
Reading Room


Data Loss Prevention

Featuring 30 Papers as of December 22, 2020

  • A New Take on Cloud Shared Responsibility Analyst Paper (requires membership in community)
    by Dave Shackleford - December 22, 2020 

    As the use of cloud computing has grown, so has the concept of the shared responsibility model for data protection and cybersecurity in general. While not a new concept, the nature of shared security responsibilities has changed with the advent of the cloud. While all cloud providers are wholly responsible for physical security of their data center environments, data center disaster recovery planning, business continuity, and legal and personnel requirements that pertain to security of their operating environments, cloud customers still need to plan for their own disaster recovery and continuity processes, particularly in IaaS clouds where they are building infrastructure.

  • Defend Your Business Against Insider Threats Analyst Paper (requires membership in community)
    by Matt Bromiley - January 4, 2019 

    Your business faces a security risk that may not even be on your radar. Looming from within are insider threats, which pose a significant risk to small- and medium-sized businesses (SMBs). Matt Bromiley breaks down the two types of insider threats and provides specific, actionable steps and user education tips you can implement today to protect and defend your business against threats from the inside.

  • High Assurance File Filtering, It's Not Magic Graduate Student Research
    by Adam Gould - January 29, 2018 

    This paper examines file type identification techniques to inform further research to improve the security of cross domain solutions (CDS), which are regarded as the most reliable technologies of high-assurance file filtering solutions. Traditionally only used in highly classified government environments, CDS are slowly being adopted by other institutions in the financial, healthcare and mining sectors due to the increasing recognition of the value and importance of the protection of intellectual property (IP). The portable document format (PDF) is one of the primary document formats in which IP is shared and distributed. By using PDFs as a case study, this paper proposes recommendations specifically for software file format specification creators to develop file type sub-specifications that can be easily validated for the purposes of IP control and security. The recommendations herein will conceptually apply to all file types, although it should be noted that not all techniques and recommendations will be applicable to every file type due to unique properties that exist in different classes of file types.

  • Looking Under the Rock: Deployment Strategies for TLS Decryption Graduate Student Research
    by Chris Farrell - January 13, 2018 

    Attackers can freely exfiltrate confidential information all while under the guise of ordinary web traffic. A remedy for businesses concerned about these risks is to decrypt the communication to inspect the traffic, then block it if it presents a risk to the organization. However, these solutions can be challenging to implement. Existing infrastructure, privacy and legal concerns, latency, and differing monitoring tool requirements are a few of the obstacles facing organizations wishing to monitor encrypted traffic. TLS decryption projects can be successful with proper scope definition, an understanding of the architectural challenges presented by decryption, and the options available for overcoming those obstacles.

  • Countering Impersonation, Spearphishing and Other Email-Borne Threats: A Review of Mimecast Targeted Threat Protection Analyst Paper (requires membership in community)
    by Jerry Shenk - January 24, 2017 

    The FBI estimates that between October 2013 and August 2015, more than 7,000 U.S.-based organizations lost a total of $748 million to business email scams. Such scams rely on the same tricks as confidence artists in the real world: the appearance of legitimacy and the tendency of victims to go along with requests that appear to be on the up-and-up, without checking to be sure. In this whitepaper, SANS senior analyst Jerry Shenk evaluates Targeted Threat Protection, an email-security service from Mimecast that is focused on stopping sophisticated phishing attacks. Among its most difficult targets: “whaling” attacks that spoof high-level executives asking for sensitive data, access or the transfer of money to accounts owned by scammers.

  • Packets Don't Lie: LogRhythm NetMon Freemium Review Analyst Paper (requires membership in community)
    by Dave Shackleford - January 18, 2017 

    With more traffic than ever passing through our environments, and adversaries who know how to blend in, network security analysts need all the help they can get. At the same time, data is leaking out of our environments right under our noses. This paper investigates how LogRhythm’s Network Monitor Freemium (NetMon Freemium) Version 3.2.3 provides intelligent monitoring, and helps organizations to identify sensitive data leaving the network and to respond when loss occurs.

