
Unintrusive Traffic Content Monitoring?

fuzzybunny asks: "I've recently been given my turn in the bucket as head tech guy at a startup in Germany. We deal with backend monetary transactions for companies that need to send bills, and as such handle large quantities of personal and confidential financial information. I've been informed that in order to comply with financial due diligence laws here, as well as to guard against sabotage by angry employees (not that we have any), I have to figure out some way to sniff outbound network traffic for stuff that's not supposed to leave the company network." Internal security is something all network administrators will have to deal with at some point or another. Are there methods they can employ to ensure that data that's supposed to stay in the network isn't encouraged to take a nightly stroll somewhere it isn't supposed to, without excessively violating the privacy of the users?

"I realize that someone who wants to get confidential information out can easily circumvent any technical measures (copy to floppy, encrypt mail, print out, etc.) However, the idea here is to force someone to take that extra willful step.

Given that I categorically refuse to sniff general network traffic, block URLs, or generally look over people's shoulders, I am looking for a solution that lets me automatically watermark non-ascii files and just sniff for certain binary strings on outgoing traffic, while keeping any non-matching traffic completely anonymous. Any ideas on this?"

  • by jpowers ( 32595 ) on Friday September 15, 2000 @02:25PM (#775538) Homepage
    Set up a proxy server and force all outbound traffic over it. Tell the users it's to filter for Outlook viruses or some (.V)BS. Shut down all but a few ports, then run a packet sniffer to watch the ports you open. The proxy server has to be able to handle all the traffic, so if you have a LAN/WAN setup, you can use the proxy as a gateway between LAN servers and WAN/external traffic (so it won't slow down the outside users' access to your webpage).

    We already do this (though the packet sniffer's for diagnostics only): LAN w/NT server+100 clients, proxy w/sniffer to get through to the WAN (Sun SPARCs for DBASE and web server), then another "standard" firewall out beyond the WAN to get to the internet. That way they have to get through two firewalls to get to our files from outside, and the inside users get their files scanned on the way out. Non-intrusive as we could make it, once the machines are set up for proxy the users don't know the difference. The packet sniffer's a 10-year-old SPARC classic, so we're not talking about major investment of $$$ here.

    -jpowers
  • Probably the first comment would be to step back from your high-end security consultants and go think for a while. You will probably come up with the same thoughts, some better thoughts, and quite a bit less money. Too many security consultants are stuck in the mindset of drastic measures and models that they know do not work, such as the "Adam/Eve" security model. Most thieves are stupid. They email stuff.

    1. Recognize you are stopping casual abuses or last minute abuses. You are trying to stop the fired sales person from taking the entire client list, not the clever system admin from hell. Set your thoughts accordingly.

    2. Make written security guidelines for your company. For example, one large company that shall remain nameless, even though it's Sun, makes every new employee watch a fifteen minute hokey video showing a team talking about confidential problems in public, leaving notes on white boards, and even letting ex-employees use the system. Also, they make a couple of levels of confidentiality ("MyCo Confidential", etc.). This cuts down on the accidental mistakes.

    3. Ignore incoming traffic. You can't do a good job on it anyway.

    4. Have your DBAs remove the old "print all to file" type commands in your applications. The only remaining use in most corporations is to take a copy of the client list, account list, or whatever.

    5. Log, copy, encrypt all outgoing email that hits matching criteria. Criteria include greps "MyCo Confidential" and size (>2Mb) and time (weekends, midnight to 5 a.m.). Yes, it can be a pain, but you've got to keep those drive makers happy. Email isn't time or space critical but is the first tool of the thief.

    6. Close off access to outgoing ftp. Normal mortals can use the browsers. Others should need permission.

    7. Page the SysAdmin if any one user sends over 100MB of outbound traffic in a 24 hour period.

    Yes, this will be a good due diligence level of protection, and may catch anyone who tries something. No, James Bond wouldn't break a sweat.

    Cheers!

    [shameless plug: Give money at www.truegift.com]
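    The mail-triage rules in points 5 and 7 above, written out as a small Python filter. This is an added example, not code from the post or from any Slashdot reader; the senders, timestamps and message text are constructed, while the "MyCo Confidential" marker, the 2 MB and 100 MB thresholds and the midnight-to-5 a.m. window are the post's own criteria.

```python
"""Rule-based triage of outbound mail (constructed example for points 5 and 7).

Every message is checked for:
  - the classification marker "MyCo Confidential" in its text,
  - a size above 2 MB,
  - a sending time on a weekend or between midnight and 5 a.m.,
  - the sender exceeding 100 MB of outbound mail within a rolling 24 hours.
Messages without any flag are not recorded, so ordinary mail stays unlogged.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MARKER = b"MyCo Confidential"
SIZE_LIMIT = 2 * 1024 * 1024          # point 5: larger than 2 MB
DAILY_LIMIT = 100 * 1024 * 1024       # point 7: more than 100 MB per sender per 24 h
QUIET_HOURS = range(0, 5)             # point 5: midnight to 5 a.m.


@dataclass
class OutboundMessage:
    sender: str
    sent_at: datetime
    size: int          # bytes on the wire, as the MTA reports them
    text: bytes        # decoded body and attachment text that gets grepped


@dataclass
class MailTriage:
    # per-sender history of (sent_at, size), oldest first, for the 24 h window
    history: dict = field(default_factory=lambda: defaultdict(deque))
    log: list = field(default_factory=list)

    def content_flags(self, msg: OutboundMessage) -> list:
        flags = []
        if MARKER in msg.text:
            flags.append("marker")
        if msg.size > SIZE_LIMIT:
            flags.append("size")
        if msg.sent_at.weekday() >= 5 or msg.sent_at.hour in QUIET_HOURS:
            flags.append("off-hours")
        return flags

    def volume_exceeded(self, msg: OutboundMessage) -> bool:
        # Messages must be fed in chronological order for the window to be right.
        window = self.history[msg.sender]
        window.append((msg.sent_at, msg.size))
        cutoff = msg.sent_at - timedelta(hours=24)
        while window and window[0][0] < cutoff:
            window.popleft()
        return sum(size for _, size in window) > DAILY_LIMIT

    def process(self, msg: OutboundMessage) -> list:
        """Return the flags for one message and log it if any rule matched."""
        flags = self.content_flags(msg)
        if self.volume_exceeded(msg):
            flags.append("volume")          # point 7: page the sysadmin
        if flags:
            self.log.append(f"{msg.sent_at:%Y-%m-%d %H:%M} {msg.sender} "
                            f"{msg.size}B {','.join(flags)}")
        return flags


def run_sample() -> list:
    """Feed constructed messages through the triage; returns the flags per message."""
    mb = 1024 * 1024
    sample = [
        OutboundMessage("alice", datetime(2000, 9, 15, 14, 25), 10_000,
                        b"Quarterly numbers attached, see you Monday."),
        OutboundMessage("alice", datetime(2000, 9, 15, 15, 0), 20_000,
                        b"FYI: MyCo Confidential - customer list draft"),
        OutboundMessage("bob", datetime(2000, 9, 17, 23, 0), 3 * mb,   # Sunday night
                        b"backup of my home directory"),
        OutboundMessage("bob", datetime(2000, 9, 18, 10, 0), 98 * mb,  # Monday, 101 MB in 24 h
                        b"more files"),
        OutboundMessage("bob", datetime(2000, 9, 19, 10, 1), 1_000,    # window has rolled off
                        b"lunch?"),
    ]
    triage = MailTriage()
    return [triage.process(m) for m in sample]


if __name__ == "__main__":
    for flags in run_sample():
        print(flags)
```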
  • Are there methods they can employ to insure that data that's supposed to stay in the network, isn't encouraged to take a nightly stroll somewhere it isn't supposed to without excessively violating the privacy of the users?

    As the case of Dr. Wen Ho Lee showed, this is impossible - even for (supposedly) ultra high security installations like the U.S. nuclear research labs.

    All you have to do is download to a tape or floppy and walk out with the info. If the person doing this is actually a criminal or spy (as opposed to Dr. Lee - who called tech support to help him figure out how to do this), it is pretty trivial for them to prevent this from being detected.

    Yes, there are dozens of basic security procedures that can catch the idiots, but you will never catch anybody who knows anything about computers.

  • by Anonymous Coward
    First of all, try to identify what kinds of data must never leave the network. Place this data in a "security zone" within your network that is not allowed to initiate transactions to systems outside of the zone.

    Users requiring access to this data must authenticate in a manner that places their system in this zone. Things like Cisco's URT can do this. It will place the user's switchport in the security zone vlan. The user can then view data but not initiate connections outside of the network zone.

    At some point you must trust people. The bottom line is that there is no way that you can be POSITIVE that a user did not authenticate into the secure net, take a screenshot of some data, save it to their local machine, encrypt it with PGP and send it out. You are never going to be able to detect this kind of theft of data by sniffing traffic because the user obtained it in a legitimate manner and the screen dump was done on their local machine and not over the net.

    Using such things as httptunnel, one can use a web connection to tie your internal net to another outside net without you doing much about it. You will not be able to tell this traffic from normal web traffic. Heck, you can hack the prog to make the TCP/IP information look like it is in .gif files moving back and forth if you want to.

    The thing to do here is to stress that transmitting of private company information is subject to immediate dismissal and possibly a civil suit.

    The best security is at the door. Hire people you can trust and put systems in place so that it is very difficult to send private data out. Make it difficult or impossible to send such data by accident. Problem is, if a user can display it to their screen, they can get it out of the network if it is possible for them to send outside email or browse the web from their workstation.

    No lock will stop a thief, they only serve to keep honest people honest.
  • But remember, the issue is that IT must do proper diligence to ensure that data does not leak, in order to meet with financial regulations.

    You only need to go as far as necessary to meet regs.
  • As an IT person, I may look at people's surfing habits, but only out of idle curiosity.
    Perhaps if I noticed they surfed what I thought was an awful lot, I might poke my nose into what they were surfing.. and then poke my nose into whether their boss is happy with their performance or not.

    Why? I firmly believe that the bottom line is, the employee has been hired to do a job. If he is doing that job to the satisfaction of those responsible for his position in the first place, I don't *care* how much he surfs.
    You hit it on the head when you said 'provide data supervisors needs to see'... if they need to see it. If they have issues with their employees not working out, they can come and ask.
  • You missed the point.
    The point wasn't that you could reclaim your damages.. the point was that employees who are run through proper security audits, and forced to sign proper documents indicating the penalties for disclosing confidential information will tend to RESPECT THAT, as opposed to simply putting in a 'technical' solution.
  • Problem is, I can't really restrict access to the data.

    The sales guys need access to the customer data. The logistics people have to be able to get at our order database via SAP. The accountants need access to the billing database. Tech guys have to be able to read network diagrams and many of us will have to be able to read internal proprietary strategy documents...

  • by mindstrm ( 20013 ) on Friday September 15, 2000 @08:25PM (#775546)
    And..
    Don't publish your security methods openly.
  • Well, I disagree. I am paid to perform a function. Some days that takes me 16 hours, some days 3. If I want to surf or DL porn fsck anyone who doesn't like it as long as *I* take great care of our clients who need service, when they need it. All the company has a right to expect out of me is the performance of my job. If they want to motivate me then stay the hell out of my emails, web log etc; I can go to a competitor or into biz for myself and they know it. Companies talk about "intrapreneurship", hey part of that is getting the sysadmin/MIS or whoever the hell it is to go take a vacation, a VERY long vacation, as in don't come back until something crashes. I treat our customers like they are Gods, and I do it in a cost effective manner, ask anything else from me and I'll stick a harddrive up yer a**.
  • after we stuff you krauts full of McDonalds there won't be much difference, will there?

    If I have to suffer by eating this shit then so do you.
  • it's nothing your average school kid couldn't circumvent.

    Yes, and that is also basically mentioned in the article text. Anybody is going to be able to get past this system, but the thing is that then they're going to have to take that extra step knowingly, so they can't claim they mailed that sensitive data out unknowingly, because they would have had to take extra steps to make sure it wasn't caught immediately by the filter. Thus, the filter only has to block obvious way of data smuggling, to make the company stand much stronger in court if somebody does smuggle data out, because the employee can't possibly claim he did it by accident.

    They must be trusted in order to do their jobs properly.

    Yes, of course, but there's a rotten apple in every box. Of all the people I know who work at the company I work for, I wouldn't think they'd be thieves, yet still quite regularly stuff is stolen if it's not locked down. Very sad business...

    Unfortunately, as a company, no matter how much you trust your employees, it's a given fact that at least one of them will at some point try to screw you. You can either wait around to be screwed, you can try to prevent being screwed (which is generally very invasive, inefficient and expensive) or, as this company is doing, you can try to increase your chances of finding out when somebody tries to screw you and increase your chances of taking successful legal steps against them.

    In terms of monitoring outbound traffic for sensitive data, well, forget it. Heck, even compression will ruin pattern matches.

    Ah, yes, but even compressing the sensitive data will be that extra willful step. Somebody could theoretically accidentally attach a sensitive file to an email message and send it out. It is however not necessary to compress or encrypt such sensitive data for internal use (I presume), so sending out encrypted or compressed sensitive data is that extra willful step, and when you do detect a leak and find the person responsible, he can't claim in court that it was an accident. Yes, even in that case he'd still be responsible, but it could be considered negligence rather than a criminal act.

    )O(
    Never underestimate the power of stupidity
  • Ummmm, did you read the article text at all? There is no intention to prevent any and all kinds of sensitive data leaks, just the most obvious ones so leaks can't happen accidentally.

    )O(
    Never underestimate the power of stupidity
  • If the data is really sensitive, you might consider the old 'air gap' solution; have a private network that isn't connected to the outside in ANY WAY, and then an external network that employees use on a day-to-day basis. If you put that network on a hub, or on a switch that supports mirroring, you should be able to monitor all traffic on that private network (assuming you don't exceed, in aggregate, the bandwidth on your monitoring port if you're switch-based) and ensure that no foreign MAC addresses show up on the network, and that all the traffic stays local. You can't, of course, control what users do with things like floppy disks.

    Sure you can control what people do with floppy disks: have computers without floppy disk drives. Of course this applies to all other removable media. If you need removable media, then make sure that access is limited to authorized individuals only (via physical security methods).

    But, you still can't control what people do with information they see. If I find out that Joe Sixpack has $500,000 in his account, there is NOTHING to stop me from taking that information from the internal, private network, and typing into the external network connected to the Internet.

    The only way to be absolutely sure that NO data gets out is not have any external network connections at all. People will at least have to PHYSICALLY walk this stuff out the door.

    It all goes back to the old adage: information wants to be free. :)

  • I think you have a nice point going here, but, you can only prosecute someone when you know that they have taken the information. Therefore, as I'm sure you know, you've got to catch them. It follows that, to catch them, you have to have some sort of mechanism, some sort of trigger, that will notice when they do try something on you. Of course, that's what the rest of the (non-troll) posts on /. are about in this discussion. They'll figure out the best way to do that (well, they're trying, anyway), so that you can employ their ideas behind your prosecution scheme).

    And hopefully it will all "work out in the end."
  • I would feel violated if my personal transmissions were searched without my knowledge

    This is something I have a serious problem with. As far as I'm concerned, whatever employees are doing on MY network is company's business... There is no such thing as personal information on my turf.

    Call it overly restrictive, but in the business I'm in (security/alarms) you cannot afford to have "rogue" information travelling. It is ground for immediate dismissal. Employees get a free HOME internet access as part of the package, but on the job, we dont pay them to surf personally.

    I've seen too many people taking the company's line for granted. It costs money. Money that could be use to get me a raise.

  • Ah I think I see -- you want to avoid the excuse of "It was a computer accident". A very credible defense.

    I don't think there's a universal solution for watermarking -- all binaries have different formats. But there are solutions for each different file type. In an MS Word document, for instance, you could embed a hidden macro.

    Then your proxy scans all outbound attachments and simply rejects & logs any that contain any one of a series of watermarks. Tags, really because watermarks are designed to be irremovable.
    Everybody is warned that they need prior approval before transmitting data outbound, even to themselves at their home ISP. There is a small chance of false positives with this system, that's why you log and evaluate before taking action on proxy rejects.
  • This strikes me as kind of scary that this is an "Ask Slashdot." It sounds to me like the first thing you need to do is go hire a good security guy from a financial institution (bank, credit card, etc.). I worked with a guy that did security at Citibank and I'm amazed at all the things they did to minimize their exposure to threats like this. Check those references real good.

  • I think you're overlooking what he's saying here. The idea isn't really to prevent data theft as you would agree is pretty hard to do with someone looking over the employees' shoulders all the time. The idea is to make the employees have to go the extra mile, to "take that extra willful step" as fuzzybunny puts it. This makes a lot of sense from a legal standpoint.

    Imagine that the "disgruntled employee" starts emailing credit cards to his home address (yes, this would be stupid, but it's just an example). Now if the company catches the employee doing this, he's going to get in trouble, but the employee can always say "oh gee, oops. I must have accidentally sent sensitive information. I'll try to be good next time."

    On the other hand if the company routinely sniffs for credit card numbers (or whatever info) and announces this policy to its employees, then the employees know they're going to have to be craftier than email. So when Joe Employee encrypts the credit card numbers and sends them home, and gets caught, he's going to be in a lot more trouble than had he just emailed it and gotten caught.
  • by SIGFPE ( 97527 ) on Friday September 15, 2000 @02:38PM (#775557) Homepage
    Most transactions that are legitimate involve large numbers of small batches of outgoing data and larger amounts of incoming data (using realaudio, downloading useful software, reading slashdot). Transactions that are frowned upon (eg. sending out images (our job, as a company, is to make pictures)) involve lots of data going out. So the solution I came up with was to throttle data going out to 3K/s for the entire company (50-60 people). (Mail and incoming http is through a server or proxy so isn't counted in this.) Everyone seems happy now. This isn't something that will work for most people but for those in the situation that the items of value are rather large (many megs) it seems to work well. Of course someone can keep an ftp connection open for many hours but (1) everyone would rapidly notice if someone does this excessively and (2) outside work hours (8am-8pm approx.) all IP traffic from individuals to the outside world is throttled to 0K/s. There's no point being 100% secure - people can hook up an external drive to their PC or even photograph images on their screen using a digital camera.
    --
  • The topic of MIS watching the actions of the company's employees is one that comes up often. We usually come back to one main point: a bad employee is a bad employee and by the same token a good one is a good one. Therefore we sniff packets, track URLs, watch phone usage, scan time clock entries and many other things. However the results of these are taken with a grain of salt. We, as IT people, know how much web surfing is cool, but we also know that 2 hours of your 8 hour day is a little excessive unless you have an internet intensive job. All of this data is only useful for two reasons: one, to spot employees' work habits that should be checked by supervisors, and two, to provide the hard data that a supervisor needs to show what they already know.

    I think you should be less concerned with the actual process and just be careful that the results are appropriately interpreted.

  • by Malor ( 3658 ) on Friday September 15, 2000 @03:02PM (#775559) Journal
    Your fundamental goal -- allowing anonymous, untracked internet usage, while simultaneously being *absolutely sure* that unauthorized data isn't getting out -- is impossible.

    The traditional method of access control in this sort of circumstance is a proxy-style firewall. However, I don't know of any proxy firewalls that can inspect for specific content. They can check for correctness of protocol data, but I don't know of any way to set off klaxons and call the police if the user manages to embed today's secret word in an HTTP:// request.

    You definitely can't use packet-level firewalls for this purpose, even stateful inspection ones, because users can bury any data they want in traffic bound for, say, port 80. It doesn't have to be just HTTP. Packet-level firewalls just work on port pairings. Example: if I were ever in a network that refused me access to my home machine, I'd probably just tunnel through port 80, which is open 90% of the time. A proxy firewall would stop that: a packet firewall will not.

    It might be possible to custom-code an outbound content filter into an open-source proxy like Squid. Squid isn't a firewall, so you'd probably have to dual-home your Squid box (to make it the only way out) and then have a firewall between it and the outside.

    Even at that level, it would still be possible to sneak things out. Almost any system that allows two-way communication can have arbitrary data inserted into the data stream in a way that is very inobvious to even a savvy network admin. Just a few days ago I saw a method to tunnel IP networking over DNS requests. (seriously). I think it was probably posted here on /. if you're interested. Good luck catching THAT with a sniffer. :-)

    What this all boils down to is this: if you allow any form of two-way communication into your network, then employees can get data out. Period. And there's no way you can know what it is without extensive and highly sophisticated pattern analysis.

    If the data is really sensitive, you might consider the old 'air gap' solution; have a private network that isn't connected to the outside in ANY WAY, and then an external network that employees use on a day-to-day basis. If you put that network on a hub, or on a switch that supports port mirroring, you should be able to monitor all traffic on that private network (assuming you don't exceed, in aggregate, the bandwidth on your monitoring port if you're switch-based) and ensure that no foreign MAC addresses show up on the network, and that all the traffic stays local. You can't, of course, control what users do with things like floppy disks. However, having the separate high-security network will let you monitor intensely enough to be aware that a given employee is accessing data they don't normally need access to. At least, it can do that if you're willing to put the effort into writing/customizing the monitoring tools. Definitely a non-trivial effort.

    If you can't build two networks, then you probably shouldn't even bother monitoring. It won't do you any good. Anyone out there with a real clue will waltz right past any protections you might set up.

  • You can't stop the "bad" traffic without also viewing some of the "good" traffic. If people want to work in a company that deals with sensitive financial information, they should be able to deal with the fact that the emails they send while at work are not confidential. If not, they should leave. This isn't a platform for some crusade against censorship, it's people's personal financial information you're talking about - information that could severely damage them in the wrong hands (like, a bank for instance ;).

    I find it disappointing that you're more worried about "conforming to the law" than about actually securing this information.

  • I think the best way to deal with this is a two step method. First set up a proxy that either prevents or limits the size of the files being transmitted. Then, set up your database with a uniquely patterned/formatted key (the characters won't matter, you'll see why). For instance if the key was always nnn%nn$$nn! (n=some character), then you could have your proxy search all e-mail and text files for a string that matches that formatted key. Because of the format of the key, it's unlikely you'll turn a false positive on regular e-mail and the such.

    As far as preventing authorized systems (in this case, systems allowed to transmit binary files) from sending out confidential data, you could look into encrypted filesystems. I'm not experienced with these, but I wouldn't imagine it to be too hard to force everything binary from that filesystem to remain encrypted if transferred from that filesystem. However, like I said, I don't know too much about encrypted filesystems.


  • First of all, this is a German company we're talking about. Germans aren't as sue-happy as Americans.

    Second of all, German banks are required to take due precaution against leaking of sensitive data, so sensitive data can't be sent out accidentally, and so that people guilty of leaking data can't claim in court that it was an accident.

    It's stunning how many people don't actually read or interpret the article text. They don't want to block all possible ways of leaking information, because that's impossible, they just want to block the most obvious ways of leaking information. They don't want a legal solution, they want a technical one.

    In all the posts in this thread that were moderated up, there were only two or three that are actually relevant to the article text, all the others, including the parent of this message, are based on misinterpretations of the article text and thus useless.

    )O(
    Never underestimate the power of stupidity
  • by Enoch Root ( 57473 ) on Friday September 15, 2000 @03:28PM (#775563)
    I know, I know. Every geek tends to answer a human problem with a technical answer. I should know, I worked for one year as a CSO for a large company. (Won't say which, but suffice to say it's a subsidiary of Canada's largest e-commerce firm.) The answer, in this case, is simple:

    Put a use of confidential information clause in their contract, and threaten to sue them to hell should they ever breach it.

    Now, you may not like this. It's not pretty. But that's the way to do it. If you try to patch the system with a technical solution, they'll never respect it, because hackers figure if they can find a hole, it's their god-given right to exploit it. But trust me, every script kiddie gives up his tactics when he's slapped with a FBI (RCMP in Canada) search warrant and threats of legal action. Ditto with employees.

    This way, you won't even have to bother with configuring your system. Just sue one guy as an example to others, that works well also. It may not be really cool; but trust me, it's effective.

  • Turn off the computer, pull out that old Pen and Paper. No need for firewalls then!
  • Bottom line is if they're doing it on a company machine, during company time, and on company bandwidth they have no right to privacy. Anything that is in their home dir is property of the company and can be handled as such. Anyone who thinks otherwise is foolish IMO. Not to say you should go around peeking at their email, but the fact still remains that all the parts involved including the individual belong to the company that owns them.
  • Hi there,

    I posted this question and I appreciate the responses, but I think a lot of people didn't catch the gist of what I was asking.

    It's a comparatively easy task to secure my network from external threats; that is a combination of good product choice, intelligent design, clued configuration, and conscientious administration and monitoring.

    I also know that I don't have a hope in hell of technically leak-proofing my network from the inside-out. That problem indeed is not a technical one. That's why I'm not sniffing general network traffic; our usage policy is something like "don't be an asshole." If people are abusing resources, we indeed have other problems.

    What I'm trying to do is to address a specific eventuality as required by some of the compliance laws here. Assume a guy is pissed off or leaving for a competitor. He wants to mail/ftp/netcat/ whatever out a customer database or internal documents. We have watermarked our files; he knows this, but doesn't know exactly how, so he will need to encrypt the data, print it out, put it on a tape, write it on his hand, whatever.

    The point is to force him to consciously, wilfully take that extra malicious step. That way, under compliance laws, we can say that we exercised due diligence to the best extent possible without impacting our productivity by doing all kinds of crazy paranoid stuff like keystroke logging or chaining people to their desks.

    So once again, the question is: is there some mechanism by which we can automatically embed some sort of watermark in any non-ascii file (database, ms word doc, etc.), send all outgoing traffic through a layer 5-7 proxy, and just sniff for that single watermark string?

    All replies are appreciated.

  • Ok, two points - First, I think you are misunderstanding what I mean when I say that employees must be trusted. What I mean is that in order to perform job X an employee must have access to sensitive data Y. In such a case a de facto trust relationship is established. Yes, of course, you want to limit the employee's ability to violate that trust as much as possible, but it still must exist for them to do their job.

    Secondly, a company shouldn't need to create an "extra step" to protect itself (a specific filter, etc, as you suggest) in order to strengthen its case in court if it has taken the proper precautions in enumerating the sensitivity of the data, as well as having employees read and sign (in the presence of a witness, who also signs) confidentiality agreements, sensitive data handling procedures, etc. In the end, these documents will be far more valuable to a legal team than an error-prone, scattershot, scanning tool (which might even be used by the defence to draw focus from the actual data theft to privacy issues, etc.). If such a scanning system had any chance of helping against an actual theft, I would not be so down on them. However, anyone actually trying to steal anything for malicious purposes is likely to either a) disguise that data as something else or b) just carry it out of the building on media. Let's not forget that theft was going on long before the internet.
    --
  • Hey,

    This is pretty much up my alley. Are you aware of any non-format-specific methods of inserting binary strings in non-ascii files (Oracle DB files, visio datagrams, etc.)?

  • Exactly what I'd write if you hadn't written it. Too bad I don't have any moderation points atm.
    ----
    Remove the rocks from my head to send email
  • Are the moderators on crack or something?

    Oh, this is slashdot. Of course they are :)

    A post that preaches security through obscurity and it gets (Score:3 Insightful)...

    I dunno :)
  • Where would YOUR network be without YOUR workers? Remember that just because you pay their wages doesn't mean you own them. If you don't trust your employees to use work facilities reasonably should you be employing them in the security industry?
  • Of course security through obscurity is pure evil, but you don't go and publish the fact that you will be looking for exactly 100MB of traffic or more outgoing in a certain period!
    I'll leave it as an exercise to the reader to figure out exactly why (duh).

  • You could always proposition the FBI to rent out a Carnivore, or whatever they're calling it this week, box to stick on the wire. This would allow you to "selectively" monitor content.

  • But, you still can't control what people do with information they see...

    Well, they can't tell anyone if they aren't allowed to leave the office. Just set up some cots in a spare office, and they can sleep there. Have a cafeteria so they can eat, and give them free coffee. They can only be married to other employees (if they ever want to see their spouse), and their kids will have to go to the company schoolhouse where they can learn to code and become productive by the time they're 10 years old (you could also breed out concepts such as freedom with the right schooling). Anyone caught trying to leave will be taken to the department of love for permanent dismissal...

  • As somebody else pointed out: most binary files can be watermarked but the method will be different for each type. You'll have to identify all data types that can potentially hold sensitive data, implement a watermark for each, and then implement the checking in your firewall/proxy/ipmasq/whatever.

    An alternative (especially if your key files change fairly infrequently) may be to store a hash value for all critical files and check that on outbound attachments etc.

    Databases are a problem: it's hard to see how you can prevent people from doing a bcp of all the data and sending it. Two things may help: (1) make sure all database activity is logged and (2) include a few dummy database entries that you can search for (e.g. username 'faisifopida' or whatever). Just make sure your applications filter the watermark data out.

    Oh, and you'll need to keep the method(s) you employ secret. That sucks and means you'll need to employ several methods at the same time.

  • Geez. You don't even know how to stick up for your nationality! No wonder all you can do is complain about others. How would selling German Tech to the Russians make me eat Jewish food?
    And no-one is "forcing" anyone to do anything. The whole point of McDonalds is that you are stupid enough to eat it yourself.

    Stop looking in the mirror and saying you don't like everyone.
  • Think about it.
    I didn't say 'security through obscurity is good'. That's a blanket statement, and security CANNOT be summed up so simply.

    Is security through obscurity good? Well.. when it comes to holes in software... apparently not. More eyes = faster discovery of problems, and faster fixes.

    However.. if I run a server where ALL the daemons are custom written, and NOBODY has the source, how can you tell me that my site will be 'more secure if I publish the source?'. It sure as hell won't be. Nobody would have a clue where to begin.

    One of the first tenets of security is to not divulge how or what your security measures are. If you do, you simply help someone in figuring out how to avoid your measures.

    If security through obscurity is so bad.. why doesn't every firewalled network publish a diagram of their internal network, complete with passwords and firewall configurations? I mean, otherwise they're being 'obscure' right?

    Sheesh.
  • Like Purdue's CERIAS center (Center for Education and Research in Information Assurance and Security)

    http://www.cerias.purdue.edu [purdue.edu]
  • Well the company owns any traffic going through their network since while at work you are, well, on their time. I mean if you're at work using company computers, the company has the right to restrict the use of or monitor the use of their network and hardware.

    That said, i have a sniffer running monitoring my network for intrusion attempts only, i don't daily sift through logs nor want to. I will search the logs for something specific, say a certain user's stuff or a certain file if needed.

    As for blocking specific traffic in realtime, that becomes more difficult: you'd need to modify your firewall to block packets containing some sort of data. I've never done this, but i'm sure it is possible; practically, cost-wise, i can't say. How much traffic are we talking here?

    You say it's financial data being passed; honestly when it comes to that much money for that many ppl, employees' privacy takes a back seat to covering your ass and protecting your clients' money. Would you want to be responsible, however indirectly, for someone losing all their money or, say, a million dollar screw up?
  • by Chiasmus_ ( 171285 ) on Friday September 15, 2000 @01:11PM (#775580) Journal
    If someone is really smart and wants to steal or transfer company records behind your back, he or she will find a way. It can be disguised, routed through unusual channels, encrypted, or even sent out in screen shot format as a bunch of JPGs.

    If, on the other hand, they're an idiot, and sending the stuff out either recklessly or accidentally, you don't need technology to handle it. Either look over their shoulder once in a while, or get them drunk.

    So, do what companies always do: the bare minimum required to meet legal standards, and grudgingly, at that.
  • by LaNMaN2000 ( 173615 ) on Friday September 15, 2000 @01:14PM (#775581) Homepage
    If I were in your position, I would ensure that no outbound traffic travels on non-standard ports that have not first been registered with IT (to prevent DDoS clients from being installed/managed, BackOrifice from being installed, etc.). Also, I think that installing an automated scanner for e-mail, prohibiting attachments larger than a certain size, etc. would be prudent. Personally, I would not find it invasive if I was told, as an employee, what type of e-mail would raise a flag with the automatic scanner and ensured that my mail would not be read by another human being unless it was potentially dangerous.

    Basically, the most important thing, from an employees perspective, with network scanning is full disclosure. I would feel violated if my personal transmissions were searched without my knowledge, but I think most people would understand the need for tight security given the inherent insecurity of an Internet connection.
  • by kabir ( 35200 ) on Friday September 15, 2000 @01:19PM (#775582)
    Ultimately there is no good solution to this sort of problem. Various technologies have been developed (usually in concert with a government) which allow data to be labeled, etc. While there are some rudimentary barriers to moving around labeled data, it's nothing your average school kid couldn't circumvent.

    The truth of the matter is this: you have chosen to trust your employees (at various levels). They must be trusted in order to do their jobs properly. If they choose to violate that trust, you will be unable to stop them.

    Now, it is possible to make that sort of thing much more difficult, but the methods are not terribly reasonable, and usually incompatible with business practices.

    In terms of monitoring outbound traffic for sensitive data, well, forget it. Heck, even compression will ruin pattern matches. Better to simply spend more time evaluating how trustworthy potential employees are before hiring them into sensitive, high access positions. Get background checks and be a good judge of character.

    Oh, and cross your fingers.
    --
  • by Enonu ( 129798 ) on Friday September 15, 2000 @01:22PM (#775583)
    ALL other solutions are either impractical or can be circumvented, perhaps by just pencil and paper :)

  • have you looked at snort? this package listens on a given interface and compares each packet with a kind of regexp. the language is *very* easy to pick up, so you should be able to write rules that notify you of anything that is blatantly private information, without a human ever seeing anything private.

    OTOH, make it known (ie, via posters, memos, etc) that any employee that violates your "terms of service" will be met with dire consequences. invoke any legal power that you can, and don't be afraid to scare people.

    if it were my decision, i'd use snort (or similar tool) alone. telling people what you don't want them to do is a great way to get them to do it.

  • by Anonymous Coward
    Why not just ask everybody politely to not send out such data to anybody else. That should work.

    Of course, if you need more ideas, i suggest this site [ntk.net]

  • As mentioned previously, there is theoretically no way of ensuring that someone isn't passing something out, unless they try to send it in plain form. Perhaps what you should be worrying about instead is where the information is headed to. Again, this can be a daunting task, but with a simple histogram of all the sites that are sent data packets (all protocols, since, as has been shown, spoofing is easy), you then at least have the ability to question where large quantities of data might be headed. Certain 'trusted' sites might be ignored (e.g. slashdot.org), while other sites (e.g. 207.43.24.32) should be more closely examined. If you want to get fancy, you might even be able to employ some statistics to find the relationship between someone sending data, and receiving data from these sites.

    All of this said, I believe to a certain extent using these methods not only is going to be more likely to catch possible offenders, but can also protect people's privacy. You are not explicitly examining the data people are sending out, but rather where large amounts of data are headed.
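    The destination histogram the post describes, worked through as an added example (this is not the poster's code). It totals bytes per destination from constructed flow records, drops a trusted list (an assumption), and questions destinations that are either far above the median volume or bare IP addresses with no name; only destinations and senders are reported, never payload contents.

```python
"""Per-destination byte histogram over outbound flow records (added example).
Flow records, the trusted list and the threshold factor are constructed
assumptions for illustration, not values from the thread."""
from collections import Counter
import ipaddress
import statistics

# Destinations never questioned (assumption, following the post's example).
TRUSTED = {"slashdot.org"}

# Constructed sample flow records: (source host, destination, bytes sent out).
FLOWS = [
    ("ws01", "slashdot.org", 12_000),
    ("ws02", "slashdot.org", 9_000),
    ("ws01", "mail.example.net", 40_000),
    ("ws03", "mail.example.net", 35_000),
    ("ws02", "207.43.24.32", 1_800_000),
    ("ws03", "198.51.100.7", 2_000),
]


def is_bare_ip(dst):
    """True when the destination is a literal address rather than a hostname."""
    try:
        ipaddress.ip_address(dst)
        return True
    except ValueError:
        return False


def histogram(flows):
    """Total bytes sent per destination, with trusted destinations left out."""
    totals = Counter()
    for _, dst, nbytes in flows:
        if dst not in TRUSTED:
            totals[dst] += nbytes
    return totals


def review(flows, factor=3.0):
    """Return {destination: {"bytes", "senders", "reasons"}} for destinations
    worth a closer look: volume above factor * median, or a bare IP."""
    totals = histogram(flows)
    if not totals:
        return {}
    threshold = factor * statistics.median(totals.values())
    findings = {}
    for dst, total in totals.items():
        reasons = []
        if total > threshold:
            reasons.append("volume")
        if is_bare_ip(dst):
            reasons.append("bare-ip")
        if reasons:
            senders = sorted({src for src, d, _ in flows if d == dst})
            findings[dst] = {"bytes": total, "senders": senders, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for dst, info in review(FLOWS).items():
        print(dst, info)
```

    The median is used rather than the mean so that one very large transfer does not drag the threshold up and hide itself; on a real network the flow records would come from the firewall or a NetFlow-style collector rather than the constructed list above.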
  • You can set up a VPN so that only your clients have access to certain parts of your network. I hear that Axent makes a good one. It comes with a firewall and free clients for the end user. Of course, I don't believe that any system is perfect, simply because people aren't perfect.
  • .. keep track of who knows what.

    If business critical data leaks out, and you know only a very short list of your top employees had access to it at the time of the leak, you narrow down your list of suspects a lot.

    You can tag text files by making small benign paraphrase changes to the text and giving each recipient a slightly different version, MD5'ed and tagged with the recipient's MAC address in the log when they download it.

    You can do this to images as well .. make small random changes to image files that don't change the appearance appreciably, MD5'ed and tagged with the recipient's MAC address as well.

    If a sensitive file shows up on a public site, MD5 the content and see if its digest matches that of one of the server accesses. If it does, the MAC address will tell you which machine downloaded it, which will tell you who leaked it in most cases, and there is your proof.

    This isn't hard to circumvent, but you can combine it with other approaches and keep quiet about some of them. Someone else said that there has to be some level of trust, and they're right, but deterrents like this have their place. If someone wants to leak information, they can do it, but at least you'll know when they do. That will stop most of them.
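    Two earlier suggestions in the thread (canary database entries and a hash register of critical files) and this post's per-recipient tagging, worked through together as an added example; none of this is code from the posters. The canary value, the critical file, the paraphrase slots and the recipient list are all constructed for the illustration, and the checks only return reasons and recipient names, so non-matching content is never retained.

```python
"""Outbound-content tripwires (added example): canary values, hashes of
critical files, and per-recipient document variants whose digests are
logged against the recipient.  All sample data is constructed."""
import hashlib
from typing import Dict, List, Optional

# (1) Canary values that exist only as tripwires (the dummy username from
#     the earlier post; constructed, filter it out of real application output).
CANARY_VALUES = [b"faisifopida"]

# (2) Hash register of files that must not leave the network (constructed).
CRITICAL_FILES = {"billing_export.csv": b"customer,amount\nacme,100.00\n"}
CRITICAL_HASHES = {hashlib.sha256(body).hexdigest(): name
                   for name, body in CRITICAL_FILES.items()}


def check_outbound(payload: bytes) -> List[str]:
    """Reasons an outbound blob trips a wire; an empty list means clean.
    Exact-copy hashing is deliberately narrow: a compressed or edited copy
    will not match, which is the limitation the thread points out."""
    reasons = []
    for canary in CANARY_VALUES:
        if canary in payload:
            reasons.append("canary:" + canary.decode())
    digest = hashlib.sha256(payload).hexdigest()
    if digest in CRITICAL_HASHES:
        reasons.append("critical-file:" + CRITICAL_HASHES[digest])
    return reasons


# (3) Per-recipient fingerprinting.  Each slot is a pair of benign paraphrases;
#     bit i of the recipient's index picks which one recipient gets.
PARAPHRASES = [
    ("Please find attached", "Attached please find"),
    ("as soon as possible", "at your earliest convenience"),
    ("Best regards", "Kind regards"),
]


def make_variant(base: str, recipient_index: int) -> str:
    """Apply paraphrase i of each slot according to the bits of the index."""
    text = base
    for bit, (original, alternative) in enumerate(PARAPHRASES):
        if (recipient_index >> bit) & 1:
            text = text.replace(original, alternative)
    return text


def fingerprint(text: str) -> str:
    """MD5 of whitespace-normalised text, so reflowed copies still match."""
    return hashlib.md5(" ".join(text.split()).encode()).hexdigest()


def distribute(base: str, recipients: List[str]) -> Dict[str, str]:
    """Return {digest: recipient}, the record the download log would keep.
    n paraphrase slots can distinguish at most 2**n recipients."""
    if len(recipients) > 2 ** len(PARAPHRASES):
        raise ValueError("not enough paraphrase slots for this many recipients")
    return {fingerprint(make_variant(base, i)): who
            for i, who in enumerate(recipients)}


def attribute_leak(leaked: str, log: Dict[str, str]) -> Optional[str]:
    """Name the recipient whose variant matches a leaked copy, if any."""
    return log.get(fingerprint(leaked))


if __name__ == "__main__":
    base = "Please find attached the draft. Reply as soon as possible. Best regards"
    log = distribute(base, ["alice", "bob", "carol", "dave"])
    print(attribute_leak(make_variant(base, 2), log))  # carol
```

    The whitespace normalisation covers the most common accidental change to a leaked text file; anything beyond that (a retyped paragraph, a screenshot) defeats the digest, so the log is a deterrent and an attribution aid rather than a guarantee, as the post says.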

  • In the Government on secure networks, everything is locked in rooms with very high security. There are no outside network connections and all access is controlled via cards/guards/cameras. Anything that goes into those rooms never leaves unless it is totally destroyed. I suggest you put your financial data on LANs not connected to the net whatsoever. Does it really need net access? Do the employees that work with that data really NEED net access? Sniffing the LAN over time might reveal some weird traffic patterns you might investigate, but at that point you might have already lost everything.. It basically boils down to this.. Not everything should be connected to the net. And buy PCs with floppy drives.. :)

    Mike
  • by kirwin ( 71594 )
    A friend of mine [fbi.gov] has the perfect solution. I am sure that he would be more than happy to co-locate one of their products [fbi.gov] with you, at no cost.
  • Just look for the binary sequence:00100100
    (the ascii code for ``$'')
  • by kirwin ( 71594 )
    Have you ever heard the expression: "You can't get blood from a turnip"

    If a person steals proprietary data for personal use, they either a. Don't care about the consequences, or b. are stupid. If a. is the case, then sue them, see what you can get out of them. Go for the Toyota Camry, and the $10K they have saved up. I am sure that will cover for the financial loss

  • I think you may want to try a different approach. A good security person knows that the more responsibility you leave to the end user, the more likely your system will fail. You don't make end users responsible for updating their virus protection, do you? Why? Because they might not update it. Although I understand what you are trying to do, and it is a good idea, the number of ways to subvert this type of monitoring are right up there with and related to firewall subversion. Fragment that packet with your watermark for 10 minutes and your system loses its signature. Solution: Why don't you just do it like M$ and put a hash of the MAC address into the documents, or get that hash for all your machines and look for that? Remember about 8 months ago? M$ put a hash of your MAC in *.doc files. I think you can probably find info at: http://www.junkbusters.com
  • you're interested in compliance laws and not the real issue of securing the theft of financially sensitive data.

    by watermarking the data i don't see how you've gone the extra mile. you're more interested in setting a trap than just moving the data out of reach. besides if you only watermark binaries, any text (uuencode/uudecode) will make it through.

    technically, the only place a watermark makes sense, would be in your own internal applications, if the application provided a screen shot capability.

    the obvious solution is for your applications department to use an encrypted database, and to restrict the use of applications. any requests for highly sensitive data beyond the insensitive client information should result in a log entry (and the app should let them know it is logging). if you have any applications that run multi-client reports or dump sensitive data, those should be requests that are actually run by your security team.

    now the only person you need to watch is the db admin.

    jim
  • Given that I categorically refuse to sniff general network traffic, block URLs, or generally look over people's shoulders

    What idiot gave you control of computer security?

  • A part of this article seemed to indicate the author felt uncomfortable about monitoring employees' email on the company networks. All employees should sign an Electronic Communications policy that clearly outlines the rules regarding the use of the computer, its lines, and the prohibition of installing or modifying software. This policy will also clearly word what may or may not be sent over the network, such as sensitive company data; this includes E-mail. This Policy will also inform users that at any time, users may be selected at random for a policy check. You can have a pop-up box appear every time the users log on to warn them of consent to monitoring. Companies have always monitored telephones, the calls made, length, and even listened in on employees. Employees knew that they were using the company phone on company time. So what is the difference in surfing or emailing from work? Just like I do not condone employees calling psychic or sex chat numbers on the company phone, I should expect that they will not download porn, pirated warez, or send inappropriate email. I leave my personal surfing and emails to be done at home, on my own ISP, my own computer. As long as you clarify the rules, there should not be any feelings of spying or snooping.
  • What's worse, if they have any wits at all, they'll at least compress big stuff before sending it out. You can probably manage a watermark that'll still be detectable after compression, but the compute requirements on the packet sniffer get really ugly if you need it to do that.
  • You said: "Hire people you can trust and put systems in place so that it is very difficult to send..or impossible to send such data by accident." A Network Security Administrator is just that person. Big companies put a security guard on their site to keep employees from stealing, mistreating customers, mishandling company property, as well as rules/policy violations. If you have such a company, then you need to consider hiring a SecSysAdmin whose sole task will be to surf and monitor the network. If employees know there is a 'rent-a-cop' on the network I am sure they would think twice about violating the rules. Make sure you hire a good SecSysAdmin with a background in law enforcement or security; it's the same job.
  • However, they may be your employees, and have their own personal freedoms, but there are certain things that you must abide by on company time/resources. Usually this is mentioned in a person's contract or in other areas on the network (login notes, etc.). We have the usual at work, something to the effect of "these resources are to be used for business purposes only, and usage is subject to review by management". It's the company's dollars for the connectivity, endpoints, and infrastructure (enough buzzwords), and they have a right to limit how the employee uses it. If you don't like it, leave. I haven't encountered any problems at work sending some personal emails or reading /. and espn.com, but (aside from forgetting to notice a troll link to goatse.cx) I don't visit any questionable sites from work, and I keep off of the top internet bandwidth users list (it's there if you know where to look), except when I d/l KDE or mozilla...

    You can trust your employees, but loyalty in the tech industry in this day and age is more fleeting than ever, so, well, you can't trust everyone - so you have to equally not trust everyone. It isn't the greatest thing, but that's the way it is...

    --
  • You are on very dodgy ground here as any kind of active monitoring is actually illegal in Germany without informing the employee. Even then it is a problem.

    There is *no* law in Germany that requires you to monitor traffic. I have worked for banks and exchanges and have *never* heard of this. Even dealers have private telephone lines that are not taped, which makes a nonsense of insider trading regs.

    Some US banks like Goldman Sachs do try aggressive monitoring in Germany but it isn't very legal and could get them in trouble.

    What you can do is to rigorously fire-wall and to record all EMail traffic over a week or so. Although you can't look at it until an incident occurs, it will give you the data for an investigation. You must also inform your employees that data is being recorded in case of an investigation and ideally, they should sign something in addition to their contract of employment.

    Remember also to block access to Web Emailers like hotmail otherwise you would see your monitoring being bypassed.
  • Tax laws probably also require that if you're taking tax deductions for business expenses and equipment, those must be used for business purposes...not employee personal use. That's one reason a "company car" often has certain restrictions.
  • Dare I say this (I'm not a censorship fan by any means, and not a security expert), but if you want to use a tagging solution for this, tag all files (I'm assuming you're using a custom format) with a known signature, and use something like Snort [snort.org] to find that signature in any outgoing traffic. Of course, this isn't 100% perfect (TCP fragments, etc., can confuse many firewalls and detection systems). If put towards the start of the file, it can attempt to reset the connection, as well as log the event.

    Of course, if the secure data is in something like a standard Word(tm) document, you can't tag it with a phrase without forcing all documents to have a keyword, etc., in them that you know to look for, and even then newer editions use compression, which might obscure your mark.

    Once again, I'm not an expert on this, and I may be 100% incorrect, so tread lightly.

  • There are lots of solutions for sniffing. Most IDSs will allow you to do this: simply specify a "rule" in the IDS, and it will trigger when it sees the "watermark". The freeware Snort is going to be the cheapest, or you could try a commercial product like BlackICE Sentry.

    Watermarking is pretty easy: create a special template that everyone should base confidential files on. Put some hidden strings within the template.

    Of course, you'll need to learn a little bit more about IDSs like Snort and Word templates, but I've done things like this in the past and it does work.

  • Turn off all outgoing internet access. When people complain, refer them to whomever gave you this task.
  • This is a common problem throughout the corporate world. Unfortunately, I cannot give you an intelligent suggestion as to what TO do so much as I can tell you what definitely won't work. Sniffing is out of the question. All one must do is compress the data (zip it, whatever) and your sniffer is blown out of the water. We all know that security through obscurity is no security at all. However, given that you are extremely limited in what you can do, some obscurity with the employees may benefit to a degree. It boils down to this. You have many employees who have access to sensitive data. You can't trust them all. You can't watch them all. And even if you did watch all their traffic that leaves the network, you'd never be able to specify a search pattern since that data is so easily altered. If someone WANTS to steal the data, they will. I suppose it's your job to figure out how to make it as difficult as possible. Sorry I couldn't be of any more help.

    Connah
  • by mindstrm ( 20013 ) on Friday September 15, 2000 @01:43PM (#775607)
    Switches running with security settings; static switch tables... run a network with static arp if you want.

    Aggressive firewalling

    Make sure all mail is logged.
    Make sure all web traffic is proxied and filtered, if it even needs to be there at all. And log everything.

    As for 'protecting privacy' of individuals.. you can't really have it both ways. IF it's a financial network, and people are expected to conform to a high level of security, it is completely within the rights (most likely) of your company to audit EVERY communication going in or out of the network.

    Simply take away their expectation of privacy.

    Oh.. also, insist that all mail be escrow-keyed, and signed, or it can't hit the servers. This leaves you an accountability trail.

    In fact, if it's a really secure installation, why do you even need live internet to people's desks?

  • I don't know the legal issues surrounding the situation.. but after more thought.

    1) Is this a high-security office/network? If so, then take extremely aggressive measures. BE The BOFH, and control everything.

    2) If this is simply a requirement.. it's kind of strange. What prevents someone from walking out the door with confidential information? What prevents them from doing it over the phone? Take similar measures to your meatspace security measures as a guideline.

    If you don't search your employees on the way out, if you don't monitor their phones.. why sniff their network?
  • You're a smart cookie, aren't you? /sbin/ipchains -P input DENY && /sbin/ipchains -F input Heh.

    Connah
  • Internal users use netscape on the terminal server. This prevents you from leaking information without retyping.

    Um, cut and paste?

    --

  • You mean you didn't know about hidden sid="tradesecrets" [slashdot.org] where we've been posting all our company's private data?
  • by Anonymous Coward
    Well the company owns any traffic going through their network since while at work you are well, on their time. I mean if your at work using company computers, they company has the right to restrict the use of or monitor the use of their network and hardware.

    You have to keep in mind laws are different in Germany. You must not do everything here, no, but be careful what you are monitoring.

  • What you are suggesting doing, I classify as passive monitoring. In other words your employee has retrieved the data, he has formatted it as he sees fit and then sent it out onto the network where you are hoping to catch it. This is like trying to shut the doors after the cows get out. Even if you could reliably catch 100% of the inappropriate outbound traffic, your employees could simply write the information on a piece of paper or memorize it or anything like that. You will be very hard pressed to stop this.
    What I suggest you do is active monitoring. Log the queries your employees make to your database. Log the information that they extract from your files. If you see an employee is extracting a lot of personal information, ask him what he is doing. If you see an employee is always looking at the same thing, ask him why he needs to be constantly updated on the status of this thing.
    Now most of your employees will have true business uses for the information they look up and you should probably be able to develop some sort of pattern of information need and usage for each employee. Then when an employee starts looking at data that he doesn't ordinarily need, you can send a warning to his supervisor to check on his data queries.
    This will probably be a much more effective approach. Oh, and BTW, as always be a good sys-admin and don't keep this practice a secret. Tell your employees that you will be monitoring their extracts. Most people don't really care if they are monitored at work; what really pisses them off is when the monitoring is done in secret.
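    The "pattern of information need and usage for each employee" this post proposes, as an added example (not the poster's code): a baseline is built from constructed query-log entries recording which tables each user touched and the largest result they pulled, and each new query is checked against it. The log format, the users and the slack factor are all assumptions for the illustration.

```python
"""Query-log baselining for active monitoring (added example).
Log entries are constructed tuples (user, table, rows_returned); a real
deployment would read them from the database's own query audit log."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed history of normal activity used to learn each user's pattern.
BASELINE_LOG: List[Tuple[str, str, int]] = [
    ("anna", "invoices", 12), ("anna", "invoices", 30), ("anna", "customers", 5),
    ("ben", "customers", 8), ("ben", "customers", 11),
]


def build_baseline(log):
    """Per user: the set of tables seen and the largest row count seen."""
    tables = defaultdict(set)
    max_rows = defaultdict(int)
    for user, table, rows in log:
        tables[user].add(table)
        max_rows[user] = max(max_rows[user], rows)
    return {u: {"tables": tables[u], "max_rows": max_rows[u]} for u in tables}


def check_query(baseline: Dict, user: str, table: str, rows: int, slack: int = 5) -> List[str]:
    """Reasons to warn a supervisor about one new query; empty means it fits
    the user's established pattern.  `slack` (assumption) is how many times
    the user's largest previous extract still counts as ordinary."""
    profile = baseline.get(user)
    if profile is None:
        return ["unknown-user"]
    reasons = []
    if table not in profile["tables"]:
        reasons.append("new-table:" + table)
    if rows > slack * profile["max_rows"]:
        reasons.append("bulk-extract:%d" % rows)
    return reasons


def review_log(baseline: Dict, new_entries) -> List[Tuple[str, List[str]]]:
    """Run every new log entry through check_query; return only the hits."""
    hits = []
    for user, table, rows in new_entries:
        reasons = check_query(baseline, user, table, rows)
        if reasons:
            hits.append((user, reasons))
    return hits


if __name__ == "__main__":
    b = build_baseline(BASELINE_LOG)
    today = [("anna", "invoices", 25), ("ben", "invoices", 3), ("anna", "invoices", 10_000)]
    for user, reasons in review_log(b, today):
        print(user, reasons)
```

    Keeping the check to table names and result sizes means the reviewer sees that an extract was unusual, not what was in it, which is what lets the practice be announced openly as the post recommends.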
  • by Bazzargh ( 39195 ) on Friday September 15, 2000 @01:51PM (#775615)
    Okay, this is not an ideal solution, but it is a solution.

    Internet
    ---------------------------------------- firewall
    Demilitarized Zone
    [ Terminal Server (WTS or an X server) ]

    ---------------------------------------- firewall
    Internal LAN [ client PC goes here ]

    Internal users use netscape on the terminal server. This prevents you from leaking information without retyping. However it prevents you from pulling in downloads, and sending email with attachments to customers.

    For downloads, open up inbound FTP connections to a fileserver in the DMZ. For outbound emails, warn that emails from the LAN are scanned, and do it. If people want to send a private message, they can use the X or ICA netscape client. This way your users opt in to be scanned when they are deliberately leaking information, because that's what the job requires. Using the X client, they would have to laboriously retype all the information.

    Depending on the size of the company, you could scan ALL of these messages by hand, since most outbound mail will be personal or brief.

    I didn't say it didn't suck. But it does hang together.
  • If you need to have the tightest control on what leaves your network you need to use application level proxies and block all outgoing traffic from every machine except the proxies. You are in for a world of hurt if you are going to try to sniff traffic at the packet level.

    I suspect there is no application-level proxy that will suit your needs. You may wish to harness the power of open source to integrate smaller tools to fit your needs. Perhaps starting with the proxies in the firewall toolkit you could build some proxies that have a little language in which you can write rules for blocking traffic. Then you can release it back to the community.

    Like one of the other posters said, though, it is very difficult to detect when sensitive information is leaving the network. You usually have to rely on the form of the information (e.g. does it look like a credit card number?) but the form can easily be disguised. Disguises become harder the stricter the format of the data. For example, suppose you only send out bills through mail and the format of the bill is:

    Dear (foo), You owe us (amount). Send it soon or die.

    You can block all mail that doesn't match this format, thereby preventing jpegs, cc lists, etc from being mailed. Information can still be leaked by choosing pregnant values for (foo) and (amount). You could look up to make sure (foo) was a valid customer but your leak may add (foo) to the customer list to get around that. Limiting (foo) to less than 10 characters will help. Ensuring (amount) contains nothing but digits would help too but it isn't too hard to encode a message with numbers only.

    There will always be ways to get around whatever measures you put in place but don't let that fact cause you to not put forth any effort at all. The amount of money you spend protecting against leaks should be weighed against the potential loss if certain information is leaked times the likelihood that it will be.
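    The strict-format outbound filter the post sketches, as an added example (not the poster's code): a proxy-side check that accepts only messages matching the bill template, limits (foo) to under 10 characters and (amount) to digits, and looks (foo) up against a customer list snapshot. The template wording is the post's; the customer list, the amount ceiling and the field bounds are assumptions for the illustration.

```python
"""Application-proxy check for a fixed outbound mail format (added example).
Everything that is not exactly a bill in the agreed template is rejected."""
import re
from decimal import Decimal

# Template from the post: "Dear (foo), You owe us (amount). Send it soon or die."
# (foo): 1-9 characters, no comma; (amount): digits with optional two decimals.
# Bounding both fields caps how much can be smuggled per message.
BILL_RE = re.compile(
    r"\ADear (?P<foo>[^,]{1,9}), You owe us (?P<amount>[0-9]{1,9}(?:\.[0-9]{2})?)\. "
    r"Send it soon or die\.\Z"
)

# Customer list snapshot the proxy trusts (constructed).  Taking it from a
# snapshot rather than the live table is what stops a sender from adding a
# bogus customer and mailing to it minutes later.
CUSTOMERS = frozenset({"acme", "globex"})

# Largest bill the business actually issues (assumption).
MAX_AMOUNT = Decimal("100000.00")


def check_bill(message: str) -> str:
    """Return "accept" or "reject:<reason>" for one outbound message."""
    m = BILL_RE.match(message)
    if m is None:
        return "reject:format"
    if m.group("foo") not in CUSTOMERS:
        return "reject:unknown-customer"
    if Decimal(m.group("amount")) > MAX_AMOUNT:
        return "reject:amount"
    return "accept"


def filter_outbox(messages):
    """Split a batch into the messages that may leave and the rejections."""
    accepted, rejected = [], []
    for msg in messages:
        verdict = check_bill(msg)
        (accepted if verdict == "accept" else rejected).append((msg, verdict))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_outbox([
        "Dear acme, You owe us 100.00. Send it soon or die.",
        "Dear acme, You owe us 100.00. Send it soon or die. See attachment.",
        "Dear initech, You owe us 10. Send it soon or die.",
    ])
    print(len(ok), "accepted,", len(bad), "rejected")
```

    Note the residual channel the post itself identifies: even with these bounds a sender controls roughly nine digits per message, so the filter raises the cost of a leak rather than closing it, and belongs alongside the query logging and volume review discussed elsewhere in the thread.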

  • by cartec ( 22056 )
    Unfortunately, you don't have a chance. There is a little known counterpart to the science of cryptography - the ugly stepchild, steganography. Steganography is the branch of computer science concerned with hidden communication - not (as encryption) communicating so that others cannot understand - but hiding the existence of communication. If somebody is bright enough to piggyback a couple of bits of data onto emails or (even better) send small strings of data encoded in URLs as GET requests to an imaginary server outside your network . . . I think you get the point. Against a determined, or at least half-witted, attacker, you are powerless.
  • If it were my decision I'd snort it too. But really the key is in telling everyone about "terms of service" in a fear inducing straighten that cap starch those pants we own your arse coma type way. Put some big black guys by each door with metal detector wands. Put PCP in the coffee. Make employees sing my anthem before they start work as I conduct my hordes via the intercom. Have business approved suits and shoes so that foreign bodies can be easily detected.

    (Electric death chairs would be too.)

    Although really, this [slashdot.org] post is the only decent one i've seen so far. I give it my approval.

  • How could monitoring my own data on my own hardware be intrusive? There's no 'privacy' involved because the company is monitoring their own data. Is an employee emailing information to a client? Well, is it confidential, or not? That's all you are trying to watch for. Do they visit a web site to order new office supplies? Well, did they enter confidential information into the order?

    If you need to watch for confidential data leaving the company over the corporate network, then you do it. The data is all the company's anyway. You aren't running a public ISP where customers expect that you aren't slurping CC numbers. Or a phone company where people expect to be able to share their woes without it becoming public knowledge.

    Now, if you're concerned that by monitoring the company's data you'd be exposed to confidential information that you feel would be detrimental if you had access to, then you need to go to your management and talk to them about it. I'm sure they'd be more than willing to do anything they can to make it possible to do your job without you being responsible for keeping secrets.

    -Brent
