If you’re planning on taking the Security+ or the CASP exams you should have a basic understanding of data loss protection (DLP). Note that this is sometimes referred to as data loss prevention.
For example, can you answer this question:
Q. Management within your organization wants to limit documents copied to USB flash drives. Which of the following can be used to meet this goal?
A. DLP
B. Content filtering
C. IPS
D. Logging
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are at the end of this post.
A significant danger with data comes from data leakage. Just as a leak in one of your car’s tires can let air out, leaving you with a flat tire, data can leak out of a company, leaving the company with flat financial performance. Worse, the data leakage can result in losses, reversing the company’s profits.
Data Loss Prevention
Data loss prevention (DLP) techniques examine and inspect data looking for unauthorized data transmissions. You may also see this term as data leak prevention. A DLP system can be network-based to inspect data in motion, storage-based to inspect data at rest, or endpoint-based to inspect data in use. In some scenarios, the DLP control prevents losses by restricting the use of hardware.
Network-based DLP
A network-based DLP monitors outgoing data, looking for sensitive data specified by an administrator.
DLPs will scan the text of all emails and the content of any attached files, including documents, spreadsheets, presentations, and databases. Even if a user compresses a file as a Zip file before sending it, the DLP examines the contents by simply unzipping it.
As an example, I know of one organization that routinely scans all outgoing emails looking for Personally Identifiable Information (PII), such as Social Security numbers.
The network-based DLP includes a mask to identify Social Security numbers as a string of numbers in the following format: ###-##-####. If an email or an attachment includes this string of numbers, the DLP detects it, blocks the email, and sends an alert to a security administrator.
Scanning for Data Labels
Many organizations classify and label data using terms such as Classified, Confidential, Private, and Sensitive. It is easy to add these labels, or any other terms the organization considers important, as search terms in the DLP application.
Network-based DLPs are not limited to scanning only email. Many can scan the content of other traffic, such as FTP and HTTP traffic.
DLP and Endpoint Protection
Another method of preventing data loss is restricting the use of hardware at the computer (endpoint). This includes prohibiting the use of portable devices such as USB flash drives or preventing certain content from being printed.
Portable storage devices are any storage systems that you can attach to a computer to copy data easily. This primarily refers to USB hard drives and USB flash drives, but many personal music devices, such as MP3 players, use the same type of flash memory as a USB flash drive. Users can plug them into a system and easily copy data to and from it. Additionally, many of today’s smartphones include storage capabilities using the same type of memory.
USB drives represent significant risks to an organization. They can transport malware without the user’s knowledge and can be a source of data leakage. Malicious users can copy and steal a significant amount of information using an easily concealable thumb drive. Users can misplace these drives, and the data can easily fall into the wrong hands.
Because of the risks, it’s common for an organization to include security policy statements to prohibit the use of USB flash drives and other mobile storage devices. Some technical policies block use of USB drives completely.
A DLP solution is more selective: it can prevent a user from copying or printing files with specific content. For example, it’s possible to configure a DLP solution to prevent users from copying or printing any classified documents marked with a label of Confidential. The DLP software scans all documents sent to the printer, and if a document contains the label, the DLP software blocks it from reaching the printer.
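The following is an added example, not code from the original post or from any DLP product, that ties together the network-based section (scanning outgoing email, unzipping attachments, matching the ###-##-#### Social Security number mask and classification labels) and the endpoint section (blocking copies to USB drives and print jobs that carry a label). The same content inspector serves every channel; only the policy differs. The channel names, the policy table and the sample files are constructed assumptions. It also redacts matched SSNs before they reach an alert, so the DLP log itself does not become a second source of leakage.

```python
import io
import re
import zipfile

# Added example: a minimal content-inspection core shared by a network-based
# channel ("email") and endpoint channels ("usb_copy", "print"). Not vendor code.

# Mask for US Social Security numbers in the ###-##-#### form described in the post.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Classification labels the organization has chosen to flag (whole words only).
LABELS = ("Classified", "Confidential", "Private", "Sensitive")
LABEL_PATTERN = re.compile(r"\b(" + "|".join(LABELS) + r")\b", re.IGNORECASE)

# Assumed policy (hypothetical values): which finding kinds block each channel.
# "uninspectable" covers archives the inspector refuses to open fully.
POLICY = {
    "email":      {"ssn", "label", "uninspectable"},  # network-based DLP on outgoing mail
    "usb_copy":   {"ssn", "label", "uninspectable"},  # endpoint DLP on removable media
    "print":      {"label"},                           # endpoint DLP on the print path
    "local_disk": set(),                               # internal storage is unrestricted
}

MAX_ARCHIVE_DEPTH = 3          # guard against deeply nested archives
MAX_MEMBER_BYTES = 5_000_000   # guard against decompression bombs


def inspect_bytes(name, data, depth=0):
    """Return a list of (kind, location, match) findings for one file.

    Zip archives are opened in memory and each member is inspected in turn,
    so compressing a spreadsheet before sending it does not hide its contents.
    """
    findings = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_ARCHIVE_DEPTH:
            return [("uninspectable", name, "nested too deeply")]
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(("uninspectable", member, "member too large"))
                    continue
                findings.extend(inspect_bytes(member, zf.read(info), depth + 1))
        return findings
    text = data.decode("utf-8", errors="ignore")  # treat the payload as text
    for m in SSN_PATTERN.finditer(text):
        findings.append(("ssn", name, m.group(0)))
    for m in LABEL_PATTERN.finditer(text):
        findings.append(("label", name, m.group(0)))
    return findings


def evaluate(channel, files):
    """Apply the channel's policy to a dict of file name -> bytes.

    Returns ("block" | "allow", findings). A single blocking finding is enough.
    """
    blocking = POLICY[channel]
    findings = []
    for name, data in files.items():
        findings.extend(inspect_bytes(name, data))
    decision = "block" if any(kind in blocking for kind, _, _ in findings) else "allow"
    return decision, findings


def redact(match):
    """Keep only the last four digits of an SSN when it is written to an alert."""
    return "***-**-" + match[-4:] if SSN_PATTERN.fullmatch(match) else match


def alert_lines(channel, findings):
    """Render findings as the lines an administrator alert would carry."""
    return [f"DLP {channel}: {kind} in {loc} ({redact(m)})" for kind, loc, m in findings]


def demo_files():
    """Constructed sample: a zipped CSV holding an SSN, a labelled memo, and a harmless note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payroll.csv", "name,ssn\nAlice Example,123-45-6789\n")
    return {
        "archive.zip": buf.getvalue(),
        "memo.txt": b"Internal only. Classification: Confidential.\n",
        "notes.txt": b"Lunch at noon, ticket 555-1234.\n",  # not an SSN, not a label
    }


if __name__ == "__main__":
    sample = demo_files()
    for chan in POLICY:
        decision, found = evaluate(chan, sample)
        print(chan, decision)
        for line in alert_lines(chan, found):
            print("  ", line)
```

Running it shows the same three files blocked on the email and usb_copy channels (SSN inside the zip plus the Confidential label), blocked on print because of the label alone, and allowed on local_disk. The word "Classification" in the memo does not trigger the label rule because the pattern matches whole words only, and "555-1234" does not match the SSN mask; both are the kind of false positive a practitioner would check for before deploying a mask.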
Remember this
A network-based data loss prevention (DLP) system can examine and analyze network traffic. It can detect if confidential company data or any PII data is included in email and reduce the risk of internal users emailing sensitive data outside the organization. Similarly, endpoint DLP solutions can prevent users from copying or printing sensitive data.
Q. Management within your organization wants to limit documents copied to USB flash drives. Which of the following can be used to meet this goal?
A. DLP
B. Content filtering
C. IPS
D. Logging
A is correct. A data loss prevention (DLP) solution can limit documents copied to a USB drive using content filters.
Many devices, such as unified threat management (UTM) devices, use content filters, so content filtering alone won’t limit copies sent to a flash drive.
An intrusion prevention system (IPS) scans traffic coming into a network to block attacks.
Logging can record what documents were copied, but it won’t limit copying.