About Me

Brad Antoniewicz

Brad Antoniewicz

Read More

Feeds & Podcasts

Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

McAfee Labs :

Someone get the mop, we have a data leak!

Friday, November 2, 2007 at 6:49am by Brad Antoniewicz
Brad Antoniewicz

Corny titles aside, you might be surprised all of the ways that your “secure” internal corporate data can become unsecured public information by one disgruntled employee. Data leakage is when your internal corporate data is released to the public or anywhere else that is not in your control. This can be performed mainly in two ways, where the number of variants of each method can be virtually limitless.

  • Physical removal of the data via hardcopy or softcopy on removable media
  • Transfer of the data over the internet via email, FTP, SCP, etc..

Did I say limitless variants?! Yikes! So how do we prevent this? Well it’s rather unlikely that all of your employees will go under a strip search to validate that they do not have any paper shoved down there pants, but if we don’t allow access to those documents in the first place, and if we make sure they are properly disposed of (i.e shredded) when they are printed, it might be possible to limit some of our exposure

These physical threats are tricky issues that may never be fully solved, but they are extremely important to mindful of. In this post, we’ll focus on the non-physical side of data leakage. Right off the bat, lets disable the easy stuff:

  • Discontinue the use of writeable CD/DVD drives on your client systems. There’s normally no reason for the average user to burn CD/DVDs. It might be a good idea that a manager or someone with a higher privilege to first filter this data before burning the data to disk. That is of course, you trust your managers. :)
  • Disable USB/Firewire storage and removable media. You can disable USB all together if your company is not USB keyboard/mouse dependent.

These two basic things will force our mischievous friends to look at the internet as a means of transfer. On nearly every firewall/architecture review, I have one finding that states “Inadequate Egress Filtering”. Egress filtering is controlling the traffic leaving your organization, or traversing from a trusted to untrusted zone (i.e internal network to internet).

Although most companies I work with may or may not have a proxy server to scrutinize outbound traffic, they also have a ton of additional services permitted through the firewall, thus the “Inadequate Egress Filtering” finding. An additional problem that compounds this issue is the separation between the security staff and the firewall staff. This problem makes it hard for the security staff to accurately assess the firewall policy, and thus forces them to test these things on their own. To address this issue security staff can simply set up a host which has all ports open and place it on the internet. Use nmap to portscan the host:

nmap –sT –p 0-65535 [host]

What this will do is check which ports are allowed out through the firewall. There are some online services that will let you do this as well and even some messaging programs will have all ports open on their login servers. With the information presented by nmap, we can then get an idea of the existing potential areas for data leakage.

It’s extremely important to understand that any service can run on any port, which means that even the smallest allowance can permit someone to transmit data out to the internet. Let’s look at some common methods:

SSH Tunneling: Attackers can easily tunnel anything they’d like over SSH and as we mentioned, just because the default port for SSH is TCP/22, doesn’t mean it can’t run it on any other one. SSH can also be proxied, so application filters are even more important. Bottom Line: If an attacker can get SSH outbound, they can do anything!

DNS Tunneling: OzymanDNS (http://www.doxpara.com/ozymandns_src_0.1.tgz) can tunnel SSH over DNS! Yes, over DNS. So think twice about that permit udp any any eq 53, internal users should hit an internal DNS server which is responsible for its outbound queries.

ICMP Tunneling: If all else fails, attackers my try PingTunnel (http://www.cs.uit.no/~daniels/PingTunnel/), which as the name implies, allows SSH over ICMP! This kind of thing may make you think twice about allowing ICMP outbound to any host. If your network engineering staff really needs that as a tool, consider allowing ICMP only to particular hosts.

In an ideal situation, you’d have no outbound allowances without first being forced through a proxy server with application layer filtering. Even then, you only allow HTTP/HTTPS. You can then use a variety of software that will look for certain strings in HTTP/HTTPS or instant messaging sessions then ultimately notify you or prevent them from sending the data that matches. This is an excellent solution and should be deployed everywhere, for more information, Google “Data Leakage” and those applications will present themselves to you.

