Causes of Data Breaches and Preventive Measures. Data Loss Prevention

Technical Report, 2012

43 Pages, Grade: none


Table of Contents


Chapter 1 Introduction
1.1 Background
1.2 Project Objectives
1.3 Methods Used

Chapter 2 Causes of Data Breach
2.1 Types of data breaches
2.1.1 Well-meaning insider or Benevolent Insider
2.1.2 Malicious Insider
2.1.3 Malicious Outsider or Targeted attacks
2.2 Tools and techniques used by Malicious Outsiders or Hackers

Chapter 3: Laws & Cost of Data Breach
3.1 UK Law & Governance
3.1.1 Data Protection Act [16]
3.1.2 Privacy and Electronic Communications Regulations [18]
3.2 Cost of data breaches

Chapter 4: Existing Security Mechanisms
4.1 Antimalware, Antispyware & Proactive Protection [27]
4.2 Firewall [28]
4.3 IDS/IPS [29] [30]
4.4 SIEM (Security Information and Event Management) [31]
4.6 Vulnerability Scanning and patching [34]

Chapter 5: Analyze DLP Solutions to Prevent Data Breaches
5.1 How does Data Loss Prevention system Work?
5.2 Approaches by a DLP system to prevent Data Loss [35]
5.3 Types of Data Loss Prevention Systems [36]
5.4 Architecture of Symantec Data Loss Prevention Solution
5.5 DLP Honey Pots to Detect Malicious Insiders [37]
Future scope for research

Chapter 6: Conclusion & Recommendations

Appendix A: Data Breach Log Template

Appendix B: PECR Security Breach Notification Form


Table of Figures

Figure 1 Four phases of a targeted attack [3]

Figure 2 Comparison of 'Types of breaches' from 2004 to 2011 [4]

Figure 3 A Remote Access Tool displaying various options available for a remote hacker

Figure 4 Types of attacks faced by organization in 2011 [13]

Figure 5 Data Breach attacks by type of industry [14]

Figure 6 The average total cost of data breach per record over five years [21]

Figure 7 The average total organisational cost of data breach over five years [26]

Figure 8 A typical Enterprise network with IPS and IDS

Figure 9 An enterprise network with IDS

Figure 10 An enterprise network with IPS

Figure 11 Architecture of RSA's SIEM solution [32]

Figure 12 A Summary of security events and vulnerable assets in RSA enVision [33]

Figure 13 Architecture of a vulnerability scanner

Figure 14 Architecture of Symantec Data Loss Prevention


As technology evolves, the threat landscape evolves. The threat landscape has changed from mere script kiddies for fun to organised cyber crime to steal data for identity theft and monetary gains.

It is very important to protect the business data from all kind of data breach attacks in order to maintain the brand reputation and customer faith. New laws and governance policies make it mandatory for organisations to protect customer data. This project talks about the different effect of data breaches and preventive measures. This project targets mostly on the 'confidentiality' trait of the information security's CIA triad.

Chapter 1 Introduction

1.1 Background

Technology was never meant for evil purposes. Right from the beginning, as technology evolved and new technologies were discovered, the innovators always thought that it will be used for good. Maybe the famous idiom “every coin has two sides” was not taken seriously by the innovators. The other side of the coin is the evil use of technology. Technology is accessible for both good and bad use. Good use is when technology is used to improve quality of life, improve productivity; availability of information as and when required and the list can go on. However, the same technology can be used in a destructive way to cause harm, damage, identity theft, financial fraud, cyber espionage and lot more.

As technology grows, businesses depend to a great extent on Information Technology to execute their business operations. The businesses exchange information to a great extent for their daily work. For example, BT has outsourced its network monitoring, technical support and customer care services to IT service providers. The IT service providers of the BT have access to their network and customer database. In such kind of an environment, the risks associated to data breach or data theft have also gone up. In such kind of different business systems, it is important to look after the confidentiality of the data. Data should be protected from all kinds of unauthorized access.

Out of the three Information Security attributes of the CIA triad’s Confidentiality, Integrity and Availability, this project discusses about ‘Confidentiality’. This project finds some root causes of data breaches. The project also looks at conventional security mechanisms that fail to prevent a data breach and also analyzes the need of Data Loss Prevention tools to maintain confidentiality of data.

