book

Data Leaks For Dummies®

Name: Data Leaks For Dummies®
ISBN: 9780470388433

by Guy Bunker, Gareth Fraser-King

February 2009

Beginner

427 pages

9h 47m

English

For Dummies

Read now

Unlock full access

Copyright
About the Authors
Authors' Acknowledgments
Publisher's Acknowledgments
Introduction
Who Should Read This BookFoolish AssumptionsHow This Book Is OrganizedPart I: Building the BackgroundPart II: Starting with the EndpointPart III: Prevention at the OfficePart IV: ApplicationsPart V: Additional Preventive MeasuresPart VI: Dealing with the InevitablePart VII: The Part of TensIcons Used in This BookWhere to Go from Here
I. Building the Background
1. Defining Data Loss
1.1. How the World of Data Has Changed1.1.1. Economic growth — a barrage of gadgets1.1.2. The messaging boom throws data everywhere1.1.3. Technology gone wild; data gone missing1.1.4. Where will we put it all?1.1.5. Where will it all end?1.2. Information and Communication: Risky Business1.2.1. Web 2.0 and the dark side of progress1.2.2. The business of cyber-crime1.2.3. Target: your information1.2.4. More connections, more risk1.3. How IT Risk Affects Business Risk1.3.1. IT risk — buckets of it1.3.2. Electronic records — incoming!1.4. Getting the Whole Picture1.4.1. Knowing and controlling what you have1.4.2. A one-size solution does not fit all1.4.3. A mind map of data loss
2. Examining Your Data Environment
2.1. Discovering the Types of Data at Risk2.1.1. Data at rest2.1.2. Data in motion2.1.3. The most common at-risk data types2.1.3.1. Customer information2.1.3.2. Company information2.2. Where to Find Data at Risk2.2.1. Discovering where your data hangs out2.2.1.1. Start with the obvious2.2.1.2. Move to the derivatives2.2.2. Telling the forest apart from the trees2.3. Who Are We Protecting Against?2.3.1. Bad things happening because of bad people2.3.2. Bad things happening because of good people2.3.2.1. Systemic data loss2.3.2.2. Negligent data loss2.3.2.3. Unlucky data loss2.3.3. The malicious insider2.4. The Arms Race Continues
3. Governance, Risk, and Compliance
3.1. Protecting Your Data — or Else3.1.1. Data breaches, audits, and full disclosure3.1.2. What can you really do about stolen data?3.1.2.1. Starting with passwords3.1.2.2. What else can I do?3.2. Regulations You Need to Know About3.2.1. Existing full-disclosure legislation3.2.1.1. HIPAA3.2.1.2. Gramm-Leach-Bliley3.2.1.3. Basel II Accord3.2.1.4. Payment Card Industry Data Security Standard3.2.2. Regulations in Europe and North America3.2.2.1. Canada3.2.2.2. Europe3.2.2.3. United States3.2.2.4. European Union3.2.2.4.1. Common restrictions on processing data3.2.2.4.2. Implications of the restrictions3.3. How Good Governance Helps Compliance3.3.1. Data classification to the rescue3.3.2. The right technology for record retention and retrieval3.3.3. Using data-loss prevention solutions3.3.4. Balancing privacy and data protection3.4. Creating Auditable Processes3.4.1. Compliance technology requirements3.4.2. Making your organization as strong its data3.4.2.1. Self-audit — the pain that's good for you3.4.2.2. Automating the audit for fun (?) and profit (!)3.5. Which Regulations Are Relevant?
4. Data Loss and You
4.1. Risks and Consequences of Data Loss4.1.1. Direct losses4.1.2. Indirect losses4.1.3. The total cost of data doss4.2. Disclosure Laws and Cyber-Crime4.2.1. New (cyber-) crime versus old habits4.2.1.1. Where there's data, there's money4.2.1.2. Where there's data, there's crime4.2.1.3. Who are the data police? Sorry, nobody yet...4.2.1.4. Cyber-crime — what can I do?4.3. Treating Data Loss as a Disaster4.3.1. Evaluating risk4.3.2. Understanding the damage to reputation4.3.3. Facing the prospect of fines4.3.4. Protecting the data (or doing jail time)4.3.5. Protecting information technology4.4. Starting to Rethink Data Security4.4.1. Looking at the basics of data security4.4.2. Putting a monetary value on your data4.4.2.1. Figuring out the hourly rate4.4.2.2. Figuring costs by customer4.4.2.3. Figuring the loss in terms of employee time4.4.3. Considering your options4.4.4. Keeping an eye on the why

