
I would like to share my thoughts on an area which I believe is high risk and can have a very negative effect on organizations. Although this is not specific to the SAP environment, I felt that the GRC community is the right forum to discuss such concerns.

The Challenge

The formula is simple – the risk of insider information leakage through emails is directly proportional to the increase in email usage.

Why does this happen? It comes down to the ease with which confidential information can be sent out of our corporate networks through our email systems. Attaching a document and hitting the ‘send’ button in a mail system takes a few minutes! We all know how many mails are forwarded to each other. Organizations have spent huge resources in protecting their internal environment from external attacks. As per CSO Magazine, March 2005, “52% of CISOs say they have a “moat and castle” approach to network security, admitting that once the perimeter is penetrated the inner defenses are soft.”

As organizations rely more on information technology to increase competitiveness and efficiency they also increase their vulnerability to information leakage by insiders. This information leakage could be perpetrated with malicious intent or caused inadvertently by human error and the result is potentially devastating.

Gartner studies indicate that a majority of real data losses have been caused by insiders. Walk into any corporate office and you will see that the majority of employees are accessing mails or communicating with the external world through chats, internet messaging etc.

The Problem

Organizations are expected to provide greater protection against rampant identity theft which puts their customer data at risk.

Organizations want to ensure that intellectual assets such as patents, trademarks, brands, trade secrets, software code, designs, architecture, algorithms etc. are not leaked and abused.

Organizations need protection against leakage of internal confidential information, which can be very damaging to customer trust and to the company brand.

Privileged information, such as customer data, credit card info, financial statements, MIS reports, audit reports, board minutes, business plans etc. can be hidden in ordinary files like spreadsheets, word documents and presentations and sent to persons who should not receive this information.

Regulators have mandated more transparent corporate governance and in some cases require the monitoring of mails.

Therefore, organizations need a high-performance solution that provides real-time vigilance over all information that leaves the organization.

The Solution

Due to the sheer volume of mails sent out of organizations it is impossible to have a monitoring process that is manual. Technology has to be used to automate the process of verifying every single byte of information being sent through emails and highlighting any violations. Security software is available today that does this.

In order to be effective and efficient, such software should cover all communication protocols like SMTP, HTTP, FTP, POP, IP, Telnet, Web Mail, Chat etc. and also the most commonly used file formats like Microsoft Word (.doc), Microsoft Excel (.xls), Powerpoint (.ppt), Adobe (.PDF) etc.

Real Time Information Capture and Analysis would normally cover the following areas:

Packet Capture & Protocol Decoding Engine

The engine captures every outgoing packet on the network at line speed, in passive mode, and covers many of the commonly used communication protocols: SMTP, HTTP, FTP, POP, IP, Telnet, Web Mail, Chat etc. It is important that such engines work in a non-intrusive mode, since they should not affect network performance.

Content Analysis Engine

This engine analyses various file formats like Microsoft Word (.doc), Microsoft Excel (.xls), Powerpoint (.ppt), Adobe (.PDF) etc, and can also monitor for structured data items like social security numbers, credit card numbers, URLs, personal IDs etc.

Forensic Analysis Engine

The Audit and Forensic engine allows an administrator to analyze the trail of alert events and to extract patterns of information. These alerts can be the basis of a periodic report, or can trigger appropriate notification via email, an instant message or any other preferred communications medium.

Policy Definition

The administrator can define the desired security policy through the Policy Definition Interface. The security policies that can be set through the policy definition module include the type of document or content to track, the protocols to decode, the keywords or key phrases to be searched for, the threshold at which alerts are generated and the preferred notification vehicle.

Security Alerts

The software should give real time alerts, based on policies set up in the Policy Definition Engine. It is important that these alerts are closely monitored and proper action taken to ensure that confidential information does not reach the wrong hands.
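As an added illustration (not from the original post or any product it describes), here is a minimal version in Python of the content analysis, policy definition and alerting pieces described above: a policy combines key phrases and structured-data patterns with an alert threshold, and a Luhn checksum on card-format numbers keeps arbitrary 16-digit identifiers from becoming false positives. The message body, policy names and thresholds are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Constructed outgoing message body for the demo (no real card or SSN data).
SAMPLE_MAIL = """Subject: FW: Q3 numbers
Hi, attaching the board minutes and the MIS report as discussed.
Test card for the demo: 4111 1111 1111 1111 (sandbox only).
Customer SSN on file: 123-45-6789
Order ref 1234 5678 9012 3456 is unrelated.
"""

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates card-format numbers from arbitrary digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN layout NNN-NN-NNNN

@dataclass
class Policy:
    name: str
    keywords: tuple = ()     # key phrases to search for (case-insensitive)
    patterns: tuple = ()     # (label, regex, validator or None) for structured data
    threshold: int = 1       # minimum number of hits before an alert is raised

def scan(text: str, policy: Policy) -> list:
    """Return every keyword and pattern hit of one policy in the message text."""
    lower = text.lower()
    hits = [("keyword", kw) for kw in policy.keywords if kw.lower() in lower]
    for label, regex, validator in policy.patterns:
        for m in regex.finditer(text):
            if validator is None or validator(re.sub(r"\D", "", m.group(0))):
                hits.append((label, m.group(0)))
    return hits

def evaluate(text: str, policies: list) -> list:
    """Apply all policies; an alert is (policy name, hits) once the threshold is met."""
    alerts = []
    for p in policies:
        hits = scan(text, p)
        if len(hits) >= p.threshold:
            alerts.append((p.name, hits))
    return alerts

POLICIES = [
    Policy("confidential-documents",
           keywords=("board minutes", "mis report", "audit report"), threshold=2),
    Policy("structured-data",
           patterns=(("credit card", CARD_RE, luhn_ok), ("ssn", SSN_RE, None))),
]

def alerts_for_sample() -> list:
    return evaluate(SAMPLE_MAIL, POLICIES)
```

The "Order ref" line matches the card pattern but fails the Luhn check, so it raises no alert; in a real gateway the hits would feed the notification and dashboard components rather than a list.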

Management Dashboard

The dashboard displays the alerts generated when a specified policy is breached, using either tabular data or charts.

Conclusion

With the increased risk of information leakage by insiders and confidential information getting to the wrong hands, organizations should take immediate steps to mitigate these risks. This cannot be done manually and it is only through the use of technology that preventive, detective and deterrent controls can be administered with ease. This is a real threat and the negative impact it can have on an organization is substantial. This is not fiction…it is a reality!


4 Comments


  1. Anton Wenzelhuemer
    with all due respect let me express my opinion that this is a pure technologist’s point of view.

    to make this work efficiently you have to set up a trillion rules and filters broken down to roles and individuals and still you will get a large number of false positives leading to a really unwanted climate of mistrust.

    the real malevolent employee on the other hand will probably know about those precautions and will simply carry printed out information out of the office, scan it at home and send it to whomever he thinks who might benefit from it.

    real GRC measures, imho, are such which encourage something like ‘corporate responsibility’ in a trivial sense amongst not only the high ranks but the whole workforce.

    regards,
    anton

    1. Babu Jayendran Post author
      I do agree with you about ‘corporate responsibility’ In fact, one of the components of the COSO ERM framework on ‘Internal Environment’ states ‘…Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the foundation for how risk and control are viewed and addressed by an entity’s people…..’
      I do believe that to mitigate risks we have to try all options. Monitoring mails is one of the options. With high end algorithms, the rule creation can be made very effective and the results can be quite revealing.
      Thanks for your feedback.
  2. Ralf Meyer
    Hi,
    I just stumbled upon this and think this is becoming a really serious issue. While data inside SAP is safe, more and more data will be “exported” from SAP systems into the “dark” and “transported” via eMail, Memory-Stick or iGoogle uploads. Data Leak Prevention (DLP) Solutions integrated with SAP such as http://www.workshare.com/sap may help to reduce this exposure.
    Greetings
    Ralf
    1. Babu Jayendran Post author
      Thanks Ralf for your feedback. Yes, I do believe that this is becoming a serious concern. I have come across situations where Financial Statements, MIS reports, Audit reports and other confidential information have been sent out to private email IDs using the company’s network. Documents have even been embedded in presentations, spreadsheets etc. The solution is to install an email packet sniffing software at the email gateway, that will check every single byte of information going out, both in the body of the mail and attachments. This control can be detective, preventive and can also act as a deterrent. Such software is available today.
