Skip to main content

Featured

What Motivates Young Cybercriminals?

In the world of cybercrimes, the majority of cybercriminals always seek financial gain, but this is not the primary motivation. Aside from the advanced sophistication of state-sponsored incidences, the young cybercriminal venturing into the dark side boils down to their ego. Adolescent criminals seek out recognition among their peers eager for a sense of success in an effort to prove themselves.

Many seek out popularity within internet hacking communities driven by a feeling of accomplishment they compromised a target. This provides them with a rush, a demeanor to develop their skills further becoming tragically involved with organized crime immersed in their addictive and dangerous sphere of influence.

Others find inadequate employment opportunities and thus are lured into the dark side to learn a skill as a matter of survival by participating in online hacking groups. They are easy prey for organized crime and state-sponsored groups to recruit indoctrinating them into …

Data Loss Prevention Fundamentals


Data breaches have touched almost everyone in the civilized world, and yet a majority of organizations for a variety of reasons fail to lock down their data. Security professionals all understand the loss of control over sensitive and protected data by organizations is a serious threat to business operations.

Data Breach Containment Costs

It is not far-fetched to say that the general public including corporations has become desensitized and apathetic to the dangers data breaches cause globally. Daily we hear of some organization being breached and the enormous costs involved with containment and litigation. For example, the profound ramifications of any breach occurring in corporations are these:

Forensic Examination – This examination determines the severity and scope of a violation involving compromised computer systems or networks. It is considered a crucial step in the process, as companies that act too quickly to publicly disclose details of a data breach may actually worsen the situation and suffer additional long-term costs. According to the 2010 Ponemon report on data breach costs, companies that responded with quick notification ended up paying an average of $268 per record compared to the standard of $174 per record by companies that took the appropriate time to analyze the event. Multiply those amounts by the accrual number of records breached it becomes staggering and unsustainable. Be aware the dollar amounts shown are in 2010, and in 2014 the cost per record has risen.

Notification of Third Parties – Most states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted data breach notification laws. The state laws require companies or individuals that maintain unique personally identifiable information (PII) of individuals to notify those individuals if such information is lost, stolen or otherwise compromised. Beyond the legal requirement, many companies believe it is good business practice to inform affected individuals in the event of a breach. Before these laws were enacted state by state with California being the first to ratify the laws. The rest fell in order like dominoes (unlike our federal government struggling to get out of the stone age), many corporations back then adopted a hush rule to save them from the embarrassment and public outcry, to paraphrase it “What they don’t know will not hurt them.” Third party disclosure may not be the case in foreign countries which add to the enormity of data breaches occurring if PII data is stored in the cloud in another country where our legal jurisdiction does not apply.

Call Centers – To add insult to injury call center employees or third-party contractors factor into identity theft risk in a big way, especially call centers overseas. The weapon of choice may be a notepad and a pencil, this hard-to-track insider threat has become even more complicated by the recent decade’s globalization for cost savings. But for most, companies consider it a customer service best practice to include a phone number in the notification letters for affected individuals wanting more information about the extent of the breach, the company’s response, or next steps. Costs are typically calculated by call volume, number of weeks or months the center will be dedicated to fielding questions, as well as being available 24/7.

Public Relations – The scramble undoing the damage to the brand. Many companies are ill-equipped and have to engage an external PR firm that specializes in damage control to help mitigate harm to its reputation caused by a data breach. To this extent, the truth about the severity of the offense is not well-understood mind you even disclosed as per state laws would allow. Complete transparency is, in a nutshell, an oxymoron and will add enormously to litigation costs. The direct cost of obtaining a PR firm is covered under most network risk policies, but the indirect adverse impact on the company is mainly uninsurable. According to the 2010 Ponemon Study, the average cost of a data breach is $214 per record with $141 of that amount attributed to decreased stock price and customer churn. The remaining $73 was a result of direct costs such as notification, credit monitoring, defense, forensics, call center services, and PR consultation fees. The more concerning issue associated with the Public Relations aspect of a data breach is the potential long-term loss of confidence among customers and business partners, which in turn can impact sales and revenue.

