Data Loss Prevention – CompTIA Security+ SY0-401: 2.3


If there’s no monitoring of data leakage, then your customer’s private information could find its way out. In this video, you’ll learn some strategies around data loss prevention and how some organizations found customer data exfiltrating their network.



The concept of data loss prevention, or DLP, is all about making sure that your private data, or your customers’ private data, doesn’t get outside of your organization or in the hands of people who should not have access to that data. So think about all of this data that these large organizations might have. They’ll have credit card numbers. They might have medical or health information. They might have your social security number. All of that information is stored in one or a series of different databases.

The idea is that this information can get out. The bad guys want that info. That is extremely valuable information for them. So if they can get access to your information and gain access to credit card numbers, social security numbers, and other important information, they can take advantage of that. That type of information getting out is called data leakage, and that’s what you want to prevent.

And so to prevent that we need to think about all of the different places where this data might be. You have information that is on hard drives and stored in databases. This information is flowing across the network. Some of this information may be on your desktop. This data is in so many different places, moving in so many different ways, that it really is a very broad concept that we have with data loss prevention, because we have to try to prevent that data from getting out in each one of those different areas.

A good example of where you might want DLP is this one that dealt with Heartland Payment Systems. Heartland Payment Systems is an organization that processes credit cards. So there’s a lot of very, very valuable information there for the bad guys to get their hands on. In 2007, unfortunately, the bad guys found a SQL injection on one of the Heartland Payment Systems machines, and from that they got access into the Heartland Payment Systems network. And from there, they just sat there and started gathering information about where they were. Heartland Payment Systems had no idea that they were in place, and had no notification that anything was wrong.

But in 2008, the bad guys started to gather data. They created a way to start capturing packets going across the network. And they took the data that was captured inside those packets and forwarded it off to the bad guys’ private servers. And as you can imagine, with a network of this size processing this much information, and the bad guys not even identified as being on the network, they were able to gather a lot of information. Ultimately they gathered over 130 million different transactions. A huge amount of information. And even today, this is one of the largest data breaches that IT has ever seen.

Obviously this speaks to the power and the necessity of being able to watch for data leaking out. And DLP systems able to look for credit card numbers would have been very valuable if they had been in just the right place to catch those details.

There was a lot to be learned from the breach at Heartland Payment Systems. One of the things they found was that they had all of the right things in place for their network to be PCI compliant. And even with the bad guys in their network fully entrenched, they had run many PCI audits, and had passed them every time.

So what was missing? Well, what they realized, of course, is that the PCI DSS requirements are really just a starting point. They’re a bare minimum of what you need, because all of this data could be in so many different places. For instance, on your computer, these credit card numbers may come up on the screen, or they may be stored locally in a cache. We call this data in use. And you would need some type of endpoint data loss prevention system to be able to look for this data and make sure that the person who had access to it on their desktop was really only getting access to what they needed.

Another type of DLP system is one that’s on your network. We often refer to this as data in motion, because as those packets are going back and forth, they’re not really stored anywhere, they’re just being moved around the network. So there are a number of network-based DLP systems that can look for things like credit cards inside of the packets themselves. They look for a specific string of text that’s inside of those packets, and if they ever see those strings, or maybe a certain number of them over a certain amount of time, they can inform you that this data is going across your network.
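As an added illustration of the network-based DLP logic just described (not code from this video or from any DLP product), here is a small detector that pulls candidate card numbers out of packet payloads, confirms them with the Luhn mod-10 check so random digit runs don’t trigger it, and alerts when one source sends more than a threshold of them inside a time window. The traffic sample, thresholds and IP addresses are constructed for the example; the card numbers are the usual published test numbers.

```python
"""Toy network-DLP detector (added example): Luhn-validated card numbers in payloads,
alerting when one source exceeds a rate threshold within a sliding time window."""
import re
from collections import deque

# Candidate PAN: 13-19 digits, optionally grouped by spaces or dashes (constructed pattern).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right, sum must be % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(payload: str) -> list:
    """Return the Luhn-valid card numbers in a reassembled payload, separators stripped."""
    hits = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits

class RateAlert:
    """Alert when one source emits more than `threshold` PANs within `window` seconds."""
    def __init__(self, threshold: int, window: float):
        self.threshold, self.window, self.seen = threshold, window, {}
    def observe(self, src: str, ts: float, payload: str) -> bool:
        q = self.seen.setdefault(src, deque())   # timestamps of PANs seen from this source
        for _ in find_pans(payload):
            q.append(ts)
        while q and ts - q[0] > self.window:      # drop hits that fell out of the window
            q.popleft()
        return len(q) > self.threshold

# Constructed sample traffic: (source, timestamp in seconds, payload text).
SAMPLE = [
    ("10.0.0.5", 0.0, "order id 4111111111111111 ok"),
    ("10.0.0.5", 1.0, "4012-8888-8888-1881 and 5555 5555 5555 4444"),
    ("10.0.0.7", 2.0, "ticket 1234567890123456 is not a card"),   # fails Luhn
    ("10.0.0.5", 3.0, "378282246310005"),
]

def run(sample=SAMPLE, threshold=3, window=10.0) -> list:
    """Return the sources that crossed the threshold; 10.0.0.5 does on its fourth packet."""
    det = RateAlert(threshold, window)
    return [src for src, ts, p in sample if det.observe(src, ts, p)]
```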

Another type of data loss prevention system is on your server, where the data is stored on the hard drive or in a database. We call that data at rest. And that type of DLP system is able to identify when that information is moved or placed onto a hard drive and stored there for any amount of time.

If you want to try some of these DLP systems yourself, you could go out and grab an open source version of something called MyDLP, which is a community edition. It allows you to install a piece of DLP software on a machine, and you can look for data going across your network.

It’s these types of data loss prevention systems that are becoming much more important these days as the data on our networks becomes much more valuable.