Monitoring Data – CompTIA Security+ SY0-701 – 4.5

A good offense against an attacker is to have a good defense. In this video, you’ll learn about data loss prevention, file integrity monitoring, USB blocking, and more.


If you’ve ever managed a server or an application instance, then you know that there are a group of files associated with that application that never change and other files that seem to change all the time. Usually the application executables and libraries that make up this application would rarely change, unless the application was upgraded. Of course, there may be data files and cached information that changes constantly with this app, but there is a core set of files that would rarely change.

This means it would be very good to know, from a security perspective, if these files that should never be changing are suddenly being modified, and there are ways to provide monitoring and alerting if any of those files change. We refer to this software as a file integrity monitor, or a FIM. In Windows, this file integrity monitoring is done on demand using the built-in system file checker utility, or SFC. SFC will scan all of your critical operating system files, check to make sure that none of those files have been changed or modified, and if they have been modified, SFC will replace those files with a good version.

If you’re running Linux, one popular utility for file integrity monitoring is Tripwire. Tripwire will also monitor for file changes and can provide real-time monitoring so you’ll know instantly if anything is modified. And there are many different options available for host-based intrusion prevention systems. Not only will an intrusion prevention system look for and block any attacks against known vulnerabilities, it can also perform file integrity monitoring. This is a bit different than a network-based intrusion prevention system. Because this IPS is on the operating system itself, it can monitor all of the files that are on that file system.
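To show what a file integrity monitor actually does under the hood, here is an added example (not from the video, and not SFC or Tripwire code) that takes a hash baseline of an application's `bin` and `lib` directories, deliberately leaves the constantly changing `var` data out of scope, and then reports which monitored files were added, removed or modified. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption for this demo: executables and libraries live under bin/ and lib/ and
# should only change on upgrade; var/ holds cache data and is deliberately excluded.
MONITORED = ("bin", "lib")

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> (sha256, mode) for every file in the monitored dirs."""
    root, baseline = Path(root), {}
    for sub in MONITORED:
        if not (root / sub).is_dir():
            continue
        for p in sorted((root / sub).rglob("*")):
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = (hash_file(p), p.stat().st_mode)
    return baseline

def compare(baseline, current):
    """Report files that appeared, disappeared, or whose content/permissions changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k]),
    }

def demo():
    """Constructed scenario: record a baseline, then tamper with the app tree."""
    root = Path(tempfile.mkdtemp())
    files = {"bin/app": b"original executable", "lib/libcore.so": b"library code", "var/cache.dat": b"cache"}
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    baseline = build_baseline(root)
    (root / "bin/app").write_bytes(b"original executable\x90\x90")  # patched binary: modified
    (root / "lib/evil.so").write_bytes(b"dropped library")           # new file: added
    (root / "lib/libcore.so").unlink()                               # deleted: removed
    (root / "var/cache.dat").write_bytes(b"cache changed")           # noise outside scope: ignored
    return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

A real FIM stores the baseline somewhere the monitored host cannot silently rewrite it and re-runs `compare` on a schedule or on file-system events; the scoping decision (what to exclude) is what keeps the alerts from drowning in cache churn.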

Another good monitoring tool is data loss prevention, or DLP. These are systems that can look for sensitive data being sent across the network and block that traffic in real time. So if someone is transmitting Social Security numbers, medical information, or anything else that might be considered sensitive, we can block that using a DLP solution.

One of the useful features of a DLP is blocking this traffic in real time. So it is constantly monitoring either traffic sent across the network or information that might be stored on a local machine. There are DLP solutions available that are network connected and can watch the packets going by, and there are also DLP solutions that run as software on the operating system itself.

We’ll often refer to these on-computer DLP solutions as something that will monitor data in use, which means the data is in the active memory of that system, or we’ll refer to it as an endpoint DLP, the endpoint being that individual system. If the DLP solution is connected to the network and it’s monitoring packets in real time, we refer to this monitoring as data in motion. This DLP functionality may be integrated into a next-generation firewall or it might be a standalone DLP appliance. And if you need to monitor files that are stored in the file system of an operating system, then you need to monitor data at rest. This is a DLP solution that usually runs as software directly on that server or operating system itself.

If you’re running DLP software on a workstation or endpoint, you may have many different options for allowing or blocking certain data transfers. One of these options may be associated with the USB connection on that device. USB drives are very portable. You can easily plug one in, transfer data, and remove that drive. And because it’s so small, you can take it almost anywhere unnoticed.

This also works in the other direction, where someone may bring in a USB drive and connect it to your workstation. This is what happened in November of 2008 with the US Department of Defense. Someone bringing in a random USB drive connected it to their system and unknowingly launched the agent.btz worm. The worm was able to replicate itself easily using USB storage, so every device in the US Department of Defense was banned from using flash media and any type of USB-connected storage device.

Every device connected to the DoD network had to have all of their USB drives either disabled or blocked using a local DLP agent. These restrictions were lifted in February of 2010 when new guidelines dictated how USB drives were to be used going forward.

Of course, these days, many of our applications are not on our local devices or even in our local data center. Instead, they may be running in the cloud. And we also need data loss prevention solutions for cloud-based applications. This is very similar to the DLP solution that might run on a local workstation or a network-based appliance. This is simply running as a cloud-based appliance and is watching all of the traffic going in and out of a particular cloud-based application instance.

So if someone does try to transfer sensitive information into this cloud-based storage, the cloud-based DLP will recognize that data and block it before it’s stored in the cloud. Many of these cloud-based DLP solutions can also look for and block other types of traffic, such as malware, viruses, and anything else that may seem malicious.

One of the most common threat vectors for sensitive information or data that should be blocked on the network with DLP is your email system. Email is a very easy way to send sensitive information across the network, and you need a DLP solution to block those messages from being sent from your organization.

This email-based DLP can look for sensitive information in outgoing emails or in incoming emails, and there are options available whether you run your email system locally in your own data center or your email system runs in the cloud. For inbound emails, the DLP can look for keywords that may make an email a bit suspicious. It can identify emails that may be spoofed or sent by impostors. And all of these emails can be quarantined so that they never arrive in the user’s inbox.

These solutions can also look at outbound email being sent by anyone in the organization. This can block fake wire transfer emails that are being sent back and forth. And if someone’s trying to send W-2 information, which should include Social Security numbers, it can block those as well. Anything that is outbound email that appears to contain sensitive data can be blocked immediately using this email-based DLP solution.

This email-based DLP solution would have come in handy in November of 2016, when a Boeing employee sent their spouse an email containing a spreadsheet. When they looked at the spreadsheet, it appeared to be blank. But in reality, there were hidden fields in the spreadsheet that contained personal information for 36,000 Boeing employees. This included their Social Security numbers, dates of birth, and other sensitive information.

An email-based DLP solution would have blocked that email. Ironically, Boeing sells its own version of DLP software that was not used in this instance. Normally, that DLP is used on customer networks that have classified information.
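The outbound email DLP described above, and the Boeing case where the sensitive data sat in an attachment rather than the visible message, come down to content inspection of every MIME part. This added example (not from the video or any vendor's product) parses an outbound message, walks the body and each attachment, and flags Social Security numbers with a pattern that also rejects structurally invalid ones (area 000, 666 or 900-999, group 00, serial 0000). The message, addresses and attachment are constructed for the demo.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# SSN pattern with lookaheads that reject area/group/serial values the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def find_ssns(text):
    """Return every plausibly valid SSN found in a piece of text."""
    return SSN_RE.findall(text)

def inspect_message(raw):
    """Scan every non-multipart MIME part of an RFC 5322 message, attachments included."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container only; the leaves below carry the content
        ctype = part.get_content_type()
        if part.get_content_maintype() == "text":
            text = part.get_content()  # decoded (base64/quoted-printable) and charset-aware
        else:
            # Binary attachment: best-effort text view so plain strings inside it are still seen.
            text = (part.get_payload(decode=True) or b"").decode("utf-8", errors="ignore")
        hits = find_ssns(text)
        if hits:
            findings.append((part.get_filename() or ctype, len(hits)))
    return {"action": "quarantine" if findings else "deliver", "findings": findings}

def build_sample():
    """Constructed outbound mail: an innocent-looking body plus a CSV export with SSNs."""
    msg = EmailMessage()
    msg["From"] = "employee@example.com"   # constructed address
    msg["To"] = "spouse@example.net"       # constructed address
    msg["Subject"] = "That spreadsheet"
    # The body contains a decoy that looks like an SSN but has an invalid area number.
    msg.set_content("Looks blank to me. Ref part 000-12-3456 if they ask.")
    csv = "name,ssn,dob\nA. Example,123-45-6789,1980-01-01\nB. Example,456-78-9012,1975-06-30\n"
    msg.add_attachment(csv, subtype="csv", filename="hr_export.csv")
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample()))
```

Real products add many more detectors (credit card numbers with a Luhn check, medical record identifiers, fingerprints of known documents) and open container formats such as XLSX to reach hidden cells, but the decision logic is the same: inspect every part, not just what the sender sees on screen.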