You're Donald Trump's sysadmin. You've got data leaks coming out the *ss. What to do

Beating the leaks with data loss prevention

Trump characture photo via Shutterstock

Sysadmin Blog Imagine yourself as Donald Trump's sysadmin. Trump's first month as President of the United States of America has been notable for the number of information leaks that have occurred. Trump has called these leaks criminal and seems intent on rooting out whistleblowers. Some poor sysadmin is going to be told to prevent these leaks, but just how possible is that in today's world?

One thing to understand about trying to secure information in 2017 is that data centres have no perimeter. Where does the on-premises data centre end and the cloud begin? When you are charged with preventing someone from removing sensitive data, physical security and even psychology start to become very real considerations.

The first thing to know is that nobody can prevent leaks. Not the CEO of a Fortune 500 company and not the leader of a nation. Those in charge can demand that IT reverse the past 15 years of business-focused evolution, returning to being dictators instead of facilitators, but in 2017 that sort of nonsense will barely slow a leaker down. It will only make the lives of rules-abiding employees trying to do their jobs harder.

What properly-employed technology can do is raise reasonable barriers to accidental information leaks and make some kinds of technological leaks easier to attribute to a specific leaker.

DLP 101

One category of tools that's important for those tasked with keeping sensitive data sensitive is everything that falls under the heading of Data Loss Prevention (DLP). DLP is concerned with identifying data that might be sensitive (Data Classification) and then preventing its access and/or exfiltration by unauthorized parties. This can mean keeping out "hackers" or it can mean trying to prevent the accidental (or deliberate) sharing of information with the 'wrong' people.

The hard part of DLP is always data classification. What constitutes sensitive data depends on who you consider to be the bad guys. The more pedestrian the motive, the less you have to protect.

If you're concerned only about money-motivated hackers, for example, you can get a lot of mileage out of flagging files and emails with credit card information, credential pairs and social security numbers. This level of classification is straightforward enough that it is built into Microsoft Windows Server and requires only a passing familiarity with the Data Classification Toolkit to get started.

Microsoft Exchange, Sharepoint, Office 365 and more all have basic data classification capabilities built in. These capabilities can be expanded by third party applications via plug-ins, and for some solutions – such as Office 365's email solution – the data classification and e-discovery capabilities are actually reasonably powerful.

These sorts of DLP tools help protect you from someone who has broken into your network and is looking for goodies. They're less useful against someone accidentally or deliberately trying to exfiltrate data from your network for the simple reason that there are rather a lot of ways for authorized personnel remove data from the premises.

Insider threats

At the moment, no technology can scan the contents of someone's mind and delete data we don't want removed from the organization. Most people, however, do tend to be somewhat limited in the amount of data they can reasonably memorize. If you have reason to be concerned that your salespeople might leave you then you can't stop them from remembering the information about your top clients. What you can do is make it difficult to sneak out a spreadsheet or PDF will all the details on all your clients.

The basic DLP tools make using email risky for those seeking to sneak out sensitive data. It's fairly simple for sysadmins to monitor old school protocols like FTP and to block USB drives. To bypass these sorts of restrictions, public cloud services like Dropbox are frequently used.

Sophos has a great KB article titled "How to monitor sensitive data being uploaded to cloud storage services such as DropBox". In essence, it says to block the installation of the local (Windows/Mac/Linux) installable clients for services like Dropbox, forcing employees to use the web versions. You then force all web traffic through your favourite cloud security package's proxy.

This can allow you to block features you don't want your employees to have access to (such as sharing), an approach favoured by Symantec with their Data Loss Prevention Cloud and CloudSOC products. More importantly, it can allow you to scan files being uploaded for sensitive data.

This approach, and others similar to it fall under the heading of Cloud Access Security Brokers (CASBs), with the most popular example being the recently acquired Bluecoat.

CASBs aren't going to catch everything. The truth is that the entire product category is still too young and too wrapped up in hype. Nobody, for example, seems to be able to really secure public cloud services that install onto the operating system. Merely blocking these will cause people to work around restrictions by bringing in their own devices.

