Research

Back when I used to do physical security in Boulder, Colorado, there was a core group of us that were often called in by various bars, hotels, or concert venues when they needed help for a special event or to buffer up their staff. Sometimes I ended up working a few nights as a contract bouncer at random bars I was much more likely to be drinking than working at. One of these places, a bar called Potters, was run by a sketchy manager who shall remain nameless. A buddy and I were called in when they had a big staff turnover and needed some last minute help. Just the two of us, for one of the busiest bars in a college town. Our first instruction? If the girl was cute, and had anything slightly resembling an ID, let her in. This isn’t all that uncommon; many businesses make a pretense at complying with the law to reduce their risk of being busted, but would rather have a lot of cute 18-20 year old girls pushing up the guys’ bar tabs. I’d been to all sorts of training to spot fake IDs and was pretty darn good at it, but that didn’t matter. And sorry guys, we weren’t supposed to let you slide. Today I read more about Apple leaving some really obvious security holes in the iPhone. This time, it’s free ringtones (instead of forcing you to pay $.99). The iPhone isn’t supposed to allow third party applications, but it’s been thoroughly cracked, and the latest updates have done nothing to restrict users. Contrast this to Sony, who seems hell bent on pissing off their users by constantly fighting the homebrew hackers that just want to add a little software to the PSP. Apple’s done this before, most recently with the AppleTV. TiVo is another company that follows this track- it took me all of 3 minutes to add 750 GB to my TiVo Series 3 this weekend (that’s about 90+ hours of HD recordings, or 900 hours at standard definition). Is Apple doing this on purpose? It wouldn’t surprise me, but I’d hate to be responsible for screwing up my future iPhone applications (I’m waiting for a 3G version) by pointing this out. Apple has two classes of users- those who like their products because they look nice and work well, and those who can be a bit more fanatical and love digging in. Yet Apple can’t afford to piss off too many of their media partners by giving users the complete freedom they want. The compromise? Pay lip service to the demands of the media partners while leaving holes that only the really hard-core geeks will take advantage of. In martial arts we sometimes leave an “opening” for our opponent to entice them into taking a predictable action. Perfect security isn’t always best, sometimes leaving a hole creates an advantage. Plausible deniability; consumer electronics style. Share:

I spend a fair bit of time helping friends and family keep their computers up and running. At the local coffee shop I’m known as “the security guy”, which usually means answering questions about which antivirus software to buy. But some of the best ways to protect yourself don’t involve spending any money, or buying any software. One of my favorites is to use different email accounts for different contexts. A lot of security pros know this, but it’s not something we have our less technical friends try. Thanks to the ease of webmail, and most mail applications’ support for multiple email accounts, this isn’t all that hard. Keeping things simple, I usually suggest 4-5 different email accounts: Your permanent address: I have one email account that’s been in active use since 1995. It’s the one I give friends and family, and I don’t use it for anything else. No online purchases, no newsletter subscriptions, nothing but those I know and care about. For a long time I got essentially NO SPAM on this account. Ever. I did make the mistake once of letting a local political party get their hands on it, and they screwed up a mailing and the address leaked to a spam list. Learn from my mistake- have one address you give out for your personal email that you never have to change- e.g. Hotmail, Yahoo, or Gmail, and never use it for anything else. Your work address: We all have these, and we all use them for personal email. That’s fine, but don’t use it for subscriptions or online purchases. An address for buying online when you don’t trust the store: Another Gmail/Yahoo/Hotmail address you use for risky online purchases, and nothing else. That way, if a site you use is compromised you can easily change addresses without too much difficulty. These are the smaller online retailers you don’t really know or trust as much as Amazon and Ebay. An address for trusted retailers: This is your Amazon, Ebay, and Apple address- one you use to buy things from major retailers. This can be the same as your permanent address. Let’s be realistic, I use a few major retail sites and have never had any problems with spam or fraud by letting them use my main address. Yes, it’s a risk if they get breached, but it’s one I’m willing to take for a small group of stores I use more frequently. If you do this, make sure you opt out of any of their marketing emails. This is in your account preferences when you log in. An address for email subscriptions: This is for newsletters, fora, and other sites where your email might not be private. I also often use throwaway addresses. These are temporary accounts I set up for high-risk things like certain forum subscriptions and email lists that I know will end up in the hands of spammers. There’s one kind of address you should never use– the one your ISP (Internet Service Provider) gives you. Not only do these seem to end up on spam lists more often than not, but you may to change your ISP more than you anticipate. If I have to update my address book for someone moving/changing addresses, it’s almost always because they’ve used the email from their ISP. These other services are free and easier to use, so there’s no reason to use an ISP account. This might seem complicated, but it’s really easy. Just go to one of those services and set up some free accounts. For each one, write down the username and password twice- once on a piece of paper you keep near your computer, the other you keep with your important papers (except your work password). I know most security experts tell you to never write your passwords down, but as long as it’s on paper (not in a file on your computer) and reasonably safe in your home the risk is low (however, don’t do this with bank account passwords!). Then launch Outlook Express, Mail.app, Eudora, Thunderbird, or whatever email program you use and add these accounts using the instructions from whoever you set up the account with. It usually takes less than a minute, and gives you one place where you can read all your mail. Personally I have over a dozen accounts, but I’m both paranoid, and like having all my different email lists go to different accounts to make reading them easier. For the rest of you, somewhere between 4-6 accounts can reduce the spam you get, especially on your personal email, and even reduce the chances of fraud. Share:

