data loss prevention data protection

Estimated reading time: 7 minutes

Data loss prevention (DLP) is a set of tools and processes used to ensure that sensitive data is not lost, misused or accessed by unauthorized users. DLP software classifies regulated, confidential and business-critical data and identifies violations of policies defined by organizations or within a predefined policy package. Default policies are typically dictated by regulatory compliances such as HIPAA, PCI-DSS, or GDPR.

Once these possible violations are identified, the DLP applies “remediation” with alerts, encryption, and other protective actions. The goal is simple: prevent end users from accidentally or maliciously sharing data that could put the business at risk.

Data loss prevention software and tools monitor and control endpoint activity, filter data flows across corporate networks, and monitor data in the cloud to protect data at rest, in motion, and in use. DLP also provides reports to meet compliance and auditing requirements. A very useful tool also for identifying areas of weakness and anomalies for incident response.

data loss prevention data protection

Is it necessary to use DLP tools?

Data loss prevention addresses three main objectives that are common pain points for many organizations: personal information protection/compliance, intellectual property protection, and data visibility.

Personal Information Protection / Compliance

Does your company collect and store personally identifiable information (PII), protected health information (PHI), or payment card information (PCI)? If so, you are more than likely subject to compliance regulations, such as HIPAA (for PHI) and GDPR (for personal data of EU residents), that require you to protect your customers’ sensitive data.

Data loss prevention can identify, classify and label sensitive data and monitor activities and events surrounding that data. Additionally, reporting capabilities provide the details needed for compliance audits.

Intellectual property (IP) protection

Does the company hold important intellectual property and trade or state secrets that could jeopardize the financial health and/or image of your brand in the event of loss or theft? A DLP solution can classify intellectual property in both structured and unstructured forms.

With policies and controls in place, you can protect against unwanted exfiltration of this data.

Data visibility

Is the company looking to gain additional visibility into data movement? A comprehensive enterprise DLP solution can help you see and track your data across endpoints, networks and clouds. This will provide visibility into how individual users within your organization interact with data. As we have seen other times when talking about social engineering, knowing how users behave is very useful. It is used to draw a basic profile and monitor that there are no anomalies that could indicate compromise of the account.

The ones listed above are main use cases. But DLP can address a variety of other pain points including insider threats, user and entity behavior analytics, and advanced threats.

data loss prevention servers

Why adopt data loss prevention?

In the 2017 Gartner Magic Quadrant for Enterprise DLP, the total data loss prevention market was estimated to reach $1.3 billion in 2020. The size was approximately $2.64 billion. The DLP market is not new, but it has evolved to include managed services, cloud capabilities, and advanced threat protection, among other things.

This, combined with the increasing trend of major corporate breaches, has skyrocketed the adoption of DLP as a means to protect sensitive data. Here are nine trends that are driving DLP adoption.

Growth of CISOs

More and more companies are hiring Chief Information Security Officers (CISOs) who report to the CEO. The latter want to know the strategic plan for preventing data leaks. Data loss prevention tools provide clear value in this regard and give CISOs the reporting capabilities needed to provide regular updates.

Evolution of compliance requests

Global data protection regulations are constantly changing and every organization must be adaptable and prepared. In recent years, EU legislators have approved the GDPR. In the USA a similar event occurred when the State of New York adopted the NYDFS Cybersecurity Regulation. These new regulations have both tightened data protection requirements. DLP solutions allow organizations the flexibility to evolve with changing global regulations.

Increase in “places” where data is kept

The increased use of the cloud, complicated supply chain networks and other services over which you no longer have full control has made data protection more complex. Visibility into events and context surrounding data before it leaves your organization is important to prevent your sensitive data from falling into the wrong hands.

Frequency of data breaches

Nation-state adversaries, cybercriminals, and malicious insiders target your sensitive data for a variety of reasons, such as corporate espionage, personal financial gain, and political advantage. Data loss prevention can protect against all types of adversaries, malicious or otherwise.

