Troublesome Wandering Data

10 02 2012

It is your job to maintain the security of your company’s data. Perimeter security is in place with multiple layers of firewalls, Intrusion Prevention and detection. All files and databases are locked down with Access Control Lists and a full role based access control system. Auditing logs every access, update and deletion and you have staff review these logs on a regular basis. Secure remote access to systems is provided for those who need to work remotely.
So how do you handle the situation when your CFO copies the budget and GL to a thumb drive so he can work on it over the weekend for presentation at the full board meeting on Monday? According to the Open Security Foundation, 23% of all data losses are due to accidental disclosure by authorized users. [1] Facilitating this action opens the door to adding your organization to that statistic.
Every organization has sensitive data; information that is not meant for general public dissemination. It could be salary lists, client PII, marketing plans or any other strategic goals. This data needs to be maintained within your control, so that access to it is limited to authorized people and an environment where audit trails are maintained. The integrity and non-repudiation of the information must be maintained at all times.
Data leaks out from your sphere of influence in many ways. The more obvious can be anticipated: restricting emailed attachments, using software controls to block USB devices, segmenting networks and so on. It is, however, nearly impossible for a typical organization to completely secure its data from wandering out of its control. Hacking and other nefarious activities aside, keeping a grip on the data you are responsible for is difficult to impossible as long as there are people authorized to access it. If there is a need or desire to move data out of your control, a way can be found. If you block USB devices, they may burn a CD, or try email, or FTP, or web-based file sharing. If all else fails, your data can be printed, put in an envelope and mailed, or the printouts simply taken home.
So what can you do when a trusted, authorized user wants to add to your wandering data problem?
An acronym, DLP (Data Leak Prevention), has become mainstream for just this issue, and technologies have been developed to help prevent data from wandering away from authorized ‘endpoints’. Before you even begin to look at these technologies, you need to focus your attention on the source of the problem, at layer 8: people.
A strong policy needs to be developed to address this issue. People need to be trained on the policy and reminded of it on a regular basis. The policy should spell out the consequences of violation – up to termination and prosecution if deemed necessary.
Implementing a policy is a deterrent, but a politically charged deterrent. Getting back to the scenario of the CFO taking data home to prepare for the board of directors, this policy will probably have absolutely no impact – it’s going to be done, policy or no. The policy needs to have procedures attached which detail how to allow for, and manage, exceptions to the rule. Companies break their own rules all the time, especially in the name of innovation and productivity. The policy should anticipate that exceptions will be needed, and guidelines should be developed to frame each exception in a manageable and (hopefully) temporary way.

The risks that need to be addressed are twofold.
Loss and Disclosure
Mobile data storage devices, especially USB thumb drives, are lost all the time. We only have to go back a few days to find a security breach involving one of these devices. In this instance “data on 1,219 University of Miami patients was lost.” [2] According to a statement from UM, this data was wandering because “The Pathologist involved kept a copy of limited aspects of some patient information on the stolen drive to facilitate data analysis and review while away from the office.” [2]
If simple encryption were used on the drive or even just the data, the loss of this device would be insignificant. The wandering data would remain secure, undecipherable by whoever ended up with this device. Why was the disk or data not encrypted? UM does not say, just that they “will be examining further means to secure its data”. [3]
If encrypted, the loss of the data should not be of great concern, as the original data is safe and secure within the organization’s systems and network. The loss would be only whatever work was done since the data was copied, and that can most likely be recreated without significant effort.
Inadvertent disclosure is the most troublesome scenario. This is a significant source of credit card number and identity theft.
Re-integration and non-repudiation
If the wandering data is modified, the new data needs to be reintegrated with the original ‘source’ that is secure and trusted. All changes should be verified for accuracy and authenticity. Additional reintegration challenges arise if the source could not be locked while the copy was out, so that the original was modified (in an authorized way) at the same time as the wandering copy; the two sets of changes then have to be reconciled rather than simply copied back.

Data loss is one of the most significant threats facing companies today. In addition to the embarrassment of admitting a loss, business and customers can be lost, competitive advantage damaged, and other consequences follow. There are many technical solutions which will prevent data from wandering away by different means, but this issue must be addressed first with people and policy. Moving data from the secure, controlled environment should be strongly discouraged, but if it does become necessary, at a minimum policy should require it to be encrypted and audited on company-owned and tracked devices. NIST (the National Institute of Standards and Technology) has published a guide titled ‘Guide to Storage Encryption Technologies for End User Devices’ [4] which is an excellent starting point for developing policy and reviewing technology options.
To make your CFO and board happy, wipe a USB drive clean and apply whole-disk encryption with a strong key and passphrase known only to yourself and the CFO. Lock the files/database against change, then copy and verify them on the USB disk. Write down the inventory of data on the media and have the CFO sign off on the policy before handing it over. There needs to be a clear understanding of the importance of maintaining control of the data and of the consequences of disclosure. He should work only from the encrypted device, not copying the data locally, and it should be returned for re-integration as soon as possible.
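The two steps above that are easy to skip are “copy and verify” and “write down the inventory”, and the re-integration section earlier asks that every change coming back be verified for accuracy and authenticity. The script below is an added example (not from the original post, and not any vendor’s DLP product) showing how an inventory can do both jobs: at hand-over it records a SHA-256 for every file placed on the media and seals the list with an HMAC so the inventory itself cannot be quietly edited; on return it compares both the trusted source and the returned copy against that inventory, so you can see what the CFO changed, whether anyone touched the source while the copy was out, and where the two collide. The directories, file names, contents and key are all constructed for the demonstration.

```python
"""Inventory manifest for data copied to removable media (added example, not the post's own code)."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large budget/GL exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def seal_manifest(manifest: dict, key: bytes) -> bytes:
    """Serialize the inventory and append an HMAC-SHA256 tag computed with a key the CFO does not hold."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}, sort_keys=True).encode()


def manifest_is_intact(sealed: bytes, key: bytes) -> bool:
    """True only if the stored tag matches a fresh HMAC over the stored inventory."""
    doc = json.loads(sealed)
    body = json.dumps(doc["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, doc["hmac"])


def open_manifest(sealed: bytes, key: bytes) -> dict:
    """Return the inventory, refusing one whose tag does not verify (altered list or wrong key)."""
    if not manifest_is_intact(sealed, key):
        raise ValueError("manifest HMAC mismatch: inventory altered or wrong key")
    return json.loads(sealed)["manifest"]


def diff_against_manifest(manifest: dict, root: Path) -> dict:
    """Classify every path as modified, missing or added relative to the inventory taken at hand-over."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def reintegration_report(manifest: dict, source_root: Path, returned_root: Path) -> dict:
    """Three-way view: what changed in the trusted source, what changed on the media, and where both changed."""
    source = diff_against_manifest(manifest, source_root)
    returned = diff_against_manifest(manifest, returned_root)
    conflicts = sorted(set(source["modified"]) & set(returned["modified"]))
    return {"source": source, "returned": returned, "conflicts": conflicts}


def demo() -> dict:
    """Constructed scenario: 'source' and 'usb' are temporary directories standing in for the real ones."""
    with tempfile.TemporaryDirectory() as tmp:
        source, usb = Path(tmp) / "source", Path(tmp) / "usb"
        source.mkdir()
        usb.mkdir()
        (source / "budget.csv").write_text("dept,amount\nIT,100\n")   # constructed sample data
        (source / "gl.csv").write_text("account,balance\n1000,50\n")   # constructed sample data

        # Hand-over: copy to the media, confirm the copy matches, seal the inventory.
        for item in source.iterdir():
            (usb / item.name).write_bytes(item.read_bytes())
        if build_manifest(usb) != build_manifest(source):
            raise RuntimeError("copy verification failed")
        key = b"constructed-manifest-key"  # in practice: kept by the security team, never on the media
        sealed = seal_manifest(build_manifest(usb), key)

        # Over the weekend: the CFO edits both files on the media and adds notes;
        # meanwhile someone with authorization posts a journal entry to the GL in the source.
        (usb / "budget.csv").write_text("dept,amount\nIT,120\n")
        (usb / "gl.csv").write_text("account,balance\n1000,60\n")
        (usb / "notes.txt").write_text("board talking points")
        (source / "gl.csv").write_text("account,balance\n1000,75\n")

        # Return: verify the inventory, then report what has to be reconciled.
        return reintegration_report(open_manifest(sealed, key), source, usb)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the demo the report shows budget.csv and gl.csv modified on the media, notes.txt added, gl.csv modified in the source, and gl.csv listed as a conflict: the one file that cannot simply be copied back and needs a human to reconcile the two edits. The HMAC over the inventory only proves the list was not altered by someone without the key; it is not a digital signature, so if you need non-repudiation of who signed off on the inventory, sign the sealed document with a key tied to that person instead.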


[1] Open Security Foundation, Incidents by Vector – All Time, 9 February, 2012
[2] Miami Herald, 30 January, 2012, UM Patient Data Stolen
[3] University of Miami Health System, Stolen USB Hard Drive: Pathology
[4] NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices
