Archive for January, 2010

Data Leak Prevention (DLP) agents

Saturday, January 30th, 2010

In the last few years, I have heard this buzzword more and more often. So what is DLP? DLP stands for Data Loss Prevention. Various vendors also refer to it as Information Leak Protection or a Content Monitoring and Filtering (CMF) agent.

Essentially, it is a product that can be deployed either on a host or in the network to prevent sensitive data from being sent outside the organisation.

When I was at school, I spent a year doing research in anomalous payload-based network intrusion detection, but the principle is the same as for a data leakage prevention system. After all, a NIDS inspects inbound traffic to the organisation, whereas a DLP agent inspects outbound traffic leaving the organisation. Both are quite similar.

Being anomaly-based (a "smart" agent), it detects an intrusion when the traffic pattern deviates from normal behaviour. As a result, tuning the IDS to the right setting is still a challenge; after all, we don't want to spend much time monitoring false alerts generated by the IDS. The same applies to DLP agents: you will find that the DLP generates a lot of false alerts.

Another issue with anomalous payload-based NIDS is that the NIDS only works if the data is sent in clear text. If the data is encrypted, the agent is not able to inspect the traffic. Similarly, for a DLP agent to work it assumes that the data sent is not encrypted, hence it is only effective against unintentional leakage. It wouldn't work if someone "smart" intentionally sends data outside the organisation, because he/she would encrypt the data before sending it out, whether by email or on a USB stick.
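To make the two limitations above concrete (the false-alert problem of pattern matching, and the blindness of content inspection to encrypted payloads), here is a small outbound content filter written as an added example for this post; it is not code from the original post or from any DLP vendor. It assumes a simplified card-number pattern, a Luhn check to suppress look-alike numbers, and a Shannon-entropy threshold of 7.0 bits/byte (a hypothetical cut-off) above which a payload is reported as uninspectable rather than as clean. All sample payloads are constructed inline.

```python
import math
import re
from collections import Counter

# Hypothetical, simplified candidate pattern: 13-16 digits, optionally
# separated by spaces or dashes. Real DLP agents use many more patterns.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for a byte stream."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def inspect_outbound(payload: bytes, entropy_threshold: float = 7.0) -> dict:
    """Classify an outbound payload as 'allow', 'block' or 'uninspectable'.

    Encrypted (or compressed) data is near-uniform, so content inspection has
    nothing to match on; we surface that as a separate verdict instead of
    silently reporting the payload as clean.
    """
    ent = round(shannon_entropy(payload), 2)
    if ent >= entropy_threshold:
        return {"verdict": "uninspectable", "entropy": ent, "matches": []}
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        # Binary we cannot read as text is also not inspectable by this filter.
        return {"verdict": "uninspectable", "entropy": ent, "matches": []}

    matches = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # the checksum is what keeps the false-alert rate down
            matches.append(digits)
    return {"verdict": "block" if matches else "allow", "entropy": ent, "matches": matches}


# Constructed sample payloads (not real traffic).
SAMPLE_CLEAR = b"Invoice attached. Card 4111 1111 1111 1111 exp 12/12, thanks."
SAMPLE_LOOKALIKE = b"Your order reference is 1234567890123456, shipping tomorrow."
# Deterministic stand-in for ciphertext: every byte value once gives entropy 8.0.
SAMPLE_ENCRYPTED = bytes(range(256))


if __name__ == "__main__":
    for name, sample in [("clear", SAMPLE_CLEAR),
                         ("lookalike", SAMPLE_LOOKALIKE),
                         ("encrypted", SAMPLE_ENCRYPTED)]:
        print(name, inspect_outbound(sample))
```

Two points the output makes: the order reference in the second sample matches the digit pattern but fails Luhn, so it is allowed rather than raised as a false alert; and the encrypted sample yields no match at all, so the only honest verdict is "uninspectable", which is the signal a security team would want routed to review rather than merged into the "allowed" pile. Note that compressed archives also score high on entropy, so this verdict needs follow-up (for example, inspecting inside archives) rather than a blanket block.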

I still believe that DLP products have a long way to go to mature, at least for now. I believe that an organisation should consider a broader strategy in its Data Leakage Programme; at a minimum the organisation should consider the following:

- Grant 'outbound' email access on a need-to-have basis. Yes, not all employees in your organisation should have access to send email outside.

- Disable USB ports.

- Deploy Hard Drive Encryption for mobile computing.

Cover Your Ass (CYA) Security/Risk/Compliance

Monday, January 4th, 2010

What exactly is CYA?
CYA stands for 'Cover Your Ass'.

http://en.wikipedia.org/wiki/Cover_your_ass

According to the wiki:

CYA describes professional or organizational practices that serve to protect oneself from legal and administrative penalties, criticism, or other punitive measures. The polite explanation of the abbreviation is "consider yourself accountable".

As a risk professional, I am seeing a lot of CYA in the risk & compliance space.

So what is the motive behind CYA in the Risk/Compliance space?

Simple: risk is very subjective and compliance is not an exact science; most guidelines are open to interpretation. Moreover, when an incident happens, all attention turns to the risk & compliance officers.

What is the impact on the organization?

A risk professional who excessively engages in CYA activities will become risk averse and tend to introduce controls that are not effective, both in terms of cost and in mitigating the risk.

So how can we improve the situation? (my personal recommendation)

- Be clear & transparent about what you are covering (obviously you are not covering all risks!) and, most importantly, what you are not going to cover as part of your risk assessment or duties. Risk, especially Operational Risk, is still a new subject not only to risk professionals but to other professionals working in the company.

- Formalize your own risk assessment (keep yourself out of trouble). Most people don't realize that when they provide assurance, either positive or negative, to the business units, they are putting themselves at risk. Remember that opinion = liability, and opinion is very expensive. If the engagement is an agreed-upon procedure or an issue & recommendation exercise, be clear to your stakeholder that you don't provide any sort of assurance.

- Educate your stakeholders that there is no such thing as 'absolute assurance'. Most risk/compliance professionals would know this, but don't assume that your stakeholders know it! Incidents do happen from time to time, but that doesn't mean we need to put in additional/extra controls.

And most importantly, be practical with your recommendations! Completing a regulatory compliance checklist and identifying gaps is easy, but advising customers/clients with a solution that is practical while still addressing the risk is still a challenge.

Let me know your thoughts!