In Part 4 of this series, we asked the question: “Where does the data live?” Sensitive data that is at rest must be protected by access controls and by encryption, according to its classification and security policies. Data does not stay in one place, though – it does not even stay in the many places where it lives. Data moves. That is to say, it is transmitted electronically. In a controlled environment, transmission occurs with our knowledge and our intent. If we lose control over the environment, transmission may occur without our knowledge or our intent. Data that is being transmitted can also be intercepted, captured, or redirected.
An effective Information Management Plan includes documentation of when and how data is transmitted. The plan also includes provisions for detection of unauthorized transmission.
Data is transmitted either over wires, using electrical signals, or wirelessly, using radio waves. Transmission takes place between trusted devices within our network, which we **assume** is a controlled environment, and data is also transmitted to untrusted devices outside our network. To control authorized transmissions of sensitive data:
1. The first step is to document every transmission link across which sensitive data is sent, whether it is transmission to a backup device, a file transfer between locations, an email message, a fax, or even a print job.
2. For each transmission link, we assess the risks based on the classification of the data being transmitted and the type of link. Obviously, transmission links that include public networks carry a much higher risk than those that are limited to the local network. Wireless links carry more risk than wired links.
3. Based on this risk, we then establish a policy for each type of data transmission. That policy determines what measures should be taken to protect the data. The best way to mitigate the risk of having data captured in transit is encryption, so policies typically require that any sensitive data being transmitted over public links must be encrypted. Strong encryption is important because any attacker that does manage to capture transmitted data will have unlimited time in which to attempt to break the encryption.
4. Email deserves some special attention because it is a standard medium for transmitting data. Separate policies regarding what types of information can or cannot be sent via email are necessary for any organization that requires a high level of security. Email security policies are also important for compliance with applicable laws and regulations.
5. Wireless links should be encrypted using WPA or WPA2 (and AES, if possible) encryption, regardless of the type of data being transmitted.
That covers the transmission of data that is authorized. Sometimes, though, there can be unauthorized transmission of sensitive data. This can be done unintentionally by users who do not understand or do not follow policy, or intentionally, by malicious users or unauthorized applications (a.k.a. malware). To guard against unauthorized transmissions of sensitive data:
1. Keep antivirus signatures up to date, and keep operating systems and applications (especially those exposed to the internet) patched. This is the BEST protection against unauthorized applications.
2. Regular port scanning – most unauthorized applications open high-numbered ports for communications. Periodic port scanning will often detect these open ports.
3. Regular vulnerability scanning – vulnerability scanners look for a number of things, including open ports, rootkits, and other indications of unauthorized applications.
4. Monitor outgoing traffic – periodic checks of outgoing traffic can be run using a protocol analyzer (a.k.a. a traffic “sniffer”). This should be done if there is any reason to suspect unauthorized traffic. Any unexpected encrypted traffic (SSL or otherwise) merits investigation – many unauthorized applications that send out data send it over an encrypted link to avoid detection.
5. Install DLP (Data Loss Prevention) software. This software is specifically designed to analyze outgoing traffic for sensitive data.
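As an added example (not part of the original post) of items 2 and 4 above, here is a small Python script that reviews constructed outbound firewall log lines and flags flows to unapproved (including high-numbered) ports, encrypted traffic to destinations not on an approved list, and unusually large single transfers. The internal network range, the allowed ports, the approved TLS destinations and the size threshold are assumptions chosen for the sample, not values from the post.

```python
import ipaddress
from collections import namedtuple

# Constructed sample of outbound firewall log lines (not real traffic):
# timestamp src_ip dst_ip dst_port bytes_out
SAMPLE_LOG = """\
2009-12-24T10:01:02 10.0.1.15 198.51.100.20 443 18240
2009-12-24T10:01:05 10.0.1.15 10.0.2.7 445 5120
2009-12-24T10:02:11 10.0.1.22 203.0.113.9 6667 940
2009-12-24T10:03:40 10.0.1.22 203.0.113.45 443 9120000
2009-12-24T10:04:02 10.0.1.30 198.51.100.21 25 2200
2009-12-24T10:05:17 10.0.1.30 192.0.2.77 31337 77000
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")               # assumed local network
ALLOWED_PORTS = {25, 80, 443}                                # policy-approved outbound services
APPROVED_TLS_DEST = {ipaddress.ip_address("198.51.100.20")}  # known partner endpoints (assumed)
EXFIL_BYTES = 5_000_000                                      # single flow size worth a look (assumed)

Finding = namedtuple("Finding", "timestamp src dst port reason")

def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)

def review_outbound(log_text):
    """Return findings for flows leaving the internal network that policy does not expect."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = parse_line(line)
        if src not in INTERNAL or dst in INTERNAL:
            continue  # only internal -> external flows are of interest here
        if port not in ALLOWED_PORTS:
            # catches the high-numbered ports that unauthorized applications tend to use
            findings.append(Finding(ts, str(src), str(dst), port, "unapproved outbound port"))
        elif port == 443 and dst not in APPROVED_TLS_DEST:
            findings.append(Finding(ts, str(src), str(dst), port, "encrypted traffic to unknown destination"))
        if nbytes >= EXFIL_BYTES:
            findings.append(Finding(ts, str(src), str(dst), port, "unusually large outbound transfer"))
    return findings

if __name__ == "__main__":
    for f in review_outbound(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}:{f.port}  {f.reason}")
```

On the sample above the script reports four findings: two unapproved ports (6667 and 31337), one TLS flow to an unknown destination, and one large transfer on that same flow.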
Dennis H in West Virginia, US
December 24, 2009