
I think I'm too close to the problem here and I'm just looking for a sanity check.

My product blocks files from being stolen by restricting what programs can access what 'type' of the data. (e.g. Excel can read xls(x), Word can read doc(x), etc.). Basically a 'Content Based White List'.

It seems that my ‘would be’ competitors (McAfee, TrendMicro, etc...) are crazy about signature scanning as being the 'Way'.

To me, attempting to detect leakage by 'content' is flawed since it's so easy to encrypt data before putting it on the wire. That said, it's certainly easier to sell to the non-techie.

So, to all you experts out there, what am I missing?

If I prevent a sensitive file from being renamed, block Save As/Export and block 'Clipboard' operations, what am I missing? (Yeah, I know about the 'Send to' feature inside of Office and can deal with that)

But I get the feeling that there is something OBVIOUS that I'm missing.

What is it?

Iunknown

3 Answers


The most likely weakness is in how you identify a file's "type".

A file's extension is ambiguous: ".dat", for example, can be any of thousands of file types. Many file formats are "PKZip"-style compressed archives containing the real data, so you can't use naive content sniffing (e.g. it's hard to distinguish a Java JAR, a Word docx, and a PKZip archive). Even advanced content sniffing has edge cases that make it hard to get right (you can append a zip file to a JPEG to get a file that is valid in both formats).

Edit: The other thing you're missing is the analog hole.

So a user can't copy and paste credit card information from a Word document to an email, and they can't attach the document to the email. Nothing is preventing them from re-typing the document in the body of the email.

Mark
  • Maybe that's what they're selling. 'A credit card number can be in any file so you need to watch them all!' Exactly right on the data type...so I punted on it and make the user define what files type he's interested in. – Iunknown Jun 13 '14 at 02:05
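The ambiguity Mark describes is easy to reproduce. The following is an added illustration, not code from the question or from anyone in this thread: it builds a few constructed "PK" containers in memory (a docx-like file, a JAR-like file, a plain zip, and a JPEG/zip polyglot), shows that a magic-number check cannot tell the first three apart, and then uses the archive's member names and end-of-central-directory record to classify them and to flag the polyglot. The member names used as docx/JAR markers (`[Content_Types].xml`, `word/`, `META-INF/MANIFEST.MF`) are real conventions of those formats; the sample files themselves are constructed stand-ins, not real documents.

```python
import io
import zipfile


def _make_zip(members: dict) -> bytes:
    """Build a small zip archive in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: every container below starts with the same "PK\x03\x04" bytes.
SAMPLES = {
    "report.docx": _make_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
    }),
    "lib.jar": _make_zip({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "com/example/Main.class": b"\xca\xfe\xba\xbe",
    }),
    "archive.zip": _make_zip({"notes.txt": b"hello"}),
}
# Polyglot: a minimal fake JPEG header followed by a complete zip archive.
# Zip readers locate the archive from the END of the file, so the prefix is ignored.
SAMPLES["photo.jpg"] = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + SAMPLES["archive.zip"]


def sniff_magic(data: bytes) -> str:
    """Naive sniffing: looks only at the leading bytes."""
    if data.startswith(b"PK\x03\x04"):
        return "pkzip-container"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    return "unknown"


def classify(data: bytes) -> dict:
    """Deeper check: leading bytes, whether a zip archive is readable anywhere in
    the file, and what the archive's member names imply about the real format."""
    result = {"magic": sniff_magic(data), "zip_type": None, "polyglot": False}
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return result
    with zipfile.ZipFile(buf) as zf:
        names = set(zf.namelist())
    if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
        result["zip_type"] = "docx"
    elif "META-INF/MANIFEST.MF" in names:
        result["zip_type"] = "jar"
    else:
        result["zip_type"] = "zip"
    # A readable archive behind a non-zip magic number means the file is a polyglot:
    # one consumer sees an image, another sees an archive.
    result["polyglot"] = result["magic"] != "pkzip-container"
    return result


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12s} magic={sniff_magic(data):16s} deep={classify(data)}")
```

The point for a content-based allowlist: the decision "which program may read this" has to rest on a classifier at least as thorough as `classify`, and even that one only works for containers whose internal layout you have enumerated; a file that is valid in two formats at once will satisfy whichever rule the attacker prefers.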

I think that your idea is interesting but it cannot be a total solution. What applications will you control? If you control Office what about Libre Office? If you control that, I'll just send it to myself on email and edit/copy or whatever on my iPad or iPhone.

IF you control all the office apps, maybe I'll run Node-Webkit with an office document reader library embedded.

If you fix that, I'll go into CMD prompt, PowerShell or something else. Can you really control everything, will you remember everything? VBA, PowerShell, WSH, CMD, ....

The only way to control a machine that has decades of design behind it to make it into a powerful, flexible all-purpose tool is to turn off everything and lock down what is left. Companies spend millions on this sometimes and I've never worked in any high-security environment yet where I couldn't get data out if I really had wanted to.

So your ideas have merit but need to be part of a larger solution that includes GPO lockdown, removal of features and software and whitelisting of software (intelligent, that is, not just based on file name).

Julian Knight
  • Right! I don't define any policy, I just provide the tool and guidance. I also recommend a white list approach, so ONLY Winword.exe can read doc files, so Libre Office wouldn't work and neither would emailing it. – Iunknown Jun 13 '14 at 20:19
  • How will the system know it is a doc file? Does it do content checking? If not, can't I just rename it? – Julian Knight Jun 13 '14 at 20:22
  • While I do have a 'signature' check filter, I don't think it's ever been used. Anyway, since I'm restricting access to everything except WinWord.exe, they would have to rename the file within Word. I could also block renaming by WinWord, but it would break the 'safe-save'. I suppose I could allow renaming by WinWord.exe but not allow the extension to change. – Iunknown Jun 13 '14 at 21:45

If you are trying to protect it from the user that's admin on the box, then it's quite a difficult proposition because they can undo whatever your product does.

Assuming non-admin:

  • What about saving the file to a different extension, e.g. via word/excel?
  • What if I write some code and call it winword.exe, would you let it open? If so, my code could save, transmit etc. the contents.
  • How about if I were to write an excel macro to save the contents elsewhere?
  • If I have physical access to the machine that has the file (e.g. on hard disk, on USB), I can always attach the medium to another machine and copy, or better yet, just take the hard disk on my way home, copy everything, and bring it back the next day :-)

You might also want to read 10 immutable laws of security, some of which may be applicable in your case.

Verifying the file signature helps when someone attempts to 'save as' or 'copy' in the original format, but not so sure when they change the format (e.g. doc to txt or even an older doc format). If the signature also depends on the content of the file (as opposed to just the format), then the question is whether it can track someone making changes such as making some changes to the content (such as adding spaces at the end, or even bogus content) so that the file signature would change but the essence of the document won't. In the case of office documents, one can typically change the physical file without changing the document contents.

I decided to do something like this because of malware related issues and IP theft concerns at my father's company, and we ended up removing all removable media from the computers, put locks on the physical computer boxes, disconnected the network from the Internet and then made sure that there were usually enough eyes, because he had trade secrets, as well as customer data, that we couldn't lose. (Although this was done in the last century, you can still turn around a workstation or a desktop and see that there are two loops for someone to put in a physical lock and take the key!)

Of course taking a photo with a digital camera always beats all such programs and protections, but very much like in our case, I'd assume that that's outside the scope and perhaps acceptable 'risk'. If not, put on cameras where the machines are (which is actually what my dad did later although he didn't necessarily do it for all machines!)

Hope this helps.

Omer Iqbal
  • It's going to take a few comments blocks to respond to your awesome reply. – Iunknown Jun 13 '14 at 01:59
  • Those are valid concerns and we deal with them pretty well by blocking the program that opened the protected file from writing any files to anywhere but where it was opened. (We make allowances for temporary files.) Regarding your scenarios: • We catch the ‘save as’/export/extension change (and we record it) • Since 99% of the world isn’t programmers, I would just prevent creating or renaming code files (.exe, .dll, .sys, .ocx, .src, etc…). (It will also stop viruses, malware, and ransomware… and automatic updates.) – Iunknown Jun 13 '14 at 01:59
  • I hadn’t considered an excel macro that can get the data out. Since I’m blocking writing to files and clearing the clipboard, the macro would need to be sophisticated. Maybe I could just block reading of the global macro file? It seems to me that if the ‘protected’ files are on a network share and we block them from saving/exporting the file to any non-protected location, pulling the hard drive wouldn’t do you any good. A signature scanning DLP product MIGHT catch the excel macro sending data over the Internet, but anyone smart enough to write a Macro to do this could also encrypt the data. – Iunknown Jun 13 '14 at 02:00
  • The signatures I’m talking about isn’t file signatures, but content signatures, like credit card numbers and SSNs. They would still have an advantage over my approach since I would require classification of the data as ‘protected’ instead of scanning packets (or whatever they are doing). But to me, it’s SO easy to hide the signature (even for a layman) that the approach is…just bad. – Iunknown Jun 13 '14 at 02:01
  • BTW, is there a way to make a formatted, longer response? – Iunknown Jun 13 '14 at 02:01
  • @Iunknown, I do not know how you can make a longer response. Glad you liked my response. You didn't answer the fundamental question: Is the user on the box an admin? If admin, why can't they undo what your product did? Also, you actually need to worry quite a bit about programmers, because once someone writes the code to bypass/disable your product, the "script kiddies" just need to follow the instructions to run it. – Omer Iqbal Jun 13 '14 at 06:02
  • @Iunknown, Excel macro is a symptom of an underlying issue IMO, which is that you have to make sure all bases are covered (hard) and keep up to date with any new changes/new features that might bypass your protections. Btw, these are discussions at a design level; if you had a set of penetration testers working against your actual product, I am sure they will find many more issues, so that might be another approach to take if you go ahead with this. – Omer Iqbal Jun 13 '14 at 06:04
  • Most of the time, the user is an admin on their own computer. My product runs as local system and uses a file system filter driver to do all the heavy lifting. There are a lot of little things that I do to keep the service running, like prevent it from being stopped, it automatically restarts when it crashes or is killed, I even have a replacement task manager, etc... It's also being monitored from the central server. But wouldn't a signature based product also have these problems? – Iunknown Jun 13 '14 at 20:09
  • @Iunknown re long or formatted response: I don't know if it's official but what I've seen fairly often is to EDIT THE QUESTION and add the new info beginning with a clear label, something like "added info due to answer by Gleep" in bold (two asterisks before and after), caps or both. And to be absolutely clear, also a comment on the answer saying something like "see edit in question". – dave_thompson_085 Jun 14 '14 at 10:44
  • Is anyone interested in taking a look at what I have built for Data Loss Prevention? I'll give you a license for your feedback on how to make it better. Say 1 server and 10 workstations (that should protect your home from evil doers) – Iunknown Jan 12 '15 at 05:33
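Two points in Omer's answer share one underlying lesson: the "write some code and call it winword.exe" bullet, and the paragraph on file signatures that change when the container is rewritten even though the document does not. In both cases, identity has to be tied to content rather than to a name or to the outer file. The block below is an added illustration and is not code from the thread or from any product mentioned in it. It contrasts a name-only allowlist with a hash-based one for the program side, and a whole-file hash with a hash of the inner body for the document side; the executables and documents are constructed byte strings, and `ALLOWLIST` is a hypothetical policy table, not a real product's configuration.

```python
import hashlib
import io
import zipfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- 1. Program identity: allowlist by content hash, not by file name -------------
# Constructed stand-ins for binaries (not real Office files).
GENUINE_WINWORD = b"MZ genuine word processor build 1234"
IMPOSTOR = b"MZ attacker tool renamed to winword.exe"

# Hypothetical policy table: approved program name -> approved build hashes.
ALLOWLIST = {"winword.exe": {sha256(GENUINE_WINWORD)}}


def allowed_by_name(exe_name: str, exe_bytes: bytes) -> bool:
    """The weak check from the thread: anything named winword.exe passes."""
    return exe_name.lower() in ALLOWLIST


def allowed_by_hash(exe_name: str, exe_bytes: bytes) -> bool:
    """Stronger check: the name must map to an approved build AND the bytes must match it.
    (A production system would verify a publisher signature instead of a fixed hash.)"""
    return sha256(exe_bytes) in ALLOWLIST.get(exe_name.lower(), set())


# --- 2. Document identity: fingerprint the body, not the container ---------------
def build_docx_like(document_xml: bytes, compression: int, extra_member: bool = False) -> bytes:
    """Construct a minimal docx-style archive around the given body XML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        if extra_member:
            # Metadata members change the physical file without touching the document.
            zf.writestr("docProps/custom.xml", b"<Properties/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def container_fingerprint(docx_bytes: bytes) -> str:
    """Hash of the whole file: changes whenever the archive is repacked."""
    return sha256(docx_bytes)


def content_fingerprint(docx_bytes: bytes) -> str:
    """Hash of the document body only: survives recompression and added metadata."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return sha256(zf.read("word/document.xml"))


BODY = b"<w:document><w:t>Q3 customer list</w:t></w:document>"
ORIGINAL = build_docx_like(BODY, zipfile.ZIP_DEFLATED)
# Same document, stored uncompressed with an extra metadata part: a different file on disk.
REPACKED = build_docx_like(BODY, zipfile.ZIP_STORED, extra_member=True)
# The same container with the body edited: the content fingerprint does change here.
EDITED = build_docx_like(BODY + b"   ", zipfile.ZIP_DEFLATED)


if __name__ == "__main__":
    print("impostor by name:", allowed_by_name("winword.exe", IMPOSTOR))
    print("impostor by hash:", allowed_by_hash("winword.exe", IMPOSTOR))
    print("container hashes equal:", container_fingerprint(ORIGINAL) == container_fingerprint(REPACKED))
    print("content hashes equal:  ", content_fingerprint(ORIGINAL) == content_fingerprint(REPACKED))
```

Hashing the body closes the repacking gap Omer describes but not the other one in the same paragraph: trailing spaces or bogus content appended to the body still yield a new fingerprint (`EDITED` above), so a scheme that needs to recognise "the same document" after trivial edits has to normalise or fuzzy-match the content rather than compare exact hashes.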