When Does DLP (Data Loss Prevention) Make Sense??

I read Dan Raywood’s SC article this week called “Criticisms made of lax attitudes to data loss prevention tools” and I totally agree with Michael Gabriel’s thoughts on companies, and in some respects the InfoSec communities attitude to DLP technology.

The reason for my interest in this article is because I am in the process of deploying a DLP solution across EMEA and so far I have been very impressed with how things are going, and the benefit it can bring to the organisation. Before doing this project I did think DLP technology would be valuable to organisation, and because I am a geek I love any excuse to mess about with new technology, however I did have concerns about how effective it can be.

I still hold true to some of my original thoughts, and I don’t think DLP is right for everything. I think it is very dependant on the industry you are operating in, and the maturity and security posture of your organisation.

In the article Andrew Waite mentioned that the basics are essential, and unless you have this right you shouldn’t look at DLP. I agree that security basics are essential, and for many reason companies still struggle with this (lets not even talk about patching), however I think DLP could actually help you build an improved case for securing budget for a security back to basics programme.

So when does DLP make sense, and what do you need to be aware of if your going to implement it?

DLP makes sense if you know what you want to protect. This might sound obvious or stupid, however many companies don’t really know what their critical business assets are. Some DLP system can help you identify where this data lives if you don’t know via network and endpoint discovery. Obviously its not a miracle system so you need to give it a clue. You can provide a sample of data and let it use its signatures to find similar, or you can use keywords and phrases etc.

So if you know what your data looks like, and even better if you know where it is, you can point your DLP solution at it, and it will form extracts of the data within the files, and monitor specific network files and folders and then perform verification lookups in real time when data passes through its systems. This is where your policies and rules are important, and as also noted in the SC Article don’t expect it to be effective if you create once and never look at them again, the business changes, so do our processes, policies and rules. We can then leverage (or build cases to invest) in other technologies to prevent the data from leaving the organisation in the first place. So monitor and alert on all network traffic, prevent your critical information being lost externally on removal media, corporate email, webmail, social networking sites, forums, blogs and instant messaging. In my mind the primary reason for DLP is to help your protect and prevent the loss of what matters most to your organisation, its intellectual property, its key business assets. However, DLP can also help you with your Data Protection Act obligations, as well as the wonderful PCI:DSS requirements, as you can define signatures / criteria for your DLP system to match against, some vendors even have these available as default policies.

So if by now your thinking it makes sense to you, and your company has a reasonable grasp on its assets, and hopefully data flows, and you have convinced someone to release the purse strings, your install DLP and your done…. right?

Of course things are not that simple (although it is a little simpler if your in the US as we know there is no privacy :) ). I am in the UK, but need to know about EU regulatory requirement, and as soon as your talking about monitoring and blocking you need to do alot of preparatory work. So hopefully you have some policies in place, and have worked with your legal and HR teams when you implemented email and web filtering technology, well now is a good time to renew those friendships.

So what should you be thinking before you go switching on your new shinny DLP technology. Below I have created a list, some of them may not be applicable to you and the country you are in, but it should at least provide a checkpoint and food for thought, before going away monitoring everyone, until to be shutdown by HR and Legal when you go to give someone the boot from gross miss-conduct when violating company policy.

DLP points for consideration:

  • Resilience in your solution
  • Capacity in your solution (Powerful Tin, Pipes with Capacity, Geographical coverage)
  • Acceptable Usage Policies (Covering the level of monitoring and prevention DLP will provide)
  • Communication (Even though your policies cover it, have you communicated this to staff, and updated policies. The goal is to stop loss by have it not happen)
  • Employee Consent (In some countries such as Germany for example, employee consent is required when you doing this monitoring)
  • Consent not given approach (When an employee does not give consent, how will you handle it? Prevent the use of business systems for personal use?)
  • Data Protection Commissioner Approval (It is always worth having a DLP business process defined so you can share this with the DPC if questioned, however in some countries prior consent from the DPC is required)
  • Workers Council Approval (In some countries workers councils have alot of grunt, it is essential to get their buy in and approval)
  • Labour Inspection (In Italy for example the labour council need to give consent for each office location monitoring occurs, other countries may have something similar)
  • Build and Test policies and rules (This is hopefully obvious. Build and test your DLP policies and rules, tweak as required, and use this as evidence to reassure the business on the uptake of your new solution)
  • Ensure the data your policies are using for matching is accurate and up to date
  • Ensure enough resource is available for daily review, monitoring and management
  • Have a process defined for expediting and reviewing policy violations

DLP is a good tool with the right information, processes and people behind it. Like anything understanding your business, your objectives and proposed outcomes is essential in its success.


