Group Test: Extrusion Prevention

Computer crackers and bank robbers have much in common. Both types of ner-do-wells begin by performing a reconnaissance of the potential target. With a bank robber, recon usually means a trip to the bank to understand the physical layout, where the cameras are located and placement of the guards. Also, the ultimate prize is to find the location of the vault.

When penetrating a computer, the cracker begins with data-gathering techniques, using Google hacking and other informational sites. Once this is complete, the cracker typically begins by performing a remote port scan to see which are the potential avenues of entrance to the computer system or network.

Once the ports have been identified, the next step is to find vulnerabilities in the open applications discovered in the port scan. Now, the cracker is finally ready for the heist and launches an exploit against a vulnerable system.

Clearly, the best option is to not have the vulnerability exist in the first place, but catching every vulnerability in any organization is a daunting task. If the exploit is successful, the cracker now has access to at least one machine on the network. Often these machines are located alongside other critical assets in the DMZ [the firewall configuration for securing the LAN]. But, why all of this comparison between bank robbing and computer systems?

With extrusion prevention, also called data leakage protection, the computer cracker is going to find out that the data loss prevention (DLP) software is going to stop his ability to copy, move, save or print sensitive files. The extrusion prevention package also is going to stop the cracker from having the ability to insert malicious code, such as a rootkit or a botnet, on the exploited system. Placing the rootkit is doubly frustrating to the computer cracker because most of the protection software uses anti-rootkit functionality to hide the security service from the end-user. This basically means the cracker can't install a rootkit on the compromised machine because the security software is already using the components of the OS that a rootkit would use to take control of the box. This would be equivalent to the robber cracking open the safe to find it empty with another bank robber already in the vault.

Forms of data
Data is typically in one of three forms: at rest, in motion or in use. For a good extrusion prevention package to be effective, it must protect data in all three forms. In addition to the state of the data, the data needs to be protected from the three most common sources of data leakage. Number one is the internet - either through the corporate email system, web-based email solutions, or through an instant messaging program or other solutions, such as

The internet is the most likely place for a leak to occur, but it is not the only place. The second most common type of breach is through the connection of removable media to a device connected to the corporate LAN through a laptop or workstation. USB drives are cheap, plentiful and have massive amounts of storage capacity. Without extrusion prevention protection, a disgruntled employee can download gigabits of sensitive files and walk right out the front door with the data intact. Some organizations use packages to disable USB ports on company laptops and desktops. But all these security measures do is switch the medium the malicious employee is going to use. Instead of using a portable USB drive, the employee will, perhaps, burn the data to a CD or DVD. If you install software to block that, malicious employees will just email the sensitive documents to themselves. If all else is blocked, the malicious employee can use a network sniffer and read the content as it passes by on the LAN. Before you think this is impossible, we have been able to recreate executable files as large as 75 MB from a free network sniffer we downloaded from the internet. Wireless networks are egress points for sensitive information and also the easiest place to perform the traffic sniffing.

This leads to the final necessary component of data leakage protection: encryption. Unfortunately, encryption is a double-edged sword. Encryption can keep your sensitive documents safe, but encryption can also make it harder to identify when sensitive information is leaving the network. With mechanisms - such as HTTPS, steganography, PGP, TOR and encrypted messenger chats - finding the sensitive information can be a real chore.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.