5. Calculating the Value of Your Data
5.1. Modeling Information5.1.1. Adding risk and consequences into the equation5.1.2. Different perspectives for different devices5.2. Different perspectives for different markets5.3. Identifying Sensitive Data5.3.1. Credit cards and bank details5.3.2. Customer-loyalty cards5.3.3. E-mail addresses5.3.4. E-mail and other communication from customers5.3.5. Health and welfare information5.3.6. Sensitive corporate data5.3.7. Other sources of sensitive data5.3.8. Which information are cyber-criminals after?5.3.8.1. The fine art of zippering5.4. The Elusive Total Cost
6. The Price of Your Data to Others
6.1. How Much Is That Data Worth?6.1.1. The most popular data for criminals to acquire6.1.2. Pile 'em high, sell 'em cheap6.1.3. Where to look for your data on the Web6.2. The Value of Data Over Its Lifetime
II. Starting with the Endpoint
7. IT Security
7.1. Surveying the Threat Landscape7.1.1. The evolution of a script-kiddie to a cyber-criminal7.1.2. Inside the mind of a data thief7.2. The Basics of IT Security Threats7.2.1. How anti-threat technology has evolved7.2.2. Information is the cyber-criminal's priority
8. Protecting the Endpoint
8.1. Why the Endpoint Is a Risk8.1.1. Threats against the user and the endpoint8.1.2. Wayward laptops8.2. Dealing with Lost Laptops8.2.1. Have laptop, will travel8.2.2. Strategies for protecting laptops8.3. Endpoint-Encryption Technologies8.3.1. Full-disk encryption8.3.2. File-based encryption8.3.3. Enterprise digital rights management (eDRM)8.3.4. So many options ... so little time8.3.5. Here be dragons8.3.6. Preventing Keyloggers and Rootkits8.3.7. Defeating the keylogger8.3.8. Defeating the rootkit8.3.9. It's a war out there8.4. Connecting Securely to the Corporate Network8.4.1. Virtual private networks (VPNs)8.4.2. Thin-client solutions8.4.3. Virtualizing the client8.4.4. Which one for me?8.5. Products to Protect the Endpoint
9. USB Devices and Removable Media
9.1. Defeating USB Devices9.1.1. Here comes a brave new (portable) world9.1.2. Careless use of portable media9.2. Strategies for Dealing with Removable Media9.2.1. USB ports — limit or lock down?9.2.2. More policies, more actions9.2.3. Content-based encryption policies9.3. Policies for Destroying Data on Removable Media9.3.1. Three tips for destroying data9.3.2. Storage-security policies9.4. Locking Down a Laptop
10. Mobile Phones and PDAs
10.1. Communicating the Risks and Benefits10.2. Protecting Your Corporate Portal10.2.1. Additional management challenges10.2.2. Putting it all together10.3. Controlling Functionality on Mobile Devices10.3.1. Encryption strategies for mobile devices10.3.2. Remote wipe and kill10.4. The Dangers of Bluetooth10.4.1. A simple solution for Bluetooth vulnerabilities10.4.2. Bluejacking, bluesnarfing, backdooring and bluebugging10.5. Protecting Data Against Mobile Phone and PDA Data Leaks
11. Geography
11.1. Location-Based Access Control11.1.1. Changing policies with geography11.1.2. Merging logical and physical security11.1.2.1. Getting physical (and then logical) about security11.1.2.2. Documenting compliance11.2. Risky Businesses11.2.1. Conferences and exhibitions11.2.1.1. Shiny toys and light fingers11.2.1.2. Keeping your wits (and your data) about you11.2.2. Mergers and acquisitions11.3. Internet Cafés11.3.1. The evil twin11.3.2. Holiday and vacation infections11.4. You're a Stranger Around Here11.4.1. Sweets from strangers11.4.2. Protecting new hires11.4.3. Working from home
III. Prevention at the Office
12. Keeping the Bad Stuff Out
12.1. The War Zone12.2. The Threat from E-mail12.2.1. The move from spam to phishing12.2.2. Endpoint security12.2.2.1. Risk with the best of intentions12.2.2.2. Watching all the doors12.3. The Patience of Today's Criminals12.3.1. Spear phishing12.3.1.1. Shields against spear phishing12.3.1.2. Throttling spammers by shaping traffic12.3.2. Big fish and little fish12.3.2.1. Whales12.3.2.2. Minnows12.4. Wireless Security to Prevent Data Loss12.4.1. Scanning for wireless networks12.4.2. Countering drive-by pharming12.4.3. Locking down your wireless routers12.5. Utilizing Hardware Appliances
13. Keeping the Good Stuff In
13.1. Protecting Intellectual Property13.2. Messaging systems13.2.1. Protecting e-mail from accidental (or not-so-accidental) loss13.2.2. Web-based e-mail13.2.3. Instant messaging13.2.4. The wrong Dave13.2.5. A better solution13.3. Developing Consistent Data Classification13.3.1. The meaning of life (-cycle management)13.3.1.1. What to keep and for how long?13.3.1.2. Classifying data by its stage in the lifecycle13.3.2. Data classification and ILM as a business advantage13.3.2.1. DLM/ILM as an aid to compliance with regulations13.3.2.2. DLM/ILM as a money-saver13.3.3. Consistency counts in classification13.4. Recognizing potential security holes13.4.1. User-level security issues13.4.2. Securing individual computers13.4.3. Managerial security issues
