Data Loss Prevention Systems and Their Weaknesses Tore Torsteinbø Supervisors Michael Sonntag (JKU) Vladimir A. Oleshchuk (UiA) This Master’s Thesis is carried out as a part of the education at the University of Agder and is therefore approved as a part of this education. However, this does not imply that the University answers for the methods that are used or the conclusions that are drawn. University of Agder, 2012 Faculty of Engineering and Science Department of Information Technology Data Loss Prevention Systems and Their Weaknesses WARNING! This document contains sensitive information and is only for internal distribution to trusted parties. ii Data Loss Prevention Systems and Their Weaknesses Abstract (English) Data loss prevention (DLP) has grown in popularity for the last decade and is now becoming a mature technology. With the growing amount of digitally stored assets, the need for enterprises to detect and prevent data loss is increasing. DLP software that analyses traffic, detects and blocks unauthorized use of confidential data is therefore a result of this growing need, but do these security products live up to their own claims? This thesis will look at how effective DLP is at preventing different types of data loss depending on the various factors involved, such as nature of the attack and the technical knowledge of the attacker. Through examples from real DLP software we will outline the various components that make up a modern DLP solution and how they work together to protect the data of an organization. We hypothesize that current DLP products are insecure and pose a security risk to the environment they are installed in. This is not the fault of DLP itself, but how the technology has been implemented by security vendors. If an attacker can exploit a weakness and compromise a DLP system, the system can be turned against itself and be used to accelerate data theft by providing information about the whereabouts of all sensitive data, if not the data itself. This automated way of stealing data is much faster, and in many cases more accurate than manually scavenging the network for files. As a result the time span to detect and stop an attack reduced and might leave the victim in a worse situation than if no DLP was present in the first place. iii Data Loss Prevention Systems and Their Weaknesses Abstract (German) Data Loss Prevention (DLP) hat in den letzten 10 Jahren stark an Popularität gewonnen und ist jetzt zu einer ausgewachsenen Technologie geworden. Mit der wachsenden Anzahl an digital gespeicherten Datensätzen wächst auch der Bedarf an der Ermittlung und Vorbeugung des Verlustes dieser. DLP Software, welche Traffic analysiert und unauthorisierte Zugriffe auf vertrauliche Daten aufspürt und blockiert, ist somit ein Resultat der wachsenden Notwendigkeit. Aber werden diese Sicherheitsprodukte den Ansprüchen gerecht? Diese Arbeit wird zeigen, wie effektiv DLP dem Verlust von Daten, basierend auf der Art und Weise des Angriffes und dem technischen Wissen des Angreifers, vorbeugen kann. Mit Hilfe von Beispielen von realer DLP Software werden wir gezielte Komponenten, welche eine moderne DLP Lösung ausmachen, aufgreifen und zeigen, wie diese zusammen arbeiten, um die Daten einer Organisation zu schützen. Wir stellen die Hypothese auf, dass DLP Produkte unsicher sind und ein Sicherheitsrisiko für die Umgebung darstellen, in denen sie installiert sind. Dies ist nicht die Schuld des DLP selbst, sondern die der Sicherheitsanbieter, welche die Technologie umgesetzt haben. Wenn ein Angreifer eine Schwachstelle ausnutzt und somit das DLP System kompromittiert, kann das System gegen sich selbst gerichtet werden und beschleunigt somit den Datendiebstahl mit dem Zurverfügungstellen von Kenntnissen über den genauen Ort von empfindlichen Daten, wenn nicht sogar die Daten selbst. Dieser automatisierte Weg des Datendiebstahls ist wesentlich schneller und in vielen Fällen auch genauer als das manuelle Plündern von Daten im Netzwerk. Das Resultat ist ein kürzere Zeitspanne, in welcher ein Angriff ausfgespürt und gestoppt werden könnte und somit könnte das Opfer in einer schlechteren Situation zurückgelassen werden, als wenn das DLP System niemals präsent gewesen wäre. iv Data Loss Prevention Systems and Their Weaknesses TABLE OF CONTENTS List of Figures ....................................................................................................................... vii List of Tables ....................................................................................................................... viii Aknowledgement ...................................................................................................................ix 1 Introduction ...................................................................................................................... 1 1.1 Background ................................................................................................................ 1 1.2 Definitions ................................................................................................................. 1 1.3 Objectives ................................................................................................................... 1 1.4 Methodology .............................................................................................................. 2 1.5 Limitations ................................................................................................................. 3 1.6 Structure..................................................................................................................... 3 1.7 Previous Work ........................................................................................................... 3 2 Data Loss Prevention Architecture ............................................................................... 5 2.1 What Is Data Loss Prevention? ................................................................................. 5 2.1.1 Definition .......................................................................................................... 6 2.1.2 The Various Terms ............................................................................................ 6 2.1.3 A Brief History ................................................................................................... 6 2.2 Threat Elements ........................................................................................................ 8 2.2.1 Accidental Data Loss ......................................................................................... 8 2.2.2 Insider Attacks .................................................................................................. 9 2.2.3 External Attacks ................................................................................................ 11 2.3 The DLP Technology ............................................................................................... 13 2.3.1 Policies .............................................................................................................. 13 2.3.2 Core Technologies ............................................................................................ 14 2.3.3 Data Classification ........................................................................................... 18 2.3.4 Data Protection ................................................................................................ 23 2.3.5 Feature Examples from Bypassing a DLP ........................................................ 30 2.3.6 Technological Shortcomings ........................................................................... 31 2.3.7 Alternative Uses ............................................................................................... 31 3 Vulnerabilities in DLP Systems ................................................................................... 33 3.1 Threat Scenario ........................................................................................................ 34 3.1.1 Background ...................................................................................................... 34 v Data Loss Prevention Systems and Their Weaknesses 3.1.2 The Threat Materialized .................................................................................. 34 3.1.3 Summary........................................................................................................... 37 3.2 Finding the Flaws ..................................................................................................... 38 3.2.1 Test Environment............................................................................................. 38 3.3 Evaluating MyDLP ................................................................................................... 39 3.3.1 Penetrating the Application ............................................................................ 41 3.4 Evaluating Trend Micro DLP.................................................................................. 49 3.4.1 Penetrating the Application ............................................................................ 51 3.5 Attacking the DLP ...................................................................................................59 3.6 Results ..................................................................................................................... 64 4 Discussion ....................................................................................................................65 4.1
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages87 Page
-
File Size-