Why Sending Files Outside Your Enterprise Needs Approval

Thursday, March 24, 2011

Eli Talmor


Why would sending a file outside your Enterprise need the approval of your supervisor? Because attackers can send files outside your Enterprise without any approval at all...

Recent news leaves little room for doubt: the so-called APT (Advanced Persistent Threat) may force a major change in the way Enterprises protect their sensitive data.

Why change? Because if an IT security leader such as RSA cannot protect the source code of its flagship product, SecurID, then change is needed.

Let's examine the existing technology of Data Loss Prevention (DLP). According to Gartner, RSA is one of the market leaders in the field of content-aware DLP, so it is reasonable to assume that DLP was deployed at RSA. This raises the question: why was DLP not able to withstand the APT attack?

The current perception of DLP is described in "To DLP or not to DLP - Data Leakage/Loss Prevention":

"The first and foremost thing is to answer the question: what problem space are we talking about when we talk about Data Leakage? The Data Leakage problem can be defined as any unauthorized access of data due to an improper implementation or inadequacy of a technology, process or policy."

The "unauthorized access" described above can be the result of malicious, intentional or inadvertent data leakage, or of a bad business/technology process, by an internal or external user.

Next, the second question to answer is: what part of the problem space defined above does the DLP product market solve?

In the above definition of data leakage, DLP solutions are designed to prevent unauthorized access to data due to inadequacy or improper implementation of a process or a policy, but not of a technology. They are not designed to address data leakage resulting from external attacks.

So it is not an information security data leakage issue that the DLP solution is trying to solve.

Hence DLP solutions help mitigate the following risks:

  • Identifying insecure business processes, for example the use of FTP for transporting PHI data.
  • Accidental data disclosure by employees, for example an employee sending an unencrypted email containing PHI data.
  • Intentional data leakage by employees, for example disgruntled employees stealing data, or an employee leaving the company with sensitive data.

DLP is not cheap... It requires considerable investment in classifying sensitive data. DLP is not transparent: it is intentionally visible to the end user in order to change user behaviour.

We do not have the details of the APT attack, so we cannot answer the question of how DLP was defeated. Perhaps one can pick up a few ideas from "Ten Technical Questions to Make Your DLP Vendor Squirm".

But if technology exists to defeat it, then we can be sure it will be used.

What do we know for sure? Enterprises need to communicate with the outside world. DLP can do a good job of content-screening email, but screening the content of files may be a bit too much for DLP, and this is the "sweet spot" exploited by APT.

So if you are sending a file outside your Enterprise, you may need the approval of your supervisor. The DLP task will then be to inspect whether this approval is valid.

Your vendor's job will be to convince you that an attacker will not be able to fake this approval. If both can be achieved, then attackers will not be able to send files outside your Enterprise.
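One way to make such an approval checkable by the egress gateway and hard to fake, as an added example that is not code from this post or from Sentry-com: the supervisor's approval is a MAC over the file's hash, the intended recipient, the approver and an expiry, computed with a key that only the approval service and the gateway hold. The key, function names and field names are assumptions for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed key for this example only. In a real deployment the approval
# service and the egress gateway would hold it in an HSM or secrets store;
# an attacker on an endpoint never sees it, so they cannot mint a valid tag.
APPROVAL_KEY = b"example-approval-key-do-not-use-in-production"


def file_digest(data: bytes) -> str:
    """SHA-256 of the file contents; the approval is bound to this value."""
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so issuer and verifier MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_approval(key, data, recipient, approver, ttl_seconds, now=None):
    """Supervisor side: bind file hash, recipient, approver and expiry under a MAC."""
    now = time.time() if now is None else now
    body = {
        "sha256": file_digest(data),
        "recipient": recipient,
        "approver": approver,
        "expires": int(now + ttl_seconds),
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def check_approval(key, approval, data, recipient, now=None):
    """Gateway side: returns 'allow' or a 'reject: ...' reason for the outbound file."""
    now = time.time() if now is None else now
    body = approval.get("body", {})
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # Verify the tag first; nothing in the body is trusted until it checks out.
    if not hmac.compare_digest(expected, str(approval.get("tag", ""))):
        return "reject: approval tag invalid"
    if body.get("expires", 0) < now:
        return "reject: approval expired"
    if body.get("recipient") != recipient:
        return "reject: recipient not approved"
    if body.get("sha256") != file_digest(data):
        return "reject: file does not match approved content"
    return "allow"
```

Because the tag covers the file hash and the recipient, an attacker who swaps in a different file, changes the destination, or edits the approval body cannot reuse a genuine approval; the only remaining questions for the vendor are key custody and how the supervisor's decision itself is authenticated.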

Cross-posted from http://www.sentry-com.net/blog/
