Bypassing Vontu

[rgula at tenablesecurity.com (Ron Gula)]

Brian Schultz wrote:
> Our security department is testing out Symantec's Vontu and I am playing
> the guinea pig and have to try and get documents out of our company's
> environment. I have a really basic understanding of how it works. It has
> a span port sitting and listening to all outgoing web traffic and there
> is also an agent that sits on desktops and watches to see if any
> sensitive information leaves via USB drive or e-mail.
>  
> Does anyone have any whitepapers or info regarding how it actually works
> or any tactics I should try?

Keep in mind the general consensus on DLP is that they stop/detect
"simple" leakage, which can be a real threat if you have uneducated
users who are doing things like emailing customer lists to their hotmail
account.

However, to show that this indeed can be bypassed:

Try to send some attachments that are:

- zipped and password protected
- PDFs with a password
- screen shots of spreadsheets, docs, .etc
- PGP an attachment (use AxCyrpt, or any other "free" crypt tool)

Also try send an attachment/email :

- to gmail
- to hotmail
- post a doc to facebook
- send it via IM to a buddy using an encrypted client
- if you have comcast or timewarner, most email is encrypted over SSL/TLS

I'm sure there are lots more ideas out here.

-- 
Ron Gula, CEO
Tenable Network Security