Showing posts with label INFORMATION SECURITY.

Friday, June 5, 2015

Data Loss / Leak Prevention


Strictly speaking, data "loss" can be due to machine failure, power failure, data corruption, data or media theft and so on, and the means of protection are backups, disaster recovery strategies and redundancy.

Though the "L" in the acronym DLP can stand for either "Loss" or "Leak", as the industry understands it DLP is really about leaks: sensitive data crossing from an authorized area into an unauthorized one through any of a number of leak vectors.

DLP is more a concept or strategy with functional sub-components (e.g. email scanning, encryption of data at rest and so on). These components are used to enforce the strategy outlined by policy statements. Such policies can be
  • Acceptable use policy (AUP),
  • Data sharing on detachable/portable media policy,
  • Data classification policy, etc.
DLP is part of IRM (Information Risk Management). Data sanitisation, the use of test data instead of production data, and data masking are also part of a DLP strategy.

However, there are DLP tools which claim to handle all the functions of a DLP strategy, and some technologists therefore believe that DLP is implemented simply by deploying such a tool. This is grossly wrong. DLP is about strategy, awareness and training plus the technology. More often than not, data leaks happen because of poor employee discipline or awareness.

DLP addresses three areas
  • Data at rest, e.g. data in databases, data on a laptop drive or on USB storage
  • Data in transit, e.g. emails or web forum postings, uploads to the cloud, data on the network
  • Data in use, e.g. file copy or print operations
Output actions of a DLP tool:
  • Quarantine,
  • encrypt,
  • block,
  • notify

A DLP tool is deployed at endpoints, at email gateways and at network gateways (for URL filtering).
Sub-functions or processes of a DLP tool are:
  • Monitor,
  • Detect and
  • Prevent
DLP tools are good at monitoring structured data such as PII (Personally Identifiable Information) and PCI (Payment Card Industry) card data, because such data follows fixed formats that can be matched, but they are difficult to use for unstructured data such as free-text documents.

For data at rest, data discovery (discovery scanning) is used. Pattern matching or string comparison is used for structured data; hashing (fingerprinting of known sensitive documents) is generally used for unstructured data.
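The two detection techniques just named can be shown side by side. The following is an added example, not code from the original post: pattern matching for structured data (a payment card number, validated with the Luhn check so that order numbers and phone numbers of the same length do not trip the rule) and hash fingerprinting of normalised text for unstructured documents, feeding the block/quarantine/allow decision. The registered document and the outbound messages are constructed sample text.

```python
"""Added example, not part of the original post: the two detection techniques
named above, pattern matching for structured data (a payment card number
validated with the Luhn check) and hash fingerprinting for unstructured
documents, feeding the block/quarantine/notify decision. All sample text is
constructed for the example."""
import hashlib
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, as typed into email or forms
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """ISO/IEC 7812 check digit; rejects most random digit runs of the same length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return candidate card numbers that pass the Luhn check, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """Keep the first six and last four digits (the parts PCI DSS allows to be displayed)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def fingerprint(document):
    """SHA-256 of whitespace- and case-normalised text, so a re-pasted copy still matches."""
    normalised = " ".join(document.lower().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def decide(message, registered_fingerprints):
    """DLP verdict for one outbound message: (action, details)."""
    pans = find_pans(message)
    if pans:
        return "block", ["PAN " + mask(p) for p in pans]
    if fingerprint(message) in registered_fingerprints:
        return "quarantine", ["matches a registered sensitive document"]
    return "allow", []


if __name__ == "__main__":
    # Constructed sample: one registered document and three outbound messages
    registered = {fingerprint("Project Falcon budget: 4.2M USD, approved by the board")}
    samples = [
        "Customer card 4111 1111 1111 1111 exp 12/26 for the refund",
        "Order 1234567890123 shipped yesterday",
        "  PROJECT falcon   budget: 4.2m usd, approved by the BOARD ",
    ]
    for s in samples:
        print(decide(s, registered))
```

The Luhn step is what keeps the structured rule usable: a bare 13-to-19-digit regex alone fires on invoice and tracking numbers. Whole-document hashing, on the other hand, misses a document once a sentence is changed; real products fingerprint overlapping chunks for that reason, which is a refinement of the same idea.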

Before a DLP tool is deployed one should clearly define and identify the sensitive data that needs protection, and also all possible internal and external threats to it.

A checklist
  1. Policies and user awareness campaigns.
  2. Encryption for data at rest and in transit.
  3. File shares mapped with access rights.
  4. Consolidation of inventories.
  5. Control of external HDDs and USB storage devices (mobile and portable storage devices).
  6. Disabling of USB ports for USB storage devices.
  7. Disabling of all unwanted built-in DVD readers/writers.
  8. Air-gap maintenance for disconnected networks.
  9. Secure file deletion policies and procedures.
  10. Access controls on laptops and full disk encryption.
  11. Use of VLANs.
  12. Consolidation of file servers.
  13. Strict data classification policies.
  14. Data retention policies. Destruction of old and unwanted data files.
  15. Deploying an RMS/DRM/IRM solution.
  16. PKI-based email.
  17. Effective identity provisioning and management.
  18. Content and gateway screening.



Sunday, August 31, 2014

How Trustworthy are Mobile Apps or Applications ?



Have a look at the permissions being asked for by these Android apps. What do you make of these snapshots? Which app is more secure, not from the point of view of security for the app but security for the user who downloads and uses it? The one on the extreme left (first one) is likely to have more access to your device than the other two. The makers would argue that these permissions are required for the features and functionality of the app. The question here is who decides how much permission is required and who guarantees that these permissions will not be abused. The one at the extreme right-bottom is more trustworthy as it requires no special permissions. But how many of us really pay any attention to such details?

Unlike applications on a desktop, with mobile apps it is difficult to find out what they are really doing behind the scenes. The situation is compounded by the fact that mobile devices contain an enormous amount of personal, sensitive and financial data. The email apps are always online, and the device is connected to the internet in most cases. The passwords and other credentials are just there, begging to be stolen.

Personally I prefer to use the browser on my mobile to access the various web sites and web applications rather than download an app. Re-entering usernames and passwords every time you access a web application or website should not bother you if you are worried about the safety of your data and online identity.

Having written what I wanted to convey, I would like to clarify that I am not aware that the above-mentioned apps are untrustworthy in any way. I just picked them for an illustration.

Friday, June 20, 2014

ISO 27001 : 2013 Changes

The comparison below contrasts the 2005 edition with the 2013 edition, point by point.

1. Annex A controls
   2005: 133 controls
   2013: 114 controls, 11 of them new (listed after this comparison)

2. Annex A control objectives (domains)
   2005: 11 (A.5 to A.15)
   2013: 14 (A.5 to A.18)

3. Implementation sections (main clauses)
   2005: five sections: 4 ISMS, 5 Management responsibility, 6 Internal ISMS audits, 7 Management review of the ISMS, 8 ISMS improvement
   2013: seven sections: 4 Context of the organization, 5 Leadership, 6 Planning, 7 Support, 8 Operation, 9 Performance evaluation, 10 Improvement

4. Structure
   2005: non-standard format
   2013: Annex SL format (the common high-level structure for management system standards)

5. Process approach
   2005: explicitly process-based (clause 0.2 "Process approach")
   2013: no explicit process-approach clause

6. PDCA
   2005: structured around the PDCA (Deming) cycle
   2013: no emphasis on the PDCA cycle

7. Preventive action
   2005: separate requirement for "preventive action"
   2013: "preventive action" removed; risk-based planning (clause 6.1, actions to address risks and opportunities) takes its place

8. Documentation terms
   2005: requires "documents" and "records"
   2013: instead requires "documented information"

9. Risk management
   2005: asset-based risk assessment (identify assets, threats and vulnerabilities)
   2013: parts derived from ISO 31000:2009 Risk management; no particular assessment method prescribed

10. Control selection
   2005: "control objectives and controls from Annex A shall be selected and implemented"
   2013: produce a "Statement of Applicability (SoA)" that contains the necessary controls

11. Annexes
   2005: has Annex A, B and C
   2013: has Annex A only

12. Risk owner
   2005: uses the term "asset owner"
   2013: new important term "risk owner"

13. Internal audits
   2005: emphasis on a documented internal audit procedure
   2013: no documented procedure is mandated, but documented information must still be retained as evidence of the audit programme and the audit results (clause 9.2)

The 11 new controls in Annex A of ISO 27001:2013:
  • A.6.1.5 Information security in project management
  • A.12.6.2 Restrictions on software installation
  • A.14.2.1 Secure development policy
  • A.14.2.5 Secure system engineering principles
  • A.14.2.6 Secure development environment
  • A.14.2.8 System security testing
  • A.15.1.1 Information security policy for supplier relationships
  • A.15.1.3 Information and communication technology supply chain
  • A.16.1.4 Assessment of and decision on information security events
  • A.16.1.5 Response to information security incidents
  • A.17.2.1 Availability of information processing facilities


Monday, October 7, 2013

Next 5 Biggest Information Security Challenges

In my previous post I listed the biggest five challenges. The challenges listed in this post are the next five.

6. Formulating and enforcing data classification and data destruction policies

Data discipline in terms of classification and management, including labelling for archiving or disposal/destruction, is still quite casual among the end users who generate documents. Though most users understand such policies for hard copies or physical documents and implement them to a large extent, they fail to do so for digital data. Duplicate and uncontrolled versions of unstructured data (e.g. Word documents) lead to quite a few embarrassing situations.

7. Consolidation and leverage of user-initiated software systems

In a reasonably big, diverse and geographically widespread enterprise, local IT staff tend to design and use their own software tools. In such cases the overall organisational requirements are not the concern; day-to-day task completion is the goal. Consolidation and control of these tools from an ISMS point of view is often overlooked by central IT management, and local IT staff resist such attempts most of the time.

8. Disposal of old and decommissioned IT assets

Not much thought is given to old and decommissioned systems, and they become a sore point. This happens despite policies and regulations on the subject.

9. IT initiatives that depend on one individual

Continued dependence on the individuals who started and still run such initiatives will definitely lead to security issues in future. Processes should be evolved for managing these systems and, after giving due credit, such individuals should be moved off these projects.

10. IT asset ownership issues

This topic continues to be a thorn and requires resolution through regular education and awareness programs.

Saturday, September 28, 2013

5 Biggest Challenges in Information Security Management

Based on my past experience in implementing ISMS as an Information Security Manager, I would rate the following as the biggest five challenges.

1. Attitude or the prevailing culture:
The responsibility of implementing and ensuring security automatically qualifies one as "not so friendly" to computerisation and IT services. Top management (C-level) wants you to implement and drive the policies and strategies, but the general employees who are the end users of the various IT assets want minimum barriers and maximum convenience.

You end up sandwiched between the two parties, both hating you because you are not listening to them. It takes time and considerable effort to change attitude and culture for better cyber security health, although it is worth the effort. Surmounting such attitudes and changing the culture is the biggest challenge.

2. Technology as a solution:
Not every medical problem has a medicine. Even where medicines are available, they may not cure you completely, and you cannot rule out side effects, though advances are being made every day.

Similarly, technology alone is not a complete security solution. Just the other day we heard of Google being affected by simultaneous failures of redundant network paths.
The ultimate success and efficacy of any security program will always be due to people, procedures and processes in conjunction with technology.

Most management and end users still perceive technology and products as the magic bullet. Breaking this myth is the next biggest challenge.

3. Incorrect priorities:
CIA, which stands for Confidentiality, Integrity and Availability, is not clearly understood. Every functional organisation and every department needs to understand which of the three elements matters most to it. Giving equal priority to all three aspects may hamper work output and operations and would lead to unnecessary friction. Security professionals need to understand this and should advise accordingly.

4. Understaffing:
The next biggest challenge is understaffing. Though the situation in IT per se has improved to some extent, the situation in security remains grim. Senior management needs to appreciate this and provide sufficient staff to oversee information security.

5. Skill retention:
The last of the five challenges, in my opinion, is skill retention, or continuity of employment for the lower levels of information security staff who are actually responsible for translating policies and decisions into actions. Insufficient skill and understaffing not only widen the implementation gaps but also increase the stress level of the IT security staff.

Friday, August 17, 2012

Dangers of Geotagging and Location Aware Services

Every new and wonderful technology feature brings along its share of undesired effects bundled with the effervescent benefits. Geotagging is one such feature. To explain geotagging in simple terms, it is nothing but including geographical information (location data) as a tag within a file. These files can be of any type, but mostly picture files are geotagged.

Why has geotagging suddenly become so prominent?
Smartphones and cameras with a GPS (Global Positioning System) feature are the norm nowadays. By default the GPS location data is embedded into all the pictures taken by these devices. In addition you have location-aware applications and games and location-based social networking sites/platforms. Facebook uses "Update Status" for location updates. Foursquare is a game in which your location is an integral part of the gaming strategy. There is software available which can add location data to picture and other files if this was not done inherently.

What can be bad about geotagging and location data?
If you indiscriminately share geotagged pictures, SMS messages and other files, and update your current location in applications like Facebook, then you are revealing too much of your whereabouts to the public at large. You can become a victim of cyberstalking. Burglars can target your house when you tweet that you are away somewhere in the woods enjoying a Sunday picnic. In fact you are giving away information about your pattern of movements, place of residence and other such details for free, and putting yourself and your family at risk. Kids who share photos and tweet a lot on Twitter without giving a thought to the broadcast location information may end up as victims of serious crimes.

It is important that all of us are aware of the dangers of this feature and know how to adopt the countermeasures. The most important countermeasure is to avoid oversharing. The default configurations which automatically include location data or tags need to be disabled or changed. The specific tips are listed on the SECURITY TIPS page.
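The embedded location described above lives in the Exif APP1 segment of the JPEG, so it can be checked and removed on the file itself before sharing. The following is an added example, not code from the original post: it walks the JPEG marker segments, reads the GPS IFD out of the TIFF structure inside the Exif segment, converts the degree/minute/second rationals to decimal degrees, and strips the whole Exif segment. The JPEG it processes is constructed in memory (a header, one Exif segment and an end marker, no image scan data) so that the script runs offline; the coordinates in it are made up.

```python
"""Added example, not part of the original post: read the GPS position that a
camera embeds in a JPEG's Exif APP1 segment, and strip that segment before
sharing. The JPEG below is constructed in memory (no real photo, no scan
data), so the script runs offline; on a real file read the bytes from disk."""
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test data: SOI + APP1(Exif with a GPS IFD) + EOI, little-endian TIFF."""
    tiff = bytearray(b"II*\x00" + struct.pack("<I", 8))           # IFD0 at offset 8
    gps_off = 8 + 2 + 12 + 4                                       # IFD0 holds one 12-byte entry
    tiff += struct.pack("<H", 1)
    tiff += struct.pack("<HHII", 0x8825, 4, 1, gps_off)            # GPSInfoIFDPointer, type LONG
    tiff += struct.pack("<I", 0)                                   # no next IFD
    data_off = gps_off + 2 + 4 * 12 + 4                            # rationals follow the GPS IFD
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", 0x0001, 2, 2) + lat_ref.encode() + b"\0\0\0"   # GPSLatitudeRef
    tiff += struct.pack("<HHII", 0x0002, 5, 3, data_off)                       # GPSLatitude
    tiff += struct.pack("<HHI", 0x0003, 2, 2) + lon_ref.encode() + b"\0\0\0"   # GPSLongitudeRef
    tiff += struct.pack("<HHII", 0x0004, 5, 3, data_off + 24)                  # GPSLongitude
    tiff += struct.pack("<I", 0)
    for num, den in lat_dms + lon_dms:                             # 3 RATIONALs each: deg, min, sec
        tiff += struct.pack("<II", num, den)
    payload = b"Exif\x00\x00" + bytes(tiff)
    return SOI + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + EOI


def segments(jpeg):
    """Yield (position, marker, total_length) for each marker segment before the scan data."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):      # EOI or SOS: entropy-coded data follows, stop here
            return
        length = 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield pos, marker, length
        pos += length


def is_exif(jpeg, pos, marker):
    return marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00"


def strip_exif(jpeg):
    """Return a copy with every APP1 Exif segment removed; image data is untouched."""
    out, end = bytearray(SOI), 2
    for pos, marker, length in segments(jpeg):
        if not is_exif(jpeg, pos, marker):
            out += jpeg[pos:pos + length]
        end = pos + length
    return bytes(out + jpeg[end:])


def read_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if there is no GPS IFD."""
    tiff = None
    for pos, marker, length in segments(jpeg):
        if is_exif(jpeg, pos, marker):
            tiff = jpeg[pos + 10:pos + length]
            break
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"                          # byte order from TIFF header
    u16 = lambda o: struct.unpack(e + "H", tiff[o:o + 2])[0]
    u32 = lambda o: struct.unpack(e + "I", tiff[o:o + 4])[0]

    def ifd(off):                                                  # tag -> entry offset
        return {u16(off + 2 + i * 12): off + 2 + i * 12 for i in range(u16(off))}

    ifd0 = ifd(u32(4))
    if 0x8825 not in ifd0:
        return None
    gps = ifd(u32(ifd0[0x8825] + 8))                               # value field holds the GPS IFD offset
    if not all(tag in gps for tag in (1, 2, 3, 4)):
        return None

    def dms(entry):                                                # three RATIONALs -> decimal degrees
        off = u32(entry + 8)
        d, m, s = (u32(off + i * 8) / u32(off + i * 8 + 4) for i in range(3))
        return d + m / 60 + s / 3600

    lat, lon = dms(gps[2]), dms(gps[4])
    if chr(tiff[gps[1] + 8]) == "S":
        lat = -lat
    if chr(tiff[gps[3] + 8]) == "W":
        lon = -lon
    return round(lat, 6), round(lon, 6)


if __name__ == "__main__":
    photo = build_sample_jpeg([(12, 1), (58, 1), (12, 1)], "N", [(77, 1), (35, 1), (24, 1)], "E")
    print("embedded position:", read_gps(photo))
    print("after strip:", read_gps(strip_exif(photo)))
```

Stripping the APP1 segment removes the camera's other metadata too (model, serial number, timestamps), which is usually what you want before posting. Note that location can also be re-added by the sharing platform or by a location-tagging app, so the on-device setting that disables tagging still matters.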

Interesting links on the topic:
http://icanstalku.com
http://www.geotagsecurity.com


Monday, July 23, 2012

Information Security Quotes

It is usually very difficult to spread security awareness amongst normal users or the general public using technical jargon. As many others already know, I too have realised that simple sayings or quotes in plain language aptly convey the required message and come to your rescue. I have created a separate page to list such information security quotes. I will update and extend the list subsequently.

Wednesday, November 30, 2011

What is a "good and strong" password, and other questions.

1. What is a good password?

There is a vast difference between a "good and strong" password and a "complex" password. 'Ab%98@#k*t5z' is a very complex and strong password but is a bad password because it is very hard to remember. However, 'Blacck>Mang0s' is a strong as well as a good password because you can easily remember it. It is strong because it is of sufficient length and is a combination of lower case, upper case, special characters and numerals. A passphrase or a related string of characters like the one above would be good. The other requirement is that of sufficient length, 10 or more characters.


2. Can an antivirus product detect all malware in existence?

This is simply not possible technically, whatever the vendors may claim. However, some products may be better than others at any given time. The detection rate of even the best product may be no more than about 85%.


3. Which is the best antivirus?

For commercial software go by the existing market reputation. But be careful: a recently reported news item mentions an emerging antivirus product which planted malware and subsequently cleaned it up to generate a good scan report. If you are using freeware then check its reputation or popularity. Download it from a trusted source.


4. Is an antivirus still required if a firewall is used, and vice versa?

Both have a different but complementary function. You require both to safeguard your computer. If malware is able to get past your firewall then at least the antivirus would have a chance to detect it.


5. What if the AV has not detected the malware and someone is remotely controlling or using my computer?

If you are a normal user then nothing much can be done except to attempt to clean the offending software manually. The best option would be to go back to a previous checkpoint, or to reinstall the OS after you have taken a backup. Before such a step, take a chance with the free tools I have listed on the right side of this post. Experienced users can use the tools mentioned in my previous post.


6. Enabling all the browser security features has blocked my critical banking and email site?

There is no absolute '0' or '1' answer to this question. Depending on a user's requirements and web browsing habits, he may have to customise the settings slowly over a period of a few days. Disabling Java may have led to your bank account page being rendered useless. You need to figure this out and enable Java specifically for that site.

Tuesday, November 22, 2011

Android Smartphone Security

Android devices have become so ubiquitous that not acknowledging them would be a sin. These smartphones are nothing but mini computers, or rather the supercomputers of a previous era. It would be beneficial if users were aware of the security features available on these phones. I have listed some important security tips, in brief, on the Tips and Tricks page. They are also listed below. I hope they are of help to all.

1. Activate the lock screen ('Settings' > 'Location & security'). A pattern style is recommended.
2. Use a good data encryption app.
3. Do not store passwords as plain passwords in the phone.
4. Deactivate Bluetooth when not required.
5. Deactivate WiFi when not required.
6. Deactivate GPS when not required. Do not update your GPS location unnecessarily.
7. Turn off Bluetooth discovery mode when not required (Settings > Wireless and networks > Bluetooth settings > Discoverable).
8. Install only trusted apps.
9. Ensure that the browser does not store usernames and passwords.
10. Be careful when using WiFi hotspots.
11. Deactivate the geo-location feature.
12. Update (Settings > About phone > System updates) and upgrade wherever possible.
13. Use apps like 'Where's my Droid' to remotely locate the phone in case it is lost.
14. Back up and sync important data (Settings > Privacy > Back up my data).
15. Install a good antivirus app.
16. Customise the lock screen to display alternate contact information.
17. Consider using a 'Remote Wipe' app for contingencies.
18. You can use 'Famigo Sandbox' to provide a safe environment for kids on your phone.
19. Use a VPN (Settings > Wireless and networks > VPN settings).
20. Pay attention to the tell-tale signs of spam.



Thursday, November 10, 2011

More Free Security Tools for Adventurous Windows Users

In my previous post I listed some free and safe Windows tools to ensure the safety of your computer, your Internet surfing and information security in general. In this post I list some tools for people who are not averse to a slightly more advanced approach.

1. The first of these is the "msconfig" tool bundled with the Windows operating system. Just type msconfig in the Run box and a window opens. Take some time to familiarise yourself with it before making any changes.

msconfig.exe: Windows system configuration and administration tool

2. Netstat is another wonderful command line tool for network statistics. Use this tool to investigate network connections, listening services and the executables associated with running programs (netstat -ano shows the owning process ID for each connection; netstat -b, run as administrator, shows the executable itself) and much more.

Windows netstat command line tool for network statistics

3. Sysinternals tools. Check them out at live.sysinternals.com

4. 'nbtstat' in the command prompt
5. 'net' commands in the command prompt
6. Windows Task Manager
7. Use regedit.exe to explore. Warning: some familiarisation is required before you modify entries.
8. Use 'Windows Firewall with Advanced Security'. Run the command wf.msc to configure the firewall.
9. Additional resources can be found on the following links
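Item 2 above, tying a netstat line to the program that owns it, is easier to do in bulk than by reading the two listings side by side. The following is an added example, not code from the original post: it parses the output of netstat -ano and of tasklist /fo csv, attaches the owning image name to each connection, and flags TCP listeners bound to every interface whose image is not on an allow-list. Both command outputs in the script are constructed sample text so that it runs offline; on a real host they would come from subprocess.check_output as noted in the docstring.

```python
"""Added example, not part of the original post: join `netstat -ano` output
with the PID-to-image map from `tasklist /fo csv` so each listener and
connection shows the executable that owns it, then flag listeners bound to
every interface that are not on an allow-list. Both command outputs below are
constructed sample text so the script runs offline; on a real host obtain
them with subprocess.check_output(["netstat", "-ano"], text=True) and
subprocess.check_output(["tasklist", "/fo", "csv"], text=True)."""
import csv
import io

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       5120
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       5120
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED     3360
  UDP    0.0.0.0:5353           *:*                                    3360
"""

TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","880","Services","0","9,812 K"
"chrome.exe","3360","Console","1","210,544 K"
"updater.exe","5120","Console","1","3,120 K"
'''


def parse_netstat(text):
    """Rows of netstat -ano; UDP lines have no State column, so field counts differ."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue                      # banner, header and blank lines
        if fields[0] == "TCP":
            proto, local, remote, state, pid = fields
        else:
            proto, local, remote, pid = fields
            state = ""
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """PID -> image name from tasklist /fo csv (the csv module copes with the quoted commas)."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def annotate(rows, images):
    """Attach the owning image to each row; a PID missing from tasklist has already exited."""
    return [dict(r, image=images.get(r["pid"], "<exited>")) for r in rows]


def exposed_listeners(rows, images, allowed):
    """TCP listeners on all interfaces (0.0.0.0 or [::]) whose image is not allow-listed."""
    hits = []
    for r in annotate(rows, images):
        wildcard = r["local"].startswith(("0.0.0.0:", "[::]:"))
        if r["state"] == "LISTENING" and wildcard and r["image"].lower() not in allowed:
            hits.append((r["local"], r["pid"], r["image"]))
    return hits


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    images = parse_tasklist(TASKLIST_SAMPLE)
    for r in annotate(rows, images):
        print(f'{r["proto"]:4} {r["local"]:22} {r["remote"]:22} {r["state"]:12} {r["pid"]:>6} {r["image"]}')
    print("exposed:", exposed_listeners(rows, images, {"svchost.exe"}))
```

The loopback listener on 127.0.0.1 is deliberately not flagged: it is reachable only from the machine itself, whereas a 0.0.0.0 or [::] bind accepts connections from the network. An image name alone is not proof of legitimacy, since malware commonly borrows names like svchost.exe, so the next step on a real host is to check the full path and signature of the flagged PID, which tasklist does not show but Process Explorer from the Sysinternals suite does.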