Data Loss Incidents: preparation and response

Business operations usually depend on maintaining control over critical information. You may, however, lose control over that information (it may be lost, deleted, stolen, published, and so on), in which case you may need to respond to a security incident.

Even though you should be concerned about malicious hackers breaking through your defenses and stealing your data, in reality it is much more common to lose control over critical information through unintentional mistakes or negligence. The chance of forgetting or losing a smartphone or a flash drive, for example, is much higher than the chance of having such a device stolen, and the chance that a thief targets you specifically for the data on the device is smaller still.

Information sharing is yet another problem organizations face today. Social networks and easily accessible storage (hardware and cloud) make copying and sharing information a matter of seconds, usually following an emotional rather than a rational decision, and we all know people generally act on their emotions first (at least 80% of them).

Lack of proper security awareness training is often the reason employees share otherwise sensitive information with their friends or the public without realizing the potential consequences for the organization.

How to reduce the risks of losing control over confidential or sensitive information

Manage your network better.

You cannot have a secure network and protect critical information if that network is not managed well. What does that mean?

It means that at any moment in time you should know who owns the information, how it is protected, what risks exist to its security, and what to do if you no longer control its distribution.

Establish and enforce proper data management / protection policies

Enforcing well-written policies and procedures helps prevent unauthorized access, modification, destruction, and disclosure of data at rest, in use, or in transit. If a policy references a procedure that requires certain devices to be managed and protected in a certain way (backups, access, hardening, etc.), the policy and procedure are properly enforced only if the device is actually managed according to them. Just having policies and procedures means nothing if you don’t follow them.

Controls such as full-disk encryption or at least sensitive data encryption and proper password management should be in place for any and all devices, including smartphones, tablets, laptops and removable drives.

The only viable access control mechanism should be “need to know”.

You should implement controls such as application whitelisting to prevent unauthorized applications and code from accessing data in use. Data in transit should always be encrypted, whether outside or inside your perimeter firewall.

Egress data (outbound traffic) should be monitored for anomalies such as abnormal code, exploits, large data transfers, and unknown or unauthorized encryption or encoding.
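As an added illustration (not code from the original post or its author), the following Python detector runs over constructed outbound flow records and implements two of the egress checks described above: a host sending far more than the median volume of its peers, and a high-entropy payload (a sign of unknown encryption or encoding) going to a destination not on an approved list. The record format, host names, thresholds and approved destinations are all assumptions.

```python
import math
from statistics import median
from collections import defaultdict

# Constructed sample of outbound flow records (not real traffic):
# (source host, destination, bytes sent, payload sample as bytes).
FLOWS = [
    ("ws-01", "mail.example.com:443",  48_000, b"GET /inbox HTTP/1.1 host=mail"),
    ("ws-01", "mail.example.com:443",  52_000, b"POST /send HTTP/1.1 host=mail"),
    ("ws-02", "cdn.example.com:443",   61_000, b"GET /static/app.js HTTP/1.1"),
    ("ws-03", "203.0.113.7:8443", 950_000_000, bytes(range(256)) * 4),
    ("ws-04", "files.example.com:443", 70_000, b"PUT /report.pdf HTTP/1.1"),
]

# Destinations where encrypted (high-entropy) traffic is expected and approved
# (assumed allow-list for this example).
APPROVED_ENCRYPTED_DESTS = {
    "mail.example.com:443", "cdn.example.com:443", "files.example.com:443",
}

VOLUME_FACTOR = 10       # flag a host sending > 10x the median per-host volume
ENTROPY_THRESHOLD = 7.0  # bits/byte; plain text is ~4-5, encrypted/compressed ~7.5-8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_egress_anomalies(flows, approved_dests=APPROVED_ENCRYPTED_DESTS):
    """Return a (host, destination, reason) tuple for each flagged condition."""
    findings = []
    per_host = defaultdict(int)
    for host, _, nbytes, _ in flows:
        per_host[host] += nbytes
    baseline = median(per_host.values())  # peers' typical outbound volume
    for host, total in per_host.items():
        if total > VOLUME_FACTOR * baseline:
            findings.append((host, "*", f"large transfer: {total} bytes vs median {baseline:.0f}"))
    for host, dest, _, payload in flows:
        ent = shannon_entropy(payload)
        if ent > ENTROPY_THRESHOLD and dest not in approved_dests:
            findings.append((host, dest, f"high-entropy payload ({ent:.2f} bits/byte) to unapproved destination"))
    return findings
```

In the sample, only ws-03 is flagged, once for volume and once for sending a random-looking stream to an unapproved address; the same check run against an approved TLS destination produces nothing.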

DLP

DLP, or Data Loss Prevention, is an approach, not a software suite. Before choosing a software vendor for your DLP you should establish very good policies and procedures, taking into account Control 17 of the SANS 20 Critical Controls, which covers network-based, host-based and discovery-based DLP. It is surprising how many organizations purchase and “use” DLP systems without first educating themselves about what DLP is and how it works at a vendor-neutral level. The aforementioned SANS control should help with that.

When the sh*t hits the fan, or Incident Response

Handling data loss (specifically losing control over information) should be a solid part of your Incident Response policies and procedures. If you don’t have them, you can follow the guide below as an emergency resource.

  1. Inform the Information Owner, the Information Security Officer and the Incident Response Team of the incident, including as much information as possible.
  2. Isolate any devices involved in order to minimize damage and preserve evidence in case further investigation or law enforcement involvement is required. Do NOT REBOOT or otherwise modify evidence.
  3. Perform cyber forensic analysis of all devices involved. If the incident happened due to a weakness in software, training, or policies and procedures, improve them to prevent the same or similar incidents from happening again.
  4. If confidential information has propagated to places it should not be and those places are under your control, sanitize the data using pre-approved software and procedures. Restore all devices involved to a secure state, re-installing and performing additional hardening when needed.
About the Author

Alexander Sverdlov

Alexander Sverdlov is the founder of NoPasara, author of numerous Information Security papers and articles published in CIO and other InfoSec magazines, and speaker at the largest Russian INFOSEC conference, PHDays. Certifications: CEH (Certified Ethical Hacker), CHFI (Certified Hacking Forensic Investigator), MCSE (Microsoft Certified Systems Engineer).