Sunday, March 31, 2019

Data leakage

Data leakage is the unauthorized or unintentional exposure, disclosure, or loss of sensitive information (GAO, 2007, p.2). Many businesses hold sensitive information about their organisation, employees and customers. The Information Commissioner (ICO) in a recent press statement (ICO, 2010) is alarmed with the unacceptable level of data leakages within the modern world and will issue fines for major breaches to commence in 2010.

In addition to our markets, the safety and security of our information could not be assumed either. (Verizon Business, 2009, p.2). In 2008 there appears to be a link between the turn of the recession and an increase in reported data leakages. Research conducted by Verizon Business (2009) showed that the number of reported compromised records was more than the previous four years combined, as shown below in Figure 1.1.

Figure 1.1 Number of records compromised per year in breaches investigated by Verizon Business (2009)

Within this study (Verizon Business, 2009) it was found that the industries with the highest number of data leakages were retail (31%) and financial services (30%).

As employees exit, so does corporate data (Ponemon Institute, 2009, p.1). A survey conducted (Ponemon Institute, 2009) showed 59% of employees who left a business (including voluntarily and those asked to leave) take data. It is difficult to measure the entire impact of a data leakage. Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown. (GAO, 2007, p.1.) The financial impact on a business per breach according to the Ponemon Institute (2006) is on average $4.8 million.
Breaches can not only be financially costly to a business but also extremely damaging to a company's reputation; this study (Ponemon Institute, 2006) showed that 60% of customers terminated or considered terminating contracts after a security breach. According to Verizon Business (2009), in 2008 91% of all compromised records were linked to organised criminal groups. Examples of confidential data that criminal groups may wish to obtain are a company's financial information, customers' sensitive data and credit card details. There are many ways in which data leakage can occur, some of which will be discussed in the following chapter of this report.

1.2 Data Leakage in the Media

The media is one of the most influential ways of communicating issues globally. Data leakage appears to be increasingly popular in the media as the reported breaches increase. The ICO stated that there were 434 organisations that reported data security breaches in 2009; the previous year had 277 reported (Unacceptable Level of Data Loss, 2009). This evidence supports the theory of there being an increase in breaches during the recession, but what must be taken into account is that there is an increase in the reported cases. It may be that more businesses are becoming aware of data leakages where previously they were oblivious to breaches committed or did not disclose the known leakages.

Covered in the media, a Nationwide employee's laptop was stolen from their home containing confidential customer data (FSA, 2007). 11 million Nationwide customers were said to be at risk of identity crime at the time. The FSA (Financial Services Authority) were alerted by the breach and it was found that the Nationwide did not start an investigation until 3 weeks after the theft took place.
The firm were fined £980,000 by the city watchdog for the security violation.

Another example in the media (Previous Cases of Missing Data, 2009) is the Ministry of Defence data security breaches. The Ministry of Defence admitted to losing or having stolen 121 memory sticks in a four year period. According to this press release (Previous Cases of Missing Data, 2009) Defence Secretary Des Browne said 747 laptops had been stolen; of those only 32 had been recovered.

1.3 Data Loss Prevention (DLP)

The protection of sensitive data, to avoid data breaches, should be a vital part of a business's day-to-day operations. Yet organisations rarely have adequate visibility or control of their data (Broom, cited in When financial data goes missing, 2008).

From the research conducted (Verizon Business, 2008), out of all the data leakages that occurred in the year 87% were preventable through simple or intermediate controls. This suggests that many businesses are not putting in adequate controls to prevent leakages. The Data Protection Act (DPA) is a framework to ensure that personal information is handled properly (ICO, The Basics, no date). One of the principles of the act is that it is the responsibility of the business to secure the sensitive data it holds. The DPA gives the right to prosecute and, unless exempt, all businesses have to abide by this act. The problem faced by many businesses is to manage the risk without affecting their productivity and to manage risk in a new and challenging environment (CFO Research Services and Crowe Chizek and Company LLC, 2008, p.2).

The important factors to consider when implementing a DLP plan are the alignment of process, technology and people as a unit: developing a robust security policy and ensuring that all employees fully understand their role and obligations (Broom, cited in When financial data goes missing, 2008).
Broom also stated that users need high-quality training and good communication regarding information security concerns.

Chapter 2 Types of Threats

Threats to the protection of data can be split into two broad categories: internal and external threats. Internal threats are from within the business itself and mainly centred on employees' actions. Attacks from outside of the business are known as external threats. Examples include hackers, organized crime groups and government entities (p.8, Verizon Business, 2009). According to Verizon Business (2008 or 2009) 20% of reported data breaches are caused by insiders whilst 39% of the breaches involved multiple parties, thus proving the importance of a combination of internal and external controls.

2.2 External Threats

According to Verizon Business, 2008 saw more targeted, cutting edge, complex, and clever cybercrime attacks than seen in previous years (p5, 2009). The fact that attacks appear to be increasingly sophisticated is a concern for many organisations, which need to ensure they have adequate control measures in place.

One of the most common external threats to data security is malware. According to Easttom (p6, Computer Security Fundamentals) malware is the generic term for software that has a malicious purpose. Malware can be used to steal confidential data from anything from a personal computer to a global network. A virus is a small program that replicates and hides itself in other programs, usually without your knowledge (Symantec, 2003, via Computer Security Fundamentals, p6). A Trojan Horse is a useful or apparently useful program containing hidden code that, when invoked, performs some unwanted function (p48, info sec, Pipkin). Trojans must spread through user interaction such as opening an e-mail attachment. The program looks legitimate and so users are tricked into executing it.
The Trojan can then potentially delete files, steal data and spread other malware. Trojans can also be created to generate back doors to give hackers access to the system. (http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html) An example of a dangerous Trojan is the Dmsys Trojan. According to (http://www.2-spyware.com/trojans-remova) and (http://www.uninstallspyware.com/uninstallDmsysTrojan.html) it steals users' confidential information by infecting instant messengers. It uses a keystroke logging technique to steal passwords and private conversations. This information is stored in a log file and then sent to the hacker, thus allowing the malicious user to have access to potentially confidential information. There are various tools online that can remove this Trojan automatically, but if a user wanted to do it manually they would need to delete the files dmsysmail.eml and dat.log.

Manually Deleting Malware

Each program consists of files. Even spyware, a virus or a different parasite all have their own files (http://www.2-spyware.com/news/post203.html). To remove a parasite usually means to delete all its files. According to this website, it is not always this simple, as files being used by active applications can not be deleted and some of the malware's files may be set to invisible. Following this site's guidelines:

Open Windows Task Manager and select End Process. This only works if you know what processes should be running and which ones look suspicious. Once you have stopped the process it is now possible to try and delete the malicious files. Locate the folder you believe the program to be in (eg My Computer) and ensure all hidden and protected files are visible (Tools, Folder Options, View, Advanced Settings).

There may still be files that are invisible. Now type cmd into Run to access the Command Prompt. Within the Command Prompt enter dir /A folder_name.
All files within this folder will be listed, including all hidden files. To delete these files within the cmd, enter the command cd folder_name to locate the folder. Then enter del file_name to delete the file. Ensure the Recycle Bin is also emptied. http://www.2-spyware.com/news/post203.html gives the steps on how to manually remove malware.

Preventing Malware attacks

Since new viruses are introduced daily (p49, info sec, Pipkin) an up-to-date valid anti-virus software is needed to avoid data leakages via malware.

Vulnerability patching. Firewalls.

A combination of the mentioned attacks can be catastrophic to the security of data: hacking gets the criminal in the door, but malware gets him the data (p20, Verizon). It is important that a blend of the above security measures is put into place.

2.1 Internal Threats

Whether knowingly or unknowingly, innocently or maliciously, employees engage in behaviours that heighten the risk of data loss. (Cisco data leakage, find page)

According to a study conducted by Cisco (data leakage) 46% of employees admitted to transferring files between work and personal computers and approximately 1 in 4 admitted sharing sensitive information with friends, family, or even strangers. According to the Deputy Information Commissioner David Smith (http://news.bbc.co.uk/1/hi/uk_politics/8354655.stm) Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Dangerous numbers of personal data is still being needlessly stored on unencrypted laptops and USB sticks.

If they do not think about security, users can start to cause quite a few problems (p37, computer insecurity book).

bar chart 5 ponemon 2009 page 8. info kept after leaving chart 7 ponemon 2009 page 9

According to Ponemon (2009), only 11% of the respondents who took part in this research had permission from their supervisor to keep this information. in figure .
An alarming percentage of the above transfers may have been avoided with appropriate controls, which will be discussed later in this report. It can often be difficult to detect data leakages, such as an employee copying confidential data to a USB device. More often, the information is left just as it was so that the theft is not quickly discovered (p59, info sec, Pipkin). Using a Data Leakage Prevention tool can assist in monitoring and blocking users' risky actions to avoid leakages. In this report Digital Guardian by Verdasys will be used to demonstrate some examples of how a DLP tool can be used to assist in the battle of information security.

Chapter 3 Verdasys Digital Guardian Software

Introduction

Digital Guardian is a comprehensive and proven data security solution for protecting and tracking the flow of critical data anywhere in the world. (Verdasys, 2006) (http://www.daman.it/wp/dg/Digital_Guardian_DS.pdf) According to Verdasys (2006) Digital Guardian (DG) can help to prevent the loss of data by identifying hard to detect user actions. The tool can block unauthorized access, copying, printing, and other user actions. The DG platform consists of a central server and control console to communicate with remote agents deployed to desktops, laptops and servers where data needs protection. It is an agent-based (Endpoint) Data Loss Prevention (DLP) tool. These agents operate silently and report violations, and continue to operate even when a device is removed from the network. (Verdasys, 2006 http://www.daman.it/wp/dg/Digital_Guardian_DS.pdf). The DG server is accessed via a web-based interface to the Control Console.

Figure: DG Management/Control Console

The above figure is the web-based management console. This tool can be implemented on both Windows and Linux machines. For this project Windows machines have been used.

Capabilities

Digital Guardian can monitor or block various risky actions users are taking.
Whether it be users' abuse or unintended operations. There are many actions that the software can perform, some of which will be shown in the following. Rules can be created within the software and then applied to policies which are deployed to the machines chosen. These rules can generate warnings to the user and also e-mail alerts to administrators upon policy breach. Reports can be generated to allow for auditing and drilldown summaries of use of data and users' actions. Along with being able to completely block specific actions, DG can also ask for justification from a user, which is a form of Soft Blocking (DG, 2006). This type of DLP can also allow for a monitoring-only approach, which according to (http://www.networkcomputing.com/wireless/time-to-take-action-against-data-loss.php) can be more successful than a blocking solution. It can be used to assist in computer forensics investigations, whether it would be monitoring rules triggered by prohibited actions that breach corporate policy or more sinister illegal activity. According to (http://www.networkcomputing.com/wireless/time-to-take-action-against-data-loss.php) The beginning of the investigative process is to find out what was being sent, where, and by whom. Is it legitimate business reasons? Maliciously? They didn't know any better? Blocking may keep the data safe, but it won't answer those questions. (http://www.networkcomputing.com/wireless/time-to-take-action-against-data-loss.php)

There are functions within the tool that can block the removal of confidential data via clipboard actions (cut/paste/print screen). Add-on features such as mail/file encryption and content inspection by Autonomy (company name) (Verdasys 2006).

Figure () shows the capabilities of the software,

How the software works

Digital Guardian installs drivers that tie into the Operating System (O/S) at a very low level within the kernel.
When an application wants to save a file, it calls a function within the application that does this, and the O/S handles the task, right down to the kernel that does the hard work, without application writers having to know the details.

DG ties into that kernel, detects these events happening, extracts useful details (like the filename and size etc), and then sends the details on to the DG server. The advantage of this is that any application saving a file will have to get the O/S to do it, so tying in at that very low level ensures it works for virtually all applications.

both more

Installation

oh god try and remember Installation details of .. appendix. Windows Server, SQL Server, DG Server, DG Agents, hardware and software pre , key etc. detailed in the . Digital Guardian files.

Limitations - FIND some

Digital Guardian is mainly used for insider threats and doesn't lessen external threats by intruders or malicious attacks. It also does not address server and network vulnerabilities. (http://www.software.co.il/data-security/17-data-loss-prevention-shoppers-guide.html)

No functionality to actually block users downloading applications (CHECK THIS) and running them if not already blocked within action commission. The software has to be installed on the network to be able to block the use of it. check

No rule to be able to block all attachments sent via email. check

Scalability challenge of maintaining classifications of Windows shares/content (http://www.software.co.il/data-security/17-data-loss-prevention-shoppers-guide.html)

Chapter 4 Testing and execution

Figures (screenshots): Policy Exception USB; Encrypt Email Prompt; Encrypt berth Rule; Encrypted Email Password; Application Management; Application Management Exceptions; Block of Applications Prompt; Upload Via Webmail; Upload via Webmail Prompt

Block upload via webmail sites. This rule controls users' access, instead of completely blocking their access to certain sites.
Users can access the specified sites but can not upload to these sites, for example social networking sites like Facebook. The rule stops the sending of attachments via webmail. If the laptop is used from outside of the network these rules will still function.

NEED BETTER SCREEN SHOT THAN THIS. IS THERE A COMPONENT RULE FOR THIS?

Control of USB Devices

Block non-approved USB devices

Within DG it is possible to block all uploads to all USB devices, thus preventing all users from removing any data from the network. It is also possible to block uploads to USB devices with the exception of predefined USB devices. For example, if a business provides users with an encrypted USB device (such as Kingston.) a rule is created to say block all USB devices if the stated device is not listed in the associated component rule. The USB device is recognised by its Product ID and Vendor ID. These IDs can be discovered by using a simple tool such as .

Block non approved USBs

Above is the control rule called Block non approved USBs. This rule is set to block any File Copy/Move/SaveAs to a removable device that is not listed within the component control rule approved usb device.

Component rule for USB Approved

Within the approved usb device component rule are the Vendor ID and Product ID for the approved USB device(s).

USB Block Prompt

If the USB device inserted does not match the predefined approved removable device then the above prompt is triggered. This prompt is flexible and any message the administrator wishes to set will be displayed. Once Close is selected no data can then be transferred to the device. This way, if the USB device is lost or stolen it is encrypted, so it would be extremely difficult to view any sensitive contents on the device without knowing the password. This rule could be useful for businesses where employees have to travel regularly (eg Sales) and so data needs to be easily transportable.
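
The approved-device matching described above can be reproduced outside the DLP tool. The following is an added example, not Digital Guardian's own rule logic or code from the original post; the allowlist, the function names and every Vendor ID, Product ID and serial in it are constructed sample values.

```powershell
# Added example: decide whether a USB device is "approved" from its Vendor ID / Product ID.
# Every ID below is a constructed sample value, not a real approved device.

# Hypothetical allowlist, playing the role of the "approved usb device" component rule.
$ApprovedUsb = @(
    [pscustomobject]@{ VendorId = '1A2B'; ProductId = '0001'; Note = 'Company encrypted stick (constructed)' }
)

function ConvertFrom-UsbInstanceId {
    # Pulls VID, PID and serial out of a PnP instance ID such as USB\VID_1A2B&PID_0001\SERIAL.
    param([Parameter(Mandatory)][string]$InstanceId)
    if ($InstanceId -match '^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&[^\\]*)?(?:\\(.+))?$') {
        [pscustomobject]@{
            VendorId  = $Matches[1].ToUpperInvariant()
            ProductId = $Matches[2].ToUpperInvariant()
            Serial    = $Matches[3]
        }
    }
}

function Test-UsbApproved {
    param(
        [Parameter(Mandatory)][string]$InstanceId,
        [Parameter(Mandatory)][object[]]$Allowlist
    )
    $id = ConvertFrom-UsbInstanceId -InstanceId $InstanceId
    if (-not $id) { return $false }   # IDs that cannot be parsed are treated as not approved
    foreach ($entry in $Allowlist) {
        if ($entry.VendorId -eq $id.VendorId -and $entry.ProductId -eq $id.ProductId) {
            return $true
        }
    }
    return $false
}

# Constructed sample instance IDs covering the cases the rule has to separate.
$SampleDevices = @(
    'USB\VID_1A2B&PID_0001\AA00000000000001',   # approved model
    'usb\vid_1a2b&pid_0001\AA00000000000002',   # same model, lower-case ID
    'USB\VID_1A2B&PID_0002\BB00000000000001',   # same vendor, different product
    'USB\VID_9F9F&PID_0001\CC00000000000001',   # different vendor
    'USBSTOR\Disk&Ven_X&Prod_Y\0'               # no VID/PID in the ID: not approved
)

$SampleDevices | ForEach-Object {
    [pscustomobject]@{
        InstanceId = $_
        Approved   = (Test-UsbApproved -InstanceId $_ -Allowlist $ApprovedUsb)
    }
} | Format-Table -AutoSize

# On a live Windows machine the same check can be fed from the devices currently present:
#   Get-PnpDevice -PresentOnly | Where-Object InstanceId -like 'USB\VID_*' |
#       ForEach-Object { Test-UsbApproved -InstanceId $_.InstanceId -Allowlist $ApprovedUsb }
```

Vendor ID and Product ID identify a device model, not an individual stick, so every unit of an approved model passes this check; the parsed serial is returned so that it can be pinned as well where only issued units should be accepted.
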
Obviously this rule does not stop users from stealing the data but does assist with accidental loss. The software could still be used to monitor who/what/how much data is being transferred to these devices.

BETTER SCREEN SHOT

Content inspection rules. look into

TRY AND CRACK/BREAK THESE RULES.

Manually blocking USB within the registry

It is possible to manually block all USB devices via the registry. The following steps were taken from Microsoft's Support site (http://support.microsoft.com/kb/823732). Before manually editing the registry it is strongly recommended that a backup of the registry is made, as any errors made within the registry can cause severe problems. To enter the registry of the computer, from the Start menu click Run and enter regedit. Locate the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor. On the right hand side double click Start as highlighted in figure. Ensure hexadecimal is highlighted and enter 4 within Value data. This will now block all USB devices being used on this machine. When a device is plugged into the machine the device will not be recognised. To re-enable USB devices follow the same steps above but change the Value data back to the default value of 3.

Chapter 5 Analysis of results found by Digital Guardian.

Digital Guardian Technology

ANY IMPROVEMENTS FOR DG

Chapter 6 Critical analysis of other products

Having assessed an Endpoint (agent based) DLP tool, secondary research was conducted on a network DLP tool, Websense Data Security, for comparison. Figure below is a table of brief pros and cons for different DLP measures available, taken from informationweek.com.

Analyse table

Taken from (http://www.informationweek.com/1163/163ss_impactassessment690.jhtmljsessionid=WA0XH3S4GN0CTQE1GHPSKH4ATMY32JVN)

When DLP vendors are being honest, they'll readily admit they can't stop the serious and skilled insider from getting data out.
(http://www.networkcomputing.com/wireless/time-to-take-action-against-data-loss.php) Their real significance is in finding employees who are accidentally leaking data, those who don't know it's against policy or who are taking risky shortcuts to get their jobs done.

Websense Data Security is a network based DLP tool with off proxy. According to a review by (http://www.software.co.il/data-security/17-data-loss-prevention-shoppers-guide.html) it is typically used for monitoring email traffic and quarantining suspect messages. It requires placing an application-layer proxy next to an Exchange server or server agent. A network based DLP such as Websense avoids having to install an agent onto every machine, and instead involves installing network taps. As data passes through these it is checked, and events are collected that way.

According to (http://www.networkcomputing.com/wireless/time-to-take-action-against-data-loss.php) Network-based solutions have the potential to be more vulnerable to an insider threat. An insider can steal data out via the network, using encryption or steganography (where data is embedded within another data format).

Unlike DG, a network-based tool would not prevent a user plugging in a USB stick and copying files; it also would not log that this event had even occurred.

TYPE UP MORE COMPARISONS

Still, an even somewhat paranoid but unskilled insider can use a cell phone or digital camera to shoot documents on the screen. No form of DLP can protect against that. (http://www.networkcomputing.com/wireless/time-to-take-action-against-data-loss.php)

Installing a DLP tool is not the be all and end all protection against threats and, as emphasised earlier in this report, a combination of measures needs to be addressed.

Chapter 7 Conclusion and Future Work.

Highlight any deficiencies etc. Ethical: Tracking employees? ANY IMPROVEMENTS FOR DG. Many different aspects to consider. Link intro with conclusion. Verizon other factors p3 .
The best security technology in the world won't produce a good return on investment without the foundation of security processes, policies, and education. P8 Cisco data leakage.

If you have never experienced a security incident, does this mean that you are secure? Or does it just mean that, so far, you have been lucky? computer insecurity book

in short no one is immune. computer insecurity book

More..

Glossary

Bibliography

Online Sources

ICO. (2010), Press Release Data Breaches to Incur up to £500,000 penalty, Online. Available at: Accessed 31st January 2010.

(2009), Unacceptable Level of Data Loss, Online. Available at: Accessed 1st February 2010.

FSA. (2007), Final Notice to Nationwide Building Society, Online. Available at: Accessed 26th January 2010

(2009), Previous Cases of Missing Data. Online. Available at: Accessed 12th January 2010

Broom, A. (2008), When financial data goes missing. Online. Available at: Accessed 3rd February 2010

ICO. (date unknown), The Basics. Online. Available at: Accessed 2nd February 2010

Journals

GAO. (2007), What GAO Found, Report to Congressional Requesters

Verizon Business (2009), Data Breach Investigations Report

Ponemon Institute. (2009), As Employees Exit so does Corporate Data, Data Loss Risks During Downsizing

Ponemon Institute. (2006), 2006 Annual Study Cost of a Data Breach

CFO Research Services, Crowe Chizek and Company LLC. (2008), The Changing Landscape of Risk Management

Appendices
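
The manual USB registry change described earlier in this post (Start value 4 to block, 3 to restore) can be audited and applied with a script. This is an added example, not part of the original post or of Microsoft's article; the parameter names and the backup path are assumptions. UsbStor is the USB mass-storage driver service, so the setting concerns USB storage devices.

```powershell
# Added example: report, disable or re-enable the UsbStor 'Start' value.
# Run from an elevated PowerShell prompt. $Mode and $BackupPath are hypothetical names.
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('Report', 'Disable', 'Enable')]
    [string]$Mode = 'Report',
    [string]$BackupPath = "$env:TEMP\UsbStor-backup.reg"   # assumed backup location
)

$KeyPs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'   # PowerShell provider path
$KeyReg = 'HKLM\SYSTEM\CurrentControlSet\Services\UsbStor'    # same key, reg.exe syntax

# The two values the page uses: 3 is the default, 4 blocks the driver.
$StartMeaning = @{ 3 = 'enabled (default)'; 4 = 'blocked' }

function Get-UsbStorStart {
    # Reads the current Start value and labels it.
    $value = [int](Get-ItemProperty -Path $KeyPs -Name Start -ErrorAction Stop).Start
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Start    = $value
        State    = if ($StartMeaning.ContainsKey($value)) { $StartMeaning[$value] } else { 'other value' }
    }
}

if ($Mode -ne 'Report') {
    $target = if ($Mode -eq 'Disable') { 4 } else { 3 }
    if ($PSCmdlet.ShouldProcess($KeyPs, "Set Start to $target")) {
        # Back up the key before changing it, as recommended for any registry edit.
        & reg.exe export $KeyReg $BackupPath /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; no change was made.' }
        Set-ItemProperty -Path $KeyPs -Name Start -Value $target -Type DWord
    }
}

# Always finish by re-reading the value, so the output shows the state actually in effect.
Get-UsbStorStart
```

Saved as a script and run with -Mode Disable -WhatIf, it shows the intended change without making it; run with no arguments it only reports, which makes it usable as a periodic check that the value has not drifted back to 3.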
