Using DLP to Protect Credit Card Data - Part 1

Discusses how to protect credit card information using DLP in your FTP server.

Overview

A large share of all data security breach incidents involve non-malicious company insiders. In fact, Ponemon's "2013 Cost of Data Breach Study: Global Analysis" revealed that an astounding 35% of data security breaches in 2012 were simply caused by negligent employees or contractors. In a file transfer server, where multiple users can share a single folder, such incidents can easily happen.


One class of information that's been getting a lot of attention from company infosec officers these days is that which involves credit card data. It's mostly in response to company efforts to comply with PCI-DSS standards. So in this post, we're going to focus on secure file transfers involving credit card information.


We'll tackle the importance of detecting credit card information using the Data Loss Prevention (DLP) module in JSCAPE MFT Server, how to apply DLP to a group, and how to configure certain countermeasures that would activate once credit card information is detected.

Accidental data breaches happen all the time

Let me ask you this. How would you facilitate collaboration among team members using a file transfer server? One way would be to create a group (of course, assuming your server supports this feature), assign a folder/directory to it, and then add the user accounts of those team members to that group.

That way, if a team member would like to share a file with other members, he would simply have to upload the file to the shared folder. Other members would then be able to download the file from there.

But while this is a convenient way of sharing files, this arrangement is also accompanied by certain vulnerabilities. What if one team member inadvertently uploads sensitive information like, say, credit card numbers, onto the shared folder? You think that sounds crazy? Well, certainly not even half as crazy as these:

  • In 2010, the Mississippi National Guard accidentally posted personal information (including SSNs, names, cell phone numbers, etc.) of 3,000 members on a SharePoint website;

  • In 2011, the New York Yankees accidentally sent out emails containing personal customer data of approximately 18,000 ticket holders; and

  • Also in 2011, the Texas Comptroller's office exposed personal information of 3.5 million citizens when they accidentally placed the information on a publicly accessible server.

Nowadays, when sharing even large volumes of information can be accomplished by just a few clicks, accidental data breaches can easily happen. While it would be impossible to totally avoid such incidents, you can certainly minimize the risks involved.

Importance of detecting credit card information using DLP

Before you can start protecting sensitive data in a server's shared folder, you have to detect it first. Doing that manually would be very tedious and time-consuming. But that won't be necessary if you're using JSCAPE MFT Server.

JSCAPE's managed file transfer server has a Data Loss Prevention (DLP) feature that can automatically detect strings of text that match whatever regular expression you specify. If you're not familiar with regular expressions (or regexes), a good place to start would be our post entitled Using Regular Expressions in Triggers.

In the brief how-to we're about to show you, we're going to employ a set of regular expressions, known as DLP rules, to detect credit card numbers buried inside files. We will then apply those regexes on a group folder, so that any file uploaded to that folder gets subjected to these DLP rules.

These rules are already included when you install JSCAPE MFT Server, so we don't have to create them from scratch. If you want a deeper understanding of the various characters that make up these DLP rules, you may read the article Exploring Regular Expressions in DLP.
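To show what a regex-based DLP rule actually does to an uploaded file, here is an added example (not JSCAPE's code, and not its bundled rules): the brand patterns and the sample "upload" are constructed for this post, and it goes one step beyond the page by filtering regex hits through a Luhn checksum so a random 16-digit order number does not trigger a "deny all" decision.

```python
import re
from dataclasses import dataclass

# Constructed brand patterns (assumed for this example, not JSCAPE's built-in rules).
# Digit groups may be separated by a space or dash, as they often are in documents.
SEP = r"[ -]?"
DLP_RULES = {
    "MasterCard": re.compile(r"\b5[1-5]\d{2}" + SEP + r"\d{4}" + SEP + r"\d{4}" + SEP + r"\d{4}\b"),
    "Visa": re.compile(r"\b4\d{3}" + SEP + r"\d{4}" + SEP + r"\d{4}" + SEP + r"\d{4}\b"),
    "American Express": re.compile(r"\b3[47]\d{2}" + SEP + r"\d{6}" + SEP + r"\d{5}\b"),
}

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every real card number passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

@dataclass
class Match:
    rule: str
    masked: str   # never log the full PAN; keep only the last four digits

def scan_text(text: str, rules=DLP_RULES) -> list[Match]:
    """Apply each DLP rule to the file content and keep only Luhn-valid hits."""
    found = []
    for name, pattern in rules.items():
        for m in pattern.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                found.append(Match(name, "*" * (len(digits) - 4) + digits[-4:]))
    return found

def access_decision(text: str) -> str:
    """Model the 'deny all' access level from the post: any match blocks retrieval."""
    return "deny" if scan_text(text) else "allow"

# Constructed sample upload using public test card numbers, not real cardholder data.
SAMPLE_UPLOAD = (
    "Customer list (constructed sample)\n"
    "Bruce, card 5555 5555 5555 4444, exp 12/27\n"
    "Clark, card 4111-1111-1111-1111\n"
    "Peter, card 5555555555554445 (typo: fails Luhn, so not flagged)\n"
    "Order reference 1234567890123456\n"
)

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_UPLOAD):
        print(hit.rule, hit.masked)
    print("decision:", access_decision(SAMPLE_UPLOAD))
```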

We can't cover everything in one post, so we'll have to assume you've already created a group and assigned user accounts to it.

In our case, we have created a group named Super Users, consisting of the following members or user accounts: Bruce, Clark, and Peter.


When any of these three users log in through their respective file transfer clients, they'll be able to access both their own personal folders and their group's folder. So if, say, Peter logs in, he won't be able to see Clark's and Bruce's user account folders. However, he'll be able to see and access his own folder AND the shared folder "superusers".

Subsequently, any file Peter uploads to the "superusers" folder will be accessible to both Clark and Bruce. So again, if Peter accidentally uploads a file containing credit card numbers to that folder and Clark or Bruce ends up downloading that same file, it may result in a nasty data breach.

So now, let me show you how to apply DLP rules to this group folder.

How to apply DLP to a group

To start, go to the Groups node, select the group in question (e.g. Super Users), and then click the Edit button.


Next, select the group's path that you want to apply the DLP rule to and then click Edit.


Tick the Enable DLP check box and click Settings.


Click the Add button to add a DLP rule.


Select a DLP rule from the drop-down list (e.g. MasterCard). Also select the level of Access that would be implemented should a match for this DLP rule be found. Let's say you're ultra-paranoid, and prefer "deny all".

Make sure the Enabled check box is ticked. Click OK when done.


That DLP rule will then be added to the list of rules for that virtual path.

You may add some more DLP rules. In a real-world scenario, you'll want to add the DLP rules for the other credit cards (American Express, Diners Club, Visa, etc.). But for this demo, let's just apply one.

Click OK.


Click OK to close the Edit Virtual Path dialog box.


Click OK to close the Edit User Group dialog box.


You're now done applying DLP on your group folder. At this point, any attempt to retrieve files from the group folder containing content that matches the DLP rules will be denied.

In Part 2 of this 3-part series, we will discuss how you can be notified when users attempt to download data matching DLP rules and how you can respond to these types of events.

Get Started Now

Would you like to try an FTP server that allows you to add DLP rules? Try the free, fully-functional evaluation edition of JSCAPE MFT Server. It supports FTP, FTPS, SFTP, WebDAV, OFTP, AS2, HTTP, HTTPS, and other file transfer protocols.
