Elektronika 2009-11.pdf - Instytut Systemów Elektronicznych
An experiment of implementation of DLP system working as a Linux kernel loadable module
(An attempt at implementing a data loss prevention (DLP) system working at the kernel level of the Linux system)
ADAM RAKOWSKI student, dr inż. IMED EL FRAY
Zachodniopomorski Uniwersytet Technologiczny w Szczecinie, Wydział Informatyki
Computerization in business is a fact. Many managers expect it to shorten the document flow between company units, improve internal communication and enhance management processes. As the role of computers in business grows, so does the need for better care of data security, from physical security to access control.

Every computerized corporation stores critical confidential data about its contracts, staff, technology, security procedures and so on. An enterprise shares important data with many people, so the risk of information leakage caused by disloyalty or human error increases significantly. „Deloitte’s 2006 Global Security Survey” [1], published in 2006, reports that the second most frequent cause of internal IT security violations is data leakage caused by an authorized person (28%); only viruses and malware cause more incidents (31%). The same report published one year later [2] describes data leakage or intellectual property theft as an incident that happened once in 5% of the surveyed companies and several times in 8% of them.

According to the „CSI Computer Crime and Security Survey” (September 2007), the average loss caused by electronic crime was $345 000 per company, about $175 000 more than a year before. The total cost of confidential data leakage or data theft by an authorized person was $13.6 million [10].
DLP systems are a response to the risk of data leakage caused by employees working with sensitive data. Current business applications and IT systems can authorize a user and share important documents with him if the administrator has allowed him to use that data. After successful authorization, however, the actions performed on a protected file are usually neither traced nor logged, and the system is not able to prevent data leakage. There are many channels a thief can use: a network socket, removable memory, screen capture or printing. A well-working DLP system should prevent the data loss, or at least log the attempt and notify the administrator.
A data loss prevention system can be built in one of the following architectures: host control or DLP network.

In the first architecture the administrator has to install controlling software on each computer in the network where protected documents are shared. When a user logs in, the system reads the set of the user’s permissions and privileges to protected documents from the database and starts tracing the user’s activities. The administrator can set the actions to be performed in case of a policy violation.

A DLP network is based on a different idea. All hosts are free of controlling software; instead it is installed on a network gateway, so the data is analyzed only when it tries to leave the network [3].
Data identification<br />
According to the DLP definition given by Securosis [4], an independent IT security research laboratory, DLP systems are “Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use, through deep content analysis”.

The most important problem is document comparison and the classification of a file into the protected files group. When an employee attempts to send confidential information to an inappropriate recipient, the system has to detect this violation. A trusted DLP application should also recognize snippets of protected documents, protected files that have been slightly modified, or even encrypted ones. Recognition and similarity determination are implemented using deep analysis, dictionary methods, regular expressions, statistical methods or watermarks [3,4]. A good DLP implementation can also extract data from a compressed archive and analyze its contents. A side effect of watermarking is possible delay in document access caused by the huge number of connections to the database [4].
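As an added example (not code from the paper), the following Python sketch shows one statistical similarity method of the kind listed above: a protected document is fingerprinted with hashed word shingles, so that verbatim snippets and slightly modified copies are recognised, while an encrypted copy (stood in for here by base64 encoding) yields no match at all. The document, the threshold and the outbound texts are constructed sample data.

```python
import base64
import hashlib
import re

# Constructed sample of a protected document (not from the paper).
PROTECTED_DOC = (
    "Confidential supply contract between Northwind Traders and Contoso Ltd. "
    "Unit price for part NX-200 is 17.40 EUR with delivery to Szczecin warehouse. "
    "Penalty for late delivery is two percent of order value per week."
)

def shingles(text, k=4):
    """Hashed word k-grams of the normalised text.

    Lower-casing and dropping punctuation makes the fingerprint robust
    against small edits that do not change the wording itself.
    """
    words = re.findall(r"[a-z0-9]+", text.lower())
    grams = (" ".join(words[i:i + k]) for i in range(len(words) - k + 1))
    return {hashlib.sha256(g.encode()).hexdigest()[:16] for g in grams}

# Fingerprint index built once, when the document is registered as protected.
PROTECTED_INDEX = shingles(PROTECTED_DOC)

def containment(candidate, index=PROTECTED_INDEX):
    """Fraction (0..1) of the candidate's shingles found in the protected index."""
    cand = shingles(candidate)
    return len(cand & index) / len(cand) if cand else 0.0

def classify(candidate, threshold=0.3):
    """Policy decision for outbound content: 'block' at or above the threshold."""
    return "block" if containment(candidate) >= threshold else "allow"

# Constructed outbound texts used to exercise the classifier.
SNIPPET = "Unit price for part NX-200 is 17.40 EUR"
MODIFIED_COPY = (
    "Confidential supply contract between Northwind Traders and Contoso Ltd. "
    "Unit price for part NX-200 is now 18.10 EUR with delivery to Szczecin warehouse."
)
UNRELATED = "Meeting moved to Thursday afternoon, please bring the quarterly slides."
# Stands in for a ciphered file: content analysis sees no recognisable words.
ENCODED_COPY = base64.b64encode(PROTECTED_DOC.encode()).decode()

if __name__ == "__main__":
    for name, text in [("snippet", SNIPPET), ("modified", MODIFIED_COPY),
                       ("unrelated", UNRELATED), ("encoded", ENCODED_COPY)]:
        print(f"{name:10s} containment={containment(text):.2f} -> {classify(text)}")
```

The zero score for the encoded copy is the gap the paper points out: content analysis alone cannot classify a file once it has been ciphered, so such a system must also watch the file access itself.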
An additional technique is embedding metadata in the protected file, but it can be cumbersome. Any application working with such a protected file has to “know” whether the file is protected or not. This forces the DLP system vendor to create dedicated viewers and browsers that can interpret the metadata and edit these documents. The disadvantage of this solution is that the user can use only selected applications, tools and formats. A better idea might be to keep in memory the information about which files are protected and to take control over the external editor (browser), so that the DLP system is informed whenever any application tries to access a protected file.
Fig. 1. A difference between DLP host protection and DLP Network
Fig. 1. Comparison of the DLP host protection and DLP Network concepts

Possible scenarios

The available channels of potential data loss are: instant messengers, chats, e-mail, webmail, sending data over ftp/http, printing confidential data or screen capture. If the user knows that the supervising application uses heuristic analysis and similarity comparison, he can use any ciphering application to save the text as an encrypted file; a steganography application could also be helpful. A DLP system can trace (and manage) copies of a protected file. The worst scenario may look like the following one.
48 ELEKTRONIKA 11/2009