Critical Control 15: Data Loss Prevention

20 Critical Security Controls

How do attackers exploit the lack of this control?

In recent years, attackers have exfiltrated more than 20 terabytes of often sensitive data from Department of Defense and Defense Industrial Base organizations (e.g., contractors doing business with the DoD), as well as civilian government organizations. Many attacks occurred across the network, while others involved physical theft of laptops and other equipment holding sensitive information. Yet, in most cases, the victims were not aware that significant amounts of sensitive data were leaving their systems because they were not monitoring data outflows. The movement of data across network boundaries both electronically and physically must be carefully scrutinized to minimize its exposure to attackers.

The loss of control over protected or sensitive data by organizations is a serious threat to business operations as well as, potentially, national security. While some data is leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices, a lack of effective policy architectures, and user error. Data loss can even occur as a result of legitimate activities such as e-Discovery during litigation, particularly when records retention practices are ineffective or non-existent.

The phrase "Data Loss Prevention" (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Over the last several years, there has been a noticeable shift in attention and investment from securing the network, to securing systems within the network, to securing the data itself. DLP controls are based on policy, and include classifying sensitive data, discovering that data across an enterprise, enforcing controls, and reporting and auditing to ensure policy compliance.

How can this control be implemented, automated, and its effectiveness measured?

  1. QW: Organizations should deploy approved hard drive encryption software to laptop machines that hold sensitive data.
  2. Vis/Attrib: Network monitoring tools should analyze outbound traffic looking for a variety of anomalies, including large file transfers, long-time persistent connections, connections at regular repeated intervals, unusual protocols and ports in use, and possibly the presence of certain keywords in the data traversing the network perimeter.
  3. Vis/Attrib: Deploy an automated tool on network perimeters that monitors for certain Personally Identifiable Information (PII), keywords, and other document characteristics in order to detect unauthorized attempts to exfiltrate data across network boundaries, and that blocks such transfers while alerting information security personnel.
  4. Vis/Attrib: Conduct periodic scans of server machines using automated tools to determine whether PII data is present on the system in clear text. These tools, which search for patterns that indicate the presence of PII, can help identify if a business or technical process is leaving behind or otherwise leaking sensitive information in data at rest.
  5. Config/Hygiene: Data should be moved between networks using secure, authenticated, encrypted mechanisms.
  6. Config/Hygiene: Data stored on removable, easily transported storage media, such as USB tokens (i.e., "thumb drives"), USB portable hard drives, and CDs/DVDs, should be encrypted. Systems should be configured so that all data written to such media is automatically encrypted without user intervention.
  7. Advanced: If there is no business need for supporting such devices, organizations should configure systems so that they will not write data to USB tokens or USB hard drives. If such devices are required, utilize enterprise software that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and to ensure that all data placed on such devices is automatically encrypted.
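Sub-control 2 lists the outbound-traffic anomalies a network monitor should look for: large transfers, long-lived connections, connections repeating at regular intervals (beaconing), and unexpected ports. The following script is an added example, not part of the SANS text or of any DLP product; it runs those four checks over a constructed set of flow records. The thresholds, the allowed-port set and the record layout are assumptions a deployment would tune to its own baseline.

```python
"""Outbound-flow anomaly checks of the kind Control 15 sub-control 2 describes (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed flow records, one tuple per outbound connection seen at the perimeter:
# (start_epoch_seconds, src, dst, dst_port, bytes_out, duration_seconds)
SAMPLE_FLOWS = [
    (0,    "10.1.1.5",  "203.0.113.7",  443,  2_500,       3),
    (600,  "10.1.1.5",  "203.0.113.7",  443,  2_400,       2),
    (1200, "10.1.1.5",  "203.0.113.7",  443,  2_600,       3),
    (1800, "10.1.1.5",  "203.0.113.7",  443,  2_450,       2),
    (1900, "10.1.1.9",  "198.51.100.2", 443,  900_000_000, 1_800),
    (2000, "10.1.1.12", "198.51.100.9", 8443, 1_000,       50_000),
    (2100, "10.1.1.15", "192.0.2.33",   6667, 3_000,       10),
    (2200, "10.1.1.20", "192.0.2.44",   80,   4_000,       5),
]

# Assumed tuning values; a real deployment derives these from its own traffic baseline.
LARGE_TRANSFER_BYTES = 500_000_000    # 500 MB outbound in one connection
LONG_CONNECTION_SECONDS = 10 * 3600   # ten hours, the figure used in the Control 15 test
EXPECTED_PORTS = {25, 53, 80, 443}    # assumed perimeter allow-list of destination ports
BEACON_MIN_FLOWS = 4                  # minimum repeats before a pair is judged periodic
BEACON_MAX_JITTER = 0.1               # std-dev of inter-arrival gaps relative to their mean


@dataclass(frozen=True)
class Finding:
    kind: str
    src: str
    dst: str
    detail: str


def find_anomalies(flows):
    """Return a list of Finding records for every anomaly in the given flow records."""
    findings = []
    start_times = defaultdict(list)   # (src, dst) -> connection start times

    # Per-connection checks: volume, lifetime and destination port.
    for start, src, dst, port, bytes_out, duration in flows:
        start_times[(src, dst)].append(start)
        if bytes_out >= LARGE_TRANSFER_BYTES:
            findings.append(Finding("large_transfer", src, dst, f"{bytes_out} bytes outbound"))
        if duration >= LONG_CONNECTION_SECONDS:
            findings.append(Finding("long_connection", src, dst, f"{duration}s connection"))
        if port not in EXPECTED_PORTS:
            findings.append(Finding("unusual_port", src, dst, f"tcp/{port} not in allow-list"))

    # Per-pair check: connections that recur at a near-constant interval.
    for (src, dst), starts in start_times.items():
        if len(starts) < BEACON_MIN_FLOWS:
            continue
        starts.sort()
        gaps = [later - earlier for earlier, later in zip(starts, starts[1:])]
        avg_gap = mean(gaps)
        if avg_gap > 0 and pstdev(gaps) / avg_gap <= BEACON_MAX_JITTER:
            findings.append(Finding("beaconing", src, dst,
                                    f"{len(starts)} connections every ~{avg_gap:.0f}s"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_FLOWS):
        print(f"{finding.kind:16} {finding.src:>10} -> {finding.dst:<14} {finding.detail}")
```

Each check is independent, so a single connection can produce more than one finding (the 8443 flow above is both long-lived and on an unexpected port); keeping them separate makes the resulting alerts easier to triage against the one-hour response metric later in this control.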

Associated NIST SP 800-53 Rev 3 Priority 1 Controls:

AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1), SI-4 (4, 11), PM-7

Procedures and tools for implementing this control:

Commercial DLP solutions are available to look for exfiltration attempts and detect other suspicious activities associated with a protected network holding sensitive information. Organizations deploying such tools should carefully inspect their logs and follow up on any discovered attempts to transmit sensitive information out of the organization without authorization, even those that are successfully blocked.

Control 15 Metric:

The system must be capable of identifying unauthorized data leaving the organization's systems whether via network file transfers or removable media. Within one hour of a data exfiltration event or attempt taking place, enterprise administrative personnel must be alerted by the appropriate monitoring system. Once the alert has been generated it must also note the system and location where the event or attempt occurred. If the system is in the organization's asset management database, then the system owner must also be indicated in the generated alerts. Every 24 hours after that point, the system must alert or send e-mail about the status of the systems until the source of the event has been identified and the risk mitigated. While the one hour timeframe represents the current metric to help organizations improve their current state of security, in the future, organizations should strive for even more rapid alerting, with notification about data exfiltration events or attempts being sent within two minutes.

Control 15 Test:

To evaluate the implementation of Control 15 on a periodic basis, the evaluation team must attempt to move test data sets (that trigger DLP systems but do not contain sensitive data) outside of the trusted computing environment via both network file transfers and via removable media. Each of the following tests must be performed at least three times:

  • Attempting to transfer large data sets across network boundaries from an internal system.
  • Attempting to transfer test data sets of PII (that trigger DLP systems but do not contain sensitive data) across network boundaries from an internal system (using multiple keywords specific to the business).
  • Attempting to maintain a persistent network connection for at least ten hours across network boundaries between an internal and external system, although little data may be exchanged.
  • Attempting to maintain a network connection across network boundaries using an anomalous service port number between an internal and external system.
  • Inserting a USB token into an organization system and attempting to transfer example test data to the USB device.

Each of these tests must be performed from multiple, widely distributed systems on the organization's network in order to test the effectiveness of the monitoring systems. Once each of these events has occurred, the time it takes for enterprise staff to respond to the event must be recorded.
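Sub-controls 3 and 4 call for pattern-based detection of PII in traffic and in data at rest, and the test above calls for PII-shaped data sets that trigger the DLP system without containing real sensitive data. The script below is an added example, not SANS's or any vendor's code: a minimal content scanner that looks for SSN-shaped and payment-card-shaped strings, uses a Luhn checksum to drop numbers that merely look like card numbers, and reports matches in redacted form so the alert itself does not become a second copy of the data. The file contents are constructed in memory; the card value is the widely published 4111 1111 1111 1111 test number, which is Luhn-valid but is not a real account, and the SSN-shaped value is made up.

```python
"""Pattern-based PII scanner for data at rest, with synthetic test records (added example)."""
import re

# SSN-shaped values, excluding area/group/serial ranges that are never issued
# (000, 666 and 900-999 areas; group 00; serial 0000) to reduce false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

# Constructed "files" so the example runs offline; a real scan would walk a filesystem.
SAMPLE_FILES = {
    "/srv/app/export.csv": "name,id\nA. Example,123-45-6789\n",
    "/srv/app/orders.log": "order 77 paid with 4111 1111 1111 1111 ok\n",
    "/srv/app/notes.txt": "ticket 4111111111111112 is not a card number; phone 555-12-34\n",
}


def luhn_ok(digits):
    """Luhn checksum: True for a well-formed card number, False for an arbitrary digit run."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return (kind, redacted_value) pairs for each PII-shaped match in text."""
    hits = []
    for match in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + match.group()[-4:]))
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):        # discard digit runs that fail the checksum
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def scan_files(files):
    """Map each path with at least one hit to its redacted findings."""
    report = {}
    for path, content in files.items():
        hits = scan_text(content)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for kind, redacted in hits:
            print(f"{path}: {kind} {redacted}")
```

The same synthetic records serve the periodic test: because they match the detector's patterns but hold no real identities or accounts, they can be copied across a network boundary or onto a USB device to confirm that the DLP system fires and that staff respond within the metric's time limit, without creating a genuine loss if a transfer slips through.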
