Beyond Accidental Data Leakage is a company that provides services to help identify, minimize, and manage security threats from data leakage. They conducted a survey of over 200,000 hours of user activity and found that most data theft occurred through mobile devices, webmail, removable media, and web applications. Their findings showed that existing security policies were not being implemented or enforced by companies. They recommend prevention steps like implementing a data classification scheme, security awareness training, defensive monitoring measures, and enforcing policies to help combat accidental and intentional data leakage.

1. Beyond Accidental
Data Leakage

2. A simple, easy to use, online, B2B procurement
portal for purchasing products and services to
identify, minimise and manage the security
threat to business data.
www.riskfactory.com

3. Read All About It…
TJX Data Breach: At 45.6M
TJX Data Breach: At 45.6M
Card Numbers, It's the
Card Numbers, It's the
Biggest Ever
Biggest Ever
(March 2007)
(March 2007)
“We may never be able to identify much of the
“We may never be able to identify much of the
information believed stolen."
information believed stolen."
The company has so far spent about
The company has so far spent about
$250+ million to resolve it
$250+ million to resolve it
($1B+ estimate in cases / / lost revenue)
($1B+ estimate in cases lost revenue)

4. Leakage Defined
Data-Leakage is a loosely defined term used to describe
an incident where the confidentiality of
information has been compromised .
• Data-Breach and Information
Loss are also widely used terms
• Data Slurping: The use of iPODs
or portable USB hard drives

5. Who’s Leaking?
www.privacyrights.org
www.datalossdb.org

6. Who’s Leaking ?

7. Who’s Leaking?
The government sector accounted for
35% of reported data loss with 20%
Education and 10% Healthcare and
remainder reported in private sector…

8. The Leakers
External Internal

9. What's Leaking

10. Biggest Leakers?
FBI/Computer Security Institute 2011:
85% of all offenders prosecuted for cyber crimes
were employees of the company attacked

11. Top 10 Motives
1. Money
2. Dosh
3. Moola
4. Bread
5. Baksheesh
6. Scratch
7. Cabbage
8. Sheckles
9. Chicken Feed
10. Wampum

12. Accidents Can Happen
• Accidental / unintentional
• Carelessness
• Leaving sensitive information accessible to others
• Loosing a laptop
• Sending email to mistaken name or “all”
• Malicious code (viruses, worms, Trojan horses)
• Suspicious email, jokes, etc.

13. Beyond Accidental
• Malicious / intentional
vandalism / delinquency
• Bulletin board postings
(Fu*kedCompany,
Dotcomscoop, Deja)
• Disgruntled employees
• Forwarding company data
to home email, time bombs,
deletion of data

14. You Can Find
• Without hacking
• Without intrusion (denial of service)
• Without breaking any law
• With consent of firewall
• Regardless of company consent
• With consent of end-user / author
• Virtually untraceable
• Replicable millions of times
• Available to anyone with a PC online
• Accessible anywhere in the world

15. Potential M&A Org
Restructure

16. Private Company’s Share
Plan

17. Internal Reorganization

18. Banking Statements

19. Client Contact List

20. Research Data

21. Airplane Specifications

22. Airplane Specifications

23. Flight Simulation Data

24. Flight Sim. Data – Engine
Failure

25. The Where?

26. Beyond Accidental II
The trusted user turned
entrepreneur
Under cover / overlooked
Easy to trust / hard to detect
Has a key to the house
Know’s when you’re not home
Knows your strengths /
weaknesses
Why do they do it?

27. That’s Where The Money
Is…

28. Easy Money Getting
Easier
2000
Name, Address DOB = £2.00
Credit card # = £2.00
Expiry date = £ 3.00 2005
Security Code = £3.00 Name, Address DOB = £1.00
Total = £10.00 Credit card # = £1.00
Expiry date = £ 1.00
Security Code = £2.00 2010
Total = £5.00 Name, Address DOB = £.25
Credit card # = £.25
Expiry date = £ .25
Security Code = £.25
Total = £1.00

