Solving the DLP Puzzle: 5 Ways Employees Spill Sensitive Data

A company can buy every top-of-the-line security product known to man, but it won’t make a difference for data loss prevention (DLP) unless end users are educated on their own role. Technology is indeed critical to DLP, as we showed in “Solving the DLP Puzzle: 5 Technologies That Will Help.” But security experts say user awareness is key to keeping sensitive data safe from online predators.

“DLP is a process first. The technology is simply an enabler for the automation of the process,” said Rick Lawhorn, a Richmond, Va.-based chief security officer. “The process needs to include education and awareness training and cover human resources, records management and compliance. The objective is to continuously train data owners and data custodians (the employees) on the company policies to reduce instances of non-compliance.”

Based on feedback from several security practitioners, here are five ways in which employees maliciously or unwittingly lose sensitive data, and how a DLP program with the right people policies can make a difference.

1. E-mail mayhem

IT administrators have had success detecting and blocking malicious e-mail, but users continue to let sensitive data outside the company walls by hitting “send” at inappropriate moments — like when they’ve just copied and pasted customer information or intellectual property details into a message box. Many times the e-mail is meant for recipients inside the company, but the user might include outside addresses in the message without thinking.

See an example of users compromising security through e-mail in “Ouch! Security Pros’ Worst Mistakes”

Meanwhile, e-mail filters can’t stop every phishing attempt. URLs to malicious sites will still get through, and all it takes is one user to click on it to infect one or more machines with malware that finds and steals data.

This is where the user policies and awareness training can make a difference, Lawhorn and others noted. Policies should be clear on the type of content that users can and cannot send out, including such things as customer credit-card numbers, detail on the company’s intellectual property and the medical records of fellow employees. Attackers typically latch onto news events like hurricanes or celebrity deaths to concoct bogus headlines that, once clicked, open the door to insidious websites designed to drop malware onto the user’s machine. An awareness program can reduce the risk by constantly alerting employees to malicious social engineering schemes making the rounds.

2. The perils of pinging programs like AOL Instant Messenger and Trillian have become routine applications in an increasingly mobile workforce. Employees often rely on these programs to communicate remotely with their bosses and department mates. Along the way, attackers have found ways to send malicious links and attachments to users by creating imposter accounts that look like legitimate messages from colleagues. Adding insult to injury is that many IM applications can be downloaded for free and, once installed, are pretty much beyond the control of enterprise IT shops. Like the e-mail problem, this is a case where user awareness training and policies are critical. Policies should be clear about information that can and can’t be sent by IM.

Instant Messaging

3. Social networking abuse Seven Deadly Sins of Social Networking Security” for examples of user oversights that enable data thievery].

While IT shops continue to struggle with the insecurities of e-mail and IM, attackers are increasingly setting their sights on such social networking sites as LinkedIn, Myspace, Facebook and Twitter [see the “

It turns out the bad guys can use these sites to do all the nasty things they learned to do by e-mail and IM.

Facebook in particular is notorious as a place where inboxes are stuffed with everything from drink requests to cause requests. For some social networkers, clicking on such requests is as natural as breathing. Unfortunately, the bad guys know this and will send you links that appear to be from legitimate friends. Open the link and you’re inviting a piece of malware to infect your machine. Christophe Veltsos, president of Prudent Security, describes this as being “click-happy” and warns, “Don’t click unless you’re ready to deal with drive-by downloads and zero-day attacks.”

User awareness programs must address the myriad tricks attackers can employ on these sites, whether it’s a bogus group invite on LinkedIn or a photo on Myspace that hides malware that’s unleashed when the user runs the curser over the image.

4. Passing up secure passwords

This is another old problem that attackers continue to exploit with plenty of success. Users have a growing pile of passwords they need to keep for access to everything from the work e-mail application to their social networking accounts and banking sites. Since memories are short and people tend to forget the password to a program they might only use once a month, the typical tactic is to use the same password for everything.

“Using the same password on several sites is like trusting the weakest link in a chain to carry the same weight. Every site has vulnerabilities, plan for them to be exploited,” says Daniel Philpott, information security engineer at OnPoint Consulting Inc.

Lawhorn cites this as an example of something an employee user policy should address. A good policy would require employees to use a different password for each work-related account with upper and lowercase letters and numbers, for example.

5. Having too much access

Another common problem is that employees are often given access to more enterprise applications than they need to do their jobs. All it takes is one disgruntled employee with too much access to go in and steal enough sensitive data to put the company in serious jeopardy.

The best defense here, security experts say, is to allow employees access only to applications and databases they need to do their jobs.

About this series: Companies are clamoring for Data Loss Prevention (DLP) tools to keep their data safe from online predators. But there is much confusion over what the true ingredients are. In this series, CSOonline talks to security practitioners, analysts and other experts for a crash-course on what DLP is, what it isn’t and how to get on the right track. We’ll begin with the proper technologies to use, followed by the right people policies.

ALSO IN THIS SERIES:

• Solving the DLP Puzzle: 5 Technologies That Will Help