  • Data Breach Impact Estimation Graduate Student Research
    by Paul Hershberger - January 3, 2017 

    Internal and external auditors spend a significant amount of time planning their audit processes to align their efforts with the needs of the audited organization. The initial phase of that audit cycle is the risk assessment. Establishing a firm understanding of the likelihood and impact of risk guides the audit function and aligns its work with the risks the organization faces. The challenge many auditors and security professionals face is effectively quantifying the potential impact of a data breach to their organization. This paper compares the data breach cost research of the Ponemon Institute and the RAND Corporation, checking both models against breach costs reported by publicly traded companies under the Securities and Exchange Commission (SEC) reporting requirements. The comparisons will show that the RAND Corporation's approach provides organizations with a more accurate and flexible model to estimate the potential cost of data breaches, both the direct cost of investigating and remediating a breach and the indirect financial impact associated with regulatory and legal action following a breach. Additionally, the comparison indicates that data breach-related impacts to revenue and stock valuation are only realized in the short term.

  • The Information We Seek by Jose Ramos - October 25, 2016 

    Whether you are performing a penetration test, conducting an investigation, or a skilled attacker closing in on a target, information gathering is the foundation needed to carry out the assessment. Having the right information paves the way for proper enumeration and simplifies attack strategies against a given target. Throughout this paper, we will walk through some strategies used to identify information on both people and networks. Some people claim that all data can be found using Google's search engine, but can third-party tools found in Linux security distributions such as Kali Linux outperform the search engine giant? Maltego and theHarvester yield a wealth of information, but will the results be enough to identify a target? The right tool for the right job is essential when working with any project in life. Let's take a journey through the information gathering process to determine if there is a one-size-fits-all tool, or if a multi-tool approach is needed to gather the essential information on a given target. We will compare and contrast many of the industry tools to determine the proper tool or tools needed to perform an adequate information gathering assessment.

  • Data Breaches: Is Prevention Practical? Analyst Paper (requires membership in community)
    by Barbara Filkins - September 13, 2016 

    Despite the potential costs, legal consequences and other negative outcomes of data breaches, they continue to happen. A new SANS Institute survey looks at the preventive aspect of breaches – and what security and IT practitioners actually are, or are not, implementing for prevention.

  • Data Loss Prevention by Randy Devlin - August 8, 2016 

    Data Loss Prevention (DLP) continues to be a complex business-centric security initiative for organizations to overcome.

  • Tagging Data to Prevent Data Leakage (Forming Content Repositories) Graduate Student Research
    by Michael Hendrik Matthee - May 3, 2016 

    In order to protect sensitive data, it must be secured at rest, during transit and when in use (Aaron, 2013).

  • Shedding Light on Cross Domain Solutions Graduate Student Research
    by Scott Smith - December 9, 2015 

    As a general practice for information security assurance, a need-to-know model has dominated the industry.

  • Preventing data leakage: A risk based approach for controlled use of administrative and access privileges Graduate Student Research
    by Christoph Eckstein - August 24, 2015 

    Organizations invest resources to protect their confidential information and intellectual property by trying to prevent data leakage or data loss. They adopt policies and implement technical controls to stop the loss and disclosure of sensitive information by outside attackers as well as inadvertent and malicious insiders. They follow best practices like the Critical Security Controls, specifically Control 12 (“Controlled Use of Administrative Privileges”) and Control 17 (“Data Protection”), to prevent the unauthorized leakage and disclosure of sensitive information. One type of data loss or data leakage prevention control is an endpoint protection solution that stops file transfers to USB storage devices or file uploads to public websites. However, the larger and more complex the business and organization, the more users may be granted exceptions to these policies and controls so that they can fulfill their job-related tasks. The approval of these exceptions is often based solely on the business need of the individual user. This raises the question of how the approval of an exception influences the risk of data leakage for an organization: what is the specific data leakage risk of granting an individual user a certain exception? This paper presents a new approach to risk-based exception management, which will allow organizations to grant exceptions based on inherent data leakage risk. First, this paper introduces a concept for evaluating and categorizing users based on their access to sensitive information. Then, in the second step, a ruleset is defined for granting exceptions based on the categorization of users, which enables individual approvers to make informed decisions regarding exception requests. The overall objective is to lower the data leakage risk for organizations by controlling and limiting exceptions where the access, and thereby the potential loss of information, is the highest.