Chapter 2 analyses the types of data breaches and the causes of the data breaches. It also discusses some commonly used tools and techniques used by attackers to attack organizations.

Chapter 3 discusses the laws and regulations relating data breaches. It also discusses some examples of 2011 data breaches and insights from several data breach research whitepapers.

Chapter 4 discusses some existing security mechanisms used by organizations to protect from outside attacks.

Chapter 5 discusses why the exiting security mechanisms are not adequate to prevent a data loss and why an extra layer of protection is required. It discusses why organisations need two way protection that is, protection against outside attacks and protection from inside by preventing data being lost to the outside world. It analyses some ‘Data Loss Prevention’ solutions.

Chapter 6 suggests recommendations and conclusion.

1.2 Project Objectives

Despite having several security mechanisms, organizations are still facing data breaches. The project intends to study the causes of data breaches and suggests preventive measures. The project also lists laws related to data breaches.

1.3 Methods Used

The project analyses several white papers and breaches faced by organizations. The papers analyzed are from ‘Ponemon Institute’ and ‘Verizon Data Breach Investigation Report’. There are several critiques on the cost of data breaches on the reports by these two organizations one such example is from Microsoft [1]. This project does not consider the actual cost reported by the surveys of Ponemon and Verizon. The survey’s have less samples of data breach incidents that’s why the average cost of data breach might be too high however, larger samples might bring the average cost of data breach. As it is not feasible to conduct such kind of survey, this project uses the surveys for reference only.

The project intends to find the main types of data breaches and the tools and techniques used by attackers. The project also analyses existing security mechanisms and explains why an extra layer of protection is required to prevent data loss in an event of a data breach.

Chapter 5 is based on analyzing and understanding how a Data Loss Prevention tool works. This project will study the Symantec Data Loss Prevention tool for this; I will get the technical training and guidance on how Symantec DLP works from a Symantec employee. The contact details of the Symantec employee are-

Name: Jatinder Tanothra


Mobile Number: +91-9860549246

The next chapter discusses about the types of data breaches and the tools and techniques used by attackers to steal data.

Chapter 2 Causes of Data Breach


Organizations dealing with intellectual property, trade secrets, proprietary data, and customer data are at a high risk of a data breach. Organizations have complex IT environments such as dealing with suppliers and vendors, business processes outsourced to service providers and corporate users getting more mobile by using smart phones for corporate work. Data breaches have been successful despite having several security tools and techniques. Companies falling prey to a data breach hit the news headlines every now and then. The reason for a data breach does not have to be always a malicious or cyber attack. This chapter will discuss the types and causes of data breaches.

2.1 Types of data breaches

According to a survey by Verizon Business Risk Team and Open Security Foundation, the three main sources of data breaches are [2].

- Well-meaning insider or Benevolent Insider
- Malicious Insider
- Malicious Outsider or Targeted attacks

Most of the data breaches were a combination of the above three causes. The following sections will discuss the causes of data breaches with some examples of each.

2.1.1 Well-meaning insider or Benevolent Insider

A well-meaning or benevolent insider is an employee who has legitimate access to the network who inadvertently violates data security policies that causes a data breach. A well-meaning insider does not have malicious intents however, unwittingly exposes the company data to risk failing to adhere security policies. [3]

Some examples of a well-meaning insider data breaches are-

I. Data on Endpoint Devices: End users copy sensitive information unknowingly on their laptops, desktops and mobiles. Un-patched and unprotected endpoint devices like desktops and servers that contain unencrypted files
II. Lost or stolen devices and improper disposal of devices and documents: Employee loses an unencrypted USB drive or laptop or mobile phone that has sensitive information on it. It administrators fail to comply IT security policy to dispose end-of-life equipments such as Servers, Desktops, Laptops and Backup Tape Drives. Employees often print product design, customer list and intellectual property information. Employees often lose documents or do not shred the document before disposing it after it is used
III. Removable devices, email and web mail: An employee may be a target of a social engineering attack; an employee may open an email with malicious code or attachment. Sometimes employees transfer work related files to their personal email and then they download the files at home to work over the weekend. The home computer might not have enough security techniques. The home computer might have P2P torrent software that uploads user files without the user’s knowledge
IV. Third party or vendor data loss incidents: A business partner might accidentally send an email to a wrong person because of the Outlook auto-fill feature. The risk of a data breach increases when a business has to rely on third party vendors for supply chain management and other activities and when vendors fail to enforce security policies
V. Business process automation and business process outsourcing: An outdated business process might grant access rights to a non-privileged employee leading to a data breach. Businesses have outsourced business process to service providers. In the past few years there have been incidents where Indian call centre employee working as a customer service agent had access to customer data. The call centre employee used the customer’s credit card information for their personal shopping.