In recent years, there have been thousands of data breaches and many other security incidents. Billions of records have been lost in giant data breaches such as: the database misconfiguration that leaked nearly 200 million US voter records in 2015, the Equifax data breach that continued to grow, and the Yahoo breach which affected 3 billion users. These are just a few of the many headlines that highlight the need to protect your organization’s data.

data loss prevention breach

The value of the data is very high

Stolen data is often sold on the Dark Web, where individuals and criminal groups can purchase it and use it for their own benefit. With some types of data selling for up to thousands of dollars, there is a clear financial incentive for data theft.

There is more data to steal

The definition of what is sensitive data has expanded over the years. Sensitive data now includes intangible assets, such as pricing models and business methodologies. From 1975 to 2015, the amount of intangible assets grew from 17% to 84% of market value, according to a study by Ocean Tomo. These assets also reached a record $21 trillion in 2018. This means that your company has a lot more data to protect and using data loss prevention could only help in this regard.

There is a shortage of specialized personnel

The security talent shortage isn’t going away anytime soon, and there has likely already been an impact on your business. In fact, in a 2017 ESG and ISSA survey, 43% of respondents said their organizations were affected by a lack of skilled staff. The shortage is worsening with 3.5 million unfilled security positions expected by the end of 2021. Managed data loss prevention services act as remote extensions of your team to fill this staffing gap.

Adopt a SIEM to implement DLP

Ormai il prodotto di più alto valore di un’azienda sono i dati che gestisce. Il rischio di data exfiltration e conseguente perdita economica e d’immagine è dietro l’angolo. È facile a dirsi che basta proteggere i propri dati, la realtà è che diventa ogni giorno più complicato.

Nowadays, a company’s highest value product is the data it manages. The risk of data exfiltration and consequent economic and image loss is just around the corner. It’s easy to say that protecting your data is enough, the reality is that it becomes more complicated every day.

The places where data are used and stored, as well as the methods of access and consultation, are increasing. Technology, in general, makes our lives easier while at the same time exposing our data. Corporate infrastructures are no exception, indeed, precisely due to the highly valuable nature of the data collected, they are subject to greater risk.

The adoption of an adequate security system is essential and there are many solutions available. We at SOD, speaking of data loss prevention, recommend adopting a SIEM that includes the tools necessary to implement DLP techniques. For even better protection and more granular control of user data, SOC as a Service also provides behavioral analysis performed by an artificial intelligence system (UEBA).

To find out how these services can help your company protect your data and infrastructure, do not hesitate to contact us, we will be happy to answer any questions.

Useful links:

Machine learning and cybersecurity: UEBA applications and security

Avoid Ransomware: That’s why it’s best not to take any risks

Air-fi Rete locale

Estimated reading time: 5 minutes

To keep secret information out of reach of attackers, organizations place it on devices that are not connected to any network. This is to avoid any possibility of communication with the Internet. These machines are called air-gapped . As safe as it may seem, infecting such a machine or network segment isn’t actually that difficult. Extracting the information obtained is much more difficult, but it was still possible with the Air-Fi technique .

To study an exploit of this scenario, all kinds of clever methods come into play, and Mordechai Guri, a researcher at Ben-Gurion University of the Negev (Israel), specializes in finding them. Dr. Guri is not the only one, of course, but in recent years, he has been involved in the discovery of a few dozen of these methods. Un new study describes how to extract data from an isolated computer, this time using Wi-Fi technology (hence the name Air-Fi ).

Air-fi Local network

How the Air-Fi method works

The beauty of Air-Fi is that it works even if the target computer has no Wi-Fi hardware. It relies on malware already installed on the device that can use the bus of DDR SDRAM memory to generate electromagnetic radiation at a frequency of 2.4 GHz . Malware can encode necessary data in variations of this radiation, and any device with a Wi-Fi receiver, including another compromised device, can collect and intercept the generated signals. This other device could be a regular smartphone or even a smart light bulb.

The Air-Fi method is particularly unpleasant from a cybersecurity point of view. It does not require administrator rights on the isolated computer; a normal user account can do the job. Also, using a virtual machine doesn’t provide any protection; VMs have access to memory modules.

