1

White Paper Data Leakage

“‘Tis not so deep as a well nor so wide as a church-door, but ‘tis enough, ‘twill suffice”

-- Mercutio’s dying commentary on his mortal knife wound delivered by Tybalt (Romeo and Juliet by William Shakespeare, Act III, Scene 1)

On the global digital stage, the mortal data breach might not be a dramatic attack. Rather, the persistent seepage, leakage, extrusion of an organization’s data—its lifeblood in our post-industrial revolution market— can cause enterprise demise. The “death by a thousand cuts” that characterizes the erosion of certainty about organizational data can result in any of the following: loss of competitive advantage through the theft of intellectual property (IP) or its compromise, accidental release of entrusted third-party information (especially, legally protected personally identifiable information), damaged reputation, compliance and audit failures, and system credit credential exposure.

One indication of the pervasiveness of data loss is that, as of December 2011, the Privacy Rights Clearinghouse reported 543 million records breached in the U.S. since the group’s tracking began in 2005. The top breaches in 2011 included Sony PlayStation (101.6 million records), Epsilon (at least 60 million email addresses), Sutter Physician Services/Sutter Medical Foundation (3.3 million patient records), Texas Comptroller’s Office (3.5 million individuals affected), Healthnet (1.9 million records), Tricare/SAIC (5.1 million records, including financial as well as medical information). One lawsuit filed in response to the latter would give $1,000 to each affected individual.1

Another indication of the pervasiveness of data loss comes from several recent reports about nation-state activity to extract intellectual property from companies in the U.S. Security analyst Mandiant published a report in February 2013 that exposed evidence of Chinese military complicity in efforts to steal proprietary information from companies that control critical infrastructure (CI) assets: water, electrical power, oil and gas lines.2 According to the Mandiant report, the “APT1” group has infiltrated at least 150 different companies across industries and extracted terabytes of information—including 6.5 TB from one organization.3

White Paper | Data Leakage

Data Leakage - Controlled Substance Abuse and Misuse

White Paper Data Leakage

2

The vulnerability of the automated industrial control systems (ICS) used in these CI industries has attracted increasing concern over the past several years. Originally designed to collect and transmit data and commands over a closed (point-to-point) communications network, many systems have been brought online, that is, over Internet Protocol networks. The National Institute of Standards and Technology (NIST) released its guidelines on ICS security in June 2011 as NIST Special Publication 800-82. Ranking highly among NIST recommendations are intrusion detection, audit trail analysis, monitoring compliance gaps, enforcing the rule of least privilege, and managing credentials by various user categories.

CI and non-CI infrastructure industries not associated with power and utility are also under attack. Mobile storage practices that rely on convenient repositories like Evernote, Google Docs, and Dropbox also create data leakage channels. Evernote, for example, reported it had been hacked in early March 2013 and asked that all 50 million customers change their now-compromised passwords.4

THREAT LANDSCAPE - EXPOSURE OF ORGANIZATIONS

Estimating the cost of data loss to organizations is challenging, in part because the majority of organizations do not really have high confidence about the status of their data, even when it is categorized as sensitive, confidential, or otherwise protected. In an estimated 59 percent of data breach incidents examined as part of the 2012 Data Breach Investigations Report (DBIR),5 law enforcement officials notified the compromised organizations about their problems. Equally disturbing is that 92 percent of the incidents examined were detected initially by a third party. The organizations themselves had not identified the problem! The report further indicated that the use of stolen login credentials was the lead attack modality responsible for the majority of records compromised.6 It’s one thing to have your house broken into. It is more disturbing when your house is broken into, your keys are stolen, and you are still oblivious to your vulnerable position.

The extent of the problem is impressive. The 2012 DBIR showed the second-highest number of records exposed—174 million—since the report’s first publication in 2004. Big data organizations are especially attractive to attacks using advanced persistent threat (APT) techniques. In his comments made at the 2012 RSA Conference in San Francisco, Uri Rivner predicted IP threat targets include pharmaceuticals, energy, and mining organizations.7 Critical infrastructure sectors should take heed.

