The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
Why Is This Control Critical?
Data resides in many places. Protection of that data is best achieved through the application of a combination of encryption, integrity protection and data loss prevention techniques. As organizations continue their move towards cloud computing and mobile access, it is important that proper care be taken to limit and report on data exfiltration while also mitigating the effects of data compromise.
The adoption of data encryption, both in transit and at rest, provides mitigation against data compromise. This is true if proper care has been taken in the processes and technologies associated with the encryption operations. An example of this is the management of cryptographic keys used by the various algorithms that protect data. The process for generation, use and destruction of keys should be based on proven processes as defined in standards such as NIST SP 800-57.
Care should also be taken to ensure that products used within an enterprise implement well known and vetted cryptographic algorithms, as identified by NIST. Re-evaluation of the algorithms and key sizes used within the enterprise on an annual basis is also recommended to ensure that organizations are not falling behind in the strength of protection applied to their data.
For organizations that are moving data to the cloud, it is important for organizations to understand the security controls applied to data in the cloud multi-tenant environment, and determine the best course of action for application of encryption controls and security of keys. When possible, keys should be stored within secure containers such as Hardware Security Modules (HSMs).
Encrypting data provides a level of assurance that even if data is compromised, it is impractical to access the plaintext without significant resources, however controls should also be put in place to mitigate the threat of data exfiltration in the first place. Many attacks occurred across the network, while others involved physical theft of laptops and other equipment holding sensitive information. Yet, in most cases, the victims were not aware that the sensitive data were leaving their systems because they were not monitoring data outflows. The movement of data across network boundaries both electronically and physically must be carefully scrutinized to minimize its exposure to attackers.
The loss of control over protected or sensitive data by organizations is a serious threat to business operations and a potential threat to national security. While some data are leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices, a lack of effective policy architectures, and user error. Data loss can even occur as a result of legitimate activities such as e-Discovery during litigation, particularly when records retention practices are ineffective or nonexistent.
Data loss prevention (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Over the last several years, there has been a noticeable shift in attention and investment from securing the network to securing systems within the network, and to securing the data itself. DLP controls are based on policy, and include classifying sensitive data, discovering that data across an enterprise, enforcing controls, and reporting and auditing to ensure policy compliance.
How to Implement This Control
|CSC 17-1||Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.||Quick win|
|CSC 17-2 (NEW)||Verify that cryptographic devices and software are configured to use publicly-vetted algorithms.||Quick win|
|CSC 17-3 (NEW)||Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls||Quick win|
|CSC 17-4 (NEW)||Review cloud provider security practices for data protection.||Quick Win|
|CSC 17-5||Deploy an automated tool on network perimeters that monitors for certain sensitive information (i.e., personally identifiable information), keywords, and other document characteristics to discover unauthorized attempts to exfiltrate data across network boundaries and block such transfers while alerting information security personnel.||Visibility/ Attribution|
|CSC 17-6||Conduct periodic scans of server machines using automated tools to determine whether sensitive data (i.e., personally identifiable information, health, credit card, and classified information) is present on the system in clear text. These tools, which search for patterns that indicate the presence of sensitive information, can help identify if a business or technical process is leaving behind or otherwise leaking sensitive information.||Visibility/ Attribution|
|CSC 17-7||Move data between networks using secure, authenticated, and encrypted mechanisms.||Configuration/Hygiene|
|CSC 17-8||If there is no business need for supporting such devices, configure systems so that they will not write data to USB tokens or USB hard drives. If such devices are required, enterprise software should be used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices. An inventory of all authorized devices must be maintained.||Configuration/Hygiene|
|CSC 17-9||Use network-based DLP solutions to monitor and control the flow of data within the network. Any anomalies that exceed the normal traffic patterns should be noted and appropriate action taken to address them.||Configuration/Hygiene|
|CSC 17-10 (NEW)||Only allow approved Certificate Authorities (CAs) to issue certificates within the enterprise; Review and verify each CAs Certificate Practices Statement (CPS) and Certificate Policy (CP).||Configuration/Hygiene|
|CSC 17-11 (NEW)||Perform an annual review of algorithms and key lengths in use for protection of sensitive data.||Configuration/Hygiene|
|CSC 17-12||Monitor all traffic leaving the organization and detect any unauthorized use of encryption. Attackers often use an encrypted channel to bypass network security devices. Therefore it is essential that organizations be able to detect rogue connections, terminate the connection, and remediate the infected system.||Advanced|
|CSC 17-13||Block access to known file transfer and e-mail exfiltration websites.||Advanced|
|CSC 17-14 (NEW)||Define roles and responsibilities related to management of encryption keys within the enterprise; define processes for lifecycle.||Advanced|
|CSC 17-15 (NEW)||Where applicable, implement Hardware Security Modules (HSMs) for protection of private keys (e.g., for sub CAs) or Key Encryption Keys.||Advanced|
CSC 17 Procedures and Tools
Commercial tools are available to support enterprise management of encryption and key management within an enterprise and include the ability to support implementation of encryption controls within cloud and mobile environments.
