to the ISF implementation
guide Protecting the Crown Jewels for further guidance on approaches to securing mission-critical information assets.

Techniques for detecting sensitive data

Identifying what data should be included within the scope of DLP is a core activity that can determine whether DLP delivers value
and reduces the risk of data leaking. A DLP tool can only detect data if it is configured to look for that data. Deploying a tool that
is incorrectly configured will result in the wrong data being reported, and potentially harmful leaks of sensitive data being masked,
hidden or simply unnoticed.

82% of surveyed ISF Members found engagement with the business to be of high value for identifying sensitive data.

DLP tools protect sensitive data held in a readable digital format. To protect sensitive information in physical and spoken formats, DLP
tools need to be complemented by other security controls, such as procedures for the proper handling and disposal of information.

DLP tools typically incorporate different techniques to detect sensitive data (referred to as ‘content’). They are well-suited to
finding explicit keywords or alphanumeric patterns within data but can fail when data is complex (e.g. scientific data sets) or
purposely obscured (e.g. Zip files that can be compressed, encrypted and password-protected). Detection techniques commonly
provided in DLP tools include:

Described content: Matches content using regular expressions, defined strings, keywords, patterns or dictionaries (a list of specific
matching terms, keywords or key phrases). Instances of described content include credit card numbers, social security numbers, and
files containing certain metadata such as a classification (e.g. confidential or secret).

Fingerprinting (Indexing): Takes a cryptographic hash of a sample file or file contents to create a ‘fingerprint’. Content is then
checked against the fingerprint for complete or partial matches (i.e. to detect either the complete text or excerpts that match the
sample document). This technique can be effective for both structured and unstructured data but requires the ‘data sources’
(e.g. documents and files) to first be identified and prepared.

Machine learning (Statistical analysis): Uses algorithms and statistical techniques to determine if content is similar to example
documents, which are provided for the DLP tool to learn from as representative of the type of data to protect. Common use cases for
this technique include source code, software design documents and other data that is not practical to fingerprint or difficult to
describe with accuracy.

Optical character recognition (Image recognition): Analyses image files (e.g. screenshots or scanned documents) and extracts text
to find matches for sensitive content.

For global organisations, consideration should be given to how a DLP policy applies across multiple jurisdictions (e.g. using an alphanumeric
pattern to detect sensitive data in one jurisdiction may cause benign information to be flagged as a policy violation elsewhere).
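The fingerprinting technique described above, as an added example that is not the paper’s or any vendor’s code: a constructed sample memo is reduced to a set of hashed word shingles, and a candidate message is then classified as a complete match, a partial excerpt or no match. The five-word shingle size, the thresholds and the sample texts are assumptions, and the final check shows the limitation the paper notes, that a paraphrase shares no shingles and so goes undetected.

```python
"""Toy document fingerprinting for complete and partial match detection.

Added example; it is not code from the ISF paper or from any DLP vendor.
The sample document is split into overlapping word n-grams (shingles), each
shingle is hashed, and a candidate message is checked for complete or
partial matches against that set of hashes. The memo text, the shingle size
of 5 words and the match thresholds are constructed for illustration.
"""
import hashlib
import re

WORD = re.compile(r"[a-z0-9]+")

# Constructed 'data source': a memo about the paper's fictional Project Penguin.
SAMPLE_DOC = (
    "Project Penguin design memo. The payment gateway stores card tokens in "
    "the vault service and never writes primary account numbers to disk. "
    "Settlement batches run nightly at 02:00 and are signed with the batch "
    "key before upload."
)


def normalise(text: str) -> list[str]:
    """Lower-case and tokenise so that case or punctuation changes do not defeat matching."""
    return WORD.findall(text.lower())


def shingles(tokens: list[str], k: int) -> set[str]:
    """All overlapping k-word sequences in the token list."""
    return {" ".join(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def fingerprint(text: str, k: int = 5) -> set[str]:
    """Hash every shingle; the set of hashes is the document's fingerprint.

    Storing hashes rather than text means the DLP index does not itself hold
    a readable copy of the sensitive document.
    """
    return {hashlib.sha256(s.encode("utf-8")).hexdigest()[:16]
            for s in shingles(normalise(text), k)}


def check(fp: set[str], candidate: str, k: int = 5,
          partial_min: int = 2, complete_ratio: float = 0.9) -> dict:
    """Compare a candidate message against a fingerprint.

    'complete' when (almost) the whole source document is present,
    'partial' when at least `partial_min` shingles (an excerpt) are present,
    'none' otherwise. Thresholds are constructed, not vendor defaults.
    """
    shared = fp & fingerprint(candidate, k)
    coverage = len(shared) / len(fp) if fp else 0.0
    if coverage >= complete_ratio:
        verdict = "complete"
    elif len(shared) >= partial_min:
        verdict = "partial"
    else:
        verdict = "none"
    return {"shared": len(shared), "coverage": round(coverage, 3), "verdict": verdict}


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_DOC)
    print(check(fp, SAMPLE_DOC))                      # whole memo: complete
    print(check(fp, "Hi John, as discussed the system never writes primary "
                    "account numbers to disk. Thanks"))  # one sentence quoted: partial
    print(check(fp, "Reminder: PANs are never written to disk by the gateway."))  # paraphrase: none
```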


MONITOR DATA LEAKAGE CHANNELS
There are multiple channels through which sensitive data can leave an organisation. For instance, data can leak via email,
webmail, instant messaging, HTTP/HTTPS, file transfers, wikis and blogs. It may also be exposed to unauthorised entities when it
is transferred to portable storage devices (e.g. USB), uploaded to cloud storage services or stored in unencrypted folders with no
access control. By monitoring data leakage channels, organisations can establish how data is being used, understand the risks to
their data and detect potential leaks.

Coverage of data leakage channels


A DLP programme should ideally address all channels of data leakage but monitoring every channel can be an onerous task
in terms of financial cost, resourcing and impact on systems performance. Consequently, leading organisations prioritise those
channels where reducing occurrences of data leakage delivers significant benefit to the organisation or can demonstrate value
most quickly. Figure 4 shows the channels of data leakage covered by the respective DLP programmes of surveyed ISF Members.

Figure 4: Channels of data leakage protected by surveyed ISF Members (bar chart; for each channel, the proportion of Members
answering Yes, Scheduled, Under consideration or No). Channels shown: corporate email, internet usage, portable storage devices,
external file-sharing applications, cloud services, collaboration platforms, enterprise database and file storage, office equipment,
screen capture, physical information, voice, cameras.

The findings depicted in Figure 4 show that most organisations focus on email because it is perceived to be one of their primary
channels of data leakage and the easiest to protect using a DLP tool. New and emerging channels (for example mobile devices
containing high-resolution cameras) are relatively poorly covered, illustrating potential gaps in channel coverage.

Monitoring the insider threat

DLP tools are primarily intended to mitigate insider threats causing data to leak, whether that be theft of data by a disgruntled
employee, intentional misuse of data, human error or negligent behaviour. For instance, ISF Members reported that monitoring email
revealed both malicious activities as well as accidental data leaks by well-meaning employees (e.g. mistakenly sending an email to
the wrong recipient).

DLP tools themselves lack insight into the business context or motive of users to distinguish between the different types of risky
behaviour. As a consequence, some level of review and analysis will be required to identify the root cause of policy violations.

Figure 5: Three types of risky behaviour
Malicious: conscious decision to act inappropriately; motive to harm
Negligent: conscious decision to act inappropriately; no motive to harm
Accidental: no conscious decision to act inappropriately; no motive to harm

Refer to the ISF briefing paper Managing the Insider Threat for further details about the three types of risky insider behaviour.


ACT TO PREVENT DATA FROM LEAKING
DLP prevents data from leaking by intervening with the use or movement of data to address risky behaviour and compensate
for poorly secured business processes. There are a range of actions that can be taken to improve how users handle data and to
stop attempts to exfiltrate sensitive data. Some actions are applied by DLP tools, while others involve the use of management or
physical security controls (e.g. clear desk policy, double packaging to protect physical information in transit, physical protection of
hardware and office equipment).

DLP tools should not be treated as a long-term remedy for insecure business processes.

Types of action
A DLP tool can respond to a policy violation in one of three ways: log, notify or block (referred to as ‘modes’). Each mode should
be enabled sequentially to ensure DLP policies are enforced appropriately and do not disrupt business operations.

“Start with monitoring/detecting before implementing any protective controls.” – ISF Member
In log mode (also known as monitoring), policy violations are recorded in log files, allowing for analysis and investigation.
The individual responsible for the policy violation is not notified.

Once a policy rule has been fine-tuned and is delivering the required results, notifications can be introduced to advise individuals
that they violated a DLP policy. To compel a change in user behaviour, a copy of the message may be sent to the individual’s
manager. Types of notification include:
‒‒ sending an email to notify the user that their behaviour breached corporate policy, while still permitting the activity, with
guidance on the approved handling of data
‒‒ presenting a pop-up warning with an option for the user to cancel the data transfer.

Blocking is the third type of action that can be applied in response to a policy violation (e.g. email containing credit card data,
external file-sharing of source code or instant messaging of medical details). It can be divided into three categories: hard block,
soft block and other actions to remediate incorrect handling of data, as shown in the box below.

Blocking

Hard block, for example:
‒‒ block transfer of email message or file
‒‒ disable download, copy or print options
‒‒ delete attachment or file.

Soft block, for example:
‒‒ move file to another location
‒‒ quarantine email message pending business justification for release
‒‒ redact sensitive data in web post or email and allow transfer.

Other actions to remediate incorrect handling of data, for example:
‒‒ add visual tag
‒‒ change access controls to restrict access to the file
‒‒ encrypt file or message.

Figure 6 shows the common actions taken by DLP tools, which surveyed ISF Members apply to data in motion, in use and at rest.
These three states of data are explained on the following page.

Figure 6: Common actions taken in response to policy violations (bar chart; for each action, the proportion of surveyed Members
applying it to data at rest, data in motion and data in use, or not performing it). Actions shown: log, encrypt, notify, block,
quarantine, prevent download, copy or print, cancel or delete, redact.


DLP TECHNICAL ARCHITECTURE
DLP tools apply different techniques to monitor data depending on whether it is in motion over the network (also known as data
in transit), in use on endpoints or at rest in storage, as outlined in the table below.

State of data: Data in motion
Description: Data that is traversing a network, such as the internet or a private network (e.g. local area network).
Monitoring technique: DLP tools can monitor network traffic through network sniffing and deep content inspection to identify
sensitive data travelling via a variety of means including email, file transfer and HTTP (web).

State of data: Data in use
Description: Data that is being processed on endpoint devices.
Monitoring technique: DLP tools can provide visibility of how users interact with data on endpoints by installing DLP agents on
target devices. The scope of activity monitored can vary between DLP tools but may include copy and paste between applications,
print functions and download to portable storage devices (e.g. USB).

State of data: Data at rest
Description: Data in storage, such as in file systems, servers, databases, the cloud and endpoint devices (e.g. laptops and desktops).
Monitoring technique: DLP tools can inspect storage repositories and systems (indexing, opening, reading and analysing files) to
detect files that contain sensitive content. Scans may be set to occur in real time, at regular intervals or on demand (e.g. ahead
of a security audit). Scanning may be performed remotely or by agents installed locally.

The technical architecture for the deployment of DLP tools needs to be carefully designed to integrate with existing infrastructure.
A typical DLP architecture consists of four main architectural components as illustrated in Figure 7.

Figure 7: DLP technical architecture
Central management console: policy creation and management; reporting & dashboard; management of policy violations; system administration
DLP for network: email, internet, Software as a Service (SaaS), other network protocols
DLP for storage: cloud, file server, database server, web server
DLP for endpoint

The central management console provides a single interface to author, implement and manage DLP policies across all data leakage
channels covered by a DLP programme. The console also consolidates logging, reporting, review of policy violations, incident
remediation and system administration.

“Business side activity: 75%; IT implementation (including testing): 25%.” – ISF Member

The network component often involves passive monitoring of network traffic, lacking the ability to intervene with user activities.
To apply preventative capabilities (e.g. blocking), data needs to be passed to DLP tools for analysis and handling, which can
be achieved by deploying software agents (e.g. on endpoints) or by integrating with web proxies, email services and storage
repositories. Increasingly, DLP tools include the capacity to extend DLP policies to cloud services by integrating with a cloud access
security broker (CASB) or cloud-delivered web gateway.


2 Benefits of a DLP programme
The primary benefit of data leakage prevention is in the name – preventing sensitive data from leaking and potentially being
exploited by adversaries for financial gain, industrial espionage or other malignant purposes. Sensitive data does not just
represent value to the organisation. It is also an asset that is highly sought after by adversarial threats, such as organised criminal
groups, unscrupulous competitors, hacktivists, investigative journalists and disgruntled employees, particularly since data can be
monetised (e.g. held to ransom or on-sold).

It does not take much effort to leak data but the business impact can be severe. Depending on the data leaked and extent of
exposure, potential consequences include regulatory penalties, negative publicity, loss of competitive advantage, brand damage,
erosion of customer trust and disruption to business activities, all of which can result in an organisation suffering financial losses.

DLP can help to mitigate the potential costs associated with sensitive data leaking. Securing data from unauthorised disclosure
can also set an organisation apart in terms of their information security maturity, especially if DLP is mandated as a requirement
by prospective clients or business partners.

DLP enables organisations to detect what data is leaking and demonstrably reduce incidents of data leakage by blocking or otherwise
restricting activities that put data at risk, whether initiated by the user or system generated. Additional benefits can also be
derived from DLP, which include:
‒‒ supporting compliance with global, regional, country and industry-specific regulatory requirements
‒‒ gaining visibility of the usage and movement of sensitive data
‒‒ improving the security awareness and behaviour of users
‒‒ detecting the exfiltration of data by external hackers.

77% of surveyed ISF Members implement DLP to reduce the frequency or magnitude of accidental data leakage; almost the same
proportion implement DLP to mitigate malicious data leakage (76%).

Implementation of DLP can help to identify signs of hacker activity on a network by detecting suspicious attempts to exfiltrate data via
channels that are monitored by DLP tools.

DLP LIMITATIONS
While DLP offers many benefits, it does have limitations that organisations will need to manage. In today’s world, the explosion of
information has created much more data to protect, which can leak through more channels than ever before due to technological
advances and new working trends.
The challenges of preventing data leakage cannot be solved by DLP tools alone due to gaps in their coverage and capabilities.
DLP tools are unable to:
‒‒ detect all content containing sensitive data
‒‒ monitor all channels of data leakage
‒‒ act to prevent every occurrence of data leakage.

“DLP isn't something you switch on and everything is protected.” – ISF Member

ISF Members identified the following aspects of DLP that can diminish the business value of a DLP deployment.

Data is dispersed
Data is scattered across different environments – it is often replicated in various storage repositories and platforms (including
cloud services and geographically distributed data centres), constantly transferred out of an organisation and accessible from
personal devices or networks that may not be controlled by an organisation. This wide dispersal of data affects how it can be
scanned and protected by DLP tools.

Traditional DLP tools are designed to prevent the leakage of data already within the control of the organisation. While DLP
technology is evolving to extend coverage to mobile devices, the cloud environment and beyond, there will still be gaps where
data remains beyond the reach of DLP tools and can leak.

Coverage is limited to digital data


DLP tools are intended to prevent data from leaking in a digital format (rather than printed or spoken format). As a result, many
channels of potential data leakage are not covered by DLP tools. For instance, shoulder-surfing, steganography and lost laptops
are all ways that data can be leaked and need to be addressed by security controls other than DLP tools.


Detection of data needs business input
Half of surveyed ISF Members found it challenging to identify what data to protect using DLP tools. In the age of the information
explosion and big data, it is not easy to keep track of what sensitive data an organisation holds. Not only is data generated,
consumed and shared at a staggering rate, but it may be classified incorrectly – or in a way that makes it difficult to distinguish
sensitive data (e.g. a significant amount of data is classified ‘confidential’). To understand what data to detect and prevent from
leaking, business collaboration is crucial.

DLP controls are circumvented


Focusing DLP efforts on a select few channels of data leakage allows malicious insiders to circumvent DLP controls and exfiltrate
data via egress points that are less stringently protected (e.g. collaboration platforms or voice communications). To be truly
effective, a DLP programme needs to recognise patterns in human behaviour and take account of how users react to rules that
prevent certain activities.
For example, if a user is blocked from transmitting sensitive data externally by email, the user will often share this data via other
means, such as copying to a portable storage device, uploading it to a cloud storage service or printing the document. This is a
common occurrence where DLP is perceived to get in the way of routine business activities or if a determined insider is motivated
to steal data.

Excessive policy violations compromise effectiveness


Without proper configuration, DLP tools can miss genuine data leakages and generate large volumes of policy violations, which
can overwhelm resources. If a DLP policy rule is too specific, it can fail to detect occurrences of data leakage it was intended to
capture (false negatives). If it is too general or broad, it can result in an overload of policy violations that are not intended matches
(false positives). This reduces the accuracy and credibility of DLP tools, encroaching on the time and resources that should be
spent investigating actual incidents. False positives can also engender a tendency for users to ignore DLP notifications on the
assumption they pertain to valid communications, which in the given context do not violate a DLP policy.

50% of Benchmark respondents do not review policy violations to help minimise false negatives and false positives.

Organisations are reluctant to block


The benefits of blocking should not be underestimated since it is the most effective action for actually preventing data leakage.
Yet organisations are often reluctant to enable blocking for fear of disrupting business activities (e.g. preventing the business from
conducting legitimate transactions by stopping email messages or other forms of communication).

Blocking can interfere with user workflow and cause a degradation in productivity. However, to leave DLP tools running purely in
log or notify mode can reduce the value of deploying DLP, unless the main objective is to gain visibility into data usage and report
policy violations. By carefully tuning DLP policy rules with business input, organisations can ensure blocking does not disable
operations or impede business processes.

60% of Benchmark respondents do not block unauthorised user actions.

THE NEED FOR A DLP PROGRAMME


Simply installing DLP tools is not enough to deliver value and stop sensitive data from leaving an organisation. Surveyed ISF
Members reported that the benefits of DLP can only be fully realised by implementing a DLP programme that is designed to
address a business problem; not just a technology issue. DLP is inherently linked to business operations – more so than many
other security controls. Consequently, to treat DLP as a ‘fix and forget’ solution that can be achieved through technology alone
will result in failure.

Significant effort and resources need to be dedicated to the planning and preparation of a DLP deployment, the success of which
relies substantially on effective business engagement. A DLP programme should account for the organisational and human
factors of DLP, as well as apply robust processes for securing sensitive data. It should be supported by DLP tools but not take as
its starting point or primary component the selection and implementation of DLP tools. Section 3 defines the key attributes of a
successful DLP programme.


3 Attributes of a DLP programme
The most effective way of implementing DLP is to adopt a formal programme supported by the right blend of people, process and
technology. ISF Members identified ten key attributes of a successful DLP programme, as shown in Figure 8. These attributes can
be grouped into three phases of deploying a DLP programme: governance, preparation and implementation.

Figure 8: Key attributes of a DLP programme

A. GOVERNANCE
– Obtain executive support
– Define DLP programme objectives
– Assign roles and responsibilities

B. PREPARATION
– Involve business stakeholders
– Prioritise what data to protect
– Select DLP tools
– Integrate DLP tools into existing environment

C. IMPLEMENTATION
– Improve security awareness of data leakage
– Determine how to respond to policy violations
– Deploy DLP incrementally

Effective implementation of a DLP programme is not as simple as ticking a list of check boxes. To position a DLP programme for
long-term success, significant effort should be dedicated to effective governance and preparatory activities for implementation,
which include – but are not limited to – deployment of DLP tools.

“You may (likely will) find that your programme will succeed or fail based on the buy-in
that you get from your business partners.” – ISF Member

DLP inherently involves monitoring employees’ communications and online activities, and by extension third party messages, which
raises legal concerns that need to be carefully considered prior to deploying DLP tools. There are a variety of laws relating to privacy,
data protection, employment, interception of data and telecommunications that apply to monitoring and data processing in the
context of DLP.
The extent to which these laws constrict the scope and coverage of a DLP programme, or otherwise mandate specific measures, will
depend on the given legal system (e.g. in some countries, such as Germany and Austria, deployment of DLP technology may require
agreement with a ‘works council’). For global organisations, the legal complexity can prove particularly acute given the requirement to
plan and execute a DLP programme that takes account of variances in local laws across multiple jurisdictions. Legal advice should be
sought to ensure implementation of a DLP programme adheres to all applicable laws.

A DLP programme does not address all aspects of protecting data but instead concentrates on implementing the relevant tools,
procedures and processes for preventing specific sensitive data from leaving an organisation. A DLP programme should therefore
be approached as just one element of an organisation’s data protection strategy.

This section is not intended as an implementation guide or an end-to-end process map for installing DLP. Rather, it reflects good
practice within the ISF Membership and the areas on which to place focus to fully derive the benefits of a DLP programme. Each key
attribute is explained on the following pages in the order that a DLP programme would typically follow.

Implementation of a DLP programme is a multi-phase undertaking that does not end with the installation of DLP tools or creation
of DLP policies. To realise the value of a DLP programme and optimise its performance, organisations need to continually
maintain, review and refine their DLP programme.

“DLP requires scheduled review and assessment to ensure relevance and to comply
with the latest technology trends.” – ISF Member


PHASE A: GOVERNANCE
Obtain executive support
Gaining the support of executive management is often a prerequisite for deploying any security tool, but it is particularly
important for the success of DLP. A DLP programme typically has a wide reach across an organisation and can change how users
handle data. Actions performed by a DLP tool can interrupt business operations and workflow, causing employee frustration. Backing
from executive management lends legitimacy to a DLP programme and reinforces the need for individuals to embrace changes introduced
by a DLP deployment.

77% of surveyed ISF Members considered executive-level involvement to be of high value to their DLP programme.

Surveyed ISF Members recommended establishing a steering committee to provide strategic direction, advise on business issues, set
risk reduction priorities and monitor the progress of DLP against agreed objectives. A steering committee should include representatives
from key departments, such as information security, IT, legal, human resources, compliance, privacy and risk management. An executive
sponsor should be appointed as early as possible to champion DLP and ensure it is a success.

Executive management should contribute to the organisation’s information risk assessments and therefore be involved in
identifying DLP as an appropriate risk treatment action. This way, DLP is deployed as a business initiative endorsed by executive
management from the outset, providing an important mandate for business stakeholders to dedicate time and resources to
developing a successful DLP programme.

Define DLP programme objectives


Before selecting any DLP technology, organisations should establish why DLP is required and what it needs to accomplish to be a
success. Setting objectives enables an organisation to define the scope of the programme and determine steps for achieving both
short and long-term goals. Fundamental questions for organisations to consider are:
‒‒ what data needs to be protected by DLP?
‒‒ which data leakage channels to cover?
‒‒ how to respond to DLP policy violations, including whether and when to block?

71% of surveyed ISF Members deploy their DLP programme enterprise-wide.

Organisations should determine whether to apply DLP enterprise-wide or to a specific system, application, business unit, division
or region. For the majority of surveyed ISF Members, the end goal is to deploy DLP across the enterprise, starting with an initial
pilot that is limited to a defined group or target area.

Other factors that can influence the scope of a DLP programme include speed of risk reduction, costs, resourcing and timescales.
Organisations should also consider which supporting technologies and compensating controls to include within scope because
they either optimise the performance of DLP tools or protect data leakage channels that are not adequately covered by DLP tools.

Assign roles and responsibilities


Surveyed ISF Members advised that the success of DLP is highly dependent on the programme being properly staffed from its
inception. A permanent DLP team should be assembled to perform the following tasks:
‒‒ maintaining DLP tools and related infrastructure
‒‒ configuring and managing DLP policies
‒‒ triaging, investigating and responding to DLP policy violations
‒‒ coordinating cross-functional involvement.

The roles and responsibilities of those involved in a DLP programme need to be clearly defined, particularly since implementation
requires the input of representatives from various business functions (e.g. business operations, IT, information security, legal and
HR). Of ISF Members surveyed, those with a cross-functional DLP team were more likely to achieve their programme’s objectives and
deliver return on investment than Members who appointed either IT or information security to be primarily responsible for DLP.

To prevent misuse of DLP, duties should be segregated so the technical maintenance of DLP tools, the management of DLP policies
(i.e. author, update and delete) and review of policy violations cannot be carried out by the same individual or function.


PHASE B: PREPARATION
Involve business stakeholders
The ongoing involvement of business stakeholders throughout the planning and operation of a DLP programme is of paramount
importance to its success. To be leveraged to its full potential, a DLP programme needs to align with business priorities. Without
business involvement, neither information security nor IT can determine precisely what data the business deals with, the business
value of that data, and how it flows within and out of the business.

An ISF Member reported that to bolster collaboration they had co-opted business representatives into their DLP team for a specified
period to gain the institutional knowledge of the business. Another approach was to nominate business representatives (e.g. data
owners) to provide direct support with the triage of DLP policy violations.

Regular engagement with business representatives from across the organisation is necessary to assist with both the configuration
of DLP policies and review of the policy violations generated. Short of business input, a DLP tool cannot be properly tuned to
protect what is important to the business. Equally, the authorised use of data may not be apparent to those outside a given
business function (e.g. whether or not an email to an external party concerning a business transaction should be blocked).

While DLP tools provide some visibility of user and system activities, collaboration with business stakeholders can help detect
business processes that are undocumented or cause data to leak, revealing security weaknesses in business operations. Decisions
on how to remediate risky processes should be made with the relevant business owner to ensure that the changes introduced satisfy
business requirements.

To protect against data leakage requires the business not only to support DLP but also to be accountable for adjusting their
practices and processes to reduce risk. A DLP programme is best placed to succeed if business representatives recognise they are
the custodian of data while handling it. This requires the business to take responsibility for treating the risk of data leakage,
with information security providing usable solutions and options to enhance protection – whether that be DLP or other relevant
security controls.

DLP activities
Surveyed ISF Members recommended engaging with the business to conduct the following DLP activities (this is not an exhaustive list):
‒‒ identifying the types of data handled by each business unit and the impact of that data leaking
‒‒ defining what data is important to protect, who accesses it and where it resides
‒‒ determining what existing controls are in place to protect data, their relation to DLP and how good they are
‒‒ remediating insecure business processes without disrupting business operations
‒‒ understanding the context of user behaviour and whether it involves legitimate business transactions
‒‒ reviewing and responding to policy violations.

Prioritise what data to protect
Data can take many forms and exist in various locations across an organisation. In preparing for a DLP programme, it is important for
organisations to understand the different types of sensitive data they handle and determine what data to protect using DLP.

Not all data leaks are equal: the business impact varies depending on the data leaked, to whom it is exposed and the extent of exposure.
Organisations should identify what data is the highest priority for protection and which channels to focus on securing first, considering a
range of factors as shown in the box below.

ISF Members recommended prioritising DLP activities according to the business risk associated with data leaking. This involves assessing the
business impact of leakage for each type of data (e.g. regulatory fines, loss of competitive advantage, customer attrition, damage to the brand and
direct financial losses). Consideration should also be given to where data is at the highest risk of unauthorised disclosure and the likelihood
of it leaking.

Risks can then be prioritised to concentrate DLP efforts on the data leakage scenarios that pose the greatest risk to the organisation before a DLP
programme incrementally expands to the desired level of coverage.

Prioritising data for protection
Factors influencing the priority for protection may relate to the:
‒‒ data, for example:
• data that is of greatest value to the organisation
• data that would attract high publicity if leaked due to its profile (e.g. celebrity data)
• location of data and extent of user access
• impact of data leakage, including costs and severity of the consequences
• likelihood of data leaking
• how well the data is already protected by existing tools
‒‒ channels of data leakage, for example:
• channels through which the data most commonly leaks
• volume of data processed by a channel
• speed and ease of protecting a channel
‒‒ business operations, for example:
• impending launch of new business product or services
• contractual, legal or regulatory requirements
• impact of data leaking for customers and business partners.



Select DLP tools
To evaluate DLP tools effectively, organisations should first establish their requirements of a DLP programme, including the types
of data to prevent from leaking (in order of priority), the techniques required to detect that data and which channels to monitor.

When selecting DLP tools, organisations should evaluate the:
‒‒ features and functionality of the tool, including detection techniques and the interface for managing DLP policies
‒‒ hardware and architecture requirements for deployment, including ease of installation and use
‒‒ reliability and performance of the tool, including availability of technical support
‒‒ compatibility of the product with the existing IT environment
‒‒ ability to integrate with relevant third-party technologies
‒‒ alignment with the organisation’s overall IT strategy
‒‒ overall cost of ownership, including installation, configuration and resourcing.

Before procuring a DLP tool, organisations should test the product thoroughly to ensure it meets requirements. Undertaking a proof
of concept (POC) will enable organisations to assess the capabilities of the product and determine whether it can interact well with
other related technology in the target environment.

Integrate DLP tools into existing environment
To function correctly, DLP tools need to integrate with existing infrastructure, including servers, storage platforms, endpoint
devices, email services, proxies and web gateways. As presented in the box below, there is also a range of complementary
technologies that can enhance the performance of DLP tools and support the objectives of implementing a DLP programme.

By adopting some of these technologies, organisations can address the shortcomings of DLP tools, extend the protection of
data and improve the value delivered by their DLP programme. For surveyed ISF Members, integration of DLP tools with a data
classification scheme ranked as the most important technology-related factor for a successful DLP programme.

Complementary technologies
Integrate with DLP tools:
‒‒ data classification tools
‒‒ cloud access security brokers (CASB)
‒‒ security information and event management (SIEM)
‒‒ digital rights management
‒‒ role-based access control
‒‒ third-party encryption tools
‒‒ enterprise mobility management
‒‒ enterprise directories (e.g. Active Directory).
Support DLP objectives:
‒‒ user and entity behavioural analytics
‒‒ application and website whitelisting
‒‒ sandbox technologies
‒‒ USB security management
‒‒ collaboration platforms (e.g. Yammer, Slack)
‒‒ file compression tools.

Integrating DLP with data classification


Integration with data classification tools can optimise the value of DLP by improving its ability to accurately identify the data that needs
to be protected against leakage. The recommendation of surveyed ISF Members was to introduce a data classification scheme before
implementing DLP or in parallel. While it is possible to integrate a third-party data classification tool with DLP following the initial rollout,
this is a more complicated, resource-hungry and costly option.

Data classification involves assigning agreed labels to information based on its level of confidentiality, taking into account the value of
information to the organisation and potential business impact if it were disclosed. Classification labels can be applied as visual markings to
messages, documents and files (e.g. using electronic watermarks, headers and footers or rubber ink stamps); embedded into the content’s
metadata (e.g. document properties); or both.

Metadata labels can be read by DLP technology and DLP policies enforced based on the classification level (e.g. a classification of ‘internal
only’ will tell a DLP tool to block or otherwise restrict the movement of that data outside the organisation). To generate metadata labels that
are ‘machine readable’ by DLP requires organisations to install a suitable tool, such as data classification software, which is compatible with
DLP technology.

To enhance a DLP programme, data classification needs to be applied consistently and accurately across the organisation. Whenever
possible, organisations should supplement user-driven classification by using automated classification tools that can automatically label
information and prompt users to confirm a classification.



While a successful DLP programme needs to be supported by DLP tools and other technologies, a holistic approach to DLP
requires the programme to include non-technical controls and documented procedures that will help prevent the leakage of data
in physical and spoken formats.

“When you ‘sell’ the DLP service to business, make sure you explain that this is just one control...
make sure they understand where their information is still vulnerable.” – ISF Member

Complementary management and physical security controls


Management controls:
‒‒ clear desk policy
‒‒ authenticated printing
‒‒ authenticated network access
‒‒ protection of information on office equipment (e.g. password-controlled access).
Physical security controls:
‒‒ storing printed material containing sensitive data in a physically secure location
‒‒ protection of secure physical areas (e.g. installing CCTV)
‒‒ physical protection of hardware (e.g. restricting access to a data centre)
‒‒ secure transportation of sensitive physical information (e.g. double packaging to protect physical information in transit)
‒‒ secure means of disposal (e.g. incineration or cross-cut shredding).



PHASE C: IMPLEMENTATION
Improve security awareness of data leakage
The success of DLP is significantly influenced by the human factor. Often individuals simply do not realise the risk created by their
own actions, which may be undertaken in the interests of productivity or because routine business processes do not cater for the
secure handling of data.

By monitoring how data is transmitted, used and stored, DLP tools can provide insight into how an organisation works and expose
insecure habits that need to be addressed. In turn, DLP tools can be configured to send an email or display pop-up notifications to
coach users on how to handle data appropriately with options for immediate self-remediation. This real-time feedback can result
in a considerable drop in risky behaviour as users change the way they act and think about handling data.

Awareness activities tailored to DLP should be initiated ahead of deploying DLP tools to inform individuals what they can expect
from a DLP programme and avoid undue surprises. It should address the value of data, why DLP is being adopted and its business
benefits. This communication to the business will help foster a positive perception of DLP and prepare employees for actions that
block or otherwise intervene with user activity.

Figure 9: Benefits of promoting security awareness

ISF Members reported a drastic reduction in DLP policy violations in areas where the level of security awareness was raised, whether due
to notifications, blocking or a security awareness campaign.

Deploying DLP may require a culture shift within an organisation to create a corporate environment where security is regarded as a
priority. Just as DLP can improve security awareness via educational pop-up messages, a security conscious culture will benefit DLP
implementation.

Video and gamification were identified by ISF Members as being particularly effective for delivering security awareness messages
tailored to DLP.

Eliminating the noise attributable to poor security awareness allows other policy violations to be investigated in more depth and is a useful
metric by which to demonstrate the value of DLP.

There is the potential for employees to become careless and complacent in their handling of data under the false assumption
that DLP tools or other technology is able to detect and correct all user mistakes. This is why training needs to be refreshed at regular
intervals.

Determine how to respond to DLP policy violations


Before DLP tools are deployed, organisations should determine the process for handling policy violations, specifying who responds,
the options for corrective action and the criteria for investigation. The response process needs to be appropriately resourced according to
the size of the organisation and scale of the DLP roll-out, otherwise the value of the DLP programme can diminish.

DLP vendors use the term ‘incident’ to refer to a DLP policy violation.

The initial response to a policy violation typically involves verifying its validity, the context and severity. This triage process may be
performed by a small, centralised team dedicated to the task or by nominated individuals from relevant business functions, with
the option to escalate to appropriate personnel – such as HR, legal or compliance – for further investigation. If a policy violation
proves to be an actual incident of data leakage, it should be integrated into wider security incident management processes.

Some ISF Members use a playbook to record their DLP policies, documenting how they are configured, who the data owners are and
how to respond to different types of policy violations (e.g. send an automated email to the user involved with guidance on the secure
handling of data, notify the user’s manager or impose restrictions on the user pending further investigation).

“Determining a process flow for incident remediation early in the project is crucial as these incidents
can escalate into huge amounts of data, which will make fine-tuning policies a little
more challenging and time consuming.” – ISF Member



DLP policy violations should be analysed to evaluate trends, measure the success of the programme and adjust DLP policies as
appropriate. Examples of relevant metrics include:
‒‒ number of violations per policy
‒‒ business units experiencing more policy violations
‒‒ percentage of policy violations classified as high severity
‒‒ policy violations related to insecure business processes
‒‒ policy violations due to poor security awareness.

Deploy DLP incrementally


A systematic, phased approach to implementation is imperative to execute a DLP programme successfully and optimise its
performance. Any attempt to simultaneously protect all sensitive data and channels from the outset is destined to fail.

“Obtain proof through a small deployment and then expand the deployment.” – ISF Member
An implementation pilot, which is limited to a representative group of users, a business unit or a region, should precede wider
deployment. This pilot will often focus on just one type of sensitive data and target a single data leakage channel, such as email.

Deployment of DLP should start small with one or two policies relating to a single ‘use case’ to ensure proper configuration and
effective performance of DLP tools. Additional DLP policies can then be introduced gradually.

Organisations should design a phased implementation plan for expanding their DLP programme, which takes account of:
‒‒ adding DLP policies to broaden the types of sensitive data protected
‒‒ improving the way existing channels are monitored
‒‒ extending DLP to monitor new channels of data leakage
‒‒ moving from logging policy violations to notify and block actions.

DLP policy rules should first be run in log-only mode (also known as monitor-only mode) to review the alerts generated and
effectiveness of the policy. This allows time to fine-tune each policy to improve its accuracy and determine its potential business
impact before enabling blocking or other response actions. Business input during the log phase is vital – it helps to minimise false
positives, highlight business requirements and reveal business activities that the DLP policy may disrupt once response actions
are applied.

When blocking is enabled, there should be a process for efficient recovery of quarantined or blocked information that is time-sensitive
(e.g. relates to an urgent business transaction), otherwise the IT helpdesk (or equivalent) may receive constant requests for the
release of data. This may be achieved by displaying an on-screen notification, allowing users to select from an agreed list of business
justifications for the transfer of data.
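The mechanics described in this phase can be seen together in a small policy engine: classification labels read from document metadata select which policies apply, a policy in log-only mode records a violation without intervening while one in block mode stops the transfer, a user-selected justification from an agreed list releases a blocked transfer without a helpdesk request, and the recorded violations feed the metrics listed earlier (violations per policy, per business unit and the share classified as high severity). The Python below is an added illustration written for this page, not code from the ISF or from any DLP vendor; the classification scheme, policy names, justification list and sample events are all constructed for the example.

```python
# Added example: classification-driven DLP policy check (not ISF or vendor code).
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed classification scheme, in increasing order of sensitivity.
LEVELS = ["public", "internal only", "confidential", "restricted"]
# Assumed agreed business justifications offered in the on-screen prompt.
AGREED_JUSTIFICATIONS = {"approved customer contract", "regulatory filing"}

@dataclass(frozen=True)
class Policy:
    name: str
    channel: str              # channel monitored, e.g. "email-external"
    min_level: str            # applies at this classification level and above
    mode: str                 # "log" (monitor-only) or "block"
    severity: str             # "high", "medium" or "low"
    allow_justification: bool = False

@dataclass(frozen=True)
class Event:
    user: str
    business_unit: str
    channel: str
    metadata: Dict[str, str]  # document properties, incl. "classification"
    justification: Optional[str] = None

@dataclass(frozen=True)
class Violation:
    policy: str
    user: str
    business_unit: str
    severity: str
    action: str               # "logged", "blocked" or "released"

def level_of(metadata: Dict[str, str]) -> int:
    """Rank of the metadata label; unlabelled/unknown counts as 'internal only'."""
    label = metadata.get("classification", "internal only").lower()
    return LEVELS.index(label if label in LEVELS else "internal only")

def evaluate(event: Event, policies: List[Policy]) -> List[Violation]:
    """One Violation per policy the event triggers on its channel."""
    rank = level_of(event.metadata)
    hits = []
    for p in policies:
        if p.channel != event.channel or rank < LEVELS.index(p.min_level):
            continue
        if p.mode != "block":
            action = "logged"      # monitor-only: record, do not intervene
        elif p.allow_justification and event.justification in AGREED_JUSTIFICATIONS:
            action = "released"    # agreed business reason supplied by the user
        else:
            action = "blocked"
        hits.append(Violation(p.name, event.user, event.business_unit, p.severity, action))
    return hits

def decision(violations: List[Violation]) -> str:
    """Collapse per-policy outcomes into the action taken on the transfer."""
    actions = {v.action for v in violations}
    if "blocked" in actions:
        return "block"
    return "release" if "released" in actions else "allow"

def metrics(violations: List[Violation]) -> dict:
    """Programme metrics from the text, computed over recorded violations."""
    total = len(violations)
    high = sum(1 for v in violations if v.severity == "high")
    return {
        "per_policy": dict(Counter(v.policy for v in violations)),
        "per_business_unit": dict(Counter(v.business_unit for v in violations)),
        "pct_high_severity": round(100.0 * high / total, 1) if total else 0.0,
        "blocked": sum(1 for v in violations if v.action == "blocked"),
    }

POLICIES = [
    Policy("internal-via-external-email", "email-external", "internal only", "log", "medium"),
    Policy("confidential-via-external-email", "email-external", "confidential", "block", "high", True),
    Policy("confidential-to-usb", "usb", "confidential", "block", "high"),
]

# Constructed sample events; not real telemetry.
EVENTS = [
    Event("alice", "Finance", "email-external", {"classification": "Confidential"}),
    Event("bob", "HR", "email-external", {"classification": "internal only"}),
    Event("carol", "Finance", "usb", {"classification": "restricted"}),
    Event("dave", "Sales", "email-external", {"classification": "public"}),
    Event("frank", "Legal", "email-external", {"classification": "confidential"},
          justification="regulatory filing"),
]

def run(events=EVENTS, policies=POLICIES):
    """Evaluate every event; return per-user decisions and all violations."""
    decisions, all_violations = {}, []
    for e in events:
        hits = evaluate(e, policies)
        decisions[e.user] = decision(hits)
        all_violations.extend(hits)
    return decisions, all_violations
```

Calling `run()` returns the per-user decisions (alice and carol are blocked, frank is released on his justification, bob's transfer is allowed but logged under the monitor-only policy) together with the violation records, and `metrics()` summarises those records. Two design points mirror the text: an unlabelled document is treated as ‘internal only’ rather than ‘public’, so a missing label cannot bypass policy, and the same policy object can be promoted from `"log"` to `"block"` once the log-only phase has shown its alerts are accurate.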

For many ISF Members, the ability to confidently turn on blocking is itself a measure of a DLP tool’s success. It provides assurance
that certain data cannot leave an organisation via a given channel without relying on scanning and analysis of policy violations to
detect data leaking.

Maintenance and improvement


Following the initial DLP roll-out, DLP tools need to be maintained and enhanced to obtain maximum value from the DLP programme.
The value of data to an organisation can change over a given period, meaning that the sensitivity of data can be time-bound or context
dependent. DLP policies should be reviewed regularly and kept current. They may need to be modified, removed or new policies created to
accommodate changing business requirements and account for new threats.

Organisations are rarely static. New product lines, services or projects are constantly being introduced as organisations adapt to market
trends. Organisations may also acquire, merge, divest and restructure. These changes affect the type of data that needs to be protected
and the channels to monitor. It is therefore critical to continuously engage with the business to ensure the right data is covered by the DLP
programme and leakage of sensitive data is kept to a minimum.



4 Conclusion
The increasing adoption of collaboration platforms, cloud services and social media, which are often accessed using personal
devices, has introduced a host of new ways for sensitive data to leak. Well-intentioned and rogue employees alike can now share
data with greater ease. This only serves to magnify the risk of disclosing data to unauthorised entities.

As data breaches continue to hit media headlines with costly consequences, organisations are realising the importance of taking
a systematic, structured approach to detect and prevent the leakage of sensitive data. DLP technology has existed for some time
but has experienced a resurgence in recent years. ISF Members reported that they are now achieving success with DLP technology
when it is deployed as part of a dedicated DLP programme.

DLP tools alone cannot prevent the leakage of all types of sensitive data across every possible channel. DLP capabilities are now
extending to the cloud, mobile devices and other emerging technologies, but blind spots will inevitably remain and obscure the
occurrence of data leaks.

Ultimately, the value of DLP is to block suspected leaks and stop sensitive data from leaving an organisation, whether via file
uploads, copy and paste, printing, social media posts or email. Failure to block will limit the value of DLP to simply detecting –
rather than preventing – the leakage of data. A balance must be struck, however, between blocking risky activities and impeding
legitimate business operations.

A prerequisite of a successful DLP programme is support from executive management and ongoing collaboration with business
representatives. By implementing a comprehensive DLP programme that encompasses awareness training, tools, supporting
technologies and other security controls, organisations can compensate for weaknesses in DLP technology and proactively
manage the risk.

WHERE NEXT?
The ISF encourages collaboration on its research and tools. ISF Members are invited to join
the Process community on ISF Live to share experiences and discuss practical approaches
for implementing a successful DLP programme.



Data Leakage Prevention
JULY 2018

CONTACT
For further information contact:
Steve Durbin, Managing Director
US: +1 (347) 767 6772
UK: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 953 800
steve.durbin@securityforum.org
securityforum.org

PUBLISHED BY
Information Security Forum Limited
+44 (0)20 3875 6868
info@securityforum.org
securityforum.org

AUTHOR
Emma Bickerstaffe

REVIEW AND QUALITY ASSURANCE


Andy Jones
Mark Sowerby
Jason Creasey

DESIGN
Kim Whyte

ABOUT THE ISF


Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit
association of leading organisations from around the world. It is dedicated to investigating,
clarifying and resolving key issues in cyber, information security and risk management and
developing best practice methodologies, processes and solutions that meet the business
needs of its Members.

WARNING
This document is confidential and is intended for the attention of and use by either organisations that are
Members of the Information Security Forum (ISF) or by persons who have purchased it from the ISF direct.
If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF
on info@securityforum.org. Any storage or use of this document by organisations which are not Members of
the ISF or who have not validly acquired the report directly from the ISF is not permitted and strictly prohibited.
This document has been produced with care and to the best of our ability. However, both the Information
Security Forum and the Information Security Forum Limited accept no responsibility for any problems or
incidents arising from its use.

CLASSIFICATION
Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the report from the ISF.

REFERENCE: ISF 18 07 01 ©2018 Information Security Forum Limited. All rights reserved.
