ISO 27001:2022 A 8.12 Data leakage prevention

Data leakage prevention has been added to ensure organisations have measures to detect and prevent the unauthorized disclosure and extraction of information by both individuals or systems. Data leakage can broadly be described as any information that is accessed, transferred or extracted by unauthorized internal and external personnel and systems, or malicious sources that target an organisation’s information operation. A data leak is an overlooked exposure of sensitive data, either electronically or physically. Data leaks could occur internally or via physical devices such as external hard drives or laptops. If a cyber criminal locates a data leak, they can use the information to arm themselves for a data breach attack. Data leaks are an easy attack vector for cyber criminals. A data leak is the accidental exposure of sensitive information. These events are not initiated by an external impetus. They’re caused by vulnerabilities in the security controls protecting confidential data. Data leaks can also be caused by cyber criminals publishing stolen data on their official dark web noticeboards, also known as ransomware blogs. Exposed data, such as leaked credentials, allows unauthorized access to an organization’s systems. This direct access enables hackers to carry out a range of cyber attacks with less effort, such as:

  • Ransomware and other types of malware injections
  • Social engineering, including phishing
  • Data exfiltration /data theft

Controls

Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.

Purpose

To detect and prevent the unauthorized disclosure and extraction of information by individuals or systems.

ISO 27002 Implementation Guidance

The organization should consider the following to reduce the risk of data leakage:
a) identifying and classifying information to protect against leakage (e.g. personal information, pricing models and product designs);
b) monitoring channels of data leakage (e.g. email, file transfers, mobile devices and portable storage devices);
c) acting to prevent information from leaking (e.g. quarantine emails containing sensitive information).
Data leakage prevention tools should be used to:
a) identify and monitor sensitive information at risk of unauthorized disclosure (e.g. in unstructured data on a user’s system);
b) detect the disclosure of sensitive information (e.g. when information is uploaded to untrusted third-party cloud services or sent via email);
c) block user actions or network transmissions that expose sensitive information (e.g. preventing the copying of database entries into a spreadsheet).
The organization should determine if it is necessary to restrict a user’s ability to copy and paste or upload data to services, devices and storage media outside of the organization. If that is the case, the organization should implement technology such as data leakage prevention tools or the configuration of existing tools that allow users to view and manipulate data held remotely but prevent copy and paste outside of the organization’s control. If data export is required, the data owner should be allowed to approve the export and hold users accountable for their actions. Taking screenshots or photographs of the screen should be addressed through terms and conditions of use, training and auditing. Where data is backed up, care should be taken to ensure sensitive information is protected using measures such as encryption, access control and physical protection of the storage media holding the backup. Data leakage prevention should also be considered to protect against the intelligence actions of an adversary from obtaining confidential or secret information (geopolitical, human, financial, commercial, scientific or any other) which can be of interest for espionage or can be critical for the community. The
data leakage prevention actions should be oriented to confuse the adversary’s decisions for example by replacing authentic information with false information, either as an independent action or as response to the adversary’s intelligence actions. Examples of these kinds of actions are reverse social engineering or the use of honeypots to attract attackers.

Other information

Data leakage prevention tools are designed to identify data, monitor data usage and movement, and take actions to prevent data from leaking (e.g. alerting users to their risky behavior and blocking the transfer of data to portable storage devices). Data leakage prevention inherently involves monitoring personnel’s communications and online activities, and by extension external party messages, which raises legal concerns that should be considered prior to deploying data leakage prevention tools. There is a variety of legislation relating to privacy, data protection, employment, interception of data and telecommunications that is applicable to monitoring and data processing in the context of data leakage prevention. Data leakage prevention can be supported by standard security controls, such as topic-specific policies on access control and secure document management

