Unintrusive Traffic Content Monitoring?
fuzzybunny asks: "I've recently been given my turn in the bucket as head tech guy at a startup in Germany. We deal with backend monetary transactions for companies that need to send bills, and as such handle large quantities of personal and confidential financial information. I've been informed that in order to comply with financial due diligence laws here, as well as to guard against sabotage by angry employees (not that we have any), I have to figure out some way to sniff outbound network traffic for stuff that's not supposed to leave the company network." Internal security is something all network administrators will have to deal with at some point or another. Are there methods they can employ to ensure that data that's supposed to stay in the network isn't encouraged to take a nightly stroll somewhere it isn't supposed to, without excessively violating the privacy of the users?
"I realize that someone who wants to get confidential information out can easily circumvent any technical measures (copy to floppy, encrypt mail, print out, etc.) However, the idea here is to force someone to take that extra willful step.
Given that I categorically refuse to sniff general network traffic, block URLs, or generally look over people's shoulders, I am looking for a solution that lets me automatically watermark non-ascii files and just sniff for certain binary strings on outgoing traffic, while keeping any non-matching traffic completely anonymous. Any ideas on this?"
Set up a proxy server and force all outbound traffic over it. Tell the users it's to filter for Outlook viruses or some (.V)BS. Shut down all but a few ports, then run a packet sniffer to watch the ports you open. The proxy server has to be able to handle all the traffic, so if you have a LAN/WAN setup, you can use the proxy as a gateway between LAN servers and WAN/external traffic (so it won't slow down the outside users' access to your webpage).
We already do this (though the packet sniffer's for diagnostics only): LAN w/NT server+100 clients, proxy w/sniffer to get through to the WAN (Sun SPARCs for DBASE and web server), then another "standard" firewall out beyond the WAN to get to the internet. That way they have to get through two firewalls to get to our files from outside, and the inside users get their files scanned on the way out. Non-intrusive as we could make it, once the machines are set up for proxy the users don't know the difference. The packet sniffer's a 10-year-old SPARC classic, so we're not talking about major investment of $$$ here.
-jpowers
Probably the first comment would be to step back from your high-end security consultants and go think for a while. You will probably come up with the same thoughts, some better thoughts, and quite a bit less money. Too many security consultants are stuck in the mindset of drastic measures and models that they know do not work, such as the "Adam/Eve" security model. Most thieves are stupid. They email stuff.
1. Recognize you are stopping casual abuses or last minute abuses. You are trying to stop the fired sales person from taking the entire client list, not the clever system admin from hell. Set your thoughts accordingly.
2. Make written security guidelines for your company. For example, one large company that shall remain nameless, even though it's Sun, makes every new employee watch a fifteen minute hokey video showing a team talking about confidential problems in public, leaving notes on white boards, and even letting ex-employees use the system. Also, they make a couple of levels of confidentiality ("MyCo Confidential", etc.). This cuts down on the accidental mistakes.
3. Ignore incoming traffic. You can't do a good job on it anyway.
4. Have your DBAs remove the old "print all to file" type commands in your applications. The only remaining use in most corporations is to take a copy of the client list, account list, or whatever.
5. Log, copy, encrypt all outgoing email that hits matching criteria. Criteria include greps "MyCo Confidential" and size (>2Mb) and time (weekends, midnight to 5 a.m.). Yes, it can be a pain, but you've got to keep those drive makers happy. Email isn't time or space critical but is the first tool of the thief.
6. Close off access to outgoing ftp. Normal mortals can use the browsers. Others should need permission.
7. Page the SysAdmin if any one user sends over 100MB of outbound traffic in a 24 hour period.
Yes, this will be a good due diligence level of protection, and may catch anyone who tries something. No, James Bond wouldn't break a sweat.
Cheers!
[shameless plug: Give money at www.truegift.com]
Profit motivates invention.
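The triage rules in the post above (grep for the "MyCo Confidential" label, the >2MB size check, the weekend and midnight-to-5 a.m. window, and paging the sysadmin when one user sends more than 100MB in 24 hours) can be expressed as a small rule engine. This is an added example, not the poster's code; the mail records, sender names and label string are constructed, and the size counted is assumed to be the whole message including attachments.

```python
"""Outbound-mail triage implementing the post's criteria (constructed example).

Nothing here talks to a real mail server: records are built inline below.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

CONFIDENTIAL_MARK = b"MyCo Confidential"   # label from the post's step 2
SIZE_LIMIT = 2 * 1024 * 1024               # step 5: flag mail larger than 2 MB
OFF_HOURS = range(0, 5)                    # step 5: midnight up to 5 a.m.
VOLUME_LIMIT = 100 * 1024 * 1024           # step 7: 100 MB per user per 24 h


@dataclass
class OutboundMail:
    sender: str
    sent_at: datetime
    size: int          # assumed: total size on the wire, bytes
    body: bytes        # assumed: body plus decoded attachments


def match_reasons(mail: OutboundMail) -> list:
    """Step 5 criteria, evaluated per message; returns the rules that fired."""
    reasons = []
    if CONFIDENTIAL_MARK in mail.body:
        reasons.append("confidential-marker")
    if mail.size > SIZE_LIMIT:
        reasons.append("size")
    if mail.sent_at.weekday() >= 5 or mail.sent_at.hour in OFF_HOURS:
        reasons.append("off-hours")
    return reasons


class VolumeTracker:
    """Step 7: sliding 24 h window of bytes sent per user."""

    def __init__(self, window=timedelta(hours=24), limit=VOLUME_LIMIT):
        self.window = window
        self.limit = limit
        self.history = defaultdict(list)   # sender -> [(sent_at, size)]

    def add(self, mail: OutboundMail) -> int:
        hist = self.history[mail.sender]
        hist.append((mail.sent_at, mail.size))
        cutoff = mail.sent_at - self.window
        hist[:] = [(t, s) for t, s in hist if t > cutoff]   # drop entries older than the window
        return sum(s for _, s in hist)

    def exceeds(self, mail: OutboundMail) -> bool:
        return self.add(mail) > self.limit


def triage(mails) -> list:
    """Process mail in time order; return (sender, time, reasons) for every flagged message."""
    tracker = VolumeTracker()
    flagged = []
    for m in sorted(mails, key=lambda x: x.sent_at):
        reasons = match_reasons(m)
        if tracker.exceeds(m):
            reasons.append("volume-24h")   # this is the "page the sysadmin" condition
        if reasons:
            flagged.append((m.sender, m.sent_at.isoformat(), reasons))
    return flagged


MB = 1024 * 1024
# Constructed sample: 2000-03-14 is a Tuesday, 2000-03-18 a Saturday.
SAMPLE_MAILS = [
    OutboundMail("alice", datetime(2000, 3, 14, 10, 0), 50 * 1024, b"quarterly figures"),
    OutboundMail("bob", datetime(2000, 3, 14, 2, 30), 10 * 1024, b"MyCo Confidential: client list"),
    OutboundMail("alice", datetime(2000, 3, 14, 14, 0), 3 * MB, b"slides"),
    OutboundMail("alice", datetime(2000, 3, 14, 16, 0), 60 * MB, b"build"),
    OutboundMail("alice", datetime(2000, 3, 14, 18, 0), 50 * MB, b"more build"),
    OutboundMail("alice", datetime(2000, 3, 18, 11, 0), 1024, b"weekend note"),
]


def run_sample() -> list:
    return triage(SAMPLE_MAILS)


if __name__ == "__main__":
    for sender, when, reasons in run_sample():
        print(f"{when} {sender}: {', '.join(reasons)}")
```

The volume rule is evaluated after the per-message rules so a single 60MB attachment shows up as "size" and only the cumulative breach shows up as "volume-24h"; the logged reasons are what the human reviewing the queue needs in order to decide whether anything was actually wrong.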
As the case of Dr. Wen Ho Lee showed, this is impossible - even for (supposedly) ultra high security installations like the U.S. nuclear research labs.
All you have to do is download to a tape or floppy and walk out with the info. If the person doing this is actually a criminal or spy (as opposed to Dr. Lee - who called tech support to help him figure out how to do this), it is pretty trivial for them to prevent this from being detected.
Yes, there are dozens of basic security procedures that can catch the idiots, but you will never catch anybody who knows anything about computers.
First of all, try to identify what kinds of data must never leave the network. Place this data in a "security zone" within your network that is not allowed to initiate transactions to systems outside of the zone.
.gif files moving back and forth if you want to.
Users requiring access to this data must authenticate in a manner that places their system in this zone. Things like Cisco's URT can do this. It will place the user's switchport in the security zone vlan. The user can then view data but not initiate connections outside of the network zone.
At some point you must trust people. The bottom line is that there is no way that you can be POSITIVE that a user did not authenticate into the secure net, take a screenshot of some data, save it to their local machine, encrypt it with PGP and send it out. You are never going to be able to detect this kind of theft of data by sniffing traffic because the user obtained it in a legitimate manner and the screen dump was done on their local machine and not over the net.
Using such things as httptunnel, one can use a web connection to tie your internal net to another outside net without you doing much about it. You will not be able to tell this traffic from normal web traffic. Heck, you can hack the prog to make the TCP/IP information look like it is in
The thing to do here is to stress that transmitting of private company information is subject to immediate dismissal and possibly a civil suit.
The best security is at the door. Hire people you can trust and put systems in place so that it is very difficult to send private data out. Make it difficult or impossible to send such data by accident. Problem is, if a user can display it to their screen, they can get it out of the network if it is possible for them to send outside email or browse the web from their workstation.
No lock will stop a thief, they only serve to keep honest people honest.
But remember, the issue is that IT must do proper diligence to ensuring that data does not leak, in order to meet with financial regulations.
You only need to go as far as necessary to meet regs.
As an IT person, I may look at people's surfing habits, but only out of idle curiosity.
Perhaps if I noticed they surfed what I thought was an awful lot, I might poke my nose into what they were surfing.. and then poke my nose into whether their boss is happy with their performance or not.
Why? I firmly believe that the bottom line is, the employee has been hired to do a job. If he is doing that job to the satisfaction of those responsible for his position in the first place, I don't *care* how much he surfs.
You hit it on the head when you said 'provide data supervisors needs to see'... if they need to see it. If they have issues with their employees not working out, they can come and ask.
You missed the point.
The point wasn't that you could reclaim your damages.. the point was that employees who are run through proper security audits, and forced to sign proper documents indicating the penalties for disclosing confidential information will tend to RESPECT THAT, as opposed to simply putting in a 'technical' solution.
The sales guys need access to the customer data. The logistics people have to be able to get at our order database via SAP. The accountants need access to the billing database. Tech guys have to be able to read network diagrams and many of us will have to be able to read internal proprietary strategy documents...
Cole's Law: Thinly sliced cabbage
Well, I disagree. I am paid to perform a function. Some days that takes me 16 hours, some days 3. If I want to surf or DL porn fsck anyone who doesn't like it as long as *I* take great care of our clients who need service, when they need it. All the company has a right to expect out of me is the performance of my job. If they want to motivate me then stay the hell out of my emails, web log etc; I can go to a competitor or into biz for myself and they know it. Companies talk about "intrapreneurship", hey part of that is getting the sysadmin/MIS or whoever the hell it is to go take a vacation, a VERY long vacation, as in don't come back until something crashes. I treat our customers like they are Gods, and I do it in a cost effective manner, ask anything else from me and I'll stick a hard drive up yer a**.
"Everyone is entitled to their own opinion, but not their own facts."
after we stuff you krauts full of McDonalds there won't be much difference, will there?
If I have to suffer by eating this shit then so do you.
Take this personality test.
it's nothing your average school kid couldn't circumvent.
Yes, and that is also basically mentioned in the article text. Anybody is going to be able to get past this system, but the thing is that then they're going to have to take that extra step knowingly, so they can't claim they mailed that sensitive data out unknowingly, because they would have had to take extra steps to make sure it wasn't caught immediately by the filter. Thus, the filter only has to block obvious way of data smuggling, to make the company stand much stronger in court if somebody does smuggle data out, because the employee can't possibly claim he did it by accident.
They must be trusted in order to do their jobs properly.
Yes, of course, but there's a rotten apple in every box. Of all the people I know who work at the company I work for, I wouldn't think they'd be thieves, yet still quite regularly stuff is stolen if it's not locked down. Very sad business...
Unfortunately, as a company, no matter how much you trust your employees, it's a given fact that at least one of them will at some point try to screw you. You can either wait around to be screwed, you can try to prevent being screwed (which is generally very invasive, inefficient and expensive) or, as this company is doing, you can try to increase your chances of finding out when somebody tries to screw you and increase your chances of taking successful legal steps against them.
In terms of monitoring outbound traffic for sensitive data, well, forget it. Heck, even compression will ruin pattern matches.
Ah, yes, but even compressing the sensitive data will be that extra willful step. Somebody could theoretically accidentally attach a sensitive file to an email message and send it out. It is however not necessary to compress or encrypt such sensitive data for internal use (I presume), so sending out encrypted or compressed sensitive data, so when you do detect a leak and find the person responsible, he can't claim in court that it was an accident. Yes, even in that case he'd still be responsible, but it could be considered negligence rather than a criminal act.
)O(
Never underestimate the power of stupidity
To err is human, to moo bovine
Ummmm, did you read the article text at all? There is no intention to prevent any and all kinds of sensitive data leaks, just the most obvious ones so leaks can't happen accidentally.
)O(
Never underestimate the power of stupidity
To err is human, to moo bovine
If the data is really sensitive, you might consider the old 'air gap' solution; have a private network that isn't connected to the outside in ANY WAY, and then an external network that employees use on a day-to-day basis. If you put that network on a hub, or on a switch that supports mirroring, you should be able to monitor all traffic on that private network (assuming you don't exceed, in aggregate, the bandwidth on your monitoring port if you're switch-based) and ensure that no foreign MAC addresses show up on the network, and that all the traffic stays local. You can't, of course, control what users do with things like floppy disks.
:)
Sure you can control what people do with floppy disks: have computers without floppy disk drives. Of course this applies to all other removable media. If you need removable media, then make sure that access is limited to authorized individuals only (via physical security methods).
But, you still can't control what people do with information they see. If I find out that Joe Sixpack has $500,000 in his account, there is NOTHING to stop me from taking that information from the internal, private network, and typing into the external network connected to the Internet.
The only way to be absolutely sure that NO data gets out is not have any external network connections at all. People will at least have to PHYSICALLY walk this stuff out the door.
It all goes back to the old adage: information wants to be free.
I think you have a nice point going here, but, you can only prosecute someone when you know that they have taken the information. Therefore, as I'm sure you know, you've got to catch them. It follows that, to catch them, you have to have some sort of mechanism, some sort of trigger, that will notice when they do try something on you. Of course, that's what the rest of the (non-troll) posts on /. are about in this discussion. They'll figure out the best way to do that (well, they're trying, anyway), so that you can employ their ideas behind your prosecution scheme).
And hopefully it will all "work out in the end."
Insert mind here.
This is something I have a serious problem with. As far as I'm concerned, whatever employees are doing on MY network is company's business... There is no such thing as personal information on my turf.
Call it overly restrictive, but in the business I'm in (security/alarms) you cannot afford to have "rogue" information travelling. It is ground for immediate dismissal. Employees get a free HOME internet access as part of the package, but on the job, we dont pay them to surf personally.
I've seen too many people taking the company's line for granted. It costs money. Money that could be use to get me a raise.
Marriage is considered capital punishment for the theft of a goat in some third world countries...
Ah I think I see -- you want to avoid the excuse of "It was a computer accident". A very credible defense.
I don't think there's a universal solution for watermarking -- all binaries have different formats. But there are solutions for each different file type. In an MS Word document, for instance, you could embed a hidden macro.
Then your proxy scans all outbound attachments and simply rejects & logs any that contain any one of a series of watermarks. Tags, really because watermarks are designed to be irremovable.
Everybody is warned that they need prior approval before transmitting data outbound, even to themselves at their home ISP. There is a small chance of false positives with this system, that's why you log and evaluate before taking action on proxy rejects.
This strikes me as kind of scary that this is an "Ask Slashdot." It sounds to me like the first thing you need to do is go hire a good security guy from a financial institution (bank, credit card, etc.). I worked with a guy that did security at Citibank and I'm amazed at all the things they did to minimize their exposure to threats like this. Check those references real good.
I think you're overlooking what he's saying here. The idea isn't really to prevent data theft as you would agree is pretty hard to do with someone looking over the employees' shoulders all the time. The idea is to make the employees have to go the extra mile, to "take that extra willful step" as fuzzybunny puts it. This makes a lot of sense from a legal standpoint.
Imagine that the "disgruntled employee" starts emailing credit cards to his home address (yes, this would be stupid, but it's just an example). Now if the company catches the employee doing this, he's going to get in trouble, but the employee can always say "oh gee, oops. I must have accidentally sent sensitive information. I'll try to be good next time."
On the other hand if the company routinely sniffs for credit card numbers (or whatever info) and announces this policy to its employees, then the employees know they're going to have to be craftier than email. So when Joe Employee encrypts the credit card numbers and sends them home, and gets caught, he's going to be in a lot more trouble than had he just emailed it and gotten caught.
Most transactions that are legitimate involve large numbers of small batches of outgoing data and larger amounts of incoming data (using realaudio, downloading useful software, reading slashdot). Transactions that are frowned upon (eg. sending out images (our job, as a company, is to make pictures)) involve lots of data going out. So the solution I came up with was to throttle data going out to 3K/s for the entire company (50-60 people). (Mail and incoming http is through a server or proxy so isn't counted in this.) Everyone seems happy now. This isn't something that will work for most people but for those in the situation that the items of value are rather large (many megs) it seems to work well. Of course someone can keep an ftp connection open for many hours but (1) everyone would rapidly notice if someone does this excessively and (2) outside work hours (8am-8pm approx.) all IP traffic from individuals to the outside world is throttled to 0K/s. There's no point being 100% secure - people can hook up an external drive to their PC or even photograph images on their screen using a digital camera.
--
-- SIGFPE
I think you should be less concerned with the actual process and just be careful that the results are appropriately interpreted.
Your fundamental goal -- allowing anonymous, untracked internet usage, while simultaneously being *absolutely sure* that unauthorized data isn't getting out -- is impossible.
The traditional method of access control in this sort of circumstance is a proxy-style firewall. However, I don't know of any proxy firewalls that can inspect for specific content. They can check for correctness of protocol data, but I don't know of any way to set off klaxons and call the police if the user manages to embed today's secret word in an HTTP:// request.
You definitely can't use packet-level firewalls for this purpose, even stateful inspection ones, because users can bury any data they want in traffic bound for, say, port 80. It doesn't have to be just HTTP. Packet-level firewalls just work on port pairings. Example: if I were ever in a network that refused me access to my home machine, I'd probably just tunnel through port 80, which is open 90% of the time. A proxy firewall would stop that: a packet firewall will not.
It might be possible to custom-code an outbound content filter into an open-source proxy like Squid. Squid isn't a firewall, so you'd probably have to dual-home your Squid box (to make it the only way out) and then have a firewall between it and the outside.
Even at that level, it would still be possible to sneak things out. Almost any system that allows two-way communication can have arbitrary data inserted into the data stream in a way that is very unobvious to even a savvy network admin. Just a few days ago I saw a method to tunnel IP networking over DNS requests. (seriously). I think it was probably posted here on /. if you're interested. Good luck catching THAT with a sniffer. :-)
What this all boils down to is this: if you allow any form of two-way communication into your network, then employees can get data out. Period. And there's no way you can know what it is without extensive and highly sophisticated pattern analysis.
If the data is really sensitive, you might consider the old 'air gap' solution; have a private network that isn't connected to the outside in ANY WAY, and then an external network that employees use on a day-to-day basis. If you put that network on a hub, or on a switch that supports port mirroring, you should be able to monitor all traffic on that private network (assuming you don't exceed, in aggregate, the bandwidth on your monitoring port if you're switch-based) and ensure that no foreign MAC addresses show up on the network, and that all the traffic stays local. You can't, of course, control what users do with things like floppy disks. However, having the separate high-security network will let you monitor intensely enough to be aware that a given employee is accessing data they don't normally need access to. At least, it can do that if you're willing to put the effort into writing/customizing the monitoring tools. Definitely a non-trivial effort.
If you can't build two networks, then you probably shouldn't even bother monitoring. It won't do you any good. Anyone out there with a real clue will waltz right past any protections you might set up.
I find it disappointing that you're more worried about "conforming to the law" than about actually securing this information.
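The monitoring the air-gap post describes (watch a mirror port on the private network for foreign MAC addresses and for traffic that does not stay local), plus the tunnel-over-DNS caveat from the same post, can be written as a simple audit over frame summaries. This is an added example, not the poster's tooling; the subnet, the MAC inventory, the label-length threshold and the frame records are constructed assumptions, and a real deployment would feed it from a capture library rather than from inline records.

```python
"""Mirror-port audit for a separated internal network (constructed example).

Takes per-frame summaries as they might be produced from a span/mirror port and flags:
  * a source MAC not in the hardware inventory (a foreign box plugged in),
  * traffic whose destination lies outside the internal subnet,
  * DNS queries shaped like a tunnel (a label far longer than hostnames need).
The records at the bottom are constructed, not captured traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NET = ipaddress.ip_network("10.10.0.0/24")   # assumed subnet of the private network
KNOWN_MACS = {                                          # assumed hardware inventory
    "00:03:ba:1a:2b:3c": "db-server",
    "00:03:ba:4d:5e:6f": "analyst-ws-1",
    "00:03:ba:77:88:99": "internal-dns",
}
MAX_DNS_LABEL = 30   # assumed threshold: ordinary hostnames rarely need labels this long


@dataclass
class Frame:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    dns_qname: Optional[str] = None   # query name if the frame is a DNS request


def check_frame(frame: Frame) -> list:
    """Return (alert-kind, detail) tuples for one frame; empty list if it looks normal."""
    alerts = []
    if frame.src_mac.lower() not in KNOWN_MACS:
        alerts.append(("unknown-mac", frame.src_mac))
    if ipaddress.ip_address(frame.dst_ip) not in INTERNAL_NET:
        alerts.append(("non-local-dst", frame.dst_ip))
    if frame.dns_qname:
        longest = max(len(label) for label in frame.dns_qname.split("."))
        if longest > MAX_DNS_LABEL:
            alerts.append(("dns-long-label", frame.dns_qname))
    return alerts


def audit(frames) -> list:
    """Run check_frame over a sequence of frames, preserving capture order."""
    found = []
    for f in frames:
        found.extend(check_frame(f))
    return found


SAMPLE_FRAMES = [
    Frame("00:03:ba:4d:5e:6f", "10.10.0.6", "10.10.0.5", "tcp"),      # analyst -> db server, fine
    Frame("00:0c:29:aa:bb:cc", "10.10.0.77", "10.10.0.5", "tcp"),     # MAC not in inventory
    Frame("00:03:ba:4d:5e:6f", "10.10.0.6", "192.0.2.10", "tcp"),     # destination outside the subnet
    Frame("00:03:ba:4d:5e:6f", "10.10.0.6", "10.10.0.9", "udp",
          dns_qname="intranet.example.internal"),                    # ordinary lookup
    Frame("00:03:ba:4d:5e:6f", "10.10.0.6", "10.10.0.9", "udp",
          dns_qname="mfrggzdfmztwq2lknnwg23tpobyxe43uor4hg4tq.example.internal"),  # tunnel-shaped
]


def run_sample() -> list:
    return audit(SAMPLE_FRAMES)


if __name__ == "__main__":
    for kind, detail in run_sample():
        print(f"{kind}: {detail}")
```

The point of the private-network design is that on a mirror port of that segment every one of these alerts is unambiguous: there is no legitimate reason for an unknown MAC, an external destination, or a tunnel-shaped lookup to appear there, which is exactly why the poster says monitoring only pays off once the two networks are separated.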
I think the best way to deal with this is a two step method. First set up a proxy that either prevents or limits the size of the files being transmitted. Then, set up your database with a uniquely patterned/formatted key (the characters won't matter, you'll see why). For instance if the key was always nnn%nn$$nn! (n=some character), then you could have your proxy search all e-mail and text files for a string that matches that formatted key. Because of the format of the key, it's unlikely you'll turn a false positive on regular e-mail and the such.
As far as preventing authorized systems (in this case, systems allowed to transmit binary files) from sending out confidential data, you could look into encrypted filesystems. I'm not experienced with these, but I wouldn't imagine it to be too hard to force everything binary from that filesystem to remain encrypted if transferred from that filesystem. However, like I said, I don't know too much about encrypted filesystems.
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GIT/CC/MU/S d-(---)@ s++:++ a23 C(++++) ULBSC++++$ P++>++++ L+++>++++
E---(-) W+++(--) N++>+++ o++(--) !K w--- !O M V- PE(-) Y++@ PGP++ t--- 5--
X++ R-- tv b++>+++ DI++@ D++ G e h-- r+(*) y++(-)>$
------END GEEK CODE BLOCK------
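Two posts above describe the same proxy-side check from different angles: one has the proxy reject and log any outbound attachment carrying one of a set of embedded tag strings, the other greps for a database key laid out like nnn%nn$$nn!. The scanner below does both, and because an earlier poster noted that compression alone defeats a pattern match, it also opens zip attachments and scans each member, reporting encrypted members as opaque for human review (which is the "extra willful step" fuzzybunny wants on record). This is an added example, not code from the posters; the tag bytes, the assumption that n is any alphanumeric character, the file names and the file contents are all constructed.

```python
"""Outbound-attachment scanner for watermark tags and a formatted key (constructed example)."""
import io
import re
import zipfile

WATERMARKS = {                          # constructed tags, embedded when files are exported
    "db-export": b"\x00MYCO-WM-7F3A\x00",
    "doc-comment": b"<!-- myco-wm-7f3a -->",
}
# nnn%nn$$nn! with n = any alphanumeric character (assumption about the key format)
KEY_PATTERN = re.compile(rb"[A-Za-z0-9]{3}%[A-Za-z0-9]{2}\$\$[A-Za-z0-9]{2}!")


def scan_bytes(name: str, data: bytes) -> list:
    """Look for every tag and every key-shaped string in one blob."""
    findings = []
    for tag, marker in WATERMARKS.items():
        if marker in data:
            findings.append((name, "watermark", tag))
    for m in KEY_PATTERN.finditer(data):
        findings.append((name, "key-pattern", m.group().decode("ascii")))
    return findings


def scan_attachment(name: str, data: bytes) -> list:
    """Scan a blob; zip archives are opened and each member scanned (recursively)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return scan_bytes(name, data)
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:          # general-purpose bit 0 = encrypted entry
                findings.append((member, "opaque", "encrypted-zip-entry"))
                continue
            findings.extend(scan_attachment(member, zf.read(info)))
    return findings


def decide(findings) -> str:
    """Proxy action: anything with a finding is held back and logged for evaluation."""
    return "reject-and-log" if findings else "pass"


def _zip_of(members: dict) -> bytes:
    """Build an in-memory zip from {filename: bytes} for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# Constructed sample attachments; CUSTOMERS stands in for a tagged binary export.
CUSTOMERS = b"\x01\x02" + b"ACME GMBH;DE12345;" * 4 + WATERMARKS["db-export"] + b"\x03"
SAMPLE_ATTACHMENTS = {
    "customers.dat": CUSTOMERS,
    "notes.txt": b"meeting moved to 3 pm",
    "export.zip": _zip_of({"customers.dat": CUSTOMERS, "readme.txt": b"plain"}),
    "keys.txt": b"ref abc%12$$34! see also xyz%99$$00!",
}


def run_sample() -> dict:
    """Map each sample attachment name to (proxy decision, findings)."""
    results = {}
    for name, data in SAMPLE_ATTACHMENTS.items():
        findings = scan_attachment(name, data)
        results[name] = (decide(findings), findings)
    return results


if __name__ == "__main__":
    for name, (action, findings) in run_sample().items():
        print(f"{name}: {action} {findings}")
```

Matching raw bytes means the tag survives any container the proxy can open, but not encryption or a format it cannot unpack; that is why the scanner records "opaque" instead of passing such members, so the log shows that someone chose a path the filter could not see into.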
First of all, this is a German company we're talking about. Germans aren't as sue-happy as Americans.
Second of all, German banks are required to take due precaution against leaking of sensitive data, so sensitive data can't be sent out accidentally, and so that people guilty of leaking data can't claim in court that it was an accident.
It's stunning how many people don't actually read or interpret the article text. They don't want to block all possible ways of leaking information, because that's impossible, they just want to block the most obvious ways of leaking information. They don't want a legal solution, they want a technical one.
In all the posts in this thread that were moderated up, there were only two or three that are actually relevant to the article text, all the others, including the parent of this message, are based on misinterpretations of the article text and thus useless.
)O(
Never underestimate the power of stupidity
To err is human, to moo bovine
Put a use of confidential information clause in their contract, and threaten to sue them to hell should they ever breach it.
Now, you may not like this. It's not pretty. But that's the way to do it. If you try to patch the system with a technical solution, they'll never respect it, because hackers figure if they can find a hole, it's their god-given right to exploit it. But trust me, every script kiddie gives up his tactics when he's slapped with a FBI (RCMP in Canada) search warrant and threats of legal action. Ditto with employees.
This way, you won't even have to bother with configuring your system. Just sue one guy as an example to others, that works well also. It may not be really cool; but trust me, it's effective.
Turn off the computer, pull out that old Pen and Paper. No need for firewalls then!
hmm... for fun I enjoy launching DDoS attacks against 127.87.42.5
Bottom line is if they're doing it on a company machine, during company time, and on company bandwidth they have no right to privacy. Anything that is in their home dir is property of the company and can be handled as such. Anyone who thinks otherwise is foolish IMO. Not to say you should go around peeking at their email, but the fact still remains that all the parts involved including the individual belong to the company that owns them.
"If you love someone, set them free. If they come home, set them on fire." - George Carlin
I posted this question and I appreciate the responses, but I think a lot of people didn't catch the gist of what I was asking.
It's a comparatively easy task to secure my network from external threats; that is a combination of good product choice, intelligent design, clued configuration, and conscientious administration and monitoring.
I also know that I don't have a hope in hell of technically leak-proofing my network from the inside-out. That problem indeed is not a technical one. That's why I'm not sniffing general network traffic; our usage policy is something like "don't be an asshole." If people are abusing resources, we indeed have other problems.
What I'm trying to do is to address a specific eventuality as required by some of the compliance laws here. Assume a guy is pissed off or leaving for a competitor. He wants to mail/ftp/netcat/ whatever out a customer database or internal documents. We have watermarked our files; he knows this, but doesn't know exactly how, so he will need to encrypt the data, print it out, put it on a tape, write it on his hand, whatever.
The point is to force him to consciously, wilfully take that extra malicious step. That way, under compliance laws, we can say that we exercised due diligence to the best extent possible without impacting our productivity by doing all kinds of crazy paranoid stuff like keystroke logging or chaining people to their desks.
So once again, the question is: is there some mechanism by which we can automatically embed some sort of watermark in any non-ascii file (database, ms word doc, etc.), send all outgoing traffic through a layer 5-7 proxy, and just sniff for that single watermark string?
All replies are appreciated.
Cole's Law: Thinly sliced cabbage
Ok, two points - First, I think you are misunderstanding what I mean when I say that employees must be trusted. What I mean is that in order to perform job X an employee must have access to sensitive data Y. In such a case a de facto trust relationship is established. Yes, of course, you want to limit the employee's ability to violate that trust as much as possible, but it still must exist for them to do their job.
Secondly, a company shouldn't need to create an "extra step" to protect itself (a specific filter, etc, as you suggest) in order to strengthen its case in court if it has taken the proper precautions in enumerating the sensitivity of the data, as well as having employees read and sign (in the presence of a witness, who also signs) confidentiality agreements, sensitive data handling procedures, etc. In the end, these documents will be far more valuable to a legal team than an error-prone, scattershot, scanning tool (which might even be used by the defence to draw focus from the actual data theft to privacy issues, etc.). If such a scanning system had any chance of helping against an actual theft, I would not be so down on them. However, anyone actually trying to steal anything for malicious purposes is likely to either a) disguise that data as something else or b) just carry it out of the building on media. Let's not forget that theft was going on long before the internet.
--
Behold the Power of Cheese!
This is pretty much up my alley. Are you aware of any non-format-specific methods of inserting binary strings in non-ascii files (Oracle DB files, visio datagrams, etc.)?
Cole's Law: Thinly sliced cabbage
Exactly what I'd write if you hadn't written it. Too bad I don't have any moderation points atm.
----
Remove the rocks from my head to send email
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
Where would YOUR network be without YOUR workers? Remember that just because you pay their wages doesn't mean you own them. If you don't trust your employees to use work facilities reasonably should you be employing them in the security industry?
You could always proposition the FBI to rent out a Carnivore, or whatever they're calling it this week, box to stick on the wire. This would allow you "selectively" monitor content.
Geez. You don't even know how to stick up for your nationality! No wonder all you can do is complain about others. How would selling German Tech to the Russians make me eat Jewish food?
And no-one is "forcing" anyone to do anything. The whole point of McDonalds is that you are stupid enough to eat it yourself.
Stop looking in the mirror and saying you don't like everyone.
Take this personality test.
Like Purdue's CERIAS center (Center for Education and Research in Information Assurance and Security)
http://www.cerias.purdue.edu
Well the company owns any traffic going through their network since while at work you are, well, on their time. I mean if you're at work using company computers, the company has the right to restrict the use of or monitor the use of their network and hardware.
That said, I have a sniffer running monitoring my network for intrusion attempts only, I don't daily sift through logs nor want to. I will search the logs for something specific, say a certain user's stuff or a certain file if needed.
As for blocking specific traffic in realtime that becomes more difficult; you'd need to modify your firewall to block packets containing some sort of data. I've never done this, but I'm sure it is possible, practically cost-wise I can't say. How much traffic are we talking here?
You say it's financial data being passed, honestly when it comes to that much money for that many ppl employees' privacy takes a back seat to covering your ass and protecting your clients' money, would you want to be responsible however indirectly for someone losing all their money or say a million dollar screw up?
this space for rent
If someone is really smart and wants to steal or transfer company records behind your back, he or she will find a way. It can be disguised, routed through unusual channels, encrypted, or even sent out in screen shot format as a bunch of JPGs.
If, on the other hand, they're an idiot, and sending the stuff out either recklessly or accidentally, you don't need technology to handle it. Either look over their shoulder once in a while, or get them drunk.
So, do what companies always do: the bare minimum required to meet legal standards, and grudgingly, at that.
"Beware he who would deny you access to information, for in his heart he deems himself your master."
If I were in your position, I would ensure that no outbound traffic travels on non-standard ports that have not first been registered with IT (to prevent DDoS clients from being installed/managed, BackOrifice from being installed, etc.). Also, I think that installing an automated scanner for e-mail, prohibiting attachments larger than a certain size, etc. would be prudent. Personally, I would not find it invasive if I was told, as an employee, what type of e-mail would raise a flag with the automatic scanner and ensured that my mail would not be read by another human being unless it was potentially dangerous.
Basically, the most important thing, from an employee's perspective, with network scanning is full disclosure. I would feel violated if my personal transmissions were searched without my knowledge, but I think most people would understand the need for tight security given the inherent insecurity of an Internet connection.
ByteMyCode.com: A Web 2.0 code sharing community.
Ultimately there is no good solution to this sort of problem. Various technologies have been developed (usually in concert with a government) which allow data to be labeled, etc. While there are some rudimentary barriers to moving around labeled data, it's nothing your average school kid couldn't circumvent.
The truth of the matter is this: you have chosen to trust your employees (at various levels). They must be trusted in order to do their jobs properly. If they choose to violate that trust, you will be unable to stop them.
Now, it is possible to make that sort of thing much more difficult, but the methods are not terribly reasonable, and usually incompatible with business practices.
In terms of monitoring outbound traffic for sensitive data, well, forget it. Heck, even compression will ruin pattern matches. Better to simply spend more time evaluating how trustworthy potential employees are before hiring them into sensitive, high-access positions. Get background checks and be a good judge of character.
Oh, and cross your fingers.
--
Behold the Power of Cheese!
ALL other solutions are either impractical or can be circumvented, perhaps by just pencil and paper :)
have you looked at snort? this package listens on a given interface and compares each packet with a kind of regexp. the language is *very* easy to pick up, so you should be able to write rules that notify you of anything that is blatantly private information, without a human ever seeing anything private.
OTOH, make it known (ie, via posters, memos, etc) that any employee that violates your "terms of service" will be met with dire consequences. invoke any legal power that you can, and don't be afraid to scare people.
if it were my decision, i'd use snort (or a similar tool) alone. telling people what you don't want them to do is a great way to get them to do it.
Of course, if you need more ideas, i suggest this site
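As an added illustration of the two preceding posts (not code from either poster, and not a Snort configuration the thread supplies), the block below shows what a Snort-style `content:` match on a watermark actually does, and why compression or an ASCII re-encoding of the file defeats it. The watermark bytes, the bill text, the HTTP payloads and the SID are all constructed for this example; the rule text uses Snort's documented `|hex|` content notation.

```python
import base64
import zlib

# Constructed watermark (assumption: the company stamps this byte string into
# the template that confidential binary files are built from). Non-ASCII bytes
# on purpose, so it cannot collide with ordinary text.
WATERMARK = b"\xde\xad\xc0\xffCONF-2000"


def snort_rule_for(marker: bytes, sid: int,
                   msg: str = "Watermarked file leaving network") -> str:
    """Render one Snort rule that alerts on `marker` in outbound TCP payloads.
    Snort's |..| notation carries binary content as hex so the rule stays ASCII."""
    hex_content = " ".join(f"{b:02X}" for b in marker)
    return (f'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"{msg}"; content:"|{hex_content}|"; sid:{sid}; rev:1;)')


def carries_marker(payload: bytes, marker: bytes = WATERMARK) -> bool:
    """Exactly what a content: match is: a plain substring test on the bytes."""
    return marker in payload


def scan_payloads(payloads, marker: bytes = WATERMARK):
    """Return the indices of payloads the rule would fire on."""
    return [i for i, p in enumerate(payloads) if carries_marker(p, marker)]


# Constructed confidential document: the watermark followed by repetitive bill
# lines, so that it compresses well.
DOCUMENT = WATERMARK + b"".join(
    b"Account %06d balance %5d.00 EUR\n" % (n, n * 7) for n in range(1, 41))

# Four things that might cross the wire. Only the first one is caught: the
# zipped copy and the base64 (uuencode-like) copy no longer contain the bytes.
PAYLOADS = [
    b"POST /upload HTTP/1.0\r\nContent-Length: %d\r\n\r\n" % len(DOCUMENT) + DOCUMENT,
    b"POST /upload HTTP/1.0\r\n\r\n" + zlib.compress(DOCUMENT, 9),
    b"POST /upload HTTP/1.0\r\n\r\n" + base64.b64encode(DOCUMENT),
    b"GET /index.html HTTP/1.0\r\nHost: slashdot.org\r\n\r\n",
]


def demo():
    """Bundle the results so they can be checked without printing."""
    return {
        "rule": snort_rule_for(WATERMARK, 1000001),
        "hits": scan_payloads(PAYLOADS),
        "compressed_smaller": len(zlib.compress(DOCUMENT, 9)) < len(DOCUMENT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The rule fires on the first payload only. That is the point of the posts above it: a byte-string signature catches the careless sender, and nobody who has run the file through zip, base64 or uuencode first.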
As mentioned previously, there is theoretically no way of ensuring that someone isn't passing something out, unless they try to send it in plain form. Perhaps what you should be worrying about instead is where the information is headed to. Again, this can be a daunting task, but with a simple histogram of all the sites that are sent data packets (all protocols, since, as has been shown, spoofing is easy), you then at least have the ability to question where large quantities of data might be headed. Certain 'trusted' sites might be ignored (e.g. slashdot.org), while other sites (e.g. 207.43.24.32) should be more closely examined. If you want to get fancy, you might even be able to employ some statistics to find the relationship between someone sending data to, and receiving data from, these sites.
All of this said, I believe that to a certain extent using these methods is not only more likely to catch possible offenders, but can also protect people's privacy. You are not explicitly examining the data people are sending out, but rather where large amounts of data are headed.
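The per-destination histogram the post describes, written out as an added example (this is not the poster's code). The flow records, host names, the 207.43.24.32 address taken from the post, the byte counts and the trusted list are all constructed; the upload heuristic (lots of bytes out, few back) is the "relationship between sending and receiving" the post alludes to.

```python
from collections import defaultdict

# Constructed flow summaries, the kind a sniffer on the proxy or a netflow
# export yields: (internal host, destination, protocol, bytes out, bytes in).
FLOWS = [
    ("pc-17", "slashdot.org", "tcp/80", 12_000, 950_000),
    ("pc-17", "slashdot.org", "tcp/80", 9_000, 400_000),
    ("pc-23", "mail.example-partner.de", "tcp/25", 40_000, 8_000),
    ("pc-23", "207.43.24.32", "tcp/443", 48_000_000, 60_000),
    ("pc-23", "207.43.24.32", "udp/53", 2_000, 2_500),
    ("pc-31", "cdn.example.net", "tcp/80", 30_000, 120_000_000),
    ("pc-42", "207.43.24.32", "tcp/21", 6_000_000, 20_000),
]

# Assumption: destinations the admin has decided not to care about.
TRUSTED = {"slashdot.org", "cdn.example.net"}


def histogram(flows):
    """Bytes out, bytes in and the set of internal senders per destination,
    summed across all protocols: the port is easy to fake, the destination
    address is not, so aggregate on the address."""
    hist = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "senders": set()})
    for src, dst, _proto, b_out, b_in in flows:
        entry = hist[dst]
        entry["bytes_out"] += b_out
        entry["bytes_in"] += b_in
        entry["senders"].add(src)
    return dict(hist)


def suspicious(flows, min_bytes_out=1_000_000, min_ratio=5.0, trusted=TRUSTED):
    """Destinations that received a lot and sent little back, i.e. that look
    like uploads rather than browsing, excluding the trusted list.
    Returns (destination, bytes_out, out/in ratio, senders), largest first."""
    flagged = []
    for dst, e in histogram(flows).items():
        if dst in trusted or e["bytes_out"] < min_bytes_out:
            continue
        ratio = e["bytes_out"] / max(e["bytes_in"], 1)
        if ratio >= min_ratio:
            flagged.append((dst, e["bytes_out"], ratio, sorted(e["senders"])))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for dst, b_out, ratio, senders in suspicious(FLOWS):
        print(f"{dst}: {b_out} bytes out, {ratio:.0f}x more out than in, from {senders}")
```

Nothing here looks at payload bytes, which is the privacy argument the post makes: the output is a short list of addresses worth a question, and the two workstations that talked to them.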
You can set up a VPN so that only your clients have access to certain parts of your network. I hear that Axent makes a good one. It comes with a firewall and free clients for the end user. Of course, I don't believe that any system is perfect, simply because people aren't perfect.
.. keep track of who knows what.
.. make small random changes to image files that don't change the appearance appreciably, MD5'ed and tagged with the recipient's MAC address as well.
If business critical data leaks out, and you know only a very short list of your top employees had access to it at the time of the leak, you narrow down your list of suspects a lot.
You can tag text files by making small benign paraphrase changes to the text and giving each recipient a slightly different version, MD5'ed and tagged with the recipient's MAC address in the log when they download it.
You can do this to images as well
If a sensitive file shows up on a public site, MD5 the content and see if its digest matches that of one of the server accesses. If it does, the MAC address will tell you which machine downloaded it, which will tell you who leaked it in most cases, and there is your proof.
This isn't hard to circumvent, but you can combine it with other approaches and keep quiet about some of them. Someone else said that there has to be some level of trust, and they're right, but deterrents like this have their place. If someone wants to leak information, they can do it, but at least you'll know when they do. That will stop most of them.
73 de N5VB (ex-KD5BIV) AR SK
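The paraphrase-per-recipient scheme from the post above, as an added worked example (the poster gave the idea, not this code). The memo text, the paraphrase pairs and the MAC addresses are constructed; MD5 is used because the post names it, and whitespace is normalised before hashing so a re-wrapped copy still matches. Any edit to the wording itself breaks the lookup, which is the weakness the post already admits.

```python
import hashlib
import re

# Constructed confidential memo; every phrase in PARAPHRASES occurs in it once,
# so each recipient's copy can differ in a known, harmless way.
MEMO = """Prior to the merger, all account balances in excess of 10000 EUR
must be reported to the finance desk in accordance with the audit plan.
Subsequent to approval, the transfer is carried out by the back office."""

# (phrase as written, equally harmless replacement). k pairs distinguish 2**k copies.
PARAPHRASES = [
    ("Prior to", "Before"),
    ("in excess of", "above"),
    ("in accordance with", "as per"),
    ("Subsequent to", "After"),
]

# Constructed recipients, identified by the MAC the download server logged.
RECIPIENTS = ["00:a0:c9:14:c8:29", "00:a0:c9:0f:11:52", "00:a0:c9:33:07:ab"]

_WS = re.compile(r"\s+")


def fingerprint(text):
    """MD5 over whitespace-normalised text, so a re-wrapped or re-indented copy
    still matches. Changing a single word gives a different digest."""
    return hashlib.md5(_WS.sub(" ", text.strip()).encode()).hexdigest()


def make_variant(text, index):
    """Apply paraphrase i exactly when bit i of `index` is set."""
    for bit, (orig, repl) in enumerate(PARAPHRASES):
        if index >> bit & 1:
            text = text.replace(orig, repl, 1)
    return text


def issue_copies(text, recipient_macs):
    """Give every recipient its own variant and keep the digest -> MAC log the
    download server would write at the time of access."""
    if len(recipient_macs) > 2 ** len(PARAPHRASES):
        raise ValueError("not enough paraphrase pairs for that many recipients")
    copies, log = {}, {}
    for i, mac in enumerate(recipient_macs):
        variant = make_variant(text, i)
        copies[mac] = variant
        log[fingerprint(variant)] = mac
    return copies, log


def who_leaked(leaked_text, log):
    """Look the digest of the leaked copy up in the access log; None if the
    text was altered after download (or never issued this way)."""
    return log.get(fingerprint(leaked_text))


if __name__ == "__main__":
    copies, log = issue_copies(MEMO, RECIPIENTS)
    found = copies[RECIPIENTS[2]].replace("\n", " ")   # same copy, re-wrapped
    print("leaked by", who_leaked(found, log))
```

With four pairs there are sixteen distinguishable copies; for a wider distribution you need more pairs, or a second channel such as the image tweaks the post also mentions.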
In the Government, on secure networks, everything :) is locked in rooms with very high security. There are no outside network connections and all access is controlled via cards/guards/cameras. Anything that goes into those rooms never leaves unless it is totally destroyed. I suggest you put your financial data on LANs not connected to the net whatsoever. Does it really need net access? Do the employees that work with that data really NEED net access? Sniffing the LAN over time might reveal some weird traffic patterns you might investigate, but at that point you might have already lost everything.. It basically boils down to this.. Not everything should be connected to the net. And buy PCs with floppy drives..
Mike
A friend of mine has the perfect solution. I am sure that he would be more than happy to co-locate one of their products with you, at no cost.
Just look for the binary sequence:00100100
(the ascii code for ``$'')
forth ?love if honk then
If a person steals proprietary data for personal use, they either a. Don't care about the consequences, or b. are stupid. If a. is the case, then sue them, see what you can get out of them. Go for the Toyota Camry, and the $10K they have saved up. I am sure that will cover for the financial loss
I think you may want to try a different approach. A good security person knows that the more responsibility you leave to the end user, the more likely your system will fail. You don't make end users responsible for updating their virus protection, do you? Why? Because they might not update it. Although I understand what you are trying to do, and it is a good idea, the number of ways to subvert this type of monitoring is right up there with, and related to, firewall subversion. Fragment that packet with your watermark for 10 minutes and your system loses its signature. Solution: why don't you just do it like M$ and put a hash of the MAC address into the documents, or get that hash for all your machines and look for that? Remember about 8 months ago? M$ put a hash of your MAC in *.doc files. I think you can probably find info at: http://www.junkbusters.com
you're interested in compliance laws and not the real issue of securing the theft of financially sensitive data.
by watermarking the data i don't see how you've gone the extra mile. you're more interested in setting a trap than just moving the data out of reach. besides if you only watermark binaries, any text (uuencode/uudecode) will make it through.
technically, the only place a watermark makes sense, would be in your own internal applications, if the application provided a screen shot capability.
the obvious solution is for your applications department to use an encrypted database, and to restrict the use of applications. any requests for highly sensitive data beyond the insensitive client information should result in a log entry (and the app should let them know it is logging). if you have any applications that run multi-client reports or dump sensitive data, those should be requests that are actually run by your security team.
now the only person you need to watch is the db admin.
jim
What idiot gave you control of computer security?
Good heavens Miss Sakamoto - you're beautiful!
A part of this article seemed to indicate the author felt uncomfortable about monitoring employees' email on the company networks. All employees should sign an Electronic Communications policy that clearly outlines the rules regarding the use of the computer, its lines, and the prohibition of installing or modifying software. This policy will also clearly word what may or may not be sent over the network, such as sensitive company data; this includes e-mail. This policy will also inform users that at any time, users may be selected at random for a policy check. You can have a pop-up box appear every time the users log on to warn them of consent to monitoring. Companies have always monitored telephones, the calls made, length, and even listened in on employees. Employees knew that they were using the company phone on company time. So what is the difference in surfing or emailing from work? Just like I do not condone employees calling psychic or sex chat numbers on the company phone, I should expect that they will not download porn, pirated warez, or send inappropriate email. I leave my personal surfing and emails to be done at home, on my own ISP, my own computer. As long as you clarify the rules, there should not be any feelings of spying or snooping.
"How you live will determine how you will die" www.covertlinks.cjb.net C0VERTl
You are on very dodgy grounds here as any kind of active monitoring is actually illegal in Germany without informing the employee. Even then it is a problem.
There is *no* law in Germany that requires you to monitor traffic. I have worked for banks and exchanges and have *never* heard of this. Even dealers have private telephone lines that are not taped, which makes a nonsense of insider trading regs.
Some US banks like Goldman Sachs do try aggressive monitoring in Germany, but it isn't very legal and could get them in trouble.
What you can do is to rigorously firewall and to record all email traffic over a week or so. Although you can't look at it until an incident occurs, that will give you the data for an investigation. You must also inform your employees that data is being recorded in case of an investigation and ideally, they should sign something in addition to their contract of employment.
Remember also to block access to Web Emailers like hotmail otherwise you would see your monitoring being bypassed.
Of course, if the secure data is in something like a standard Word(tm) document, you can't tag it with a phrase without forcing all documents to have a keyword, etc., in them that you know to look for, and even then newer editions use compression, which might obscure your mark.
Once again, I'm not an expert on this, and I may be 100% incorrect, so tread lightly.
Watermarking is pretty easy: create a special template that everyone should base confidential files on. Put some hidden strings within the template.
Of course, you'll need to learn a little bit more about IDSs like Snort and Word templates, but I've done things like this in the past and it does work.
Turn off all outgoing internet access. When people complain, refer them to whomever gave you this task.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
This is a common problem throughout the corporate world. Unfortunately, I cannot give you an intelligent suggestion as to what TO do so much as I can tell you what definitely won't work. Sniffing is out of the question. All one must do is compress the data (zip it, whatever) and your sniffer is blown out of the water. We all know that security through obscurity is no security at all. However, given that you are extremely limited in what you can do, some obscurity with the employees may benefit to a degree. It boils down to this. You have many employees who have access to sensitive data. You can't trust them all. You can't watch them all. And even if you did watch all their traffic that leaves the network, you'd never be able to specify a search pattern, since that data is so easily altered. If someone WANTS to steal the data, they will. I suppose it's your job to figure out how to make it as difficult as possible. Sorry I couldn't be of any more help.
Connah
"Your mouse has moved. Windows NT must be restarted for this change to take effect."
Switches running with security settings; static switch tables.. .run a network with static arp if you want.
Aggressive firewalling
Make sure all mail is logged.
Make sure all web traffic is proxied and filtered, if it even needs to be there at all. And log everything.
As for 'protecting privacy' of individuals.. you can't really have it both ways. IF it's a financial network, and people are expected to conform to a high level of security, it is completely within the rights (most likely) of your company to audit EVERY communication going in or out of the network.
Simply take away their expectation of privacy.
Oh.. also, insist that all mail be escrow-keyed, and signed, or it can't hit the servers. This leaves you an accountability trail.
IN fact, if it's a really secure installation, why do you even need live internet to people's desks?
I don't know the legal issues surrounding the situation.. but after more thought.
1) Is this a high-security office/network? If so, the take extremely aggressive measures. BE The BOFH, and control everything.
2) If this is simply a requirement.. it's kind of strange. What prevents someone from walking out the door with confidential information? What prevents them from doing it over the phone? Take similar measures to your meatspace security measures as a guideline.
If you don't search your employees on the way out, if you don't monitor their phones.. why sniff their network?
Um, cut and paste?
--
You mean you didn't know about hidden sid="tradesecrets" where we've been posting all our company's private data?
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
What you are suggesting doing, I classify as passive monitoring. In other words your employee has retrieved the data, he has formatted it as he sees fits and then sent it out onto the network where you are hoping to catch it. This is like trying to shut the doors after the cows get out. Even if you could reliably catch 100% of the inappropriate outbound traffic, your employees could simply write the information on a piece of paper or memorize it or anything like that. You will be very hard pressed to stop this.
What I suggest you do is active monitoring. Log the queries your employees make to your database. Log the information that they extract from your files. If you see an employee is extracting a lot of personal information, ask him what he is doing. If you see an employee is always looking at the same thing, ask him why he needs to be constantly updated on the status of this thing.
Now most of your employees will have true business uses for the information they look up and you should probably be able to develop some sort of pattern of information need and usage for each employee. Then when an employee starts looking at data that he doesn't ordinarily need to you can send a warning to his supervisor to check on his data queries.
This will probably be a much more effective approach. Oh, and BTW, as always be a good sys-admin and don't keep this practice a secret. Tell your employees that you will be monitoring their extracts. Most people don't really care if they are monitored at work, what really pisses them off is when the monitoring is done in secret.
/sbin/shutdown -h now
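The "active monitoring" the post above proposes, logging what each employee extracts and comparing it with their own normal usage, as an added example that is not the poster's code. The audit log, the user names, the tables and the row counts are constructed; the baseline is a per-user, per-table mean of daily rows, and the two triggers are "a table this user never touched before" and "more than `factor` times the usual volume".

```python
from collections import defaultdict
from statistics import mean

# Constructed application audit log: one record per query the application ran
# on behalf of a user: (user, day, table, rows returned).
AUDIT_LOG = (
    [("anna", d, "invoices", 40 + (d % 3) * 5) for d in range(1, 8)]
    + [("anna", d, "customers", 12) for d in range(1, 8)]
    + [("bernd", d, "invoices", 20) for d in range(1, 8)]
    # day 8: anna does her usual work, bernd pulls the whole customer table
    + [("anna", 8, "invoices", 45), ("anna", 8, "customers", 10),
       ("bernd", 8, "invoices", 25), ("bernd", 8, "customers", 9_800)]
)


def baseline(log, last_day):
    """user -> table -> mean rows per day, built from days <= last_day only."""
    per_day = defaultdict(lambda: defaultdict(int))   # (user, day) -> table -> rows
    for user, day, table, n in log:
        if day <= last_day:
            per_day[(user, day)][table] += n
    series = defaultdict(lambda: defaultdict(list))   # user -> table -> [rows/day]
    for (user, _day), tables in per_day.items():
        for table, n in tables.items():
            series[user][table].append(n)
    return {u: {t: mean(v) for t, v in tables.items()} for u, tables in series.items()}


def anomalies(log, base, day, factor=3.0):
    """For `day`, every (user, table) that is new for that user or exceeded
    `factor` times the user's usual daily volume. Each entry carries a reason
    a supervisor can be handed, as the post suggests."""
    todays = defaultdict(lambda: defaultdict(int))
    for user, d, table, n in log:
        if d == day:
            todays[user][table] += n
    flagged = []
    for user, tables in todays.items():
        usual = base.get(user, {})
        for table, n in tables.items():
            if table not in usual:
                flagged.append((user, table, n, "table not in this user's baseline"))
            elif n > factor * usual[table]:
                flagged.append((user, table, n, f"{n / usual[table]:.0f}x usual volume"))
    return flagged


if __name__ == "__main__":
    base = baseline(AUDIT_LOG, last_day=7)
    for user, table, n, why in anomalies(AUDIT_LOG, base, day=8):
        print(f"{user} read {n} rows from {table}: {why}")
```

The baseline has to be rebuilt as roles change, and, as the post says, the employees should know that extracts are logged; a query-level log is also the one record that survives every encoding trick on the wire.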
Okay, this is not an ideal solution, but it is a solution.
Internet
---------------------------------------- firewall
Demilitarized Zone
[ Terminal Server (WTS or an X server) ]
---------------------------------------- firewall
Internal LAN [ client PC goes here ]
Internal users use netscape on the terminal server. This prevents you from leaking information without retyping. However it prevents you from pulling in downloads, and sending email with attachments to customers.
For downloads, open up inbound FTP connections to a fileserver in the DMZ. For outbound emails, warn that emails from the LAN are scanned, and do it. If people want to send a private message, they can use the X or ICA netscape client. This way your users opt in to be scanned when they are deliberately leaking information, because that's what the job requires. Using the X client, all they would have to do is laboriously retype the information.
Depending on the size of the company, you could scan ALL of these messages by hand, since most outbound mail will be personal or brief.
I didnt say it didnt suck. But it does hang together.
If you need to have the tightest control on what leaves your network, you need to use application-level proxies and block all outgoing traffic from every machine except the proxies. You are in for a world of hurt if you are going to try to sniff traffic at the packet level.
I suspect there is no application-level proxy that will suit your needs. You may wish to harness the power of open source to integrate smaller tools to fit your needs. Perhaps starting with the proxies in the firewall toolkit you could build some proxies that have a little language in which you can write rules for blocking traffic. Then you can release it back to the community.
Like one of the other posters said, though, it is very difficult to detect when sensitive information is leaving the network. You usually have to rely on the form of the information (e.g. does it look like a credit card number?), but the form can easily be disguised. Disguises become harder the stricter the format of the data. For example, suppose you only send out bills through mail and the format of the bill is:
Dear (foo), You owe us (amount). Send it soon or die.
You can block all mail that doesn't match this format, thereby preventing jpegs, cc lists, etc. from being mailed. Information can still be leaked by choosing pregnant values for (foo) and (amount). You could look up to make sure (foo) was a valid customer, but your leak may add (foo) to the customer list to get around that. Limiting (foo) to less than 10 characters will help. Ensuring (amount) contains nothing but digits would help too, but it isn't too hard to encode a message with numbers only.
There will always be ways to get around whatever measures you put in place, but don't let that fact cause you to not put forth any effort at all. The amount of money you spend protecting against leaks should be weighed against the potential loss if certain information is leaked times the likelihood that it will be.
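The format-restricting proxy from the post above, written out as an added example (not the poster's code): a mail goes out only if it is exactly one bill in the template, to a name that is on the customer list, with the short-name and digits-only tightening the post suggests. The customer list and the sample mails are constructed. The last function puts a number on the covert channel the post says remains: the sender still chooses the name and the amount.

```python
import math
import re

# The post's template, tightened: a short alphabetic name and a digits-only
# amount, nothing before and nothing after the single sentence.
BILL = re.compile(
    r"\ADear (?P<foo>[A-Za-z]{1,10}), You owe us (?P<amount>[0-9]{1,7})\. "
    r"Send it soon or die\.\Z")

# Assumption: the customer list the proxy can check the name against.
CUSTOMERS = {"Mueller", "Schmidt", "Weber"}


def check_outbound_bill(body, customers=CUSTOMERS):
    """Return (allowed, reason). Attachments, extra lines, cc lists and odd
    names never match the template; unknown names are refused explicitly."""
    m = BILL.match(body)
    if not m:
        return False, "body does not match the bill template"
    if m.group("foo") not in customers:
        return False, f"unknown customer {m.group('foo')!r}"
    return True, "ok"


def covert_bits_per_bill(customers=CUSTOMERS, amount_digits=7):
    """Capacity of what is left: a valid bill still carries the sender's choice
    of one of len(customers) names and a 7-digit amount, so each message can
    smuggle log2(#customers) + digits * log2(10) bits of something else."""
    return math.log2(len(customers)) + amount_digits * math.log2(10)


# Constructed outbound mails the proxy would see.
SAMPLES = {
    "real bill": "Dear Mueller, You owe us 1200. Send it soon or die.",
    "with attachment": "Dear Mueller, You owe us 1200. Send it soon or die.\n"
                       "Content-Type: image/jpeg\n/9j/4AAQSkZJRg==",
    "odd amount": "Dear Weber, You owe us 12.50 EUR. Send it soon or die.",
    "not a customer": "Dear Zorro, You owe us 7. Send it soon or die.",
    "long name": "Dear Schwarzenegger, You owe us 7. Send it soon or die.",
}


def triage(samples=SAMPLES):
    """Which of the samples the proxy lets through."""
    return {label: check_outbound_bill(body)[0] for label, body in samples.items()}


if __name__ == "__main__":
    for label, allowed in triage().items():
        print(f"{label:16} -> {'send' if allowed else 'block'}")
    print(f"covert capacity per bill: {covert_bits_per_bill():.1f} bits")
```

Roughly 25 bits per bill is small, but a determined sender who can send many bills a day gets a usable channel out of it, which is the post's point about numbers-only encodings.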
Unfortunately, you don't have a chance. There is a little-known counterpart to the science of cryptography, the ugly stepchild: steganography. Steganography is the branch of computer science concerned with hidden communication: not (as with encryption) communicating so that others cannot understand, but hiding the existence of communication. If somebody is bright enough to piggyback a couple of bits of data onto emails or (even better) send small strings of data encoded in URLs as GET requests to an imaginary server outside your network . . . I think you get the point. Against a determined, or at least half-witted, attacker, you are powerless.
If you need to watch for confidential data leaving the company over the corporate network, then you do it. The data is all the company's anyway. You aren't running a public ISP where customers expect that you aren't slurping CC numbers. Or a phone company where people expect to be able to share their woes without it becoming public knowledge.
Now, if you're concerned that by monitoring the company's data you'd be exposed to confidential information that you feel would be detrimental if you had access to it, then you need to go to your management and talk to them about it. I'm sure they'd be more than willing to do anything they can to make it possible to do your job without you being responsible for keeping secrets.
-Brent