Data Leakage: Understanding and Preventing the Threat
What is Data Leakage?
Data leakage, also referred to as low-profile data theft, involves the unauthorized transfer of electronic or physical data from an organization to external recipients or destinations. Threat actors often leak data using email accounts or the web. They may also use mobile data storage devices like USB keys, laptops, and optical media.
Data leakage can result from purposeful insider action meant to harm the organization, or as part of a bigger scheme to commit payment fraud. It can also be accidental. Cybercriminals look for various types of information in data leaks, including customer information and trade secrets. The scope and the type of leak determine the damage caused to the organization.
This is part of our series of articles about endpoint security.
Causes of Information Leakage
Here are common causes of information leaks at organizations:
Insider Threats
Insider threats include dissatisfied employees, former employees who still have access to sensitive systems, and business partners. Their motive may be economic gain, theft of valuable data, or a desire for revenge; in each case the insider is stealing the organization’s sensitive data for financial or personal benefit.
Payment Fraud
Payment fraud is an attempt to make a fraudulent or illegal transaction. Common scenarios include credit card scams, false returns, and triangle scams. A triangle scam involves an attacker opening an online store with very low prices, tricking customers into providing their payment information, and then using this payment information to buy products at other stores.
Social Engineering
When data leaks are initiated by cybercriminals, they are usually the result of social engineering tactics. Social engineering is the use of psychological manipulation to trick victims into handing over sensitive information. Phishing is the most common type of social engineering attack. Traditionally, phishing takes the form of a written message asking the user to provide confidential information or perform an action favorable to the attacker. Increasingly, phishing is also performed over the phone (known as vishing).
Very often, attackers are after data that does not appear sensitive on its own but can expand the list of potential victims. This poses a serious threat to data security, because attackers can easily deceive unsuspecting employees by requesting seemingly harmless information such as phone numbers and social security numbers.
Physical Theft of Sensitive Devices
Company devices contain sensitive information, and misuse of these devices can lead to security breaches and theft of company information.
For example, a cybercriminal can use a stolen device to contact an IT administrator and claim that they have forgotten their login information. With a convincing strategy, attackers can breach the device and gain access to the corporate network.
Accidental Exposure
Many data breaches are not caused by an attack, but rather by unintentional exposure of sensitive information. For example, employees might view sensitive data and save it to a non-secure location, or IT staff might mistakenly expose a sensitive internal server or cloud system to the Internet.
Malicious Electronic Communications
Many organizations give employees access to the Internet, email, and instant messaging as part of their role. The problem is that all of these media allow files to be transferred to, or external sources to be reached over, public networks.
Attackers often target these communication channels and achieve a high success rate. For example, a cybercriminal could spoof a legitimate business email and simply ask an employee to send them sensitive data. If the user is fooled by the message, they could attach the requested files to the email and send them to the attacker.
What Do Cyber Criminals Look for in Data Leaks?
The majority of data leaks involve either personally identifiable information (PII) or protected health information (PHI). Examples of PII are names, social security numbers, and other personal details. PHI is defined in the US HIPAA regulation as any information about an individual’s past, present, or future health.
Below are a few types of sensitive data that are commonly targeted in data leaks.
Customer Information
This is information about a company’s customers, including their names and contact details, credentials, activity history, and payment details.
What damage can it cause?
Exposure of customer information can damage both the company and its customers, cause harm to reputation, and in many cases expose a company to compliance violations and lawsuits.
Company Information
This is information revealing the company’s internal operations. It can include emails and internal documents; strategy, marketing, and business plans; and business metrics or forecasts.
What damage can it cause?
Exposure of company information can provide competitors, rivals, or attackers valuable data about a company’s operations. This can give third parties an unfair advantage over the company or help them cause direct damage to its operations. Attackers can also use it to plan secondary attacks.
Trade Secrets
This is possibly the most sensitive information a company can lose in a data leak, including intellectual property, plans for future products, source code, and details about proprietary technologies.
What damage can it cause?
Exposure of trade secrets can cause a company to lose large investments in research and development and make its market offering less valuable.
Analytics Data
This is data used by a business to derive insights about its customers or environment. It can include historical data about customers or prospects in the industry, demographic data, and models that can generate useful predictions in the company’s industry.
What damage can it cause?
Analytics data is valuable to the business, and so it is equally valuable to an attacker. Like other types of data leaks, it can give third parties an unfair advantage by exposing internal knowledge. If analytics data is not anonymized, it can have the additional impact of exposing PII.
How to Prevent Data Leaks
Ensure Timely Detection
You can avoid or reduce the fallout from a data leak by detecting improper activity fast. Ensure you receive alerts on changes to critical access or configuration parameters, and act quickly to investigate and remediate anomalies. Put in place monitoring for unusual data transfers, such as data loss prevention (DLP), and intervene early on if you discover users copying unusual amounts of data.
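As an added example (not part of this article or of any product described here), the following Python detector implements the "unusual amounts of data" check described above over constructed transfer-log lines: it totals bytes per user per day and raises an alert when a day's total exceeds a hard cap or a multiple of the peer median. The log format, field names and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import median
# Constructed sample transfer log (not from any real product): one line per
# outbound copy, giving the user, channel, destination and bytes moved.
SAMPLE_LOG = """\
2024-03-01T09:12:00 user=alice channel=email dest=partner.example bytes=120000
2024-03-01T11:30:00 user=bob channel=usb dest=removable bytes=150000
2024-03-01T12:00:00 user=alice channel=web dest=drive.example bytes=95000
2024-03-01T14:20:00 user=carol channel=web dest=drive.example bytes=70000
2024-03-02T09:00:00 user=alice channel=usb dest=removable bytes=100000
2024-03-02T09:30:00 user=bob channel=usb dest=removable bytes=130000
2024-03-02T18:50:00 user=carol channel=usb dest=removable bytes=4200000000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) channel=\S+ "
                     r"dest=\S+ bytes=(?P<bytes>\d+)$")

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"day": m["ts"][:10], "user": m["user"],
                           "bytes": int(m["bytes"])})
    return events

def daily_totals(events):
    """Sum bytes moved per (user, day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["day"])] += e["bytes"]
    return totals

def flag_unusual_transfers(events, factor=5.0, hard_cap=1_000_000_000):
    """Alert when a daily total exceeds the hard cap or factor x the peer median."""
    totals = daily_totals(events)
    baseline = median(totals.values())  # peer baseline across all user-days
    alerts = []
    for (user, day), total in sorted(totals.items()):
        reasons = []
        if total > hard_cap:
            reasons.append("exceeds hard cap")
        if total > factor * baseline:
            reasons.append(f"{total / baseline:.0f}x peer median")
        if reasons:
            alerts.append({"user": user, "day": day, "bytes": total, "reasons": reasons})
    return alerts
```

Running `flag_unusual_transfers(parse_log(SAMPLE_LOG))` returns a single alert for carol on 2024-03-02; in practice the peer baseline should be computed from a longer history than the alerted day itself.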
Classify Data according to Sensitivity and Value
To prevent data leaks, the first step is to identify which data employees are able to freely share. You should then decide who should have permission to access this data. Using data identification and classification, you can organize your data into categories, protecting sensitive data as required.
Here are a few technologies commonly used to protect sensitive data:
- Data Loss Prevention (DLP)
- Identity and access management (IAM)
- Privileged Access solutions
- Change management and auditing
- User and entity behavior analytics (UEBA)
Discover and Mitigate IT Risks
You can’t discover your most vulnerable areas unless you periodically assess your risk. To implement successful risk management and risk assessment, you may wish to follow an industry-standard framework such as those published by the National Institute of Standards and Technology (NIST). NIST SP 800-30 provides guidance on conducting risk assessments, which can help mitigate many of the risks that lead to data leakage.
Data Leakage Prevention with Hysolate
Hysolate’s fully managed isolated Workspace sits on end user devices but is managed via granular policies from the cloud. These policies give admins full control for monitoring and visibility into potential data leakage risks, including sending telemetry data to their SIEM. Admins can limit data transfer out of the isolated, encrypted Hysolate Workspace via copy/paste, printing, and peripherals; can set anti-keylogging and screen capture policies; and can set up a watermark to deter external screen capture.
Employees can be provided with an isolated Workspace on their corporate device, so that they can access sensitive systems and data from a completely isolated and secure environment. Policies can be set to limit data exiting the Workspace, either accidentally or on purpose.
For contractors, Hysolate’s isolated OS solution provides a secure Workspace to access the data and applications they need to do their jobs. The Workspace can be pre-provisioned with all the applications and policies required for the contractor to connect to and work in the corporate environment. At the end of the contractor’s engagement, the Hysolate Workspace can be instantly deprovisioned remotely without leaving any data on the contractor’s device.
The Benefits of Hysolate Workspace for preventing data leakage
- An additional layer of data leakage protection for both corporate and non-corporate devices, including telemetry sent to a SIEM solution for additional monitoring and visibility.
- Admins can set policies to limit data transfer in and out of the Hysolate Workspace, including files, documents, and applications.
- Hysolate has security capabilities to lock the Workspace so that it can only be entered with a PIN.
- Hysolate’s Workspace can also be set with a watermark, to reduce the risk from external screen capture.
- Admins can wipe the Workspace OS remotely if a threat surfaces, or when it is no longer needed.