How can enterprises avoid data leakage accidents?
Data leakage incidents are often hard to prevent: accidental exposure or a malicious attack can become the channel through which enterprise information flows out, causing business losses. In this article I will share some tips that I hope will help you protect corporate data from being leaked. Which is more worrying: the attacker lurking in a dark corner of the internet, or the employee inside the enterprise who knows sensitive information such as the company's finances? As it turns out, both are situations that IT departments find hard to avoid. According to the 2012 Strategic Security Survey of enterprise technical experts published on the InformationWeek website, the impact of security incidents caused by enterprise employees is roughly the same as that of external cyber attacks. However, according to the 2012 data breach investigation report released by Verizon, internal security threats account for only a small share of the total number of attacks: just 4%. Why, then, do experts pay so much attention to them, even to the point of making a fuss? The reason is simple. Internal employees know the ways and means of obtaining the company's important information, and their familiarity with its systems gives them dozens of methods of theft that cannot be prevented. In addition, the impact of their attacks is generally greater. Just last year, an employee of Bank of America sent the account information of hundreds of customers to a malicious party, who used the data to start stealing funds from those accounts, directly involving tens of millions of dollars, not counting the large sums Bank of America spent afterwards to placate customers. The threat that internal employees pose to enterprises is becoming more and more serious, yet IT departments often focus on protecting the network perimeter from external attacks. Times have changed.
At present, the breeding ground of new criminal activity that deserves attention lies inside the enterprise: malicious activity on internal networks must be curbed as soon as possible. Clearly, against this background, enterprises should immediately reconsider their existing security strategy and treat the threat from "internal worries" with the same level of concern as "foreign invasion". Internal security threats have many causes, intentional or unintentional, but whatever the cause, one can usually formulate a complete set of controls to minimize the harm they bring. Addressing threats inside the enterprise should start from three aspects: the network, the host devices, and the people involved in generating, processing and moving data. At the network level, the control system must be able to detect and analyze the content of network traffic and, where possible, stop sensitive data from entering the transmission channel in time. Host protection is comparatively more traditional: anti-malware, encryption, change management and other security controls are all indispensable and effective. But in the end the people-related issues are the most troublesome: enforcing management policies and training employees to handle sensitive data correctly. Next I will discuss in detail how each of these three levels is implemented.

Network: prevention

For employees in enterprises, the two most common data transfer methods are e-mail and web transfer. Whether intentional or the result of accidental negligence, data leakage also relies on these two channels, and at the outset of an incident the specific cause is often unclear. Employees using corporate e-mail accounts often inadvertently send sensitive data to the wrong recipient address.
At the same time, malicious people intent on stealing sensitive information are likely to achieve their aims through personal web-mail accounts or by uploading information to online file-sharing sites. E-mail and web security gateways are therefore the first line of defense against both accidental and malicious harm. These gateways are usually used to inspect inbound traffic for spam and malware, but they can equally be deployed to monitor outbound traffic. Such gateways sit inline, as relay devices or proxies, on the web and mail traffic that employees generate. Gateway vendors such as Barracuda Networks, Cisco IronPort, McAfee and Websense have all introduced their own data loss prevention features. Because the traffic must pass through the gateway, the DLP (data loss prevention) module stands guard there to learn whether sensitive enterprise data is leaking. The module also watches for specific data types, such as credit card and social security numbers, and users can define which files must not be spread outside by creating classification labels. Once the module detects that such data is being sent out, it immediately alerts the administrator; the traffic is frozen at once and the user concerned receives a warning prompt. Such potential violations are also systematically reported to the security department, human resources and the user's immediate superior. This stern disciplinary measure will undoubtedly urge everyone to be serious and careful in their future work. Beyond web and e-mail traffic analysis, network-based DLP products can also monitor other protocols and services, including instant messaging, social networking sites, peer-to-peer file sharing and file transfer protocols.
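The outbound check a gateway DLP module performs, as an added example that is not code from the article or from any of the vendors it names: it inspects only mail leaving the enterprise, looks for social security numbers and credit card numbers (with a Luhn checksum so that order numbers do not trip it), honours classification labels, and masks the matched values in its findings so the alert itself does not leak the data. The internal mail domain, the label names and every sample message are constructed assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumptions (not from the article): the enterprise's own mail domain, and the
# classification labels whose content must never leave it.
INTERNAL_DOMAINS = {"example.com"}
BLOCKED_LABELS = {"CONFIDENTIAL", "RESTRICTED"}

# US social security number: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits optionally separated by spaces or hyphens; confirmed with Luhn below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


@dataclass
class Finding:
    message_id: str
    reason: str      # "ssn", "card" or "label"
    evidence: str    # masked, so the alert does not itself leak the data


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    return "*" * (len(value) - 4) + value[-4:]


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_card_numbers(text: str) -> list[str]:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect_message(msg: dict) -> tuple[str, list[Finding]]:
    """Return ("allow" | "block", findings). Only mail leaving the enterprise is inspected."""
    findings: list[Finding] = []
    if not any(is_external(r) for r in msg["to"]):
        return "allow", findings
    for ssn in SSN_RE.findall(msg["body"]):
        findings.append(Finding(msg["id"], "ssn", mask(ssn)))
    for card in find_card_numbers(msg["body"]):
        findings.append(Finding(msg["id"], "card", mask(card)))
    for label in sorted(BLOCKED_LABELS & {l.upper() for l in msg.get("labels", [])}):
        findings.append(Finding(msg["id"], "label", label))
    return ("block" if findings else "allow"), findings


# Constructed sample mail; every number here is a made-up test value.
SAMPLE_MESSAGES = [
    {"id": "m1", "to": ["bob@example.com"], "labels": [],
     "body": "Payroll check for SSN 123-45-6789 done."},            # internal only: allowed
    {"id": "m2", "to": ["someone@webmail.invalid"], "labels": [],
     "body": "SSN 123-45-6789, card 4111 1111 1111 1111 attached"},  # blocked: ssn + card
    {"id": "m3", "to": ["vendor@partner.invalid"], "labels": [],
     "body": "Order 1234-5678-1234-5678 shipped"},                   # fails Luhn: allowed
    {"id": "m4", "to": ["me@webmail.invalid"], "labels": ["Confidential"],
     "body": "Sending myself the roadmap"},                          # blocked by label
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, findings = inspect_message(msg)
        print(msg["id"], verdict, [(f.reason, f.evidence) for f in findings])
```

The verdict is what the gateway acts on (freeze the message, warn the user); the findings list is what gets forwarded to security, HR and the manager, which is why it carries masked evidence rather than the raw values.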
However, when faced with encrypted traffic, network-based security products such as DLP are blind. If a user prepares in advance and sends the data over an encrypted channel such as SSH/SCP or Tor, the content passes straight through the network-based DLP mechanism. To address this, DLP products usually also include host-based and storage-based DLP components, which we will discuss later. An anomaly detection system is another network-level alternative, and Lancope and Riverbed Technology are industry leaders in this field. These products first build a baseline of normal network activity, then compare current activity against that baseline and raise an alarm when it deviates. For example, a computer in the network normally interacts with 12 other computers and servers and transfers between 100MB and 200MB of data a day. If one day it suddenly interacts with more than 20 peers (computers, servers and other systems), or the transfer volume of a file server or database jumps past the 500MB mark, the abnormal activity immediately draws the system's attention and the administrator is alerted in real time. The CERT Insider Threat Center at Carnegie Mellon University has rigorously characterized the types and features of several main insider attacks; the most notable finding is that insider attackers usually engage in malicious activity within the month before they decide to leave the enterprise. They download sensitive data from enterprise servers to their workstations, then keep copies by e-mailing them, burning CDs or copying them to USB flash drives. Given the above, such abnormal downloads can be captured and tracked in time by a network anomaly detection system, and the activities of the users involved will be flagged and monitored.
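The baseline comparison described above, as an added example that is not code from the article or from Lancope or Riverbed: it summarizes a day of flow records per host (distinct peers, bytes sent) and applies the article's thresholds of more than 20 peers or more than 500MB. The same comparison generalizes to other per-entity counts, so a second function applies it to records read per database user, the check that the database activity monitoring products discussed next perform. The flow records, the baselines and the treatment of a user with no history are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

MB = 1024 * 1024


@dataclass
class Alert:
    subject: str   # host or user
    metric: str    # which baseline was exceeded
    value: int


def summarize_flows(flows):
    """Per host: number of distinct peers talked to (either direction), and bytes sent."""
    peers = defaultdict(set)
    sent = defaultdict(int)
    for src, dst, nbytes in flows:
        peers[src].add(dst)
        peers[dst].add(src)
        sent[src] += nbytes
    return {host: (len(peers[host]), sent[host]) for host in peers}


def detect_network_anomalies(flows, peer_limit=20, byte_limit=500 * MB):
    """Article's thresholds: more than 20 peers, or more than 500MB moved, in one day."""
    alerts = []
    for host, (n_peers, nbytes) in sorted(summarize_flows(flows).items()):
        if n_peers > peer_limit:
            alerts.append(Alert(host, "peers", n_peers))
        if nbytes > byte_limit:
            alerts.append(Alert(host, "bytes", nbytes))
    return alerts


def detect_db_anomalies(today, baseline, factor=10):
    """Flag users reading far more records than their normal range (upper bound x factor)."""
    alerts = []
    for user, n in sorted(today.items()):
        if user not in baseline:
            # Design choice (assumption): an account with no history is sent for review.
            alerts.append(Alert(user, "no-baseline", n))
        elif n > baseline[user][1] * factor:
            alerts.append(Alert(user, "records", n))
    return alerts


# Constructed one-day flow records: (source, destination, bytes sent).
FLOWS = [
    ("ws-01", "srv-mail", 40 * MB), ("ws-01", "srv-files", 90 * MB), ("ws-01", "srv-crm", 20 * MB),
    ("ws-07", "srv-files", 480 * MB), ("ws-07", "srv-db", 300 * MB),
    *[("ws-07", f"ws-{i:02d}", 1 * MB) for i in range(10, 34)],   # ws-07 touches 24 workstations
    ("srv-files", "ws-07", 560 * MB),                                # bulk pull from the file server
]
# Constructed DAM data: normal daily record range per user, and today's counts.
DB_BASELINE = {"alice": (30, 40), "bob": (30, 40), "etl-batch": (5000, 8000)}
DB_TODAY = {"alice": 38, "bob": 4200, "etl-batch": 7100, "carol": 900}

if __name__ == "__main__":
    for alert in detect_network_anomalies(FLOWS) + detect_db_anomalies(DB_TODAY, DB_BASELINE):
        print(alert)
```

Note what the output does and does not say: it names ws-07, srv-files and bob as deviating from their baselines, but, as the article goes on to explain, it does not say why, and that investigation still falls to people.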
However, a network anomaly detection system cannot know everything. First, it does not give us a clear hint such as "employee Bob appears to be trying to steal some sensitive records". Instead, the IT department receives reports of abnormal application and network activity, and the security team is responsible for the in-depth investigation. In other words, log analysis, network activity auditing and forensics all end up in the hands of people who do not understand the technology at all. This fragmented approach often brings the investigation to a dead end, and serious security threats are usually allowed to get away. IT and security teams must budget substantial money, time and effort to tune the anomaly detection system properly and finally extract valuable security leads through report analysis and investigation. IT departments can also use dedicated tools to monitor anomalies in the database. The main purpose of such tools is to track what employees are doing, because the database is the home base of valuable business information. The main vendors of database activity monitoring (DAM) products include Imperva and IBM, and their products help administrators easily understand how users interact with database servers. DAM products run at the network or host layer and can capture many abnormal activities, for example a user who usually accesses only 30 to 40 records suddenly accessing thousands in a single day.

The host that can't be ignored

Host systems such as laptops and tablets must also be strictly protected against intentional or unintentional compromise. One of the most effective ways to achieve this is encryption. In our Strategic Security Survey, 64% of respondents believe that encryption can effectively protect enterprises from security threats.
Encrypting laptops, portable storage media and mobile devices keeps the data on them secure even after they are stolen. Careful deployment and configuration of management policy ensures that encryption is applied in every respect. A strong password distribution and protection capability not only spares us worry about leakage after a device is lost, but also allows the information on the device to be wiped remotely. Encryption has many applications; for example, when files are copied to removable storage media, smartphones and e-mail, it makes the whole process more secure. Products such as Credant's Mobile Guardian and McAfee's Total Protection for Data actively encrypt data as it is written to mobile devices and portable storage media. To encourage the adoption of encryption, data breach laws in some countries do not require an enterprise that loses data, or has it stolen, to notify the affected customers if the information was encrypted. Enterprises with particularly strict security requirements often forbid employees from using portable storage media such as USB flash drives. Many endpoint protection suites, such as Symantec Endpoint Protection and McAfee DLP, can completely or partially prohibit the direct use of USB flash drives. Appropriate access and audit controls on sensitive data sources (such as file servers) can also effectively prevent malicious behaviour by internal employees. One solution is auditing at the basic file and folder level. That way the administrator can track users' access behaviour and operations such as privilege elevation and software installation in real time. Although this does not sound difficult, the challenge is that most enterprises do not know where their sensitive data is stored.
Without this basic information, the file and folder audit mechanism is basically useless. The first step is to determine where sensitive data is stored. Data discovery functions are now widely built into DLP products and can effectively help IT departments locate social security numbers, medical records and credit card data. Once the locations are known, we need to consolidate the data and associate the appropriate user permissions; the next step is to implement the file and folder audit process through centralized logging or a security information and event management (SIEM) tool. A correctly configured alerting system should raise an alarm in time when access behaviour is abnormal or external users obtain sensitive information. Another important step is to monitor configuration changes on workstations and servers and alert when necessary. Sudden large-scale changes are likely to indicate that a malicious person is compromising, or preparing to compromise, our sensitive data. In the preparation stage they first grant their workstations administrator-level privileges, add new hardware to copy data, or cover up their activity by clearing or disabling the logging system. SIEM and dedicated change management software can spot such activity in time and alert managers. Here I recommend Tripwire's Policy Manager and NetIQ's Secure Configuration Manager. Another advantage of change and configuration management tools is that they usually include workflow management, which can process and approve change requests and roll back configuration changes according to the record. Finally, IT departments must regularly record security information, review the logs and set the next priorities according to the statistics. Although this work is tedious, it is highly significant.
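The SIEM correlation the last two paragraphs describe, as an added example that is not code from the article or from Tripwire or NetIQ: it takes the output of the discovery step (which shares are sensitive and which groups may read them) and a stream of audit events, and raises alerts for sensitive reads by unauthorized or external accounts, for privilege elevation, for a cleared audit log, and for a burst of configuration changes on one host. The share list, the directory groups, the event format and every event are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed output of the data-discovery step: sensitive share prefix -> groups allowed to read it.
SENSITIVE_SHARES = {r"\\fs01\finance": {"finance"}, r"\\fs01\hr": {"hr"}}
# Assumed directory data: user -> groups. "external" marks contractor or vendor accounts.
USER_GROUPS = {"alice": {"finance"}, "bob": {"eng"}, "carol": {"eng"}, "vendor-x": {"external"}}


@dataclass
class Alert:
    ts: str
    rule: str
    user: str
    host: str
    detail: str


def share_policy(path):
    """Groups allowed to read a path under a sensitive share, or None if the path is not sensitive."""
    for prefix, groups in SENSITIVE_SHARES.items():
        if path.lower().startswith(prefix.lower()):
            return groups
    return None


def correlate(events, change_threshold=5, window=timedelta(minutes=10)):
    alerts = []
    recent_changes = defaultdict(deque)   # host -> timestamps of recent config changes
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, host, kind = ev["user"], ev["host"], ev["event"]
        if kind == "file_read":
            allowed = share_policy(ev["path"])
            if allowed is None:
                continue                      # not a sensitive location: no alert
            groups = USER_GROUPS.get(user, set())
            if "external" in groups:
                alerts.append(Alert(ev["ts"], "external-sensitive-access", user, host, ev["path"]))
            elif not groups & allowed:
                alerts.append(Alert(ev["ts"], "unauthorized-sensitive-access", user, host, ev["path"]))
        elif kind == "privilege_change":
            alerts.append(Alert(ev["ts"], "privilege-escalation", user, host, ev["detail"]))
        elif kind == "audit_log_cleared":
            alerts.append(Alert(ev["ts"], "audit-log-cleared", user, host, ev["detail"]))
        elif kind == "config_change":
            q = recent_changes[host]
            q.append(ts)
            while ts - q[0] > window:         # drop changes that fell out of the window
                q.popleft()
            if len(q) == change_threshold:    # fire once, when the burst reaches the threshold
                alerts.append(Alert(ev["ts"], "mass-config-change", user, host,
                                    f"{len(q)} changes within {window}"))
    return alerts


# Constructed audit events, in the order a SIEM would receive them.
EVENTS = [
    {"ts": "2012-06-04T09:00:00", "host": "fs01", "user": "alice", "event": "file_read",
     "path": r"\\fs01\finance\payroll.xlsx"},
    {"ts": "2012-06-04T09:05:00", "host": "fs01", "user": "bob", "event": "file_read",
     "path": r"\\fs01\finance\payroll.xlsx"},
    {"ts": "2012-06-04T09:10:00", "host": "fs01", "user": "vendor-x", "event": "file_read",
     "path": r"\\fs01\hr\records.db"},
    {"ts": "2012-06-04T09:30:00", "host": "ws-07", "user": "bob", "event": "privilege_change",
     "detail": "bob added to local Administrators"},
    *[{"ts": f"2012-06-04T09:{31 + i}:00", "host": "ws-07", "user": "bob",
       "event": "config_change", "detail": f"change {i}"} for i in range(6)],
    {"ts": "2012-06-04T09:40:00", "host": "ws-07", "user": "bob", "event": "audit_log_cleared",
     "detail": "Security log cleared"},
    {"ts": "2012-06-04T10:00:00", "host": "srv-build", "user": "carol", "event": "config_change",
     "detail": "scheduled patch"},
]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Alice's read and carol's single scheduled change produce nothing, which is the point of tying the rules to the discovery output and a change window: the alerts that remain are the ones worth a person's time, and the cleared-log event is the one to treat as most urgent, since it is an attempt to remove the very record the rest of the analysis depends on.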
We might as well recall the conclusion of the 2011 Verizon data breach investigation report: "Almost every data leakage incident offers the victim many opportunities to find and correct the problem in time before it really breaks out. However, these important records are either not read at all or, even if they are read, are not turned into actual action." In the 2012 report released by Verizon this trend continues: 84% of the victims in the survey had no idea that those extremely harmful data leakage incidents had left clues in their daily logs. In fact, as long as you carefully review the existing logs, such an internal attack can be killed in the cradle. It is for this reason that Verizon advised large enterprises to "carefully monitor and deeply analyze event logs" and gave this advice a prominent place as the motto of the annual report.

Human factors: establishing rules

Studies show that most malicious insider attacks come from employees who are dissatisfied with the enterprise or are about to leave it to find another job. In addition, employees who bear no grudge are likely to fall for phishing attacks on social networks and other websites, because ordinary people generally do not understand the harm and characteristics of malicious links. The human factor is the most insurmountable gap in security work. To raise awareness across the whole workforce, we must first establish a set of management policies that are precise and easy to understand. Unfortunately, from my review of current mainstream security architectures and policy content, most enterprises have not done this well. The policy terms are long-winded, and the language between the lines is so obscure that most ordinary employees cannot understand, or even finish reading, such rules. So employees soon put the policy out of their minds.
It is not that they do not want to comply, but that they cannot understand it at all, or even get through such a long text. When creating a management policy, do not simply list the items or rules and regulations to be checked. Instead, anticipate what employees may encounter in their daily work, provide operational guidance on that basis, and clearly list the prohibited behaviours. Combining background checks, data handling and classification, licensing of enterprise resource use, security precautions, training and policy formulation, we strive to produce a set of guidance documents that genuinely serve practice. Draw up a detailed data classification and handling scheme that clearly defines which data may be stored on which systems, how data should be transmitted over the network, the various encryption requirements, and whether data may be stored on mobile devices and portable storage media. Employees who frequently handle sensitive data and systems should keep information in strict accordance with the data classification policy and update it regularly. Training is also essential if we want employees to comply effectively with the policy requirements. As far as possible, use existing resources to help the enterprise build a training plan, including the security work outline published by the System Network Security Association and the enterprise security awareness training plan drawn up by the Offensive Security team. In addition, the report "Security: Instructions for Users" published on the InformationWeek website contains many practical skills, so employees may wish to read it carefully for guidance in their actual work. It is worth mentioning that the security of physical equipment is also a key factor that is often overlooked. Enterprises often spend all their energy formulating management mechanisms but fail to think about how to prevent employees from stealing company equipment.
You might as well deploy monitoring systems in sensitive locations to restrict employee access and minimize the occurrence of theft.

An impregnable defense

To guard against internal threats at a fundamental level, one must strictly investigate technical loopholes and monitor employee behaviour over the long term. Neither is easy, especially when internal employees access sensitive data for work purposes. The key to solving the problem is to understand the attack process, understand the potential motivations, and deploy controls at the best level. You may wish to identify the most important information to be protected and build an indestructible defense around it, then use that experience to extend control to the network and host systems as appropriate. Then do not underestimate the human factor: formulate management policies that employees can easily understand and follow, cultivate good security habits among employees, and always watch every detail of user activity with a vigilant eye. It is true that the network, host and human factors are each controlled by a tiered scheme, but the ideal is still far from us, and the road to it is always bumpy and long. As Verizon said in its 2012 annual report (for the third consecutive year), almost all internal violations are "the result of organization and premeditation". If we really want to get a firm grip on internal threats, we may have to come up with an equally "organized and premeditated" plan to deal with them.