DATA IS KING

Bill Buchanan
Edinburgh Napier University

Institute of Information Security Professionals Spring 2016 Issue 22

We live in an era where data is King, and it is often the focus of an intrusion. The scope of data breaches is now massive, and they often focus on insider help to gain privileged access to data. No firewall in the world will stop an insider copying the complete Exchange Post Office onto an SD card, and walking out of the building.

Overall the solution is to detect data “at-rest”, “in-motion” and “in-process”. Many existing systems detect the transfer of documents in network transfers, but with the increasing usage of encryption tunnels, it is becoming a challenge to detect this. Dell estimate that within five years, 99% of network connections will be tunnelled.

For documents “at-rest”, normally there are operating access restrictions applied, but these do not embed restrictions outwith an organisation domain, and are often fairly limited in their scope. An administrator, too, often has large-scale access to all documents in the organisation. Encrypting data at its core, whether it is emails or documents, and defining restrictions on its access is thus a key factor in protecting organisations from large-scale data breaches. Unfortunately the lack of tools and general understanding of cryptography are providing key barriers to adoption. The protection of email, for example, is often just the usage of an encrypted tunnel to protect the email, which only protects the email as it travels over a network, and does not protect it at its source or destination.

Few companies properly protect their documents, or use encrypted email messages for their sensitive information. While there are often technical access restrictions on documents, when it comes to defining the access policies on documents we still often use operating rights to restrict access, and for many companies and government departments the classification involves adding “Commercial-in-Confidence” or “Secret” on the cover page, or at least in the footer of the pages.

Unfortunately the world has moved on, and the distribution of documents is now so much easier, and Web crawlers have no respect for these marks. The minute a document connects to “any” network, it can be contactable by other computers, and the minute a document resides on a computer with a connected storage device, it can be copied.

Last year a top secret plan named Operation Temper and entitled “Counter Terrorism Post Paris Large Scale Military Support to the Police” was uploaded onto the National Police Chiefs Council (NPCC) website, and reported in the minutes of a meeting on 22 April 2015. In terms of sensitivity, this must be viewed as being one of the most sensitive documents around, as it provides details of things to adversaries. It gave details of the deployment of over 5,000 heavily armed troops on the streets of UK cities, on a major terrorist attack, and focuses on simultaneous events happening across the UK. The details also outlined the guarding of key targets by the troops and police.

Document classifications

In the UK government, departments use a number of classifications for documents, which typically focus on the risk of harm to life and limb. The highest levels are:

• Top Secret. This is the highest classification, and could cause “exceptionally grave damage” if the document was released. This might relate to designs for the storage and transport of nuclear material, or for military operations.
• Secret. This document would cause “serious damage” if it was leaked.
• Confidential. This could cause damage to national security.
• Restricted. This could cause undesirable effects.
• Official. This defines that it is a posting from a government department.

Issues related to terrorism would typically be placed in the Top Secret or Secret classification, as the plans would give benefits to those who plot malicious activities. The access to the documents would be highlighted as restricted, and only given to those with the highest levels of clearance.

Companies, too, often need to classify their documents, and again these classifications focus on the harm to the company and/or its employees:

• Restricted, which requires the highest level of access control, as a release of the information could cause major problems to the company or employees.
• Confidential, which could do harm to the company or its employees if it was released.
• Internal Use Only, which can disclose information only within a company but could do harm to the company or its employees.
• Public, which can disclose information to a wide audience without any risk to the company or its employees.

Apart from national defence, the classification of documents can also focus on the risks to individuals around sensitive information. In the document below the Department of Defence filed a government security clearance questionnaire about Steve Jobs where he divulged that he took LSD between 1972 and 1974.

Figure 1: Steve Jobs's admission of LSD taking

What goes wrong?

Perhaps the issues with this case are the lack of due process and due diligence in the leaking of the documents, and one must wonder about the methods that are used around cryptography and document access, if a sensitive document like this can be leaked onto a government Web site. With the usage of crawling agents, even documents which are not viewable can be cached in an instant. The document is now likely to have been captured by crawling agents around the world.

The minute a document hits a Web site with a public IP address, it is likely to have been captured for the world. Even when a document is taken off a Web site, it is often still accessible through Google’s caching facility.

The methods applied in Data Loss Prevention (DLP) are now being extensively applied in a number of industries, especially in the finance sector. This includes the scanning of network traffic for things like credit card details, and malicious phishing. Data which does not look right is automatically put into a holding area for further inspection.

Over the past few years, companies have been working hard on protecting their systems and, especially, their data, so that sensitive information does not leak out. So with Sony’s data now appearing on Wikileaks, we see embarrassing information about their executives, but it is highly sensitive information that should always be protected, and that is the information that could risk life and limb.

With the NPCC data leak, it was a document that related to terrorism plans that was leaked onto a public-facing Web site. One must thus worry about the processes applied, in that a non-encrypted or unprotected document containing information around the protection of citizens could be leaked to the Internet.

The traditional viewpoint of documents is that there is a single copy of them, and that they are static things. These days copies of documents can be produced in an instant, and distributed widely. In DLP (Data Loss Prevention), though, we get the concept of data existing in three states (Figure 2): at-rest (on the disk); in-motion (on the network); and in-process (in the memory of a computer). Data must thus be protected in all these states, but, unfortunately, many people just think that everything is secure if they have encryption on their disks.

Organisations need to understand that documents need to be protected in each of the states defined, so that there is no good in protecting access to a document on a network drive, and then not protecting it when it is transmitted over the network, or actually used within the memory of a computer. A visual marking of the security of a document will do little if an adversary just deletes the security marking.
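The DLP content check described above, as an added example (not code from the article): it scans outbound text for the classification markings the article lists and for Luhn-valid card numbers, and places anything that matches into a holding area. The marking vocabulary, the function names and the sample text are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Markings taken from the article's lists (assumed vocabulary); longest
# alternatives first so "TOP SECRET" is not reported as "SECRET".
MARKINGS = ("TOP SECRET", "COMMERCIAL-IN-CONFIDENCE", "INTERNAL USE ONLY",
            "CONFIDENTIAL", "RESTRICTED", "SECRET")
# Upper-case marking anywhere on a line. Case-sensitive, so the ordinary
# word "secret" in running prose does not fire.
MARKING_RE = re.compile(
    r"(?<![A-Za-z-])(" + "|".join(re.escape(m) for m in MARKINGS)
    + r")(?![A-Za-z-])")
# 13 to 19 digits, optionally grouped with single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


@dataclass(frozen=True)
class Finding:
    kind: str     # "marking" or "card"
    line_no: int  # 1-based line number in the scanned text
    detail: str   # marking text, or card number masked to its last 4 digits


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_marking(line: str):
    """Return the classification marking carried by this line, or None."""
    m = MARKING_RE.search(line)
    if m:
        return m.group(1)
    # A line that is nothing but a marking counts in any letter case,
    # which is how a cover page or footer usually carries it.
    bare = line.strip(" \t*[]()").upper()
    return bare if bare in MARKINGS else None


def scan(text: str) -> list:
    """Return all findings in the text, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        marking = find_marking(line)
        if marking:
            findings.append(Finding("marking", line_no, marking))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                # Mask before logging so the DLP log is not itself a leak.
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append(Finding("card", line_no, masked))
    return findings


def triage(text: str):
    """Decide whether content is released or held for human inspection."""
    findings = scan(text)
    return ("hold" if findings else "release"), findings


# Constructed sample: 4111 1111 1111 1111 is a well-known test card number.
SAMPLE_DRAFT = """Minutes of meeting, agenda item 4
Commercial-in-Confidence
Payment taken on card 4111 1111 1111 1111 for the venue.
Reference number 1234 5678 9012 3456 is the booking id.
The secret to a good meeting is a short agenda.
"""

if __name__ == "__main__":
    decision, found = triage(SAMPLE_DRAFT)
    print(decision)
    for f in found:
        print(f)
```

A check like this only sees content it can read, which is the article's point about encrypted tunnels: it belongs at a point where the document is still in the clear, such as a publishing gateway.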
Figure 2: At-rest, in-motion and in-use

The terrible security restrictions of Microsoft Office

Many companies restrict the editing of a document or add a password. Unfortunately, from a security point-of-view, the methods used by Microsoft Word to protect documents are almost laughable. Previous versions of Microsoft Office had virtually no security levels applied, and it was easy to break any restrictions. Newer versions use the DOCX format, which is actually a ZIP file, where a reader can change the file extension of the file and gain access to its contents (which are defined in XML). It is not a difficult task to change the rights of access on the document after this. While newer versions of Word improve the restrictions, they are still open to password attacks, as users will often put simple passwords on their documents. Files which are protected by a password must be seen as weak practice, and the password just slows down the progress to gain access to a document.

So many exit channels ...

There are so many exit channels for a document, and as long as it is stored on a disk, there can be ways for it to leak out of the system. The best way to protect it is to apply encryption. For a database, if possible, every record should be stored with a different encryption key, as intruders can often gain access to the password which stores the key.

The usage of passwords in protecting an encrypted document is also a worry, as we severely restrict the number of encryption keys that are used, such as from a 128-bit encryption key, which a space alien with quantum computing would struggle to crack, to a tiny little encryption key of just 20 bits (which your mobile phone could crack!).

For exit points, the minute you connect a network to the document, there are many ways the document can leak out, especially through the usage of a secure tunnel, in which network scanners will not be able to detect it. With the increase in storage around SD cards and with USB sticks, there is an easy way to get the document off the system. So auditing agents should also be capturing events, not just from the network, but also on the usage of the storage devices and on the running processes on the system.

So what can we do?

Well, at the lowest level, we can never stop the copying of documents, as someone can take a picture of a screen. What must happen is to restrict sensitive documents so much that it is extremely difficult for them to gain access, with many tripwires along the way to detect their accesses.

For organisations the placing of restrictions on documents is the last line of defence, and means that someone has managed to get over all the other hurdles to gain the document. Generally, as illustrated in Figure 3, there should be increasing levels of identity and access control as we go nearer the sensitive documents, and these should be placed separately from other less sensitive documents.

Figure 3: Secure architecture

In sensitive areas, full auditing should be required so that all accesses to documents can be checked and logged, and these should be monitored through an aggregated event log (such as with SIEM integration). In some environments, the events are monitored 24x7 by human security staff. Along the way, there should be checks on accesses, especially for multi-factor authentication. The best methods use biometrics, such as fingerprint, retina scan, and handscans, along with geo-location. Increasingly mobile phones are being used as an “out-of-band” authentication method, where access is gained by sending a one-time code to the user's registered mobile phone, and then this is placed into the Web login page.

Overall, too, it does no harm to have humans involved in approving things that are published or moved to certain places, as humans tend to spot when something is not quite right. Most security products are based on standard signatures of activity, so an adversary can often know the signature, and then find a way round it.

Okay ... it’s people who make mistakes ...

The processes involved in data loss prevention should focus on checking when employees make mistakes, and should make continual checks for data leakage. A lack of training and giving someone too many rights are often weak points in the process. A recent Thales survey on encryption highlighted too that the main reason companies encrypted was not to protect against hackers or malicious insiders, it was “To guard against employee mistakes” (Figure 4).

So when setting up the system, users need the minimum of rights of access to anything sensitive, and sensitive documents must be stored in places away from less sensitive documents. A location lock-down is also important on accesses, especially if this can be embedded into the document. To allow a document such as a terrorism response plan to move onto a Web site, without authorisation or checks along the way, and even checks when the document arrives on the Web site, beggars belief.

Along with this the perception is that documents will be leaked by external hackers, but in most cases data leakage involves an insider in the organisation, or a trusted contractor, so all the controls on the firewall and external restrictions will not stop an insider from gaining access to documents behind the firewall.

Figure 4: Why encrypt? ... people!

Conclusions

Data loss prevention is likely to become one of the hottest topics around, and adversaries just seem to be able to target companies and agencies, and gain access to their sensitive data. While most have focused on commercial companies, it is likely that government departments will become a target, especially around a strong commercial drive in selling sensitive data, and with the rise of hacktivism.

Our methods are often still based on having physical access to a paper version of a document, but as long as there’s a network connection to a document (or through a physical storage device) there is a way that there can be access to it. So just marking a document as “Secret” is not going to stop someone from copying it.
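An audit check for the Microsoft Office point made earlier, as an added example (not code from the article): it reports whether a DOCX file is a plain ZIP whose text any reader can extract, with an editing restriction that is only a flag in word/settings.xml, or an OLE2 container as used for password-to-open files. The sample files are constructed minimal archives, and the function names and verdict labels are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# OLE2 compound file signature: password-to-open Office files (and legacy
# .doc files) use this container instead of a plain ZIP.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
MAX_PART = 20 * 1024 * 1024  # refuse oversized parts (zip-bomb guard)
SAMPLE_TEXT = "Constructed sample: deployment plan text"


def _read_part(z: zipfile.ZipFile, name: str) -> bytes:
    """Read one archive member, refusing implausibly large ones."""
    if z.getinfo(name).file_size > MAX_PART:
        raise ValueError(f"{name} exceeds size limit")
    return z.read(name)


def assess_docx(data: bytes) -> dict:
    """Classify how a Word file is actually protected."""
    result = {"container": "unknown", "readable_chars": 0,
              "edit_restriction": None, "verdict": "not-a-docx"}
    if data.startswith(OLE2_MAGIC):
        # Content is not readable as ZIP/XML; strength then rests on the
        # password the user chose.
        result.update(container="ole2", verdict="ole2-container")
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "word/document.xml" not in names:
            return result
        result["container"] = "zip"
        body = ET.fromstring(_read_part(z, "word/document.xml"))
        # Every w:t element is visible text; no key is needed to read it.
        text = "".join(t.text or "" for t in body.iter(f"{{{W_NS}}}t"))
        result["readable_chars"] = len(text)
        if "word/settings.xml" in names:
            settings = ET.fromstring(_read_part(z, "word/settings.xml"))
            prot = settings.find(f"{{{W_NS}}}documentProtection")
            enforced = prot is not None and prot.get(
                f"{{{W_NS}}}enforcement") in ("1", "true", "on")
            if enforced:
                result["edit_restriction"] = prot.get(f"{{{W_NS}}}edit")
    result["verdict"] = ("readable-edit-flag-only"
                         if result["edit_restriction"]
                         else "readable-no-protection")
    return result


def build_sample_docx(protected: bool) -> bytes:
    """Constructed minimal archive with only the two parts inspected."""
    doc = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
           f'<w:t>{SAMPLE_TEXT}</w:t></w:r></w:p></w:body></w:document>')
    flag = ('<w:documentProtection w:edit="readOnly" w:enforcement="1"/>'
            if protected else "")
    settings = f'<w:settings xmlns:w="{W_NS}">{flag}</w:settings>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        z.writestr("word/settings.xml", settings)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("restricted", build_sample_docx(True)),
                        ("plain", build_sample_docx(False)),
                        ("ole2", OLE2_MAGIC + b"\x00" * 64)):
        print(label, assess_docx(blob))
```

A "readable-edit-flag-only" verdict on a sensitive file means the restriction gives no confidentiality at all, so the file needs encryption and access control rather than the Word setting.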