Tightening the tap

There are many ways data can be manipulated, lost, stolen and maliciously controlled. Julian Pletts finds out what more needs to be done to plug data leaks in Middle Eastern networks

[Photo] “What we do that is quite unique is go back and test against legacy data flow to see whether your policies have the right sort of implications and effects.” Greg Day, principal security analyst, McAfee. (Photo: Alex MacNaughton)
By Julian Pletts, published July 21, 2009, Network Middle East

A single breach or loss of vital corporate information, such as intellectual property, can impact the bottom line, share price and customer confidence virtually overnight.


In the current economic downturn, the demand for illicitly gained intellectual property or other sensitive information will only increase as companies look to strip every possible cost from R&D and speed up time to market. Network administrators ignore these concluding words from McAfee’s recent Unsecured Economies study at their peril.

It seems on the face of it that there are relatively few incidences of serious data leakage in this region. Talk to anyone who deals with the problem, however, and that myth is quickly challenged and even dispelled.

“When we were on our recent roadshow, where we went to every single country in the Middle East, I would say about 70% to 80% of all of the questions were around data leakage,” claimed Rik Ferguson, senior security analyst and solutions architect at security vendor Trend Micro. “Let me say there is a huge interest and I take from that that it is a huge issue.”

Perhaps if we look a little closer we can make out the not-so-faint outlines of some serious data leakage incidents that may have taken place in the Middle East in recent times.

“If you remember recently a lot of the banks notified their customers to change their passwords. We don’t know, but the bottom line is it is very difficult for us to identify and track things here because of the lack of disclosure regulations, so we can only draw some various conclusions,” added Ferguson.

He is not alone in this assertion, as another network security expert also made the point that recent prompting by Middle Eastern banks for customers to change their PIN numbers might well have been precipitated by some form of data leakage.

It is not that data leakage doesn’t happen in the Middle East. It does happen, and one way of looking at it is that it’s more likely to happen here as it is, after all, a region that is immature when compared to Europe or the US. It is just that when it does, it is not as widely reported and there are few incentives for companies to hold their hands up.

Greg Day, principal security analyst at McAfee, says there is seemingly a discrepancy between the likelihood of the problem and recorded data leakage events.

“I have seen a couple of small examples, but nothing to the extent that we have seen in other parts of the world. I think there are a couple of simple realities at play here, including the fact legislation isn’t yet as tough as it is in other parts of the world.”

Stronger and more direct disclosure laws, such as those currently in place in North America, might well reveal the true extent of the data leakage problem in the Middle East if they were introduced here. Interestingly, according to Trend Micro’s Ferguson, these laws have done little to actually reduce the incidence of leaks in the US.

Whilst on the surface data leakage might not seem like too much of a problem here, that doesn’t mean network administrators are ignoring the issue. Even in small countries where the risk is somewhat diminished, data leakage prevention (DLP) is still very much in the IT manager’s mind’s eye.

“It is not because the gravity of the situation in Oman is high that we are doing things like ISO 27001. The gravity is low and we want to make absolutely sure that our organisation is secure enough,” emphasised Dileep Somani, CIO of the Oman-based OTE Group.

IT professionals like Somani are right to be worried about the dangers of data leakage because, from a corporate perspective, the ramifications can be catastrophic.

Data leakage can lead to the loss of confidential information to competitors and criminal entities. Customer information can be used for a whole host of undesirable reasons and a serious leak in the midst of a financial crisis could feasibly lead to the downfall of entire businesses.

But as McAfee’s Day puts it, the most serious injuries inflicted on a corporation that has fallen foul of holes in its network security are to brand image. “The biggest cost is probably the most intangible one and that is brand damage and brand value. How much is your brand really worth?” challenged Day. “A lot of industries are customer-facing today and it is very likely that a data breach could be enough to stop a customer dealing with them.”


He goes further to point out that the tangible costs of a data leak include the price of working out what went missing, both in terms of man hours, wasted time, and techniques that need to be used to try and recover it, and the cost of alerting those to whom the information relates. Factor all of these in, plus all of the other potential side effects that are far-reaching and numerous, and it begins to be clear that prevention is much better than cure.

So what can be done to plaster up any potential seepage? The answer is, fortunately, a great deal. There are many solutions that tackle data leakage and the general consensus among those touting these solutions and end-users making use of them is that defence has to be multi-faceted.

“Any effective strategy to deal with the risk of data leakage should combine a number of human and technological measures; neither will work effectively without the other,” asserted Paul Wood, senior analyst at MessageLabs.

The first port of call for many when building a strong DLP system is encryption. There are, however, a few arguments around the worth of encryption in fighting data leakage. But it is certain that a full DLP solution would be incomplete without some form of encryption.

“The place that many will start is endpoint encryption and that is a quick win,” explained McAfee’s Day. “That is either full device encryption, whether it is on a server, a workstation, laptop or a USB or mobile device. We will either do full encryption or just by the folder encryption. And we can do USB encryption as a sideline to that.”

Encryption does not strictly prevent data leakage; rather, it makes data that leaves the organisation unusable by disreputable third parties. It is not effective if someone inside the organisation steals information and is able to decrypt it.

It can also be costly and time consuming, and Day explains that a large degree of flexibility is important when it comes to encrypting corporate data. One way to maximise that flexibility is to include file and folder encryption, which works particularly well for protecting data being copied onto removable media at the endpoint.

“Encryption is often presented as being the solution to the data leakage issue, which it clearly isn’t,” stressed Trend Micro’s Ferguson. “I am not saying that it is not important, it is an important part of the puzzle. It protects against lost or stolen data. It is absolutely useless against user error. There is another decision to take over and above do I want to encrypt this device or data, the decision of whether you want this data to leave the organisation, encrypted or not.”

The next major step in DLP is seen by many as the need to classify your data and set up enterprise-wide security parameters and policies. When it comes to educating network users and defining sufficient policies, knowing exactly what data you have in your network is of paramount importance. This is done by a process of data classification.

“Normally you would start to look at your data and work out what is sensitive and then define your policies and implement them against your live environment. What we do that is quite unique is go back and test against that legacy data flow to see whether it has the right sort of implications and effects. Once I have started to understand my data and have defined policies, the next part is to enforce those,” said Day at McAfee.

Classification of data relates to working out what data you have, where it is stored, how it is moved about and how sensitive it is. As a means to help IT administrators define initial security policies and protocols for users to follow, this can be done in a single broad sweep. But from that point on it is ideal if there is some form of automated assessment of data, meaning policies can be enacted automatically.

“You have to have some interaction with the end-user saying something like — according to corporate policy we don’t think you should be doing what you are trying to do,” explained Ferguson. “If, despite this warning, you still feel you should be doing it, please type your reason in this box and press OK. We will log your reason and action and allow it to happen. But be aware we know it has happened, and you have justified your actions, so you are liable for what has happened.”


Having such end-user policy alerts fulfils a few functions. First, it mentally nudges the user, which reduces the number of unwitting leaks. Secondly, it educates users as to what counts as sensitive information. And lastly, it gives the IT manager greater recourse in the event of a malicious leak, both to combat it and to show fault on the part of the user.
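To make the classify, define-policy, enforce sequence described above concrete, here is a small toy DLP policy check, added as an illustration and not code from McAfee, Trend Micro or any product on the page. It assumes constructed rule names, channel names (`usb`, `external_email`), sample messages and a constructed classification label list; the Luhn check and pattern-shape detection are the language-independent recognition the text alludes to.

```python
import re

# Detectors match the shape of the data (or a classification label), so they work
# regardless of the language of the surrounding text; labels are constructed.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
LABELS = ("confidential", "سري")  # "confidential" in English and Arabic

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Classification step: return the sensitivity classes found in text."""
    found = set()
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        found.add("card_number")
    if any(label in text.lower() for label in LABELS):
        found.add("labelled_confidential")
    return found

# Policy per (class, channel): block outright, prompt for a justification, or allow.
# Unlisted combinations are allowed; channel names are constructed for this example.
POLICY = {
    ("card_number", "usb"): "block",
    ("card_number", "external_email"): "prompt",
    ("labelled_confidential", "external_email"): "prompt",
    ("labelled_confidential", "usb"): "prompt",
}

def decide(text: str, channel: str, user: str, log: list, justification=None) -> str:
    """Enforcement step: 'allow', 'block' or 'prompt'; a prompt becomes allow once justified."""
    classes = classify(text)
    actions = {POLICY.get((c, channel), "allow") for c in classes}
    if "block" in actions:
        action = "block"
    elif "prompt" in actions:
        action = "allow" if justification else "prompt"
    else:
        action = "allow"
    if classes:  # every decision on sensitive content is recorded for later audit
        log.append({"user": user, "channel": channel, "classes": sorted(classes),
                    "action": action, "justification": justification})
    return action
```

A real deployment would call `decide` from the endpoint agent or mail gateway and re-run the policy against historical transfers before enforcing it, as Day describes.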

Somani at OTE, however, points out that this can be taken too far: too many alerts and warnings can massively impact the speed and efficiency of the workforce. Instead, he feels a calculated risk has to be taken.

“If you put 100% controls then there will be massive inefficiencies and a lot of complaints actually. We never say it is 100% secure and we are always trying to improve, you have to boost it based on the current risks and what kind of people you have. You have to take a bit of risk otherwise it would be very inefficient,” said Somani.

In addition to allowing you to set automated policies, the recognition and classification of data can also work in conjunction with the tagging of data. If data is leaked, either on purpose or by accident, it can be traced, and when the IT manager carries out an audit they can assess what has gone, whether it was encrypted and indeed who leaked it.

McAfee has also worked to combat the problem of malevolent individuals trying to hide their actions by disguising the data they are stealing.

“Even if they do things like cut and paste and move around and encrypt it and move it into strange formats, our tagging of where it actually comes from always stays with it. Even when it is no longer readable that tag still stays with it, so it can still always be used to enforce policy,” explained Day.

Ferguson at Trend Micro also points out that context is just as important when tagging documents: “We look at the true content of the data with many different technologies but essentially we are using key word recognition or looking at patterns of data to recognise things,” he said. He also suggests that in a region that is so multi-lingual it is important that content classification systems are language-independent, to ensure that policy is enforced on all of a large enterprise’s data.

The financial crisis is forcing most IT managers into having to make cutbacks in terms of spending. They should think long and hard before any of those cuts are aimed at DLP provisions in their network because, after all, the risk is greater now than it has ever been.

If all of these elements — encryption, malware defence, classification and tagging of data, end-user education and access controls, and the installation of strong and consistent security policies — are implemented, then they can rest a bit easier, safe in the knowledge they are doing everything possible to protect against a serious data spill.

Don’t forget malware

One threat that is often overlooked when it comes to data leakage is malware. Trend Micro’s security guru Rik Ferguson says malware must not be ignored.

“Malware is a seriously underestimated event when it comes to data leakage and loss. We are all focusing on people losing USB devices and emailing inappropriate and confidential data to people, but what most of the messaging around data leakage fails to address is the fact that it is a bigger puzzle and there are more pieces than just anti-malware, just data leakage prevention and just encryption,” explained Ferguson.

To underline the point he makes reference to a report from security provider Verizon: “In [Verizon’s] annual report of all the leakages, in ones that they investigated, only 38% of them involved malware, but that 38% accounted for 90% of the lost records.”
