Product Group Tests

Extrusion prevention (2008)

by Justin Peltier November 01, 2008
products

GROUP SUMMARY:

A very solid product at a great price makes the Trend Micro LeakProof our Best Buy.

A unique offering with a great number of features from Nextlabs' Enterprise DLP gives it our Recommended rating.

Protection against data leakage, with extrusion software, involves understanding of hackers' practices and tactics and knowing the forms in which data has to be monitored. Justin Peltier reports.

Computer hackers and bank robbers have a lot in common. Both types begin by performing a reconnaissance of the potential target. With a bank robber, this usually means a trip to the bank to understand the physical layout.

When penetrating a computer, the hacker begins with data gathering techniques such as Google hacking and looking for other informational sites. Once this is complete, the hacker typically performs a remote port scan to see what the potential avenues of entrance to the computer system or network are.

Once the ports have been identified the next step is to look for vulnerabilities in the open applications discovered in the port scan. Now the hacker is finally ready for the heist and launches an exploit against a vulnerable system.

Clearly the best option is not to have the vulnerability exist in the first place, but catching every vulnerability in any organisation is a daunting task.

If the exploit is successful the hacker will have access to at least one machine on the network. Often these machines are located alongside other critical assets in the DMZ.

Why all of this comparison between bank robbing and cracking computer systems?

Protection against hackers
With extrusion prevention, also known as data leakage protection, the computer hacker is going to find out that the DLP software is going to stop his ability to copy, move, save or print sensitive files. The extrusion prevention package is also going to stop the hacker from having the ability to insert malicious code, such as a rootkit or a botnet on the exploited system.

Placing the rootkit is doubly frustrating to the computer hacker because most of the protection software uses anti-rootkit functionality to hide the security service from the end user. This means that the hacker cannot install a rootkit on the compromised machine because the security software is already using the components of the operating system that a rootkit would use to take control of the box.

Back to the bank robbery scenario, this would be the equivalent to the robber cracking open the safe to find it empty and another bank robber already in the vault.

Three-way data protection
Data is typically in one of three forms: at rest, in motion or in use. For a good extrusion prevention package to be effective it must protect data in all three forms.

In addition to the state of the data, it needs to be protected from the three most common sources of data leakage. The first is the internet, either through the corporate email system, web- based email solutions (such as Gmail and yahoo), an instant messaging program or other solutions like gotomypc.com.

The internet is the most likely place for a leak to occur, but it is not the only place. The second most common type of breach is through the connection of removable media to a device connected to the corporate LAN via a laptop or workstation.

Without extrusion prevention protection disgruntled employees can download gigabits of sensitive files onto a USB drive and walk right out of the front door with the data intact.

Some organisations use packages to disable USB ports on company laptops and desktops, however all this does is switch the medium that the malicious employees are going to use.

The employees can, perhaps, burn the sensitive data onto a CD or DVD. If you install software to block that, the employees will just email it to themselves. If all else is blocked, the malicious employees can use a network sniffer to read the content as it passes by on the LAN. Before you think this is impossible, we have been able to recreate executable files as large as 75 MB from a free network sniffer we downloaded from the internet.

Wireless networks are both possible egress points for sensitive information and the easiest place to perform the traffic sniffing. This leads to the final necessary component of data leakage protection: encryption. Unfortunately it is a double-edged sword, which can keep your sensitive documents safe, but it can also make it harder to identify when this information is leaving the network.

With mechanisms like https, steganography, PGP and encrypted messenger chats, finding the sensitive information can be a real chore.

SC Webcasts UK

Sign up to our newsletters

FOLLOW US