White Paper | Data Leakage
Data Leakage - Controlled Substance Abuse and Misuse
“’Tis not so deep as a well nor so wide as a church-door,
but ’tis enough, ’twill suffice”
-- Mercutio’s dying commentary on his mortal knife wound delivered by Tybalt
(Romeo and Juliet by William Shakespeare, Act III, Scene 1)
On the global digital stage, the mortal data breach might not be a dramatic attack. Rather, the persistent
seepage, leakage, extrusion of an organization’s data—its lifeblood in our post-industrial revolution market—
can cause enterprise demise. The “death by a thousand cuts” that characterizes the erosion of certainty
about organizational data can result in any of the following: loss of competitive advantage through the theft of
intellectual property (IP) or its compromise, accidental release of entrusted third-party information (especially,
legally protected personally identifiable information), damaged reputation, compliance and audit failures, and
system credit credential exposure.
One indication of the pervasiveness of data loss is that, as of December 2011, the Privacy Rights
Clearinghouse reported 543 million records breached in the U.S. since the group’s tracking began in 2005.
The top breaches in 2011 included Sony PlayStation (101.6 million records), Epsilon (at least 60 million
email addresses), Sutter Physician Services/Sutter Medical Foundation (3.3 million patient records), Texas
Comptroller’s Office (3.5 million individuals affected), Healthnet (1.9 million records), Tricare/SAIC (5.1 million
records, including financial as well as medical information). One lawsuit filed in response to the latter would
give $1,000 to each affected individual.1
Another indication of the pervasiveness of data loss comes from several recent reports about nation-state
activity to extract intellectual property from companies in the U.S. Security analyst Mandiant published a
report in February 2013 that exposed evidence of Chinese military complicity in efforts to steal proprietary
information from companies that control critical infrastructure (CI) assets: water, electrical power, oil and gas
lines.2 According to the Mandiant report, the “APT1” group has infiltrated at least 150 different companies
across industries and extracted terabytes of information—including 6.5 TB from one organization.3
The vulnerability of the automated industrial control systems (ICS) used in these CI industries has attracted
increasing concern over the past several years. Originally designed to collect and transmit data and commands
over a closed (point-to-point) communications network, many systems have been brought online, that is, over
Internet Protocol networks. The National Institute of Standards and Technology (NIST) released its guidelines on
ICS security in June 2011 as NIST Special Publication 800-82. Ranking highly among NIST recommendations
are intrusion detection, audit trail analysis, monitoring compliance gaps, enforcing the rule of least privilege,
and managing credentials by various user categories.
Industries outside the power and utility sector, both CI and non-CI, are also under attack. Mobile
storage practices that rely on convenient repositories like Evernote, Google Docs, and Dropbox also create data
leakage channels. Evernote, for example, reported it had been hacked in early March 2013 and asked that all
50 million customers change their now-compromised passwords.4
THREAT LANDSCAPE - EXPOSURE OF ORGANIZATIONS
Estimating the cost of data loss to organizations is challenging, in part because the majority of organizations
do not really have high confidence about the status of their data, even when it is categorized as sensitive,
confidential, or otherwise protected. In an estimated 59 percent of data breach incidents examined as part
of the 2012 Data Breach Investigations Report (DBIR),5 law enforcement officials notified the compromised
organizations about their problems. Equally disturbing is that 92 percent of the incidents examined were
detected initially by a third party. The organizations themselves had not identified the problem! The report
further indicated that the use of stolen login credentials was the lead attack modality responsible for the
majority of records compromised.6 It’s one thing to have your house broken into. It is more disturbing when your
house is broken into, your keys are stolen, and you are still oblivious to your vulnerable position.
The extent of the problem is impressive. The 2012 DBIR showed the second-highest number of records
exposed—174 million—since the report’s first publication in 2004. Big data organizations are especially
attractive to attacks using advanced persistent threat (APT) techniques. In his comments made at the 2012
RSA Conference in San Francisco, Uri Rivner predicted IP threat targets include pharmaceuticals, energy, and
mining organizations.7 Critical infrastructure sectors should take heed.
