If you’re planning to take the SY0-501 version of the Security+ exam, you should have a basic understanding of installing and configuring network components, both hardware- and software-based, to support organizational security. This includes using techniques and technologies to prevent data loss.
For example, can you answer this practice test question?
Q. Management within your organization wants to prevent users from copying documents to USB flash drives. Which of the following can be used to meet this goal?
A. DLP
B. HSM
C. COPE
D. SED
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Organizations often use data loss prevention (DLP) techniques and technologies to prevent data loss. They can block the use of USB flash drives and control the use of removable media. They can also examine outgoing data and detect many types of unauthorized data transfers.
Removable Media
Removable media refers to any storage device that you can attach to a computer and easily copy data to or from. It primarily refers to USB hard drives and USB flash drives, but many personal music devices, such as MP3 players, use the same type of flash memory as a USB flash drive. Users can plug them into a system and easily copy data to and from that system. Additionally, many of today’s smartphones include storage capabilities using the same type of memory.
It’s common for an organization to include security policy statements to prohibit the use of USB flash drives and other removable media. Some technical policies block use of USB drives completely.
A DLP solution is more selective: it can prevent a user from copying or printing files with specific content. For example, it’s possible to configure a DLP solution to prevent users from copying or printing any classified documents marked with a label of Confidential. The DLP software scans all documents sent to the printer, and if a document contains the label, the DLP software blocks it from reaching the printer.
In addition to blocking the transfer, a DLP solution will typically log these events. Some DLP solutions will also alert security administrators of the event. Depending on the organization’s policy, personnel may be disciplined for unauthorized attempts to copy or print files.
Data Exfiltration
Data exfiltration is the unauthorized transfer of data outside an organization and is a significant concern. In some cases, attackers take control of systems and transfer data outside an organization using malware. It’s also possible for malicious insiders to transfer data.
Chapter 3 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide discusses different types of content filters used in unified threat management (UTM) devices. These devices monitor incoming data streams looking for malicious code. In contrast, a network-based DLP monitors outgoing data looking for sensitive data, specified by an administrator.
DLP systems can scan the text of all emails and the content of any attached files, including documents, spreadsheets, presentations, and databases. Even if a user compresses a file as a zipped file before sending it, the DLP examines the contents by simply unzipping it.
As an example, I know of one organization that routinely scans all outgoing emails looking for Personally Identifiable Information (PII), such as Social Security numbers. The network-based DLP includes a mask to identify Social Security numbers as a string of numbers in the following format: ###-##-####. If an email or an attachment includes this string of numbers, the DLP detects it, blocks the email, and sends an alert to a security administrator.
Many organizations classify and label data using terms such as Confidential, Private, and Proprietary. It is easy to include these search terms in the DLP application, or any other terms considered important by the organization.
Network-based DLP systems are not limited to scanning only email. Many can scan the content of other traffic, such as FTP and HTTP traffic. Sophisticated data exfiltration attacks often encrypt data before sending it out, making it more difficult for a DLP system to inspect the data. However, a DLP system can typically be configured to look for outgoing encrypted data and alert security administrators when it is detected.
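The content-inspection logic described above (the ###-##-#### Social Security number mask, the classification labels, and unzipping an attachment before scanning it) as an added example; this is illustrative code written for this post, not any vendor's DLP product. The pattern list, the label names and the sample email are constructed assumptions.

```python
import io
import re
import zipfile

# Constructed rules modelled on the post: an SSN mask of ###-##-#### and the
# classification labels the organization considers sensitive (assumed values).
SSN_MASK = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
LABEL_MASK = re.compile(r"\b(Confidential|Private|Proprietary)\b")


def scan_text(text):
    """Return a list of (rule, match) findings for one piece of text."""
    findings = [("ssn", m.group(0)) for m in SSN_MASK.finditer(text)]
    findings += [("label", m.group(0)) for m in LABEL_MASK.finditer(text)]
    return findings


def scan_attachment(name, data):
    """Scan one attachment; a zip archive is expanded and every member scanned."""
    if name.lower().endswith(".zip"):
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                inner = zf.read(member).decode("utf-8", errors="replace")
                findings += [(f"{name}/{member}", r, h) for r, h in scan_text(inner)]
        return findings
    text = data.decode("utf-8", errors="replace")
    return [(name, r, h) for r, h in scan_text(text)]


def inspect_email(body, attachments):
    """Decide what to do with an outgoing email. attachments: {filename: bytes}.
    Any finding blocks the email and raises an alert, as the post describes."""
    findings = [("body", r, h) for r, h in scan_text(body)]
    for name, data in attachments.items():
        findings += scan_attachment(name, data)
    action = "block_and_alert" if findings else "allow"
    return action, findings


def _build_zip(files):
    """Helper to construct a zip attachment in memory for the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: an SSN hidden inside a zipped spreadsheet export.
SAMPLE_ATTACHMENTS = {"report.zip": _build_zip({"export.csv": "name,ssn\nAlice,123-45-6789\n"})}
SAMPLE_ACTION, SAMPLE_FINDINGS = inspect_email("Quarterly numbers attached.", SAMPLE_ATTACHMENTS)
```

Real products add many more detectors (checksum validation for identifiers, proximity to keywords, file-type parsers for office formats) to cut false positives; the point here is that the archive is opened before matching, so zipping does not hide the content.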
Cloud-Based DLP
It’s common for personnel within organizations to store data in the cloud. This makes it easier to access the data from any location and from almost any device. Cloud-based DLP solutions allow an organization to implement policies for data stored in the cloud.
As an example, an organization can implement policies to detect Personally Identifiable Information (PII) or Protected Health Information (PHI) stored in the cloud. After detecting the data, a DLP policy can be configured to take one or more actions such as sending an alert to a security administrator, blocking any attempts to save the data in the cloud, and quarantining the data.
Q. Management within your organization wants to prevent users from copying documents to USB flash drives. Which of the following can be used to meet this goal?
A. DLP
B. HSM
C. COPE
D. SED
Answer is A. A data loss prevention (DLP) solution can prevent users from copying documents to a USB drive.
None of the other answers control USB drives.
A hardware security module (HSM) is an external security device used to manage, generate, and securely store cryptographic keys.
COPE (corporate-owned, personally enabled) is a mobile device deployment model.
A self-encrypting drive (SED) includes the hardware and software to encrypt all data on the drive and securely store the encryption keys.
See Chapter 5 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on deploying mobile devices securely.