How do attackers exploit the lack of this control?
In recent years, attackers have exfiltrated more than 20 terabytes of often sensitive data from Department of Defense and Defense Industrial Base organizations (e.g., contractors doing business with the DoD), as well as civilian government organizations. Many attacks occurred across the network, while others involved physical theft of laptops and other equipment holding sensitive information. Yet, in most cases, the victims were not aware that significant amounts of sensitive data were leaving their systems because they were not monitoring data outflows. The movement of data across network boundaries both electronically and physically must be carefully scrutinized to minimize its exposure to attackers.
The loss of control over protected or sensitive data by organizations is a serious threat to business operations as well as, potentially, national security. While some data is leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices, a lack of effective policy architectures, and user error. Data loss can even occur as a result of legitimate activities such as e-Discovery during litigation, particularly when records retention practices are ineffective or non-existent.
The phrase "Data Loss Prevention" (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Over the last several years, there has been a noticeable shift in attention and investment from securing the network, to securing systems within the network, to securing the data itself. DLP controls are based on policy, and include classifying sensitive data, discovering that data across an enterprise, enforcing controls, and reporting and auditing to ensure policy compliance.
How can this control be implemented, automated, and its effectiveness measured?
- QW: Organizations should deploy approved hard drive encryption software to laptop machines that hold sensitive data.
- Vis/Attrib: Network monitoring tools should analyze outbound traffic looking for a variety of anomalies, including large file transfers, long-time persistent connections, connections at regular repeated intervals, unusual protocols and ports in use, and possibly the presence of certain keywords in the data traversing the network perimeter.
- Vis/Attrib: Deploy an automated tool on network perimeters that monitors for certain Personally Identifiable Information (PII), keywords, and other document characteristics in order to detect unauthorized attempts to exfiltrate data across network boundaries, block such transfers, and alert information security personnel.
- Vis/Attrib: Conduct periodic scans of server machines using automated tools to determine whether PII data is present on the system in clear text. These tools, which search for patterns that indicate the presence of PII, can help identify if a business or technical process is leaving behind or otherwise leaking sensitive information in data at rest.
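The following is an added example (not part of the original control text) showing the two detection ideas above in working form: a scan of data at rest for clear-text PII patterns, with a Luhn check so that order numbers and other digit runs are not reported as card numbers, and masking so the report itself does not leak what it finds. The pattern set and sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PATTERNS = {  # illustrative set (assumption); extend with the PII classes your policy defines
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

def luhn_ok(digits):
    """Luhn checksum separates real card numbers from order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(value):
    """Keep only the last 4 characters so the report does not itself leak PII."""
    return "*" * (len(value) - 4) + value[-4:]

def scan_file(path):
    """Return (path, line, kind, masked_value) for each clear-text PII hit in one file."""
    hits = []
    with open(path, encoding="utf-8", errors="ignore") as fh:
        for lineno, line in enumerate(fh, 1):
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    value = m.group(0)
                    if kind == "credit_card" and not luhn_ok(re.sub(r"\D", "", value)):
                        continue
                    hits.append((str(path), lineno, kind, mask(value)))
    return hits

def scan_tree(root):
    return [h for p in Path(root).rglob("*") if p.is_file() for h in scan_file(p)]

def demo():
    """Constructed sample: a debug log that leaked PII beside a clean config file."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "app-debug.log").write_text(
            "user=jane.doe@example.com ssn=123-45-6789\n"
            "card=4111 1111 1111 1111 approved\n"
            "order_id=1234567890123 shipped\n")
        Path(d, "app.conf").write_text("listen=0.0.0.0:8080\n")
        return scan_tree(d)

if __name__ == "__main__":
    for path, lineno, kind, value in demo():
        print(f"{path}:{lineno}: {kind} {value}")
```

Run against a real file share, the same scan_tree call points at the mount and the masked report goes to the data owner for remediation.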
- Config/Hygiene: Data should be moved between networks using secure, authenticated, encrypted mechanisms.
- Config/Hygiene: Data stored on removable, easily transported storage media, such as USB tokens (i.e., "thumb drives"), USB portable hard drives, and CDs/DVDs, should be encrypted. Systems should be configured so that all data written to such media is automatically encrypted without user intervention.
- Advanced: If there is no business need for supporting such devices, configure systems so that they will not write data to USB tokens or USB hard drives. If such devices are required, utilize enterprise software that can configure systems to allow access only to specific USB devices (based on serial number or other unique property) and to ensure that all data placed on such devices is automatically encrypted.
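As an added example for the outbound-traffic monitoring item above (not code from the original control), this script applies four of the listed indicators to constructed flow records: large transfers, long-lived connections, unexpected destination ports, and connections repeating at regular intervals (beaconing). The thresholds and the expected-port set are assumptions to be tuned against a site's own baseline.

```python
import statistics
from collections import defaultdict

# Thresholds are assumptions for illustration; tune them to your own traffic baseline.
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024   # one outbound flow carrying >= 500 MiB
LONG_CONNECTION_SECS = 4 * 3600            # a single connection open for >= 4 hours
EXPECTED_PORTS = {25, 53, 80, 443}         # ports this network normally egresses on
BEACON_MIN_FLOWS = 4                       # repeats needed before calling it periodic
BEACON_MAX_JITTER = 0.1                    # stdev/mean of the gaps between flows

# Constructed outbound flow records (as a NetFlow/IPFIX export would give): one per connection.
FLOWS = [
    {"ts": 1000, "src": "10.1.1.5", "dst": "203.0.113.9", "port": 443, "bytes": 2048, "dur": 2},
    {"ts": 1600, "src": "10.1.1.5", "dst": "203.0.113.9", "port": 443, "bytes": 2100, "dur": 2},
    {"ts": 2200, "src": "10.1.1.5", "dst": "203.0.113.9", "port": 443, "bytes": 1990, "dur": 2},
    {"ts": 2800, "src": "10.1.1.5", "dst": "203.0.113.9", "port": 443, "bytes": 2050, "dur": 2},
    {"ts": 1200, "src": "10.1.2.7", "dst": "198.51.100.4", "port": 443, "bytes": 900_000_000, "dur": 1800},
    {"ts": 1300, "src": "10.1.3.9", "dst": "198.51.100.8", "port": 6667, "bytes": 4000, "dur": 20000},
    {"ts": 1400, "src": "10.1.4.2", "dst": "192.0.2.10", "port": 443, "bytes": 5000, "dur": 3},
]

def detect_outbound_anomalies(flows):
    """Return (kind, src, dst, detail) for every flow matching one of the indicators."""
    findings = []
    pairs = defaultdict(list)
    for f in flows:
        if f["bytes"] >= LARGE_TRANSFER_BYTES:
            findings.append(("large_transfer", f["src"], f["dst"], f["bytes"]))
        if f["dur"] >= LONG_CONNECTION_SECS:
            findings.append(("long_connection", f["src"], f["dst"], f["dur"]))
        if f["port"] not in EXPECTED_PORTS:
            findings.append(("unusual_port", f["src"], f["dst"], f["port"]))
        pairs[(f["src"], f["dst"])].append(f["ts"])
    # Beaconing: repeated flows to one destination at near-constant intervals; each flow
    # on its own looks harmless (small, short, port 443), only the rhythm gives it away.
    for (src, dst), stamps in pairs.items():
        if len(stamps) < BEACON_MIN_FLOWS:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= BEACON_MAX_JITTER:
            findings.append(("beaconing", src, dst, round(mean)))
    return findings

if __name__ == "__main__":
    for kind, src, dst, detail in detect_outbound_anomalies(FLOWS):
        print(f"{kind:16s} {src} -> {dst} ({detail})")
```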
Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1), SI-4 (4, 11), PM-7
Procedures and tools for implementing this control:
Periodically, such as once per quarter, information security personnel should run a script that purposely tries to trigger the data loss prevention functionality deployed at network perimeters by sending innocuous data with characteristics (such as certain key words, file size, or source address) to a test system located just outside the data leakage protection device and the firewall. These personnel should ensure that the attempted transfer was detected and an alert was generated, and should also investigate whether the transfer was successfully blocked.
Additional Security Controls
The following sections identify additional controls that are important but that cannot be automatically or continuously monitored.