Wednesday, November 10, 2010

Data Loss via CD/DVD Burning

Data Loss Type #4:  Data Loss via CD/DVD Burning

While the most popular and easiest way to steal data is to use a USB drive, another method is to burn a CD/DVD.  Again, this might be intentional theft, or it might be good intentions gone wrong . . .

Example:  It might seem extremely handy to a traveling sales rep to burn his client list to CD so he can read it at the hotel computer.  And then forget it in the hotel computer.

Who is taking the data:  Most likely an authorized user.

What doesn’t (always) work:  Like USB drives, CD burning can be turned off via Windows Group Policy.  However, you may not use Windows Group Policy, or you might be worried about data theft by users who aren’t normally restricted by Group Policy (e.g. Administrators).  You also might want users to be able to burn some content to CD—just not the sensitive stuff.  For all those scenarios, you’ll need FileSure Defend.

How we do it:  In most situations, just defining a FileSure rule to block file creates on the CD/DVD drive will be enough.  For maximum security, designating what programs can access your sensitive files will also be necessary.

Specifically, how to do it:  Here is a screenshot showing how to set up a rule to block writing of Excel files to a CD/DVD.

Here’s what we’ve done:
  1. Set the rule name to ‘Block CD writes’ for sanity’s sake
  2. Defined that the rule applies only to files with an ‘xls’ extension (‘*.xls’)
  3. Defined that the rule applies to all users (‘*’)
  4. The rule will apply to files being written or created on CD/DVDs on both servers and workstations

This simple rule will probably handle 95% of theft via CD/DVDs (customized for whatever file types concern you); however, CD/DVDs are a bit different than USB drives since there isn’t a ‘file system’ on the CD/DVD until after it’s burned. So if the user were to burn a CD with another program (e.g. Nero) that writes the entire CD at once, FileSure isn’t going to catch it.

To block that scenario, it would be tempting to use FileSure’s ‘Program Name’ filter to block the CD/DVD burning program explicitly (which will work), but I recommend that you opt for a ‘white-list’ approach instead of a ‘black-list.’ In other words, exclude ALL programs from reading the protected files EXCEPT the one that is allowed to.

You can use the “Stop File Theft” wizard to achieve this very quickly; please see the previous blog post, Internet-based Malware and File Compromise, for step-by-step instructions.  This one-page wizard will help you designate the programs that are exclusively allowed access, and then will also generate a rule stopping writes to removable drives, so you can do it all in one place.

Monday, November 1, 2010

Internet-based Malware and File Compromise

Welcome to the FileSure Defend 2.5 Data Loss Prevention Blog series. 

Data Loss Type #3:  Internet-based Malware and File Compromise

The way most internet-based hacks work is by exploiting a security hole in Windows, or the browser, or another running program to run a bit of hacker-generated code. Typically what this bit of code does is to ‘infect’ the computer so the hacker can deliver a more sophisticated ‘Trojan’ virus later. 

After the computer is infected, the ‘Trojan’ typically runs silently, stealing data, infecting other computers, all the while running under the infected user’s security context. 

Example:  If a hacker is lucky enough to infect a CFO’s computer, he will be able to exploit and steal very important data since the CFO has access to it.

Very ugly.

Who is taking data:  Someone offsite, usually unconnected, and they are just grabbing whatever they can.  Definitely malicious in intent.

What doesn’t (always) work:  Protecting against viruses that are already known.  If you happen to get a new malware infection that isn’t one of the files your virus protection is scanning for . . . you’re out of luck. 

How we do it:
  1. Block any program from writing code to the hard drive.  Period.  Most people never need to write a file in an executable format or even a VBS file, so by setting up FileSure to block ALL code from being written to the drive, you stop hackers cold.
  2. Use a Data Loss Prevention-styled rule and block access to protected files with a ‘White-List’ of applications.  Since the hacker will be using a non-authorized program, FileSure will block it from reading the file. 

Specifically, how to do it:  Here’s a screenshot showing how to define a single rule to block malware.  All we do is block creating, writing or the more clever hack of renaming to program files (.exe, .dll, .vbs, .wsh) and we apply the rule to all drive types.  Easy peasy . . . but note: self-updating programs don’t like this rule, so you might want to ‘Exclude’ them from the rule.

For the second half, we created an easy to use, one-page wizard to help you protect your files by limiting program access:


We run the wizard and, in this case, I decided to protect Microsoft Excel files, so I typed in ‘xls’ into the ‘Extensions’ filter and selected the entry I wanted and then clicked ‘Finish.’


This created two rules:



The first one is the ‘meat and potatoes’ rule.  It blocks reading, writing and deleting of Excel files for all users anywhere, but as you see in the second screenshot, it EXCLUDES Microsoft Excel from that rule.  Hence, you can only access Microsoft Excel files IN Microsoft Excel.



With these few little characters, FileSure Defend will BLOCK all access to Excel files to every program, including malware and viruses, except for Excel, which it will allow full access.

The second rule isn’t as exciting, but does an important job.  It blocks writing or creating of XLS files to removable drives and CD/DVDs for all programs (that blocks Excel from writing directly to the USB drive).
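
The white-list argument from the CD/DVD post and the rules described above, modelled as an added example (this is not FileSure's rule engine or configuration format, and not code from the original posts). The rule fields, the program names otherburner.exe and dropper.exe, and the sample events are constructed for illustration.

```python
# Simplified model of extension / program / drive-type blocking rules.
# Not FileSure's engine or rule format; every name here is hypothetical.
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass(frozen=True)
class Rule:
    name: str
    ops: frozenset            # operations the rule blocks
    patterns: tuple           # file-name patterns, e.g. "*.xls"
    drives: frozenset         # drive types the rule covers
    programs: tuple = ("*",)  # programs the rule applies to
    excluded: tuple = ()      # programs exempt from the rule (the white-list)

    def blocks(self, op, path, drive, program):
        # For a rename, `path` is the new name the file would receive.
        name, prog = path.lower(), program.lower()
        return (op in self.ops and drive in self.drives
                and any(fnmatch(name, p) for p in self.patterns)
                and any(fnmatch(prog, p) for p in self.programs)
                and not any(fnmatch(prog, p) for p in self.excluded))

ALL_DRIVES = frozenset({"fixed", "removable", "cdrom", "network"})

WHITELIST = [
    Rule("Protect XLS", frozenset({"read", "write", "delete"}), ("*.xls",), ALL_DRIVES, excluded=("excel.exe",)),
    Rule("No XLS to removable media", frozenset({"create", "write"}), ("*.xls",), frozenset({"removable", "cdrom"})),
    Rule("No new code", frozenset({"create", "write", "rename"}), ("*.exe", "*.dll", "*.vbs", "*.wsh"), ALL_DRIVES),
]
# Black-list alternative: only the burning program you thought of is blocked.
BLACKLIST = [Rule("Block Nero", frozenset({"read"}), ("*.xls",), ALL_DRIVES, programs=("nero.exe",))]

def decide(rules, op, path, drive, program):
    """Return the name of the first rule that blocks the access, or None if allowed."""
    for rule in rules:
        if rule.blocks(op, path, drive, program):
            return rule.name
    return None

# Constructed sample events: (operation, file, drive type, program)
EVENTS = [
    ("read", "clients.xls", "fixed", "excel.exe"),
    ("read", "clients.xls", "fixed", "nero.exe"),
    ("read", "clients.xls", "fixed", "otherburner.exe"),
    ("write", "clients.xls", "removable", "excel.exe"),
    ("rename", "update.EXE", "fixed", "dropper.exe"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev, "| white-list:", decide(WHITELIST, *ev), "| black-list:", decide(BLACKLIST, *ev))
```

The third event is the one that separates the two approaches: the black-list has no entry for the unlisted burner and lets the read through, while the white-list blocks it because it is not Excel.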


Trojan hacks are horrible since most of the time, you don’t know they are there and they are stealing data using YOUR security privileges.  By using FileSure, you can be safe from them.   Just too bad we haven’t figured out how to ‘Reverse hack’ them.