Secure Denmark Data Loss Prevention - PowerPoint PPT Presentation

Slides: 20
Provided by: paulk95

Transcript and Presenter's Notes


1
Secure Denmark Data Loss Prevention
  • October 9, 2007

2
Quote
Cyber War: "It comes in on little cat feet, and
it's hardly noticed."
John Arquilla, cyber security expert

3
Problem Sets
  • We face two broad problem sets with the
    information infrastructure
  • Information Protection
      • Confidentiality
      • Integrity
  • Network Availability
      • Assured access

Today: Focus on Information Protection. A
Government and Private Sector Perspective

4
Data Loss is Real and Costing Billions
  • Key statistics
      • 45% of employees take data with them when they
        leave jobs
      • 90% of data loss occurs electronically
      • 40 billion lost annually due to data loss or
        theft

5
Data at Risk
  • Intellectual Property
      • Design Documents, such as CAD models
      • Source Code
      • Pricing
  • Corporate data
      • Financial data
      • M&A materials
      • Contract negotiation information
      • HR data
  • Customer data
      • Social security numbers
      • Credit card numbers
  • Government data
      • Economic data
      • Defense capabilities and planning
      • Intelligence information
      • Law Enforcement Information

6
Case Study
  • Moonlight Maze
      • Effort beginning in 1998 to review and exfiltrate
        files from USG computers, believed to have
        originated from a mainframe computer in the
        former Soviet Union
  • Characteristics
      • Targeted Non-classified Internet Protocol Router
        Network (NIPRNET)
      • Systematic review of tens of thousands of files
      • Targeting maps, troop configurations, military
        designs

7
Case Study
  • Titan Rain
      • Series of attacks beginning in 2003 exfiltrating
        information from USG facilities and contractors
  • Characteristics
      • Well organized, methodical
      • Fast
      • Executed in off hours
      • Erase footprints
      • Electronic dead drops

8
Case Study
  • Los Alamos National Lab
      • 2006 - Classified Restricted Data on weapons
        testing transferred to USB flash drives by an
        employee. Flash drives and printed materials
        discovered in a trailer during a drug raid.
      • Note: At the time of incident - flash drives were
        banned
      • 2004 - two hard drives declared missing.
        Investigation determined that hard drives never
        existed.

9
Case Study
  • TJX
      • Over 45 million credit and debit cards were
        stolen over an 18-month period beginning in 2005
  • Characteristics
      • Access likely gained through Wi-Fi monitoring via
        a telescope antenna outside of a Marshalls store
      • Data collected helped lead to hack of central
        database and installation of malicious software
      • Attackers took advantage of TJX's poor
        organization
      • Poor policy coordination and implementation

10
Opportunities for Mischief
  • VOIP
      • Most Wall Street firms now deploy VOIP phones
      • All conversations can be captured, stored, and
        exfiltrated
      • Particular extensions can be targeted and
        searched for key words
  • Portable storage devices
      • iPods and Zunes
      • Everyday devices become security threats

11
Publicized Incidents
Etiolated.org
12
Data Loss Not a New Problem
  • Cyber theft, cyber spying, cyber espionage
  • Not new problems, just getting more attention
  • Attacks are increasingly sophisticated, involving
    insiders and outsiders
  • Attacks facilitated by technology, including IM,
    use of mobile communications devices, and thumb
    drives
  • The risk
      • 1400 messages contain confidential information
      • 150 files wrongly exposed
      • 110 laptops are stolen
      • 12 USBs contain confidential information

13
Threat Spectrum
  • Nation States
  • Terrorist Organizations
  • Criminal Organizations
  • Free radical hackers or hacktivists
  • Insiders/Contractors
  • Former employees

14
DLP
  • Data Loss Prevention
  • Several solutions are available, but first a
    company must answer several primary questions
      • What information are you trying to protect?
      • Where is this information located?
      • What is the right mix of technology and policy
        to address data loss?
      • How does addressing data loss fit into your
        overall business risk framework and information
        security program?
      • What government regulations do you need to
        navigate?
      • What standards should you adopt?

15
Addressing Data Loss
  • Comprehensive Program Elements
      • Classify and tag critical information based on
        risk to business
      • Establish policies to protect information based
        on classification
      • Implement a rigorous awareness and training
        program
      • Establish enclaves for sensitive data
      • Adopt technologies to secure and monitor data
          • In motion - e-mail, IM, Web, HTTP, FTP, P2P
          • At rest - file systems, desktops, groupware,
            databases, archives
          • At the endpoint - USB devices, CD/DVD, data
            downloads, copy/paste, fax/print

16
Addressing Data Loss
  • Establish rapid response capability to
      • Investigate incidents
      • Terminate access
      • Push threat information
  • Integrate program with overall business risk and
    IT security program -- including regulatory
    compliance such as Sarbanes-Oxley
  • Adopt international standards -- 27001
  • Establish strong relationships with local and
    national law enforcement
  • Join organizations such as ISSA

17
Key Technologies
  • Encryption of data at rest and in transit
  • Authentication and access control
  • Data tagging and watermarking
  • Network monitoring
  • Data quarantine
  • End point monitoring
  • Policy compliance monitoring and enforcement
    utilities, including auditing

18
Government Activity
  • Government is beginning to focus on the problem
  • Revising procurement standards
  • Forming task forces to examine the problem
  • Considering legislation
  • You should anticipate additional regulations

19
Contact
Paul Kurtz, COO, Good Harbor Consulting
Paul_at_goodharbor.net
703-812-9199