  • The What, Where and How of Protecting Healthcare Data by Kelli Tarala and James Tarala - April 6, 2015 

    Mitigating healthcare data-loss risk by understanding the What, Where, and How of Protecting Healthcare Data.

  • Data Breach Preparation by David Belangia - March 16, 2015 

    Home Depot experienced the second largest data breach on record ("Home Depot data breach affected 56M debit, credit cards", 2014). It started in April 2014, but Home Depot did not become aware of the problem until September 2, when law enforcement and some banks contacted them about signs of the compromise.

  • Modeling Security Investments With Monte Carlo Simulations by Dan Lyon - September 24, 2014 

    Technical leaders and architects are frequently the interface from sponsors and management into projects.

  • Data Encryption and Redaction: A Review of Oracle Advanced Security Analyst Paper (requires membership in community)
    by Dave Shackleford - September 15, 2014 

    A review of Oracle Advanced Security for Oracle Database 12c by SANS Analyst and Senior Instructor Dave Shackleford. It explores a number of the product's capabilities, including transparent data encryption (TDE) and effortless redaction of sensitive data, which seamlessly protect data from unauthorized access without any developer effort.

  • Protecting Small Business Banking by Susan Bradley - July 22, 2013 

    Over the last several years, the use of online banking and other financial transactions has risen dramatically.

  • Information Risks & Risk Management by John Wurzler - May 1, 2013 

    In a relatively short period of time, data in the business world has moved from paper files, carbon copies, and filing cabinets to electronic files stored on very powerful computers.

  • People, Process, and Technologies Impact on Information Data Loss by Paul Janes - November 9, 2012 

    Organizations have always had to contend with the issue of data loss; however, with the advent of the computer and worldwide connectivity, the problem has become magnified.

  • Oracle Data Masking Analyst Paper (requires membership in community)
    by Tanya Baccam - January 4, 2012 

    This review of Oracle Data Masking investigates the process of implementing and using data masking to mask specific confidential data types within Oracle Database 11g.

  • The Risks of Client-Side Data Storage by Edwin Tump - May 16, 2011 

  • One Touch Disaster Recovery Solution for Continuity of Operations by Rajat Ravinder Varuni - May 28, 2010 

    In this publication I present a solution where information is available during or following a disaster.

  • Data Protection Requirements Analyst Paper (requires membership in community)
    by Barbara Filkins - July 20, 2009 

    An interactive Data Protection Requirements Worksheet to map business needs against technological challenges.

  • Data Protection Requirements Checklist Analyst Paper (requires membership in community)
    by Barbara Filkins - July 10, 2009 

    A Prospective Vendor Checklist will help organizations map business needs and procure technical solutions.

  • SANS Review: McAfee's Total Protection for Data Analyst Paper (requires membership in community)
    by Dave Shackleford - June 2, 2009 

    McAfee’s Data Protection suite, Total Protection for Data, allows several data protection tools to work in tandem.

  • The Business Justification for Data Security by Securosis - February 10, 2009 

    In the information security world we face two major types of threats: “noisy” threats, which directly interfere with our ability to do business, and “quiet” threats, which cause real damage but don’t necessarily prevent people from doing their jobs. Noisy threats such as viruses, worms, and spam attack both networks and systems, and clearly disrupt productivity and business operations. With highly visible (and often very annoying) attacks, it’s easy to justify investments to curb their impact. When the CFO sees hundreds of spam messages in his inbox, he’s very likely to fund an anti-spam solution.

  • Data Loss Prevention by Prathaben Kanagasingham - September 5, 2008 

    Data breaches have been one of the biggest fears that organizations face today. Quite a few organizations have been in the news for information disclosure, and a popular recent case is that of T.J. Maxx. While DLP is not a panacea for such attacks, it should certainly be in the arsenal of tools used to defend against such risks.

  • Data Leakage Landscape: Where Data Leaks and How Next Generation Tools Apply Analyst Paper (requires membership in community)
    by Barbara Filkins, Deb Radcliff - April 19, 2008 

    This paper maps data leakage points with regulations and best practices and tools to protect critical data.

  • The Mechanisms and Effects of the Code Red Worm by Renee Schauer - September 12, 2001 

    This paper addresses the vulnerability that was present in Microsoft Internet Information Services (IIS) web server software and the worm, Code Red, which exploited this vulnerability.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.