Data Loss Prevention and Server Security

A guest post by Paul Hawkinson

The Art of DLP

There is an interesting article on DLP (Data Loss Prevention) linked to by Slashdot today.  This short article was written by Kevin Fogarty.

Go give it a read, but the gist of the article is that a large percentage of companies out there don’t do DLP well.  His reasoning is that “…it’s too damn complicated” and he is right on many levels.  Hard drives need to be encrypted and attacks from outside the firewall must be thwarted with IPS systems, but that doesn’t protect you from the guy or gal inside your network who might even work for you.  These data breaches can be committed with malicious intent or may just be caused by a misguided or misinformed user putting sensitive information in the wrong place.

Many of these companies spend an exorbitant amount of money on applications that are supposed to keep their private data… well, private, only to have to make the announcement to the media that their clients’ sensitive information has been lost.  Later in this article Fogarty points to this study that found that “U.S. companies waste $12.3 billion in licenses for software no one uses and 10 percent of new software purchased is never installed at all.” (International Association of Information Technology Asset Managers and vendor 1E, Ltd.)

So what is a systems/network admin to do?  Well, first we can find a bit of encouragement, or maybe exhortation, in this quote from Sun Tzu in The Art of War:

The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

– Sun Tzu

There are many good security applications and appliances out there, but none of them can make you “unassailable” alone.  Also, don’t go throwing your money around until you check out some of the many useful open source applications out there that can help you along the way toward obtaining “unassailable” status (just don’t get too cocky… ask HBGary).

Here are three applications to check out that may help you on your way:

TrueCrypt (www.truecrypt.org)

TrueCrypt is free, open-source disk encryption software.  It allows you to encrypt a particular folder on your machine, USB flash drives and also the whole Windows partition of a computer.  There are too many features to mention here, but one cool option when encrypting your entire hard drive makes it hard to tell that the system is encrypted at all.  By default, when you set up encryption on a machine it will ask for a password when the system is booted, showing a little TrueCrypt screen with the usual login prompt.  However, TrueCrypt gives the option of throwing up an “Operating System Not Found” message when the machine is booted.  All you must do to boot the system is type in the password at that point and hit enter, even though the screen gives no feedback that you are typing anything.  Pretty cool indeed…

OpenDLP (http://code.google.com/p/opendlp/)

OpenDLP is a very young application (version 0.2.6 was just released in February) that allows you to get a picture of what systems on your network have sensitive information on them.  This is a good way to know what machines need to be encrypted first (and also maybe whose hand needs to be slapped).  The program must be run in a Windows environment by a Domain Admin and works by sending out agents to machines; each agent scans its machine for sensitive information and then “reports home” to the server with the information it has found.  These scans take very little processing power and the agents delete themselves once the scan is complete.
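
A minimal sketch of the kind of data-at-rest discovery scan described above, added here as an illustration and not OpenDLP's own code: it walks a directory, flags Luhn-valid card numbers and dashed SSNs, and reports only masked values. The patterns, function names and sample files are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Assumed patterns: 13-16 digit card candidates (space/dash separated) and dashed US SSNs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum weeds out digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text):
    """Return (kind, masked_value) pairs so the report never holds raw data."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings

def scan_tree(root, max_bytes=1_000_000):
    """Walk root and map relative path -> findings for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    hits = scan_text(fh.read(max_bytes))
            except OSError:  # unreadable file: skip it and keep scanning
                continue
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Constructed sample files: a test card number, a near miss, a specimen SSN."""
    samples = {"orders.csv": "alice,4111 1111 1111 1111\nbob,4111 1111 1111 1112\n",
               "hr.txt": "Employee SSN: 078-05-1120\n",
               "readme.txt": "nothing sensitive here\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan_tree(root)
```

The second card number in `orders.csv` fails the Luhn check and is not reported, which is how a discovery scan keeps order IDs and other long digit strings out of its results.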

MyDLP (www.mydlp.org)

MyDLP takes a more defensive approach than OpenDLP in that its agent monitors the machine and blocks any sensitive information from leaving that machine via “web pages, e-mails, external storage devices…etc.”  It can even be “trained” to recognize files that you consider to be private and will then detect and block them as well.

This is just a tiny look at what is available out there in the form of free projects.  So throw a couple Google searches out there and see what else you can find to make your network “unassailable.”*

-Hawkinpaul

 

* The author of this article doesn’t actually believe that there is such a thing as an “unassailable” network or system, but that doesn’t mean we can’t make them as close to “unassailable” as possible. :)