Someone get the mop, we have a data leak!
Friday November 2, 2007 at 6:49 am CST
Posted by Brad Antoniewicz
Corny titles aside, you might be surprised all of the ways that your “secure” internal corporate data can become unsecured public information by one disgruntled employee. Data leakage is when your internal corporate data is released to the public or anywhere else that is not in your control. This can be performed mainly in two ways, where the number of variants of each method can be virtually limitless.
- Physical removal of the data via hardcopy or softcopy on removable media
- Transfer of the data over the internet via email, FTP, SCP, etc..
Did I say limitless variants?! Yikes! So how do we prevent this? Well it’s rather unlikely that all of your employees will go under a strip search to validate that they do not have any paper shoved down there pants, but if we don’t allow access to those documents in the first place, and if we make sure they are properly disposed of (i.e shredded) when they are printed, it might be possible to limit some of our exposure
These physical threats are tricky issues that may never be fully solved, but they are extremely important to mindful of. In this post, we’ll focus on the non-physical side of data leakage. Right off the bat, lets disable the easy stuff:
- Discontinue the use of writeable CD/DVD drives on your client systems. There’s normally no reason for the average user to burn CD/DVDs. It might be a good idea that a manager or someone with a higher privilege to first filter this data before burning the data to disk. That is of course, you trust your managers.
- Disable USB/Firewire storage and removable media. You can disable USB all together if your company is not USB keyboard/mouse dependent.
These two basic things will force our mischievous friends to look at the internet as a means of transfer. On nearly every firewall/architecture review, I have one finding that states “Inadequate Egress Filtering”. Egress filtering is controlling the traffic leaving your organization, or traversing from a trusted to untrusted zone (i.e internal network to internet).
Although most companies I work with may or may not have a proxy server to scrutinize outbound traffic, they also have a ton of additional services permitted through the firewall, thus the “Inadequate Egress Filtering” finding. An additional problem that compounds this issue is the separation between the security staff and the firewall staff. This problem makes it hard for the security staff to accurately assess the firewall policy, and thus forces them to test these things on their own. To address this issue security staff can simply set up a host which has all ports open and place it on the internet. Use nmap to portscan the host:
nmap –sT –p 0-65535 [host]
What this will do is check which ports are allowed out through the firewall. There are some online services that will let you do this as well and even some messaging programs will have all ports open on their login servers. With the information presented by nmap, we can then get an idea of the existing potential areas for data leakage.
It’s extremely important to understand that any service can run on any port, which means that even the smallest allowance can permit someone to transmit data out to the internet. Let’s look at some common methods:
SSH Tunneling: Attackers can easily tunnel anything they’d like over SSH and as we mentioned, just because the default port for SSH is TCP/22, doesn’t mean it can’t run it on any other one. SSH can also be proxied, so application filters are even more important. Bottom Line: If an attacker can get SSH outbound, they can do anything!
DNS Tunneling: OzymanDNS (http://www.doxpara.com/ozymandns_src_0.1.tgz) can tunnel SSH over DNS! Yes, over DNS. So think twice about that permit udp any any eq 53, internal users should hit an internal DNS server which is responsible for its outbound queries.
ICMP Tunneling: If all else fails, attackers my try PingTunnel (http://www.cs.uit.no/~daniels/PingTunnel/), which as the name implies, allows SSH over ICMP! This kind of thing may make you think twice about allowing ICMP outbound to any host. If your network engineering staff really needs that as a tool, consider allowing ICMP only to particular hosts.
In an ideal situation, you’d have no outbound allowances without first being forced through a proxy server with application layer filtering. Even then, you only allow HTTP/HTTPS. You can then use a variety of software that will look for certain strings in HTTP/HTTPS or instant messaging sessions then ultimately notify you or prevent them from sending the data that matches. This is an excellent solution and should be deployed everywhere, for more information, Google “Data Leakage” and those applications will present themselves to you.
This isn’t meant to be fully comprehensive, but to just show the risks associated with the smallest allowance. If you can limit traffic outbound and scrutinize it where ever possible, you should be ok. Well… that’s if you try not to think about employee EVDO cards or test DSL lines that terminate at employee cubicles. =]
November 4th, 2007 at 3:47 am
Let’s not forget the disgruntled employee simply taking a photocopy of a sensitive document home and posting it on the Internet.
Limiting traffic is always a good thing security-wise, but you eventually reach a point where you *have* to allow things to talk, to get the required functionality, eg one might not like allowing ICMP on their network, but it’s needed for things like Active Directory (or even upper-layer protocols) to function normally.
(This is where you get into interesting situations like who wins the argument wether to allow ICMP on the network? Does the security guy win the argument, or the CEO who wants a sister-company’s domain integrated into the parents domain.. What if there was no middle-ground solution?)
In my opinion these issues are best handled in the legal arena, because every technological control can be circumvented.
You can secure your company’s computers to the n’th degree, the employee will simply take the sensitive data s/he has access to and distribute it some other way, which may not even involve a computer at all.. (eg, front-page of a major newspaper).
You cant control information, you can only make people responsible for it’s (ab)use.
Regards,
twi252
November 6th, 2007 at 10:03 am
Disable USB? You gotta be kidding! How’re you going to do that without putting glue in the holes and/or managing BIOS passwords (easily bypassable solutions)? How are you going to convince folks that they need to give up their shiny keychained floppies?
November 7th, 2007 at 7:39 am
In security, Defense in Depth is a very important concept that should be put in place with all deployments. The idea behind it is that if one security measure is defeated, supporting measures should further mitigate the attack. In this scenario, we can set a BIOS password, disable USB in the BIOS and disable the USB via group policy. Although a BIOS password might be something that can be bypassed, you can even implement defense in depth in that area as well. Most desktops nowadays are equipped with locking mechanisms, so by adding a little physical security the scenario you can add four layers of defense. You can easily argue the BIOS password management, but you can equally argue that most desktop systems have local administrator passwords that need to be managed as well. Nonetheless, I think BIOS passwords are a good security measure, and really best practice to be deployed as part of the standard corporate build.
November 8th, 2007 at 4:08 am
Along with USB & FireWire, let’s not forget about securing the other physical ports and slots: CardBus, ExpressCard, serial, parallel, modem and of course the LAN port. Laptops travel to employee’s homes and other locations, and employees can bring hubs, switches & WAPs into the office environment. So while we’re at it, let’s also secure the WiFi & Bluetooth. Limitless variants indeed.
November 10th, 2007 at 8:06 am
hehehe, thats why its up to us to try to meet that medium between security and usability. an overly determined person can find a way, its just up to us to make it all that more difficult. we disable USB/firewire to hopefully force him to the network where we have more eyes that might see him.. if we put 4 layers of security in front of the attacker, thats 4 chances we have to catch him. unfortunately because of those limitless variants the attacker may succeed if he jumps straight to the serial port or somewhere else we’re not looking.
(shrug) just got to try your best i suppose, but dismissing the threat and not trying even the simplest mitigation techniques is never the correct option.