Critical Control 17: Data Loss Prevention

How do attackers exploit the absence of this control?

In recent years, attackers have exfiltrated more than 20 terabytes of often sensitive data from DoD and defense industrial base organizations (e.g., contractors doing business with the DoD), as well as civilian government organizations. Many attacks occurred across the network, while others involved physical theft of laptops and other equipment holding sensitive information. Yet in most cases, the victims were not aware that significant amounts of sensitive data were leaving their systems because they were not monitoring data outflows. The movement of data across network boundaries both electronically and physically must be carefully scrutinized to minimize its exposure to attackers.
The loss of control over protected or sensitive data by organizations is a serious threat to business operations and a potential threat to national security. While some data are leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices, a lack of effective policy architectures, and user error. Data loss can even occur as a result of legitimate activities such as e-Discovery during litigation, particularly when records retention practices are ineffective or nonexistent.
Data loss prevention refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Over the last several years, there has been a noticeable shift in attention and investment from securing the network to securing systems within the network, and to securing the data itself. DLP controls are based on policy, and include classifying sensitive data, discovering that data across an enterprise, enforcing controls, and reporting and auditing to ensure policy compliance.

How to Implement, Automate, and Measure the Effectiveness of this Control

  1. Quick wins: Organizations should deploy approved hard drive encryption software to mobile machines that hold sensitive data.
  2. Visibility/Attribution: Network monitoring tools should analyze outbound traffic looking for a variety of anomalies, including large file transfers, long-time persistent connections, connections at regular repeated intervals, unusual protocols and ports in use, and possibly the presence of certain keywords in the data traversing the network perimeter.
  3. Visibility/Attribution: Deploy an automated tool on network perimeters that monitors for certain sensitive information (e.g., personally identifiable information), keywords, and other document characteristics to discover unauthorized attempts to exfiltrate data across network boundaries and block such transfers while alerting information security personnel.
  4. Visibility/Attribution: Conduct periodic scans of server machines using automated tools to determine whether sensitive data (e.g., personal identity, health, credit card, and classified information) is present on the system in clear text. These tools, which search for patterns that indicate the presence of sensitive information, can help identify whether a business or technical process is leaving behind or otherwise leaking sensitive information in data at rest.
  5. Visibility/Attribution: Use outbound proxies to be able to monitor and control all information leaving an organization.
  6. Configuration/Hygiene: Use secure, authenticated, and encrypted mechanisms to move data between networks.
  7. Configuration/Hygiene: Data stored on removable and easily transported storage media such as USB tokens (i.e., "thumb drives"), USB portable hard drives, and CDs/DVDs should be encrypted. Systems should be configured so that all data written to such media are automatically encrypted without user intervention.
  8. Configuration/Hygiene: If there is no business need for supporting such devices, organizations should configure systems so that they will not write data to USB tokens or USB hard drives. If such devices are required, enterprise software should be used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices. An inventory of all authorized devices must be maintained.
  9. Configuration/Hygiene: Use network-based DLP solutions to monitor and control the flow of data within the network. Any anomalies that exceed the normal traffic patterns should be noted and appropriate action taken to address them.
  10. Advanced: Monitor all traffic leaving the organization and detect any unauthorized use of encryption. Attackers often use an encrypted channel to bypass network security devices. Therefore, it is essential that organizations be able to detect rogue connections, terminate the connection, and remediate the infected system.
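Item 4 describes scanning data at rest for patterns that indicate sensitive information in clear text. The following is an added example of such a pattern scanner, not code from this document or from any DLP vendor; the keyword list and the SAMPLE file contents are constructed, and a Luhn check and SSA structural rules are used to cut down false positives on card numbers and SSNs.

```python
import re

# Added example for item 4: a minimal clear-text scanner for patterns that
# indicate sensitive data at rest.  Illustrative code, not a vendor DLP tool;
# the keyword list and SAMPLE text are constructed.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digit card numbers
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")  # dashed US SSN
KEYWORDS = ("CONFIDENTIAL", "PATIENT RECORD")        # constructed, org-specific

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Rejects SSNs the SSA never issues (000/666/9xx area, 00 group, 0000 serial)."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def scan_text(text: str):
    """Return (line_no, kind, redacted_value) for each hit; only last digits kept."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                hits.append((n, "card", "*" * (len(digits) - 4) + digits[-4:]))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                hits.append((n, "ssn", "***-**-" + m.group(3)))
        for kw in KEYWORDS:
            if kw in line.upper():
                hits.append((n, "keyword", kw))
    return hits

# Constructed sample of a file found on a server share.
SAMPLE = """\
Quarterly summary - CONFIDENTIAL
order 4111 1111 1111 1111 shipped
ticket id 1234567890123456 (not a card number)
employee 123-45-6789 updated address
"""
```

Running `scan_text(SAMPLE)` reports the keyword on line 1, the Luhn-valid card number on line 2 and the SSN on line 4, while the 16-digit ticket id on line 3 is dropped by the checksum.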

Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls

AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1), SI-4 (4, 11), PM-7

Associated NSA Manageable Network Plan Milestones and Network Security Tasks

Personal Electronic Device (PED) Management
Data-at-Rest Protection
Network Security Monitoring

Procedures and Tools to Implement and Automate this Control

Commercial DLP solutions are available to look for exfiltration attempts and detect other suspicious activities associated with a protected network holding sensitive information. Organizations deploying such tools should carefully inspect their logs and follow up on any discovered attempts, even those that are successfully blocked, to transmit sensitive information out of the organization without authorization.
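Item 2 above lists the outbound anomalies a network monitor should look for (large transfers, long-lived connections, connections at regular intervals, unusual ports), and the paragraph above asks that DLP logs be inspected. As an added example that is not from this document or any vendor product, the following applies those four checks to exported outbound flow records; the flow records, port allow-list and thresholds are constructed and would be tuned to the organization's own baseline.

```python
# Added example: behavioral checks over exported outbound flow records,
# covering the anomalies listed in item 2 (large transfers, long-lived
# connections, regular-interval connections, unusual ports).  Illustrative
# code, not a vendor product; flow records and thresholds are constructed.
from collections import defaultdict
from statistics import mean, pstdev

LARGE_BYTES = 500 * 1024 * 1024     # 500 MiB outbound in one flow
LONG_SECONDS = 8 * 3600             # 8 hours
EXPECTED_PORTS = {80, 443, 53, 25}  # constructed allow-list for this org
BEACON_MIN_FLOWS = 5                # need several flows to judge regularity
BEACON_JITTER = 0.10                # stdev/mean of intervals below 10 %

# Constructed flows: (src, dst, dst_port, start_epoch, duration_s, bytes_out)
FLOWS = [
    ("10.1.1.5", "203.0.113.9", 443, 1000, 30, 800 * 1024 * 1024),
    ("10.1.1.7", "198.51.100.2", 22, 2000, 10 * 3600, 40_000),
    ("10.1.1.9", "192.0.2.8", 8443, 3000, 5, 1_200),
] + [("10.1.1.12", "203.0.113.44", 443, 5000 + i * 300, 2, 900)
     for i in range(6)]

def detect(flows):
    """Return (src, dst, reason) findings for anomalous outbound flows."""
    findings = []
    by_pair = defaultdict(list)
    for src, dst, port, start, dur, out in flows:
        if out > LARGE_BYTES:
            findings.append((src, dst, "large outbound transfer"))
        if dur > LONG_SECONDS:
            findings.append((src, dst, "long-lived connection"))
        if port not in EXPECTED_PORTS:
            findings.append((src, dst, f"unusual port {port}"))
        by_pair[(src, dst)].append(start)
    # Beaconing: many flows to one destination with near-constant spacing.
    for (src, dst), starts in by_pair.items():
        if len(starts) < BEACON_MIN_FLOWS:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m < BEACON_JITTER:
            findings.append((src, dst, f"regular beacon every ~{m:.0f}s"))
    return findings
```

The six small, evenly spaced flows from 10.1.1.12 would pass a pure volume check; only the interval regularity test flags them, which is why item 2 lists that pattern separately.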

Control 17 Metric:

The system must be capable of identifying unauthorized data leaving the organization, whether via network file transfers or removable media. Within one hour of a data exfiltration event or attempt, enterprise administrative personnel must be alerted by the appropriate monitoring system. Once the alert has been generated it must also note the system and location where the event or attempt occurred. If the system is in the organization's asset management database, the system owner must also be included in the generated alerts. Every 24 hours after that point, the system must alert or send e-mail about the status of the systems until the source of the event has been identified and the risk mitigated. While the one-hour timeframe represents the current metric to help organizations improve their state of security, in the future organizations should strive for even more rapid alerting, with notification about data exfiltration events or attempts sent within two minutes.

Control 17 Test:

To evaluate the implementation of Control 17 on a periodic basis, the evaluation team must attempt to move test data sets that trigger DLP systems but do not contain sensitive data outside of the trusted computing environment via both network file transfers and removable media. Each of the following tests must be performed at least three times:
  • Attempt to transfer large data sets across network boundaries from an internal system.
  • Attempt to transfer test data sets of personally identifiable information (that trigger DLP systems but do not contain sensitive data) across network boundaries from an internal system (using multiple keywords specific to the business).
  • Attempt to maintain a persistent network connection for at least 10 hours across network boundaries between an internal and external system, even though little data may be exchanged.
  • Attempt to maintain a network connection across network boundaries using an anomalous service port number between an internal and external system.
  • Insert a USB token into an organization system and attempt to transfer example test data to the USB device.
Each of these tests must be performed from multiple, widely distributed systems on the organization's network in order to test the effectiveness of the monitoring systems. Once each of these events has occurred, the time it takes for enterprise staff to respond to the event must be recorded.

Control 17 Sensors, Measurement, and Scoring

Sensor: Network-based data loss prevention tool
Measurement: Verify that a reputable DLP solution has been installed and configured on the network.
Score: Pass/Fail

Sensor: Data encryption
Measurement: Verify that a full disk encryption solution has been deployed for all mobile systems that handle sensitive data.
Score: Percentage of mobile systems with full disk encryption installed.

Sensor: Behavioral network-based Intrusion Detection Systems
Measurement: Ensure that the solution used for Critical Control 5 is capable of performing behavioral analysis to identify unusual outbound data flows.
Score: Pass/Fail