ISO/IEC27000: Data Leakage Monitoring

Data loss prevention has become a growing problem for organizations that are supporting workforce mobility. Unintentional disclosure of confidential information can lead to high-profile incidents that can have long lasting consequences for an organization. The ISO Data Leakage Monitoring report can assist the organization by highlighting areas of potential data leakage and suspicious activity.

The ISO/IEC 27002:2013 provides a framework that can be used to develop and enhance information security policies for any organization. Each security control and objective provided within the standard can be tailored to specific business and regulatory objectives, and assist with maintaining overall compliance. This report aligns with the ISO/IEC 27002 14.1 control that can assist organizations in protecting data-in-transit, and assuring that protections against data leaks are implemented.

When dealing with data loss, many organizations struggle to find a balance in stopping data from slipping through exit points. Knowing which devices and services employees are using to access data can be difficult to monitor. As mobility needs increase, many employees rely on e-mail, USB drives, and cloud services to copy and store data remotely.  Portable devices and remote storage services have the possibility of not including encryption technologies, which can allow data to be disclosed unintentionally or through malicious activity. While data loss prevention (DLP) solutions can prevent sensitive data from leaving the network, this can also reduce employee productivity by blocking access to remote storage endpoints. Before deploying DLP solutions, organizations should first determine where sensitive data is being stored, who is accessing it, and any sensitive data-in-transit.

This report can complement existing DLP solutions by providing a unique look at potential areas of data leakage on a network. Information on e-mail file attachments, cloud services activity, P2P file sharing events, and USB device usage is included within this report. Hosts are scanned for both Instant Messenger (IM) clients and IRC activity, which provide file transfer abilities. Port summary information is included to detect IM and IRC client traffic on non-standard ports. This information is useful in identifying hosts that are trying to bypass firewall security policies or DLP solutions. Hosts are scanned in real-time by the Nessus Network Monitor (NNM) to detect e-mail attachments from Microsoft Office, Adobe PDF, and ZIP files. NNM also highlights data leakage events from social security numbers and credit card data. Both current and previously used USB devices that have been connected to Windows hosts are also included in this report. Together, the elements in this report will assist organizations in improving data security and data loss prevention strategies. 

This report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The report requirements are:

• Tenable.sc 5.3.2
• Nessus 8.5.1
• LCE 6.0.0
• NNM 5.9.0

Tenable.sc Continuous View (CV) is the market-defining continuous network monitoring platform. Tenable.sc CV uses Nessus and NNM to continuously monitor networks, applications, cloud infrastructure, and advanced threats. Tenable’s Log Correlation Engine (LCE) performs automatic discovery of users, infrastructure, and vulnerabilities across more technologies than any other vendor including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure. Using Tenable.sc CV, organizations will obtain the most comprehensive and integrated view of its network devices and sources of potential data leakage.

The report contains the following chapters:

• Executive Summary: The Executive Summary chapter presents an overview of data leakage events across the enterprise. The chapters within this report will provide targeted information that organizations can use to quickly identify potential data leakage and other areas of concern. This report aligns with the ISO/IEC 27002 14.1 control that can assist organizations in protecting data-in-transit, and assuring that protections against data leaks are implemented.
• Data Leakage Summary: The Data Leakage Summary chapter provides a comprehensive look at data leakage events across a network. Information presented within this chapter will include a summary of cloud services, peer-to-peer (P2P), instant messenger, and IRC activity. Additional elements include a summary of e-mail file attachments, confidential, and sensitive events. Cloud services, e-mail attachments, and instant messaging all provide potential exit points for data. Organizations should monitor all possible exit point to reduce the chance of data leakage.
• USB Device Summary: Monitoring USB activity can help to reduce or mitigate data leakage and potential security threats. This chapter focuses on USB events on Windows systems. Each element includes information on when a device was attached, device name, and drive letter in use. Each element provides valuable information organizations can use to identify data leakage entry points and exit points on a network.