Third Parties—Trust Assumptions
Third parties represent multi-faceted liability to an organization. On the one hand, third parties may entrust
their sensitive information to an organization with the explicit or implicit assumption that that information will
be protected. If that trust proves ill-founded due to the organization’s negligence, security vulnerability, or bad
luck, the affected third parties may pursue restitution or penalty. On the other hand, third parties themselves
may be the source of an unmitigated weakness in the organization’s security architecture. In its 2013 survey
of more than 120 technology, media, and telecommunications (TMT) companies in 38 countries, Deloitte
& Touche identified third party security risks and employee awareness as the top concerns.8 Its 2011 study
observed that, given our hyper-linked world,
Multiple parties are connected – and therefore affected – meaning that organizations must not only
assure the security of their own assets, but also those of their third parties who have access to their
network.
Nearly 60 percent of the surveyed TMT organizations view third parties as an ‘average’ to ‘high’ threat
for information security, versus only 30 percent who are very confident in the information security
practices of third parties. This skepticism may be partly driven by the widely publicized problems recently
experienced by major cloud service providers.9
The Open Security Foundation’s DataLoss DB report expressed concern with respect to third party involvement
in data extrusion, highlighting “a trend that indicates that data loss incidents involving third parties, on
average, result in a greater number of records lost than incidents that do not involve third parties. This may
be as a result of the type of data handled by third parties, the process of transferring the data between
organizations, or other hypothesis.”10 And again, in the majority of cases, third parties (often government
agency representatives, foreign and domestic) deliver the message that an organization’s systems have been
compromised. Both individuals and businesses can check PwnedList’s database of stolen credentials, email
addresses, and passwords if they suspect their information may have been exposed, for example, if they were among
the 8 million Gamigo account holders whose information was compromised in March 2012 <www.pwnedlist.com>.
Permeable Spaces
Mobile devices figure prominently in reported data breach cases. Results from a 2011 Ponemon Institute
survey of IT professionals show that mobile devices figured in 63 percent of data breach cases.11 According to a
more recent survey report from the Ponemon Institute about practices to mitigate mobile device vulnerability:12
Many companies make significant investments in encryption and endpoint security to protect sensitive
data, but they often don’t know how/what data is leaving through insecure mobile devices. Traditional
static security solutions such as antivirus, firewalls, and passwords are not effective at stopping
advanced malware and data theft threats from malicious or negligent insiders. To safely permit corporate
use of mobile devices, organizations need data loss prevention technology that knows where critical data
is saved, who is accessing it, how it’s attempting to leave, and where it’s going (Ponemon 2012a, p. 9).
This advice carries across all potential attack surfaces. Still, collecting data about network traffic, system
changes, and user activity from a variety of widely dispersed logical and physical sensors is challenging. With
sophisticated and patient attackers, even nation-state agents, deploying complex, multilayer exploit strategies
over an extended period of time, detection is difficult, especially for understaffed IT groups. Analytical tools that
facilitate effective correlation and understanding of log and system data are needed to help IT professionals
visualize the organization’s informational situation awareness.
LOSS LANDSCAPE - BURDEN TO ORGANIZATIONS
Data leakage prevention (DLP) is a security objective that resonates clearly with the confidentiality leg of the
CIA triad, but not necessarily with availability and integrity (even though authenticity, the assurance that data
has not been tampered with, is problematic when the implicit chain of custody has been broken). Unlike a
water leak, data leakage may not be readily apparent. In many cases, the data is still available and even in its
original, designated repository. The problem arises when it is also in another repository—and not necessarily
one managed by the organization. Possession and access are now shared. It’s like having your cake and eating
it—while another person is digesting it.
