Unintrusive Traffic Content Monitoring?
fuzzybunny asks: "I've recently been given my turn in the bucket as head tech guy at a startup in Germany. We deal with backend monetary transactions for companies that need to send bills, and as such handle large quantities of personal and confidential financial information. I've been informed that in order to comply with financial due diligence laws here, as well as to guard against sabotage by angry employees (not that we have any), I have to figure out some way to sniff outbound network traffic for stuff that's not supposed to leave the company network." Internal security is something all network administrators will have to deal with at some point or another. Are there methods they can employ to ensure that data that's supposed to stay in the network isn't encouraged to take a nightly stroll somewhere it isn't supposed to, without excessively violating the privacy of the users?
"I realize that someone who wants to get confidential information out can easily circumvent any technical measures (copy to floppy, encrypt mail, print out, etc.) However, the idea here is to force someone to take that extra willful step.
Given that I categorically refuse to sniff general network traffic, block URLs, or generally look over people's shoulders, I am looking for a solution that lets me automatically watermark non-ascii files and just sniff for certain binary strings on outgoing traffic, while keeping any non-matching traffic completely anonymous. Any ideas on this?"
Bare Minimum it is then... (Score:4)
We already do this (though the packet sniffer's for diagnostics only): LAN w/NT server+100 clients, proxy w/sniffer to get through to the WAN (Sun SPARCs for DBASE and web server), then another "standard" firewall out beyond the WAN to get to the internet. That way they have to get through two firewalls to get to our files from outside, and the inside users get their files scanned on the way out. Non-intrusive as we could make it, once the machines are set up for proxy the users don't know the difference. The packet sniffer's a 10-year-old SPARC classic, so we're not talking about major investment of $$$ here.
-jpowers
Simple, common sense things you can do. (Score:1)
1. Recognize you are stopping casual abuses or last minute abuses. You are trying to stop the fired sales person from taking the entire client list, not the clever system admin from hell. Set your thoughts accordingly.
2. Make written security guidelines for your company. For example, one large company that shall remain nameless, even though it's Sun, makes every new employee watch a fifteen minute hokey video showing a team talking about confidential problems in public, leaving notes on white boards, and even letting ex-employees use the system. Also, they make a couple of levels of confidentiality ("MyCo Confidential", etc.). This cuts down on the accidental mistakes.
3. Ignore incoming traffic. You can't do a good job on it anyway.
4. Have your DBAs remove the old "print all to file" type commands in your applications. The only remaining use in most corporations is to take a copy of the client list, account list, or whatever.
5. Log, copy, encrypt all outgoing email that hits matching criteria. Criteria include greps "MyCo Confidential" and size (>2Mb) and time (weekends, midnight to 5 a.m.). Yes, it can be a pain, but you've got to keep those drive makers happy. Email isn't time or space critical but is the first tool of the thief.
6. Close off access to outgoing ftp. Normal mortals can use the browsers. Others should need permission.
7. Page the SysAdmin if any one user sends over 100MB of outbound traffic in a 24 hour period.
Yes, this will be a good due diligence level of protection, and may catch anyone who tries something. No, James Bond wouldn't break a sweat.
Cheers!
[shameless plug: Give money at www.truegift.com]
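A checker for items 5 and 7 of the list above, written as an added example (not code from the post): it greps each outbound message for "MyCo Confidential", flags size over 2 MB and off-hours sending (weekends, midnight to 5 a.m.), and keeps a sliding 24-hour window per sender to fire the 100 MB page. The message records, senders and timestamps are constructed for the example.

```python
"""Added example: outbound-mail criteria from items 5 and 7, run over
constructed sample records (sender, size in bytes, send time, body text)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

CONFIDENTIAL_MARK = "MyCo Confidential"
SIZE_LIMIT = 2 * 1024 * 1024        # item 5: messages over 2 MB
DAILY_LIMIT = 100 * 1024 * 1024     # item 7: over 100 MB per user in 24 h
QUIET_START, QUIET_END = 0, 5       # item 5: midnight to 5 a.m.


def mail_flags(record):
    """Return the item-5 criteria that one outbound message matches."""
    flags = []
    if CONFIDENTIAL_MARK in record["body"]:
        flags.append("confidential-mark")
    if record["size"] > SIZE_LIMIT:
        flags.append("oversize")
    when = record["sent"]
    if when.weekday() >= 5 or QUIET_START <= when.hour < QUIET_END:
        flags.append("off-hours")
    return flags


def evaluate(records):
    """Walk the records in time order.

    Returns (flagged, paged): flagged maps message id -> criteria matched
    (log/copy/encrypt candidates); paged lists (user, time) pairs at which
    the 24 h volume rule fired.  After a page the user's window is reset so
    one burst pages the admin once rather than on every following message.
    """
    flagged = {}
    paged = []
    window = defaultdict(deque)   # user -> (time, size) pairs in last 24 h
    volume = defaultdict(int)     # user -> bytes currently in the window
    for rec in sorted(records, key=lambda r: r["sent"]):
        hits = mail_flags(rec)
        if hits:
            flagged[rec["id"]] = hits
        user = rec["sender"]
        q = window[user]
        # drop anything sent more than 24 h before this message
        while q and rec["sent"] - q[0][0] > timedelta(hours=24):
            _, old_size = q.popleft()
            volume[user] -= old_size
        q.append((rec["sent"], rec["size"]))
        volume[user] += rec["size"]
        if volume[user] > DAILY_LIMIT:
            paged.append((user, rec["sent"]))
            q.clear()
            volume[user] = 0
    return flagged, paged


MB = 1024 * 1024
SAMPLE = [  # constructed sample records; 2001-03-14 is a Wednesday
    {"id": "m1", "sender": "alice", "size": 40 * 1024, "body": "lunch?",
     "sent": datetime(2001, 3, 14, 11, 0)},          # daytime, small: clean
    {"id": "m2", "sender": "bob", "size": 3 * MB, "body": "quarterly report",
     "sent": datetime(2001, 3, 14, 2, 30)},          # 02:30 and over 2 MB
    {"id": "m3", "sender": "carol", "size": 20 * 1024,
     "body": "MyCo Confidential - client list attached",
     "sent": datetime(2001, 3, 17, 10, 0)},          # Saturday, marked text
    {"id": "m4", "sender": "bob", "size": 60 * MB, "body": "backup part 1",
     "sent": datetime(2001, 3, 15, 9, 0)},
    {"id": "m5", "sender": "bob", "size": 50 * MB, "body": "backup part 2",
     "sent": datetime(2001, 3, 15, 17, 0)},          # bob passes 100 MB/24 h
]


def run_sample():
    return evaluate(SAMPLE)


if __name__ == "__main__":
    flagged, paged = run_sample()
    for msg_id, hits in flagged.items():
        print(msg_id, "->", ", ".join(hits))
    for user, when in paged:
        print("page sysadmin:", user, "at", when)
```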
Trying to do the impossible... (Score:2)
As the case of Dr. Wen Ho Lee showed, this is impossible - even for (supposedly) ultra high security installations like the U.S. nuclear research labs.
All you have to do is download to a tape or floppy and walk out with the info. If the person doing this is actually a criminal or spy (as opposed to Dr. Lee - who called tech support to help him figure out how to do this), it is pretty trivial for them to prevent this from being detected.
Yes, there are dozens of basic security procedures that can catch the idiots, but you will never catch anybody who knows anything about computers.
How I would do it (Score:1)
Users requiring access to this data must authenticate in a manner that places their system in this zone. Things like Cisco's URT can do this. It will place the user's switchport in the security zone vlan. The user can then view data but not initiate connections outside of the network zone.
At some point you must trust people. The bottom line is that there is no way that you can be POSITIVE that a user did not authenticate into the secure net, take a screenshot of some data, save it to their local machine, encrypt it with PGP and send it out. You are never going to be able to detect this kind of theft of data by sniffing traffic because the user obtained it in a legitimate manner and the screen dump was done on their local machine and not over the net.
Using such things as httptunnel, one can use a web connection to tie your internal net to another outside net without you doing much about it. You will not be able to tell this traffic from normal web traffic. Heck, you can hack the prog to make the TCP/IP information look like it is in
The thing to do here is to stress that transmitting of private company information is subject to immediate dismissal and possibly a civil suit.
The best security is at the door. Hire people you can trust and put systems in place so that it is very difficult to send private data out. Make it difficult or impossible to send such data by accident. Problem is, if a user can display it to their screen, they can get it out of the network if it is possible for them to send outside email or browse the web from their workstation.
No lock will stop a thief, they only serve to keep honest people honest.
Re:Stego (Score:2)
You only need to go as far as necessary to meet regs.
Re:Big Brother is Watching (Score:2)
Perhaps if I noticed they surfed what I thought was an awful lot, I might poke my nose into what they were surfing.. and then poke my nose into whether their boss is happy with their performance or not.
Why? I firmly believe that the bottom line is, the employee has been hired to do a job. If he is doing that job to the satisfaction of those responsible for his position in the first place, I don't *care* how much he surfs.
You hit it on the head when you said 'provide data supervisors needs to see'... if they need to see it. If they have issues with their employees not working out, they can come and ask.
Re:so? (Score:2)
The point wasn't that you could reclaim your damages.. the point was that employees who are run through proper security audits, and forced to sign proper documents indicating the penalties for disclosing confidential information will tend to RESPECT THAT, as opposed to simply putting in a 'technical' solution.
Re:problem number one (Score:1)
The sales guys need access to the customer data. The logistics people have to be able to get at our order database via SAP. The accountants need access to the billing database. Tech guys have to be able to read network diagrams and many of us will have to be able to read internal proprietary strategy documents...
Re:Simple, common sense things you can do. (Score:3)
Don't publish your security methods openly.
Re:users privacy. (Score:1)
Re:Communications Policy Enforcement by Sysadmins (Score:1)
If I have to suffer by eating this shit then so do you.
Re:No good technology solution... (Score:2)
Yes, and that is also basically mentioned in the article text. Anybody is going to be able to get past this system, but the thing is that then they're going to have to take that extra step knowingly, so they can't claim they mailed that sensitive data out unknowingly, because they would have had to take extra steps to make sure it wasn't caught immediately by the filter. Thus, the filter only has to block the obvious ways of data smuggling, to make the company stand much stronger in court if somebody does smuggle data out, because the employee can't possibly claim he did it by accident.
They must be trusted in order to do their jobs properly.
Yes, of course, but there's a rotten apple in every box. Of all the people I know who work at the company I work for, I wouldn't think they'd be thieves, yet still quite regularly stuff is stolen if it's not locked down. Very sad business...
Unfortunately, as a company, no matter how much you trust your employees, it's a given fact that at least one of them will at some point try to screw you. You can either wait around to be screwed, you can try to prevent being screwed (which is generally very invasive, inefficient and expensive) or, as this company is doing, you can try to increase your chances of finding out when somebody tries to screw you and increase your chances of taking successful legal steps against them.
In terms of monitoring outbound traffic for sensitive data, well, forget it. Heck, even compression will ruin pattern matches.
Ah, yes, but even compressing the sensitive data will be that extra willful step. Somebody could theoretically accidentally attach a sensitive file to an email message and send it out. It is however not necessary to compress or encrypt such sensitive data for internal use (I presume), so sending out encrypted or compressed sensitive data, so when you do detect a leak and find the person responsible, he can't claim in court that it was an accident. Yes, even in that case he'd still be responsible, but it could be considered negligence rather than a criminal act.
)O(
Never underestimate the power of stupidity
Re:Stego (Score:1)
Re:If you really need a tight network... (Score:2)
Sure you can control what people do with floppy disks: have computers without floppy disk drives. Of course this applies to all other removable media. If you need removable media, then make sure that access is limited to authorized individuals only (via physical security methods).
But, you still can't control what people do with information they see. If I find out that Joe Sixpack has $500,000 in his account, there is NOTHING to stop me from taking that information from the internal, private network, and typing into the external network connected to the Internet.
The only way to be absolutely sure that NO data gets out is not have any external network connections at all. People will at least have to PHYSICALLY walk this stuff out the door.
It all goes back to the old adage: information wants to be free.
Perhaps a combination of the 2? (Score:1)
And hopefully it will all "work out in the end."
Re:Monitor Certain Ports/Automated Scanning (Score:1)
This is something I have a serious problem with. As far as I'm concerned, whatever employees are doing on MY network is company's business... There is no such thing as personal information on my turf.
Call it overly restrictive, but in the business I'm in (security/alarms) you cannot afford to have "rogue" information travelling. It is grounds for immediate dismissal. Employees get free HOME internet access as part of the package, but on the job, we don't pay them to surf personally.
I've seen too many people taking the company's line for granted. It costs money. Money that could be used to get me a raise.
Avoiding the "It was an accident" excuse (Score:1)
I don't think there's a universal solution for watermarking -- all binaries have different formats. But there are solutions for each different file type. In an MS Word document, for instance, you could embed a hidden macro.
Then your proxy scans all outbound attachments and simply rejects & logs any that contain any one of a series of watermarks. Tags, really, because watermarks are designed to be irremovable.
Everybody is warned that they need prior approval before transmitting data outbound, even to themselves at their home ISP. There is a small chance of false positives with this system; that's why you log and evaluate before taking action on proxy rejects.
Hire an Expert (Score:1)
This strikes me as kind of scary that this is an "Ask Slashdot." It sounds to me like the first thing you need to do is go hire a good security guy from a financial institution (bank, credit card, etc.). I worked with a guy that did security at Citibank and I'm amazed at all the things they did to minimize their exposure to threats like this. Check those references real good.
You're missing the point here (Score:2)
Imagine that the "disgruntled employee" starts emailing credit cards to his home address (yes, this would be stupid, but it's just an example). Now if the company catches the employee doing this, he's going to get in trouble, but the employee can always say "oh gee, oops. I must have accidentally sent sensitive information. I'll try to be good next time."
On the other hand if the company routinely sniffs for credit card numbers (or whatever info) and announces this policy to its employees, then the employees know they're going to have to be craftier than email. So when Joe Employee encrypts the credit card numbers and sends them home, and gets caught, he's going to be in a lot more trouble than had he just emailed it and gotten caught.
One approach to outgoing data we use (Score:3)
Big Brother is Watching (Score:2)
I think you should be less concerned with the actual process and just be careful that the results are appropriately interpreted.
If you really need a tight network... (Score:5)
The traditional method of access control in this sort of circumstance is a proxy-style firewall. However, I don't know of any proxy firewalls that can inspect for specific content. They can check for correctness of protocol data, but I don't know of any way to set off klaxons and call the police if the user manages to embed today's secret word in an HTTP:// request.
You definitely can't use packet-level firewalls for this purpose, even stateful inspection ones, because users can bury any data they want in traffic bound for, say, port 80. It doesn't have to be just HTTP. Packet-level firewalls just work on port pairings. Example: if I were ever in a network that refused me access to my home machine, I'd probably just tunnel through port 80, which is open 90% of the time. A proxy firewall would stop that: a packet firewall will not.
It might be possible to custom-code an outbound content filter into an open-source proxy like Squid. Squid isn't a firewall, so you'd probably have to dual-home your Squid box (to make it the only way out) and then have a firewall between it and the outside.
Even at that level, it would still be possible to sneak things out. Almost any system that allows two-way communication can have arbitrary data inserted into the data stream in a way that is very inobvious to even a savvy network admin. Just a few days ago I saw a method to tunnel IP networking over DNS requests. (seriously). I think it was probably posted here on
What this all boils down to is this: if you allow any form of two-way communication into your network, then employees can get data out. Period. And there's no way you can know what it is without extensive and highly sophisticated pattern analysis.
If the data is really sensitive, you might consider the old 'air gap' solution; have a private network that isn't connected to the outside in ANY WAY, and then an external network that employees use on a day-to-day basis. If you put that network on a hub, or on a switch that supports port mirroring, you should be able to monitor all traffic on that private network (assuming you don't exceed, in aggregate, the bandwidth on your monitoring port if you're switch-based) and ensure that no foreign MAC addresses show up on the network, and that all the traffic stays local. You can't, of course, control what users do with things like floppy disks. However, having the separate high-security network will let you monitor intensely enough to be aware that a given employee is accessing data they don't normally need access to. At least, it can do that if you're willing to put the effort into writing/customizing the monitoring tools. Definitely a non-trivial effort.
If you can't build two networks, then you probably shouldn't even bother monitoring. It won't do you any good. Anyone out there with a real clue will waltz right past any protections you might set up.
Impossible (Score:2)
I find it disappointing that you're more worried about "conforming to the law" than about actually securing this information.
I think your best method..... (Score:1)
As far as preventing authorized systems (in this case, systems allowed to transmit binary files) from sending out confidential data, you could look into encrypted filesystems. I'm not experienced with these, but I wouldn't imagine it to be too hard to force everything binary from that filesystem to remain encrypted if transferred from that filesystem. However, like I said, I don't know too much about encrypted filesystems.
Re:The solution is not technical (Score:2)
Second of all, German banks are required to take due precaution against leaking of sensitive data, so sensitive data can't be sent out accidentally, and so that people guilty of leaking data can't claim in court that it was an accident.
It's stunning how many people don't actually read or interpret the article text. They don't want to block all possible ways of leaking information, because that's impossible, they just want to block the most obvious ways of leaking information. They don't want a legal solution, they want a technical one.
In all the posts in this thread that were moderated up, there were only two or three that are actually relevant to the article text, all the others, including the parent of this message, are based on misinterpretations of the article text and thus useless.
The solution is not technical (Score:3)
Put a use of confidential information clause in their contract, and threaten to sue them to hell should they ever breach it.
Now, you may not like this. It's not pretty. But that's the way to do it. If you try to patch the system with a technical solution, they'll never respect it, because hackers figure if they can find a hole, it's their god-given right to exploit it. But trust me, every script kiddie gives up his tactics when he's slapped with an FBI (RCMP in Canada) search warrant and threats of legal action. Ditto with employees.
This way, you won't even have to bother with configuring your system. Just sue one guy as an example to others, that works well also. It may not be really cool; but trust me, it's effective.
The solution: (Score:1)
users privacy. (Score:1)
Misunderstanding the Question (Score:2)
I posted this question and I appreciate the responses, but I think a lot of people didn't catch the gist of what I was asking.
It's a comparatively easy task to secure my network from external threats; that is a combination of good product choice, intelligent design, clued configuration, and conscientious administration and monitoring.
I also know that I don't have a hope in hell of technically leak-proofing my network from the inside-out. That problem indeed is not a technical one. That's why I'm not sniffing general network traffic; our usage policy is something like "don't be an asshole." If people are abusing resources, we indeed have other problems.
What I'm trying to do is to address a specific eventuality as required by some of the compliance laws here. Assume a guy is pissed off or leaving for a competitor. He wants to mail/ftp/netcat/ whatever out a customer database or internal documents. We have watermarked our files; he knows this, but doesn't know exactly how, so he will need to encrypt the data, print it out, put it on a tape, write it on his hand, whatever.
The point is to force him to consciously, wilfully take that extra malicious step. That way, under compliance laws, we can say that we exercised due diligence to the best extent possible without impacting our productivity by doing all kinds of crazy paranoid stuff like keystroke logging or chaining people to their desks.
So once again, the question is: is there some mechanism by which we can automatically embed some sort of watermark in any non-ascii file (database, ms word doc, etc.), send all outgoing traffic through a layer 5-7 proxy, and just sniff for that single watermark string?
All replies are appreciated.
Re:No good technology solution... (Score:2)
Secondly, a company shouldn't need to create an "extra step" to protect itself (a specific filter, etc., as you suggest) in order to strengthen its case in court if it has taken the proper precautions in enumerating the sensitivity of the data, as well as having employees read and sign (in the presence of a witness, who also signs) confidentiality agreements, sensitive data handling procedures, etc. In the end, these documents will be far more valuable to a legal team than an error-prone, scattershot scanning tool (which might even be used by the defence to draw focus from the actual data theft to privacy issues, etc.). If such a scanning system had any chance of helping against an actual theft, I would not be so down on them. However, anyone actually trying to steal anything for malicious purposes is likely to either a) disguise that data as something else or b) just carry it out of the building on media. Let's not forget that theft was going on long before the internet.
Re:Lots of solutions (Score:1)
This is pretty much up my alley. Are you aware of any non-format-specific methods of inserting binary strings in non-ascii files (Oracle DB files, Visio diagrams, etc.)?
Moderate this up +1 Insightful (Score:1)
Re:Simple, common sense things you can do. (Score:1)
Oh, this is slashdot. Of course they are
A post that preaches security through obscurity and it gets (Score:3 Insightful)...
I dunno
Re:Monitor Certain Ports/Automated Scanning (Score:1)
Re:Simple, common sense things you can do. (Score:1)
I'll leave it as an exercise to the reader to figure out exactly why (duh).
Why not rent... (Score:1)
Re:If you really need a tight network... (Score:1)
But, you still can't control what people do with information they see...
Well, they can't tell anyone if they aren't allowed to leave the office. Just set up some cots in a spare office, and they can sleep there. Have a cafeteria so they can eat, and give them free coffee. They can only be married to other employees (if they ever want to see their spouse), and their kids will have to go to the company schoolhouse where they can learn to code and become productive by the time they're 10 years old (you could also breed out concepts such as freedom with the right schooling). Anyone caught trying to leave will be taken to the department of love for permanent dismissal...
Re:Misunderstanding the Question (Score:2)
As somebody else pointed out: most binary files can be watermarked but the method will be different for each type. You'll have to identify all data types that can potentially hold sensitive data, implement a watermark for each, and then implement the checking in your firewall/proxy/ipmasq/whatever.
An alternative (especially if your key files change fairly infrequently) may be to store a hash value for all critical files and check that on outbound attachments etc.
Databases are a problem: it's hard to see how you can prevent people from doing a bcp of all the data and send it. Two things may help: (1) make sure all database activity is logged and (2) include a few dummy database entries that you can search for (e.g. username 'faisifopida' or whatever). Just make sure your applications filter the watermark data out.
Oh, and you'll need to keep the method(s) you employ secret. That sucks and means you'll need to employ several methods at the same time.
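The proxy-side check that the "Avoiding the 'It was an accident' excuse" post and this one both describe, as an added example (not code from either post): a streaming scanner that looks for any of a set of embedded tags in an outbound attachment, keeping an overlap buffer so a tag that straddles two reads is not missed. The same scanner serves the dummy-record idea above, since a canary value is just another tag. The document bytes and tag values are constructed; where a tag can safely live inside a real format (a Word macro, a comment record) depends on the format, as the posts say.

```python
"""Added example: proxy scan of outbound attachments for secret watermark
tags, with a chunked reader that handles tags split across chunk edges."""
import io
import zlib

# Constructed tag values.  Real tags would be random bytes, kept secret and
# rotated; the dummy database entry from the post is just another tag.
WATERMARK_TAGS = [
    b"\x00WM:MyCo-Confidential-7f3a\x00",
    b"\x00WM:MyCo-Internal-b91c\x00",
    b"faisifopida",                      # the canary username from the post
]


def embed_tag(document: bytes, tag: bytes, offset: int) -> bytes:
    """Splice a tag into a binary document at a chosen byte offset.

    Only the byte-level insertion is shown; a per-format tagger would pick
    an offset the application ignores (padding, a hidden macro, ...).
    """
    return document[:offset] + tag + document[offset:]


def scan_stream(stream, tags, chunk_size=4096):
    """Return the first tag found in the stream, or None.

    `carry` holds the last (longest_tag - 1) bytes of the previous chunk so
    a tag that starts near a chunk boundary is still seen in full.
    """
    keep = max(len(t) for t in tags) - 1
    carry = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return None
        window = carry + chunk
        for tag in tags:
            if tag in window:
                return tag
        carry = window[-keep:] if keep else b""


def proxy_decision(attachment: bytes, tags=WATERMARK_TAGS, chunk_size=4096):
    """Reject-and-log decision for one outbound attachment.

    Returns ("allow", None) or ("reject", <printable tag name>); the
    caller logs rejects for review rather than acting on them blindly,
    since the post notes false positives are possible.
    """
    tag = scan_stream(io.BytesIO(attachment), tags, chunk_size)
    if tag is None:
        return "allow", None
    return "reject", tag.decode(errors="replace").strip("\x00")


def demo():
    """Run the scanner over a constructed clean, tagged and compressed file."""
    clean = bytes(range(256)) * 4                      # constructed binary
    # offset 60 with 64-byte chunks: the 27-byte tag straddles a boundary
    marked = embed_tag(clean, WATERMARK_TAGS[0], 60)
    return {
        "clean": proxy_decision(clean, chunk_size=64),
        "marked": proxy_decision(marked, chunk_size=64),
        # compressing first is the "extra willful step": the tag bytes no
        # longer appear verbatim, so a byte-matching proxy cannot see it
        "compressed": proxy_decision(zlib.compress(marked), chunk_size=64),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```

The "compressed" case is the thread's own caveat: the scanner proves nothing about zipped or encrypted payloads, which is exactly why the original poster treats such a transfer as the deliberate step.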
Re:Communications Policy Enforcement by Sysadmins (Score:1)
And no-one is "forcing" anyone to do anything. The whole point of McDonalds is that you are stupid enough to eat it yourself.
Stop looking in the mirror and saying you don't like everyone.
Re:Simple, common sense things you can do. (Score:2)
I didn't say 'security through obscurity is good'. That's a blanket statement, and security CANNOT be summed up so simply.
Is security through obscurity good? Well.. when it comes to holes in software... apparently not. More eyes = faster discovery of problems, and faster fixes.
However.. if I run a server where ALL the daemons are custom written, and NOBODY has the source, how can you tell me that my site will be 'more secure if I publish the source?'. It sure as hell won't be. Nobody would have a clue where to begin.
One of the first tenets of security is to not divulge how or what your security measures are. If you do, you simply help someone in figuring out how to avoid your measures.
If security through obscurity is so bad.. why doesn't every firewalled network publish a diagram of their internal network, complete with passwords and firewall configurations? I mean, otherwise they're being 'obscure' right?
Sheesh.
Best Bet, get research going at a Top University (Score:1)
http://www.cerias.purdue.edu [purdue.edu]
What you can sniff, cannot (Score:1)
That said, I have a sniffer running monitoring my network for intrusion attempts only; I don't daily sift through logs nor want to. I will search the logs for something specific, say a certain user's stuff or a certain file, if needed.
As for blocking specific traffic in real time, that becomes more difficult; you'd need to modify your firewall to block packets containing some sort of data. I've never done this, but I'm sure it is possible; practically, cost-wise, I can't say. How much traffic are we talking here?
You say it's financial data being passed. Honestly, when it comes to that much money for that many people, employees' privacy takes a back seat to covering your ass and protecting your clients' money. Would you want to be responsible, however indirectly, for someone losing all their money, or say a million-dollar screw-up?
It's the same deal as always... (Score:4)
If, on the other hand, they're an idiot, and sending the stuff out either recklessly or accidentally, you don't need technology to handle it. Either look over their shoulder once in a while, or get them drunk.
So, do what companies always do: the bare minimum required to meet legal standards, and grudgingly, at that.
Monitor Certain Ports/Automated Scanning (Score:4)
Basically, the most important thing, from an employee's perspective, with network scanning is full disclosure. I would feel violated if my personal transmissions were searched without my knowledge, but I think most people would understand the need for tight security given the inherent insecurity of an Internet connection.
No good technology solution... (Score:4)
The truth of the matter is this: you have chosen to trust your employees (at various levels). They must be trusted in order to do their jobs properly. If they choose to violate that trust, you will be unable to stop them.
Now, it is possible to make that sort of thing much more difficult, but the methods are not terribly reasonable, and usually incompatible with business practices.
In terms of monitoring outbound traffic for sensitive data, well, forget it. Heck, even compression will ruin pattern matches. Better to simply spend more time evaluating how trustworthy potential employees are before hiring them into sensitive, high access positions. Get background checks and be a good judge of character.
Oh, and cross your fingers.
Limit the visibility employees have to data (Score:4)
what's so bad about sniffing? (Score:1)
OTOH, make it known (i.e., via posters, memos, etc.) that any employee that violates your "terms of service" will be met with dire consequences. Invoke any legal power that you can, and don't be afraid to scare people.
If it were my decision, I'd use snort (or a similar tool) alone. Telling people what you don't want them to do is a great way to get them to do it.
Just ask them (Score:1)
Of course, if you need more ideas, i suggest this site [ntk.net]
Impossible task (Score:2)
All of this said, I believe to a certain extent using these methods not only are going to be more likely at catching possible offenders, but can also protect people's privacy. You are not explicitly examining the data people are sending out, but rather where large amounts of data are headed.
Virtual Private Network (Score:1)
Limit the visibility of data AND.. (Score:1)
If business critical data leaks out, and you know only a very short list of your top employees had access to it at the time of the leak, you narrow down your list of suspects a lot.
You can tag text files by making small benign paraphrase changes to the text and giving each recipient a slightly different version, MD5'ed and tagged with the recipient's MAC address in the log when they download it.
You can do this to images as well
If a sensitive file shows up on a public site, MD5 the content and see if its digest matches that of one of the server accesses. If it does, the MAC address will tell you which machine downloaded it, which will tell you who leaked it in most cases, and there is your proof.
This isn't hard to circumvent, but you can combine it with other approaches and keep quiet about some of them. Someone else said that there has to be some level of trust, and they're right, but deterrents like this have their place. If someone wants to leak information, they can do it, but at least you'll know when they do. That will stop most of them.
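The per-recipient tagging and lookup described in this post, plus the stored-hash check suggested in "Re:Misunderstanding the Question", as one added example (not code from either poster): each download gets a variant with slightly different paraphrase choices, its digest is logged against the recipient and MAC address, and a leaked copy is traced by digest first and by reading the paraphrase choices back out when the copy was reformatted. The document, the phrase slots, the recipients and the MAC addresses are constructed; the post says MD5 and this uses SHA-256 for the same content-identification purpose.

```python
"""Added example: per-recipient paraphrase variants of a text file, a
digest -> (recipient, MAC) log, and tracing of a leaked copy."""
import hashlib
import itertools
import re

# Each slot lists interchangeable phrasings.  The option picked for each
# slot is one digit of the recipient's fingerprint (2**4 = 16 variants here;
# more slots give more recipients).  All constructed for the example.
SLOTS = [
    ("in order to", "to"),
    ("utilise", "use"),
    ("prior to", "before"),
    ("commence", "begin"),
]

TEMPLATE = (
    "Staff are reminded {0} {1} the approved client database {2} "
    "they {3} any export of account data.\n"
)


def render(choice):
    """Produce the variant selected by one option index per slot."""
    return TEMPLATE.format(*(SLOTS[i][c] for i, c in enumerate(choice)))


def digest(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def recover_choice(text: str):
    """Read the slot choices back from a possibly reformatted copy.

    Whitespace and case are normalised first, so re-wrapping or pasting the
    text elsewhere does not defeat the lookup.  Options are tested in slot
    order, which matters where one option is a substring of another
    ("to" inside "in order to").
    """
    flat = " ".join(text.split()).lower()
    choice = []
    for options in SLOTS:
        found = None
        for idx, option in enumerate(options):
            if re.search(r"\b%s\b" % re.escape(option), flat):
                found = idx
                break
        choice.append(found)
    return tuple(choice)


class DownloadLog:
    """Server-side record of which variant (digest) went to whom."""

    def __init__(self):
        self.by_digest = {}
        self._choices = itertools.product(*(range(len(s)) for s in SLOTS))

    def serve(self, recipient: str, mac: str) -> str:
        """Hand out the next unused variant and log who received it."""
        choice = next(self._choices)   # StopIteration once variants run out
        text = render(choice)
        self.by_digest[digest(text)] = (recipient, mac, choice)
        return text

    def trace(self, leaked: str):
        """Return (recipient, mac, how) for a leaked copy, or None."""
        hit = self.by_digest.get(digest(leaked))
        if hit:
            return hit[0], hit[1], "digest"
        choice = recover_choice(leaked)
        for recipient, mac, served_choice in self.by_digest.values():
            if served_choice == choice:
                return recipient, mac, "paraphrase"
        return None


def demo():
    log = DownloadLog()
    copies = {name: log.serve(name, mac) for name, mac in [
        ("alice", "00:11:22:33:44:01"),   # constructed MAC addresses
        ("bob", "00:11:22:33:44:02"),
        ("carol", "00:11:22:33:44:03"),
    ]}
    # Constructed leak: bob's copy re-pasted with changed case and spacing,
    # so its digest no longer matches but the paraphrase choices survive.
    leaked = "  " + copies["bob"].upper().replace(" THE ", "  THE ")
    return log.trace(copies["carol"]), log.trace(leaked)


if __name__ == "__main__":
    exact, fuzzy = demo()
    print("exact copy traced to", exact)
    print("reformatted copy traced to", fuzzy)
```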
Gotta break off the network (Score:1)
is locked in rooms with very high security. There are no outside network connections and all access is controlled via cards/guards/cameras. Anything that goes into those rooms never leaves unless it is totally destroyed. I suggest you put your financial data on LANs not connected to the net whatsoever. Does it really need net access? Do the employees that work with that data really NEED net access? Sniffing the LAN over time might reveal some weird traffic patterns you might investigate, but at that point you might have already lost everything.. It basically boils down to this.. Not everything should be connected to the net. And buy pc's with floppy drives..
Mike
OH! (Score:2)
Financial information is very easy to detect (Score:1)
(the ASCII code for "$")
so? (Score:1)
If a person steals proprietary data for personal use, they either a. Don't care about the consequences, or b. are stupid. If a. is the case, then sue them, see what you can get out of them. Go for the Toyota Camry, and the $10K they have saved up. I am sure that will cover for the financial loss
Different approach needed (Score:1)
problem number one (Score:1)
By watermarking the data I don't see how you've gone the extra mile. You're more interested in setting a trap than just moving the data out of reach. Besides, if you only watermark binaries, any text (uuencode/uudecode) will make it through.
Technically, the only place a watermark makes sense would be in your own internal applications, if the application provided a screenshot capability.
The obvious solution is for your applications department to use an encrypted database, and to restrict the use of applications. Any requests for highly sensitive data beyond the insensitive client information should result in a log entry (and the app should let them know it is logging). If you have any applications that run multi-client reports or dump sensitive data, those should be requests that are actually run by your security team.
Now the only person you need to watch is the DB admin.
jim
You won't WHAT? (Score:1)
What idiot gave you control of computer security?
Communications Policy Enforcement by Sysadmins (Score:1)
Re:Misunderstanding the Question (Score:1)
Re:How I would do it (Score:1)
Re:Simple, common sense things you can do. (Score:1)
Re:Monitor Certain Ports/Automated Scanning (Score:2)
You can trust your employees, but loyalty in the tech industry in this day and age is more fleeting than ever, so, well, you can't trust everyone - so you have to equally not trust everyone. It isn't the greatest thing, but that's the way it is...
--
Monitoring *not* legal in Germany!!!!!! (Score:1)
There is *no* law in Germany that requires you to monitor traffic. I have worked for banks and exchanges and have *never* heard of this. Even dealers have private telephone lines that are not taped, which makes a nonsense of insider trading regs.
Some US banks like Goldman Sachs do try aggressive monitoring in Germany, but it isn't very legal and could get them in trouble.
What you can do is to rigorously firewall and to record all email traffic over a week or so. You can't look at it until an incident occurs, but that will give you the data for an investigation. You must also inform your employees that data is being recorded in case of an investigation, and ideally they should sign something in addition to their contract of employment.
Remember also to block access to web emailers like Hotmail, otherwise you would see your monitoring being bypassed.
Re:Monitor Certain Ports/Automated Scanning (Score:2)
If you really want to use file signatures... (Score:1)
Of course, if the secure data is in something like a standard Word(tm) document, you can't tag it with a phrase without forcing all documents to have a keyword, etc., in them that you know to look for, and even then newer editions use compression, which might obscure your mark.
Once again, I'm not an expert on this, and I may be 100% incorrect, so tread lightly.
Lots of solutions (Score:2)
Watermarking is pretty easy: create a special template that everyone should base confidential files on. Put some hidden strings within the template.
Of course, you'll need to learn a little bit more about IDSs like Snort and Word templates, but I've done things like this in the past and it does work.
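The template-watermark idea above, and the caveat a few posts earlier that newer Word files are compressed and may hide the mark, as an added example that is not from either poster or from any IDS. The watermark value, the 10 MB member limit and the sample document are constructed for this example; the scanner does a plain substring match (what a Snort content rule would do) and then unpacks zip containers so a deflated document body is still inspected.

```python
import io
import zipfile

# Constructed watermark: a hidden string the confidential-document template
# would carry. The value is an assumption for this example, not from the thread.
WATERMARK = b"CONF-TAG-3f9a1c"


def scan_bytes(data: bytes) -> bool:
    """Plain substring check, the equivalent of an IDS content match."""
    return WATERMARK in data


def contains_watermark(payload: bytes, max_depth: int = 3) -> bool:
    """Return True if the watermark is found in the payload.

    A plain substring check misses documents stored compressed (Office 2007+
    files, for instance, are zip archives), so zip containers are unpacked
    and each member scanned. Recursion is depth-limited and oversized
    members are skipped so a crafted archive cannot blow up the scanner.
    """
    if scan_bytes(payload):
        return True
    if max_depth <= 0 or not payload.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.file_size > 10 * 1024 * 1024:
                    continue  # do not inflate huge members
                if contains_watermark(zf.read(info), max_depth - 1):
                    return True
    except zipfile.BadZipFile:
        return False
    return False


def build_sample_document(body: bytes) -> bytes:
    """Constructed sample: a minimal zip container in the style of a .docx,
    with the body deflated so the watermark is not visible in the raw bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", b"<w:document>" + body + b"</w:document>")
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_document(b"Invoice data. " + WATERMARK)
    print("raw bytes contain mark:", scan_bytes(doc))     # False: body is deflated
    print("scanner finds mark:", contains_watermark(doc))  # True
```

The same split applies to anything else that transforms the bytes on the way out (base64 or uuencode in mail, TLS, an archive inside an archive): the substring match only works on the decoded form, so the sniffer has to sit where it can decode, or the mark has to be inserted as something that survives the transform.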
block all access (Score:1)
Sniffing? Forget it... (Score:1)
Connah
Yes. (Score:3)
Aggressive firewalling
Make sure all mail is logged.
Make sure all web traffic is proxied and filtered, if it even needs to be there at all. And log everything.
As for 'protecting privacy' of individuals.. you can't really have it both ways. If it's a financial network, and people are expected to conform to a high level of security, it is completely within the rights (most likely) of your company to audit EVERY communication going in or out of the network.
Simply take away their expectation of privacy.
Oh.. also, insist that all mail be escrow-keyed, and signed, or it can't hit the servers. This leaves you an accountability trail.
In fact, if it's a really secure installation, why do you even need live internet to people's desks?
Issues (Score:2)
1) Is this a high-security office/network? If so, then take extremely aggressive measures. Be the BOFH, and control everything.
2) If this is simply a requirement.. it's kind of strange. What prevents someone from walking out the door with confidential information? What prevents them from doing it over the phone? Take similar measures to your meatspace security measures as a guideline.
If you don't search your employees on the way out, if you don't monitor their phones.. why sniff their network?
Re:block all access (Score:1)
Connah
Re:Actually, yes you can. (Score:2)
Um, cut and paste?
--
Why would you trust slashdot? (Score:2)
Re:What you can sniff, cannot (Score:1)
You have to keep in mind laws are different in Germany. You must not do everything here, no, but be careful what you are monitoring.
Active vs Passive Monitoring (Score:2)
What I suggest you do is active monitoring. Log the queries your employees make to your database. Log the information that they extract from your files. If you see an employee is extracting a lot of personal information, ask him what he is doing. If you see an employee is always looking at the same thing, ask him why he needs to be constantly updated on the status of this thing.
Now most of your employees will have true business uses for the information they look up, and you should probably be able to develop some sort of pattern of information need and usage for each employee. Then, when an employee starts looking at data that he doesn't ordinarily need to, you can send a warning to his supervisor to check on his data queries.
This will probably be a much more effective approach. Oh, and BTW, as always be a good sys-admin and don't keep this practice a secret. Tell your employees that you will be monitoring their extracts. Most people don't really care if they are monitored at work, what really pisses them off is when the monitoring is done in secret.
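The "active monitoring" approach above, as an added example that is not the poster's code: a baseline of which tables each employee normally extracts from and how much, built from one period of query logs, and a check of a later period against it. The log format, the user and table names and the threshold factor are all constructed for this example; a real deployment would read whatever audit log the database actually produces.

```python
import re
from collections import defaultdict

# Constructed query-log format for this example (one line per data extract):
#   <date> <time> <user> <operation> <table> rows=<n>
LOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<user>\w+) "
    r"(?P<op>SELECT|EXPORT) (?P<table>\w+) rows=(?P<rows>\d+)$"
)

# Constructed sample logs. The first block is the learning period, the second
# is the period being checked against it.
BASELINE_LOG = """\
2001-03-05 09:12 alice SELECT customers rows=12
2001-03-05 14:40 alice SELECT customers rows=25
2001-03-06 10:03 alice SELECT invoices_open rows=8
2001-03-05 11:20 bob SELECT invoices rows=40
2001-03-06 16:55 bob EXPORT invoices rows=60
"""

RECENT_LOG = """\
2001-03-12 09:30 alice SELECT customers rows=20
2001-03-12 18:47 alice EXPORT customers rows=5000
2001-03-13 08:05 alice SELECT salaries rows=3
2001-03-12 10:10 bob SELECT invoices rows=55
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["rows"] = int(rec["rows"])
            yield rec


def build_baseline(entries):
    """Per user: the tables they normally touch and the largest extract seen."""
    baseline = defaultdict(lambda: {"tables": set(), "max_rows": 0})
    for e in entries:
        b = baseline[e["user"]]
        b["tables"].add(e["table"])
        b["max_rows"] = max(b["max_rows"], e["rows"])
    return baseline


def find_deviations(baseline, entries, volume_factor=3):
    """Return (user, table, reason) for extracts outside the user's pattern:
    a table the user never touched before, or a volume well above their
    previous maximum. Users with no baseline at all are flagged too."""
    findings = []
    for e in entries:
        b = baseline.get(e["user"])
        if b is None:
            findings.append((e["user"], e["table"], "no baseline for user"))
            continue
        if e["table"] not in b["tables"]:
            findings.append((e["user"], e["table"], "table outside usual pattern"))
        elif e["rows"] > volume_factor * b["max_rows"]:
            findings.append((e["user"], e["table"],
                             f"{e['rows']} rows, baseline max {b['max_rows']}"))
    return findings


def review(baseline_text=BASELINE_LOG, recent_text=RECENT_LOG):
    baseline = build_baseline(parse_log(baseline_text))
    return find_deviations(baseline, parse_log(recent_text))


if __name__ == "__main__":
    for user, table, reason in review():
        print(f"{user}: {table}: {reason}")
```

Flagging the 5000-row export and the first-ever read of `salaries` is the whole point: both are things a supervisor can be asked about, and, as the post says, the employees should know this check exists.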
How to make a network completely secure: (Score:1)
Actually, yes you can. (Score:3)
Internet
---------------------------------------- firewall
Demilitarized Zone
[ Terminal Server (WTS or an X server) ]
---------------------------------------- firewall
Internal LAN [ client PC goes here ]
Internal users use Netscape on the terminal server. This prevents you from leaking information without retyping. However, it prevents you from pulling in downloads, and sending email with attachments to customers.
For downloads, open up inbound FTP connections to a fileserver in the DMZ. For outbound emails, warn that emails from the LAN are scanned, and do it. If people want to send a private message, they can use the X or ICA Netscape client. This way your users opt in to be scanned when they are deliberately leaking information, because that's what the job requires. Using the X client, they would have to laboriously retype the information.
Depending on the size of the company, you could scan ALL of these messages by hand, since most outbound mail will be personal or brief.
I didn't say it didn't suck. But it does hang together.
Application level proxy is needed, not packet filt (Score:2)
If you need to have the tightest control on what leaves your network you need to use application level proxies and block all outgoing traffic from every machine except the proxies. You are in for a world of hurt if you are going to try to sniff traffic at the packet level.
I suspect there is no application-level proxy that will suit your needs. You may wish to harness the power of open source to integrate smaller tools to fit your needs. Perhaps starting with the proxies in the firewall toolkit you could build some proxies that have a little language in which you can write rules for blocking traffic. Then you can release it back to the community.
Like one of the other posters said, though, it is very difficult to detect when sensitive information is leaving the network. You usually have to rely on the form of the information (e.g. does it look like a credit card number?) but the form can easily be disguised. Disguises become harder the stricter the format of the data. For example, suppose you only send out bills through mail and the format of the bill is:
Dear (foo), You owe us (amount). Send it soon or die.
You can block all mail that doesn't match this format, thereby preventing jpegs, cc lists, etc. from being mailed. Information can still be leaked by choosing pregnant values for (foo) and (amount). You could look up to make sure (foo) was a valid customer, but your leak may add (foo) to the customer list to get around that. Limiting (foo) to less than 10 characters will help. Ensuring (amount) contains nothing but digits would help too, but it isn't too hard to encode a message with numbers only.
There will always be ways to get around whatever measures you put in place, but don't let that fact cause you to not put forth any effort at all. The amount of money you spend protecting against leaks should be weighed against the potential loss if certain information is leaked times the likelihood that it will be.
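The strict-format check the post describes, as an added example that is not the poster's code: the bill template becomes one anchored regular expression, anything not matching is refused, (foo) is capped at 10 characters and checked against a customer list, and (amount) is digits only. The customer names, the 10-character cap and the sample messages are constructed for this example. As the post notes, this narrows the channel but does not close it: a leaker who can add customers, or who encodes a message in the digits of (amount), still gets something through.

```python
import re

# The bill template from the post, enforced as an anchored regular expression.
# (foo): letters and spaces, at most 10 characters. (amount): digits only.
BILL_FORMAT = re.compile(
    r"^Dear (?P<foo>[A-Za-z][A-Za-z ]{0,9}), You owe us (?P<amount>\d{1,8})\. "
    r"Send it soon or die\.$"
)

# Constructed customer list; the lookup the post suggests for (foo).
KNOWN_CUSTOMERS = {"Meyer GmbH", "Schulz AG", "Huber"}


def check_outbound(message: str, customers=KNOWN_CUSTOMERS):
    """Return (allowed, reason) for one outbound mail body.

    Anything that does not match the template is refused outright, which
    also drops attachments, CC lists and free text. The customer lookup only
    helps if the person leaking cannot also add rows to the customer table.
    """
    m = BILL_FORMAT.match(message)
    if m is None:
        return False, "message does not match the bill template"
    foo, amount = m.group("foo"), m.group("amount")
    if foo not in customers:
        return False, f"unknown customer {foo!r}"
    if int(amount) == 0:
        return False, "zero amount is not a bill"
    return True, "ok"


# Constructed messages: one legitimate bill and several leak attempts.
SAMPLES = [
    "Dear Meyer GmbH, You owe us 4200. Send it soon or die.",
    "Dear Meyer GmbH, You owe us 4200. Send it soon or die.\nPS: customer list attached",
    "Dear Huber, You owe us 12AB. Send it soon or die.",
    "Dear Competitor Inc, You owe us 1. Send it soon or die.",
    "Dear Schulz AG, You owe us 0. Send it soon or die.",
]


def check_all(messages=SAMPLES):
    """Run the check over a batch and return the verdicts in order."""
    return [check_outbound(m) for m in messages]


if __name__ == "__main__":
    for msg, (ok, why) in zip(SAMPLES, check_all()):
        print("ALLOW" if ok else "BLOCK", why, "|", msg.splitlines()[0])
```

Note the regex is anchored at both ends and matched without MULTILINE, so a trailing line added after the template fails the match; that is what keeps the "PS:" sample out.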
Stego (Score:2)
Re:what's so bad about sniffing? (Score:1)
(Electric death chairs would be too.)
Although really, this [slashdot.org] post is the only decent one i've seen so far. I give it my approval.
This is company data, on company property. (Score:2)
If you need to watch for confidential data leaving the company over the corporate network, then you do it. The data is all the company's anyway. You aren't running a public ISP where customers expect that you aren't slurping CC numbers. Or a phone company where people expect to be able to share their woes without it becoming public knowledge.
Now, if you're concerned that by monitoring the company's data you'd be exposed to confidential information that you feel would be detrimental if you had access to, then you need to go to your management and talk to them about it. I'm sure they'd be more than willing to do anything they can to make it possible to do your job without you being responsible for keeping secrets.
-Brent