Keeping tabs on your Apple Gear… Orbicule Undercover

Since the beginning of the year I have jumped on the Apple bandwagon, and acquired a few of their lovely products. I like the look of them, I like how they work, but I am not the biggest fan of the cost :) However, it obviously hasn’t stopped me becoming a fan. So with cost in mind, one thing that is of course a worry is losing my MacBook Pro, iPhone or other bit of kit. I looked at the Mobile Me offering, but I didn’t fancy paying Apple for more services, when I only wanted one feature. This is when I stumbled across Orbicle’s Undercover, its tracking software for Mac OSX and iOS (iPhone, iPod Touch, iPad). I contacted the guys in Belgium and they were kind enough to let me have a copy to review, so here we go.

I started off with the iPhone. As per usual you need to pop into the App Store, locate Undercover (a quick search soon takes you there) purchase and install. The first thing you will notice at this stage is the cost $4.99 (£3.37) that’s a good way to get started. Once you have installed the App you have to enter an email address that you will register the phone to, and an appropriate name for the device, you will then get a notification to expect an email to setup your Undercover account, you need this for device tracking, and to log into the web console.

Now we check the email and as promised, we have some verification to take care of.

Once we are all signed up we can login to the Undercover Web portal and manage our devices.

Once we are logged in we can instantly see where the iPhone is reported (using Wi-Fi positioning ,GPRS, or  GSM Cell) to be (as the programming is running on the iPhone). We can get information on the iPhone (serial number, etc), we can then report it lost or stolen, and fill out police information, so we can create a nice bundled report to send to the police.

If we decide to do a test and decide our beloved iPhone is lost or stolen, we then have the ability to push an alert to the device.

We can configure our own message, and even force the phone to go to a specific website. Once we press send, just moments later we get the alert on the phone.

When the user goes and views this message, then a little game starts loading. In the background this is launching the Undercover App and sending the co-0rdinates. Personally I am not sure if there is value in this loading splash screen, perhaps it could do with being more stealthy and launch the app in the background. However I appreciate they want to ensure some time elapses whilst the information is sent.

So now as seen earlier when we log into the Undercover Dashboard we can see the co-ordinates, and it will continue to update its location whilst the application is running.

When the device has successfully sent it’s co-ordinates it sends you an email to confirm the device has been located.

Now we have finished playing with this we need to set our device as found.

So there we have the iPhone version, does a decent job of helping you find your lost or stolen device, although I would say the only negative is the requirement for device interaction (thief needs to read the notification), I am not sure if other offerings are fully automated. This solution also works on the iPod Touch and iPad.

So next we have the Mac OSX version, and I have to say I like this alot.

So as you would expect we need to install the application on our Mac, its just under 13Mb so not very big. Once the install has completed the machine will need to be rebooted to get Undercover up and running in the background. It will transfer its position again using the Skyhook Wireless Technology to give its position to around 10 meters.

So as we have seen before we need to log into our Undercover dashboard and add and manage our new device.

Now this time, when we mark our MBP as stolen, as default everything happens in a more stealthy fashion. As expected we get the map location we saw with our iPhone, but we also get details of IP address, we can then lookup the ISP being used, and other funky IP related antics.

We can also get screenshots of what is being looked at at the time the information was collected.

Then for the next trick, if the device is camera enabled, we can literally get a mug shot of the criminal using our device.

So now we can download all this information into a nice little bundle and send it off to our friendly law enforcement people, to recovery it for us :) Its ok, there is a Plan B.

When we enter plan B mode we can move away from the stealth approach and fade the screen away so its very difficult to use, or we can simply blank the screen and have a customised message displayed on screen, making the machine unusable until restored, or formatted.

When this message is displayed, the computer also gives a little cry out for help via the speakers. Something along the lines of “Help, Help, Help, I am a stolen Macintosh Computer, please return me to my owner”

So on the whole I think this is a great product, and even more so as the price is so reasonable. For more information please check out the Orbicule site, and see some more information below on pricing etc.

