Announcement

**xor** · October 17, 2008, 16:18

Re: Data Leak Prevention

I'm no expert but this could be a start.

Your data should be encrypted this way if there is a leak it can minimize the impact. You will no doubt be required by law to do it soon anyway.

http://online.wsj.com/article/SB122411532152538495.html

If you are trying to monitor who is accessing the data on your LAN you could install keystroke loggers on all your systems. With do diligence it could prevent a data leak. It is also cheap and easy though going through all the data collected by not be.

xor

**Thorn** · October 17, 2008, 16:21

Re: Data Leak Prevention

Originally posted by ShadowCat66 View Post

I have been looking at a few DLP programs and the one thing that I am concerned about is that they make a copy of the data as an inventory to compare against the data that it is meant to protect. With that in mind, DLP programs sit on the perimeter of the network watching. Theoretically, if I were looking to get my hands on the crown jewels, malicious intent would dictate that I go straight to the queen herself, so you can see how this could be a potential security problem.

This isn't my area of expertise by a long shot, but according to what little I have looked on DLP, many of theses systems work by using a hash or signature of the data, rather than straight copy. If someone grabs that, all they have is a hash.

**xor** · October 17, 2008, 16:35

Re: Data Leak Prevention

You could also take out Floppies & CD/DVD Burners. Honestly they shouldn't be on a systems with "sensitive data" anyway. Anything you need to do as an admin should be able to be done over the network. If someone needs a copy they should go to a supervised workstation where records are made of each transaction. I've also heard of sysadmins filling the USB ports with hot glue. Though admittedly a little extreme.

xor

**Thorn** · October 17, 2008, 16:46

Re: Data Leak Prevention

Originally posted by xor View Post

I've also heard of sysadmins filling the USB ports with hot glue. Though admittedly a little extreme.

xor

Wouldn't a GPO turning off USB data devices be enough?

**xor** · October 17, 2008, 16:54

Re: Data Leak Prevention

Originally posted by Thorn View Post

Wouldn't a GPO turning off USB data devices be enough?

http://www.theinquirer.net/en/inquir...e-up-usb-ports

I didn't say I would do it(hides bottle of super glue

); I just stated I heard about it.

xor

**xor** · October 17, 2008, 17:01

Re: Data Leak Prevention

Here's the thread I was looking for.

http://www.watchyourend.com/2007/01/...curity-breach/

Los Alamos at work protecting our Nuclear secrets.

Actually when I first heard of the practice I thought it was kind of an IT urban myth.

xor

**streaker69** · October 17, 2008, 17:23

Re: Data Leak Prevention

Originally posted by xor View Post

You could also take out Floppies & CD/DVD Burners. Honestly they shouldn't be on a systems with "sensitive data" anyway. Anything you need to do as an admin should be able to be done over the network. If someone needs a copy they should go to a supervised workstation where records are made of each transaction. I've also heard of sysadmins filling the USB ports with hot glue. Though admittedly a little extreme.

xor

There's a company that actually makes a physical lock for USB ports. Just plug it in and turn the key. I looked at them for a bit, but for what I wanted them for, they were a bit pricey.

http://www.pcguardian.com/products/data.html

**xor** · October 17, 2008, 19:36

Re: Data Leak Prevention

Found this, there is a free trial. I think this is what Thorn was talking about.

http://www.devicewall.com/

xor

**Deviant Ollam** · October 17, 2008, 21:12

Re: Data Leak Prevention

Originally posted by streaker69 View Post

There's a company that actually makes a physical lock for USB ports. Just plug it in and turn the key.

maybe it was an older model, but someone brought one of these to us at a TOOOL booth at a con. as i say, i can't comment on their entire product line, but the one we saw was an absolute joke. the locking mechanism was easily manipulated open, and besides that there's the fact that a USB port isn't constructed like a Kensington-style laptop lock.