Data Loss Prevention is one of the most hyped, and least understood, tools in the security arsenal. With at least a half-dozen different names and even more technology approaches, it can be difficult to understand the ultimate value of the tools and which products best suit which environments. This series of posts will provide the necessary background in DLP to help you understand the technology, know what to look for in a product, and find the best match for your organization. I won’t be providing product ratings, I suggest the Gartner Magic Quadrant for that, but will provide you the tools you need for the selection process. DLP is an adolescent technology that provides significant value for those organizations that need it, despite products that may not be as mature as other areas of IT. The market is currently dominated by startups, but large vendors have started stepping in, typically through acquisition. The first problem in understanding DLP is figuring out what we’re actually talking about. The following names are all being used to describe the same market: Data Loss Prevention/Protection Data Leak Prevention/Protection Information Loss Prevention/Protection Information Leak Prevention/Protection Extrusion Prevention Content Monitoring and Filtering Content Monitoring and Protection And I’m sure I’m missing a few. DLP seems the most common term, and while I consider its life limited, I’ll generally use it for these posts for simplicity. You can read more about how I think of this progression of solutions here. Even a clear definition of DLP can be confusing and hard to find. I generally consider them, “products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use through deep content analysis”. I used to restrict myself to network-based monitoring and blocking solutions, but we’ve recently seen advances in endpoint protection. I’ll detail all these nuances as we dig deeper into the subject. The DLP market is also split between DLP as a feature, and DLP as a product. A number of products, particularly email security solutions, provide some basic DLP functions, but aren’t necessarily real DLP products. The difference is: A DLP Product includes centralized management, policy creation, and enforcement workflow dedicated to the monitoring and protection of content and data. The user interface and functionality are dedicated to solving the business and technical problems of protecting content through content awareness. DLP Features include some of the detection and enforcement of DLP products, but are not dedicated to the task of protecting content and data. This distinction is important because DLP products solve a specific business problem that may or may not be managed by the same business unit/user responsible for other security functions. We often see non-technical users responsible for the protection of content, such as a legal or compliance officer. Even human resources is often involved with the disposition of DLP alerts. Some organizations find that the DLP policies themselves are highly sensitive or need to be managed by business unit leaders outside of security, which also supports a dedicated product. Because DLP is dedicated to a clear business problem (protect my content) that is differentiated from other security problems (protect my PC or protect my network) most of you should look for dedicated DLP solutions. This doesn’t mean that DLP as a feature won’t be the right solution for you, especially in smaller organizations. It also doesn’t mean that you won’t buy a suite that includes DLP, as long as the DLP management is separate and dedicated to DLP. We’ll be seeing more and more suites as large vendors enter the space, and as we’ll discuss in a future post it often makes sense to run DLP analysis or enforcement within another product, but the central policy creation, management, and workflow should be dedicated to the DLP problem and be isolated from other security functions. There are a few last terms I want to define before finishing off this post. The first is content awareness. One of the distinctions of DLP solutions is that they look at the content itself, not just the context. Context would be sender/recipient. Content is digging into the pdf embedded in the Word file, embedded in a .zip file, and detecting that one paragraph matches a protected document. In a later post I’ll describe the major detection techniques, and which ones work best for which kinds of content. We also need to discuss what we mean by protecting data at rest, data in motion, and data in use. Data-at-rest includes scanning of storage and other content repositories to identify where sensitive content is located. We call this content discovery. For example, you can use a DLP product to scan your servers and identify any documents with credit card numbers. If that server isn’t authorized for that kind of data, the file can be encrypted or removed, or a warning sent to the file owner. Data-in-motion is sniffing of traffic on the network (passively or inline via proxy) to identify content being sent across communications channels. For example, this includes sniffing emails, instant messages, or web traffic for snippets of sensitive source code. In motion tools can often block based on central policies, depending on the type of traffic. Data-in-use are typically endpoint solutions that monitor data as the user interacts with it. For example, they can identify when you attempt to transfer a sensitive document to a USB drive and block it (as opposed to blocking use of the USB drive entirely). Data in use should also detect things like cut and paste, or use of sensitive data in an unapproved application (such as someone attempting to encrypt data to sneak it past the sensors). The last thing to remember about DLP is that it is highly effective against bad business processes (unencrypted FTP exchange of medical records with your insurance company) and mistakes. While DLP offers some protection against malicious activity, we’re at least a few years away from these tools really protecting against a knowledgeable malicious attacker. Fortunately for us, most of our risk doesn’t fall into this category. That’s it for today; as