Archive for March, 2010

RegExs – How TMC Can Protect Vulnerable PII

Wednesday, March 24th, 2010

Regular Expressions or (RegEx’s) are alphanumeric grouping of characters that have a specific pattern (and relevance or meaning to an application, entity or consumer). Many programming languages have built in regular expression engines to allow the parsing of data to find these patterns. Let’s take a look at a quick example.

Many security standards emerging or present in today’s market focus on the protection of PII (Personally Identifiable Information). Items such as national identification numbers (such as the US Social Security Number or the UK’s National Health Service Number) are government issued identification cards used for everything from tracking employment to assuring healthcare for its citizens. In addition, privately issued items like credit cards and university student ID numbers are also the focus of predatory attacks (if you’re curious, browse for examples of theft as well as the potential impact to corporations, governments and private citizens).The Data Breach Blog

The emergence of global security standards like PCI DSS in financial markets as well as government driven legislation (like the recently announced HITECH Act in the United States as well as privacy/security legislation developed by the European Union) have created the following requirements:

  • Requirements to monitor requests for and the ongoing protection of PII
  • Financial and punitive penalties for offending organizations who disclose PII

Obviously, this impacts a range of business markets, multiple levels of government as well as the consumer. It makes sense that there exists greater willingness to work with a company or provider that takes the PII threat seriously and have policies and systems in place to minimize the threat of information loss.

As part of our Message Classification for Outlook product, customers can now define not only keywords but use pre-defined or built-in regular expressions TMC’s Content Validation policy provides capabilities to search for specific regular expressions and warn the customer of their presence in the email message or an attachment.To check emails and attachments for regular expressions, the TMC Administrator creates a Content Validation policy and defines whether they wish to check for keywords, regular expressions or both. Several regular expressions are pre-defined, and customers can build their own regular expressions if they wish (for a good reference, see the fantastic regular expression cheat sheet developed by Dave Child here).

Now, let’s move back to what the consumer experience is like. In the following scenario, an employee unknowingly attaches a Microsoft Office document which contains Social Security Number information, clicks Send, and classifies the email as Public. The Content Validation policy finds the SSN in the Word document and notifies the sender of the issue.

TMC provides customers several strong benefits for organizations concerned with PII protection:

  1. Immediate analysis (warnings are presented to the user at the same time the email is sent vs. feedback from a quarantine mailbox)
  2. Feedback to the consumer can be customized (the TMC Administrator can create information messages indicating why the error occurred as well as steps to be taken to rectify the problem)
  3. Adaptable controls (the TMC Administrator can simply warn the user of the issue but give them final decision on delivery or prevent sending the message until the sensitive content is removed from the message body or attachment.
  4. Monitored – all policy events in TMC are written to the Windows Event Log (which can be parsed for reporting to identify common errors (resulting in guidance on where employees may need training or policies may need to be refined.

I would be happy to receive feedback on regular expressions you would like to see added to the product. Please feel free to contact me at

-Stephen Kingston

Email Data Loss Prevention and the Windows Server 2008 R2 File Classification Infrastructure

Tuesday, March 2nd, 2010

This is a copy of a blog I wrote jointly with Microsoft. It can be viewed on the Microsoft Windows Server WebLog at

There has been a lot of talk lately about data breaches costing organizations millions of dollars in fines or lawsuits not to mention the bad publicity and other intangible losses. Data Loss Prevention products are being deployed to try to help organizations minimize these types of incidents. Information classification can be used to prevent data breaches and help organizations with compliance requirements such as PCI, HIIPA, ISO 27001, the Massachusetts Data Protection Law 201 and other similar legislation.

The new File Classification Infrastructure (FCI) in Microsoft Windows 2008 R2 enables organizations to protect data by automatically classifying files and applying policy. FCI includes the ability to define classification properties, automatically classify files based on location and content, and invoke file management tasks such as file expiration and custom commands based on classification. Once the files have been classified, appropriate security can be applied based on the business value of the information. For example, in a PCI environment, FCI based classification can be used to identify files that contain sensitive credit card information, and in a health care environment, FCI based classification can identify files with private health information. Once the files have been classified file management tasks can be used to segment sensitive files onto more secure storage devices, to protect files with encryption, and to assign more restrictive permissions to the files. This helps ensure that information stored on file servers is well secured.

Another concern is email. Email messages or email attachments are a security risk as email cannot easily be controlled. At Titus Labs we’ve extended classification and information protection to the Microsoft Outlook environment. Titus Labs Message Classification can recognize file attachments that have been classified using FCI.

The Titus Labs solution can examine the FCI classifications of Microsoft Office attachments, and can apply policy that can restrict the distribution of sensitive information. Titus Labs’ Safe Recipient policies can be used to:

1. Protect the distribution of email within an organization. By examining all the recipients of an email, the Titus Labs policy can verify via Active Directory whether the recipient is allowed to receive attachments of a given classification. This prevents inadvertent data loss by warning the user that one of the recipients should be removed. For example, in an internal scenario, a financial organization may want to ensure that an employee in corporate finance is restricted from sending files classified as MERGER / ACQUISITION to another employee working as a broker or trader.

2. Protect the distribution of email outside the organization. By examining the domain of each of the recipients, the Titus Labs policy can verify that the domain is listed as trusted in the policy and can warn the user of a possible data breach and warn them or force them to change the recipient list. In the following example, the sender has mistakenly selected the wrong Anne Hollingsworth at an external address. The sender receives a warning because the email contains an attachment that has been classified as CONFIDENTIAL / INTERNAL USE.

Invalid recipient is detected based on classification

This is an example of the power of classification to protect your sensitive information.