Human stupidity has no limits, but there is Data Loss Prevention

DLP BOX Seqrite
Developer: Quick Heal
Product name: Seqrite Endpoint Security Enterprise Suite

SRP price: kontakt z dystrybutorem

Conclusions

The Seqrite Data Lost Prevention module enables companies to counter the risks associated with authorized or unauthorized data leaks by regulating data transmission channels, such as removable disks, network shares, online applications and services, printers, and more. Thanks to the DLP module, supervision over confidential data is ensured based on file types (eg graphics, documents, programming, databases) and any keywords.

Editor's opinion

5

"Only two things have no limits: the universe and human stupidity, although we are not sure about the former." The words of Albert Einstein probably best reflect the message contained in the article - even the best security system is of no use if its users are not skilfully using it. Each system is as solid as its weakest link. It is the lack of sufficient knowledge of users that makes designing and implementing protective solutions patience and prepare even the most irritating questions - "why should not save confidential information in the form of unencrypted files?" If so far someone has not done so he had heard about the pernicious habit of sticking the pages to the monitor, apparently he is constantly recording the passwords.

Biggest data leak incidents

The biggest incidents of information and file leakage in the 21st century can include:

# 1: At the turn of 2013 and 2014, Yahoo lost over 1.5 billion records containing email addresses, dates of birth, phone numbers and passwords encrypted with the bcrypt hash function. Yahoo did not admit whether hackers gained access to data due to an ATP attack or someone from their employees helped them.

# 2: In October 2016 to the network hit 412 million accounts from 5 sites for adults belonging to Adult Friend Finder. Among the information obtained were usernames, email addresses and poorly protected passwords with the SHA-1 function.

# 3: In 2011, 77 million user accounts and details of 12,000 credit cards have been stolen to Sony PlayStation Network. Dozens of days of downtime cost the company over 170 million dollars.

# 4: In May 2014 from eBay servers brought out personal data of 145 million users. Three employees of the company who cooperated with hackers admitted to the theft.

# 5: In July 2014, one of the largest banks in the world JP Morgan stolen data identifying 75 million households and 7 million small US companies. The theft occurred as a result of obtaining file permissions on the bank's servers. Three of the four criminals were caught. They have been charged with identity theft, securities and money laundering.

# 6: In an undetermined time (from 2005 to 2010), the Stuxnet computer worm, probably delivered to the network by an infected pen drive, managed to disrupt the PLCs of Siemens centrifuges used for enriching uranium.

There are many similar examples. The most publicized by Polish media include:

  • wyciek exploitów z sieci NSA, które przyczyniły się do powstania ransomware WannaCry,           
  • ogromny wyciek danych klientów z T-Mobile Deutsche Telekom,
  • wyciek tajnych dokumentów i narzędzi CIA,
  • wyciek ponad 50 tysięcy danych osobowych pracowników firmy InPost (w tym numery PESEL) i kilkudziesięciu tysięcy plików z numerami spraw, a także plików z hasłami otwartym tekstem (!),
  • wyciek danych osobowych oraz medycznych 50 tysięcy pacjentów Samodzielnego Publicznego Zakładu Opieki Medycznej w Kole (wśród udostępnionych danych pacjentów znajdowały się informacje takie jak: imię, nazwisko, PESEL, adres zamieszkania, grupa krwi czy wyniki niektórych badań, a w przypadku pracowników także dane dokumentów tożsamości czy kont bankowych),
  • brak regularnych aktualizacji oprogramowania umożliwiło włamanie i kradzież haseł oraz danych klientów z jednego z banków na terenie Polski.

The number of similar incidents and ways to compromise the security of information systems by users is so great that the only limitation to refrain from giving further examples is imagination. However, mentioning individual threats shows the scale of the phenomenon, and also indicates why it is worth focusing on the general reasons for the data leak in order to be able to react early.

Deepening the biography of Edward Snowden , we can conclude that the theft of 1.5 million classified and sensitive documents from closed NSA systems could be avoided. In order to realize what mistakes were made in this case, it is sufficient to follow the story of Edward Snowden. It is an incident of many, however, the fact that it concerned state and international documents meant that the information about the spill was widely heard around the world.