2.1.2 Malicious Insider

Malicious insiders are users that have legitimate access to the network with malicious intentions to steal sensitive information for monetary gains. Malicious insiders can be End-users, IT administrators, part time and contract employees. IT administrators have higher privileges which often tempts them to access unauthorized data which leads to an abuse to the system. Malicious insiders can be mainly divided in four groups.

I. White collar crime: A white collar crime is non-violent crime committed for monetary gains by a person who has a respected status. Employees, who have privileged access to internal systems, knowingly abuse their privileges to steal data. The employee may sell the data as part of an identity theft ring
II. Terminated or disgruntled employees: We often hear that employees are terminated or laid-off during economic crisis. The employee is notified before the employee’s Active directory and exchange account are disabled. The terminated employee sends files to their personal email address or copy it to the pen drives. Employees who don’t get a good or expected salary hike in the annual appraisal cycle often tend to copy the information to pen drives or send it to their personal email before they switch to some other organization
III. Building career with company data: Employees often copy their work related data to their personal computers as a reference of their work to use it in the future. While the intentions of the employee are not malicious, the employee’s home computer might be infected by a malware which exposes the data to a potential data breach
IV. Industrial or Corporate Espionage: In today’s competitive world, information is the heart of innovation and success. An unhappy or underperforming employee may send sensitive information to the competitor.

2.1.3 Malicious Outsider or Targeted attacks

Malicious Outsider or Targeted attacks are carried out by hackers or cyber criminals against specific organisations. The victims of targeted attacks are like government organisations, financial institution and any other organisation that deals with sensitive information which when hacked can have monetary gains. These kinds of attacks are very difficult to detect, it requires special tools and techniques in place to detect targeted attacks. According to the Verizon’s Data Breach Investigations Report, these kind of attacks are the most difficult to investigate and they cost more than the other type of breaches.

Most of the targeted attacks are carried out in four phases as shown in the below picture.

Abbildung in dieser Leseprobe nicht enthalten

Figure 1 Four phases of a targeted attack [3]

1. Incursion: In the first phase, hacker’s gain access to the network of the targeted organisation by means such as malwares or default password, exploiting system vulnerabilities, SQL Injection.
2. Discovery: Once the hacker gets access of the targeted organisations network, the hacker scans for other systems in the organisation. The hacker can scan the confidential data.
3. Capture: Hackers access unprotected or unencrypted data from end user computers or servers. Hackers can also install tools like root kits to capture the information while it is flowing in the network.
4. Exfiltrate: In this phase, the data is exfiltrated to the hacker in clear or by other sources like email, zip files with password protection, ftp sites and encrypted packets.

The below picture shows the distribution of data breaches by types from 2004 to 2011.

Abbildung in dieser Leseprobe nicht enthalten

Figure 2 Comparison of 'Types of breaches' from 2004 to 2011 [4]

Clearly the external breaches which involve malicious attacks such as hackers and cyber criminals top the charts consistently, followed by the internal breaches which include malicious insiders and well-meaning insiders.

2.2 Tools and techniques used by Malicious Outsiders or Hackers

Below are some of the types of malicious outsider attacks-

I. Malware (Backdoors, Command and Control) [5] [6]: Malware is malicious software that is designed to provide remote access to the hacker. A malware bypasses normal authentication and security measures on a system and communicates covertly with the hacker. RAT’s (Remote Access Tools) are popular forms of malware that are capable of using secret internet chat rely. Once a hacker manages to compromise a computer using a RAT, the hacker can copy data from the user’s computer without the user’s knowledge. There are RAT distribution kit’s that is capable of creating a malware of your choice and the malware can then be distributed. The below picture shows a Remote Access Tool and some of the capabilities of the tool. For example, the tool can gain remote access to the infected computer.

