Securing Sensitive Information: Protecting Your Network Against Information Leakage

Published: June 13, 2007

By Tony Bradley, CISSP-ISSAP, Microsoft MVP – Windows Security


Protecting Your Network

Securing the network is an ongoing process. There is a vast and evolving collection of threats seeking to exploit weaknesses and compromise your computer and network resources. Viruses and worms attempt to propagate through your e-mail and network shares. Phishing attacks attempt to lure your users into surrendering personal information like bank account or credit card information. Spyware programs with keystroke-logging capabilities capture user names, passwords, and other sensitive information. The list goes on.

Thankfully, most organizations have a sufficient handle on the majority of the threats. Firewalls segregate the internal network resources from many of the attacks circulating on the Internet. Spam-blocking devices and antivirus applications at the gateway help to identify and weed out many threats. Network-based intrusion prevention systems detect and block threats that get to the internal network. As a last line of defense, the endpoint computers typically run host-based antivirus software and personal firewalls to protect against any threats that might manage to get that far.

This is not to imply that all is well and there is no need for concern any longer. Again, security is a process, not a product. You can’t just buy the latest appliance and throw it on the network to be secure. Security is a game of leapfrog. Attackers will find new vectors to exploit and security vendors will develop new forms of protection. For the most part, though, there is ample protection available to sufficiently guard against the majority of threats.

The Not-So-New Enemy

One of the major areas of concern for many network and security administrators today is information leakage. It has always been there. Whether through corporate espionage, deliberate employee sabotage, or simple ignorance, it is always a serious matter when confidential, sensitive, or proprietary information leaves the network. Information leakage isn’t new; it is just getting attention now.

There are two primary reasons for the increased attention on information leakage. The first has to do with the state of information security when it comes to protecting against the external threats mentioned above. Viruses and worms spreading on the internal network, infecting systems, corrupting data, and sapping away network bandwidth are high-profile issues that demand immediate attention. They have an urgency based on the potential damage they can do, as well as the visibility they have to both users and management. Now that most organizations have a sufficient handle on those threats, attention can shift to quieter problems such as information leakage.

The second reason for the increased attention is the growing number of standards and laws mandating the protection of data. Legislation such as Sarbanes-Oxley, HIPAA, and GLBA, as well as industry standards such as PCI DSS and Basel II, all dictate some form of protection for sensitive or confidential information, particularly personally identifiable information (PII) such as social security numbers, driver’s license numbers, and account data. Whether it is employee data or customer data, companies have an obligation to protect the personal information they store on their network.

Monitoring and Protecting Classified Data

Classified information extends beyond just the PII data stored on a network. Corporate financial projections, information about upcoming products or marketing initiatives, source code for applications under development, and human resources data on employee compensation are some other examples of information that should only be seen by authorized individuals and should be kept on the internal network.

The first step in protecting this information is to restrict access using file and directory rights and permissions. Classified and sensitive data should be locked down so that only those who need access to it are able to access it. Furthermore, not everyone who needs access to the information requires full access. Some may only need permission to view a file; others may need the ability to modify or update the information. The permissions on the file should grant only the level of access necessary.

If the data leaves the network, whether by being downloaded to a laptop, copied onto a portable USB flash drive, or sent by e-mail to an external account, the information should be encrypted. Without all the various layers of security available on the internal network, the additional protection of encrypting the data can help to ensure that unauthorized individuals will not be able to access or view the information. After recent security compromises resulting from lost or stolen laptops, many organizations have adopted full-disk encryption tools to safeguard all of the data.

There are other tools available to help monitor classified information and protect it from both intentional and inadvertent leakage from the internal network. The existing tools come either as hardware appliances or software applications, and the list continues to grow as information protection gains more attention.

On the hardware side, there are appliances such as the Reconnex iGuard that will monitor for certain types of information like social security numbers and will log and track that activity. Other devices, like the Fidelis XPS (Extrusion Prevention System) and Websense Content Enforcer, actively identify and block such data from leaving the network.

As for software solutions, Tenable Security recently added the ability for the Nessus Vulnerability Scanner to seek out PII and other sensitive information that might be accessible or unprotected on the network. This functionality, available to customers that subscribe to the Nessus Direct Feed, allows an organization to conduct a scan to identify information that could be compromised and take steps to protect it.

Another software solution is Windows Rights Management Services (RMS). With RMS, organizations can assign very specific rights to data that will be enforced regardless of where the data goes. RMS can be used to control the ability of a user to even print or forward sensitive data. In addition, even if an employee has copied information to portable media and taken it off site, if his or her access to the data is removed via RMS, the employee will be unable to access the data any longer.

Defining Classified Information

One of the biggest struggles facing many organizations, before they can even begin to worry about how to protect classified information, is how to classify the information. With limited and finite resources, it is unreasonable to try to treat all information the same. Much of the data on the network is relatively benign and does not need additional protection. The trick is identifying that small percentage of the data that does, and implementing effective measures to protect it.

If your organization does not currently have a policy for information classification, the initial effort may be substantial. Depending on the number of files and the volume of data on your network, and how organized or structured the storage of that data is, performing an analysis to identify the classified or sensitive information can be daunting. In a case like this, using a tool like the Nessus Vulnerability Scanner might be a wise investment to more quickly identify the files containing sensitive information.

To efficiently secure confidential and sensitive information, your organization must have a clearly defined, written policy for information handling. A process should be defined to identify who assigns the initial classification as new data is created, who is responsible for maintaining the data, what the process is for changing the classification or declassifying information, etc.

Ideally, the responsibility for assigning classification should not rest with the IT department, at least not solely. It is a business decision to identify which information is sensitive to the business. Information that is confidential or secret to one manager may seem insignificant to another. The individual or department that owns the information and understands its importance should be involved in assigning its classification.

Regardless of how it is done, your organization must have an information handling policy and a method for assigning and maintaining data classification. Without that, the hardware and software tools will be much less effective—possibly even useless—at protecting the information and securing your network against information leakage.