Class 3 ‐ Data Loss Prevention - Justin-Boyd/CIT-Class GitHub Wiki

Sensitive Data

Data Classification

Data Types

Personal Data
Customer Data
Intellectual Property
Financial Data

Personal Identity Information

Health Information
Racial or Ethnic Origin
Political Opinion
Religious or Philosophical Beliefs

Internet Data

Cookie IDs: A value used by web servers and browsers for authentication and session recognition
Hashed Email Addresses: Maintain recognition with identity privacy
Mobile Advertising IDs: A replacement for cookies in mobile app environments

Data Leak Channels

Physical Components

Information can be leaked by employees or stolen by cyberthieves.
USB ports should be locked down, and portable device disks should be fully encrypted.
Webcams, network printers, and guest Wi-Fi should be secured and segmented.

Network

Sharing websites are typically permitted on company networks.
Full TLS inspection is not enabled on many sites.
Web filtering is often not strict enough.
TLS inspection is a method in which TLS traffic is decrypted and inspected.

Malware

Multi-staged malware can be crafted by a variety of tools.
Social media can be used to trigger payloads of dormant malware.
New payloads are not uploaded to online scanners because they send new signatures to AV vendors.

Protocol Abuse

DNS Tunneling: Embedding encrypted chunks of data in DNS queries.
File Server Traffic: Protocol like SFTP is permitted in outbound traffic.
ICMP Tunneling: Sending data using echo packets.

Regular Expressions

What is Regex?

A method used to describe a specific pattern of characters.
Highly flexible, with customizable search parameters.
Text processing tools like PowerGREP enable easier query crafting.

Regex Uses

Searches for text and replaces text
Text input validation
Less code that does more work

Regex for DLP

Filter outbound emails to look for:

Credit card numbers
Social Security information
Custom dictionary phrases
Specific data types

Syntax Patterns

IP Simple Regex Example

\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

\d Represents a digit
{1,3} A group of one to three consecutive numbers (such as= 242)
. Dot denotes a special character and is escaped with \

This pattern isn’t perfect. For example, the number 826 can be in either of the groups. (IP octets can be from 0–255.)

DLP Introduction

DLP Purpose

Prevents organizational data from being shared with unauthorized parties
Prevents both intentional and unintentional data loss
Compliance with privacy laws and regulations

How DLP Works

Content inspection and contextual analysis
Based on rules and policies
Uses regex pattern matching

Local Agent Protection

Monitor and block the printing of confidential material.
Review the clipboard and block the copying of sensitive content.
Analyze and block email messages sent to specific destinations.

Block List vs Allow List

Block List

Everyone is allowed except exclusions
Antivirus, IPS/IDS
Threat-centric
Simple and lenient
Less restrictions = less secure

Allow List

Everyone is forbidden except exclusions.
Access control, digital signatures
Trust-centric
Complex and strict
More restrictions = limited functionality and creativity

OpenDLP

What Is OpenDLP?

Free, open-source, multi-platform, centrally managed, and highly distributable
Agent-based or agentless
Able to concurrently scan thousands of OSs

OpenDLP Uses

Agents for web applications and Windows machines
Agentless database scans
Agentless file system and file share scans

OpenDLP Installation

Download - Download the compressed virtual machine.
Extract - Extract the OVA file.
Import - Import the OVA into Virtualbox.
Configure - Finish initial configuration.

DLP Bypass Techniques

Encoding and Ciphering

Encoding data renders pattern matching useless.
Using a cipher on data will make it unrecognizable.
Corrupting data will most likely work as well.

Steganography

The art of concealing information within files
Hiding files within other files
An inconspicuous image can hide sensitive data.