Definition of lifecycle processes and roles and responsibilities associated with key management should be undertaken by each organization.
Commercial DLP solutions are available to look for exfiltration attempts and detect other suspicious activities associated with a protected network holding sensitive information. Organizations deploying such tools should carefully inspect their logs and follow up on any discovered attempts, even those that are successfully blocked, to transmit sensitive information out of the organization without authorization.
CSC 17 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. Does the system identify and report on unauthorized data being exfiltrated, whether via network file transfers or removable media?
2. Does the system identify the attachment of unencrypted USB tokens and require encryption of tokens?
3. Does the system store cryptographic key material securely?
4. Does the system use only NIST approved encryption algorithms?
5. Within one hour of a data exfiltration event or attempt, enterprise administrative personnel must be alerted by the appropriate monitoring system.
6. Do alerts notifying of data exfiltration also note the system and location where the event or attempt occurred?
7. Are the systems able to identify the location, department, and other critical details about where the sensitive data originated from (yes or no)?
8. How long does it take before a data leakage risk has been remediated from the time it was detected (time in minutes)?
CSC 17 Automation Metrics
In order to automate the protection of data using cryptography and DLP functions, organizations should gather the following information with automated technical sensors:
1. How many unauthorized data exfiltration attempts have been detected within a period of time by DLP software?
2. How many plaintext instances of sensitive data have been detected within a period by automated scanning software?
3. How many attempts to access known file transfer and e-mail exfiltration websites have been detected within a period of time?
CSC 17 Effectiveness Test
To evaluate the implementation of Control 17 on a periodic basis, the evaluation team must attempt to move test data sets that trigger DLP systems but do not contain sensitive data outside of the trusted computing environment via both network file transfers and removable media. Each of the following tests must be performed at least three times:
* Attempt to transfer large data sets across network boundaries from an internal system.
* Attempt to transfer plaintext test data sets of personally identifiable information (that trigger DLP systems but do not contain sensitive data) across network boundaries from an internal system (using multiple keywords specific to the business).
* Attempt to transfer encrypted test data sets across network boundaries from an internal system to identify if the exfiltration is reported.
* Attempt to maintain a persistent network connection for at least 10 hours across network boundaries between an internal and external system, even though little data may be exchanged.
* Attempt to maintain a network connection across network boundaries using an anomalous service port number between an internal and external system.
* Insert a USB token into an organization system and attempt to transfer example test data to the USB device.
Each of these tests must be performed from multiple, widely distributed systems on the organization's network in order to test the effectiveness of the monitoring systems. Once each of these events has occurred, the time it takes for enterprise staff to respond to the event must be recorded.
CSC 17 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the flow of information in and out of the organization in an attempt to limit potential data loss via network or removable media sources. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. It also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Data encryption system ensures that appropriate hard disks are encrypted
Step 2: Sensitive network traffic encrypted
Step 3: Data connections monitored at the network's perimeter by monitoring systems
Step 4: Stored data scanned to identify where sensitive information is stored
Step 5: Offline media encrypted.
Critical Security Controls - Version 5
- 1: Inventory of Authorized and Unauthorized Devices
- 2: Inventory of Authorized and Unauthorized Software
- 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- 4: Continuous Vulnerability Assessment and Remediation
- 5: Malware Defenses
- 6: Application Software Security
- 7: Wireless Access Control
- 8: Data Recovery Capability
- 9: Security Skills Assessment and Appropriate Training to Fill Gaps
- 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- 11: Limitation and Control of Network Ports, Protocols, and Services
- 12: Controlled Use of Administrative Privileges
- 13: Boundary Defense
- 14: Maintenance, Monitoring, and Analysis of Audit Logs
- 15: Controlled Access Based on the Need to Know
- 16: Account Monitoring and Control
- 17: Data Protection
- 18: Incident Response and Management
- 19: Secure Network Engineering
- 20: Penetration Tests and Red Team Exercises
This work is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
To further clarify the Creative Commons license related to the 20 Critical Controls content, (i) All persons are authorized to use the content as a framework in their organization or to sell professional services related to the content (e.g. a consulting engagement to implement the 20 Critical Controls), and (ii) sale of the contents as a framework model is not authorized. Users of the 20 Critical Controls framework are also required to refer to http://www.sans.org/critical-security-controls/ when referring to the 20 Critical Controls in order to ensure that users are employing the most up to date guidance.