
Data Leakage

by msecadm4921

Yuval Ben-Itzhak, Chief Technology Officer, Finjan, Inc, asks about data leakage and your web browser.

Incidents of data intentionally or unintentionally leaving corporate networks are rising. In the CSI Computer Crime & Security Survey of 2008, 44pc of the polled companies registered data leakage as the second biggest problem of their corporate IT security. In a survey conducted among German companies, less than 25pc were found to use HTTP traffic monitoring systems for protection from confidential data leakage. An older survey conducted in the US investigated how data is being leaked through communication tools. Its results showed that HTTP was the leading avenue for data leakage. Furthermore, it was found that customer data represented the vast majority of data leaked to unauthorized parties, followed by confidential information and Protected Health Information (PHI).

Data Loss Prevention or Data Leakage Prevention (DLP) is now a major issue, affecting the bottom line of enterprises. According to recent research, the total number of data loss incidents in 2008 rose by 2600% compared to the total number of data loss accidents in 2004.

Not only companies, but also governmental agencies are at risk. One of the latest incidents, an accidental data leak, occurred in May 2009. Some parties received electronic data consisting of the latest unemployment and average earnings figures from the Office for National Statistics (ONS) before their official publication date. The ONS was forced to officially release these figures ahead of time, resulting in the Pound Sterling bouncing higher. (The released data showed a smaller than expected rise in claimant count unemployment even as the overall unemployment rate rose to 7.1 percent.) This incident is the latest addition to a string of data breaches the British government has suffered over the past two years. They include leakage of secret intelligence files, the details of every prisoner in England and Wales, and information about thousands of potential army recruits.

Data leakage has grown into a global problem, as the following incidents show.

  • In February 2009 in Hong Kong, more than 60 restricted government documents were leaked on the internet through file-sharing software "FOXY", forcing the Privacy Commissioner for Personal Data Mr. Roderick B. Woo to take immediate action.
  • In the beginning of 2009, Dartmouth College researchers (US) searched file-sharing networks for key terms associated with the top ten publicly traded health care firms in the country. Over a two-week period, they discovered numerous sensitive documents, including a spreadsheet from an AIDS clinic with client details; hospital databases containing detailed information on more than 20,000 patients; a 1,718-page document from a medical testing laboratory containing patient data; and more than 350 megabytes of sensitive patient data from a group of anesthesiologists.
  • In April 2009, a data leakage incident occurred in a Prague hotel (Czech Republic). The flight details and passport numbers of around 200 EU leaders, including those of a Finnish state delegation, were leaked by accident. The data was related to a recent EU-US summit held in Prague and attended by U.S. President Barack Obama.
  • In April 2009, an employee of Mitsubishi UFJ Securities Co., who was deputy chief of their computer department, sold personal data on more than 49,000 of its customers to three dealers who specialize in personal data lists, which in turn sold them to more than 80 real estate agents and other firms.
  • In March 2009, a spreadsheet containing customer data of Kabel Deutschland (a German provider of Internet, cable TV and telephony) was leaked to questionable call centers.

Data leakage prevention (DLP) is gaining more and more attention as governments and organizations realize the danger to their compliance status and to their commercial health. Web 2.0, especially Peer-to-Peer (P2P) networks, provides conduits through which information can leak. Intellectual property and patient information disclosed on P2P networks are especially at risk. IBM’s Many Eyes, which is essentially a mashup application for visualizing data, contains a lot of data that probably shouldn’t be there, such as sales forecasts, corporate income statements, and data from government agencies, including the CIA.

Although most data loss is unintentional, we see a growing number of intentional data loss incidents. During mergers, layoffs and reorganizations, corporate data are vulnerable. An employee could leak data for their personal benefit. Such data include customer lists, intellectual property (IP) and other business data that could be useful for the (former) employee.

Organizations around the world have become aware of their need to protect their outbound data in transit. This growing demand has resulted in a booming market for DLP solutions, expected to reach $2 billion by 2012. Protecting against loss of data in transit is complicated, even more so when malware is involved, as in the case of "Trojans phoning home". The optimal way to prevent data leaking out of the network is the use of a Gateway-based web security solution. Such solutions consist of dedicated hardware/software platforms. They analyze network traffic, including IM, FTP, HTTP, and HTTPS, to search for unauthorized information transmissions.

When selecting a DLP solution, an enterprise needs to focus on the following elements:

  • All outbound communication should be analyzed in real time and identified by its true content payload, not just by its file extension. True Content Type detection capabilities prevent selected file types from leaking out or being downloaded by users.

  • Administrators should be able to set policies based on dictionaries/lists containing words or formats (such as customer or employee information with names, addresses, social security numbers and other identity-related information) that should be protected. The solution should also enable lexical analysis and dictionaries/lists for words or formats relating to company-specific sensitive information (e.g., intellectual property (IP), financial information).

  • Policy-based management is needed to set up and enforce granular rules per specific user or per user group (e.g. sales, marketing, R&D, finance, legal).

  • The ability to set up compliance lists for PCI, HIPAA, GLBA, SOX, CISP, FISMA, governmental regulations, etc. is needed, especially for publicly-traded companies, financial institutions, and healthcare providers.
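
The first three criteria can be seen working together in the following Python, an added example that is not code from the article or from any DLP product: it classifies an outbound upload by its leading bytes rather than its file name, applies format and dictionary detectors, and enforces per-group rules. The signature subset, group names, keyword dictionary and sample values are all constructed assumptions.

```python
import re

# Constructed subset of magic-byte signatures mapped to a true content type.
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip/ooxml", b"\xd0\xcf\x11\xe0": "ole2"}
# Extension a sender may claim, and the true type it should correspond to.
EXT = {"pdf": "pdf", "zip": "zip/ooxml", "docx": "zip/ooxml",
       "xlsx": "zip/ooxml", "doc": "ole2", "xls": "ole2"}
# Hypothetical per-group rules: blocked true types and enabled format detectors.
POLICY = {
    "sales":   {"block": {"zip/ooxml", "ole2"}, "detect": {"ssn", "card"}},
    "finance": {"block": set(), "detect": {"ssn"}},
}
KEYWORDS = ("sales forecast", "income statement")  # constructed company dictionary
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def true_type(payload: bytes) -> str:
    """Classify by leading bytes, ignoring whatever the file name claims."""
    for magic, name in MAGIC.items():
        if payload.startswith(magic):
            return name
    return "unknown"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard random digit runs that look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def inspect(group: str, filename: str, payload: bytes) -> list:
    """Return policy findings for one outbound upload by a user in `group`."""
    rules, kind, findings = POLICY[group], true_type(payload), []
    ext = filename.rsplit(".", 1)[-1].lower()
    if kind != "unknown" and EXT.get(ext) != kind:
        findings.append("extension-mismatch:" + kind)
    if kind in rules["block"]:
        findings.append("blocked-type:" + kind)
    text = payload.decode("latin-1").lower()
    if "ssn" in rules["detect"] and SSN_RE.search(text):
        findings.append("ssn")
    if "card" in rules["detect"] and any(
            luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        findings.append("card")
    findings += ["keyword:" + k for k in KEYWORDS if k in text]
    return findings
```

The text detectors see only uncompressed bytes, so archives and Office containers would have to be unpacked before scanning.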

Numerous enterprises are now looking for DLP as an integral part of their web security solution rather than as a dedicated, stand-alone DLP solution. This enables administrators to turn specific features on and off, deploy security features in stages and even disable superfluous functions. This type of integrated DLP solution prevents intentional (as a result of malicious activity) and unintentional data leakage with low cost of ownership.

© 2024 Professional Security Magazine. All rights reserved.