DOCSLIB.ORG

Data Loss Prevention Systems and Their Weaknesses

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Data Loss Prevention Systems and Their Weaknesses Data Loss Prevention Systems and Their Weaknesses Tore Torsteinbø Supervisors Michael Sonntag (JKU) Vladimir A. Oleshchuk (UiA) This Master’s Thesis is carried out as a part of the education at the University of Agder and is therefore approved as a part of this education. However, this does not imply that the University answers for the methods that are used or the conclusions that are drawn. University of Agder, 2012 Faculty of Engineering and Science Department of Information Technology Data Loss Prevention Systems and Their Weaknesses WARNING! This document contains sensitive information and is only for internal distribution to trusted parties. ii Data Loss Prevention Systems and Their Weaknesses Abstract (English) Data loss prevention (DLP) has grown in popularity for the last decade and is now becoming a mature technology. With the growing amount of digitally stored assets, the need for enterprises to detect and prevent data loss is increasing. DLP software that analyses traffic, detects and blocks unauthorized use of confidential data is therefore a result of this growing need, but do these security products live up to their own claims? This thesis will look at how effective DLP is at preventing different types of data loss depending on the various factors involved, such as nature of the attack and the technical knowledge of the attacker. Through examples from real DLP software we will outline the various components that make up a modern DLP solution and how they work together to protect the data of an organization. We hypothesize that current DLP products are insecure and pose a security risk to the environment they are installed in. This is not the fault of DLP itself, but how the technology has been implemented by security vendors. If an attacker can exploit a weakness and compromise a DLP system, the system can be turned against itself and be used to accelerate data theft by providing information about the whereabouts of all sensitive data, if not the data itself. This automated way of stealing data is much faster, and in many cases more accurate than manually scavenging the network for files. As a result the time span to detect and stop an attack reduced and might leave the victim in a worse situation than if no DLP was present in the first place. iii Data Loss Prevention Systems and Their Weaknesses Abstract (German) Data Loss Prevention (DLP) hat in den letzten 10 Jahren stark an Popularität gewonnen und ist jetzt zu einer ausgewachsenen Technologie geworden. Mit der wachsenden Anzahl an digital gespeicherten Datensätzen wächst auch der Bedarf an der Ermittlung und Vorbeugung des Verlustes dieser. DLP Software, welche Traffic analysiert und unauthorisierte Zugriffe auf vertrauliche Daten aufspürt und blockiert, ist somit ein Resultat der wachsenden Notwendigkeit. Aber werden diese Sicherheitsprodukte den Ansprüchen gerecht? Diese Arbeit wird zeigen, wie effektiv DLP dem Verlust von Daten, basierend auf der Art und Weise des Angriffes und dem technischen Wissen des Angreifers, vorbeugen kann. Mit Hilfe von Beispielen von realer DLP Software werden wir gezielte Komponenten, welche eine moderne DLP Lösung ausmachen, aufgreifen und zeigen, wie diese zusammen arbeiten, um die Daten einer Organisation zu schützen. Wir stellen die Hypothese auf, dass DLP Produkte unsicher sind und ein Sicherheitsrisiko für die Umgebung darstellen, in denen sie installiert sind. Dies ist nicht die Schuld des DLP selbst, sondern die der Sicherheitsanbieter, welche die Technologie umgesetzt haben. Wenn ein Angreifer eine Schwachstelle ausnutzt und somit das DLP System kompromittiert, kann das System gegen sich selbst gerichtet werden und beschleunigt somit den Datendiebstahl mit dem Zurverfügungstellen von Kenntnissen über den genauen Ort von empfindlichen Daten, wenn nicht sogar die Daten selbst. Dieser automatisierte Weg des Datendiebstahls ist wesentlich schneller und in vielen Fällen auch genauer als das manuelle Plündern von Daten im Netzwerk. Das Resultat ist ein kürzere Zeitspanne, in welcher ein Angriff ausfgespürt und gestoppt werden könnte und somit könnte das Opfer in einer schlechteren Situation zurückgelassen werden, als wenn das DLP System niemals präsent gewesen wäre. iv Data Loss Prevention Systems and Their Weaknesses TABLE OF CONTENTS List of Figures ....................................................................................................................... vii List of Tables ....................................................................................................................... viii Aknowledgement ...................................................................................................................ix 1 Introduction ...................................................................................................................... 1 1.1 Background ................................................................................................................ 1 1.2 Definitions ................................................................................................................. 1 1.3 Objectives ................................................................................................................... 1 1.4 Methodology .............................................................................................................. 2 1.5 Limitations ................................................................................................................. 3 1.6 Structure..................................................................................................................... 3 1.7 Previous Work ........................................................................................................... 