Internal enemy

Employees contribute to most successful IT attacks. They have extensive knowledge about the organization of a given company, the structure of data distribution and applicable security rules. They usually have permissions in the system for a while away from work. Accounts of such persons should be immediately deleted. Besides, employees / team must be aware that sharing secret information to a colleague from another department is as risky as sharing them with someone completely alien. This seems obvious, but there are often exceptions to this rule.

Snowden's history shows the importance of people working in the company in the area of ​​data security. The only solution is proper control of access to data and granting rights to information only to a privileged group of users. But it is not everything. The proper system of authentication, monitoring and theft prevention is of fundamental importance. Knowledge and adherence to procedures are important in this field, including pre-determined access rights to information. The situation in which one employee gives his login and password to the other is unacceptable - although in practice he is commonplace. This is especially true if the other person has less rights than the first. Of course, it is rare for an employee to take advantage of the situation in order to obtain classified information, but once this happens, it can lead to a global scandal. Creating such opportunities exposes the company to unnecessary risks. You have to protect yourself against unpredictable data theft. Right now!

Unpredictable routine

In theory, the whole thing is simple - there is no system that would be able to detect and stop any type of threat, including the internal one. & nbsp; Therefore, you should be guided by the "3K" principle and & nbsp; determine who, when and to whom information should have access, and then implement these arrangements with appropriate procedures and authentication techniques, as well as control access to information. In practice, employees ignore certain rules to make life easier. In the vast majority of cases, this has no negative consequences, but it creates room for maneuver for someone who knows how to use the resulting gap and gain possession of confidential documents.

All limitations of the general human factor can be significantly reduced by introducing appropriate procedures. It is much easier to get people to follow certain rules if they understand the goal and know the dangers of neglecting arrangements. Therefore, it is good to do even short training on the most important aspects of security as far as the means and time are concerned. Explanation of the principles of operation of basic security mechanisms and ways of circumvention helps to make people aware of potential dangers. After the training, employees will certainly pay more attention to compliance with the established rules, however, as time goes on, old habits will go up and eventually the situation will return to the starting point.

Data Lost Prevention for file and information leaks

Problems with employees' insufficient knowledge or their ill will can be solved by installing a solution for protection of files and information against leaks (DLP - Data Leak / Loss Prevention) in the corporate network. DLP systems should be implemented in organizations that process data subject to protection for business reasons (wherever business secrets apply) or legal (personal, financial, medical data), and disclosure of which may expose the organization to criminal, civil or other financial penalties ( in particular the upcoming RODO / GDPR law).

The circumstances when an employee has access to files to which he should not have such permissions are common. By transferring this to the field BYOD policy and commonly available mass storage, the risk associated with the leakage is very large, therefore the experts from AVLab have verified the effectiveness of the integral Data Lost Prevention module with the product Seqrite Endpoint Security Enterprise Suite from Quick Heal.

Basic assumptions of the DLP test and attack scenario

The purpose of the test to check the effectiveness of DLP security against information leakage is to map several real scenarios of file and data theft. To achieve this, a test environment based on Windows 10 was prepared, the "Security EPS Console" console was configured, the DLP module was set up, and the application and peripheral devices were controlled, as well as reporting. After each scenario, the necessary information was generated to help determine the source of the leak (rule "3K").

Correctly configured monitoring of files on the file server and on the user's local disk can significantly increase the level of security of classified and secret information, in addition, it is very difficult to cheat. Properly implemented rules, according to the "3K" principle, can protect the organization against theft of files, and what's more - alert you to such an administrator attempt. Guided by the "3K" principle, it is possible to get answers to the most important questions:

The most common reasons for data theft include:

 

(1) Transmission of information by electronic means

DLP solutions do not have authentication systems, but they are able to monitor defined keywords that an employee could send to the Internet using any protocol. The most sensitive information are logins and passwords as well as certain types of files. To monitor this data, you can use the PowerShell script, which from Active Directory will export all user data to a CSV file:

Get-ADuser -filter * -Properties DisplayName | Export-csv c:\users.csv

The exported information can be pasted as strings to the DLP solution. The same effect can be achieved using the graphical application "Lepide Active Directory Query". Of course, this method can be freely modified with specific data, eg. Numbers of company payment cards, the use of which will be reported or protected against digital leakage, regardless of its source - application, protocol and port. The port 3389 blockade on the company's firewall (RDP for incoming connections) will help in obtaining even tighter protection. Blocking popular applications that establish connections remotely (TeamViewer, VNC and others) is an individual matter to consider.

Duże możliwości personalizacji ustawień modułu Data Lost Prevention są cechą rozpoznawczą rozwiązania marki Seqrite.
Skonfigurowane „słowniki”, czyli dowolne ciągi znaków są teraz chronione przed wyciekiem przez moduł DLP
Ochrona zdefiniowanych słów kluczowych w praktyce.

Observations : Keywords defined by the administrator are protected against leakage, the source of which may be a computer program. The Quick Heal Seqrite Endpoint Security Enterprise Suite also protects information from being copied from the system clipboard, making screenshots, printing, sharing on a local network, saving to mass storage, sending via email and Skype and many, many more applications.

 

(2) Using mass storage to steal data

This is the most popular way to steal files. Monitoring and blocking of this type of tests allow only reputable security solutions for companies. What's more, if it is necessary, blocking most types of mass storage (USB, SATA and other) or granting permission to use only company devices is an unpractical result. The Seqrite DLP solution based on the device code can recognize the pendrive or mass memory of your smartphone. As a result, blocked USB ports for mobile devices will not cause complete paralysis of other peripheral devices.

Nic nie stoi na przeszkodzie, aby umożliwić korzystanie z urządzeń USB firmowych.
Zgodnie z ustawieniami dla urządzeń peryferyjnych, dostęp do pamięci masowych USB jest zablokowany.

Observations : blocking access to USB mass storage devices, ie pendrives and smartphones, we will not block the keyboard and mice operating on the USB port - completely blocking FireWire, SATA, USB, Thunderbolt and PCMCIA interfaces is an individual matter .

 

(3) Send files via email or HTTP and HTTPS

An equally common way to transfer files outside your company's network is a browser mail or e-mail supported by MS Outlook, Thunderbird, Apple Mail and others. The first way concerns not only WebMail, but also a form for sending files via the browser for HTTP and HTTPS protocols. It would be unwise to block all traffic on ports 80 and 443, which is why engineers from Quick Heal have developed a rule that prohibits sending attachments.

Blokujemy określone typy plików (dokumenty, archiwa, pliki języków programowania).
Komunikat przedstawiający zablokowaną próbę wysłania chronionego typu pliku w Gmail.
Ten sam komunikat na poczcie O2 podczas próby dodania załącznika.

Observations: protected file types (graphics, documents, programming, archives, etc.) can not be sent as attachments or as data uploaded to disks in the cloud (Dropbox and others) or transmitted with POST request in web forms.

 

(4) Remote data theft resulting from a system or software vulnerability

This is the most difficult scenario to implement, very expensive, but also the most effective. An attacker can do this through a drive-by download attack, recognizing the system architecture and software installed earlier. It is necessary to prepare exploits for installed versions of browsers / plugins and to create a so-called "langing page", as well as to bypass installed security features after the form of multi-layered security software. Such a situation has already happened - at that time, unknown perpetrators managed overcome the security of the WWW server of the Polish Financial Supervision Authority. They managed to hack the knf.gov.pl website, which infected computers of bank employees visiting the official bank information exchange channel, that is, they "did" the same thing as mapped attack scenario in the test prepared by AVLab (in this comparative study, the Quick Heal solution won the highest BEST +++ award).

Wykorzystywane podatności (potocznie zwane dziurami lub lukami) w atakach, stosuje się w celu niepostrzeżonego wtargnięcia do systemu.

Social engineering is a more common element in attacks (due to lower costs and technicals), but malware still has to be delivered to the system, which still has to bypass all protective layers.

