Breaking Down The Critical Security Controls: CSC – 13: Data Protection
Data is the core of security. Data is what the criminals are after and what security professionals are trying to protect. A system with no data is not a very valuable target. A system with a database full of PII and company information is worth a lot to the highest bidder. Protecting that data is what control 13 is all about. Prior controls lay out the security practices surrounding the data, from procedures to network controls and detection mechanisms, but through all those layers you can still lose data.
Here’s what the control says –
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
Your data is everywhere, and therefore the solutions that help protect that data are in multiple places and use several methods. From the servers to individual devices, laptops and mobile, you need to put controls in place. Data can be lost through malicious means, but someone who has all the proper access can just as easily send out data they shouldn’t have by accident. You need to account for all the ways data can move in and out of your environment.
- Full Disk Encryption – This should be a mandatory component of your build. If and when a laptop is lost the hard drive is protected from being read outside the operating system.
- Data Loss Prevention Agents (DLP) – An additional component, usually tied to your anti-virus tool, watches all the data moving in and out of a laptop and can block data from leaving. For example it can look for social security, credit card or account numbers and block a spreadsheet from being emailed or copied to a location it shouldn’t be.
- Disable USB Ports – USB drives, thumb or hard drives, are inexpensive and have enough storage to copy your whole business’ data and walk away. Lock the ability to write to USB drives unless it goes through a very controlled approval process for a small subset of users, in combination with your DLP watching what is copied, of course.
- Security Information Event Manager (SIEM) – Leverage your SIEM to watch file copies and access to file locations.
- Network DLP – Put a DLP solution on the network, on or near your egress point, to watch all data flowing out. Device based DLP is good but doesn’t cover 100% of the devices in your environment. A network based DLP will get you close to 100%.
- Disable Attachments In Email, Use Secure Envelopes – Another solution is to not allow outbound emails to have attachments. Instead use a secure envelope. A Secure Envelope is generally a cloud based service where users will upload the files they need to send and the recipients will receive an email to go and download the file from the secure area. The service can have DLP, anti-virus and full access reporting. This will greatly diminish the ability to accidentally send out a spreadsheet full of account information and deter users from using it for reasons other than business purposes.
- Block web email, file sharing and online drives – In the business network only business communication methods are allowed. Anything else, block. Most people have personal devices with cell plans; they can use those for personal purposes.
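To make the DLP and data-centric policy ideas above concrete, here is an added example (not code from the original post or from any DLP product) of a minimal outbound content check: it scans a message for SSN-shaped values and Luhn-valid card numbers, then decides allow, allow-with-audit or block based on the recipient domain. The sample document, the regexes and the `INTERNAL_DOMAINS` set are constructed assumptions; real DLP engines use far richer classifiers.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of an outbound message (not real data).
SAMPLE_DOC = """Q3 account export
customer,ssn,card
J. Doe,123-45-6789,4111 1111 1111 1111
A. Roe,987-65-4320,1234 5678 9012 3456
note: internal ticket 4111-2222
"""

# Simplified SSN pattern: rejects area 000/666/9xx, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or hyphens; Luhn filters noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
INTERNAL_DOMAINS = {"example.com"}  # assumed: destinations allowed with audit


@dataclass
class Finding:
    kind: str
    value: str


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list[Finding]:
    """Return sensitive-data findings in the order they are detected."""
    findings = [Finding("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append(Finding("card", m.group()))
    return findings


def decide(text: str, recipient: str) -> tuple[str, list[Finding]]:
    """Policy on the data, not the account: sensitive content may only go internal."""
    findings = scan(text)
    if not findings:
        return "allow", findings
    domain = recipient.rsplit("@", 1)[-1].lower()
    return ("allow-audit" if domain in INTERNAL_DOMAINS else "block"), findings
```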
How It Could Be Exploited
I would say more data loss out of companies is caused by mistakes than by malicious intent. A laptop that was unencrypted left in a cab, an email sent to the wrong person with account information, a USB drive misplaced with PII. DLP and most of the controls will cover those actions very well. The deeper you get with network-based DLP and packet inspection solutions, the closer you can get to detecting the ‘authorized’ accounts dumping data out through other means. Most breaches happen with compromised legitimate accounts with all the right access that most tools ignore, because it’s legit. Getting the data out without being detected is the goal of any hacker or malicious agent that wants to get the data out.
The trick is to flip the mindset of the security and business to think about the data rather than the accounts. When you look at the data and put policies and rules around it then the accounts don’t matter. If Data A can’t move to Location Z, block it. If you have a legitimate purpose that’s blocked, deal with it. It’s better to block legit actions than accept them and be wrong.
Data is your gold, protect it and assume every single account that has access to it is a threat. Because they are, or could be.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.