2010/05/20 14:04:29

Technologies of protection against internal violators

In modern business, the key advantage is possession of the necessary information. Many managers are used to considering only tangible assets and forget about intangible ones. Whoever can analyze and use information faster and better than others gains an indisputable competitive advantage. However, this advantage is easily lost when important information is lost.

Protection against information leaks

As practice shows, in most cases the simplest channel for obtaining it is a legitimate user: the internal violator. The measures needed to neutralize this threat are divided into technical measures and organizational and legal measures.


Technical measures


A violator with legitimate access to the corporate network can take information outside the perimeter in many ways, for example:

  • Copying to removable media (flash memory, DVD, etc.)
  • Transfer by e-mail (including web mail)
  • Transfer of a file through a third-party resource (a file hosting service, an Internet forum, etc.)
  • Sending a text fragment by IM
  • Printing and carrying the printout outside the organization (the controlled zone)
  • Visual information retrieval (including with the use of technical means)

In each case the violator has legitimate access to the information (required by his job duties). This access cannot be prohibited, and the fact of access is not itself a violation. The information security service therefore faces the problem of interpreting and analyzing the user's actions. This is where a data loss prevention (DLP) system can help.

In the simplest case, critical information is just a set of files. Then practically any available DLP solution can be used to keep it confidential, since practically all of them intercept all possible methods of stealing information. The only obstacle may be the use of exotic file formats (to analyze a file's contents, the product must "know" its format).

DLP solutions fall into two main types by mode of operation:

  • Agent-based solutions (a special agent is installed on employees' workstations);
  • Solutions that work at an information exchange node (for example, the Internet access gateway).

The advantage of agent-based solutions is that all ways of stealing information are blocked, including removable media and messaging programs that encrypt their traffic (for example, Skype). This method is not without shortcomings, however: a trusted environment must be created on the user's machine (otherwise the attacker will simply unload the agent). In addition, agents exist almost exclusively for Microsoft operating systems, which does not suit everyone.

DLP solutions that work at an information exchange node have other shortcomings: encrypted traffic cannot be analyzed "on the fly" (for example, Skype traffic can be controlled only by an agent-based DLP), so one must either accept this risk or apply other measures (including purely organizational ones) to prohibit such messaging. Such a DLP solution is also obviously unable to control the use of flash drives and similar storage media.

When an agent-based DLP solution is used, the information security service needs to compile a list of confidential information and the places where it is stored, and to install the corresponding software on employees' workstations. If the product supports all file types in use, the files will be indexed and all copy operations (including through the clipboard) will be controlled. After that, information can no longer be stolen by "simple" actions. However, enough scenarios can be formulated that an internal violator could use to bypass an agent-based DLP solution, for example:

  • Bulk copying of important files on the workstation with subsequent archiving;
  • Compilation of a file containing important information from many other sources.

The search for such scenarios could continue, but the main cause of leaks is that the user has legitimate access to confidential information and this access cannot be prohibited. Concealing the protection methods applied (including the solutions used) cannot be considered good practice, so it should be assumed that the violator knows the capabilities and shortcomings of the information security tools.

Thus, high-quality information loss prevention requires other measures as well. However, DLP solutions are irreplaceable in investigations: they make it possible to monitor users' actions and to reveal suspicious activity (for example, copying large fragments of files through the clipboard). Other technical measures that can be applied include systems that record the user's actions (up to recording everything that happens on the screen), shadow copying programs (which register all data transferred via removable media), and other methods of recording actions (up to video surveillance recordings).

It should be noted, however, that some DLP solutions can include this functionality as add-on modules.

A security administrator who has the information collected by such means can reconstruct the exact sequence of actions of the suspected violator and prove or disprove the theft of information. Applied on their own, the listed measures will most likely yield no result, because end-to-end analysis of any recording system is extremely labor-intensive. A DLP system makes it possible to narrow down the time span and the suspected user.
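
An added example (not from the original article or from any DLP product): one way to narrow a review down to a user and a time span, by flagging the "bulk copy followed by archiving" scenario listed earlier in agent events. The log layout, action names, thresholds and protected path are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample of DLP agent events: timestamp, user, action, path.
# The line layout and action names are assumptions, not a product's log format.
SAMPLE_EVENTS = """\
2010-05-20T09:01:10 alice copy /srv/finance/q1.xls
2010-05-20T09:01:40 alice copy /srv/finance/q2.xls
2010-05-20T09:02:05 alice copy /srv/finance/clients.db
2010-05-20T09:06:00 alice archive C:/Temp/photos.zip
2010-05-20T10:15:00 bob copy /srv/finance/q1.xls
2010-05-20T10:40:00 bob archive C:/Temp/report.zip
2010-05-20T11:00:00 carol copy /srv/public/menu.doc
"""

CONFIDENTIAL_PREFIXES = ("/srv/finance/",)  # assumed inventory of protected locations
WINDOW = timedelta(minutes=10)              # look-back window before an archive event
MIN_FILES = 3                               # distinct confidential files that count as "bulk"


def parse_events(text):
    """Yield (timestamp, user, action, path) tuples from the log text."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        ts, user, action, path = parts
        yield datetime.fromisoformat(ts), user, action, path


def find_bulk_copy_then_archive(text):
    """Return [(user, window_start, window_end, n_files)] for each archive event
    preceded, within WINDOW, by copies of >= MIN_FILES distinct confidential files."""
    copies = {}    # user -> list of (timestamp, path) for confidential copies
    findings = []
    for ts, user, action, path in sorted(parse_events(text)):
        if action == "copy" and path.startswith(CONFIDENTIAL_PREFIXES):
            copies.setdefault(user, []).append((ts, path))
        elif action == "archive":
            recent = [(t, p) for t, p in copies.get(user, []) if ts - t <= WINDOW]
            files = {p for _, p in recent}  # the same file copied twice counts once
            if len(files) >= MIN_FILES:
                findings.append((user, min(t for t, _ in recent), ts, len(files)))
    return findings


if __name__ == "__main__":
    for user, start, end, n in find_bulk_copy_then_archive(SAMPLE_EVENTS):
        print(f"{user}: {n} confidential files copied, then archived ({start} .. {end})")
```

Each finding gives the user and the interval to pull from screen recordings or shadow copies, instead of reviewing those recordings end to end.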

At the same time, even the use of such a system alone seriously complicates life for a potential violator (especially one who is not an IT professional). DLP also helps prevent leaks through negligence: the user receives an additional warning that the information being transferred is confidential and must confirm that the transfer is needed. The fact that users' actions are monitored is the strongest deterrent for most potential violators.


Organizational and legal measures


Imagine a situation in which the theft of confidential information has become known and the person responsible has been caught. The question arises: how can that person be punished?

If the stolen information is confidential under the legislation of the Russian Federation (for example, personal data or a trade secret), the person responsible can be held liable under the provisions of the law.

However, most business-critical information is not protected by law, and the organization's management has to devise corrective actions within the organization. If the organization has not formally issued job descriptions covering information security, security policies and so on, punishing the violator turns out to be very problematic in practice. Of course, most people caught in such a violation will prefer to leave the firm voluntarily, but for a large organization such a situation is unacceptable.

The commonly accepted solution to the problem of legal protection of critical information is to write internal regulatory documents that define the organization's information security processes:

  • The security policy (defining both the general approach to data protection and the specific important areas);
  • Job responsibilities of employees who have access to critical information (disclosure of such information then becomes a disciplinary violation, and the violator can be punished while staying within the law);
  • An addition to the job description of the top management representative who oversees information security (practice shows that this supervisor should rank no lower than the first deputy head of the organization).

With a complete set of internal regulations in place, the violator will be punished on the basis of an internal investigation, and the employer, in turn, does not risk violating labor law.

However, it must be remembered that some actions of information security staff can go beyond more than just labor law. For this reason, serious help from the company's lawyers is necessary when implementing leak prevention systems, when developing regulatory documents, and when investigating incidents.


Conclusion


The problem of protection against internal violators is extremely difficult to solve. In difficult situations (for example, when competitors are carrying out a planned attack on the organization), it requires the full effort of the organization's information security service, its legal service, and the company's top management.

At such times the organization is tested for strength, both in its technical infrastructure and (even more) in the moral atmosphere among the staff. Very few people like being the object of an investigation and being questioned by a security service. The efforts of the information security service should be directed equally at identifying the facts of a leak and at collecting evidence of employees' involvement in those leaks. A situation in which the person responsible for the leak is not found and the organization's work is disrupted by nervousness among the staff is more than real.

Competent use of technical means against internal violators, together with legal methods of data protection, will increase effectiveness many times over in a crisis and will make it possible to come out of it with the minimum possible losses.