Undercover Mac

Single User License £30.92 – Covers 1 Mac
Household License £37.23 – Covers up to 5 Macs
Site License £157.13 – Covers up to 25 Macs
Student License £24.61 – Proof of full-time student status will be required
Upgrade to Household £10.10 – Upgrades from a single user to a household license
Volume Education License £6.30 – When ordering 100 copies or more

Undercover iPhone / iPad

Covers all your iPhones and iPads £3.36

Invest in the Community… Schuyler Towne and Open Locksport

One of the best thing about the InfoSec community is the people. Sure like everywhere there are the idiots, big headed know it alls, and the leachers, but in general we are a supportive bunch, and happy to share.

So this brings me to this blog post. Many of you will know that one of my other interests is Lock Picking, and there is this guy called Schuyler Towne (@shoebox), and he likes lock picking… just a little bit :)

So why am I sharing this information, well he has set up a Kick Starter project to help get some funding to release his own customer made picks. Now you may be thinking you have got picks, and thats great. However custom made picks can improve your picking, they look funky, and hey your supporting the community.

I think the pledging opportunity is over at the end of September, so get in now and play your part. Oh and there is also something in it for you.

Click the image below and check out the video for the full story…

iOS4 Is released, and fixes 64 iPhone Security Issues

At 6PM GMT Apple released its anticpated iOS4 software. This software apples to the iPhones and iTouch and in the not to distant future the iPad.

Apple have not really said to much about its Security updates, and they dont seem to be that easy to find. However if your interested here is the link to check out the 64 updates covered under iOS4.

As you can see there is alot of information about fixed vulnerabilities, but not what I was expecting an hoping for. I was looking forward to information on general security improvements, encryption, configuration and enterprise level stuff, not just a list of fixed vulns. Time for a good read through this, and further investigation for the corporate use case.

iPhone Security.. Does it exist??

I am not currently an iPhone user, but its clear that for many reasons they are a smart phone of great desire. Many of the customers I work have have shown an interest in deploying iPhones in their corporate environment. The reason being… well that often seems to be a difficult one for them to answer. I dont think they know really, perhaps they like the idea of developing some internal apps, or perhaps they like the idea of a trendy device.

Now I am all about helping people make an informed decision regardless of if I agree or not, so this got me into looking at the state of iPhone security (pre iOS4) and its not so good. Personally I think the iPhone is great for the user on the street (33% of smart phones globally are iPhones), but letting it lose in the corporate environment, against established Black Berry devices and alike, is surely madness?

I am not going to go into any great detail here, as a blog post is really not the place, but hopefully the information below will paint a small picture of concerns about using an iPhone in the corporate environment. If your interested in doing more research check out iPhone Forensics by Jonathan Zdziarski, as well as checking out his tutorials online. There was also a recent SANS Webcast on iPhone security also, and this also shared the same thoughts that I have, from investigations and information found online. I will also be doing another post on the security benefits iOS4 has brought, and how it does or doesn’t change the iPhones suitability in a corporate environment. Also check out CESG’s declaration of no iPhones allowed in Whitehall posted on The Register.

My main issue with iPhones for corporate environments, aside from the below is that there is no real enterprise management tooling. Yes some things can be improved with the use of the iPhone Configuration Utility, but this is a local process, and requires other tooling to distribute the config files. You can get some more additional control and reporting if you incorporate exchange, and maybe MobileMe. Also dont forget iTunes is also required, how many corporate standard builds feature iTunes?? I just cant see why companies consider the iPhone when compared to established offerings like Black Berrys, with its full enterprise suite of tools.

iPhones can be Jailbroken – This is the term associated with unlocking the restrictions applied to an iPhone, allowing any code to be run regardless of its approval by Apple or any other organisation, another advantage is that a Jail Broken iPhone also removes the ability for the remote removal of applications via Apple. Its is estimated that around 10% of iPhones globally are Jail Broken, the reason for this is most likely that others are worried about the voiding of warranty, as well as restricting the application of future updates from Apple. As well as opening your iPhone to using more programs, and enhancing its use, Jail Breaking also reduces the security of your iPhone if you are not security savvy. This was
demonstrated in late 2009 when a hacker released a worm targeting Jail Broken iPhones, there have also been other reports of viruses on Jail Broken iPhones compromising banking

iPhone OS (pre iOS4) – All popular operating systems have security issues, and the iPhone OS has its fair share of vulnerabilities. The latest OS updated 46 currently known vulnerabilities; the reality is that as the iPhone grows in popularity and becomes adopted by organisations the incentive and reward to find and exploit vulnerabilities will continue to grow. A new feature or some would say security flaw with the iPhone OS that was discovered in May 2010 is the automatic mounting of the iPhone’s memory when connected via USB to a Linux based machine. This bypasses any controls, PINs and encryption set on the device and gives a limited access to the iPhones storage. I believe the primary goal was to allow iPhones to be used easily with Linux distributions, however obviously this brings with it serious security concerns.