3 2 Data Loss Prevention Architecture ............................................................................... 5 2.1 What Is Data Loss Prevention? ................................................................................. 5 2.1.1 Definition .......................................................................................................... 6 2.1.2 The Various Terms ............................................................................................ 6 2.1.3 A Brief History ................................................................................................... 6 2.2 Threat Elements ........................................................................................................ 8 2.2.1 Accidental Data Loss ......................................................................................... 8 2.2.2 Insider Attacks .................................................................................................. 9 2.2.3 External Attacks ................................................................................................ 11 2.3 The DLP Technology ............................................................................................... 13 2.3.1 Policies .............................................................................................................. 13 2.3.2 Core Technologies ............................................................................................ 14 2.3.3 Data Classification ........................................................................................... 18 2.3.4 Data Protection ................................................................................................ 23 2.3.5 Feature Examples from Bypassing a DLP ........................................................ 30 2.3.6 Technological Shortcomings ........................................................................... 31 2.3.7 Alternative Uses ............................................................................................... 31 3 Vulnerabilities in DLP Systems ................................................................................... 33 3.1 Threat Scenario ........................................................................................................ 34 3.1.1 Background ...................................................................................................... 34 v Data Loss Prevention Systems and Their Weaknesses 3.1.2 The Threat Materialized .................................................................................. 34 3.1.3 Summary........................................................................................................... 37 3.2 Finding the Flaws ..................................................................................................... 38 3.2.1 Test Environment............................................................................................. 38 3.3 Evaluating MyDLP ................................................................................................... 39 3.3.1 Penetrating the Application ............................................................................ 41 3.4 Evaluating Trend Micro DLP.................................................................................. 49 3.4.1 Penetrating the Application ............................................................................ 51 3.5 Attacking the DLP ...................................................................................................59 3.6 Results ..................................................................................................................... 64 4 Discussion ....................................................................................................................65 4.1
Load more

Recommended publications
  • Designing a Free Data Loss Prevention System
    University of Piraeus Department of Digital Systems MSc in Security of Digital Systems Master Thesis Designing a free Data Loss Prevention system Dimitrios Koutsourelis March 2014 Data Loss Prevention Systems Supervisors Sokratis Katsikas, Professor University of Piraeus Spyros Papageorgiou, Captain (OF-5) Hellenic National Defense General Staff/ Directorate of Cyber Defense Dimitrios Koutsourelis 2 Data Loss Prevention Systems Abstract Data Loss is an everyday threat within all organizations. The leaking of confidential data ultimately results in a loss of revenue. A quarter of all Data Loss is widely attributed to the use of applications such as Voice, Email, Instant Messaging, Social Networks, Blogs, P2P and Videos. A common approach, adopted to prevent Data Loss is the use of sophisticated data detection algorithms and the deployment of systems to control applications, attempting to access the outside world [1]. Many vendors currently offer data loss prevention products for no small amount of money. This thesis focuses on providing all the necessary information needed to fully comprehend the terms that wrap around data loss prevention and illustrating some of the most common mechanisms and techniques used by the available software. Also, two publicly available, free, data loss prevention software tools, MyDLP and OpenDLP, are presented and analyzed. In the third part of this project, a system architecture is presented, designed to combine the two previously mentioned software in a way such that they co-exist inside an information system, complementing each other, providing solid data loss prevention services. Dimitrios Koutsourelis 3 Data Loss Prevention Systems Table of Contents 1 Introduction .......................................................................................................... 6 1.1 Background ....................................................................................................
