Protecting sensitive data from threats both internal and external is a difficult problem because there are a number of ways to transfer such data, including email, printing, web-based uploads and others. Data Loss Prevention solutions attempt to limit the flow of sensitive data in an environment by restricting its movement. These DLP systems are difficult to correctly configure so that sensitive data is restricted while business needs can still be met. This often results in an overly permissive implementation policy, which puts sensitive data at risk. In this assessment, we attempt to discover sensitive data such as account numbers, PII, and credit card numbers, and transfer it using a number of methods, including:
- Mail server based email (Exchange)
- Web-based email
- File upload services
- Hardware: CD, DVD, USB
- Mobile device storage
- Mobile device network access
- FTP, SFTP
- Screen capture
The result of this assessment is a comprehensive report on what sensitive data was discovered, which methods of transfer were successful, which were unsuccessful, and for the unsuccessful methods, whether they were detected, or blocked.
Basically DLP is a fancy industry term that means that we try to stop insiders from (even accidentally) leaking sensitive information. This is accomplished by technical controls (e.g., preventing USB storage devices from being attached) and scanning. For scanning, what we do is run a search on a subset of the companies computers that looks for things like social security number, credit cards, etc. that should be not stored unencrypted.
Contact us to talk about Data Loss Prevention techniques and systems that are right for your company.