Observations : Even if criminals could be fooled by antivirus protection, the end client can count on an IPS (Intrusive Protection System) and firewall. Assuming a positive scenario for a cybercriminal, a standby and well-configured DLP module is able to stop file theft and protect the organization from information leakage.

 

(5) Rename or expand before sending a file

It may seem that the seemingly simple change of the file extension from "Password.xlsx" to "Password.txt" or "Password.xxx", as well as "Password" (without any extension) will be able to fool DLP. Nothing of that. In the case of Seqrite Endpoint Security Enterprise Suite, the files are not recognized by the extension, but based on the file header in the hexadecimal notation, which determines how to encode and store data. E.g:

.PNG: 89 50 4E 47 0D 0A 1A 0A
.XLSX: 50 4B 03 04 14 00 06 00
.ZIP: 50 4B *

We check the file type in the terminal in Linux or in Windows 10 in the built-in bash shell:

Komenda: file Password.xlsx
Odpowiedź: Password.txt: Microsoft Excel 2007+

After changing the XLSX file extension to TXT, the Office document is still the same file:

Komenda: file Password.txt
Odpowiedź: Password.txt: Microsoft Excel 2007+

The situation is different if malware or an angry administrator encrypts a file that & nbsp; loses its properties, so the DLP module will not be able to verify its type:

Komenda: openssl aes-256-cbc -in /mnt/c/Users/test/Desktop/Password.xlsx -out /mnt/c/Users/test/Desktop/Password2.xlsx)Komenda: file Password.xlsx
Odpowiedź: Password4.xlsx: data

Observations : changing the file extension or completely removing it does not affect the correctness of file type recognition. However, encrypting the file by the ransomware means that the files can be stolen by a previously blocked channel checking the file type and decrypted with a private key or password, but on one condition - if you can somehow overcome all levels of protection of the Seqrite security software. An additional difficulty for the authors of malware is to bypass the built-in module preventing the ransomware from encrypting files. In practice, this may not be possible.

Test Comment

The growing number of business information resources is scattered digitally. The Seqrite Data Lost Prevention module enables companies to counter the risks associated with authorized or unauthorized data leaks by regulating data transmission channels, such as removable disks, network shares, online applications and services, printers, and more. Thanks to the DLP module, supervision over confidential data is ensured based on file types (eg graphics, documents, programming, databases) and any keywords. However, you must remember that DLP will not protect your company from the pen and a sheet of paper.

We encourage end customers and sellers to test their own. The distributor declares that he will provide a test version of the Seqrite solution for any number of computers, and in the case of good negotiating skills, the trial period will be extended.

Graficzny raport z aktywności DLP.
Graficzny raport z aktywności DLP, cd.
Raport wskazujący na próbę kradzieży pliku z uwzględnieniem: typu pliku i wykorzystanego oprogramowania.

Data security in the context of the RODO

At present, there is no question of a separate, secure network in which you know at any time - who, from where and how it connects with company resources. Constantly increasing computerization in many areas effectively prevents this. Hence the integral Data Lost Prevention module in the Quick Heal product - Seqrite Endpoint Security Enterprise Suite provides preventive tools to entrepreneurs to protect against targeted attacks and threats related to data leaks through different data transmission channels. With this solution, companies can accurately monitor events in real time and enforce pre-established security policies of the company's intellectual property. It turns out to be necessary in the era of many systems, services and technologies that make up every business. In addition, enterprises can achieve this without reducing the efficiency of employees. And the support for Windows XP, still used, is not without significance.

Customers interested in the solution can count on technical webinars from the console configuration and pre-sales and after-sales support. Detailed information about the Seqrite brand product can be obtained by contacting the distributor - ITD24 Sp. z oo, as well as on the website pl.seqrite.com and by visiting the "producers" tab on our website and selecting Quich Heal .

  • When were the rules matching the data or information theft attempted?
  • Who is responsible for the data leak (who was logged into the system at that time)?
  • Which application, protocol and port contributed to the theft of data?


Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.