If you are only trying to protect against accidental data loss (i.e. you trust your employees not to purposefully try to exfiltrate data), you can try offering enterprise managed solutions that are functional replacements for various public cloud services they would otherwise use. Contentraven is a popular choice here.

None of this, of course, prevents people from printing or photocopying data. Here, HP Secure Managed Print Services has your back. Think of the most paranoid access controls you'd like to apply to printing, photocopying or faxing and HP has already built a solution around it.

HP can't prevent authorized personnel from walking out of the building with documents, but they can restrict printing so that only certain people can print certain kinds of documents, track who printed what and establish an attribution chain for all printed materials.

Cellphones are another risk for those worried about insiders. While company phones can be locked down with appropriate mobile security software, anyone with a personal mobile phone can take pictures of documents and sync, stream or simply walk out of the building with them. Cellbusters can help identify rogue cellphones and are only one company amongst many in what appears to be a vibrant market.

Attribution

Most of the technological solutions above require, to some extent or another, the cooperation of the employees. They're really aimed at making sure someone doesn't accidentally email a spreadsheet with 10,000 credit cards on it to someone, but no data-loss technologies exist which can be assured to prevent the determined individual from removing sensitive information from the premises.

What we can do is tie any leaks back to them. This is where watermarking comes in. If your threat model includes insider threats then when you talk to your security vendor you need to have a long discussion about watermarking. Good watermarking software will tag every file access, print, share, stream or so forth with digital (or visual) fingerprint that indicates who accessed it, when and from where.

The goal here is to increase the likelihood that someone exfiltrating sensitive data will be identified. Again, this won't prevent the dedicated individual, but it will help in court cases against them, and will almost certain deter many casual data removal events.

Securing from everyone

Sometimes you aren't just worried about keeping your underlings from exfiltrating data. If your threat model extends to "the truth", it is likely that you're worried about storing data such that your superiors, law enforcement and/or the media will not be able to get access to your data.

Traditionally, this has been difficult. PGP is notoriously difficult to use for email encryption, and most file-based encryption solutions aren't much better. Especially if you want to share some of those files with a limited group, take advantage of public cloud storage for backup/multiple device syncing, etc.

Enter tools like Boxcryptor. Individually encrypt files then stuff them into Dropbox. When people demand to peek into your closet looking for skeletons, you can simply "forget" the encryption key.

Of course, if your underlings know about this trick, you'll need to program your DLP systems to detect it and warn you. The cat-and-mouse game is perpetual.

What's missing?

Unfortunately, what's really needed is a product that allows IT to detect not only every instance of public cloud storage in use, but every account being used. In theory, the right tool could force all authentication to public cloud services through an IT-controlled proxy. Any account that IT didn't have permission to scan wouldn't be allowed to log in.

If IT is granted permission (and the credential information) to scan the public cloud storage account, then the staff members would be allowed to go on using it. IT systems would scan all public cloud storage with data classification applications, noting file changes, logging IPs and tracking both shares and accesses. In essence, this would extend data classification systems into the cloud, even for providers that don't directly officially support such integrations.

Various government agencies can sort of do this in that they can get a court order to pry open Dropbox (and several others) to peek inside, or even force the services to scan all their accounts regularly for hashes of leaked documents. Not all public cloud storage solutions have this vulnerability.

Canadian Dropbox replacement Sync, for example, doesn't have to listen to Trump or any of his agencies. Even if someone did haul them into court and demand they cough up the goods the entire service is engineered so that they couldn't reveal what's inside their customers' accounts even if they wanted to. Of course, sysadmins can always block access to cloud services they can't control.

A proper commercial solution that was application-aware, and which used the account credentials of each account used within an organization's network, could scan everything in those accounts for sensitive data. Even the ones the spooks can't see inside.

Ultimately, none of us can entirely prevent secure data from being exfiltrated. With the right technology, however, we can increase the risk and difficulty of doing so such that most individuals would only put in the effort under the most extreme circumstances. ®


Biting the hand that feeds IT © 1998–2017