PaulDotCom mailing list archives
Bypassing Vontu
From: shawn at NetworksUnlimited.com (Shawn Bernard)
Date: Fri, 23 Oct 2009 09:29:13 -0400
As others have stated, the only way a DLP tool can be reasonably effective is when it is one part of the overall solution. Whole disk encryption and not allowing users to install unauthorized applications would thwart better than half of the suggestions. I am not too familiar with Vontu, but from the little work I have done with the Websense product, on the client end you can prohibit copy/paste/print operations of 'protected' data, which knocks out a couple of others. You will never stop readers of security lists from bypassing DLP and other security, but with comprehensive policies and a thoughtful deployment you will be able to accomplish the main goal, which is making it much harder for good people to make honest mistakes.

From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Duncan Alderson
Sent: Friday, October 23, 2009 5:38 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Bypassing Vontu

I have to agree with Allen on this. You need to have a good test plan, but I also think you have to remember that DLP is no security silver bullet. It will not cure cancer, but it can stop a lot of things. You just need to test to find out what it does stop and what it doesn't, and find another product/solution to protect against that threat. As other people have mentioned, Vontu will not stop your user booting into a liveCD and grabbing the files, but that's why you would want Whole Disk Encryption.

Cheers
Duncan

2009/10/23 <allen.deryke at hushmail.com>

I'm usually pretty "good" at picking up sarcasm, but I'm fairly sure that was the actual suggestion. I can see the logic behind just testing for accidental DLP; most infosec pros know better than to trust some DLP black box solution to stop a really determined attacker/corporate spy. If you're looking to do checkbox security, deploy and forget is a completely valid approach to DLP.

For the sake of staying on topic I won't delve into that philosophical minefield. I will however indulge in some product testing philosophy. As a professional, your test plan needs to demonstrate both a product's strengths and its weaknesses. A test plan should be fair and methodical, use an objective scoring system, sidebar opinions and follow a written test plan. Don't include assumptions or opinions about a product or technology; you're just there to test what works and what doesn't. For DLP you don't just want to test if it can see a random SSN in a plain text email. Don't forget about the "clever" user who will password protect a zip or Excel sheet to make it "secure", change file extensions or screenshot customer data in your billing system. If someone uses PGP in a year to push the client list out of your company, you won't regret documenting that a product cannot protect against that. When testing a product, what's not included in the test plan is much more likely to haunt you later.

If you're a security decision maker, then the game changes. You need to really assess how this product fits into your overall security strategy: how much of what this product offers can be done with another product in house? Most anti-spam solutions should have quite a few useful features to leverage. Once you have that list of missing features, now find that TCO and THEN assess the decision from a business health perspective. When you're looking for long term health and real security, "only test the product in the vendor's provided scope" ends up costing both you and your employer in the long run.

--
Allen

On Thu, 22 Oct 2009 17:34:19 -0400 johnemiller at gmail.com wrote:

I am notoriously bad at picking up on sarcasm over email, especially lacking the appropriate <sarcasm> tag, but are you seriously suggesting tailoring the testing to only highlight the features that you know work? I can understand wanting to demonstrate what would get caught, but the real value of testing this system is to find out where the weaknesses exist so that appropriate controls can be added to reduce those risks. The testing methodology should be expansive enough to use as education for the idiots.

On Oct 22, 2009 2:14pm, Chris Merkel <cmerkel at gmail.com> wrote:

I agree with Ron - DLP is an "idiot screen" and is useful for little more. Therefore, your testing methodology should be to emulate idiots and nothing more. (and educate any idiot who thinks it will solve your leakage issues.)

On 10/22/09, xgermx <xgermx at gmail.com> wrote:

Create a small TrueCrypt container, copy sensitive files to container, copy container to usb or email container.

On Thu, Oct 22, 2009 at 10:38 AM, Brian Schultz <theconqueror at gmail.com> wrote:

Our security department is testing out Symantec's Vontu and I am playing the guinea pig and have to try and get documents out of our company's environment. I have a really basic understanding of how it works. It has a span port sitting and listening to all outgoing web traffic and there is also an agent that sits on desktops and watches to see if any sensitive information leaves via USB drive or e-mail. Does anyone have any whitepapers or info regarding how it actually works or any tactics I should try?

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

--
Sent from my mobile device
- Chris Merkel
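Added here as an illustration, not code from the list or from any DLP product: a toy content inspector that exercises the test-plan cases Allen lists (an SSN in plain text, an archive renamed to look like a text file, a nested archive, and a password-protected archive whose contents cannot be read and is reported as such rather than silently passed). The sample record, the file names and the "encrypted" fixture, built by flipping the zip header flag bit because the standard library cannot write encrypted archives, are all constructed for this example.

```python
import io
import re
import zipfile

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # XXX-XX-XXXX form only
ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 3  # bound recursion into nested archives (zip bombs, self-nesting)

def inspect(name, data, depth=0):
    """Findings for one outbound artefact; type comes from magic bytes, not extension."""
    if data[:4] == ZIP_MAGIC:
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:  # encrypted entry: uninspectable, report it
                    findings.append(f"{inner}: encrypted archive, cannot inspect")
                elif depth < MAX_DEPTH:
                    findings += inspect(inner, zf.read(info), depth + 1)
                else:
                    findings.append(f"{inner}: nested too deep, not inspected")
        return findings
    text = data.decode("utf-8", errors="ignore")
    return [f"{name}: SSN {m}" for m in SSN_RE.findall(text)]

def build_zip(entries, mark_encrypted=False):
    """Constructed fixture; mark_encrypted flips header flag bit 0 (stdlib can't encrypt)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry_name, payload in entries:
            zf.writestr(entry_name, payload)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        # general-purpose flag lives at +6 in local headers and +8 in central ones
        for sig, flag_off in ((ZIP_MAGIC, 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + flag_off] |= 0x1
                pos = raw.find(sig, pos + 1)
    return bytes(raw)

def run_test_plan():
    # each key is one row of the DLP test plan; the value is what inspection found
    record = b"Jane Doe, 123-45-6789, account 4471\n"  # constructed sample record
    plain_zip = build_zip([("customers.csv", record)])
    return {
        "plaintext email": inspect("mail.txt", record),
        "renamed archive": inspect("notes.txt", plain_zip),
        "nested archive": inspect("a.zip", build_zip([("inner.zip", plain_zip)])),
        "password zip": inspect("secure.zip", build_zip([("x.csv", record)], True)),
    }
```

A row whose finding is "cannot inspect" is still a finding: a product that stays silent there is the gap the test plan should document.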