
ILDP – Information Leakage Detection and Prevention – is getting management attention in the area of information security.

For many years, the focus in information security has been on the detection and prevention of intrusions. CIOs and, more specifically, CSOs have not put adequate measures in place to detect and prevent “extrusions”: compromises that originate from within the organisation.

The risks posed by extrusions are clear and significant, yet most organisations are hampered today by the lack of solutions or expertise in the area of ILDP. Below are just some of the common examples of information leakage that you may have heard of.


Employees unknowingly leaking key bid information to competitors in a tender.
Key employees losing laptops or USB storage devices while in transit.
Employees who are leaving the organisation copying competitive information to their personal email accounts.

More examples of data breaches can be found in the Chronology of Data Breaches published by the Privacy Rights Clearinghouse. Many cases of information leakage go unreported for fear of loss of confidence and regulatory penalties, so what is reported is only the tip of the iceberg.

Information leakage can be caused by negligence or by intentional sabotage. As storage media become smaller and more mobile, more sensitive information is likely to be stored on media that are more easily lost or stolen. You will also have heard of incidents where emails were unintentionally sent to the wrong recipients. Beyond negligence, the motivation to leak sensitive information will exist no matter what counter-measures your organisation takes. History has taught us about information leakage incidents, and we can be confident that we will see more of them in the future.

A pioneer in ILDP in Asia, Resolvo has drawn on its extensive experience working with the defense industry to develop the following practical framework to help you protect against information leakage. The framework consists of 7 main components: Deterrence, Encryption, Forensics, Identity Protection, Classification, Instant Protection and Thin Clients, or the “DEFICIT Framework™” for short.

 


Deterrence

In deterrence, the main focus is to increase the costs to potential perpetrators, with the goal of making information leakage unattractive. This is very similar to how the armed forces act as a deterrent against potential intruders.

Firstly, for deterrence to be effective, potential perpetrators must know that there is a credible ILDP system in place. There is no point in building a good ILDP system that no one knows about. This is akin to the regular demonstrations of force that armed forces put up to inform the world about their capabilities.

In information security terms, the following measures can be taken:

Inform users that content in all information-related activities within the organisation, such as Web surfing and copying to USB, belongs to the organisation, not to the users.

Food for thought: In your organisation, are users informed of the legal precedents supporting the ownership of content?

Put up clear notices at all exit points to inform users about the presence of an ILDP system and the severe consequences if they are caught.

Food for thought: In your organisation, is there a notice to inform users about their responsibility whenever a USB storage device is attached to their corporate workstations?

Sending users summary information about their usage reminds them that their activities are monitored and makes them think twice before leaking information.

Food for thought: In your organisation, do you publish the top users of email, web traffic and USB storage connections on a regular basis?

Impose heavy penalties for information leakage offences. Put greater emphasis on criminal penalties, which have a stronger deterrent effect. For key appointment holders, a security bond can be imposed and should be accepted by the users in writing.

Food for thought: In your organisation, are users required to sign security bonds that set a minimum penalty high enough to be a deterrent in the event of information leakage?

Inform users about the existence of the ILDP system and the civil and criminal penalties when they join your organisation.

Food for thought: In your organisation, does your employee handbook state clearly the penalties for information leakage?

Next, though the presence of an ILDP system should be made known, its actual configuration and detection rules should remain secret, for the same reason that armed forces keep confidential the actual configuration of their publicly known weapons systems. If potential perpetrators know how and what is being monitored, they will find means to bypass and evade detection.

Currently popular measures can also deter or prevent information leakage. These include removing administrative rights, to prevent the installation of applications that pose information leakage risks, and dual control of administrative passwords.

Lastly, for the ILDP system to be credible, an effective forensics environment must be in place. Without proper forensics, perpetrators may go scot-free even if information leakage is detected. Forensics is discussed in more detail in a separate section.

 


Encryption

In encryption, the main focus is to prevent unintentional leakage through theft or negligence. Do note that encryption does not prevent intentional leakage by authorised users.

There are 3 main areas where encryption is useful – Network, Endpoint and Content.

Network encryption is the most prevalent among the three. It can take the form of SSL-encrypted web traffic, encrypted SSH access to Unix systems, VPN remote access and many others.

Removable storage devices and notebooks are often found lying around without any supervision or physical restraint. Yet compared to network encryption, endpoint and content encryption are less commonly found in organisations. In endpoint encryption, the storage media are protected with strong encryption to ensure that only authorised users can access the information. With the growing prevalence of mobile computing devices, the need for endpoint encryption is much higher than before.

Besides endpoint encryption, content encryption is also a much neglected area. Content encryption offers better protection than endpoint encryption because the protection is independent of the storage media. Coupled with secure authentication means such as 2-factor or biometric authentication, endpoint and content encryption can effectively eliminate the risk from unintentional leakage through theft or negligence.

However, several misconceptions about encryption have been holding back the adoption of endpoint and content encryption:

Encryption is costly

Though encryption does come with additional costs, these have to be weighed against the value of the information it protects. No one will question the economics of spending thousands of dollars to protect the information on a CEO's notebook, which may be valued at millions of dollars.

Furthermore, the cost of encryption has fallen over time as more efficient algorithms have been developed.

Following standards and rules ensures information protection

This is a common folly committed by organisations today. No matter how stringent the standards or rules are, we are still human. Humans are prone to lapses and may become negligent. This is especially so for a CEO who has been in the air every day of the week.

In addition, internal standards and rules cannot deter or prevent physical theft by external parties.

Encryption requires expensive storage

With the development of newer, more efficient encryption algorithms, the storage requirements for encryption have fallen. In addition, advances in storage technology have driven the unit cost of storage down far enough to render this point immaterial.

Encryption reduces performance

It is true that encryption consumes computing power and imposes a performance penalty. However, with the availability of hardware-based encryption accelerators, encryption can be performed concurrently without material impact on the business workload. Furthermore, with the development of more efficient algorithms, keys of shorter length can offer similar, if not better, protection than before.

In most cases, the performance penalty imposed by encryption should not exceed 5%.


Forensics

In forensics, the main focus is to build a credible detection capability and to provide legally admissible evidence.

Regardless of how advanced our protection systems are, a good forensics system is required for accurate detection and effective follow-up action. Without proper forensics, your ability to carry out corrective actions, such as imposing penalties or reporting to the authorities, may be severely limited. A common mistake is to think that blocking access removes the need for a good forensics system.

The three most common shortcomings in forensics are:

Insufficient logging

Most companies do not log the content of information being sent out via removable storage and web-based email. Many organisations instead simply “trust” that their users will not leak sensitive information.

Improper handling of digital evidence

This is not surprising, as most information security professionals are not trained in what constitutes legally admissible evidence or in how to handle evidence once it is collected.

No matter how accurate the detection system is, evidence, once tainted by improper handling, is rendered useless.

Case mismanagement

Escalations of information leakage are frequently mismanaged. Most organisations, especially in Asia, do not provide an independent escalation path for whistle-blowers. Examples include premature alerting of the perpetrator and lack of anonymity for the whistle-blower.

A comprehensive ILDP system must possess good forensics capabilities at both the network and endpoint levels. At the network level, the forensic component of the ILDP system should be passive and run on an out-of-band (OOB) network. It must be able to analyse the voluminous network traffic instead of being a “dumb dump”. The obvious challenges in network-based forensics are the large volume of data and the presence of encrypted network traffic. At the endpoint level, the forensic component should be passive and not easily identifiable by users. Compared to a network-based forensic solution, an endpoint forensic solution has the advantages of being able to monitor for the execution of unauthorised programs and to capture information before it is encrypted for transmission over the network.

 


Identity Protection

Identity Protection consists of Identity Lifecycle Management and Strong Authentication. It is important because all the other components in this framework will fail if user identities are stolen or misused. Coupled with proper auditing, Identity Protection can monitor for and prevent identity theft when such abuses take place.

With Identity Lifecycle Management, you can achieve timely management of identities in the critical systems in your organisation. How many times have we heard of orphaned user accounts left behind in critical systems after users have left the organisation? Timeliness is critical, as any unused account left behind gives a perpetrator an opportunity to obtain and leak information. Other benefits include operational savings from an automated, self-service approach to password management that reduces the number of helpdesk calls for password-related issues.

Next, coupled with strong, multi-factor, non-repudiable authentication, Identity Protection can help to reduce the opportunities for the social engineering attacks to which single-factor authentication systems are vulnerable. In addition, strong authentication helps to reduce the bad practice of “credential sharing” among colleagues.


Classification

Classification is one of the first steps to be taken in any ILDP initiative. It is usually an output of a risk assessment, during which the organization or information owner analyses and defines the importance of the information to be protected against leakage. As the saying goes, what you cannot measure, you cannot control or manage. The same applies to ILDP.

It is impractical to expect an organization to protect against leakage of all its information. Given the limitations of budget and technology, you have to analyze and select the more important information to be protected. Only once you have classified what really matters to you and your organization can you evaluate the type of controls required to protect that information. (A point to note is that fingerprinting critical information does not equate to classification. Usually, you are still required to classify the generated fingerprints.)

With proper identification and classification, the ability of the ILDP system to protect against leakage of critical information is greatly enhanced. Classification can integrate with the other components of the DEFICIT Framework™ to improve protection. For instance, with classification in place, one can deter leakage by blocking transmission via the network or removable storage. Similarly, classification can work hand in hand with encryption to ensure the integrity and confidentiality of critical information, rather than of all information.

The importance of classification cannot be over-emphasized. That is why information and business owners must play an active role in classifying what needs to be protected. Such responsibility should not be delegated to the IT/IS department or to automated tools.


Instant Protection

A key element of any ILDP system is its ability to protect critical information in a timely manner. Just as a stock quote delayed by 5 minutes may be worthless, protecting against leakage one day after the critical information is first created may be futile. Given that today's world moves at the speed of light, critical information should be protected as soon as it is created.

You may have heard of the term zero-day exploit, where a vulnerability is exploited the very day it becomes known. Coupled with the potential value of the critical information, the motivation to leak information as soon as it is created is very significant.

Without timely, immediate protection against leakage, an ILDP system will be ineffective no matter how robust the rest of the system is. For instance, even if the fingerprinting algorithm of your ILDP solution is highly accurate, it is of no use if fingerprinting is done only after the critical information has leaked out.

As the saying goes, the strength of a system depends on its weakest link. Do not let speed be your weakest link.
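To illustrate both the Classification point that fingerprints still need the information owner's classification and the Instant Protection point that fingerprinting must happen when the document is created, here is an added Python example (written for this page, not Resolvo's code). Documents are fingerprinted with word-shingle hashes the moment they are registered, but an egress match is only blocked once the owner has labelled the document Restricted; an unclassified match is surfaced as exactly that. The bid text, outbound messages, labels, 5-word shingle size and 0.3 overlap threshold are all constructed assumptions.

```python
"""Egress check against owner-classified document fingerprints."""
import hashlib
import re

SHINGLE = 5  # consecutive words per fingerprint hash

# Constructed sample texts (not real bid data).
BID_TEXT = ("Our tender price for the harbour project is 4.2 million "
            "with a 12 percent margin and delivery in eighteen months")
OUTBOUND_LEAK = "FYI the harbour project is 4.2 million with a 12 percent margin"
OUTBOUND_BENIGN = "Lunch menu for Friday is fish and chips"

def fingerprint(text):
    """Hash each run of SHINGLE words; survives reformatting and partial copies."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()[:16]
            for i in range(max(1, len(words) - SHINGLE + 1))}

class FingerprintStore:
    """Fingerprints are taken the moment a document is created (instant
    protection), but enforcement waits for the information owner's label."""
    def __init__(self):
        self.docs = {}  # doc_id -> {"hashes": set, "label": None | str}

    def register(self, doc_id, text):
        self.docs[doc_id] = {"hashes": fingerprint(text), "label": None}

    def classify(self, doc_id, label):
        """Set by the business owner, not IT: a fingerprint alone is not a classification."""
        self.docs[doc_id]["label"] = label

    def check_egress(self, outbound_text, threshold=0.3):
        """Return (decision, doc_id, overlap) for the best-matching registered document."""
        out = fingerprint(outbound_text)
        best = ("allow", None, 0.0)
        for doc_id, doc in self.docs.items():
            overlap = len(out & doc["hashes"]) / len(doc["hashes"])
            if overlap <= best[2]:
                continue
            if doc["label"] is None:
                decision = "unclassified-match"  # fingerprinted, but no owner has classified it yet
            elif doc["label"] == "Restricted" and overlap >= threshold:
                decision = "block"
            else:
                decision = "log"  # lower classification, or too small an overlap to block
            best = (decision, doc_id, overlap)
        return best
```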


Thin Clients

Thin Clients can be used to achieve greater endpoint security.

Some thin clients come with no local storage, which allows you to reduce the number of storage media to protect. Others come with minimal, locked-down local storage that prevents users from modifying any local content. For the latter, however, endpoint encryption should also be considered for comprehensive protection.

As the use of Thin Clients requires some form of centralised server computing environment, Thin Clients allow you to monitor and detect information leakage from centralised points. With Thin Clients, you can better manage the environment of remote offices or branches to detect and prevent information leakage.

Lastly, most, if not all, thin clients come with the capability to lock down their support for external storage devices, hence effectively preventing leakages via external devices.