14. Protecting Your Data Center
14.1. The Curse of Unstructured Data Files14.1.1. The content defines the value14.1.2. Minimizing the number of copies14.2. Data Availability for Good or Bad14.2.1. Working 24/714.2.2. Intrusion detection14.3. Protecting Server Infrastructure14.3.1. Critical system protection14.3.2. Servers, endpoints, and thin-client computing14.3.3. Why centralized backup is a good idea14.4. Denial-of-Service Attacks14.4.1. Variations on the flooding attack14.4.2. Poisoned DNS as a method of stealing data14.4.2.1. Using DNS when it works right14.4.2.2. Poisoning the DNS14.5. Encryption in the Data Center14.5.1. Why outright encryption might cause more problems than it solves14.5.2. Content-based classification and protection14.5.3. Managing digital rights across the enterprise
15. Authorization and Access Control
15.1. Tightening Control over Access to Data15.1.1. Reducing data access15.1.2. What are the alternatives?15.2. Network Access Control: What's In It15.2.1. Data on the move15.2.2. Data at rest15.3. Comprehensive Remediation15.3.1. Authorization strategies to reduce data access15.3.2. Using NAC agents
IV. Applications
16. Backup and Archiving
16.1. Backup: The Easiest Way to Lose Critical Data16.1.1. Backup tapes... under lock and key?16.1.1.1. It's not just the tapes16.1.1.2. Disk-based backup protection16.1.1.3. Hardware encryption to protect offsite data16.1.1.4. Compress and then encrypt16.1.1.5. Managing encryption keys16.1.1.6. Third-party backup management (SaaS)16.2. The Importance of an Archive16.2.1. Identifying risk16.2.2. Protecting the corporate memory
17. Protection through Web Applications
17.1. Attacking Applications through the Web17.1.1. SQL injection attacks17.1.2. Preventing SQL injection attacks17.2. The Dangers from the Internet Browser17.2.1. Browser plug-ins17.2.2. Cross-site scripting17.2.3. Clickjacking17.2.4. Session poisoning and hijacking
18. Making Applications Safer
18.1. Data Corruption: Worse than Data Loss?18.1.1. Guarding against data compromise18.1.2. Taking the performance hit18.2. Poor Code Results in a New Threat Vector18.2.1. Open Source software18.2.2. Developing data-loss testing18.2.3. Putting it all together18.3. Software as a Service: Who's Watching the Watchers?18.3.1. Identifying threats in SaaS environments18.3.2. Securing your data from tampering
19. Losses from the Unlikeliest Places
19.1. Is That Your Data Walking Out the Door?19.1.1. How to destroy electronic data19.1.1.1. What's it stored on?19.1.1.2. Can't I just use a magnet?19.1.2. Disposing of old systems without losing data19.1.3. Strategies for system repair19.2. The Unseen Sources of Information19.2.1. Local e-mail archives19.2.2. SMS19.2.3. The real deal on facsimiles (faxes)19.2.4. Printers and photocopiers19.2.5. VoIP and answering machines19.2.6. Digital cameras19.2.7. Conference calls and Webcasts19.2.8. Remote access19.2.9. Miscellaneous attack vectors19.3. Dealing with the Printed Word19.3.1. Put up a sign19.3.2. Cleaning up after meetings19.3.3. Revisiting the document shredding policy19.3.4. Pick a shredder, any shredder
20. Revisiting Policies
20.1. The People Factor20.1.1. Identifying broken processes20.1.2. Interview techniques to identify data at risk20.2. Common Policies That Put Data at Risk20.2.1. Developing policies and procedures to prevent data loss20.2.2. Correcting broken processes and policies
V. More Preventative Measures
21. Technology Is Not a Silver Bullet
21.1. Social-Engineering Attacks21.1.1. Piggybacking21.1.2. Dumpster diving21.1.3. Contractors21.1.4. Impersonation21.1.5. Controlling freebies21.1.6. Eavesdropping21.2. Processes and Procedures21.2.1. The trouble with standards21.2.1.1. ITIL21.2.1.2. COBIT21.2.1.3. ISO/IEC 2700221.2.1.4. SSE-CMM and/or CMMI21.2.1.5. PCI DSS21.2.2. Choosing a standard21.2.3. Time to reevaluate21.2.4. Ask the question21.3. Treating Data Loss as a Disaster21.4. The Importance of an Awareness Program21.4.1. Security training for everybody21.4.2. An ongoing program21.4.3. Building a culture that protects data
22. Long-Term Prevention
22.1. Creating an Information-Protection Policy22.1.1. Long-term strategy to handle data loss22.1.1.1. Creating a data-loss crisis team22.1.1.2. Tasks for a data-loss crisis team22.1.2. Discovery — an ongoing effort22.1.3. The importance of consistency22.1.4. Moving on from discovery22.1.5. Less data, less risk22.1.5.1. Reducing storage of data to a single instance22.1.5.2. Archiving22.1.5.3. Deleting the old stuff22.1.6. Auditing for governance22.2. Revisiting Decisions You've Made22.2.1. Regulatory changes22.2.2. Threat changes22.2.3. Technology changes