This isn’t meant to be fully comprehensive, but to just show the risks associated with the smallest allowance. If you can limit traffic outbound and scrutinize it where ever possible, you should be ok. Well”¦ that’s if you try not to think about employee EVDO cards or test DSL lines that terminate at employee cubicles. =]

Bookmark and Share

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

 

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments (6)

  • doh May 7, 2009 1:29PM

    Instead of hunting down your employees, why not make a culture of trust, innovation and shared responsibility? Seems this is a solution in want for a problem. Doesn’t sound like a workplace I would want to work in at all, which is why so many large corporations fail so miserably in the staff satisfaction department.

    Better to grow a good working culture, than being paranoid and stifling innovation within your own company. If you shut down all the windows, all the creative / innovative people will just leave you for companies (usually small startups) which can provide fertile ground..

    Reply
  • brad antoniewicz November 10, 2007 8:06AM

    hehehe, thats why its up to us to try to meet that medium between security and usability. an overly determined person can find a way, its just up to us to make it all that more difficult. we disable USB/firewire to hopefully force him to the network where we have more eyes that might see him.. if we put 4 layers of security in front of the attacker, thats 4 chances we have to catch him. unfortunately because of those limitless variants the attacker may succeed if he jumps straight to the serial port or somewhere else we’re not looking.

    (shrug) just got to try your best i suppose, but dismissing the threat and not trying even the simplest mitigation techniques is never the correct option.

    Reply
  • mdubh November 8, 2007 4:08AM

    Along with USB & FireWire, let’s not forget about securing the other physical ports and slots: CardBus, ExpressCard, serial, parallel, modem and of course the LAN port. Laptops travel to employee’s homes and other locations, and employees can bring hubs, switches & WAPs into the office environment. So while we’re at it, let’s also secure the WiFi & Bluetooth. Limitless variants indeed.

    Reply
  • Brad Antoniewicz November 7, 2007 7:39AM

    In security, Defense in Depth is a very important concept that should be put in place with all deployments. The idea behind it is that if one security measure is defeated, supporting measures should further mitigate the attack. In this scenario, we can set a BIOS password, disable USB in the BIOS and disable the USB via group policy. Although a BIOS password might be something that can be bypassed, you can even implement defense in depth in that area as well. Most desktops nowadays are equipped with locking mechanisms, so by adding a little physical security the scenario you can add four layers of defense. You can easily argue the BIOS password management, but you can equally argue that most desktop systems have local administrator passwords that need to be managed as well. Nonetheless, I think BIOS passwords are a good security measure, and really best practice to be deployed as part of the standard corporate build.

    Reply
  • derf November 6, 2007 10:03AM

    Disable USB? You gotta be kidding! How’re you going to do that without putting glue in the holes and/or managing BIOS passwords (easily bypassable solutions)? How are you going to convince folks that they need to give up their shiny keychained floppies?

    Reply
  • twi252 November 4, 2007 3:47AM

    Let’s not forget the disgruntled employee simply taking a photocopy of a sensitive document home and posting it on the Internet.

    Limiting traffic is always a good thing security-wise, but you eventually reach a point where you *have* to allow things to talk, to get the required functionality, eg one might not like allowing ICMP on their network, but it’s needed for things like Active Directory (or even upper-layer protocols) to function normally.

    (This is where you get into interesting situations like who wins the argument wether to allow ICMP on the network? Does the security guy win the argument, or the CEO who wants a sister-company’s domain integrated into the parents domain.. What if there was no middle-ground solution?)

    In my opinion these issues are best handled in the legal arena, because every technological control can be circumvented.

    You can secure your company’s computers to the n’th degree, the employee will simply take the sensitive data s/he has access to and distribute it some other way, which may not even involve a computer at all.. (eg, front-page of a major newspaper).

    You cant control information, you can only make people responsible for it’s (ab)use.

    Regards,

    twi252

    Reply