Data leakage is a common problem within organisations that deal with large amounts of data, of different classifications, across multiple standalone and linked ICT systems, applications and file servers.‍Data leakage prevention is a cyber security practice that involves implementing secure data practices to reduce accidental exposure. The control is regarding data leakage prevention measures which should be applied to systems, networks and any other devices that process, store, or transmit information. While it can be difficult to detect data leakage within your organisation, we recommend starting with a detailed risk assessment of the data you handle. This will help you to identify any weaknesses in your current data processing procedures that could lead to an unauthorized disclosure of data. Although prevention is better than cure, many organisations take an “assumed breach” approach and on that basis you may also consider “seeding” datasets with uniquely identifiable information that you can easily detect via scans of ‘dark web’ or ‘pasted’ data.Organisations can apply the organisation’s classification scheme to information, having techniques to monitor for data leakage, such as email scanning, file transfers and control of mobile storage devices. and tools to block user actions that could expose sensitive information for example preventing the copying of information from a database into a spreadsheet, etc.Data leakage is difficult to eradicate entirely. That being said, to minimize the risks that are unique to their operation, organisation’s should:

  • Classify data in line with recognized industry standards (PII, commercial data, product information), in order to assign varying risk levels across the board.
  • Closely monitor known data channels that are heavily utilised and prone to leakage (e.g. emails, internal and external file transfers, USB devices).
  • Take proactive measures to prevent data from being leaked (e.g. robust file permissions and adequate authorization techniques).
  • Restrict a user’s ability to copy and paste data (where applicable) to and from specific platforms and systems.
  • Require authorization from the data owner prior to any mass exports being carried out.
  • Consider managing or preventing users from taking screenshots or photographing monitors that display protected data types.
  • Encrypt backups that contain sensitive information.
  • Formulate gateway security measures and leakage prevention measures that safeguard against external factors such as (but not limited to) industrial espionage, sabotage, commercial interference, and/or IP theft.

Data leakage prevention is linked to numerous other ISO security guidelines that seek to safeguard information and data across an organisation’s network, including Access Control measures and secure document management Organisations should consider using dedicated data leakage tools and utility programs that:

  • Work in tandem with the organisation’s approach to data classification, and identify the potential for leakage within high-risk data types.
  • Detect and proactively alert upon the transfer and/or disclosure of data, especially to unauthorised systems, file sharing platforms or applications.
  • Recognize the risks inherent within certain data transfer methods (e.g. copying financial information from a database into a spreadsheet).
  • Data leakage prevention tools are intrusive by their very nature, and should be implemented and managed in accordance with any regulatory requirements or legislation that deals with user privacy.

Data leaks occur when sensitive data is accidentally exposed publicly, either physically or digitally. Common causes of data leaks include:

  • Misconfigured software settings
  • Social engineering
  • Recycled or weak passwords
  • Physical theft/loss of sensitive devices
  • Software vulnerabilities
  • Insider threats

There are four major categories of data leaks – customer information, company information, trade secrets, and analytics.

1. Customer Information: Some of the biggest data breaches included customer data leaks that involved Personal Identifiable information. Customer data is unique to each company. Customer confidential information could include any of the following:

  • Customer names
  • Addresses
  • Phone number
  • Email addresses
  • Usernames
  • Passwords
  • Social Security numbers
  • Payments histories
  • Product browsing habits
  • Credit Card numbers

2. Company Information: Leaked company information exposes sensitive internal activity. Such data leaks tend to be in the cross hairs of unscrupulous businesses pursuing the marketing plans of their competitors. Company data leaks could include the following:

  • Internal communications
  • Performance metrics
  • Marketing strategies

3. Trade Secrets: This is the most dangerous form of data leak to a business. Intellectual property theft destroys a business’s growth potential, running it to the ground. Trade secret leakage could include the following types of data:

  • Upcoming product plans
  • Software coding
  • Proprietary technology information

4. Analytics: Large data sets feed analytics dashboards, and cyber criminals are drawn to any sizable pool of data. Analytics software is, therefore, an attack vector that needs to be monitored. Analytics data leaks could include the following:

  • Customer behavior data
  • Psychographic data
  • Modeled data

The following data security practices could prevent data leaks and minimize the chances of data breaches.