Third Parties—Trust AssumptionsThird parties represent multi-faceted liability to an organization. On the one hand, third parties may entrust their sensitive information to an organization with the explicit or implicit assumption that that information will be protected. If that trust proves ill-founded due to the organization’s negligence, security vulnerability, or bad luck, the affected third parties may pursue restitution or penalty. On the other hand, third parties themselves may be the source of an unmitigated weakness in the organization’s security architecture. In its 2013 survey of more than 120 technology, media, and telecommunications (TMT) companies in 38 countries, Deloitte & Touche identified third party security risks and employee awareness as the top concerns.8 Its 2011 study observed that, given our hyper-linked world,

Multiple parties are connected – and therefore affected – meaning that organizations must not only assure the security of their own assets, but also those of their third parties who have access to their network.

Nearly 60 percent of the surveyed TMT organizations view third parties as an ‘average’ to ‘high’ threat for information security, versus only 30 percent who are very confident in the information security practices of third parties. This skepticism may be partly driven by the widely publicized problems recently experienced by major cloud service providers.9

White Paper Data Leakage

3

The Open Security Foundation’s DataLoss DB report expressed concern with respect to third party involvement in data extrusion, highlighting “a trend that indicates that data loss incidents involving third parties, on average, result in a greater number of records lost than incidents that do not involve third parties. This may be as a result of the type of data handled by third parties, the process of transferring the data between organizations, or other hypothesis.”10 And again, in the majority of cases, third parties (often government agency representatives, foreign and domestic) deliver the message that an organization’s systems have been compromised. Both individuals and businesses can check PwnedList’s database of stolen credentials, email addresses, and passwords if they suspect their information may have been exposed, for example, if among the 8 million Gamigo account holders whose information was compromised in March 2012 <www.pwnedlist.com>.

Permeable SpacesMobile devices figure prominently in reported data breach cases. Results from a 2011 Ponemon Institute survey of IT professionals show that mobile devices figured in 63 percent of data breach cases.11 According to a more recent survey report from the Ponemon Institute about practices to mitigate mobile device vulnerability:12

Many companies make significant investments in encryption and endpoint security to protect sensitive data, but they often don’t know how/what data is leaving through insecure mobile devices. Traditional static security solutions such as antivirus, firewalls, and passwords are not effective at stopping advanced malware and data theft threats from malicious or negligent insiders. To safely permit corporate use of mobile devices, organizations need data loss prevention technology that knows where critical data is saved, who is accessing it, how it’s attempting to leave, and where it’s going (Ponemon 2012a, p. 9).

This advice carries across all potential attack surfaces. Still, collecting data about network traffic, system changes, and user activity from a variety of widely dispersed logical and physical sensors is challenging. With sophisticated and patient attackers, even nation-state agents, deploying complex, multilayer exploit strategies over an extended period of time, detection is difficult, especially for understaffed IT groups. Analytical tools that facilitate effective correlation and understanding of log and system data are needed to help IT professionals visualize the organization’s informational situation awareness.

LOSS LANDSCAPE - BURDEN TO ORGANIZATIONS

Data leakage prevention (DLP) is a security objective that resonates clearly with the confidentiality leg of the CIA triad, but not necessarily with availability and integrity (even though authenticity, the assurance that data has not been tampered with, is problematic when the implicit chain of custody has been broken). Unlike a water leak, data leakage may not be readily apparent. In many cases, the data is still available and even in its original, designated repository. The problem arises when it is also in another repository—and not necessarily one managed by the organization. Possession and access are now shared. It’s like having your cake and eating it—while another person is digesting it.

Calculating the cost of DLP to organizations involves multiple factors, categorized in a 2012 Ponemon Institute study as internal costs (detection, investigation, containment, recovery, ex-post response) and external costs (information loss or theft, business disruption, equipment damage, revenue loss).13 According to survey results from the 56 companies that participated in this study, almost half (44%) of the external cost of cyber crime could be attributed to information loss, in part because of legally required notification and restitution/ victim compensation, including credit monitoring. Protecting and knowing the status of the information asset itself thus may be perceived as having a higher cost impact to an organization than other external costs.14

White Paper Data Leakage

4

The National Crime Prevention Council quotes estimated damage to the U.S. economy due to intellectual property theft as $250 billion a year, also noting, “more than 45 percent of all U.S. businesses have reported losses due to intellectual property theft.”15 Michael Chertoff, former Secretary of the U.S. Department of Homeland Security, Intellectual property theft and McAfee’s Vice President for Threat Research stated, “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2,000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”16

