Address the Security Threats at Source

Business, Security Leave a comment

Newton CradleInformation security  is a recurrent process. New threats arise and must be properly handled.

In Augustus 2009, I already reported a story and came to the following conclusion: The principle of “action – reaction” as described by Newton is not applicable in information security!

Here is another good example with the following post I read in a forum:

Here’s a interesting delima that I just came across, scanned pdf attachments that have privacy information, within the document.

Have anybody seen any solutions that will detect this and alert or block on this information?

I’ll post a sample of what I found during a audit so you can get an ideal of what I’m seeing. Most of the DLP solutions that I’ve seen has no engine to detect SSN/DOB within a graphical attachment or pdf for example.

A standard DLP (“Data Loss Prevention“) solution in this case will be helpless! Most DLP solutions are able to search across text documents for sensitive data. But in this case, a scanner produces a graphical representation of the data and would require the help of OCR (“Optical Character Recognition“) technologies. This would consume a huge amount of resources!

Instead of using the “action – reaction” principle, a better approach would be to analyze the data used inside the organization. When I read this post, the first question which popped out of my mind was “WTF, Why people tried to send SSN within attached scans?“. Organizations are responsible of data processed inside their perimeter and have to implement data management procedures following well-known principles like:

  • CIA (“Confidentiality – Integrity – Availability“)
  • Least privileges access
  • Define data owners
  • etc

With the help of  a deep analyze and by implementing correct upstream procedures (“at the source of the problem“) most threats could be fixed or greatly reduced. Deploying a software or hardware solution in emergency is never the right solution:

  • It adds complexity to the existing infrastructure
  • It could introduce performance bottlenecks
  • It often has huge costs! ($$$$)

To conclude, my message is certainly not that DLP solutions are useless, certainly not! (Dear DLP v€ndor$ don’t shoot me! 😉 ) They could be very useful to detect suspicious activities but do NOT entirely rely on them! They goal is not to be used as a first layer of defense! Have a clear view of the data types used by your business and how they are processed by your IT infrastructure.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.