Transmission range and speed

The researchers transmitted data without noteworthy distortion at a distance of up to 2-3 meters (in one case, up to 8 meters) and a speed of up to 100 bits per second , depending on the hardware of the infected computer and the type of receiver. Like most similar methods, it’s not very fast. Transferring a 20MB file would take 466 hours, for example. That said, the 1,300-byte “Jingle Bells” text could be transferred in 90 seconds. In this light, stealing a username and password with this technique seems entirely realistic.

Air-Fi RAM

How an attack could work

Infecting a air-gapped system with malware is not difficult. An attacker can easily do this by contaminating a USB drive, using social engineering or by tricking staff. Once done, the attacker would then have to infect a nearby WiFi-capable device to receive the leaked data. For this, the attacker can infect nearby desktops, laptops or even smartphones of personnel operating the target system with air-gapped .

To prevent this type of physical attack on the company, you may want to consider our service of physical test your company’s security !

After a successful infection, the malware steals data from the air-gapped system, leaking it into the air as Wi-Fi for the receiving device. As the researchers explained:

As part of the exfiltration phase, the attacker could collect data from compromised computers. The data can be documents, key records, credentials, encryption keys, etc. Once the data is collected, the malware starts the secret Air-Fi channel . It encodes the data and transmits it in the air (in the 2.4 GHz Wi-Fi band) using the electromagnetic emissions generated by the DDR SDRAM buses.

The following video shows a possible attack scenario.

The extraordinary absence of wi-fi hardware

As we have seen, the Air-Fi attack does not require specific Wi-Fi hardware to be installed on the target machines. How is it possible?

It is shown that the attack uses DDR SDRAM memory buses to generate electromagnetic emissions in the frequency band typical of the Wi-Fi protocol , ie 2.4 GHz Furthermore, it is also possible to encode data in binary code without specific privileges . Using a virtual machine doesn’t help, as they typically have access to hardware RAM anyway.

Communication between CPU and RAM modules takes place via a bus synchronized with the system clock . This generates electromagnetic radiation which will have a frequency related to the clock frequency. In the case of the DDR4 memory blocks it is around 2.4 GHz.

If the frequency of the modules is not the correct value, it is still possible to overclock or downclock the memory speed by adjusting it to the Wi-Fi frequency of 2.4 GHz.

In short, a machine that uses RAM blocks could still find a way to use them for data transmission. Of course, it all starts with a first compromise that installed malware on the machine.

How to defend yourself from Air-Fi

The use of Air-Fi involves electromagnetic emissions. It is possible to counter the strategy by using the following measures:

  • Do not allow Wi-Fi enabled devices to approach air-gapped systems for any reason
  • Monitor isolated systems for suspicious processes
  • Shielding the computer in a Faraday cage
  • Using SOCaaS to monitor networked machines
  • Control operations and visits to the company in order to eliminate the possibility of infection via USB stick

Like all similar methods, Air-Fi is too slow and difficult for common cybercriminals to use for everyday attacks. However, if your company is using air-gapped machines for data storage, it is certainly better to take cover, given the recent data hunger of cyber crime < / em>.

We recommend that you consider adopting a SOCaaS to prevent the use of malware, run regular procedures for verifying corporate security, both virtual ( Vulnerability Assessment & amp; Penetration Test ) and physical, as previously suggested, through our dedicated test service .

Contact us to find out how we can help you and how our services can secure your company data, we will be happy to answer any questions.

Useful links:

Data Exfiltration cover

A common definition of data exfiltration is the theft, removal, or unauthorized movement of any data from a device. Data exfiltration typically involves a cybercriminal stealing data from personal or corporate devices, such as computers and cell phones, through various cyberattack methods.

Failure to control information security can lead to data loss which can cause financial and reputational damage to an organization.

How does a data exfiltration happen?

Data exfiltration occurs in two ways, through attacks from outsiders and through threats from within. Both are major risks, and organizations need to ensure their data is protected by detecting and preventing data exfiltration at all times.

An attack from outside the organization occurs when an individual infiltrates a network to steal corporate data or user credentials. This is typically the result of a cybercriminal injecting malware into a device connected to a corporate network.

Some malware strands are designed to spread across an organization’s network and infiltrate others, seeking sensitive data in an attempt to extract. Other types of malware remain dormant on a network to avoid being detected by organizations’ security systems until data is subversively extracted or information is gradually collected over a period of time.

