Encryption Blog

Stopping the WikiLeaks Scenario with Encryption, Device Control and Endpoint DLP

Created: 09 Dec 2010 • Updated: 05 Nov 2012 • 13 comments
Posted by Tim_Matthews

A U.S. Army intelligence specialist? Walking out with confidential documents on a CD? Impossible.

When I first heard about the exposure of hundreds of diplomatic memos, I was anticipating a sophisticated cloak-and-dagger tale. Instead, Pfc. Manning walked out the door with a bogus Lady Gaga CD-RW filled with government secrets. My initial reaction was that this never should have happened, but I can see how the dual priorities of a worker-friendly environment and the mission-critical imperative to share information quickly could have led to this situation. The good news is that there is a straightforward regimen that helps stop these kinds of risks.

1) Install Device Control

Device control, as its name suggests, controls what devices can be used on a given computer. So if you want to disallow CD burning by a government security analyst with access to secret documents, you can do so. Symantec Endpoint Encryption (SEE) Device Control allows this to be done by policy, across the organization. Permissions can be set by group or per individual user. SEE Device Control could even have allowed Pfc. Manning to listen to Lady Gaga MP3 files, but prevented him from copying files of any type to the CD. Here’s how a security administrator could have done that:

With SEE Device Control, a security administrator can decide that the use of USB sticks by field engineers who need to download software for clients is fine, for example, but not by customer service agents who have access to lots of personal customer information and never take work home. SEE Device Control policy can also be set to prevent any type of Bluetooth or WiFi data transfer. Here’s a quick look at some of the options.

SEE Device Control also offers capabilities that facilitate audits and forensics, such as logging every file copied or keeping a “shadow copy” so you can see exactly what was written to the device. This lets investigators quickly and clearly establish the extent of a breach perpetrated by an actor like Manning. More info on SEE Device Control here.

2) Use Endpoint DLP

Some may find device control too coarse-grained and want to restrict copy operations based on content instead. A good way to do this is with Symantec Data Loss Prevention Endpoint Prevent. Like device control, it stops employees from copying confidential data to removable devices, transferring it over the network, copying and pasting it, or printing it, but it makes the decision based on content. The advantage is that employees can, for example, copy pictures of their kids to and from a USB stick, but not anything marked confidential, anything that matches the fingerprint of a product design document, or anything that contains confidential customer information. Endpoint Prevent uses the Symantec Data Loss Prevention suite for deep content inspection, so the policies enforced on the endpoint can be the same ones used to inspect email traffic. You can find out more about how it works here.
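As an added example (not code from the original post, and not Symantec's own implementation), here is a small Python model of how the two layers in steps 1 and 2 fit together: a per-group device-control table decides whether a write to a given device class is allowed at all, and only if it is does content inspection run (classification markings, SSNs, Luhn-checked card numbers, and shingle-based fingerprinting of registered documents). Every request is written to an audit log together with a shadow copy of the bytes. The policy layout, group names, rule names, sample cable text and sample files are all constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed device-control policy: per user group, which removable device
# classes may be used and in what mode (hypothetical layout, not SEE's format).
DEVICE_POLICY = {
    "field_engineers":  {"usb_storage": "read_write", "cd_dvd": "read_write"},
    "intel_analysts":   {"usb_storage": "deny",       "cd_dvd": "read_only"},
    "customer_service": {"usb_storage": "deny",       "cd_dvd": "deny"},
}

# Content rules for the DLP layer (constructed for the example).
MARKINGS = ("TOP SECRET", "SECRET", "CONFIDENTIAL", "NOFORN")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators
SHINGLE_WORDS = 5       # fingerprint granularity
MATCH_THRESHOLD = 0.3   # share of a file's shingles that must hit a registered doc


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random 16-digit number does not trip the card rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def shingles(text: str) -> set:
    """Hash every run of SHINGLE_WORDS consecutive words after normalisation."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()
            for i in range(len(words) - SHINGLE_WORDS + 1)}


class FingerprintIndex:
    """Registered documents whose excerpts should be recognised wherever they turn up."""

    def __init__(self):
        self._docs = {}

    def register(self, name: str, text: str) -> None:
        self._docs[name] = shingles(text)

    def best_match(self, text: str):
        probe = shingles(text)
        best, score = None, 0.0
        for name, fp in self._docs.items():
            s = len(probe & fp) / len(probe) if probe else 0.0
            if s > score:
                best, score = name, s
        return best, score


def inspect_content(data: bytes, index: FingerprintIndex) -> list:
    """Return the content rules a file violates (empty list = clean)."""
    text = data.decode("utf-8", errors="ignore")
    hits = []
    for marking in MARKINGS:
        if re.search(r"\b" + re.escape(marking) + r"\b", text):
            hits.append("marking:" + marking)
            break
    n_ssn = len(SSN_RE.findall(text))
    if n_ssn:
        hits.append(f"ssn:{n_ssn}")
    n_card = sum(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text))
    if n_card:
        hits.append(f"card:{n_card}")
    name, score = index.best_match(text)
    if name and score >= MATCH_THRESHOLD:
        hits.append(f"fingerprint:{name}:{score:.2f}")
    return hits


@dataclass
class Endpoint:
    index: FingerprintIndex
    audit_log: list = field(default_factory=list)
    shadow_store: dict = field(default_factory=dict)

    def request_copy(self, user, group, device_class, filename, data: bytes) -> dict:
        """Decide whether writing `data` to `device_class` is allowed, and log it."""
        mode = DEVICE_POLICY.get(group, {}).get(device_class, "deny")
        reasons = []
        if mode != "read_write":       # device control: coarse and content-blind
            reasons.append(f"device:{device_class}:{mode}")
        else:                          # DLP: only consulted once the device is allowed
            reasons.extend(inspect_content(data, self.index))
        digest = hashlib.sha256(data).hexdigest()
        self.shadow_store[digest] = data   # shadow copy: what was (or nearly was) written
        entry = {"user": user, "device": device_class, "file": filename, "sha256": digest,
                 "decision": "block" if reasons else "allow", "reasons": reasons}
        self.audit_log.append(entry)
        return entry


# Constructed sample document for the fingerprint index.
CABLE = ("Embassy reporting: ministry officials privately acknowledged the port "
         "concession negotiations had stalled over revenue sharing, and the "
         "ambassador recommends quiet pressure through the trade delegation.")

if __name__ == "__main__":
    idx = FingerprintIndex()
    idx.register("cable_2010", CABLE)
    ep = Endpoint(idx)
    ep.request_copy("pfc_m", "intel_analysts", "cd_dvd", "lady_gaga.mp3", b"\xff\xfb\x90data")
    ep.request_copy("eng1", "field_engineers", "usb_storage", "notes.txt",
                    b"SECRET//NOFORN SSN 078-05-1120 card 4111 1111 1111 1111")
    for e in ep.audit_log:
        print(e["user"], e["file"], e["decision"], e["reasons"])
```

Note the ordering: the analyst's CD write is refused by the read-only device rule before any content is looked at (he could still play audio from the disc), while the field engineer's USB stick is allowed as a device, so the decision falls to the content rules. The shadow copy is kept for blocked attempts too, since a refused write is often the most useful evidence an investigator has.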

3) Encrypt Sensitive Documents

Obviously, keeping secrets away from those without a need to know is one of the best ways to protect them. The problem is that access control lists on file shares are not rigorously maintained, so people who should not see documents can. Corporate search engines that index all kinds of content make this worse by making those documents easy to find. The answer is to encrypt the files: if someone has access to a directory it won’t matter, because they won’t be able to read the file. A nice side benefit is that file content becomes opaque to search engines. This is exactly what PGP NetShare from Symantec does.

And the user experience really doesn’t change at all. Having a lock on the file or folder is intuitive and likely sends a warning to those looking to steal. The file opens as normal for those with access, and is unreadable by those without.

PGP NetShare also protects against mistakes made by those who do have permission. I have personally heard of cases of generals with security clearance, who are perhaps better with intelligence than with computers, copying top secret documents to the wrong folder. Encryption solves this problem: even if a file is moved to the wrong place, only those with keys can read it.

One of my favorite features of PGP NetShare is encrypt by file type. This makes it easy to protect Word docs, Excel spreadsheets and PowerPoint presentations, but not MP3 files (unless that’s your intellectual property, of course.)
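Encrypt-by-file-type is only as strong as the way the file type is determined. If a rule keys on the file extension alone, a Word document renamed to .mp3 (the same trick as the Lady Gaga disc) is skipped. The example below is added here and is not part of the original post or of PGP NetShare; it classifies files by their leading bytes and container contents instead and reports where an extension rule and a content rule disagree. The signature table, the ENCRYPT_TYPES policy and the in-memory .docx are constructed for the example, and the actual encryption step is left to the product; only the selection step is shown.

```python
import io
import zipfile

# Byte signatures (constructed table; only the formats the example needs).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                          # .docx/.xlsx/.pptx are ZIP containers
PDF_MAGIC = b"%PDF-"

# File types the (hypothetical) encryption policy covers; MP3 deliberately is not.
ENCRYPT_TYPES = {"doc", "docx", "xlsx", "pptx", "pdf"}


def sniff_type(data: bytes) -> str:
    """Classify a file by what it contains, never by what it is called."""
    if data.startswith(OLE2_MAGIC):
        return "doc"                     # all legacy Office formats share this container
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip"
        for prefix, kind in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
            if any(n.startswith(prefix) for n in names):
                return kind
        return "zip"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(b"ID3") or (len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0):
        return "mp3"                     # ID3 tag or MPEG audio frame sync
    return "unknown"


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def decide(filename: str, data: bytes) -> dict:
    """Run the extension rule and the content rule and report whether they disagree."""
    sniffed = sniff_type(data)
    by_ext = extension_of(filename) in ENCRYPT_TYPES
    by_content = sniffed in ENCRYPT_TYPES
    return {"file": filename, "sniffed": sniffed, "encrypt_by_extension": by_ext,
            "encrypt_by_content": by_content, "mismatch": by_ext != by_content}


def make_docx(body_xml: str) -> bytes:
    """Build a minimal OOXML container in memory (constructed input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", body_xml)
    return buf.getvalue()


if __name__ == "__main__":
    design_doc = make_docx("<w:document>Project Falcon design review</w:document>")
    for name, blob in [("design_review.docx", design_doc),
                       ("lady_gaga.mp3", design_doc),          # renamed, same bytes
                       ("track01.mp3", b"ID3\x03\x00\x00\x00\x00\x00\x00"),
                       ("notes.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")]:
        print(decide(name, blob))
```

The renamed document is the case to watch: the extension rule says leave it alone, the content rule says encrypt it, and `mismatch` is set. Whichever product you use, it is worth testing this exact case against it rather than assuming.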

We will no doubt be hearing more from WikiLeaks. Forbes reported that a large financial institution is next. With such well understood defenses available, CISOs really have no excuse for not putting them in place. Perhaps we’ve been putting too much focus on the criminal syndicates and not enough on the malicious insider.

Do yourself a favor and take a look into device control, DLP and encryption. Have a healthy suspicion of IT workers still using CDs instead of iPods to listen to music at work, and make sure your device control and DLP policies cover both.

Comments (13)

sophietan wrote:

too bad US army didn't buy Symantec's solutions. do they ?

Tim_Matthews wrote:

Clearly, we are not able to confirm or deny the use of our products in classified environments ;) Having said that, we do have an established track record of detecting IP theft using our solutions in circumstances that closely resemble the circumstances of the Bradley Manning case.

xlloyd wrote:

What happens when the malicious insider is the Director of Network Security?

In any event...if the US Army did buy DLP at least, this wouldn't have happened...unless they weren't using it properly that is.

*sigh*

Vikram Kumar-SAV to SEP wrote:

Good article!! You should have written it earlier ;)

However it will help many to prevent such kind of Data Theft

Vikram Kumar

Symantec Consultant

xlloyd wrote:

Hopefully someone from the Army has read this article!

At least we know these kinds of security breaches cause people to think twice about security...maybe it will cause others to do the same and hopefully approach Symantec!

delifeath wrote:

I'm currently testing out Safend Data Protection Suite for device control...because SEP still doesn't support 64 bit.  The interface is extremely similar to the screenshots above.  What relationship does Symantec have with Safend?  Thanks!

xlloyd wrote:

I think their relationship would be considered "competitors" lol

delifeath wrote:

Yeah that's what I would expect as well.  Which is why I was surprised to see this interface. They're almost identical.  Anyone have any idea what that's about?

Jack_Of_Shadows wrote:

The prescription here only prevents one, or more accurately one set of, scenarios. I could generate a very long list of alternate pathways to copy and remove information that is not helped in any way, many of which aren't that hard to do for anyone somewhat technically inclined. Actually, a far easier, and much better, way of preventing what happened would be to disallow any digital medium, especially players/recording-capable devices, from crossing the SCIF boundary. Any time you allow a device that can remove energy (information) from the facility, this immediately results in the potential for compromise of that facility's boundaries.


Having been in the military for over a decade, with the highest security clearance, handling such material, and being responsible for IT at my commands, I've thought long and hard about this problem and the potential breach scenarios. While your solution is pretty, actually very, good, it is not the sine qua non. Your observation that ease of use is at the heart of the matter at hand is what I feel security managers should walk away with.

Tim_Matthews wrote:

I think we all know that it's very difficult to stop every conceivable scenario, but this is about controls and risk management. What's important is to make it hard for people to remove sensitive information against policy. The Bradley Manning case is an example of one with such a straightforward solution; we're simply trying to encourage people to implement it to save themselves the same kind of information loss.

Also, in speaking with our customers, they want to let employees know that they've got controls in place to discourage them from violating policy.  As for the IT insider or those with top levels of clearance and authority, it's the feeling of many in the security field that good controls will eventually catch those who get sloppy or overconfident.

M_Marcos wrote:

As you said, “This is about controls and risk management”! Absolutely true.

patriot3w wrote:

There are so many products out there, but it still depends on how people use them.
