
Trust

Trust is not something you give by default, but it’s something that must be earned. Nerds Hosting understands that we need to EARN your trust. One way to earn trust is through transparency and accountability. For this reason, we have launched trust.nerdsisp.com, a site that provides the general public with our darkest secrets – our uptime statistics!
In order to provide as much access as possible, we have a link to our trust site on the front page of NerdsISP (http://www.nerdsisp.com), a Twitter feed (http://twitter.com/nerdshosting) and a RSS feed (http://trust.nerdsisp.com/rss.php). If you have any questions, or want to see certain data, please don’t hesitate to contact us!

Creating an Information Management Plan
Part 5 Where Doth Thy Data Wander?

In Part 4 of this series, we asked the question: “Where does the data live?” Sensitive data that is at rest must be protected by access controls and by encryption, according to its classification and security policies. Data does not stay in one place, though – it does not even stay in the many places where it lives. Data moves. That is to say, it is transmitted electronically. In a controlled environment, transmission occurs with our knowledge and our intent. If we lose control over the environment, transmission may occur without our knowledge or our intent. Data that is being transmitted can also be intercepted, captured, or redirected.

An effective Information Management Plan includes documentation of when and how data is transmitted. The plan also includes provisions for detection of unauthorized transmission.

Data is transmitted either over wires, using electrical signals, or wirelessly, using radio waves. Transmission takes place between trusted devices within our network, which we **assume** is a controlled environment, and data is also transmitted to untrusted devices outside our network. To control authorized transmissions of sensitive data:

1. The first step is to document every transmission link across which sensitive data is sent, whether it is transmission to a backup device, file transfer between locations, email messages, faxes, and even print jobs.
2. For each transmission link, we assess the risks based on the classification of the data being transmitted and the type of link. Obviously, transmission links that include public networks carry a much higher risk than those that are limited to the local network. Wireless links carry more risk than wired links.
3. Based on this risk, we then establish a policy for each type of data transmission. That policy determines what measures should be taken to protect the data. The best way to mitigate the risk of having data captured in transit is encryption, so policies typically require that any sensitive data being transmitted over public links must be encrypted. Strong encryption is important because any attacker that does manage to capture transmitted data will have unlimited time in which to attempt to break the encryption.
4. Email deserves some special attention because it is a standard medium for transmitting data. Separate policies regarding what types of information can or cannot be sent via email are necessary for any organization that requires a high level of security. Email security policies are also important for compliance with applicable laws and regulations.
5. Wireless links should be encrypted using WPA or WPA2 (and AES, if possible) encryption, regardless of the type of data being transmitted.

That covers the transmission of data that is authorized. Sometimes, though, there can be unauthorized transmission of sensitive data. This can be done unintentionally by users who do not understand or do not follow policy, or intentionally, by malicious users or unauthorized applications (a.k.a. malware). To guard against unauthorized transmissions of sensitive data:

1. Keep antivirus signatures current, and keep operating systems and applications (especially those exposed to the internet) patched. This is the BEST protection against unauthorized applications.
2. Regular port scanning – most unauthorized applications open high-numbered ports for communications. Periodic port scanning will often detect these open ports.
3. Regular vulnerability scanning – vulnerability scanners look for a number of things, including open ports, rootkits, and other indications of unauthorized applications.
4. Monitor outgoing traffic – periodic checks of outgoing traffic can be run using a protocol analyzer (a.k.a. a traffic “sniffer”). This should be done if there is any reason to suspect unauthorized traffic. Any unexpected encrypted traffic (SSL or otherwise) merits investigation – many unauthorized applications that send out data send it over an encrypted link to avoid detection.
5. Install DLP (Data Loss Prevention) software. This software is specifically designed to analyze outgoing traffic for sensitive data.
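As an added illustration of steps 2 and 4 (this is not code from the post), the following script reviews a small constructed flow log for the signs the post describes: outbound connections to high-numbered ports, encrypted traffic to destinations that are not on an approved list, and unusually large uploads. The local network range, the approved destinations and the thresholds are hypothetical policy values.

```python
import ipaddress

# Constructed sample flow log: time, source, destination, dest port, protocol, bytes out
SAMPLE_FLOWS = """\
2009-12-24T09:00:01 10.0.0.12 10.0.0.5 445 tcp 81920
2009-12-24T09:00:07 10.0.0.12 203.0.113.10 443 tcp 2048
2009-12-24T09:01:15 10.0.0.31 198.51.100.77 6667 tcp 512
2009-12-24T09:01:40 10.0.0.31 198.51.100.77 51234 tcp 4194304
2009-12-24T09:02:02 10.0.0.31 192.0.2.55 443 tcp 30000
"""

# Hypothetical policy values (assumptions, not from the post)
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")   # "our network"
APPROVED_TLS_DESTS = {"203.0.113.10"}             # e.g. the hosted mail provider
ENCRYPTED_PORTS = {443, 465, 993, 995}
HIGH_PORT_START = 1024                            # "high-numbered ports" per the post
LARGE_UPLOAD_BYTES = 1_000_000

def parse_flow(line):
    ts, src, dst, port, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "bytes": int(nbytes)}

def review_outbound(log_text):
    """Return (flow, reason) pairs for flows leaving LOCAL_NET that merit a look."""
    findings = []
    for line in log_text.splitlines():
        f = parse_flow(line)
        if ipaddress.ip_address(f["dst"]) in LOCAL_NET:
            continue  # local traffic is out of scope for this check
        if f["port"] in ENCRYPTED_PORTS:
            if f["dst"] not in APPROVED_TLS_DESTS:
                findings.append((f, "encrypted traffic to unapproved destination"))
        elif f["port"] >= HIGH_PORT_START:
            findings.append((f, "high-numbered destination port"))
        if f["bytes"] >= LARGE_UPLOAD_BYTES:
            findings.append((f, "large outbound transfer"))
    return findings

def bytes_out_by_source(log_text):
    """Total bytes each internal host sent outside LOCAL_NET, largest first."""
    totals = {}
    for line in log_text.splitlines():
        f = parse_flow(line)
        if ipaddress.ip_address(f["dst"]) not in LOCAL_NET:
            totals[f["src"]] = totals.get(f["src"], 0) + f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
```

Running `review_outbound(SAMPLE_FLOWS)` flags the IRC-style port, the large transfer on port 51234 and the TLS session to the unlisted host, while the approved TLS destination and all local traffic pass.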

Dennis

Dennis H in West Virginia, US

December 24, 2009


Creating an Information Management Plan – Part 4
Where Does the Data Live?

Once data has been classified and we know what types of sensitive data a system stores or processes, we have to locate the data we want to protect. Data exists in one of two states – it is either at rest or in transit. We have to ask two questions:

1) Where does the data live?

2) Where does the data go?

In this installment, we will focus on the first question. In part 5, we will focus on the second one.

Any data that is stored, even data stored in RAM during processing, is at rest. Data at rest can be found:

1) On hard drives, in the working file structure
2) On backup tapes or other backup media
3) On removable media, such as CDs, DVDs, floppy disks (remember those?), and USB storage devices
4) On “hard copy” – printed copies in file cabinets, in brief cases, in desk drawers, or in trash cans
5) On LAPTOPS, which are mobile devices with hard drives. This is a MAJOR concern – for obvious reasons. There will be an installment in this series devoted to laptop security.
6) On other portable devices, such as phones and PDAs. This is a growing concern. Gone are the days when the only concern was the contact list. Smartphones are computers that can make phone calls, and the data they carry with them must be included in the Information Management Plan.

These are the areas of concern in most business environments. We should be aware, though, that data at rest can also be found in some other places. In highly secure environments, we also have to concern ourselves with data:

1) On hard drives, in “non-working” file structures, such as temp files or time-save files
2) On hard drives, outside the file structure – in files that have been “deleted” from the file system, in hard drive sectors that have not been completely overwritten (the “slack space”), and in hibernation files.
3) In memory while it is being processed.
4) In fax memory.

When the system includes servers, workstations, multiple faxes and printers, and many users, documenting all these locations can be a substantial task.

In order to more effectively manage and protect sensitive data, we want to consolidate it into as few locations as possible. The more we can reduce the number of folders or directories that contain sensitive data, the more easily we can control access and apply encryption where appropriate. This is one of the BEST reasons for installing a server and maintaining all user data on server shares.

If sensitive data cannot be consolidated onto shares on a single computer, this should at least be done on each individual computer. All sensitive data should be consolidated into one or more folders to which access is controlled. Files requiring encryption should be consolidated into encrypted folders or volumes. Access controls and encryption will be discussed in later installments of this series.

All of this requires careful planning, documentation, and review.

Individuals will still require access to unencrypted data to do their jobs, and this always presents a risk that they will intentionally or unintentionally copy this data to locations other than those designated. There are four controls that we can use to mitigate this risk:

1) Education, training, and awareness – everyone has to be aware of data classifications, the importance of protecting sensitive data, and the methods used.
2) Policies – written policies MUST be in place to ensure that EVERYONE knows what is and is not acceptable use of systems and what procedures must be followed. Effective policies include signed acknowledgments and consequences for failure to comply.
3) Endpoint security – software can be employed to limit or prohibit the use of USB devices, mobile devices, and removable media.
4) Information audits – periodic scans of hard drives and other devices should be done to check for certain types of sensitive information outside of the designated locations.
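To show what control 4 looks like in practice, here is an added example (not from the post) of a small information audit: it walks a directory tree, looks for card-number-like digit runs that pass the Luhn check, and reports any file holding such data that sits outside a designated folder. The folder layout, file contents and the choice of card numbers as the sensitive type are constructed for illustration.

```python
import os
import re
import tempfile

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum, so random digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify_text(text):
    """Return the set of sensitive-data labels found in a file's text."""
    labels = set()
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        labels.add("card-number")
    return labels

def audit_tree(root, designated_names):
    """Walk root and report files holding sensitive data outside the designated folders."""
    designated = [os.path.join(root, d) for d in designated_names]
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if any(path.startswith(d + os.sep) for d in designated):
                continue  # stored where policy says it belongs
            with open(path, "r", errors="ignore") as fh:
                labels = classify_text(fh.read())
            if labels:
                findings.append((path, sorted(labels)))
    return findings

def build_sample_tree():
    """Constructed sample tree: a designated folder plus a file a user copied elsewhere."""
    root = tempfile.mkdtemp()
    files = {  # hypothetical paths and constructed contents
        "Confidential/billing/cards.txt": "4111 1111 1111 1111\n",
        "Users/dennis/notes.txt": "call back re card 4111-1111-1111-1111\n",
        "Public/readme.txt": "order #1234567890123 shipped\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root
```

`audit_tree(build_sample_tree(), ["Confidential"])` reports only the copy in the user's notes: the file in the designated folder is skipped, and the order number in the public readme fails the Luhn check and is ignored.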

As we can see, the answer to “Where does the data live?” can be fairly complex. In the next installment, we will look at the second question – “Where does the data go?”

Dennis

Dennis H in West Virginia, US

December 16, 2009


Creating an Information Management Plan – (Part 3)
Data Classification

Protecting sensitive data requires an expenditure of money, time, and effort. We want to protect all of our client’s sensitive data, but we don’t want to waste resources on data that is not sensitive. In addition, some kinds of data require more protection than others. We need a way to identify and classify sensitive data.

The most familiar data classification system is that used by many government and military organizations: Top Secret, Secret, Confidential, Restricted, and Unclassified. This is not the best fit for most businesses. A more appropriate classification is Confidential, Private, Sensitive, and Public. The first three are different types of “sensitive” data, and the fourth is data which is not “sensitive”.

Confidential data includes proprietary information that the organization owns – company financial records, customer or client lists, formulas, recipes, processes, and any other data that could harm the company directly if improperly disclosed.

Private data is data for which the company serves as custodian but does not necessarily own; in other words, data about other individuals or organizations. This includes employee records, patient records, and the financial records of others. Improper disclosure could harm the individuals or organizations. This data is typically subject to legal or regulatory requirements, such as PIPEDA in Canada, HIPAA or GLBA in the US, or the PCI DSS, which applies to vendors in all countries.

Sensitive data is not specifically subject to legal or regulatory requirements, but its disclosure could cause harm to others. An example is medical records maintained by an attorney in the US. Only medical providers are subject to HIPAA regulations. However, non-medical providers can still be held liable for any harm caused by unauthorized disclosure of information. As data custodians, they have a legal obligation to exercise due diligence in protecting the property of others, including data.

Public data is everything else – data that would cause no appreciable harm if publicly disclosed.

Any data that your business client would not want posted on a bulletin board in the lobby falls into one of the first three categories.

The legal requirements are different for each country, and there may be additional state or provincial laws. You have to be familiar with the laws that apply to your client’s business.

Next: Where does (or should) your client’s sensitive data live?

Dennis

Dennis H in West Virginia, US

December 7, 2009