Calculating the cost of DLP to organizations involves multiple factors, categorized in a 2012 Ponemon Institute
study as internal costs (detection, investigation, containment, recovery, ex-post response) and external costs
(information loss or theft, business disruption, equipment damage, revenue loss).13 According to survey results
from the 56 companies that participated in this study, almost half (44%) of the external cost of cyber crime
could be attributed to information loss, in part because of legally required notification and restitution/ victim
compensation, including credit monitoring. Protecting and knowing the status of the information asset itself
thus may be perceived as having a higher cost impact to an organization than other external costs.14
The National Crime Prevention Council quotes estimated damage to the U.S. economy due to intellectual
property theft as $250 billion a year, also noting, “more than 45 percent of all U.S. businesses have reported
losses due to intellectual property theft.”15 Michael Chertoff, former Secretary of the U.S. Department of
Homeland Security, and McAfee’s Vice President for Threat Research stated, “I am
convinced that every company in every conceivable industry with significant size and valuable intellectual
property and trade has been compromised (or will be shortly), with the great majority of the victims rarely
discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2,000 firms into two
categories: those that know they’ve been compromised and those that don’t yet know.”16
Brand piracy is one type of IP loss that affects an organization in various ways: (1) lost revenue, as when the
pirating company benefits from the pirated company’s marketing efforts and sells a knock-off product; (2)
warranty cost, as when the pirated company replaces or repairs faulty product that it did not produce; (3)
diminished product image/reputation when the counterfeit products proliferate (less exclusivity and thus less snob
appeal; buyer disappointment in the quality of the counterfeit product, leading to future sales loss). Products
affected can range from high tech (software, electronics) to medium tech (pharmaceuticals, instrumentation) to
consumer tech (music, movies, instrumentation, clothing, toys). Energy resource companies have also reported
suspected IP theft. The consequences of IP theft can be deadly. Although a broken strap on your new Prada
bag only constitutes an irritating wardrobe malfunction, taking bogus medication to regulate your heartbeat
can be fatal. The problem is not new: Caveat emptor is a term first used in the 16th century. The ability to copy
designs without physically breaking into locked file cabinets and desk drawers is, however, very 21st century.
VICTIM LANDSCAPE - EXAMPLES OF VICTIMIZED ORGANIZATIONS
In 2010, McAfee identified a multi-layered attack against oil and gas companies that it dubbed “Night Dragon.”
The documents exfiltrated from the companies as a result of the attacks, which had been going on for a
minimum of two years (perhaps as many as four), included financial records (on field exploration and bidding)
and SCADA system data.17 Another disturbing, coordinated attack with nation-state involvement and U.S.
national security concerns was “Operation Aurora.” McAfee made this observation about Night Dragon and the
attacks that targeted dozens of high profile organizations like Google, Juniper Networks, Northrop Grumman, and
Dow Chemical:
What we have witnessed over the past five to six years has been nothing short of a historically
unprecedented transfer of wealth — closely guarded national secrets (including from classified
government networks), source code, bug databases, email archives, negotiation plans and exploration
details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design
schematics and much more has “fallen off the truck” of numerous, mostly Western companies and
disappeared in the ever-growing electronic archives of dogged adversaries.18
A 2009 study from Purdue’s Center for Education and Research in Information Assurance Studies (CERIAS),
based on its survey of 800 companies, estimated a combined cost of $4.6 billion in lost IP in 2008 alone, as
well as $600 million to repair damage caused by breaches.19 In addition to attacks against corporate data
repositories, social networking sites are also trawled to fish for information inadvertently shared that can
be useful for economic espionage. Guiding employees in the judicious use of social media, perhaps even
preventing their posting sensitive content, can reduce opportunities for bad actors.20
Other high-level data leakage incidents detected since 2010 include the U.S. Chamber of Commerce (trusted
partner of some three million companies), Sony PlayStation 3 (decryption codes released; this was after the
2011 breach that gave hackers access to 101.6 million customer records, including 12 million unencrypted
credit cards), The New York Times and The Wall Street Journal (and other Chinese hacks into various
U.S. media organizations to control information flow), Cargill and Dow Chemical (more than $7 million of
agribusiness and agrichemical trade secrets passed through to a government sponsored Chinese university),
Motorola (1,000 sensitive documents intended for Chinese military and a media company), and Ford (insider
theft of at least $50 million worth of manufacturing trade secrets). Interestingly, U.S. Government actions have
thus far centered on policy, training, and reporting mechanisms (like databases), rather than tools to detect
and capture evidence of leakage.
TECHNOLOGY LANDSCAPE - TOOLS FOR ORGANIZATIONS
As much as sharing is valued and promoted among the nursery school set, the accidental or intentional data
sharing subjects an organization to specific collateral damage. The context of the data leakage determines an
organization’s response and business impact:
■ Source - Where is the opening, membrane, or surface through which data left the organization?
■ Channel - By what means is the data seeping out (e.g., personal media storage, ephemeral messages,
mobile devices, trusted community members)?
■ Data State - Was the compromised data at rest, in motion, in process?
■ Sensitivity - How was the escaped data classified with respect to protection level?
■ Scope of Responsibility - To what extent is the organization legally or ethically accountable for the
protection of the data accidentally or intentionally shared?
■ Restitution/Recourse - What kind of safety net (e.g., insurance) does the organization have in place to
cover the cost of litigation, penalties, and remediation?
