Lessons from the DuPont breach: Five ways to stop data leaks

Computerworld - In the five months Gary Min was stealing $400 million worth of proprietary information from a DuPont database, he downloaded and accessed more than 15 times as many documents as the next-highest user of the system. But he wasn't caught until after he left the company for a rival firm.

Min pleaded guilty last November to misappropriating DuPont data and is scheduled to be sentenced on March 29. His case is only the latest to highlight a lack of internal controls for dealing with insider threats at many companies. Earlier in February, a cell development technologist at battery maker Duracell Corp. admitted to stealing research related to the company's AA batteries, e-mailing the information to his home computer, and then sending it to two Duracell rivals.

Dealing with such issues can be challenging, especially in large corporations, said Tom Bowers, former manager of information security operations for the global security division of Wyeth Pharmaceuticals.

"I am not at all surprised" about what happened at DuPont, said Bowers, who is now managing director at Security Constructs LLC, a Fleetwood, Pa.-based consultancy. "When you have a huge multinational like that, your security department is never really going to fully have any realistic idea of where or how the information is flowing," he said.

But there are ways to mitigate some of the risks and help companies better track what's going inside the firewall, according to security analysts. Experts advise taking the following steps:

• Get a handle on the data. It's impossible to put controls on sensitive and proprietary information on your network if you don't even know where that data is.

  An organization's sensitive data is widely distributed throughout its corporate network, according to Eric Ogren, an analyst at Enterprise Strategy Group in Milford, Mass. Important data resides not just in databases but in e-mail messages, on individual PCs and as data objects in Web portals. Sensitive information also comes in many forms, including credit card numbers and Social Security numbers. And trade secrets can be found in many types of documents and files, such as customer contracts and agreements and product development specifications, Ogren said.

  Implementing one set of controls for all data types can be inefficient and impractical. Instead, categorize data and choose the most appropriate set of controls for each data class. There are a growing number of tools available from vendors such as Reconnex Corp., Tablus Inc. and Websense Inc. that are capable of automatically scanning company networks and identifying sensitive data where it resides. Many of the same tools can be used to separate data into different categories based on policies defined by a company.

• Monitor content in motion. As companies Web-enable their business and link up with networks belonging to partners, suppliers and customers, it is vital to keep track of what's flowing over your networks. Content monitoring was a core "foundation piece" for Wyeth's data protection strategy, Bowers said. With so many network "egress points" through which data can flow out, it is vital to be able to monitor network traffic, he said.

  Vendors such as Vericept Inc., Vontu Inc., Oakley Networks Inc., Reconnex and Websense all sell products that can inspect e-mail, instant messages, P2P file sharing systems, Web postings and FTP sites for data that may be exiting a company network in violation of policies. The tools sit near network gateways and are designed to issue alerts when they come across suspicious data packets. Many of the products can also be used to enforce actions such as blocking data or encrypting it when it leaves the network.

  Such content filtering tools allowed Wyeth to "look at everything coming in and going out of our networks. We monitored all ports and all protocols for content," Bowers said.

• Keep an eye on databases, which can contain a company's crown jewels in terms of information. You should know not only who's accessing them, but also when, where, how and why they're doing so. Several database activity monitoring tools are available from companies such as Imperva Inc., Guardium Inc., AppSec Inc. and Lumigent Technologies Inc. These products are designed to allow companies to monitor database access and activities.

  Such products are designed to keep an eye on what users and administrators are doing with their access privileges and either prevent certain actions -- such as modifying, copying, deleting or downloading large sets of files -- or send out alerts when someone attempts one of those actions. They also can provide clear audit trails that track when people try to act outside of corporate policy. Encrypting sensitive data in databases is another measure companies should consider if they haven't done so already.

• Limit user privileges. Most companies give their employees far more access than they need to do their jobs, said Amichai Shulman, chief technology officer at Imperva. Monitoring user access to mission-critical information and detecting unauthorized access to high-risk data are key capabilities companies need to consider putting in place.

  Create access policies that limit users' network privileges strictly to what is required for their jobs, and put in place controls for enforcing those policies, Shulman said. For instance, have controls that issue alerts when someone who might normally work with about 10 documents a day suddenly starts accessing a lot more, he said.

  Making access control decisions on an "insider vs. outsider" basis is overly simplistic, said Matt Kesner, chief technology officer at Fenwick and West LLC. Sometimes, an outsider may legitimately need equal or even more access to internal assets than an insider would. Fenwick's client extranets, for instance, are used by clients to collaborate with their attorneys -- external users are sometimes "more interested in our data" than insiders, he said.

• Cover those endpoints. The proliferation of portable devices such as laptops and PDAs, and removable media such as USB memory sticks and iPods, make it easier than ever for rogue insiders to walk away with gobs of corporate data. Companies need to think about measures for centrally controlling and monitoring what devices can be attached to corporate networks and systems and what data can be downloaded, uploaded and stored on them. Doing that can be a challenge, but several tools are becoming available that promise to make the task easier, including products from vendors such as Code Green Networks Inc., Control Guard Inc. and SecureWave Inc.

  "When it comes right down to it, very few companies have put in place effective controls that enable them to monitor internal systems closely and allow them to follow the movement of data" on their networks, said Alex Bakman, CEO of Ecora Software Corp. That means breaches can go unnoticed for long periods of time, he said.

Read more about Security in Computerworld's Security Topic Center.