Attacks can result from malicious insiders stealing your organization’s data and sending documents to your personal email address. Typically the data is then sold to cyber criminals. They can also be caused by inattentive employee behavior that sees corporate data fall into the hands of bad actors.

Data Exfiltration Hacker with Phone

Types of Data Exfiltration

Data exfiltration occurs in various ways and through multiple attack methods, mostly on the Internet or on a corporate network.

The techniques cybercriminals use to extract data from organizations’ networks and systems are becoming increasingly sophisticated. These include: anonymous connections to servers, Domain Name System (DNS) attacks, Hypertext Transfer Protocol (HTTP) tunneling, Direct Internet Protocol (IP) addresses, fileless attacks, and remote code execution.

Let’s see in detail some attack techniques to know what we are talking about specifically.

1. Social engineering and phishing attacks

Social engineering attacks and phishing attacks are popular network attack vectors. They are used to trick victims into downloading malware and entering their account credentials.

Phishing attacks consist of emails designed to appear legitimate and often appear to come from trusted senders. They usually contain an attachment that injects malware into the device. Other types contain a link to a website that appears legitimate but is forged to steal the login credentials entered. Some attackers even launch targeted phishing attacks to steal data from a specific user. Often the targets are the executives of a company or known individuals.

To defend against these types of attacks, it’s best to recognize them immediately and trash the emails. In a company it is possible to help the process through an ad hoc training course, based on data collected internally by the company through a controlled test. SOD also offers this service, if you are interested, you will find more information on the page of the service itself.

2. Outgoing email

Cybercriminals check e-mails to retrieve any data coming out of organizations’ e-mail systems. The recovered data can be calendars, databases, images and planning documents. These provide sensitive information of value or information that is useful for recovering valuable data.

3. Download to unsafe devices

This method of data exfiltration is a common form of accidental insider threat. The attacker accesses sensitive corporate information on his trusted device, then transfers the data to an insecure device. The insecure device could be an external drive or smartphone that is not protected by corporate security solutions or policies, which puts it at risk of data exfiltration.

Smartphones are also susceptible to data exfiltration. Android devices are vulnerable to the installation of malware that take control of the phone to download applications without the user’s consent.

4. Upload to external devices

This type of data exfiltration typically comes from bad guys. The internal attacker can extract data by downloading the information from a secure device, then uploading it to an external (insecure) device. This external device could be a laptop, smartphone, tablet or USB stick.

5. Human error and unsafe behavior on the network

The cloud provides users and businesses with a multitude of benefits, but together there are significant risks of data exfiltration. For example, when an authorized user accesses cloud services in an insecure way, it allows an attacker an access route from which he can retrieve data and take it off the secure network. Human error also plays a role in data mining, because appropriate protection may no longer be in place.

How to spot a data exfiltration attack

Depending on the type of attack method used, detecting data exfiltration can be a difficult task. Cybercriminals using more difficult-to-detect techniques can be mistaken for normal network traffic. This means that they can lurk in networks unnoticed for months and even years. Data exfiltration is often only discovered when the damage has already been caused.

To detect the presence of at-risk users, organizations must use tools that automatically discover malicious or unusual traffic in real time.

One tool with this capability is SOC (also offered as a service: SOCaaS) which implements an intrusion monitoring system, as well as an automatic system that verifies user behavior. When the SOC detects a possible threat, it sends an alert to the organization’s IT and security teams who can take action and investigate the situation.

SOC works by searching for and detecting anomalies that deviate from regular network activity. They then issue an alert or report so administrators and security teams can review the case.

In addition to detecting automatic threats, organizations can also construct the entire sequence of an event as it occurred, including mapping to a known kill chain or attack framework.

Using a SOCaaS, for a company that manages sensitive data, is an advantage from many points of view. Being offered as a service, the company will not have to invest in setting up a specialized IT department for its SOC, will not have to hire additional personnel and will be able to count on security systems that are always updated with qualified and always available operators.

For more information, do not hesitate to contact us.

Useful links:

Test your business with ethical phishing attacks

UEBA: Behavior Analysis Explained


Contact us