PaulDotCom mailing list archives

Bypassing Vontu


From: shawn at NetworksUnlimited.com (Shawn Bernard)
Date: Fri, 23 Oct 2009 09:29:13 -0400

As others have stated, the only way a DLP tool can be reasonably
effective is when it is one part of the overall solution. Whole disk
encryption and not allowing users to install unauthorized applications
would thwart better than half of the suggestions. I am not too familiar
with Vontu, but from the little work I have done with the Websense
product, on the client end you can prohibit copy/paste/print operations
of 'protected' data, which knocks out a couple of others.  You will never
stop readers of security lists from bypassing DLP and other security,
but with comprehensive policies and a thoughtful deployment you will be
able to accomplish the main goal, which is making it much harder for good
people to make honest mistakes.

From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Duncan
Alderson
Sent: Friday, October 23, 2009 5:38 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Bypassing Vontu


I have to agree with Allen on this. You need to have a good test plan
but I also think you have to remember that DLP is no security silver
bullet. It will not cure cancer but it can stop a lot of things. You
just need to test to find out what it does stop and what it doesn't and
find another product/solution to protect against that threat.

As other people have mentioned, Vontu will not stop your user booting
into a liveCD and grabbing the files, but that's why you would want Whole
Disk Encryption.

Cheers

Duncan

2009/10/23 <allen.deryke at hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm usually pretty "good" at picking up sarcasm but I'm fairly sure
that was the actual suggestion.

I can see the logic behind just testing for accidental DLP; most
infosec pros know better than to trust some DLP black box solution
to stop a really determined attacker/corporate spy.  If you're
looking to do checkbox security, deploy and forget is a completely
valid approach to DLP.   For the sake of staying on topic I won't
delve into that philosophical mine field.

I will however indulge in some product testing philosophy. As a
professional your test plan needs to demonstrate both a product's
strengths and its weaknesses.  A test plan should be fair and
methodical, use an objective scoring system, sidebar opinions and
follow a written test plan.  Don't include assumptions or opinions
about a product or technology; you're just there to test what works
and what doesn't.

For DLP you don't just want to test if it can see a random SSN in a
plain text email.  Don't forget about the "clever" user who will
password protect a zip or excel sheet to make it "secure", change
file extensions or screen shot customer data in your billing
system.  If someone uses PGP in a year to push the client list out
of your company, you won't regret documenting that a product cannot
protect against that. When testing a product, what's not included
in the test plan is much more likely to haunt you later.

If you're a security decision maker, then the game changes. You need to
really assess how this product fits into your overall security
strategy: how much of what this product offers can be done with
another product in house?  Most anti-spam solutions should have
quite a few useful features to leverage.  Once you have that list
of missing features, now find the TCO and THEN assess the decision
from a business health perspective.

When you're looking for long term health and real security, "only
test the product in the vendor's provided scope" ends up costing
both you and your employer in the long run.

- -- Allen



On Thu, 22 Oct 2009 17:34:19 -0400 johnemiller at gmail.com wrote:
I am notoriously bad at picking up on sarcasm over email, especially
lacking the appropriate <sarcasm> tag, but are you seriously
suggesting tailoring the testing to only highlight the features that
you know work? I can understand wanting to demonstrate what would get
caught, but the real value of testing this system is to find out where
the weaknesses exist so that appropriate controls can be added to
reduce those risks. The testing methodology should be expansive enough
to use as education for the idiots.

On Oct 22, 2009 2:14pm, Chris Merkel <cmerkel at gmail.com> wrote:
I agree with Ron - DLP is an "idiot screen" and is useful for little
more. Therefore, your testing methodology should be to emulate idiots
and nothing more. (And educate any idiot who thinks it will solve your
leakage issues.)

On 10/22/09, xgermx <xgermx at gmail.com> wrote:

Create a small TrueCrypt container, copy sensitive files to
container, copy container to usb or email container.



On Thu, Oct 22, 2009 at 10:38 AM, Brian Schultz
<theconqueror at gmail.com> wrote:

Our security department is testing out Symantec's Vontu and I am
playing the guinea pig and have to try and get documents out of our
company's environment. I have a really basic understanding of how it
works. It has a span port sitting and listening to all outgoing web
traffic and there is also an agent that sits on desktops and watches
to see if any sensitive information leaves via USB drive or e-mail.

Does anyone have any whitepapers or info regarding how it actually
works or any tactics I should try?


_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


--
Sent from my mobile device

- Chris Merkel


-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkrg9QIACgkQDIjDYcBm5payLQQAkC1sn8VwxQjfOeS3GanGkRVRnHYR
h7oksxA1pFMMErX1AOa/mqGCpcE8vcowrYIPBugrI6FrINOtys9KgIP1EdEICMbh+ByJ
L7mZ09sN6jFF93YQcwe7qxcB/gdy4zZU4+zIKVVV9uYVAyyeD+kgEWu321fEcDj7hZC8
nywkGKQ=
=XQp/
-----END PGP SIGNATURE-----
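Added example, not taken from any post in this thread: a small Python harness in the spirit of Allen's test-plan advice and of the original question about what Vontu's agent and span port actually inspect. It builds the artifacts a DLP test plan should cover (a plaintext record carrying an SSN-shaped value, the same bytes under a misleading .jpg extension, the record inside a plain zip, the same zip with the ZIP encryption flag set so it presents as password-protected, and a PNG stand-in for a screenshot), then runs a minimal content inspector over each. The inspector identifies the container by magic bytes rather than extension, recurses into archives, and records anything it cannot read inside as a coverage gap instead of a pass. The SSN pattern, record text, file names and the mark_encrypted helper are all constructed here; nothing is taken from Vontu or Websense.

```python
"""Constructed DLP test-plan harness (added example, not from the thread).

Decides file type from leading bytes, never from the name; recurses into
plain zip archives; reports encrypted members and images as gaps because a
pattern matcher cannot see inside them. All sample data is made up.
"""
import io
import re
import zipfile

# SSN-shaped pattern (three, two, four digits with dashes). Real products add
# checksums and context words; this is just enough to exercise the plan.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

ZIP_MAGIC = b"PK\x03\x04"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_ENCRYPTED_BIT = 0x1   # general-purpose flag bit 0 in the ZIP format
MAX_DEPTH = 3             # stop recursing into nested archives past this

SAMPLE_RECORD = b"customer: Jane Doe  ssn: 123-45-6789  plan: gold\n"  # constructed


def classify(blob: bytes) -> str:
    """Identify the container from its first bytes; the file name is ignored."""
    if blob.startswith(ZIP_MAGIC):
        return "zip"
    if blob.startswith(PNG_MAGIC):
        return "png"
    return "text"


def inspect(blob: bytes, depth: int = 0) -> dict:
    """Scan one blob: count SSN hits and track whether every byte was readable."""
    kind = classify(blob)
    result = {"kind": kind, "hits": 0, "inspectable": True, "notes": []}
    if kind == "text":
        result["hits"] = len(SSN_RE.findall(blob))
        return result
    if kind == "png":
        # Pixels are opaque to a pattern matcher: needs OCR or a block policy.
        result["inspectable"] = False
        result["notes"].append("image content not text-inspectable")
        return result
    if depth >= MAX_DEPTH:
        result["inspectable"] = False
        result["notes"].append("archive nesting too deep, not inspected")
        return result
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ZIP_ENCRYPTED_BIT:
                # Password-protected member: record the gap, do not guess.
                result["inspectable"] = False
                result["notes"].append(f"{info.filename}: encrypted member, not inspected")
                continue
            sub = inspect(zf.read(info), depth + 1)
            result["hits"] += sub["hits"]
            result["inspectable"] = result["inspectable"] and sub["inspectable"]
            result["notes"].extend(sub["notes"])
    return result


def make_zip(member_name: str, payload: bytes) -> bytes:
    """Build a single-member zip in memory (constructed test artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def mark_encrypted(zip_blob: bytes) -> bytes:
    """Constructed test artifact: set the 'encrypted' flag bit in the single
    member's local header (flags at offset 6) and central directory record
    (flags at offset 8). The data is not really encrypted; the archive merely
    presents to the inspector the way a password-protected zip does."""
    data = bytearray(zip_blob)
    if data[:4] != ZIP_MAGIC:
        raise ValueError("not a zip local header")
    data[6] |= ZIP_ENCRYPTED_BIT
    cd = data.rfind(b"PK\x01\x02")          # central directory follows the data
    data[cd + 8] |= ZIP_ENCRYPTED_BIT
    return bytes(data)


def run_test_plan() -> list:
    """Build each artifact the plan should cover and inspect it."""
    cases = [
        ("plaintext.txt", SAMPLE_RECORD),
        ("renamed.jpg", SAMPLE_RECORD),                              # extension lie
        ("archive.zip", make_zip("export.txt", SAMPLE_RECORD)),
        ("protected.zip", mark_encrypted(make_zip("export.txt", SAMPLE_RECORD))),
        ("screenshot.png", PNG_MAGIC + b"\x00" * 16),                # image stand-in
    ]
    return [{"name": name, **inspect(blob)} for name, blob in cases]


if __name__ == "__main__":
    for r in run_test_plan():
        verdict = "DETECTED" if r["hits"] else ("GAP" if not r["inspectable"] else "clean")
        print(f"{r['name']:16} {r['kind']:5} hits={r['hits']} {verdict} {'; '.join(r['notes'])}")
```

Run it directly to get one line per artifact. The renamed file and the plain zip still produce a hit, because type is taken from content rather than the name; the protected zip and the screenshot produce GAP lines rather than "clean". That distinction is the point of the harness: a plan that only logs detections would list those two as passing, whereas recording them as uninspected is exactly the finding Allen says you will be glad to have documented later.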


