Friday, June 19, 2015

What is DLP and how do you bypass it!

Data Leak Prevention or Data Loss Prevention, depending on what you want to call it, is nothing but a way to prevent confidential data from leaking outside your network.

Regardless of the vendor or product, it works by monitoring data in motion, data at rest and data in use.

Data in motion = data that is being transmitted via a secure or insecure channel.
Data at rest = data that resides on your machine or NAS.
Data in use = data that is currently being processed or used.
Most of the time DLP comprises 2 engines: the monitoring engine and the prevention engine.

The monitoring engine actually monitors the usage of the data on your machine or network. It monitors and sends that information to the centralized server. All these events are known as DLP incidents, and usually you would need a DLP administrator to monitor them and evaluate whether a data breach has occurred or not.

Depending on the policy you can set whether to trigger an alert on the desktop if a policy has been violated or just remain passive. Most organizations would set the monitoring engine to passive mode to avoid alerting the crook/bad guy within their organization.

The other engine, the prevention engine, is the one that actually blocks or prevents the data from going out. It can block you from copying the data to USB, CD, DVD, FTP or cloud storage, taking a print screen, etc. Again, it is set in policy. Some organizations will set the prevention engine at the desktop level and some at the gateway level, depending on the business case.

Detection can be done using regular expressions, keywords, and even fingerprinting documents. (I will not go into the details here..)


Now!! Here comes the interesting part! How do you bypass DLP!!!!

1. Encryption!!!!!
A lot of IT administrators or DLP wannabe experts claim that you should encrypt the email or data on your desktop before sending it outside the organization. The ironic thing is there is no DLP solution on the market right now which can automatically decrypt an encrypted file and inspect it with the DLP engine before sending it out! So by allowing your staff to encrypt the file with a password using their own encryption solution such as TrueCrypt, you render the DLP solution useless!!!!

The right way is encryption at the gateway level! Let's look at the scenario below:-

User A sends a file to User B outside the organization.
User A sends file >> file is intercepted by the DLP solution at the gateway >> analyzed to see whether it is confidential data or not >> if yes, encrypt before sending out; if not, just send out

This is the right way to do it...
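As an added example (not code from the original post), here is a toy version of both halves of this section: the three detection methods mentioned earlier (regular expressions, keywords and document fingerprints) and the gateway ordering above, inspect first and encrypt second. The rules, the registered document, the XOR "cipher" and the entropy heuristic are all my own assumptions for the demonstration, not any product's implementation.

```python
"""Added example, not code from the original post: a minimal DLP content
classifier using the three detection methods the post names (regular
expressions, keywords and document fingerprints), and a gateway that inspects
a file BEFORE encrypting it. The rules, the registered document and the toy
cipher are all constructed for this demonstration."""
import hashlib
import math
import re
from collections import Counter

# Constructed regular-expression rules (loose shapes, tuned for the demo only).
PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
# Constructed keyword rules, matched case-insensitively.
KEYWORDS = {"confidential", "internal only", "do not distribute"}


def fingerprint(text: str, shingle: int = 8) -> set:
    """Shingle fingerprint: hashes of every 8-word window, so a registered
    document is still recognised when only a paragraph of it is pasted
    into a new file."""
    words = text.lower().split()
    return {hashlib.sha256(" ".join(words[i:i + shingle]).encode()).hexdigest()[:16]
            for i in range(max(1, len(words) - shingle + 1))}


# Constructed "registered" document the organisation wants to protect.
PROTECTED_DOC = ("Project Falcon pricing sheet: the unit cost for the Q3 launch "
                 "is 42 dollars per seat and margin target is 35 percent "
                 "do not share with partners before signing")
REGISTERED = {"falcon_pricing": fingerprint(PROTECTED_DOC)}


def classify(text: str, min_overlap: float = 0.3) -> list:
    """Return the names of every rule that fires on the text."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
    low = text.lower()
    hits.extend(f"keyword:{k}" for k in sorted(KEYWORDS) if k in low)
    fp = fingerprint(text)
    for name, ref in REGISTERED.items():
        if len(fp & ref) / len(ref) >= min_overlap:
            hits.append(f"fingerprint:{name}")
    return hits


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain text sits around 4-5, ciphertext near the maximum."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def looks_encrypted(data: bytes) -> bool:
    """Heuristic for content the engine cannot read: entropy close to the
    maximum possible for a blob of this size."""
    return len(data) >= 64 and shannon_entropy(data) > 0.85 * min(8.0, math.log2(len(data)))


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Demonstration-only XOR stream (SHA-256 counter keystream). It is NOT a
    real cipher; it only stands in for whatever a user or gateway would use.
    Applying it twice with the same key returns the original bytes."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(data[i:i + 32], ks))
    return bytes(out)


def gateway(file_bytes: bytes, gateway_key: bytes) -> dict:
    """The post's gateway flow: inspect first, encrypt only what is confidential.
    Anything that arrives already encrypted cannot be inspected, so it is held
    rather than waved through."""
    try:
        text = file_bytes.decode("utf-8")
    except UnicodeDecodeError:
        text = None
    if text is None or looks_encrypted(file_bytes):
        return {"action": "quarantine_unscannable", "hits": []}
    hits = classify(text)
    if hits:
        return {"action": "encrypt_and_send", "hits": hits,
                "payload": toy_encrypt(file_bytes, gateway_key)}
    return {"action": "send", "hits": [], "payload": file_bytes}
```

The quarantine branch is the caveat that belongs with point 1: a gateway that cannot read what it is asked to forward should hold it rather than assume it is harmless, and a failed text decode or near-maximal byte entropy is the cheap way to tell. The shingle overlap is what lets the fingerprint rule fire on a partial paste rather than only on the whole registered file.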

2. USB, USB, but what about the SD card slot??
Most administrators set a DLP policy on USB drives, to prevent users from copying files to USB. But wait... what about the SD card slot?? I am sure a lot of laptops have one. So try using your SD card slot and you will be surprised that the policy is not yet set to prevent data going out through the SD card slot.
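An added example (not code from the original post) of how to audit that gap from the administrator's side: a policy that only names the USB bus, the same policy keyed on "removable" instead, and a function that lists which devices each one leaves uncovered. The device records are constructed in the shape of Linux sysfs attributes; enumerate_sysfs() reading the live ones from /sys/block is my assumption about where to look, not any DLP product's API.

```python
"""Added example, not code from the original post: a removable-media policy
check that exposes the gap the post describes (a policy that names only USB
misses the built-in SD card slot). The device list is constructed in the
shape of Linux sysfs attributes; enumerate_sysfs() reads the real ones on a
Linux host and is an assumption about where to audit, not a DLP product's API."""
import os

# Constructed inventory as a DLP agent might enumerate it. A built-in SD
# reader usually shows up on the mmc bus, not on usb.
DEVICES = [
    {"name": "sda", "bus": "ata", "removable": False, "desc": "internal SSD"},
    {"name": "sdb", "bus": "usb", "removable": True, "desc": "USB thumb drive"},
    {"name": "mmcblk0", "bus": "mmc", "removable": True, "desc": "SD card, built-in reader"},
    {"name": "sdc", "bus": "usb", "removable": True, "desc": "SD card in a USB reader"},
]

# The policy the post says most administrators write: USB only.
USB_ONLY_POLICY = {"block_buses": {"usb"}, "block_any_removable": False}
# A policy keyed on the property that matters: removable storage, any bus.
REMOVABLE_POLICY = {"block_buses": {"usb", "mmc", "firewire"}, "block_any_removable": True}


def write_blocked(device: dict, policy: dict) -> bool:
    """Would the prevention engine stop a copy to this device?"""
    if device["bus"] in policy["block_buses"]:
        return True
    return policy["block_any_removable"] and device["removable"]


def uncovered_devices(devices: list, policy: dict) -> list:
    """Removable devices a user could still copy files to under the policy."""
    return [d["name"] for d in devices if d["removable"] and not write_blocked(d, policy)]


def enumerate_sysfs(root: str = "/sys/block") -> list:
    """Build the same records from a live Linux host: the bus is read from the
    device's resolved sysfs path and 'removable' from the kernel attribute
    file. Returns an empty list when /sys/block is not available."""
    found = []
    if not os.path.isdir(root):
        return found
    for name in sorted(os.listdir(root)):
        parts = os.path.realpath(os.path.join(root, name)).split("/")
        if any(p.startswith("usb") for p in parts):
            bus = "usb"
        elif "mmc_host" in parts:
            bus = "mmc"
        else:
            bus = "other"
        try:
            with open(os.path.join(root, name, "removable")) as fh:
                removable = fh.read().strip() == "1"
        except OSError:
            removable = False
        found.append({"name": name, "bus": bus, "removable": removable, "desc": "from sysfs"})
    return found


if __name__ == "__main__":
    for label, policy in (("usb-only", USB_ONLY_POLICY), ("removable", REMOVABLE_POLICY)):
        print(label, "policy leaves uncovered:", uncovered_devices(DEVICES, policy))
    live = enumerate_sysfs()
    if live:
        print("this host, usb-only policy leaves:", uncovered_devices(live, USB_ONLY_POLICY))
```

Run on a laptop with a built-in reader, the usb-only policy lists the mmc device as uncovered while the removable policy lists nothing, which is the check to run before assuming "USB blocked" means "removable media blocked".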

3. Own FTP or HTTP server.
There are a lot of web-based file server solutions on iPhone and Android. You can just download the app, activate the web storage on your iPhone or Android and access that URL from your DLP-enabled laptop or desktop. Chances are you can copy the data out to the iPhone or Android. The reason is that a DLP solution is all about rules. If the administrator sets strict rules that block all HTTPS and FTP, it is a problem because it will create lots of false positives. So if you send data to the phone's FTP or HTTP storage, chances are it will still work depending on the policy set. However, please take note that even if you can copy the data out, it does not mean it is not logged!! Yes, remember I mentioned DLP has 2 parts? The monitoring engine and the prevention engine.
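As an added example (not code from the original post) of the logging side of this point, here is detection logic that the monitoring engine's administrator could run over proxy logs: it sums upload volume per user to hosts outside a sanctioned list and flags destinations reached by bare IP, the typical shape of a phone hotspot or LAN share. The log format, the sanctioned-host list, the byte threshold and the sample lines are all constructed for the demonstration, not any vendor's format.

```python
"""Added example, not code from the original post: detection logic for the
monitoring side of the post's point 3, run over constructed proxy log lines.
The log format, the sanctioned-host list and the byte threshold are all
assumptions for this demonstration, not any vendor's format."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed line format: timestamp user method url status bytes_sent_by_client
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes_out>\d+)$"
)
SANCTIONED_HOSTS = {"mail.example.com", "sharepoint.example.com", "crm.example.com"}
UPLOAD_METHODS = {"POST", "PUT", "STOR"}   # STOR: FTP upload, logged here in the same shape
UPLOAD_THRESHOLD = 1_000_000               # bytes per user in the window; assumed

# Constructed sample log: two sanctioned uploads, two small transfers to a
# hotspot IP, one FTP upload to a phone, one plain download.
SAMPLE_LOG = """\
2015-06-19T09:02:11Z alice POST https://mail.example.com/send 200 48213
2015-06-19T09:05:40Z bob PUT http://192.168.43.1:8080/upload/q3_pricing.xlsx 201 5242880
2015-06-19T09:06:02Z bob PUT http://192.168.43.1:8080/upload/customers.csv 201 2097152
2015-06-19T09:10:15Z carol GET http://news.example.org/ 200 0
2015-06-19T09:12:33Z dave STOR ftp://myphone.lan/incoming/backup.zip 226 73400320
2015-06-19T09:15:00Z alice POST https://sharepoint.example.com/_api/upload 200 3145728
"""


def parse_line(line: str):
    """One log line to a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes_out"] = int(ev["bytes_out"])
    return ev


def is_bare_ip(host: str) -> bool:
    """A phone hotspot or LAN share is usually reached by raw IP, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def detect_uploads(log_text: str, threshold: int = UPLOAD_THRESHOLD) -> list:
    """Aggregate upload volume per user to hosts outside the sanctioned list,
    so several smaller transfers add up the same way one large one does."""
    per_user = defaultdict(lambda: {"bytes": 0, "hosts": set(), "events": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["method"] not in UPLOAD_METHODS:
            continue
        host = urlsplit(ev["url"]).hostname
        if not host or host in SANCTIONED_HOSTS:
            continue
        agg = per_user[ev["user"]]
        agg["bytes"] += ev["bytes_out"]
        agg["hosts"].add(host)
        agg["events"] += 1
    alerts = []
    for user, agg in sorted(per_user.items()):
        if agg["bytes"] >= threshold:
            alerts.append({"user": user, "bytes": agg["bytes"], "events": agg["events"],
                           "hosts": sorted(agg["hosts"]),
                           "bare_ip": any(is_bare_ip(h) for h in agg["hosts"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_uploads(SAMPLE_LOG):
        print(alert)
```

Summing per user rather than alerting per request is the part worth keeping: a policy loose enough to avoid the false positives the post mentions will let single transfers through, but the monitoring engine still sees the total, and the bare-IP flag is a cheap way to rank which incidents an administrator looks at first.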

4. Fuck Windows.. Use Linux!
OK, DLP is a program. A program that hooks into the OS kernel to prevent data loss. But what if you boot from a boot disk and run Linux? Yes, DLP will be useless!!! You can copy anything and the DLP monitoring and prevention engines will not be there to stop you. The mitigating control is to disable booting from USB or CD on your machine and set a BIOS password. I am sure 90% of organizations would not do this because the so-called DLP consultants or security consultants are mostly Windows users who have never actually tried to hack anything in their lives!!!

There are more ways to bypass the DLP solutions that are on the market now, but I am sure the steps I mentioned above are more than enough to cause a data breach!

Note: The information shared above is not meant to encourage malicious activity but to educate the public about their false sense of security when they claim they are protected from data loss because they just bought a fancy DLP solution from a vendor.

Feel free to contact me if you wanna know more about DLP :)