Legal Defense – This among all can bring any corporation down to its knees.
Claims from a data breach can come from some parties, but most frequently from consumers and banks. Defending these claims results in legal defense expenses in addition to the actual cost of settlements. Consumers whose personally identifiable information has been compromised as a result of a breach may file suits alleging some violations that include in their allegations are:

  • Negligence
  • Breach of warranty
  • Failure to protect data
  • Failure to disclose defects in products or services regarding capabilities of protecting data
  • Unreasonable delay in remedying suspension of service or loss of data
  • Violations of various applicable state/federal laws
  • False advertising
  • Unfair or deceptive trade practices
Consumer claims are typically filed as class action lawsuits but tend to have limited success given the difficulty in proving injury in the absence of actual identity theft. However, new legal theories continue to evolve and so may affect the outcome of such claims. One such allegation is “Future Harm” where data breach cases brought to date by private litigants have generally involved hackers gaining access to a company’s database. Examples of plaintiff allegations are:

  • Theft or loss of a company’s unencrypted laptop computer or backup tapes.
  • The company failed to adequately safeguard data before any data was actually lost or stolen.
Where actual harm is sufficiently alleged such as identity theft or fraudulent charges, a claim is more likely to proceed.

While it is uncertain whether consumers may successfully prove damages, it is certain that the breached company will face significant costs in hiring legal counsel to defend itself. Banks that issue payment cards have also sought damages from the breached company for the costs of reissuing cards that were compromised during the breach. It is estimated that a bank may pay between $12 and $22 to reissue a single payment card. The costs of this card re-issuance are one of the reasons banks have been successful in recouping this expense from retailers or other breached organizations. Individual states, like Washington and Minnesota, have even passed legislation that makes a payment card processor or business liable if reasonable steps were not taken to protect against unauthorized access to the account information that leads to the loss of such information. Several other states are considering enhancing their data breach laws to include such language.

Creditor Identity Monitoring – Credit or identity monitoring is not required by most state notification laws, many companies believe that providing this service maintains sound customer relationships. Credit and identity monitoring have become a standard element of a comprehensive beach response. While credit monitoring services are focused primarily on financial aspects like credit history and account activity, identity monitoring goes further by tracking movements relative to medical, employment, and other types of fraud. One service may be more appropriate than the other depending on the type of information compromised during a breach. Identity restoration is an additional service that can be requested by affected parties if they do suffer actual identity theft. Combined costs for credit monitoring, identity monitoring, and restoration can range from $10 to $40 per individual per year. The values become significant when you consider that one breach can compromise thousands or even millions of records.

However, the catch with it is the service is only temporary for a given period of time notably for one year in most instances. With new litigation allegations and theories introduced with the argument of “Future Harm” those costs may remain for an extended period of time or become permanent.

Regulatory Enforcement – Increased scrutiny by the federal and state government is affecting all companies, but particularly health care and financial services firms due to the sensitive and personal nature of the information they handle. Depending on the quality of the data breach, a company may have to defend itself against investigations launched by applicable federal or state authorities, such as the Federal Trade Commission or state attorneys general.

Companies that experience a breach may also be subject to fines and penalties if found to be non-compliant with necessary requirements which, in many cases, are self-imposed. Yet I have seen organizations simply think that it is cheaper to pay the fines and penalties than invest in Data Loss Prevention best practices.

One good example of Federal law is the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPPA), which outlines necessary requirements for healthcare organizations regarding the handling of Protected Health Information. As part of the American Recovery and Reinvestment Act of 2009 (ARRA), the Health Information Technology for Economic and Clinical Health Act (HITECH) established a tiered civil penalty structure for HIPAA violations. Fines can range from $100 per violation to a maximum of $1.5 million. The Department of Health and Human Services has already fined several entities as a result of breaches of the Privacy Rule.

Aside from the government regulation are industry entities that set best practice standards and can levy fines and penalties. One such body is the Payment Card Industry Security Standards Council (PCI) that was established by the major payment card brands in 2006. The Council set the Payment Card Industry Data Security Standard as a uniform best practice requirement for any company that processes, stores or transmits credit card information. The Council engages third-party vendors in assessing compliance levels of organizations subject to the standard and can levy fines against organizations that do not comply. Penalties can range from $5,000 to $100,000 per month for PCI compliance violations.

Comprehensive Information Security Program – Arguably, many seasoned security professionals would want to weigh in that organizations lack this. An ongoing trend around regulatory settlements has been the requirement that the breached company implement a Comprehensive Information Security Program. These programs usually accompany a fine or penalty and are subject to periodic audits conducted by the enforcing body. Examinations can continue over the course of several years, and the costs include both the fine itself as well as the cost to implement the program through reallocation of existing human capital or indirect costs incurred in retaining an outside firm if internal resources are not available.