Many of us who watched prime time TV in the 1960s and 1970s remember the nightly ABC admonishment,
“It’s 10 p.m. Do you know where your children are?” For organizations, knowing the whereabouts of their data
was challenging even before cloud computing, BYOD, and ad hoc trading partner arrangements. In an ideal
world, of course, organizations have complete informational awareness, enabled through a combination of
responsible organizational data practices, consistently reinforced user training, audited control mechanisms,
secure network architecture, and layered monitoring tools.
DO YOU KNOW WHERE YOUR DATA IS?
INTELLIGENT ID - BENEFIT TO ORGANIZATIONS
The pervasiveness of IP theft, data loss, and information use and abuse, combined with the increase in
sensitive information stored and transmitted digitally, cloud computing, the management of third-party PII, and
BYOD, creates the perfect storm of opportunity for leakage to occur, whether maliciously or accidentally. While
many may prefer to adopt an “ignorance is bliss” mindset toward the use of an organization’s data, increasing
policy and compliance measures, regulation, and the chance of unattractive media exposure demand that decision
makers remain in the know and proactive regarding company data.
Adopting an in-the-know philosophy regarding data and its usage not only prevents these negative consequences
but also produces positive outcomes, including cost reduction, efficient data flow, brand protection, and
overall enhanced organizational security. According to the Ponemon Institute (PI) report, significant opportunities
for cost reduction are available to organizations that invest in technologies to assist with and automate recovery
and detection activities (p. 15).
Intelligent ID’s endpoint and user activity management system captures the largest area of opportunity for
organizational benefit, identified by PI as “investigation and incident management,” capturing the source,
channel, data state and sensitivity of data in the event of a leakage, and preventing loss and theft through
monitoring compliance, enforcing policies, user training and intuitive data analysis and alerting. This area of
opportunity showed a 40% reduction in cost for those reporting companies that implemented an intelligent
security solution as compared to those who did not.21
Because its dashboard monitoring interface and customizable reporting is so easy for IT and non-IT staff alike
to use, Intelligent ID can equalize the asymmetry of informational situation awareness among organizational
legal, HR, R&D, marketing/sales, and IT teams. Intelligent ID can thus alleviate the “shoot the messenger”
response that often characterizes IT communications with other business areas, especially when the news
is not welcome. Bridging this information gap facilitates better teamwork for investigation and resolution. In
addition to its utility as an investigative tool, Intelligent ID also serves to ensure compliance with HR policies,
by promoting staff training/awareness, equally and consistently applied enforcement, and organizational
protection against wrongful termination lawsuits. A recent issue of HR Magazine recommends the well-coordinated
and preemptive use of technology, policy, and training controls that includes collection of
electronically stored information as a “just in case” measure.22
Such coordinated controls covering removable media and mobile devices were not in place at the Florida
Department of Juvenile Justice when a mobile device was stolen in January 2013, even though organizational
policy governing such usage was disseminated as early as November 2008. The information on the device—at
least 100,000 records concerning youths and their employee records—was not encrypted, and neither the device nor
its files were password-protected, in violation of the aforementioned policy. Sadly, three computers that also
contained unprotected but sensitive information from the Department were stolen from an Orlando apartment
in September 2012. Intelligent ID customers like the Ohio Department of Developmental Disabilities avoid
these kinds of unfortunate incidents related to lax policy enforcement and user training. The DODD chose
to enhance its data leakage prevention mechanisms by using Intelligent ID’s features such as monitoring
removable media, protecting against unauthorized copies to USB drives, and encrypting files that have been
deemed sensitive prior to their copy to removable media.
Given the increasing incidents of data leakage reports, rising cost of responding to such incidents, and
significant evidence of incidents going underreported or unacknowledged, it is reasonable that companies
invest in electronic tools to aid in monitoring, detection, containment, investigation, and response. “Electronic
discovery response planning is not just a matter of gathering responsive information but of working in advance
to control what information is created and how it is stored. Electronic discovery best practices begin with
making data management a part of daily business operations.”23 Intelligent ID’s monitoring capabilities are
ideally suited to address these coverage areas. In addition, Intelligent ID is not an “IT Staff Eyes Only” tool.