Abbildung in dieser Leseprobe nicht enthalten

Figure 3 A Remote Access Tool displaying various options available for a remote hacker

II. Spyware (Key logger or Form-grabber) [7]: Spyware’s are malicious software that is installed by disguise or by exploiting vulnerabilities. Spywares are hidden from the user and they are difficult to detect. A spyware such as a key logger is designed to secretly listen to keyboard keystrokes while the user types. A form-grabber is a spyware that captures user sensitive data such as username and password or credit card number details. Both the type of spywares are installed

III. SQL injection [8]: SQL injection is a technique that exploits a security vulnerability of web applications. This is done by injecting SQL statements to web form fields or the web address. The vulnerability is exploited when the user input is not filtered for string literal escape characters that get embedded in the SQL command. Such commands can dump information such as credit card numbers, username & password, Social Security Number, etc. This kind of attack can be used to exploit any database that uses SQL. According to ‘The Open Web Application Security Project’ (OWASP) SQL injection attacks has been in the top 10 for several years.

An example of a SQL injection statement is explained below:

Consider a webform that accepts username and password for login. The web page will create a SQL command as below-

Statement = "SELECT * FROM users WHERE name = '" + userName + "';"

‘UserName’ is a variable that accepts user input from a text box in a web page. Typical malicious users can type-

' or '1'='1' --’

The below statement is constructed as a result of such kind of a malicious input-

SELECT * FROM users WHERE name = '' OR '1'='1' -- ';

The ' -- '; instruct to truncate anything after it. The '1'='1' creates a ‘True’ condition for the ' OR ' operator which makes the SQL statement true thus allowing the user access to the web site.

IV. System Vulnerabilities [9]: System vulnerability is a software weakness or software bug, which when exploited by a hacker could give access to the system by bypassing the normal authentication process of the system. Once an attacker manages to exploit vulnerability and gain ‘administrative’ access or ‘SYSTEM’ access, the attacker can scan for sensitive information and can also compromise other systems in the network. The attackers can exfiltrate data via email or to an ftp server. There are several causes for vulnerabilities. Some of them are-

Complexity: As the systems grow bigger, the complexity rises, the complexity also rises when a system has to be integrated with some other system.

Operating System design flaws: Operating System design flaws are due to improper implementation of the architecture. For example, Microsoft did not implement the proposed X86 four ring security architecture in windows operating system. Windows uses only two rings out of the proposed four rings. Security was not considered seriously by leading technology vendors. The implications of poor implementation are leading to system vulnerabilities that allow attackers to gain higher privileges.

V. Cross Site Scripting [10]: Cross site scripting is one of the top 10 security attacks listed by OWASP. It is a type of vulnerability found in web applications which allows the attacker to bypass the normal authentication process.

VI. Social Engineering and phishing [11]: Social engineering are targeted attacks towards organisations or individuals. The attacker gathers information about the victim before launching the attack or might have information of victims. For example, an attacker might have email addresses of customer of a bank. The attacker then sends an email that looks as if it the bank sent it to the users. The email asks the users to update their personal information and login details. Once the victim opens the email, the victim believes it to be from the bank. When the victim opens the web page, it looks like the bank’s web page and enters personal information and login details. The attacker gets the details of the victims. Another form of phishing attack is carried out in festive seasons such as Christmas, New Year or Olympics. The attacker sends an email with a malicious attachment. The subject of the email looks appealing and tempts the victim to open the email and the attachment. Once the victim opens the attachment, the malicious code installs a malware silently without the user’s knowledge. The attacker can gather user sensitive information and even copy user data without the user’s knowledge.


Excerpt out of 43 pages


Causes of Data Breaches and Preventive Measures. Data Loss Prevention
Royal Holloway, University of London
M.Sc. Information Security
Catalog Number
ISBN (eBook)
ISBN (Book)
File size
1784 KB
causes, data, breaches, preventive, measures, loss, prevention, internal, watchdog
Quote paper
Vikas Rajole (Author), 2012, Causes of Data Breaches and Preventive Measures. Data Loss Prevention, Munich, GRIN Verlag,


  • No comments yet.
Read the ebook
Title: Causes of Data Breaches and Preventive Measures. Data Loss Prevention

Upload papers

Your term paper / thesis:

- Publication as eBook and book
- High royalties for the sales
- Completely free - with ISBN
- It only takes five minutes
- Every paper finds readers

Publish now - it's free