Question

Pro & Con discussion about: Data Loss Prevention: Protecting Company's data

Asked by: Tolomir

This is the follow-up of an open discussion; a moderator suggested we should include some more experts, so I'm opening a new question here.

Splitting points about best suggestions and comments.

Original question is here:
http://www.experts-exchange.com/Security/Operating_Systems_Security/Q_23258008.html

Asked On: 2009-09-08 at 01:09:17 (ID 24714117)

Topics: Microsoft Windows Operating Systems, Encryption for Network Security, Internet Security, Miscellaneous Security, Windows Network Security

Participating Experts: 1
Points: 500
Comments: 19

Answers

 

by: Tolomir, posted on 2009-09-08 at 01:10:44, ID: 25279597

Author: iunknown21

Our company has a couple of products that can help with this.  

We wrote a little article that helps explain the problems and solutions in the data loss prevention space.  It's pretty informative with only a little 'ByStorm' copy toward the bottom.  

You can find it here: http://www.bystorm.com/Documentation/Preventing%20data%20loss.pdf

We also have a new product that allows people to 'work in' a file but not print it out or save it.  It works with the most common types of files and we built it especially for sales people.  

 

by: Tolomir, posted on 2009-09-08 at 01:11:07, ID: 25279602

iunknown21 posted on 09.06.2009 at 05:08PM CEST, ID: 25270201

By blocking read access to Windows Explorer, cutting/pasting/dragging/dropping of files would also be blocked.

As for cutting and pasting of data and not files, we don't deal with clipboard operations at all but instead took the approach that ultimately whatever program accepted the paste would have to save the data, which we could block. The same thing is true for screenshot tools, like SnagIt. In my opinion, while FileSure can do this, it seems cumbersome.

FileSure's magic revolves around a rules model that allows easy classification of files (and the data in them) for processing. Data that isn't in a file, i.e. clipboard, print jobs, we can't classify. We didn't want to block entire classes of functionality like block all clipboard operations or stop all printing because they have legitimate functions in day to day operations.

Thankfully, typical evildoers don't steal data slowly, but instead try to get the evil deed over as quickly as possible... so they do a bulk copy of the files.

We did create a new product called StopCopy-Vault that is targeted at protecting certain files from theft. When a file is placed in the Vault it gets encrypted and a built-in viewer doesn't allow printing or saving and clipboard operations are controlled. This product was designed for companies that needed to let their employees use data but were worried about it leaking out. StopCopy-Vault works well for sales people who need to show videos or PowerPoints in the field.

The problem with StopCopy-Vault is that, like all DRM-styled systems, it has to have its own viewer which means it only supports certain types of data. We get the biggies, PDF, Office, Flash, images, etc...

 

by: Tolomir, posted on 2009-09-08 at 01:11:18, ID: 25279603

richrumble 09.07.2009 at 02:12AM CEST, ID: 25272113

Nevertheless OCR is the "analog hole" for these types of blocking... you can't block a screen shot from a RemoteDesktop user, VNC, GoToMyPC etc... I doubt you could block a screen shot from much without looking for the applications via some kind of blacklist. Find and replace can be effective at getting around DLP solutions, replace all a's with 1's, all e's with 2's, all i's with 3's all o's with 4's and u's with 5's, then copy paste the text. rot-13 is also very effective at getting around clipboard monitoring.
While it is true that most won't go through the trouble to rot-13 files, they will follow the path of least resistance which if it were me I'd use a boot disk, or hd->usb cable so I could grab the content "off-line". Again physical presence negates most security efforts and other factors like encryption should be used to mitigate those risks. The bottom line remains, if it can be read, it can be copied it's the nature of the digital beast.
-rich

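The find-and-replace and rot-13 tricks in rich's post, as an added example that is not part of the thread or of any product discussed in it: a signature scanner with two constructed signatures (a keyword and an SSN-shaped number) is run over the raw text and then over a set of cheap reverse transforms. The sample sentence, the signature names and the transform list are assumptions made for this demonstration.

```python
"""Added example (not from the thread or any product in it): why a signature
scanning DLP check is defeated by trivial text transforms such as the
a->1/e->2/i->3/o->4/u->5 substitution and rot-13, and what a scanner that
canonicalises before matching buys and does not buy. The sample text and the
signatures are constructed for this demonstration."""
import base64
import codecs
import re
import zlib

# Two signatures of the kind a content scanner carries: a keyword and a
# US-SSN-shaped number.
SIGNATURES = {
    "keyword:confidential": re.compile(r"\bconfidential\b", re.IGNORECASE),
    "pattern:ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# The vowel substitution described in the thread, and its inverse.
LEET_FORWARD = str.maketrans("aeiou", "12345")
LEET_INVERSE = str.maketrans("12345", "aeiou")


def naive_scan(text):
    """Signature names that match the text exactly as presented."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def candidate_decodings(text):
    """Yield (label, view) for the text plus every cheap reversible transform
    the scanner knows about. This is a blacklist of transforms: a transform
    not listed here (a password-protected zip, a home-grown cipher) is never
    undone, so its content is never seen."""
    yield "identity", text
    yield "rot13", codecs.decode(text, "rot_13")
    yield "leet-inverse", text.translate(LEET_INVERSE)
    # "123 45 6789" or "123.45.6789" -> "123-45-6789"
    yield "separators", re.sub(r"(?<=\d)[ .](?=\d)", "-", text)


def canonical_scan(text):
    """Map each signature that fires to the list of views in which it fired."""
    hits = {}
    for label, view in candidate_decodings(text):
        for name in naive_scan(view):
            hits.setdefault(name, []).append(label)
    return hits


# Constructed sample: one sensitive line and four ways to carry it past a
# scanner that only looks at the raw text.
ORIGINAL = "CONFIDENTIAL: employee SSN 123-45-6789, do not distribute."
EVASIONS = {
    "rot13": codecs.encode(ORIGINAL, "rot_13"),
    "leet": ORIGINAL.lower().translate(LEET_FORWARD),
    "respaced": ORIGINAL.replace("-", " "),
    # Stands in for "zip it with a password": a transform the scanner has no
    # decoder for (here zlib + base64, which is merely opaque, not protected).
    "opaque": base64.b64encode(zlib.compress(ORIGINAL.encode())).decode(),
}


if __name__ == "__main__":
    for label, text in EVASIONS.items():
        print(f"{label:9s} naive={naive_scan(text)} canonical={canonical_scan(text)}")
```

The canonicalising scanner recovers the keyword under rot-13 and the vowel substitution, and the SSN once its separators are normalised, but the opaque sample hits nothing in any view. That is the point iunknown21 makes next: every decoder you add is one more entry in a blacklist, and a password-protected archive or any transform you did not anticipate walks straight past it.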
 

by: Tolomir, posted on 2009-09-08 at 01:11:46, ID: 25279606

iunknown21 09.07.2009 at 03:51AM CEST, ID: 25272354

I've never been a fan of signature checking since there are so many ways to get around it. Rot-13 is just one method, an easier way is just zipping it with a password.

How our customers do it, is to block Read Access to all programs that aren't 'authorized' so they can't zip it with a password or use an encryption program or anything else. Then address the security holes in the 'authorized' program by doing things like 'Block file writes by the authorized program'. (As an aside, one customer denied read access to Mapi32.dll so Excel couldn't do a 'Send to' <grin>)

You're exactly right...if it can be read...it can be stolen. The example I use during demos is someone reading a confidential document over the phone to his answering machine.

You're never going to be able to stop someone sufficiently skilled and motivated, but that's a small percentage of people. I mean, how many non-IT people even have a boot disk, let alone how to use something other than graphical UI.

What we're considering right now is adding encryption to FileSure. If we do this, we'll be able to stop 'off-line' access and restrict 'on-line' access. But real-time file system encryption is a scary thing!

 

by: Tolomir, posted on 2009-09-08 at 01:12:47, ID: 25279613

richrumble 09.07.2009 at 01:59PM CEST, ID: 25274403

I'm sure the other hurdle is identifying all the documents that need protection, if your clients are like mine, they have no idea where things are, who can access them and ... it's a nightmare. Granted also, I'd be a motivated attacker ;) What about simple "hacks" like going to a cmd prompt...
type c:\some_folder\protected.doc >c:\hax_r_us\gotcha.doc
to the same effect echo and ADS streams...
type c:\some_folder\protected.doc >c:\hax_r_us\pool.jpg:gotcha.txt

Also try using more or less commands from the cmd prompt...
more c:\some_folder\protected.doc ... or less c:\some_folder\protected.doc
I've got a few other tricks to get past DLP but I'm motivated, I just like to see HOW motivated I'd have to be...
-rich

 

by: Tolomir, posted on 2009-09-08 at 01:19:12, ID: 25279651


Putting Data in ADS is sooo old ;-)

http://utilitymill.com/utility/Steganography_Decode

 

by: iunknown21, posted on 2009-09-08 at 06:50:28, ID: 25281814

Denying read access to cmd.exe would block type and echo.

I think the approach we took of denying read access to everything except the authorized program is the right one since whatever program it is that builds the ADS has to read the file.  If I deny read access to *.txt to everything but Notepad.exe, only notepad.exe could create an ADS.

Since it takes a program to do Steganography, it would also be blocked.  Still Steganography is just plain cool. :)

 

by: iunknown21, posted on 2009-09-12 at 19:25:47, ID: 25318736

How about this for an issue?

We had a potential customer testing out our product call in, and he discovered a way to steal data that we missed!

Everything was going swimmingly, but then he decided to use Volume Shadow Service ('Previous Versions' in Vista) to copy the data.

What made it a fun issue was that VSS basically uses a sparse file of changed blocks so all we could really do was block access to the entire file, which would basically turn off the entire feature.  Not good.

Thankfully, we figured out that VSS was mounting a dynamic drive and that FileSure was working correctly but since the path was 'coming from a file', there wasn't really a drive letter and the rule that they were using had a folder path on it, including a drive letter.

We were able to fix the problem by just adding a new 'Drive type filter' called 'Driveless'.

Still, it's something I've never thought of.

But I guess stealing an old version of a file is more desirable than NOT stealing the file at all.

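The 'Previous Versions' gap described in the post above, reduced to path matching as an added example; this is my own sketch, not FileSure's code or its 'Driveless' filter. It assumes a customer rule written with a drive letter and the same document reached through the live volume, a shadow-copy device path and a volume-GUID path; the rule text, paths and GUID are constructed.

```python
"""Added example (not FileSure's code): the 'Previous Versions' gap described
above, reproduced as path matching. A rule anchored on a drive letter never
matches the same file when it is opened through a shadow-copy device path; a
rule compared on the volume-relative path does. The prefix list and the
'Driveless'-style handling here are my own sketch."""
import fnmatch
import re

# Prefixes under which Windows presents a volume. A filter driver sees the
# \Device\... forms; Win32 callers reach the same objects via \\?\GLOBALROOT.
VOLUME_PREFIXES = [
    r"^[A-Za-z]:\\",                                                     # C:\
    r"^\\\\\?\\[A-Za-z]:\\",                                             # \\?\C:\
    r"^\\\\\?\\Volume\{[0-9A-Fa-f-]+\}\\",                               # \\?\Volume{GUID}\
    r"^(?:\\\\\?\\GLOBALROOT)?\\Device\\HarddiskVolume\d+\\",            # \Device\HarddiskVolume2\
    r"^(?:\\\\\?\\GLOBALROOT)?\\Device\\HarddiskVolumeShadowCopy\d+\\",  # VSS snapshot
]
VOLUME_RE = re.compile("|".join(VOLUME_PREFIXES))


def volume_relative(path):
    """Drop whichever volume prefix is present and fold case. Assumption:
    every prefix refers to the same volume; a real filter would key the rule
    on volume identity rather than blindly stripping the prefix."""
    return VOLUME_RE.sub("", path, count=1).lower()


def drive_anchored_match(rule, path):
    """The rule as the customer wrote it, drive letter included."""
    return fnmatch.fnmatchcase(path.lower(), rule.lower())


def volume_relative_match(rule, path):
    """Same rule, compared after stripping the volume prefix from both sides
    (fnmatch's '*' also crosses path separators, so the rule covers subfolders)."""
    return fnmatch.fnmatchcase(volume_relative(path), volume_relative(rule))


# Constructed inputs: one customer rule and the same document reached four ways.
RULE = r"C:\Secret\*.docx"
PATHS = {
    "live":        r"C:\Secret\Q3\report.docx",
    "shadow":      r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Secret\Q3\report.docx",
    "volume-guid": r"\\?\Volume{3b2a8c7e-51d4-4d0c-9f5e-0123456789ab}\Secret\Q3\report.docx",
    "elsewhere":   r"C:\Public\report.docx",
}


def coverage(rule, paths, matcher):
    """Which of the paths the given matcher would bring under the rule."""
    return sorted(name for name, p in paths.items() if matcher(rule, p))


if __name__ == "__main__":
    print("drive-anchored :", coverage(RULE, PATHS, drive_anchored_match))
    print("volume-relative:", coverage(RULE, PATHS, volume_relative_match))
```

The drive-anchored matcher covers only the live path; the volume-relative one also catches the shadow-copy and volume-GUID forms. The check a practitioner should add to any file-rule DLP evaluation is exactly this: open the protected document through every alias of the volume (Previous Versions, `\\?\GLOBALROOT\Device\...`, a volume GUID path, a mapped or substituted drive) and confirm the rule still fires.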
 

by: Tolomir, posted on 2009-09-13 at 01:23:03, ID: 25319437

Interesting. Windows 7 comes with so many features but all blogs etc. are reporting is "shake the window frame" to minimize all other frames. BitLocker To Go is shortly mentioned. DirectAccess ignored (VPN tool). I guess most users still don't know shadow copy. Today you need some 600-page Windows inside book to get an impression of the opportunities. Hackers know these of course.

Regarding file access: do you apply the access policy also to automatic backup and recovery versions of, e.g., an Excel file?

 

by: iunknown21, posted on 2009-09-13 at 07:24:08, ID: 25320283

Automatic backup and restore is also based on Shadow copy so we would probably catch it and block the restore. But if they backed the data up to a removable drive, they could restore it on another computer.

The only way I can think of to handle this is to add encryption to our product.   Something akin to decrypt this file if it's being opened by excel and use the key.   That would mean that the file would always be encrypted.

 

by: Tolomir, posted on 2009-09-13 at 08:05:58, ID: 25320461

No, I'm not talking about saving the files to different media, but did you consider securing the backup files from Excel, like http://www.fileinfo.com/extension/xlk

 

 

by: iunknown21, posted on 2009-09-13 at 08:38:35, ID: 25320594

Oh!  We don't define what files or types or locations to protect.  FileSure uses a wildcard-based rules model so the user can define whatever they want.

So a file rule of '*.xl*' would catch the Excel types anywhere on the machine/network/VSS.

 

by: iunknown21, posted on 2009-09-19 at 19:44:41, ID: 25375709

I would like to ask you 'Experts' your opinion on Clipboard and Printing based DLP.

Currently our product does not block theft via content cut/paste and printing, so protected data could be cut and pasted into an e-mail or just printed out.

We chose to not-limit the users ability to do their job and instead record that the data has been accessed but not blocked.  

So while we stop theft of the file Presentation.ppt by not letting any program but PowerPoint read it, they could select all the slides in PowerPoint and paste them in an e-mail and send it off.  Same thing for printing.  We would record the access to the file and what program accessed it, but we don't know what that program did with the data unless it involved another file operation.

I'm facing a checkbox problem.  I have to fight against the signature scanning DLP solutions who claim to have both print and clipboard protection and while we do pretty well against them because of the encryption hole, in larger companies, it seems that a checklist is a big deal.

I decided to attack the clipboard problem first and have a couple of problems:
1.      FileSure runs as a service running as local system and doesn't have access to the user's desktop.
2.      If I build a program that runs in the user's environment, what would be the best approach to balance blocking theft and productivity?

Right now, I'm thinking that the best approach is #2 and monitoring the clipboard and the currently focused application.  So if something is put in the clipboard by a protected application, then that application loses focus, I would zap the clipboard.

Any thoughts/advice?

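The clipboard-zapping approach proposed in the post above, written out as an added example; this is my own sketch, not FileSure's code or ByStorm's design. The decision logic is kept separate from the Win32 plumbing so it can be exercised without a desktop session. The user32 entry points used are real, but the agent structure, the polling interval and the list of "protected" process IDs are assumptions.

```python
"""Added example (my own sketch, not FileSure's code): the clipboard policy
proposed above, clear the clipboard once a protected application that filled
it loses focus, split into a testable decision and a thin Win32 layer. The
user32 entry points are real; the agent design, names and polling interval
are assumptions. It would run inside the user's session, not as a LocalSystem
service, which is exactly the constraint raised in point 1."""
import sys
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class ClipboardState:
    sequence: int        # GetClipboardSequenceNumber(): bumps on every clipboard write
    owner_pid: int       # process whose window last set the clipboard (0 = none)
    foreground_pid: int  # process owning the focused window


class ClipboardGuard:
    """Decision logic only, so it can be exercised without a desktop session."""

    def __init__(self, protected_pids):
        self.protected_pids = set(protected_pids)
        self._tainted_seq = None  # sequence number of a fill by a protected app

    def observe(self, state):
        """Return True when the clipboard should be emptied now."""
        if state.owner_pid in self.protected_pids:
            self._tainted_seq = state.sequence       # protected app filled it
        if self._tainted_seq is None or state.sequence != self._tainted_seq:
            self._tainted_seq = None                 # never tainted, or overwritten since
            return False
        if state.foreground_pid in self.protected_pids:
            return False                             # still pasting within the protected app
        self._tainted_seq = None                     # focus left: zap once
        return True


def decisions(protected_pids, states):
    """Run one guard over a sequence of observed states; handy for testing."""
    guard = ClipboardGuard(protected_pids)
    return [guard.observe(s) for s in states]


if sys.platform == "win32":
    import ctypes
    from ctypes import wintypes

    user32 = ctypes.WinDLL("user32", use_last_error=True)
    user32.GetClipboardSequenceNumber.restype = wintypes.DWORD
    for fn in (user32.GetClipboardOwner, user32.GetForegroundWindow):
        fn.restype = wintypes.HWND
    user32.GetWindowThreadProcessId.argtypes = (wintypes.HWND, wintypes.LPDWORD)

    def _pid_of_window(hwnd):
        pid = wintypes.DWORD(0)
        if hwnd:
            user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
        return pid.value

    def read_state():
        return ClipboardState(
            sequence=user32.GetClipboardSequenceNumber(),
            owner_pid=_pid_of_window(user32.GetClipboardOwner()),
            foreground_pid=_pid_of_window(user32.GetForegroundWindow()),
        )

    def clear_clipboard():
        # Opening with a NULL hwnd makes EmptyClipboard set the owner to NULL,
        # so the next read_state() sees owner_pid == 0 rather than our own window.
        if user32.OpenClipboard(None):
            try:
                user32.EmptyClipboard()
            finally:
                user32.CloseClipboard()

    def run(protected_pids, interval=0.2):
        guard = ClipboardGuard(protected_pids)
        while True:
            if guard.observe(read_state()):
                clear_clipboard()
            time.sleep(interval)   # polling window: a paste faster than this slips through


if __name__ == "__main__" and sys.platform == "win32":
    run(protected_pids={int(p) for p in sys.argv[1:]})
```

Two caveats a practitioner would want before shipping anything like this: the polling loop leaves a window in which an alt-tab-and-paste completes before the clear, so a production agent would hook clipboard change notifications instead of sleeping; and the policy keys on the clipboard owner's process, so it covers copy-and-paste but says nothing about screenshots, remote desktop, OCR or an ODBC export, the holes the next reply points at.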
 

by: Tolomir, posted on 2009-09-19 at 23:28:25, ID: 25376093

Zapping the clipboard sounds good. This should keep the data in e.g. Excel. Preventing a screencopy should be also possible if you monitor that API? call. I wonder though if a user might be able to export the data to a database by odbc?  

 

by: Tolomir, posted on 2009-10-04 at 12:21:50, ID: 31625945

Let's close this discussion, thank you all.

Tolomir