Brand piracy is one type of IP loss that affects an organization in various ways: (1) lost revenue, as when the pirating company benefits from the pirated company’s marketing efforts and sells a knock-off product; (2) warranty cost, as when the pirated company replaces or repairs faulty product that it did not produce; (3) diminished product image/reputation when the counterfeit products proliferate (less exclusivity, thus snob appeal; buyer disappointment in the quality of the counterfeit product, leading to future sales loss). Products affected can range from high tech (software, electronics) to medium tech (pharmaceuticals, instrumentation) to consumer tech (music, movies, instrumentation, clothing, toys). Energy resource companies have also reported suspected IP theft. The consequences of IP theft can be deadly. Although a broken strap on your new Prada bag only constitutes an irritating wardrobe malfunction, taking bogus medication to regulate your heartbeat can be fatal. The problem is not new: Caveat emptor is a term first used in the 16th century. The ability to copy designs without physically breaking into locked file cabinets and desk drawers is, however, very 21st century.

VICTIM LANDSCAPE - EXAMPLES OF VICTIMIZED ORGANIZATIONS

In 2010, McAfee identified a multi-layered attack against oil and gas companies that it dubbed “Night Dragon.” The documents exfiltrated from the companies as a result of the attacks, which had been going on for a minimum of two years (perhaps as many as four), included financial records (on field exploration and bidding) and SCADA system data.17 Another disturbing, coordinated attack with nation-state involvement and U.S. national security concerns was “Operation Aurora.” McAfee made this observation about Night Dragon and the attacks that targeted dozens of high profile organizations like Google, Juniper Networks, Northrop Gruman, and Dow Chemical:

What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.18

A 2009 study from Purdue’s Center for Education and Research in Information Assurance Studies (CERIAS), based on its survey of 800 companies, estimated a combined cost of $4.6 billion in lost IP in 2008 alone, as well as $600 million to repair damage caused by breaches.19 In addition to attacks against corporate data repositories, social networking sites are also trawled to fish for information inadvertently shared that can be useful for economic espionage. Guiding employees in the judicious use of social media, perhaps even preventing their posting sensitive content, can reduce opportunities for bad actors.20

Other high-level data leakage incidents detected since 2010 include the U.S. Chamber of Commerce (trusted partner of some three million companies), Sony PlayStation 3 (decryption codes released; this was after the 2011 breach that gave hackers access to 101.6 million customer records, including 12 million unencrypted credit cards), The New York Times and The Wall Street Journal (and other Chinese hacks into various

White Paper Data Leakage

U.S. media organizations to control information flow), Cargill and Dow Chemical (more than $7 million of agribusiness and agrichemical trade secrets passed through to a government sponsored Chinese university), Motorola (1,000 sensitive documents intended for Chinese military and a media company), and Ford (insider theft of at least $50 million worth of manufacturing trade secrets). Interestingly, U.S. Government actions have thus far centered on policy, training, and reporting mechanisms (like databases), rather than tools to detect and capture evidence of leakage.

TECHNOLOGY LANDSCAPE - TOOLS FOR ORGANIZATIONS

As much as sharing is valued and promoted among the nursery school set, the accidental or intentional data sharing subjects an organization to specific collateral damage. The context of the data leakage determines an organization’s response and business impact:

■ Source - Where is the opening, membrane, or surface through which data left the organization?

■ Channel - By what means is the data seeping out (e.g., personal media storage, ephemeral messages, mobile devices, trusted community members)?

■ Data State - Was the compromised data at rest, in motion, in process?

■ Sensitivity - How was the escaped data classified with respect to protection level?

■ Scope of Responsibility - To what extent is the organization legally or ethically accountable for the protection of the data accidentally or intentionally shared?

■ Restitution/Recourse - What kind of safety net (e.g., insurance) does the organization have in place to cover the cost of litigation, penalties, and remediation?