23. Partners and Suppliers
23.1. Preventing Data Loss by Third Parties23.1.1. Information-security audits23.1.2. Outsiders inside your data center23.1.3. Potential threats from Software as a Service (SaaS) providers23.1.4. Service Oriented Architectures and Data Loss23.2. Who can you trust?23.2.1. Fending off dangers in third-party data processing23.2.2. Questions to ask
VI. Dealing with the Inevitable
24. In the Event of Data Loss
24.1. Don't Panic24.1.1. Creating a plan24.1.1.1. Build a team24.1.1.2. Find out what happened24.1.1.3. Inform the appropriate people24.1.1.4. Create a project office24.1.2. Mobilizing the troops24.1.3. Dealing with the media24.1.3.1. Figure out who will be the main spokesperson24.1.3.2. Have your facts straight24.1.3.3. Offer frequent updates24.2. The Ongoing Project24.2.1. Support desks and supporting your customers24.2.2. Minimizing customer impact24.2.3. Ensuring that it won't happen again
25. Preparing for the Future
25.1. The Decline of Implicit Trust25.1.1. Analyzing application access25.1.2. Analyzing user behavior25.1.3. Malicious data corruption25.2. Hiding Data You Don't Want Seen25.2.1. Information sensitivity and access25.2.2. Real-time redaction25.3. Social Networking and the Dangers of Data Loss25.3.1. Corporate phishing through private individuals25.3.2. Data loss in cyberspace
VII. The Part of Tens
26. Ten Tips to Prevent Data Loss Today
26.1. Identify what information you have that needs to be protected26.2. Identify where sensitive information resides26.3. Identify who has access to sensitive and confidential information26.4. Identify processes involving sensitive information26.5. Identify when and where data goes offsite26.6. Protect the endpoint26.7. Protect information in motion26.8. Revisit how reports and printouts are destroyed26.9. Revisit system disposal26.10. Start an education-and-awareness program
27. Ten Common Mistakes
27.1. "It won't happen to me"27.2. Secrecy about data-loss threats27.3. Mistaking ignorance for bliss27.4. Trusting your partners blindly27.5. Delaying finding out where your data was — especially after a breach27.6. Assuming that it will be business as usual after an event27.7. Assuming all data is equal27.8. Giving data the same protection at all times27.9. Assuming that people will do the right thing with the data27.10. Assuming that your current processes won't result in data loss
28. Ten Tips to Protect Data at Home
28.1. Shred personal information28.2. Understand what personal data you have on your laptop28.3. When signing up for a service, consider which data is requested28.4. Check the Web browser's address bar28.5. Lock down your home network28.6. Keep your anti-virus and anti-malware software up to date28.7. Install a pop-up blocker and Web-site checker28.8. Educate your family28.9. Run anti-spyware and anti-adware programs28.10. Check browser plug-ins

Content preview from Data Leaks For Dummies®

Chapter 22. Long-Term Prevention

In This Chapter

Creating an information-protection policy
Dealing with data loss over the long haul
Initiating ongoing discovery
Auditing for governance
Reviewing policy decisions

Unfortunately, data loss, data leaks, and data breaches are here to stay. Electronic information is how our businesses, and even our society, survives. Information has unarguable value — to those it belongs to, and to those it does not belong to. The consequences of data loss can be dire enough that short-term, knee-jerk reactions to data breaches are clearly a substandard way for a company to govern itself. The reputation of the company is at stake. What it needs is an effective, long-term view of data loss — and that means creating an information-protection policy.

Creating an Information-Protection Policy

An information-protection policy is an overarching set of agreed-upon practices for looking after information in your organization, regardless of whether it's paper-based or electronic (including e-mail, files on disk, structured databases, data on Web sites, you name it).

Note

It's worth repeating: Security is only as strong as its weakest link. Don't let that weak link be protection of your data.

Policies tend to be written down and then ignored. For your information-protection policy to be effective, it has to be clearly understood, consistently applied, and followed by everyone — from the CEO to the cleaner and from suppliers and partners to customers. All have important parts ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780470388433Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design