A scalable and customizable tool, it delivers easily comprehensible alerts and reports to the desktop of
those who need to know, whether hailing from IT, HR, R&D, accounting, or any other organizational business
area. Intelligent ID assembles and correlates the numerous data points needed to attain comprehensive
informational situation awareness to prevent defined data extrusion, intercept questionable activity, and
consolidate digital evidence: organizational protection against “death by a thousand cuts.”
For More Information:
Allow our team to demonstrate
how Intelligent ID can solve your
organization’s specific security needs
unlike any other solution.
1.888.798.7792
www.intelligentid.com
References
1. Privacy Rights Clearinghouse, Data Breaches: A Year in Review (December 16, 2011). Retrieved from https://www.privacyrights.org/data-breach-year-review-2011
2. Gonsalves, Antone, U.S. urged to take comprehensive action on Chinese cyberespionage (February 22, 2013). Retrieved from http://www.cio.com/article/729347/U.S._Urged_to_Take_Comprehensive_Action_on_Chinese_Cyberespionage?source=CIONLE_nlt_infosec_2013-02-26
3. Lambert, Patrick, What the Mandiant report reveals about the future of cyber espionage (February 25, 2013). Retrieved from http://www.techrepublic.com/blog/security/what-the-mandiant-report-reveals-about-the-future-of-cyberespionage/9112
4. Sumagaysay, Levi (March 5, 2013), (In)security: Evernote hacked, corporate data in the age of BYOD, banks as targets. Retrieved from http://bl169w.blu169.mail.live.com/default.aspx#n=125776487&fid=1&fav=1&mid=62e72741-850111e2-9c3f-002264c24396&fv=1
5. The report analyzed the characteristics of 855 incidents that the partner organizations investigated in 2011. Thus, it reports on a subset of data breach incidents annually.
6. 2012 Data Breach Investigations Report. Retrieved from http://www.verizonbusiness.com/resources/reports/rp_databreach-investigations-report-2012_en_xg.pdf
7. Emigh, Jacqueline, RSA: Five Top Internet Security Threats in 2012 (March 6, 2012). Retrieved from http://www.notebookreview.com/default.asp?newsID=6310
8. Deloitte & Touche, Blurring the Lines: 2013 TMT Global Security Study (January 2013). Retrieved from http://www.deloitte.com/tmtsecuritystudy
9. Deloitte & Touche, Raising the Bar: 2011 TMT Global Security Study—Key Findings (2011).
10. Open Security Foundation DataLossDB statistics. Retrieved from http://datalossdb.org/statistics on January 10, 2012.
11. Ponemon Institute, Perceptions about Network Security (June 2011).
12. Ponemon Institute, Global Study on Mobility Risks (February 2012). Sponsored by Websense.
13. Ponemon Institute, 2012 Cost of Cyber Crime Study: United States (October 2012), p. 23. Sponsored by HP Enterprise Security.
14. The study participants estimated the remaining external cost factors for 2012 as follows: business disruption, 30%; revenue loss, 19%; equipment damages, 5% (down from 13% in 20102); and other costs, 2%. (Ponemon, 2012b, p. 14)
15. National Crime Prevention Council. Intellectual property theft: Get real. Retrieved from http://www.ncpc.org/topics/intellectual-property-theft/trends-globalization-and-digitalization-usher-in-a-new-era-of-intellectual-property-theft
16. Alperovitch, D. (August 2011). Revealed: Operation Shady RAT. Retrieved March 1, 2012, from www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
17. McAfee Foundstone® Professional Services and McAfee Labs (February 2011). Global Energy Cyberattacks: “Night Dragon,” p. 19.
18. Alperovitch, p. 2.
19. LockLizard. Intellectual property theft (n.d.). Retrieved from http://www.locklizard.com/intellectual_property_theft.htm
20. Nairn, Geoff. Your Wall Has Ears (October 18, 2011). Wall Street Journal Online. Retrieved from http://www.online.wsj.com/article/SB10001424052970204226204576600531532461052.html#printMode
21. Ponemon Institute (October 2012), p. 17.
22. Jackson, Graham. Managing the risk of intellectual property theft in a highly connected business (July 25, 2012). HR Magazine Online. Retrieved from http://www.hrmagazine.co.uk/hro/features/1073968/managing-risk-intellectualproperty-theft-highly-connected-business
23. LexisNexis®. Electronic discovery best practices. Retrieved from http://www.lexisnexis.com/applieddiscovery/lawlibrary/whitePapers/ADI_ImplementEDiscBestPractices.pdf