Insider Information Leakage
I would like to share my thoughts on an area which I believe is high risk and can have a very negative effect on organizations. Although this is not specific to the SAP environment, I felt that the GRC community is the right forum to discuss such concerns.
The formula is simple – the risk of insider information leakage through emails is directly proportional to the increase in email usage.
Why does this happen? It is basically the ease with which confidential information can be sent out of our corporate networks through our email systems. Attaching a document and hitting the ‘send’ button in a mail system takes a few minutes! We all know the number of mails that are forwarded to each other. Organizations have spent huge resources in protecting their internal environment from external attacks. According to CSO Magazine (March 2005), “52% of CISOs say they have a ‘moat and castle’ approach to network security, admitting that once the perimeter is penetrated the inner defenses are soft.”
As organizations rely more on information technology to increase competitiveness and efficiency, they also increase their vulnerability to information leakage by insiders. This information leakage could be perpetrated with malicious intent or caused inadvertently by human error, and the result is potentially devastating.
Gartner studies indicate that a majority of real data losses have been caused by insiders. Walk into any corporate office and you will see that the majority of employees are accessing mails or communicating with the external world through chats, internet messaging etc.
Organizations are expected to provide greater protection against rampant identity theft which puts their customer data at risk.
Organizations want to ensure that intellectual assets such as patents, trademarks, brands, trade secrets, software code, designs, architecture, algorithms etc, are not leaked and abused.
Organizations need protection against leakage of internal confidential information, which can be very damaging to customer trust and to the company brand.
Privileged information, such as customer data, credit card info, financial statements, MIS reports, audit reports, board minutes, business plans etc. can be surreptitiously hidden in common applications like spreadsheets, word documents, presentations and sent to persons who should not get this information.
Regulators have mandated more transparent corporate governance and in some cases require the monitoring of mails.
Therefore, organizations need a high-performance solution that provides real-time vigilance over all information that leaves the organization.
Due to the sheer volume of mails sent out of organizations it is impossible to have a monitoring process that is manual. Technology has to be used to automate the process of verifying every single byte of information being sent through emails and highlighting any violations. Security software is available today that does this.
In order to be effective and efficient, such software should cover all communication protocols like SMTP, HTTP, FTP, POP, IP, Telnet, Web Mail, Chat etc. and also the most commonly used file formats like Microsoft Word (.doc), Microsoft Excel (.xls), PowerPoint (.ppt), Adobe (.PDF) etc.
Real Time Information Capture and Analysis would normally cover the following areas:
Packet Capture & Protocol Decoding Engine
The engine captures every outgoing packet on the network at line speed, in passive mode, and covers many of the commonly used communication protocols: SMTP, HTTP, FTP, POP, IP, Telnet, Web Mail, Chat etc. It is important that such engines work in a non-intrusive mode, since they should not affect network performance.
Content Analysis Engine
This engine analyses various file formats like Microsoft Word (.doc), Microsoft Excel (.xls), PowerPoint (.ppt), Adobe (.PDF) etc, and can also monitor for structured data items like social security numbers, credit card numbers, URLs, personal IDs etc.
Forensic Analysis Engine
The Audit and Forensic engine allows an administrator to analyze the trail of alert events and to extract patterns of information. These alerts can be the basis of a periodic report, or can trigger appropriate notification via email, an instant message or any other preferred communications medium.
The administrator can define the desired security policy through the Policy Definition Interface. The security policies that can be set through the policy definition module include the type of document or content to track, the protocols to decode, the keywords or key phrases to be searched, the threshold for alerts to be generated and the preferred notification vehicle.
The software should give real time alerts, based on policies set up in the Policy Definition Engine. It is important that these alerts are closely monitored and proper action taken to ensure that confidential information does not reach the wrong hands.
The dashboard displays the alerts generated when a specified policy is breached, using either tabular data or charts.
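As an added illustration, not code from the original post or from any product it describes, here is a small Python sketch of how the Content Analysis Engine and the policy threshold described above fit together: a keyword list, structured-data detectors for card numbers and social security numbers, and an alert threshold. The policy values are hypothetical and the sample message is constructed.

```python
import re

# Constructed sample of outbound message text (not taken from the original post).
SAMPLE_MESSAGE = (
    "Hi, attaching the Q3 board minutes as discussed. "
    "Card on file for the vendor is 4539 1488 0343 6467, "
    "and the contractor's SSN is 078-05-1120. Please keep this confidential."
)

# Hypothetical policy, mirroring what the Policy Definition Interface would hold:
# key phrases to search for and the number of findings that triggers an alert.
POLICY = {
    "keywords": ["board minutes", "trade secret", "confidential"],
    "threshold": 2,
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13 to 19 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US social security number layout


def luhn_valid(number: str) -> bool:
    """Luhn checksum: drops random digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_content(text: str, policy: dict) -> list:
    """Return (finding_type, matched_text) pairs for one piece of outbound content."""
    findings = []
    lowered = text.lower()
    for phrase in policy["keywords"]:
        if phrase in lowered:
            findings.append(("keyword", phrase))
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group()):          # only Luhn-valid runs count as card numbers
            findings.append(("credit_card", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    return findings


def evaluate_policy(text: str, policy: dict) -> tuple:
    """Apply the alert threshold: (alert_raised, findings)."""
    findings = scan_content(text, policy)
    return len(findings) >= policy["threshold"], findings


if __name__ == "__main__":
    alert, hits = evaluate_policy(SAMPLE_MESSAGE, POLICY)
    print("ALERT" if alert else "ok", hits)
```

The Luhn check is what keeps an order reference or phone number from being reported as a card number; a real engine would add the same kind of validation for each structured-data type it tracks.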
With the increased risk of information leakage by insiders and confidential information getting to the wrong hands, organizations should take immediate steps to mitigate these risks. This cannot be done manually and it is only through the use of technology that preventive, detective and deterrent controls can be administered with ease. This is a real threat and the negative impact it can have on an organization is substantial. This is not fiction…it is a reality!