by Perry Lynch
4:00 min read | Audio
Everything in systems security ultimately is about protecting data. CIS Control #13, deals with data protection in its most direct sense. The main issues are identifying sensitive data, preventing its unauthorized transfer, detecting any such transfers, and making improperly acquired data as difficult to use as possible.
Identifying critical data
The first step is to identify the data that needs protection. Organizations generally have their data spread over multiple systems with varying levels of security. However, you can successfully protect this data through the use of several tools and techniques: Access control, encryption, integrity protection, and data loss prevention can be used together to identify, restrict, and protect any sensitive or mission-critical data.
A data classification process should be undertaken. Once data is properly classified and labeled as regulated, sensitive, confidential, or public, those files and folders should then be migrated to properly identified folders on the SAN, and group policy should be applied to ensure that access is limited to authorized staff members.
Databases and files with sensitive data should be kept on machines which aren't exposed to outside connections. Access to them should also be restricted to authorized users on the internal network as well, in a manner that’s consistent with business requirements.
Once sensitive data is adequately secured, routine network hygiene needs to take place: Many users will maintain bad habits and keep unsecured copies of sensitive data because it's convenient. Administrators should routinely use appropriate tools to scan desktops and non-secured folders on the SAN for cleartext that looks like sensitive data and alert the appropriate data owners.
Protection by (and from) encryption
Laptops and mobile devices are easily stolen, so if they hold any sensitive information, the entire device needs encryption. Mobile Device Management tools can be used to secure sensitive corporate data for corporate and user-owned phones and smart devices, without impeding the end user’s personal use of the device. Full Disk Encryption should be deployed for all corporate laptops, using a centralized key management system. This will prevent unauthorized users from being able to access the device and any data should the laptop become lost or stolen.
Within the enterprise, encryption is often required in databases and other systems on the network. Many databases contain sensitive fields that require encryption or hashing, independently of the whether the disk is encrypted. Other systems may require the entire database be encrypted.
Methods of encryption need periodic review. Some algorithms that were once considered strong, such as SHA-1, are now deprecated because of their weaknesses. Any data encrypted using them needs migration to a better algorithm.
Encryption is valuable, but it's a problem when it isn't supposed to be happening. If outgoing encrypted traffic is originating from unauthorized desktops, it could be evidence of malware sneaking the data out. Network monitoring software can detect and flag the use of SSH and other secure protocols outside of expected contexts. If they don't have a legitimate purpose, administrators need to track down their source and remove any malware responsible.
Encrypted exfiltration can also tunnel through harmless-looking packets, such as DNS requests. These are harder to detect, but application-level monitoring software can often identify them by characteristics like abnormally long data fields.
Monitoring data movement
Network monitoring can generally recognize dubious packets. These packets could be included in otherwise legitimate traffic, such as an email that carries sensitive information in cleartext. It could indicate malware is at work, but it might also indicate that users are making otherwise legitimate transfers in an insecure way.
This falls into the area of data loss prevention (DLP). Software systems for DLP take a variety of approaches for recognizing abnormal traffic. Most rely on pattern detection, so human verification is generally necessary. Other systems rely on fingerprinting previously-identified data and will operate effectively with a lower level of human intervention. In either case, the software needs to be configured so that the number of false positives is reasonably low and, all alerts will get the attention they need.
Known hostile IP addresses should be blocked and monitored, as attempts to reach them could indicate that malware is trying to send out sensitive data; other destinations could be attempted if the first one is unreachable.
Transferring data within the network is sometimes a concern. Copying sensitive information to mobile phones or portable storage devices increases the risk. It may be a good idea to configure machines to prevent those transfers.
A large part of data protection is simply knowing where the information is and where it's going. Keeping track of all sensitive data storage and limiting its movement are essential practices, and accomplishing that requires safe network configurations, monitoring of traffic, encryption of data, and prompt action when problems arise. Protection needs to be multi-layered, especially when leaks would cause serious harm.