Many of us who watched prime time TV in the 1960s and 1970s remember the nightly ABC admonishment, “It’s 10 p.m. Do you know where your children are?” For organizations, knowing the whereabouts of their data was challenging even before cloud computing, BYOD, and ad hoc trading partner arrangements. In an ideal world, of course, organizations have complete informational awareness, enabled through a combination of responsible organizational data practices, consistently reinforced user training, audited control mechanisms, secure network architecture, and layered monitoring tools.

DO YOU KNOW WHERE YOUR DATA IS? INTELLIGENT ID - BENEFIT TO ORGANIZATIONS

With the pervasiveness of IP theft, data loss, information use and abuse combined with the increase of sensitive information stored and transmitted digitally, cloud computing, management of third party PII and BYOD creates the perfect storm of opportunity for leakage to occur, whether maliciously or accidentally. While many may prefer to adopt an “ignorance is bliss” mindset toward the use of an organization’s data, increasing policy, compliance measures, regulation and the chance of unattractive media exposure demand that decision makers remain in-the-know and proactive regarding company data.

Adopting an in-the-know philosophy regarding data and its usage not only prevents the negative consequences, but produces positive outcomes as well, including cost reduction, efficient data flow, brand protection and over-all enhanced organizational security. According to the PI report, significant opportunities for cost reduction are available to organizations that invest in technologies to assist with and automate recovery and detection activities. (p. 15)

5

White Paper Data Leakage

6

Intelligent ID’s endpoint and user activity management system captures the largest area of opportunity for organizational benefit, identified by PI as “investigation and incident management,” capturing the source, channel, data state and sensitivity of data in the event of a leakage, and preventing loss and theft through monitoring compliance, enforcing policies, user training and intuitive data analysis and alerting. This area of opportunity showed a 40% reduction in cost for those reporting companies that implemented an intelligent security solution as compared to those who did not.21

Because its dashboard monitoring interface and customizable reporting is so easy for IT and non-IT staff alike to use, Intelligent ID can equalize the asymmetry of informational situation awareness among organizational legal, HR, R&D, marketing/sales, and IT teams. Intelligent ID can thus alleviate the “shoot the messenger” response that often characterizes IT communications with other business areas, especially when the news is not welcome. Bridging this information gap facilitates better teamwork for investigation and resolution. In addition to its utility as an investigative tool, Intelligent ID also serves to ensure compliance with HR policies, by promoting staff training/awareness, equally and consistently applied enforcement, and organizational protection against wrongful termination lawsuits. A recent issue of HR Magazine recommends the well-coordinated and preemptive use of technology, policy, and training controls that includes collection of electronically stored information as a “just in case” measure.22

Such coordinated controls covering removable media and mobile devices were not in place at the Florida Department of Juvenile Justice when a mobile device was stolen in January 2013, even though organizational policy governing such usage was disseminated as early as November 2008. The information on the device—at least 100,000 records concerning youths and their employee records—was neither encrypted nor the device or files password-protected. This was in violation of the aforementioned policy. Sadly, three computers that also contained unprotected but sensitive information from the Department were stolen from an Orlando apartment in September 2012. Intelligent ID customers like the Ohio Department of Developmental Disabilities avoid these kinds of unfortunate incidents related to lax policy enforcement and user training. The DODD chose to enhance its data leakage prevention mechanisms by using Intelligent ID’s features such as monitoring removable media, protecting against unauthorized copies to USB drives, and encrypting files that have been deemed sensitive prior to their copy to removable media.

Given the increasing incidents of data leakage reports, rising cost of responding to such incidents, and significant evidence of incidents going underreported or unacknowledged, it is reasonable that companies invest in electronic tools to aid in monitoring, detection, containment, investigation, and response. “Electronic discovery response planning is not just a matter of gathering responsive information but of working in advance to control what information is created and how it is stored. Electronic discovery best practices begin with making data management a part of daily business operations.”23 Intelligent ID’s monitoring capabilities are ideally suited to address these coverage areas. In addition, Intelligent ID is not an “IT Staff Eyes Only” tool. A scalable and customizable tool, it delivers easily comprehensible alerts and reports to the desktop of those who need to know, whether hailing from IT, HR, R&D, accounting, or any other organizational business area. Intelligent ID assembles and correlates the numerous data points needed to attain comprehensive informational situation awareness to prevent defined data extrusion, intercept questionable activity, and consolidate digital evidence: organizational protection against “death by a thousand cuts.”

