
Data Leak Prevention


  • ShadowCat66
    replied
    Re: Data Leak Prevention

    You all have given me a lot to consider and think about. The problem with trying to put the info on disk is size. We are talking about terabytes in size. I have contacted McAfee and Symantec and I am waiting on them to send me some information. I am also looking at different encryption methods that will work for both our remote users and our office based people. Thank you one and all for the info you have provided. I look forward to learning more from this group.



  • shrdlu
    replied
    Re: Data Leak Prevention

    Originally posted by xor View Post
    Here's the thread I was looking for.

    http://www.watchyourend.com/2007/01/...curity-breach/

    Los Alamos at work protecting our Nuclear secrets.

    Actually when I first heard of the practice I thought it was kind of an IT urban myth.
    Fascinating. Having spent time using epoxy to close various ports on PCs, I'm rather amazed that someone chose to use super glue. It seems that the fumes would have the potential to be damaging to operating parts, for one thing. Yes, epoxy is common practice.

    > As long as you don't want the USB ports to ever be used again, just fill
    > the USB ports with epoxy. 100% guaranteed to stop USB attack vectors and
    > prevents siphoning of corporate data to USB drives. It also works well
    > to prevent use of the USB headers that are internally available in
    > desktop PC motherboards - Wrap the header in a circle of paper to hold
    > the epoxy in place and then pour the epoxy into the ring.

    http://marc.info/?l=patchmanagement&...6670507780&w=2
    Seriously, for computers that supported it, all drives (except the disks, obviously) were disabled via software, and enabled only if needed, and only by specific personnel that had the responsibility to do so. USB keys were not allowed in any case (yes, I know they're small, and I know someone could indeed defy the rules). Not every classified installation is Los Alamos; most people want to do the right thing.



  • streaker69
    replied
    Re: Data Leak Prevention

    Originally posted by DJ Jackalope View Post
    Was that the one we died laughing at at HOPE? I think I'd rather attach a rabid creature to my laptop than have one of those.
    Maybe something like this?

    http://www.thinkgeek.com/geektoys/japanfan/9c89/

    Someone needs to make one of those that looks like Quagmire and says Giggity.
    Last edited by streaker69; October 19, 2008, 14:22.



  • DJ Jackalope
    replied
    Re: Data Leak Prevention

    Originally posted by Deviant Ollam View Post
    maybe it was an older model, but someone brought one of these to us at a TOOOL booth at a con. as i say, i can't comment on their entire product line, but the one we saw was an absolute joke.
    Was that the one we died laughing at at HOPE? I think I'd rather attach a rabid creature to my laptop than have one of those.



  • Voltage Spike
    replied
    Re: Data Leak Prevention

    Originally posted by xor View Post
    You could also take out Floppies & CD/DVD Burners. Honestly they shouldn't be on a system with "sensitive data" anyway.
    I originally misread this, but I misread it in a way that makes sense. If you have sensitive data, and you need to control access, is it feasible to not make that data available on the network? Make the data available on DVD/hard drive/USB/whatever and make employees record access to the items. If you can't trust the employees (and if you can't, you've got bigger problems out there), then make sure that employees can't access the data in a private environment. Simple and probably more effective than anything else you'll come up with.

    Originally posted by xor View Post
    I've also heard of sysadmins filling the USB ports with hot glue. Though admittedly a little extreme.
    Originally posted by Thorn
    Wouldn't a GPO turning off USB data devices be enough?
    That's assuming that your operating system supports such a feature. For a very long time Microsoft did not allow for such a configuration, and, now that they do, it will take a while for the old processes to work their way out of the system.



  • DaKahuna
    replied
    Re: Data Leak Prevention

    What you are looking for is something along the lines of Digital Rights Management. According to the folks at Microsoft, whose solution we are looking at due to Microsoft Products being extremely predominant in our company, DRM manages who can access the data and what they can do with that data.

    Also there are DLP solutions that will log what data and when it is written to any removable media. Some of these we have looked at are tied to encryption products so you may want to look at what you are using for laptop or data encryption and see if it has the capability to log any accesses to removable media.

    This is not really rocket science and a few calls to some of the "big guns" like McAfee, Microsoft, Symantec, IBM, etc. should produce a number of solutions to choose from.

    As for super gluing USB ports, that used to be a common practice by a number of LUGA's (large un-named government agencies).



  • streaker69
    replied
    Re: Data Leak Prevention

    Originally posted by Deviant Ollam View Post
    maybe it was an older model, but someone brought one of these to us at a TOOOL booth at a con. as i say, i can't comment on their entire product line, but the one we saw was an absolute joke. the locking mechanism was easily manipulated open, and besides that there's the fact that a USB port isn't constructed like a Kensington-style laptop lock.

    Unlike a laptop lock (which, as i understand it, will actually break apart some of the system circuitry if forced open, provided the lock has been properly integrated into the device) a USB port has no specific "footholds" let us say that can be used to effectively retain the "lockout device"... we just ripped one clean out of the machine (without superhuman effort) and the port was totally fine and still functional. It might be hard to stick back in there (and thus be evidence that someone was using the port somehow) but it surely won't protect you much, from what we've seen thus far.
    When I was originally looking at them, I was wondering if you had seen one before or not. After looking at them as best as possible on their website, I kind of came to the same conclusion. It's a lot of money for something that's easily circumvented. I figured I'd just use some GPO's and tamper evident tape.



  • Deviant Ollam
    replied
    Re: Data Leak Prevention

    Originally posted by streaker69 View Post
    There's a company that actually makes a physical lock for USB ports. Just plug it in and turn the key.
    maybe it was an older model, but someone brought one of these to us at a TOOOL booth at a con. as i say, i can't comment on their entire product line, but the one we saw was an absolute joke. the locking mechanism was easily manipulated open, and besides that there's the fact that a USB port isn't constructed like a Kensington-style laptop lock.

    Unlike a laptop lock (which, as i understand it, will actually break apart some of the system circuitry if forced open, provided the lock has been properly integrated into the device) a USB port has no specific "footholds" let us say that can be used to effectively retain the "lockout device"... we just ripped one clean out of the machine (without superhuman effort) and the port was totally fine and still functional. It might be hard to stick back in there (and thus be evidence that someone was using the port somehow) but it surely won't protect you much, from what we've seen thus far.



  • xor
    replied
    Re: Data Leak Prevention

    Found this, there is a free trial. I think this is what Thorn was talking about.

    http://www.devicewall.com/

    xor



  • streaker69
    replied
    Re: Data Leak Prevention

    Originally posted by xor View Post
    You could also take out Floppies & CD/DVD Burners. Honestly they shouldn't be on a system with "sensitive data" anyway. Anything you need to do as an admin should be able to be done over the network. If someone needs a copy they should go to a supervised workstation where records are made of each transaction. I've also heard of sysadmins filling the USB ports with hot glue. Though admittedly a little extreme.

    xor
    There's a company that actually makes a physical lock for USB ports. Just plug it in and turn the key. I looked at them for a bit, but for what I wanted them for, they were a bit pricey.

    http://www.pcguardian.com/products/data.html
    Last edited by streaker69; October 17, 2008, 18:36.



  • xor
    replied
    Re: Data Leak Prevention

    Here's the thread I was looking for.

    http://www.watchyourend.com/2007/01/...curity-breach/

    Los Alamos at work protecting our Nuclear secrets.

    Actually when I first heard of the practice I thought it was kind of an IT urban myth.

    xor
    Last edited by xor; October 17, 2008, 17:15.



  • xor
    replied
    Re: Data Leak Prevention

    Originally posted by Thorn View Post
    Wouldn't a GPO turning off USB data devices be enough?
    http://www.theinquirer.net/en/inquir...e-up-usb-ports

    I didn't say I would do it (hides bottle of super glue); I just stated I heard about it.

    xor
    Last edited by xor; October 17, 2008, 17:21.



  • Thorn
    replied
    Re: Data Leak Prevention

    Originally posted by xor View Post
    I've also heard of sysadmins filling the USB ports with hot glue. Though admittedly a little extreme.

    xor
    Wouldn't a GPO turning off USB data devices be enough?



  • xor
    replied
    Re: Data Leak Prevention

    You could also take out Floppies & CD/DVD Burners. Honestly they shouldn't be on a system with "sensitive data" anyway. Anything you need to do as an admin should be able to be done over the network. If someone needs a copy they should go to a supervised workstation where records are made of each transaction. I've also heard of sysadmins filling the USB ports with hot glue. Though admittedly a little extreme.

    xor



  • Thorn
    replied
    Re: Data Leak Prevention

    Originally posted by ShadowCat66 View Post
    I have been looking at a few DLP programs and the one thing that I am concerned about is that they make a copy of the data as an inventory to compare against the data that it is meant to protect. With that in mind, DLP programs sit on the perimeter of the network watching. Theoretically, if I were looking to get my hands on the crown jewels, malicious intent would dictate that I go straight to the queen herself, so you can see how this could be a potential security problem.
    This isn't my area of expertise by a long shot, but according to what little I have looked at on DLP, many of these systems work by using a hash or signature of the data, rather than a straight copy. If someone grabs that, all they have is a hash.

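The hash-instead-of-copy approach described in the post above, sketched as an added example (it is not from the thread or from any vendor's product). The five-word shingle size, the keyed HMAC-SHA256 digest, the key and the sample texts are all assumptions made for illustration.

```python
import hashlib
import hmac
import re

SHINGLE_WORDS = 5  # assumed window size; real products tune this


def _shingles(text: str, k: int = SHINGLE_WORDS):
    """Yield overlapping k-word windows of normalised text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    for i in range(len(words) - k + 1):
        yield " ".join(words[i:i + k])


def fingerprint(text: str, key: bytes) -> set[bytes]:
    """Return keyed digests of every shingle; no plaintext is retained."""
    return {
        hmac.new(key, s.encode(), hashlib.sha256).digest()[:16]
        for s in _shingles(text)
    }


def scan(outbound: str, index: set[bytes], key: bytes) -> float:
    """Fraction of the outbound text's shingles that appear in the index."""
    prints = fingerprint(outbound, key)
    if not prints:
        return 0.0  # shorter than one shingle: nothing to compare
    return len(prints & index) / len(prints)


# Constructed sample data, not taken from the thread.
KEY = b"constructed-demo-key"
PROTECTED = (
    "Project Heron pricing: unit cost is 41 dollars at volume, "
    "list price 97 dollars, floor price for strategic accounts 63 dollars."
)
INDEX = fingerprint(PROTECTED, KEY)  # this set is all the sensor stores

LEAK = "fyi - Unit cost is 41 dollars at volume, list price 97 dollars. Don't share!"
BENIGN = "Lunch on Friday? The new place near the office has a decent menu."

if __name__ == "__main__":
    print(f"index entries: {len(INDEX)} digests of 16 bytes each")
    print(f"leak score:   {scan(LEAK, INDEX, KEY):.2f}")
    print(f"benign score: {scan(BENIGN, INDEX, KEY):.2f}")
```

The index holds only truncated digests, so taking it does not hand over the document; short or guessable phrases can still be confirmed by hashing candidates, which is why the digest in this sketch is keyed.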