1.Evaluate the Risk of Third Parties: Unfortunately, your vendors may not take cybersecurity as seriously as you do. It’s important to keep evaluating the security posture of all vendors to ensure they’re not at risk of suffering data leaks through critical security vulnerabilities. Vendor risk assessments are a common method of identifying third-party security risks and ensuring compliance with regulatory standards,

2. Monitor all Network Access: The more corporate network traffic being monitored, the higher the chances of identifying suspicious activity. Cyber attacks are usually preceded by reconnaissance campaigns – cyber criminals need to identify the specific defenses that need circumventing during an attack. Data leak prevention solutions empower organizations to identify and strengthen security vulnerabilities to prevent the possibility of reconnaissance campaigns. Information security policies may need to be revised to enforce privileged access to highly sensitive data.

3. Identify All Sensitive Data: Data Leakage Prevention should be front of mind for organizations looking to enhance their Information security strategies. Before Data Leakage Prevention policies can be initiated, businesses need to identify all of the sensitive data that needs to be secured. This data then needs to be correctly classified in line with strict security policies. With correct sensitive data discovery and classification, a business can tailor the most efficient data leak prevention defenses for each data category.

4. Secure All Endpoints: An endpoint is any remote access point that communicates with a business network via end-users or autonomously. This includes Internet of Things (IoT) devices, desktop computers, and mobile devices. With most organizations now adopting some form of a remote working model, endpoints have become dispersed (sometimes even internationally), making them harder to secure. Organizations must extend their coverage to cloud-based endpoint security. Organizations need to train their staff to recognize the trickery of cyberattackers, particularly email phishing and social engineering attacks. Education is a very powerful data leakage prevention solution. Securing endpoints is a fundamental component of Data Leakage Prevention .

5. Implement Data Loss Prevention (DLP) Software
Data loss prevention (DLP) is an overarching data protection strategy that should include data leak prevention as a core component. An effective DLP system combines processes and technology to ensure sensitive data is not lost, misused, or exposed to unauthorized users. Below are the six components of a DLP program requiring DLP solutions:

  • Data identification: Many organizations leverage automation techniques, such as machine learning and artificial intelligence (AI), to streamline the data identification process.
  • Securing data in motion: Deploy DLP software at the network edge to detect sensitive data transfers violating data loss prevention policies.
  • Securing endpoints: Endpoint DLP agents can monitor user behavior in real-time and control data transfers between specified parties, e.g., through instant messaging apps.
  • Securing data at rest: DLP products can enforce access control, regulatory compliance requirements, encryption algorithms, and data storage policies to protect archived data.
  • Secure data in use: Comprehensive DLP tools can monitor and flag unauthorized user behavior, e.g., unauthorized privilege escalation on an app.
  • Data leak detection: If data leak prevention strategies fall through, fast remediation is crucial to avoiding a data breach. Effective data leak detection tools can scan the open and deep web for data exposures, including S3 buckets and GitHub repositories, enabling faster removal of potential breach vectors.

6) Encrypt All Data: Cyber criminals may find it difficult to exploit data leaks if the data is encrypted. There are two main categories of data encryption – Symmetric-Key Encryption and Public-Key Encryption.While encrypted data may stump amateur hackers, capable cyber attackers could decrypt the data without a decryption key. For this reason, data encryption shouldn’t be the sole data leak prevention tactic but should be used alongside all the methods in this list.

7) Evaluate All Permissions: Your confidential data could currently be accessed by users that don’t require it. As an initial response, all permissions should be evaluated to ensure access isn’t being granted to authorized parties. Once this has been verified, all critical data should be categorized into different levels of sensitivity to control access to different pools of data. Only trustworthy staff with essential requirements should have access to highly sensitive data.This privileged access assignment process may also identify malicious insiders facilitating sensitive data exfiltration.

8) Monitor the Security Posture of All Vendors: Sending risk assessments will prompt vendors to strengthen their cyber security efforts, but without a monitoring solution, remediation efforts cannot be confirmed. Security scoring is a highly efficient way of evaluating a vendor’s susceptibility to data breaches. These monitoring solutions display all vendors in the third-party network alongside their security rating, giving organizations instant transparency into the health status of their entire vendor network.

Leave a Reply