LeakedIn
Stories About Data Leaks and Related Stuff

Posts Tagged ‘Tools’

Your Data Loss Prevention Toolkit

Are you looking for information about DLP (“Data Loss Prevention/Protection”)?
Let’s start with the DLP Toolkit.

“Your kit includes five research reports, an interactive assessment tool, and a library of webcasts, providing direct insights into how your peers are overcoming security challenges on their way to success. Discover the strategies and initiatives that you can implement today to achieve Best-in-Class performance.”

I Scare Myself…

Working as a Security Consultant, I’m always on the road between several customers’ sites. Some customers allow limited access from remote locations to perform maintenance tasks or investigations via secure connections.

I always scare myself with how easy it is to send data outside of a security perimeter! But don’t shoot me:

  • I’m not trying to steal data or to send confidential data out onto the wild Internet;
  • I have permission to access the data;
  • When I need to grab data, it is always sent encrypted (the data itself or the connection).

A good example? When I’m asked to update an open ticket by sending information located on another site. I don’t “hack” the remote site; I always have at least one entry point (VPN, SSH tunnels, etc.). Once logged on to a server or appliance, I simply have to jump to another one. I can use SSH tunnels or any other remote control protocol. There are plenty of tools and ways to access the needed data.

It scares me: once successfully connected to a server, it should be a piece of cake for a “bad guy” to steal data in so many environments! And if it’s so easy, can you imagine what it’s like from the internal network? What’s your company’s point of view regarding data leaks? Prevention and awareness are the key words!

Google Introduces Some DLP Features in Apps

In 2007, Google acquired Postini, a global leader in on-demand communications security and compliance solutions. It looks like Google has introduced some nice features based on Postini technologies to prevent leakage of sensitive data.

Google Apps Premier is a full set of online collaboration tools (email, calendar, IM and office applications) offered to organizations. But many of them are still reluctant to “move into the cloud” (for excellent reasons that I fully understand).

Like in Gmail Premier, Google has introduced some features in Apps to increase the overall security:

  • Custom outbound mail filtering tools to prevent sensitive information from being distributed.
  • Custom information sharing rules to determine how broadly employees are allowed to share with Google Docs, Google Calendar and Google Sites.
  • Custom password length requirements and visual strength indicators to help employees pick secure passwords.
  • Enforced SSL connections with Google Apps to ensure secure HTTPS access.

This is of course very “light” and does not replace a true DLP solution, but it is a nice initiative. The goal is clear: attract more companies to cloud computing.

Source: google.com.

How to Detect Internal Information Leakage?

It’s a fact: today, many security incidents occur inside the security perimeter of companies and organizations. If perimeters are generally correctly protected, what about the internal side?

Let’s imagine the following scenario: Sandra works for a big hospital as a secretary. Her job requires access to a file share where patients’ medical records are stored. Once logged on to her workstation with her credentials, she has access to the file share and can read the data. Due to a recent divorce, Sandra has financial problems, and she received a proposal from a “cool” guy: make a copy of the medical records in exchange for some money. The temptation is too big and she starts copying all the medical records to her desktop.

From a technical point of view, the hospital applies the “least privilege” principle when granting access to employees: give each person access to the resources needed to perform his or her job, no more, no less. But least privilege only says who may read a record; it says nothing about how many records are read, or how fast. So how do we detect Sandra copying all of them?

Using behavioral monitoring, it’s possible to detect Sandra’s unusual behavior while she copies the data. The access grant itself (here, read access to the file share) cannot distinguish a secretary working through her files from a copy of every file, because both consist of the same permitted operations. But extra controls can be deployed:

Define a quota of operations

To process a patient file, Sandra needs about 10 minutes: she opens the file, updates the information, prints it and archives it. By limiting the number of operations per time period, we can slow down the leakage. This does not fully prevent the copy, but it greatly increases the time required to perform it, and it turns the copy into a visible series of quota violations. To achieve this, profiling Sandra’s job is a critical step: the quota must be derived from her normal working rhythm, otherwise it will either block her legitimate work or never fire.

Monitoring accesses to files

If Sandra starts copying files, chances are she will copy all of them in alphabetical order, the order in which a file browser or a copy command presents them. By monitoring access to files, a long run of reads in sorted order, far faster than anyone can actually process a record, can generate an alert.

Increased or unusual network traffic

By copying the data, Sandra’s workstation will generate a lot of traffic with the file server. This can also generate an alert. Network monitoring tools like Ntop can be diverted from their primary usage and help detect suspicious activities: Ntop can draw a network traffic matrix, which makes it easy to spot a huge or unusual amount of traffic between a workstation and the file share.

Suspicious account usage

If Sandra shared her credentials with the “bad guy”, alerts can be generated when the credentials are used from a different workstation (provided accounts and hosts are linked together). If she tries to access the file share during an unusual period of time, or if her session is much longer than expected, this can be flagged as suspicious activity.

To achieve behavioral monitoring like in the example above, specific tools are required and strong procedures must be defined. A SIEM (“Security Information and Event Management”) can be helpful to correlate the logs and events generated by all the components used by Sandra: the file server’s access audit, the network monitor and the authentication logs.
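The four controls above, turned into something a SIEM rule could run, as an added example that is not part of the original post. It works on a constructed file-share audit log in an assumed format (timestamp, user, workstation, action, path); the profile values (ten minutes per file, office hours, one bound workstation) and the thresholds are assumptions standing in for what profiling Sandra’s job would produce.

```python
"""Behavioural monitoring over a file-share audit log (added example).

Four checks from the Sandra scenario: an operation quota per time window,
alphabetical bulk-copy detection, account-to-workstation binding, and an
unusual-hours check. Log format and profile values are assumptions.
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log. Hypothetical format:
# <ISO timestamp> <user> <workstation> <action> <path>
# Morning: normal work, roughly one file every ten minutes.
# Evening: a bulk copy in alphabetical order, two seconds per file.
# Next day: Sandra's account used from a workstation she never uses.
SAMPLE_LOG = """\
2009-03-02T09:02:10 sandra WS-0042 READ /records/ADAMS_J.pdf
2009-03-02T09:12:33 sandra WS-0042 READ /records/MILLER_K.pdf
2009-03-02T09:25:01 sandra WS-0042 READ /records/BROWN_T.pdf
2009-03-02T22:31:00 sandra WS-0042 READ /records/ABBOTT_A.pdf
2009-03-02T22:31:02 sandra WS-0042 READ /records/ADAMS_J.pdf
2009-03-02T22:31:04 sandra WS-0042 READ /records/ALLEN_P.pdf
2009-03-02T22:31:06 sandra WS-0042 READ /records/BAKER_R.pdf
2009-03-02T22:31:08 sandra WS-0042 READ /records/BROWN_T.pdf
2009-03-02T22:31:10 sandra WS-0042 READ /records/CARTER_M.pdf
2009-03-02T22:31:12 sandra WS-0042 READ /records/DAVIS_L.pdf
2009-03-03T10:05:00 sandra WS-0117 READ /records/EVANS_S.pdf
"""

# Per-user profile built from observing normal work (assumed values).
PROFILES = {
    "sandra": {
        "hosts": {"WS-0042"},             # workstations bound to this account
        "hours": (8, 18),                 # normal activity between 08:00 and 18:00
        "window": timedelta(minutes=10),  # sliding window for the quota
        "max_ops": 5,                     # more operations per window is abnormal
        "run_len": 5,                     # this many files in order looks like a copy
    }
}


def parse_log(text):
    """Turn the raw log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, path = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action, "path": path})
    return events


def detect(events, profiles=PROFILES):
    """Return (kind, user, timestamp) alerts, one per kind, user and day."""
    alerts, seen = [], set()

    def fire(kind, ev):
        key = (kind, ev["user"], ev["ts"].date())
        if key not in seen:
            seen.add(key)
            alerts.append((kind, ev["user"], ev["ts"].isoformat()))

    recent = defaultdict(deque)  # user -> timestamps inside the current window
    run = defaultdict(list)      # user -> file names of the current ascending run
    last_ts = {}                 # user -> timestamp of the previous event

    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        prof = profiles.get(user)
        if prof is None:
            fire("unknown_user", ev)
            continue
        # Suspicious account usage: credentials used from an unbound host.
        if ev["host"] not in prof["hosts"]:
            fire("unknown_host", ev)
        # Unusual period of time.
        start, end = prof["hours"]
        if not start <= ts.hour < end:
            fire("off_hours", ev)
        window = prof["window"]
        # A pause longer than the window ends the current burst, so the
        # alphabetical check only looks at files read back to back.
        if user in last_ts and ts - last_ts[user] > window:
            run[user].clear()
        last_ts[user] = ts
        # Quota: every operation counts, inside a sliding window.
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > prof["max_ops"]:
            fire("quota", ev)
        # Alphabetical bulk copy: a long run of strictly increasing names.
        r, name = run[user], os.path.basename(ev["path"])
        if r and name <= r[-1]:
            r.clear()
        r.append(name)
        if len(r) >= prof["run_len"]:
            fire("sequential", ev)
    return alerts


if __name__ == "__main__":
    for kind, user, when in detect(parse_log(SAMPLE_LOG)):
        print(f"{when} {user}: {kind}")
```

On the sample log the morning reads produce nothing, the evening burst raises off_hours first, then sequential (fifth file in order) and quota (sixth read inside ten minutes), and the next-day logon from WS-0117 raises unknown_host. Alerts are deduplicated per kind, user and day so a single copy does not flood the console; the per-user profile is the part that actually takes work to get right.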

Other controls and solutions can be deployed to prevent information leakage. For critical operations, it’s a good practice to implement the principle of “separation of duties”: do not assign critical operations to only one person. Adding more people to the loop increases the chance that a problem is noticed. And finally, deploy countermeasures to prevent the stolen data from being sent outside the security perimeter.

As a conclusion, we can say: “Know your users!”

DropBox or Drop Your Security Policy?


The Internet is full of very useful free applications designed to help you in your daily life. Dropbox is a good example: it is software that synchronizes your files online and across computers. From the website: “Put your files into your Dropbox on one computer, and they’ll be instantly available on any of your other computers that you’ve installed Dropbox on (Windows, Mac, and Linux too!) Because a copy of your files are stored on Dropbox’s secure servers, you can also access them from any computer or mobile device using the Dropbox website.”
Sweet!

But what about confidential data? Dropbox announces on the website: “Nobody can see your private files in Dropbox unless you deliberately invite them or put them in your Public folder. Everything in your Public folder is, by definition, accessible to anyone. Otherwise, the only way to access the files in your Dropbox online is with your username and password.” Let’s assume that Dropbox is indeed safe. It’s tempting for a company employee to use Dropbox to transfer files between his office computer and a home computer, and from his point of view there are good reasons to do so (for example, working on a project during the weekend). Even if the file transfer is secured and the files are safely stored by Dropbox, the weak point is the employee’s home computer: it can be stolen, other people can access the sensitive files, and so on. And what about a major vulnerability affecting the Dropbox service? What if a user could access other users’ files?

From a networking point of view, Dropbox uses standard HTTP(S) traffic (ports 80 and 443), so it is easy to bypass local controls and send files outside the security perimeter. Once the software is installed, no specific network configuration is required: Dropbox works perfectly through proxies. Note that for the HTTPS part a proxy only sees the destination hostname of the CONNECT request, not the content, unless it intercepts TLS; the destination and the volume of traffic are therefore what any detection at the proxy has to work with.
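Since the traffic goes through the proxy, the proxy log is where such a transfer can be caught. As an added example (not from the original post), the script below runs two checks over a constructed proxy log in an assumed format (timestamp, client IP, method, destination host, bytes sent by the client): a blocklist of known file-sync domains, and a per-client outbound-volume threshold that also catches a service nobody has listed yet. The domain list, the internal suffix list, the 100 MB threshold and the log format are all assumptions; in particular, a real proxy may not log client-sent bytes by default.

```python
"""Egress detection on proxy logs (added example).

Two complementary checks: a hostname blocklist of known consumer file-sync
services, and a sliding-window outbound-volume threshold per client that
works for a service not on the list. Log format and lists are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample proxy log. Hypothetical format:
# <ISO timestamp> <client ip> <method> <destination host> <bytes sent by client>
SAMPLE_LOG = """\
2009-03-02T13:00:01 10.1.2.3 GET www.example.com 512
2009-03-02T13:00:05 10.1.2.3 CONNECT dl-web.dropbox.com 38214911
2009-03-02T13:04:11 10.1.2.3 CONNECT dl-web.dropbox.com 41988001
2009-03-02T13:10:40 10.1.2.9 CONNECT files.unknown-sync.example 61002331
2009-03-02T13:15:02 10.1.2.9 CONNECT files.unknown-sync.example 59110403
2009-03-02T13:20:00 10.1.2.7 POST mail.corp.example 2048
"""

SYNC_SERVICES = {"dropbox.com"}        # known file-sync services (assumed list)
INTERNAL_SUFFIXES = {"corp.example"}   # destinations where big uploads are normal (assumed)
VOLUME_LIMIT = 100 * 1024 * 1024       # bytes per client per window (assumed threshold)
WINDOW = timedelta(hours=1)


def host_matches(host, suffixes):
    """True if host is one of the suffixes or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_log(text):
    """Turn the raw log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "host": host, "bytes": int(size)})
    return events


def detect(events):
    """Return (kind, client, detail) alerts, one per client and destination."""
    alerts, seen_sync, flagged_volume = [], set(), set()
    outbound = defaultdict(deque)  # client -> (timestamp, bytes) inside the window

    for ev in sorted(events, key=lambda e: e["ts"]):
        client, host = ev["client"], ev["host"]
        # Check 1: destination is a known file-sync service.
        if host_matches(host, SYNC_SERVICES) and (client, host) not in seen_sync:
            seen_sync.add((client, host))
            alerts.append(("sync_service", client, host))
        # Check 2: sustained outbound volume to anything that is not internal.
        if host_matches(host, INTERNAL_SUFFIXES):
            continue
        q = outbound[client]
        q.append((ev["ts"], ev["bytes"]))
        while ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        total = sum(size for _, size in q)
        if total > VOLUME_LIMIT and client not in flagged_volume:
            flagged_volume.add(client)
            alerts.append(("egress_volume", client, total))
    return alerts


if __name__ == "__main__":
    for kind, client, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{client}: {kind} ({detail})")
```

On the sample, 10.1.2.3 is reported once for talking to dropbox.com (its 80 MB stays under the volume limit), 10.1.2.9 is reported for pushing about 120 MB in one hour to a host nobody listed, and the upload to the internal mail server is ignored. The volume check is the one that survives the user switching to a different sync service; the blocklist is the one that fires on the first byte.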

How to protect your users? First, restrict users’ rights so that they cannot install applications on their desktops. But protective (and aggressive) measures are not sufficient. Ask yourself why your users tried to export files outside your security perimeter: it was maybe for a legitimate reason. Don’t forget: security measures must protect the users, not prevent them from doing their regular job! Today, the security perimeter is more and more “open”. It’s maybe time to deploy official solutions to let your users access files from remote places.

To conclude this post, Dropbox was just used as an example to warn about the potential security issues that may arise from this kind of tool. Dropbox is a nice tool, but you have to use it in the right way!
