Data Loss and Data Theft
Data theft, when data is deliberately stolen rather than simply lost, is harder to prevent than data loss.
But statistic after statistic shows that data theft incidents are far more common than is reported, often because people don’t know that a theft has occurred. The article, “We know what is lost, but what is stolen”, covers much of this subject.
Data theft is also far more of a threat than data loss, as it is clearly malicious, and statistics support this intuitive view: data that is stolen is 12 times more likely to be used in a fraud than data that is simply lost.
Know your Enemy
Before you try to prevent data theft you must first identify the people who will try to take the data. Broadly, the perpetrators of data theft fall into three categories.
- Internal employees
- External hackers
- Contractors – who move in and out of the company.
Interestingly, the latter are hardly ever reported (which may show that they are more honest than the average employee, don’t know how to steal the data, or just don’t get caught). Either way, from a network perspective contractors can be treated as either internal or external. Equally, internal employees could use their knowledge of the network to attack the system externally.
For these reasons it is best to view data security from two different perspectives: internal network security and external network security.
Internal Network Attacks:
The malicious employee, or the rogue IT administrator, is the serious threat: they have access to those terrible quarterly reports, the embarrassing staff photos and, more importantly, the client lists. They do not have to defeat passwords or database security, or go through firewalls.
All of the data is available to them at the click of a button. The data can then be taken out of the network by a variety of methods: USB devices, email, printing, CD burning, etc.
Therefore, to secure the data internally, both access and the methods of data extraction need to be secured.
Many companies operate a relatively liberal policy on access, with the “accounts” folder open to the sales staff, and the “marketing” folder open to HR staff. Do not allow this. Data should be compartmentalized, and staff should only be able to access the data that they need for their job, and nothing more. Encryption should be used on file servers, and folders should be hidden from those who do not need to access them, to remove temptation. Passwords should be strong and changed regularly; fingerprint readers can be bought for about £20 and should be considered, as they can enforce incredibly strong passwords.
Users should not be able to share passwords, or to jump onto others’ keyboards. This can be prevented by the use of biometrics (you can’t easily share a finger), and desktops should lock after a few minutes of the user being absent. Fingerprint readers can be defeated, but the aim is to deter data theft internally, not to secure data on an international scale. If it is, this article is not for you!
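As an added illustration of the compartmentalisation rule above (example code written for this page, not from the original article), the script below takes a snapshot of which departments each shared folder is granted to, compares it with a need-to-know list, and reports both grants that have no job justification and needs that the current grants do not cover, so that tightening access does not break anyone’s work. The folder names, departments and mappings are constructed sample data; in practice the grants would come from the file server’s ACLs and the needs list from whoever owns each department.

```python
"""Least-privilege audit of file-share grants (added example, not from the article).

SHARE_GRANTS and ROLE_NEEDS are constructed sample data; a real audit would read the
grants from the file server's ACLs and the needs from each department's owner.
"""
from collections import defaultdict

# Constructed sample: which departments each shared folder is currently granted to.
SHARE_GRANTS = {
    "accounts":  {"finance", "sales"},          # sales should not be here
    "marketing": {"marketing", "hr"},           # nor should HR be here
    "clients":   {"sales", "finance", "it"},
    "hr":        {"hr"},
}

# Constructed sample: the folders each department needs for its job (need to know).
ROLE_NEEDS = {
    "finance":   {"accounts", "clients"},
    "sales":     {"clients"},
    "marketing": {"marketing", "clients"},      # marketing needs clients but is not granted it
    "hr":        {"hr"},
    "it":        set(),   # administrators administer; they should not browse client data
}


def excess_grants(grants, needs):
    """Return {folder: sorted departments} for every grant not justified by a job need."""
    excess = defaultdict(list)
    for folder, depts in grants.items():
        for dept in sorted(depts):
            if folder not in needs.get(dept, set()):
                excess[folder].append(dept)
    return dict(excess)


def missing_grants(grants, needs):
    """Return {department: sorted folders} a department needs but cannot currently reach."""
    missing = defaultdict(list)
    for dept, folders in needs.items():
        for folder in sorted(folders):
            if dept not in grants.get(folder, set()):
                missing[dept].append(folder)
    return dict(missing)


if __name__ == "__main__":
    for folder, depts in excess_grants(SHARE_GRANTS, ROLE_NEEDS).items():
        print(f"{folder}: remove access for {', '.join(depts)}")
    for dept, folders in missing_grants(SHARE_GRANTS, ROLE_NEEDS).items():
        print(f"{dept}: still needs {', '.join(folders)}")
```

Running it on the sample data lists sales on “accounts”, HR on “marketing” and IT on “clients” as grants to remove, and marketing’s missing “clients” access as the one thing to add. Re-running after each ACL change gives a quick way to confirm the shares have converged on the need-to-know list.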
Limiting access is just one of the steps to secure the data; preventing copying is the next. Each and every port needs to be secured.
USB access is possibly the most threatening of all the ports, as such a high volume of data can be taken so easily, so quickly, and so discreetly. Do users need to have access to USB ports? They can be turned off manually, or copying to USB drives can be blocked or controlled using software.
Who needs to burn a CD nowadays? If it is for a presentation or the like, this should be done on controlled/designated machines. Turn CD burners off on most of the machines in the office; there is no need for them.
Printing. This can be a risk. Printing off key documents and just walking out with them is hard to stop. But printer monitoring software exists, and should be used. You can limit huge volumes of documents being printed at certain times (though this may not be practical, depending on the business). Other options include:
- Securing the key documents so that they cannot be printed.
- Placing printers by CCTV cameras.
- Putting the printers in secured rooms where access is monitored.
If these options are explored and the users are told about the security measures, the probability of data theft through printing is greatly reduced, both through technology and through deterrence.
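To show the kind of monitoring the printing section describes (an added example, not from the article or any particular product), the following script parses constructed print-server log lines and raises two kinds of alert: large jobs submitted outside business hours, and users whose page count for a day exceeds a limit. The log format, the business hours and both thresholds are assumptions to adapt to your own print server’s export; a line the parser does not understand is skipped rather than allowed to stop the monitor.

```python
"""Print-volume monitoring over print-server log lines (added example, not from the article).

The log format, business hours and thresholds below are assumptions; the log itself is
constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log, one print job per line, plus one unrelated line to show skipping.
SAMPLE_LOG = """\
2024-03-04 09:15:02 user=asmith printer=MKT-PR1 pages=4 doc=brochure_draft.pdf
2024-03-04 12:40:11 user=jdoe printer=FIN-PR1 pages=35 doc=q3_report.docx
2024-03-04 18:42:10 user=jdoe printer=FIN-PR1 pages=240 doc=client_list.xlsx
2024-03-04 18:55:31 user=jdoe printer=FIN-PR1 pages=310 doc=client_contacts.xlsx
2024-03-05 07:05:44 user=bking printer=HR-PR2 pages=60 doc=payroll_march.xlsx
2024-03-05 07:10:00 spooler restarted
2024-03-05 10:20:00 user=asmith printer=MKT-PR1 pages=2 doc=memo.docx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"printer=(?P<printer>\S+) pages=(?P<pages>\d+) doc=(?P<doc>\S+)$"
)

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)   # assumed office hours
LARGE_JOB_PAGES = 100    # a single job this size outside hours is worth a look
DAILY_PAGE_LIMIT = 400   # per-user pages per calendar day


def parse_log(text):
    """Turn log lines into job dicts; lines that do not match the format are ignored."""
    jobs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        jobs.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": d["user"],
            "printer": d["printer"],
            "pages": int(d["pages"]),
            "doc": d["doc"],
        })
    return jobs


def out_of_hours_alerts(jobs):
    """Large jobs submitted outside business hours -> list of (user, doc, pages)."""
    alerts = []
    for j in jobs:
        t = j["ts"].time()
        outside = t < BUSINESS_START or t >= BUSINESS_END
        if outside and j["pages"] >= LARGE_JOB_PAGES:
            alerts.append((j["user"], j["doc"], j["pages"]))
    return alerts


def daily_volume_alerts(jobs):
    """Users over the daily page limit -> {(user, 'YYYY-MM-DD'): total_pages}."""
    totals = defaultdict(int)
    for j in jobs:
        totals[(j["user"], j["ts"].date().isoformat())] += j["pages"]
    return {key: pages for key, pages in totals.items() if pages > DAILY_PAGE_LIMIT}


if __name__ == "__main__":
    jobs = parse_log(SAMPLE_LOG)
    for user, doc, pages in out_of_hours_alerts(jobs):
        print(f"out of hours: {user} printed {pages} pages of {doc}")
    for (user, day), pages in daily_volume_alerts(jobs).items():
        print(f"volume: {user} printed {pages} pages on {day}")
```

On the sample log the two evening client-list jobs trigger the out-of-hours alert and the same user’s 585 pages on 4 March trigger the daily-volume alert, while the small early-morning payroll job is noted but not alerted. Telling staff that this monitoring exists is what turns it from detection into the deterrent the text describes.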
Data theft via email is a major risk, as it is so fast and apparently untraceable. Key documents can be emailed out, at a moment’s notice, to any email account desired.
However, these problems can be reduced dramatically. Firstly, internal email traffic is traceable, even when deleted, through backup tapes. Backup tapes should be used daily, weekly, and monthly, and the retention period for deleted items (on an Exchange server) should be longer than the tape rota. This way deleted emails can be recovered from tape, and users should be informed of this capability, which acts as a deterrent.
Personal email is harder to combat, e.g. a spreadsheet sent out via Hotmail is harder to monitor.
There are therefore a couple of options.
1) Prevent access to personal email. This is not a popular action, but it can be considered. Users could be given access to machines outside of the network which allow personal email access but cannot access the company data.
2) Monitor the network traffic, and tell the users (therefore providing a deterrent). Like blocking email, this is not popular, and rather oppressive. Also, monitoring the data is different from recording it. You can record it for free (e.g. Wireshark), but actually seeing what has been said, and when, is slightly harder. Software does exist for this purpose, but it is not cheap.
3) DLP – Data Loss Prevention tools. Data Loss Prevention tools can monitor email traffic for inappropriate content; inappropriate data can be defined by pointing the tools at the company’s databases and file storage. The tool then knows what the company data is and can block it leaving the company via Hotmail, Yahoo!, etc.
In fact these tools can block any port from copying company data, from USB to email, and they are incredibly granular. E.g. the CEO can copy data to a USB drive from 10am to 11am, but at no other time.
The DLP tools, while fantastic, are expensive, and start at around £50,000, so they are a major investment.
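To make the DLP description concrete (an added example written for this page, not any vendor’s product and not from the original article), the following script does in miniature what the text describes: it is “pointed at” a constructed client database, keeps only hashed fingerprints of each record value, scans outbound content for any fingerprinted phrase by hashing every word window of the content, and applies a granular allow-window policy such as the CEO-at-10am rule above. The record values, messages, users, channels and policy table are all constructed. Real products also fingerprint partial matches (shingles of large documents) and open attachments; this toy matches whole record values only.

```python
"""Miniature DLP check: fingerprint company records, then allow or block an outbound
transfer depending on whether it carries fingerprinted data and whether a granular
policy window permits it. Added example, not from the article; all data is constructed.
"""
import hashlib
from datetime import datetime, time

# Constructed sample of the company's client database (what the tool is "pointed at").
CLIENT_DB = [
    {"name": "Acme Widgets Ltd", "contact": "j.bloggs@acme.example", "phone": "020 7946 0001"},
    {"name": "Globex PLC", "contact": "h.scott@globex.example", "phone": "020 7946 0002"},
]

PUNCT = ".,;:!?()[]\"'"


def tokens(text):
    """Lower-case words with surrounding punctuation removed, so 'Ltd,' matches 'ltd'."""
    return [w for w in (t.strip(PUNCT) for t in text.lower().split()) if w]


def fingerprint(words):
    """Hash of a normalised phrase; the fingerprint store never holds the plaintext."""
    return hashlib.sha256(" ".join(words).encode()).hexdigest()


class Fingerprints:
    """Hashed fingerprints of every field value in the records the tool was pointed at."""

    def __init__(self, records):
        self.hashes = set()
        self.max_words = 1
        for rec in records:
            for value in rec.values():
                words = tokens(value)
                self.hashes.add(fingerprint(words))
                self.max_words = max(self.max_words, len(words))

    def matches(self, text):
        """Sorted distinct fingerprinted phrases present in text, found by hashing every
        1..max_words word window of the text and looking it up in the store."""
        words = tokens(text)
        found = set()
        for n in range(1, self.max_words + 1):
            for i in range(len(words) - n + 1):
                window = words[i:i + n]
                if fingerprint(window) in self.hashes:
                    found.add(" ".join(window))
        return sorted(found)


# Constructed policy: (user, channel) -> time windows in which copying company data is allowed.
# Anything not listed is blocked whenever company data is detected.
POLICY = {
    ("ceo", "usb"): [(time(10, 0), time(11, 0))],
}


def window_allows(user, channel, when):
    return any(start <= when.time() < end for start, end in POLICY.get((user, channel), []))


def evaluate(store, user, channel, when, content):
    """Return ('allow' | 'block', matched phrases). `when` may be a datetime or an
    ISO 8601 string. Content carrying no company data always passes."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    hits = store.matches(content)
    if not hits:
        return ("allow", [])
    return ("allow", hits) if window_allows(user, channel, when) else ("block", hits)


if __name__ == "__main__":
    store = Fingerprints(CLIENT_DB)
    msg = "Hi, attached is the list: Acme Widgets Ltd, j.bloggs@acme.example and 020 7946 0001."
    print(evaluate(store, "jdoe", "email", "2024-03-04T10:30:00", msg))   # block
    print(evaluate(store, "ceo", "usb", "2024-03-04T10:30:00", msg))      # allow (inside window)
    print(evaluate(store, "ceo", "usb", "2024-03-04T14:00:00", msg))      # block (outside window)
```

Storing hashes rather than the values themselves matters: a DLP tool that is pointed at every database in the company would otherwise be one more copy of the crown jewels to protect. The policy table is where the granularity lives; adding a `("finance", "email")` entry with office-hours windows, for instance, would let finance mail client data to a partner during the day but not at midnight.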
External Network Attacks:
Those attacking systems from the outside have a much harder route to go, though it does still happen; it can be made harder still.
This area requires a network specialist, and will be covered later on, but the basics are below:
Ensure there is a firewall and NAT (network address translation); this will separate the important data from the outside world. Believe it or not, this statement still needs to be made. File servers should not be internet facing!
If you have a direct connection between the outside world and your internal network you are vulnerable, i.e. if one of your servers does not have an internal IP address (192.168.x.x) then that server should be considered the most likely way in.
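As an added example (not from the article) of the check in the previous paragraph: given an inventory of hosts, flag any whose address is not in a private range and whose role should not be internet facing. It goes slightly beyond the text’s 192.168.x.x by treating all three RFC 1918 ranges (10/8, 172.16/12 and 192.168/16) as internal; the inventory, its addresses (drawn from a documentation range) and the list of roles allowed outside are constructed.

```python
"""Flag inventory hosts that sit on a public address but should not be internet facing.
Added example, not from the article; INVENTORY and INTERNET_FACING_OK are constructed.
"""
import ipaddress

# The three RFC 1918 private ranges; the article's 192.168.x.x is the last of them.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory: (hostname, address, role). 203.0.113.0/24 is a documentation range.
INVENTORY = [
    ("files01", "192.168.10.5", "file server"),
    ("exch01",  "10.0.0.25",    "exchange"),
    ("web01",   "203.0.113.10", "web server"),
    ("sql01",   "203.0.113.11", "sql server"),
    ("dev03",   "172.31.4.9",   "workstation"),
]

# Roles the article says may live outside the network (the web server, ideally co-located).
INTERNET_FACING_OK = {"web server"}


def is_private(addr):
    """True if addr falls in any RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def exposed_hosts(inventory):
    """Hosts with a public address whose role should not be internet facing, i.e. the
    'most likely way in' the text warns about."""
    return [
        (host, addr, role)
        for host, addr, role in inventory
        if not is_private(addr) and role not in INTERNET_FACING_OK
    ]


if __name__ == "__main__":
    for host, addr, role in exposed_hosts(INVENTORY):
        print(f"{host} ({role}) has public address {addr}: put it behind NAT or outside the network")
```

On the sample inventory only `sql01` is reported: the web server is on a public address too, but that is where the text says it belongs. Feeding the script the address list from DNS or DHCP rather than a hand-written inventory is what catches the server somebody forgot about.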
The Tower of London does not leave “a window ajar” at night because people “probably won’t steal the crown jewels”.
Every weakness needs to be secured.
The most common flaws are VPN, Exchange/Email servers, SQL servers, rogue wireless networks, and web servers. These risks can be mitigated as follows:
The web server does not need to be in your network, though people still do this. Put it outside your network, ideally at a co-located site. This means that if/when the server is hacked it will not affect your network.
Exchange/Email servers. Email servers, by their very nature (unless you host externally), have to be connected to both the outside and the inside world, but a lot of security can be put on them. Here are some suggestions.
1) Use a virtual Exchange server; that way, even if it is compromised, you can simply load the old file instantly and start again.
2) Use a proxy, possibly both internal and external. E.g. build a Linux email server for the Exchange server to connect to, but only allow the Linux server to connect to one of the spam filtering companies, e.g. WebSense. This provides double security for the email server.
3) Patch the server(s) regularly. Ensure that the server is maintained on an almost daily basis.
4) Protect the server internally, ensure strong passwords are used, possibly biometrics, and encrypt whatever data you can.
5) Make sure the firewalls to the proxy server are effectively filtering email traffic.
6) Harden the email server as much as possible. Even though the server should be the last line of defence, behind multiple proxies and firewalls, that does not mean you should not protect it as well.
VPN is a must for many companies, but does everybody need to have it? Do you have the latest VPN software? Is it patched? Are the passwords secure? Do you limit access? If you have the best secured network you can build, but have VPN access for the CEO with a username of “ceoname” and a password of “password”, then it is reasonable to expect that it will be cracked.
Also, do you allow VPN from anywhere? Can people get VPN access from their home machines, where they download music, software and porn? This is not a good idea, because if their machine is insecure, then so is your VPN, and therefore so is the network.
For VPN access enforce strong passwords and user names, and consider using multiple authentication methods, e.g. tokens, user names, and passwords. Only allow the VPN connection to occur from company-secured machines – desktops or laptops. Once the user is in, force their web traffic through your office so that it is also secured, or consider forcing the staff to remote in, either to a desktop or to terminal services. This way their traffic is secured through the company.
Unless your company is running wireless networks, they should all be turned off. Every one of them, no exceptions, not even for the graphic designer with his Mac, or the marketing person with their wireless webcam. Turn them all off, every one. If you are using them, secure them as much as possible.
Does the SQL server really need to be internet facing? If so, does it also need to connect to your network, or can it be put with the web server? If it does need to be internet facing and connected to the internal network, harden it as much as possible (strong passwords, encryption, etc.) before it goes into production, then get a pen tester in to ensure it is secured properly. Consider using a virtual machine, so you can rebuild it if necessary.
Pen Testers: IT Security
Overall, get an IT professional in to secure your network, and then consider using an outside company to check the work. An external consultant will look for different things, and the cost of a pen test, versus the risk of losing data, will almost certainly make the exercise worthwhile.