Corporate Fallout

“The intrinsic value of any company is within its data,” and it is not until recently notably the Target breach we are now seeing it affecting the mahogany office rows of senior corporate executives. All C level individuals including CEOs and board members are jettisoned from organizations.

Corporate executives are not immune, and they must be held accountable for their actions or the lack thereof for the safekeeping and stewards of sensitive corporate data. The buck stops on their desk to ensure adequate security safeguards are in place towards the prevention of data loss.

It’s difficult for some firms to grasp the severity of corporate data breach problems. The financial issues associated with these attacks can be severe, often more so than companies think them to be. In the end, if organizations aren’t fully aware of the problems associated with cyber criminalism, it could wind up costing them their livelihoods. These ramifications can lead to even far-reaching effects such as bankruptcy, but this alone may not suffice to need I say if, for example, white collar crime or scandals that were intentionally deliberate was the underlying cause of the breach.
The irony of it is that we are experiencing breach calamities throughout the globe, companies have paid little or no attention to protecting their crown jewel data in the Cyber era.
The reasons are many, but some of them are:

  • Security is not a consideration to sales/marketing in a rush to market products and services
  • Security is never a priority with software developers
  • Legacy systems developed before having modern security practices in place
  • Companies are still in the state of denial
  • Security does not generate revenue
  • Security is too expensive and cut from provisioning budgets
  • Human misconceptions, ignorance, and awareness
Today adversaries such as China and Russia are the two significant sources of cybersecurity attacks. Their targets are not just the financial system, which is better defended than most industries due primarily to burdensome government regulations and oversight. For reasons that are social, political and financial, cybersecurity attacks may also focus on disrupting nationally critical supply chains of natural resources, energy, water, and food. Assaults on poorly guarded computer systems controlling portions of these supply chains can have material effects on the companies involved, but also cause significant disruptions in our national economy and drastically affect our way of life. Not only do we have military adversaries waging cyber-attacks but the organized criminal underworld where both are hell bent with a taste for the jugular to acquire political, social or financial gain. Adversaries such as these “know no budget” taxing the financial resources of any organization and in the end destroys the livelihoods of all of us. Aside from adversaries such as Russia and China, the criminal underworld is a well-financed and lucrative organization make no mistake. Many elements are also financed by other rogue entities to serve their political or religious purpose, namely al-Qaeda and other terrorist organizations.

Data Loss Prevention (DLP) Best Practices

Organizations that are proactively on top of their game plan executing effective DLP best practices have total support from the top executives. Organizations that have enacted strong governance policies enforcing accountability and provide metrics measuring the effectiveness of strategies are the least prone to data breaches. Some of the best practices are:

  • Executive sponsorship – Get it as I cannot emphasize this more, a must, and if there is a lack of strong administrative backing and funding that champions the effort DLP basically collapses because of the lack of accountability, funding or both. I have been in other organizations where weak executive sponsorship is exhibited. The DLP initiatives and other security initiatives are perceived as forced upon them either from a major breach event or mandated by government regulations.
  • Proactive Business Goals and Awareness – Understanding the “Intrinsic value of the organization are in its data,” successful organizations are motivated and will go to great lengths to embrace a culture of good stewardship that protects their data in addition to their customer’s. They also understand accountability will be enforced from litigation and government investigations that will have adverse effects on their livelihoods.
  • Endpoint protections – DLP and endpoint encryption are two essential best practices in an organization’s security mission. Achieving end-to-end data encryption coupled with a DLP system protects data while in motion and where the data goes with appropriate access control measures.
  • The effectiveness of DLP Solutions – Metrics are essential from a centralized console that monitors the effectiveness of the system against criteria. Also, support for mobile devices is also a critical component with solutions.
  • Vendor Support – It is essential that vendors of DLP solutions back their product with affordable and continuous upgrades and issue resolution 24/7.
  • Accountability – Information security should be responsible for data protection, setting strategy, overseeing deployment and ongoing management of data protection activities.
  • Strategy – One of the fundamental best practices is to have a policy that will focus all efforts to mitigate data loss.
  • Common Barriers – The top two barriers are dealing with the complexity of compliance and regulatory requirements followed by lack of leadership. Strong leadership, executive sponsorship, and awareness stand at the very foundation to eliminate those barriers. Moreover, I have seen pushback from many departments complaining that DLP will impede their work yet through awareness and persuasion this can be overcome.
  • Risk – Conduct formal risk assessments is key to identifying risk and coming up with a mitigation plan. Automated features many DLP solutions have with regards to compliance are useful in this regard.
  • Metrics – Best practice organizations are more likely to have parameters in place to determine the effectiveness of their efforts. The top two metrics they use are the percentage of endpoints secured with encryption and other data protection tools followed by the number of records or files detected as compliance infractions.
  • Policies – No doubt this is part of best practices where the enforcement of policies is among the most significant deterrents to end users’ misuse of information assets. The implementation also goes all the way to the top, make no mistake. If the very executives and/or board members who champion the governance and policies of an organization are not in compliance with what makes us think the rest of the organization is?