The Apple App Store – The Apple App Store provides the single official point of contact for all applications on the iPhone. The idea behind this is to ensure that all applications are safe for use, and there are currently around 235,000 applications approved for download. Apple have confirmed that around 10% of applications submitted to the App Store have components within them that will aim to steal data. With this in mind, I would suggest that it is unlikely that Apple are able to 100% guarantee that all applications available have been fully tested and defined as safe. In fact it has been known that Apple occasionally remove applications from the App Store, and people’s devices, after making a decision to recall specific applications for various reasons. There are also various theories on how an application could be made available on the App Store, and obfuscate its real intention to steal data. The point to be made here, is that applications could potentially steal corporate data, regardless of their supposed safety approvals from Apple.

Passcodes and Pin Numbers – Most smart phones use a passcode, or PIN number to restrict the physical access to the device. iPhones do have this feature, however it is restricted as standard to only being 4 digits. This is obviously not a good situation, however the situation is made worse with multiple ways to bypass the passcode requirement all together. Some methods require the use of a computer, while others can be done stand alone in less than two mintues. This then gives full access to the device, contacts, emails etc, as if you have
entered the appropriate code.

Encryption – Until the release of the iPhone 3GS there was no encryption available on the device. The 3GS now features full hardware encryption of the device’s contents. Once again
with physical access it is possible to make a copy of the entire contents of the device, and circumvent the encryption, all of this is easily possible in fewer than 5 minutes. Just check out YouTube.

System Data – The iPhone stores a lot of data classified as system data. Even though applications run in a sandboxed / isolated environment there is still some leakage that occurs
when obfuscation is used within a program’s code. The system data contains a large amount of information, email parameters, names and addresses, but no passwords or messages. In
addition all keyboard entries (except for password fields) are cached and stored, along with address book entries, the last 20 sites browsing history, WIFI network history, as well as
images and their associated data, time, data, location. An interesting feature is that every time the home button is pressed on the iPhone to return to the home menu a screen shot is
taken, containing all the information on the screen for that application at the time, this is also saved and stored as system data. In addition to this VoiceMails can also be stored as system data. All of this system data can be accessed and backed up with physical access, as discussed before with encryption bypassing. An application that steals data would also have
access to this data, and could transmit the information over a Wifi network, or mobile Internet.

Finally, just as a reminder, these are just my opinions and thoughts, based on research and findings. I do like Apple products, I have a few :) However I am still not sure its ready for the corporate environment. Perhaps after reading about ALL the proposed iOS4 updates I will change my mind.

Review of the 3M Gold Privacy Filter

At Infosecurity Europe 2010 I got talking to the 3M guys about their new Gold Privacy Filter, and those lovely chaps gave me one to have a look at.

  • 3M Gold Privacy Filters provide twice the level of effective privacy protection and 14% higher clarity than standard black out privacy filters
  • User sees more clearly than ever while onlookers see nothing but a vibrant orange/golden screen

So why would you want a privacy filter?? Well if your a regular traveller and you don’t want the person next to you having a good peep whilst playing minesweeper, this will certainly help. Oh and of course those documents you work on containing sensitive data. It essentially just gives you some screen privacy and stops the shoulder surfers getting a look see.

There is not really alot to say, and I will let the below video demo do the talking. It does what is says on the tin, its easy to install and can be left in place 100% of the time. I will certainly be using this when travelling in the future. I do have one gripe with the product, but its most likely a personal thing. I have a matte screen, as reflections drive me mad, with the privacy filter in place, its glossy reflection city, and as its not something I am used to any more I couldn’t leave it on every day. I believe the previous version had gloss and matte sites, but this one seems the same both sides, still it does what it needs to do well, and serves its purpose, perhaps they mate release a matte version in the future.