Plugging Data Leaks
Whether intentional or accidental, data leaks are a huge concern for organizations. And it has been for years. Going back to a 2004 survey from an IT security forum hosted by Qualys, found that 67% of security executives do not have controls in place to prevent data leakage, A December 2006 survey, Boston-based researchers Simon Management Group noted that some 78% of respondents said they were "very concerned" about data exposure. A 2010 article published by Trustwave on CSOonline.com said that 65% of leakage occurs due to the following combined methods: Microsoft SMB sharing, Remote Access Applications, and Native FTP clients. And a recent informal survey conducted by the Avast Mobile Enterprise team at two healthcare technology events indicates that Data Leakage (69%) was the greatest security concern of Healthcare CISOs. Insider threats (34%) and Malware (28%) got silver and bronze. Information seems to be the gold standard in today’s digital society and it comes in many forms. It can be personally identifiable information (PII) of customers or employees; it can be corporate or financial info; it can be litigation related; it can also be health care related and really, any data that should be kept secret…except from those who are authorized to view it. According to Cisco, some risky behavior by employees can aggravate the situation. Areas included: Unauthorized application use: 70% of IT professionals believe the use of unauthorized programs resulted in as many as half of their companies' data loss incidents. Misuse of corporate computers: 44% of employees share work devices with others without supervision. Unauthorized physical and network access: 39% of IT professionals said they have dealt with an employee accessing unauthorized parts of a company's network or facility. Remote worker security: 46% of employees admitted to transferring files between work and personal computers when working from home. Misuse of passwords: 18% of employees share passwords with co-workers. That rate jumps to 25 percent in China, India, and Italy. How can you reduce and mitigate some data leakage risks? BIG-IPcan help shore up some areas. The overall category of Data Loss Prevention (DLP) is a multi-faceted area of security that encompasses securing data storage, data transmission, and data in-use. Specifically, BIG-IP ASM focuses on the protection of data in-flight. For instance, ASM’s DataGuard is a method of protecting against SSN or CC# information from leaking out of back-end databases but ASM’s benefits in a DLP strategy extend well beyond that. DLP is concerned with unauthorized access to any private data, whether confidential personal or corporate information. ASM provides comprehensive protection against unauthorized back-end database access, by preventing the exploit of well-known vulnerabilities such as XSS, SQL-injection, cookie poisoning, etc. If you can’t even reach the info, less likelihood of it leaking. No single product is going to provide a comprehensive, all inclusive DLP solution. HIPAA, PCI, and other regulatory standards are focused almost entirely on DLP. BIG-IP ASM, as a WAF, provides a vital part of any overall DLP solution in today’s security-conscious environment. ps Related: Survey Says: Data Leakage Tops Healthcare CISOs Concerns Data Leakage Worldwide: Common Risks and Mistakes Employees Make Stealing 11.5 million documents not so hard
Thoughts from the security non-professional: don’t let your data escape
Probably the biggest IT security threat to F5 Networks is typing this blog, and probably the biggest threat to your organization is reading it. OK, I don’t mean me or you, as such. We are, after all, IT professionals and wouldn’t dream of clicking on that suspicions link or using that freebie USB stick we picked up at the trade show. But the truth is people in organizations do dumb things. Even if your network is well equipped with firewalls, IPS’ and your policies are tight, people can take their laptops home with them and do dumb things. Even if your corporate policy is strict on Anti-virus and administrative lockdown, then BYOD allows people to do, yes, dumb things. In the modern workplace it’s extremely hard to prevent hostile code entering your organization. The question is, what do you do about it? Now I’m not really a security professional. Sure, I know a few acronyms and have occasionally fumbled my way through a configuring a firewall, but I don’t consider myself an expert. I do follow the high profile events in the industry though, and it struck me there was an ongoing theme that is worth examining: It’s not what comes into your organization that really hurts you, it’s what leaves it. Credit card numbers, career ending emails, source code, it’s often what organizations lose that causes the most damage. Now I know the root cause is the bad stuff that’s got in – the malformed HTTP request, the infected laptop, misused credentials or compromised router, but if we focus all of our attention on inbound security we are missing a chance to save the day when our frontline protection fails us. The successful hack of the US retailer Target is a great example – although there are plenty more to choose from. Ignoring all the infiltration and compromise techniques used, the real damage occurred when the customer details left the store. How was this done? Well allegedly an infected exfiltration server made outbound FTP connections to external drop servers. Did the in-store Target network allow inbound FTP from the internet? I don’t know for sure, but I’m guessing not. But outbound from a more trusted to a less trusted network? Apparently so. Examining and evaluating outbound traffic can and should be a powerful security tool in mitigating a compromise. You need control over where your infrastructure is sending data, and what’s in that data. If you can successfully control and audit these two things, then you have a good chance of avoiding a lot of the damage caused by an attack. For servers in your production infrastructure, it might be possible to build whitelists and restrict traffic to just the places you know it should go. Here’s where a network firewall like BIG-IP Advanced Firewall Manager can help by placing strict controls on your egress traffic. In many cases, however, and especially for end user devices, you’re going to have to rely on some kind of reputation score or endpoint location to make a decision. That’s why I like technologies like F5’s IP Intelligence and Secure Web Gateway, they can look at where your traffic is going, and decide if that’s a good idea based on a near real-time threat database and a geographical IP address database. You get a good level of control without the need to maintain an exhaustive whitelist. What about the data itself? Standalone DLP solutions are certainly available, but there are some other options. A classic DLP solution created in an iRule is the credit card scrubber this rule examines the response form a webs erver, looks for credit card numbers and removes them (or obscures the first twelve characters), simple stuff, but powerful and fairly easy to adapt to other patterns. For a more full featured solution take a look at the DataGuard feature in our web application firewall, which does the same thing but with the benefits of supporting a wider range of content, such as Microsoft® Office documents. So while inbound security controls, monitoring software and user education are still the first line of defense, in the view of this security non-professional, outbound traffic controls need more focus - because you have a greater chance of controlling what leaves your infrastructure than what gets in.