29. Where to Start ?
Conduct data leakage survey
– ITM software
– Logical review
– Physical review

30. Detecting the Covert
Channels
1. Check classification scheme & security policies
2. Write policy-synchronised objective & scope
3. Identify keywords/folders & files
4. Identify target department
5. Get Board-level approval before you start
6. Deploy data leakage detection software (30-60 free trials!)
7. Audit office equipment (copy machine, faxes, scanners)
8. Audit VoIP storage access logs
9. Audit CCTV footage
10. Test physical/procedural security measures

31. Where Is Your Data?
• Network
• Client devices: removable media,
unauthorised connections, devices, applications,
local storage, file copy, save as….
• Remote connections
• Storage: photocopiers, scanners, faxes
• 3rd Parties
• Service Providers
• Contractors

32. How & Where Leaking?
Laptop / Desktop
Server
CD / DVD
Piggybacking
USB iPod
Dumpster (Skip) Diving
Social Engineering Memory Stick
Contractors
Road Apple PCMCIA
Eavesdropping Memory Card Readers
Bluetooth
Endpoint
Communication Infrared
Databases
Firewire
File Systems
Serial / Parallel Ports
File Servers
NAS Data-At-Rest Virtual Machine
SANs / iSCSI Storage Screen Scrapers
Voice Mail Data Loss Trojans
Other Threat Vectors
Video Surveillance Key Loggers
Phishing / Spear Phishing
E-Mail
HTTP/S Printers
SSH Backup Tapes / CD / DVD
FTP Laptop / Desktop / Server
Data-In-Motion
IM Fax
VoIP
Physical Photocopier
P2P Mobile Phone / PDA
Blogs Digital Camera (incl. Mobile Phone Cameras)
Incorrect Disposal
Printed Reports

33. Free Advice…
• Stay focussed. Follow the White Rabbit.
• Stay cool. Stay professional.
• Be a-political. No hidden agendas.
• Be prepared. You will see the Sexy Beast.
• Remember: What you will see is not new.
• You’ll see how the business really operates

34. But Remember
“When the Gods want to punish us, they
answer our prayers.”

35. Top Ten Distractions
• Employees viewing porn / shopping …
• Management viewing porn / shopping…
• Clandestine affairs
• Personal affairs
• Rumours
• Employees falsifying company records (expense
accounts)
• Employees running a side business
• Convenience connections

36. Risk Factory Survey
• Analysed over 200,000 hours of user activity
• Carried out over 24 months
• Linked to specific files, folders, and keywords
• Identified the who, what where & when

37. Who?

38. How?

39. Summary Findings
• 68% theft linked to mobile rather than fixed desktop systems.
• IT and Customer Services Departments highest number data thefts.
• 96% male
• 79% incidents occurred on Fridays between 3 and 5PM.
• Applications most favoured to remove data were identified as web mail,
instant messaging (IM) and social networking web sites.
• The top 4 theft vectors were identified as mobile devices, web mail,
removable media and web applications.
• All instances identified could have been prevented. Existing corporate
security policies were not implemented, monitored or enforced.

40. Prevention Steps
Step 1: Classification scheme
Step 2: Education & awareness
Step 3: Locate & marking
Step 4: Implement defensive measures
Step 5: Monitor, enforce, report

41. Defense Must Be Layered
Spyware Hackers
Inappropriate
Content
Network Perimeter security
Layer Attacks
Strong authentication
URL filtering
Anti-virus
Viruses
IDS/IPS
UNAUTHORISED APPLICATION USE
Cut, Copy, Paste, Print, Rename, Save As
UNAUTHORISED APPLICATIONS
UNAUTHORISED CONNECTIONS Malware, IM, Webmail, Skype, MySpace, file sharing
Wireless (802.11, Bluetooth, IR,
GPRS/UMTS/HSPDA), Modems UNAUTHORISED FILE COPYING & OUTPUT DEVICES
Local file copies (removable storage, mobile devices), printers,
copiers, faxes

42. Obligatory Summary
Slide
• Data leakage is not a phenomenon
• Your data worth money - treat it accordingly
• Statistically speaking, bad guy works for you
• Know where your data resides: exit end
points, at rest and in motion…
• Its all about the user

43. 26 Dover Street
London
United Kingdom
W1S 4LY
+44 (0)20 3586 1025
+44 (0)20 7763 7101(fax)