    [Show full text]
  • 4.2 Elasticsearch, Logstash, and Kibana (ELK S T a C K )
    T owards a Collection of Cost-E ffective T echnologies in Support of the NIST Cybersecurity Framework Submitted in partial fulfilment of the requirements of the degree of M a s t e r o f S c ie n c e of Rhodes University Bruce M. S. Shackleton Grahamstown, South Africa December 2017 i Abstract The NIST Cybersecurity Framework (CSF) is a specific risk and cybersecurity framework. It provides guidance on controls that can be implemented to help improve an organisa­ tion’s cybersecurity risk posture. The CSF Functions consist of Identify, Protect, Detect, Respond, and Recover. Like most Information Technology (IT) frameworks, there are elements of people, processes, and technology. The same elements are required to suc­ cessfully implement the NIST CSF. This research specifically focuses on the technology element. While there are many commercial technologies available for a small to medium sized business, the costs can be prohibitively expensive. Therefore, this research investigates cost-effective technologies and assesses their alignment to the NIST CSF. The assessment was made against the NIST CSF subcategories. Each subcategory was analysed to identify where a technology would likely be required. The framework provides a list of Informative References. These Informative References were used to create high- level technology categories, as well as identify the technical controls against which the technologies were measured. The technologies tested were either open source or proprietary. All open source technolo­ gies tested were free to use, or have a free community edition. Proprietary technologies would be free to use, or considered generally available to most organisations, such as components contained within Microsoft platforms.
    [Show full text]
  • Introduction to Computational Techniques
    Chapter 2 Introduction to Computational Techniques Computational techniques are fast, easier, reliable and efficient way or method for solving mathematical, scientific, engineering, geometrical, geographical and statis- tical problems via the aid of computers. Hence, the processes of resolving problems in computational technique are most time step-wise. The step-wise procedure may entail the use of iterative, looping, stereotyped or modified processes which are incomparably less stressful than solving problems-manually. Sometimes, compu- tational techniques may also focus on resolving computation challenges or issues through the use of algorithm, codes or command-line. Computational technique may contain several parameters or variables that characterize the system or model being studied. The inter-dependency of the variables is tested with the system in form of simulation or animation to observe how the changes in one or more parameters affect the outcomes. The results of the simulations, animation or arrays of numbers are used to make predictions about what will happen in the real system that is being studied in response to changing conditions. Due to the adoption of computers into everyday task, computational techniques are redefined in various disciplines to accommodate specific challenges and how they can be resolved. Fortunately, computational technique encourages multi-tasking and interdisciplinary research. Since computational technique is used to study a wide range of complex systems, its importance in environmental disciplines is to aid the interpretation of field measurements with the main focus of protecting life, prop- erty, and crops. Also, power-generating companies that rely on solar, wind or hydro sources make use of computational techniques to optimize energy production when extreme climate shifts are expected.
    [Show full text]
  • File Systems and Sysadmin
    ;login FEBRUARY 2014 VOL. 39, NO. 1 : File Systems and Sysadmin & An Overview of Object Storage Matthew W. Benjamin, Casey Bodley, Adam C. Emerson, and Marcus Watts & Hadoop 2 Sanjay Radia and Suresh Srinivas & Loser Buys, Two Tales of Debugging Mark Bainter and David Josephsen & Improving Performance of Logging Reports and Dashboards David Lang & Change Management Jason Paree and Andy Seely Columns Practical Perl Tools: Redis Meets Perl David N. Blank-Edelman Python: The Wheels Keep on Spinning David Beazley iVoyeur: Counters Dave Josephsen For Good Measure: Measuring Security Book Value Dan Geer and Gunnar Peterson /dev/random: Cybertizing the World Robert Ferrell Conference Reports LISA ’13: 27th Large Installation System Administration Conference Advanced Topics Workshop at LISA ’13 UPCOMING EVENTS FAST ’14: 12th USENIX Conference on File and 23rd USENIX Security Symposium Storage Technologies August 20–22, 2014, San Diego, CA, USA February 17–20, 2014, Santa Clara, CA, USA www.usenix.org/sec14 www.usenix.org/fast14 Submissions due: February 27, 2014 2014 USENIX Research in Linux File and Storage Workshops Co-located with USENIX Security ’14 Technologies Summit EVT/WOTE ’14: 2014 Electronic Voting Technology In conjunction with FAST ’14 Workshop/Workshop on Trustworthy Elections February 20, 2014, Mountain View, CA, USA USENIX Journal of Election Technology and Systems (JETS) NSDI ’14: 11th USENIX Symposium on Networked Published in conjunction with EVT/WOTE Systems Design and Implementation www.usenix.org/jets April 2–4, 2014, Seattle,
    [Show full text]