From the document DOCUMENT SECURITY (pages 62-65)

INFORMATION LEAKAGE IN BUSINESS CHANNELS

WHAT DO INFORMATION THIEVES WANT?

Information thieves seek marketable data on individuals, sensitive business information, and information about network infrastructure that can lead to exploits against the network. Personal identifiers such as Social Security numbers (SSN), credit card numbers, bank account numbers, and insurance policy numbers are among the common targets. These consumer identifiers, while prime targets, offer an advantage to a content security system in that they have a data structure which is fairly easy to recognize. Regular expressions usually provide a searchable pattern to detect the unauthorized movement or copying of these data types. As far as network access or infrastructure information goes, logins, passwords, internal IP addresses, and machine names also have recognizable patterns subject to detection by regular expression and keyword searches.
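The following scanner is an added example, not code from the book or from any product it describes. It shows the two detection styles the paragraph names: regular expressions for structured identifiers (SSN, payment card, private IP address) and a keyword search for credentials. It also shows the check a practitioner adds on top of the raw pattern, a Luhn checksum for card numbers and the Social Security Administration's never-issued ranges for SSNs, so that a tracking number or a test fixture does not raise an alert. The sample lines, patterns and masking rules are all constructed for this demo.

```python
"""Regex-and-validation scanner for structured identifiers in outbound text.

Added example (not from the book): a minimal content-security check that
looks for SSN-, payment-card- and private-IP-shaped tokens plus credential
keywords, validates the structured ones to cut false positives, and reports
masked evidence so the alert itself does not re-leak the value.
"""
import re

# Constructed patterns; a production DLP rule set is far richer than this.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
PRIVATE_IP_RE = re.compile(
    r"\b(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}"
    r"|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b"
)
CRED_RE = re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for every well-formed payment-card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 000/666/9xx, group 00 and serial 0000 are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep only the last four digits so the alert does not carry the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(lines):
    """Return (line_number, kind, evidence) for every validated hit."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in SSN_RE.finditer(line):
            if ssn_ok(*m.groups()):
                findings.append((n, "ssn", mask("".join(m.groups()))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append((n, "card", mask(digits)))
        for m in PRIVATE_IP_RE.finditer(line):
            findings.append((n, "internal_ip", m.group()))
        if CRED_RE.search(line):
            findings.append((n, "credential", "[value withheld]"))
    return findings


# Constructed sample traffic, not real data.
SAMPLE_LINES = [
    "Subject: quarterly numbers attached",
    "Applicant SSN 123-45-6789, please process today",
    "Test fixture uses 000-12-3456 as a placeholder",
    "Card on file: 4111 1111 1111 1111 exp 09/27",
    "Tracking id 1234 5678 9012 3456 is not a card",
    "db host 10.20.30.40, password: Example-Only-1",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

Run as a script, the scanner reports the SSN on line 2, the card on line 4, and both the internal address and the credential on line 6; the placeholder SSN on line 3 and the non-Luhn number on line 5 produce nothing. The validation step matters as much as the pattern: without it, every 16-digit tracking number would be a false positive, and analysts quickly learn to ignore a noisy channel.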

Fingerprinting or tagging confidential records such as medical documents and financial statements, spreadsheets, or documents found on the network enables a reasonable degree of tracking. In addition, keyword, pattern-recognition, and lexicon-based searches facilitate detecting and locating these records. Source code, proprietary recipes, engineering designs, patent information, marketing plans, and documents pertaining to trade secrets are all tracked using fingerprinting and textual searches.

The tagging or fingerprinting of sensitive documents and the pattern recognition of sensitive information create an inner layer of security.

These measures deter unauthorized entry of sensitive documents and information into various business channels. Myopic vision results, however, unless the security professional realizes that these measures are but one level of security within an overall plan. Defense in depth resolves into two bottom-line issues: preventing outsiders from gaining access to the inner sanctum and preventing insiders from exploiting their access rights to the inner sanctum.

Outsider attacks on the inner sanctum of sensitive documents have several manifestations:

1. Exploiting a trust relationship. The attacker feigns being a user, a process, or a server that the sensitive object trusts.

2. Obtaining an authentication credential. A malefactor steals or compromises a login and password, a token card, or an access card to authenticate herself to the object.

3. Usurping a trusted access channel. A vendor, a supplier, a customer, or a mobile employee has trusted access to the network through a VPN or a portal on an extranet. The attacker finds a way to hack into the channel. Always assume that third parties holding trusted access will not be as careful as you are about security.

(The classic discussion of this attack scenario is Carolyn P. Meinel's October 1998 article in Scientific American, "How Hackers Break In . . . and How They Are Caught.")

4. Social engineering their way in. An attacker fools employees or third parties with access rights into either granting him access or sending him the sensitive information.

5. Researching for the sensitive information. People do get careless and place sensitive documents on the network with a view to the Web. As depicted in Chapter Two, Google hacking can then take over.

6. Hacking their way in using technical methods. Buffer overflows, spoofing attacks, and compromising the Web server all come into play.

Developing a counterpoint for each of these methods requires a layered approach. It is not simply a matter of saying, "we have content security software in place, and therefore we are secure." Obviously, a network additionally requires perimeter security measures like a screening router, a firewall, and IDS and IPS (intrusion detection and protection) monitoring to detect and to block external technical attacks.

Defenses against Google hacking, covered in Chapter 2, include security zones and the proper placement of documents within those zones. (Content security monitoring also can help locate misplaced sensitive documents.) Education against social engineering attacks is a constant matter for employee training. Content security measures help to a degree in this area because they monitor the traffic in sensitive information.

Any trusted channel or relationship requires extra monitoring by an IDS or IPS and by the content security system. Special attention needs to be paid to the traffic moving in and out on that channel. With regard to authentication, single-factor authentication is very bad for accessing any sensitive object, whether it is a file or a database. Use two-factor or multi-factor authentication for access to sensitive materials on the network. (Factors come in three forms: what you know, a password; what you have, an access card or token; and who you are, a fingerprint. Using more than one factor results in two- or multi-factor authentication.) Build into contracts with third parties the right to audit their security procedures to ensure security compliance. And never grant anyone carte blanche access. They should only have the amount of access necessary to get their job or mission accomplished.

Insider attacks on sensitive documents require cunning, but these attacks have the advantage of already being within the security perimeter.

They include:

A. Cutting, copying, and pasting sensitive information into documents or messages of a lesser security level.

B. Placing sensitive documents onto portable media like a USB drive.

C. Paraphrasing sensitive information. Attackers try to alter the pattern of the language but still convey the ideas.

D. Printing out sensitive files. Then, they carry them out as paper documents.

E. Trying to strip off the security sensitivity label on the document. By removing the electronic tagging or fingerprinting, they elude detection of the document.

Content security monitoring measures deter “Item A” actions. With regard to transferring sensitive documents to portable media, content security software should create an audit trail for transfer transactions.

In addition, security software is available to prevent the unauthorized copying of files from a local machine onto an external drive or medium for an added layer of protection.

"Item C," at first, seems a clever "dodge." Yet, if the content security monitoring software has enough depth in resources to look for sensitive information, in that it uses multiple methodologies, the insider will still face a high possibility of detection. Printing is a business channel like any other, so monitoring should detect it. Electronic fingerprinting of sensitive documents should be robust enough to resist tampering. In any event, even if a label gets removed, the other detection methodologies should still recognize the file as a sensitive document.
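To make concrete what "fingerprinting" in the tracking paragraph above and "multiple methodologies" in this one mean in practice, here is an added example that is not code from the book or any product it describes. A registered sensitive document is reduced to a set of hashed four-word windows (shingles), and outbound text is scored by containment, the share of its shingles that come from the registered document. The demo then shows which insider moves this catches on its own (Item E, a stripped label; Item A, a paragraph pasted into a lower-sensitivity mail) and which it does not (Item C, a heavy paraphrase), where a second method, a keyword lexicon, fills the gap. The document, the outbound texts, the lexicon and the thresholds are all constructed for this demo.

```python
"""Document fingerprinting with hashed word shingles, plus a lexicon check.

Added example, not from the book: the registered document is stored only as
hashes of 4-word windows, so the fingerprint store itself holds no readable
text. Containment scoring survives label removal and copy-and-paste; a
paraphrase defeats it, which is why a lexicon search runs alongside.
"""
import hashlib
import re

SHINGLE_WORDS = 4  # window width (assumption chosen for this demo)


def normalize(text: str) -> list:
    """Lower-case and keep only alphanumeric tokens so layout and punctuation changes do not matter."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str) -> set:
    """Hash every SHINGLE_WORDS-word window; only the hashes are kept."""
    words = normalize(text)
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()[:16]
        for i in range(len(words) - SHINGLE_WORDS + 1)
    }


def containment(registered: set, observed_text: str) -> float:
    """Fraction of the observed text's shingles that belong to the registered document."""
    obs = fingerprint(observed_text)
    return len(registered & obs) / len(obs) if obs else 0.0


def lexicon_hits(text: str, lexicon) -> list:
    """Keyword/lexicon search: distinctive terms that survive rewording."""
    norm = " ".join(normalize(text))
    return [term for term in lexicon if term in norm]


def is_sensitive(registered, text, lexicon, min_containment=0.3, min_terms=2) -> bool:
    """Layered verdict: either methodology alone is enough to flag the text."""
    return (containment(registered, text) >= min_containment
            or len(lexicon_hits(text, lexicon)) >= min_terms)


# Constructed registered document and outbound texts, not real data.
REGISTERED_DOC = """CONFIDENTIAL - INTERNAL ONLY
Project Falcon pricing model. The list price for the enterprise tier will be
raised from 1200 to 1450 per seat in the fourth quarter, and the renewal
discount for existing customers drops from 20 percent to 12 percent. Volume
pricing above 500 seats moves to a custom quote approved by the regional
director."""

LABEL_STRIPPED = REGISTERED_DOC.split("\n", 1)[1]          # Item E
PASTED_INTO_MAIL = ("Hi Bob, FYI before your call: the list price for the enterprise tier "
                    "will be raised from 1200 to 1450 per seat in the fourth quarter, and the "
                    "renewal discount for existing customers drops from 20 percent to 12 percent. "
                    "Cheers")                                 # Item A
PARAPHRASED = "Enterprise seats go from 1200 to 1450 in Q4; renewal discount falls to 12 percent."  # Item C
UNRELATED = "Reminder: the parking garage will be closed for cleaning on Saturday morning."

REGISTERED = fingerprint(REGISTERED_DOC)
LEXICON = ("project falcon", "1450", "renewal discount", "custom quote")  # constructed

if __name__ == "__main__":
    for name, text in [("label stripped", LABEL_STRIPPED), ("pasted", PASTED_INTO_MAIL),
                       ("paraphrased", PARAPHRASED), ("unrelated", UNRELATED)]:
        print(f"{name:15} containment={containment(REGISTERED, text):.2f} "
              f"lexicon={lexicon_hits(text, LEXICON)} "
              f"sensitive={is_sensitive(REGISTERED, text, LEXICON)}")
```

The stripped copy scores a containment of 1.0 because every window in it still exists in the registered document: the label was never part of the fingerprint, so removing it changes nothing. The pasted paragraph scores about 0.8 (only the windows that straddle the greeting and sign-off are new). The paraphrase drops below 0.1 and would slip past fingerprinting alone, but two lexicon terms survive the rewording and flag it; the unrelated mail triggers neither method. That is the layering the text calls for: no single methodology has to catch everything.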