The DLP Architecture



The above diagram is a typical overview of a DLP solution in an organization. The answer itself highlighted in red corresponds to how it is deployed within the organization’s infrastructure. In a nutshell, the DLP solution is a network device that has components or engines that govern data identification, data at rest, data in motion and data in use. Only the endpoint component has an agent that is installed on typical end-user devices such as workstation PCs, laptops, mobile devices, printers, fax machines and scanners on some solutions.

The Data Layer

At the base is the data and it resides at rest in a multitude of repositories within an organization such as shared folders, databases, directories, spreadsheets, text documents and every conceivable type used. Now the types of data are described as structured and unstructured:

  • Structured Data – Is data that resides in fixed fields within a record or file. Relational databases and spreadsheets are examples of structured data.
  • Unstructured Data – Is data that does not reside in fixed locations. Commonly referred to as free-form text, which is ubiquitous. Examples are word processing documents, PDF files, e-mail messages, blogs, Web pages and social sites.
Data that is sorted at rest in the public cloud and not in the control of the organization adds complexities many DLP solutions cannot address unless of course installed in a private cloud scenario.

Identification Data at Rest Component

Once the data classification scheme and policy are at hand and configured into the solution, the data identification performs the following tasks:

  • Content Discovery – Is a technique that scans data content fingerprinting the data under the prescribed classification scheme. On most solutions, it is conducted remotely, agent-based and memory-resident agents. The following tasks are performed:
  • Endpoint Discovery
  • Storage Discovery
  • Server Discovery
  • Data at Rest Enforcement – If a policy violation is discovered the component can perform the following functions:
  • Alert and Report
  • Quarantine and Notify
  • Quarantine and Encrypt
  • Quarantine and Deny Access
  • Remove and/or Delete

Network Data in Motion Component

The purpose of the data in motion component sniffs traffic on the network (passively or inline via proxy) to identify content being sent across specific communications channels. For example, this includes sniffing emails, instant messages, and web traffic for snippets of sensitive source code. In motion tools can often block based on central policies, depending on the type of traffic. Common functions are:

  • Email Integration
  • Filtering, Blocking and Proxy Integration

Endpoint Data in Use Component

This component typically addresses by endpoint agents that monitor data as the user interacts with it. For example, they can identify when you attempt to transfer a sensitive document to a USB drive and block it (as opposed to preventing the use of the USB drive entirely). Data in use tools can also detect things like copy and paste, or use of sensitive data in an unapproved application (such as someone attempting to encrypt data to sneak it past the sensors). The typical functions that are provided are:

  • Filtering and blocking data
  • Scanning
  • Enforcing network rules
  • Incident reporting
  • Monitoring and implementing within system kernel
  • Monitoring and executing within the file system
  • Encryption

Monitor Component

This component manages the DLP solution and is used by non-technical staff such as HR, Legal to executive management as delegation functionality permits. It also provides central admiration for enforcement and detection points, creating and administering policies, incident workflow, and reporting. The common functions are:

  • Dashboard
  • Incident management queue
  • Single incident display
  • System administration
  • Reporting
Many organizations are not proactive following DLP best practices let alone current information security best practices. In all cases, they are forced into it because of the ensuing consequences involved and the fallout after the breach occurred. Had they been proactive in the first place putting into motion best practices, the enormous amount of time and money would have been avoided.
Most solutions are efficient and evolving with new functionality and support. From a technical architectural standpoint, the most significant obstacles to a successful deployment tend to be inappropriate expectations and failing to prepare for the business process and workflow.