White Paper Data Leakage

7

For More Information:

Jim Mazotas Founder and CEO

jim.mazotas@onguardsystems.com

1275 Kinnear Road Columbus, OH 43212

p. 614.340.1439f. 614.340.3773

www.IntelligentID.com

References1 Privacy Clearinghouse, Data Breaches: A Year in Review (December 16, 2011). Retrieved from https:// www.privacyrights.org/data-breach-year-review-20112 Gonsalves, Antone, U.S. urged to take comprehensive action on Chinese cyberespionage (February 22, 2013). Retrieved from http://www.cio.com/article/729347/U.S._Urged_to_Take_Comprehensive_Action_on_ Chinese_Cyberespionage?source=CIONLE_nlt_infosec_2013-02-26)3 Lambert, Patrick, What the Mandiant report reveals about the future of cyber espionage (February 25, 2013). Retrieved from http://www.techrepublic.com/blog/security/what-the-mandiant-report-reveals-about- the-future-of-cyber-espionage/91124 Sumagaysay, Levi (March 5, 2013), (In)security: Evernote hacked, corporate data in the age of BYOD, banks as targets. Retrieved from http://bl169w.blu169.mail.live.com/default.aspx#n=125776487&fid=1&fav=1&mi d=62e72741-8501-11e2-9c3f-002264c24396&fv=15 The report analyzed the characteristics of 855 incidents that the partner organizations investigated in 2011. Thus, it reports on a subset of data breach incidents annually.6 2012 Data Brach Investigations Report. Retrieved from http://www.verizonbusiness.com/resources/ reports/rp_data-breach-investigations-report-2012_en_xg.pdf.7 Emigh, Jacqueline, RSA: Five Top Internet Security Threats in 2012 (March 6, 2012). Retrieved from http:// www.notebookreview.com/default.asp?newsID=63108 Deloitte & Touche, Blurring the Lines: 2013 TMT Global Security Study (January 2013). Retrieved from http://www.deloitte.com/tmtsecuritystudy9 Deloitte & Touche, Raising the Bar: 2011 TMT Global Security Study—Key Findings (2011).10 Retrieved from http://datalossdb.org/statistics on January 10, 2012.11 Ponemon Institute, Perceptions about Network Security, June 2011.12 Ponemon Institute, Global Study on Mobility Risks (February 2012). Sponsored by Websense.13 Ponemon Institute, 2012 Cost of Cyber Crime Study: United States (October 2012), p. 23. Sponsored by HP Enterprise Security.14 The study participants estimated the remaining external cost factors for 2012 as follows: business disruption, 30%; revenue loss, 19%; equipment damages, 5% (down from 13% in 20102); and other costs, 2%. (Ponemon, 2012b, p. 14)

White Paper Data Leakage

8

15 National Crime Prevention Council. Intellectual property theft: Get real. Retrieved from http://www.ncpc. org/topics/intellectual-property-theft/trends-globalization-and-digitalization-usher-in-a-new-era-of-intellectual- property-theft16 Alperovitch, D. (August 2011). Revealed: Operation Shady RAT. Retrieved March 1, 2012, from www. mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf17 McAfee Foundstone® Professional Services and McAfee Labs (February 2011). Global Energy Cyberattacks: “Night Dragon,” p. 19.18 Alperovitch, p. 2.19 LockLizard. Intellectual property theft (n.d.). Retrieved from http://www.locklizard.com/intellectual_ property_theft.htm20 Nairn, Geoff. Your Wall Has Ears (October 18, 2011). Wall Street Journal Online. Retrieved from http:// www.online.wsj.com/article/SB10001424052970204226204576600531532461052.html#printMode 21. Ponemon Institute (October 2012), p. 17.22 Jackson, Graham. Managing the risk of intellectual property theft in a highly connected business. (July 25, 2012). HR Magazine Online. Retrieved from http://www.hrmagazine.co.uk/hro/features/1073968/ managing-risk-intellectual-property-theft-highly-connected-business23 LexisNexis®. Electronic discovery best practices. Retrieved from http://www.lexisnexis.com/ applieddiscovery/lawlibrary/whitePapers/ADI_ImplementEDiscBestPractices.pdf