Unlike a laptop lock (which, as i understand it, will actually break apart some of the system circuitry if forced open, provided the lock has been properly integrated into the device) a USB port has no specific "footholds" let us say that can be used to effectively retain the "lockout device"... we just ripped one clean out of the machine (without superhuman effort) and the port was totally fine and still functional. It might be hard to stick back in there (and thus be evidence that someone was using the port somehow) but it surely won't protect you much, from what we've seen thus far.

**streaker69** · October 18, 2008, 05:06

Re: Data Leak Prevention

Originally posted by Deviant Ollam View Post

maybe it was an older model, but someone brought one of these to us at a TOOOL booth at a con. as i say, i can't comment on their entire product line, but the one we saw was an absolute joke. the locking mechanism was easily manipulated open, and besides that there's the fact that a USB port isn't constructed like a Kensington-style laptop lock.

Unlike a laptop lock (which, as i understand it, will actually break apart some of the system circuitry if forced open, provided the lock has been properly integrated into the device) a USB port has no specific "footholds" let us say that can be used to effectively retain the "lockout device"... we just ripped one clean out of the machine (without superhuman effort) and the port was totally fine and still functional. It might be hard to stick back in there (and thus be evidence that someone was using the port somehow) but it surely won't protect you much, from what we've seen thus far.

When I was originally looking at them, I was wondering if you had seen on before or not. After looking at them as best as possible on their website, I kind of came to the same conclusion. It's a lot of money for something that's easily circumvented. I figured I'd just use some GPO's and tamper evident tape.

**DaKahuna** · October 18, 2008, 06:46

Re: Data Leak Prevention

What you are looking for is something along the lnes of Digital Rights Management. According to the folks at Microsoft, whose solution we are looking at due to Microsoft Products being extremely predominant in our company, DRM manages who can access the data and what they can do with that data.

Also there are DLP solutions that will log what data and when it is written to any removable media. Some of these we have looked at are tied to encryption products so you may want to look at what you are using for laptop or data encryption and see if it has the capability to log any accesses to removable media.

This is not really rocket science and a few calls to some of the "big guns" like McAfee, Microsoft, Symantec, IBM, etc. should produce a number of solutions to choose from.

As for super glueing USB ports, that use to be a common practice by a number of LUGA's (large un-named government agencies).

**Voltage Spike** · October 18, 2008, 12:37

Re: Data Leak Prevention

Originally posted by xor View Post

You could also take out Floppies & CD/DVD Burners. Honestly they shouldn't be on a systems with "sensitive data" anyway.

I originally misread this, but I misread it in a way that makes sense. If you have sensitive data, and you need to control access, is it feasible to not make that data available on the network? Make the data available on DVD/hard drive/USB/whatever and make employees record access to the items. If you can't trust the employees (and if you can't, you've got bigger problems out there), then make sure that employees can't access the data in a private environment. Simple and probably more effective than anything else you'll come up with.

Originally posted by xor View Post

I've also heard of sysadmins filling the USB ports with hot glue. Though admittedly a little extreme.

Originally posted by Thorn

Wouldn't a GPO turning off USB data devices be enough?

That's assuming that your operating system supports such a feature. For a very long time Microsoft did not allow for such a configuration, and, now that they do, it will take a while for the old processes to work their way out of the system.

**DJ Jackalope** · October 19, 2008, 13:48

Re: Data Leak Prevention

Originally posted by Deviant Ollam View Post

maybe it was an older model, but someone brought one of these to us at a TOOOL booth at a con. as i say, i can't comment on their entire product line, but the one we saw was an absolute joke.

Was that the one we died laughing at at HOPE? I think I'd rather attach a rabid creature to my laptop than have one of those.

**streaker69** · October 19, 2008, 14:05

Re: Data Leak Prevention

Originally posted by DJ Jackalope View Post

Was that the one we died laughing at at HOPE? I think I'd rather attach a rabid creature to my laptop than have one of those.

Maybe something like this?

http://www.thinkgeek.com/geektoys/japanfan/9c89/

Someone needs to make one of those that looks like Quagmire and says Giggity.

Announcement

Data Leak Prevention

Data Leak Prevention

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment