Elektronika 2009-11.pdf - Instytut SystemÃ³w Elektronicznych

More documents

Recommendations

Info

An experiment of implementation of DLP system working as a Linux kernel loadable module (Próba implementacji systemu ochrony przed utratą danych (DLP) pracującego na poziomie jądra dla systemu Linux) ADAM RAKOWSKI student, dr inż. IMED EL FRAY Zachodniopomorski Uniwersytet Technologiczny w Szczecinie, Wydział Informatyki Computerization in business is a fact. A perspective of shortening the time of document flow between company units, improving internal communication and enhancement of management processes is expectation of many managers. Due to increased role of computers in business, the need of better care of data security - from physical security till access control is a fact. Each computerized corporation stores the critical confident data about its contracts, staff, technology, security procedures etc... An enterprise shares important data to many people, so the risk of information leakage caused by disloyality or human error is significantly increased. Published in 2006 „Deloitte’s 2006 Global Security Survey” [1] tells that the second most frequent reason of internal IT security violation is data leakage caused by qualified person (28%). Only the viruses and malware are the reason of more incidents (31%). The same report published one year later [2] describes data leakage or intellectual property theft as the incident happening once in 5% of surveyed companies, while in 8% of companies - several times. Due to „CSI Computer Crime and Security Survey” (September 2007) a cost of sacrifice caused by electronic crimes was in average $345 000 per company, about $175 000 more than a year before. A global cost of confidential data leakage in company or data theft caused by qualified person was $13.6 million [10]. DLP systems are a response to data leakage risk caused by employee working with sensitive data. Current IT business applications and systems can authorize user and share important documents to him if administrator allowed him to use that data. After successful authorization the actions performed on protected file usually are not traced or logged, system also is not able to prevent data leakage. There are many possible channels the thief can use: socket, removable memory, screen capture or printing. Well working DLP system should prevent data loss or at least log that try and notify administrator. Data loss prevention system can be made in one of following architectures: host control architecture or DLP network. In first architecture administrator has to install controlling software on each of computer working in network, where protected documents are shared. When user logs in the system and reads from the database set of user’s permissions and privileges to protected documents, then the system starts tracing user’s activities. Administrator can set actions performed in case of policy violation. DLP network is based on another idea. All the hosts are free of controlling software, but it is installed on a network gateway, so the data is analyzed only when tries to get out of network [3]. Data identification According to DLP definition given by Securosis [4] - an independent IT security research laboratory - “Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use, through deep content analysis”. Most important problem is document comparison and classification of the file to protected files group. When employee attempts to send a confidential information to inappropriate recipient, system has to detect this violation. Trusted DLP application should recognize also a snippets of protected documents, or protected files modified a bit, or even encrypted. Recognition and similarity determination is implemented using deep analysis, dictionary methods, regular expressions, statistical methods or watermarks [3,4]. Good DLP implementation can also extract data from compressed archive and analyze data the archive contains. Side effect of watermarking are possible delays in documents access caused by huge quantity of connections to database [4]. Additional technique can be embedding metadata in protected file, but in can be cumbersome. Any application working with such protected file should “know” if this file is protected or not. It implicates on a DLP system vendor need of creating dedicated viewers, browsers which can interpret metadata and edit these documents. Disadvantage of this solution is that user can use only selected applications, tools and formats. Better idea could be keeping in memory the information which files are protected and taking control on external editor (browser) to inform DLP system that any application tries to get access to protected file. Possible scenarios Fig. 1. A difference between DLP host protection and DLP Network Rys. 1. Porównanie koncepcji DLP host protection i DLP Network Available channels of potential data loss are: instant messagers, chats, e-mail, webmail, sending data by ftp/http, printing confident data or screen capture. If user knows that supervisor application use heuristic analysis and similarity comparison, he should get any ciphering application to save text as encrypted file, also steganography application could be helpful. DLP system can trace (and manage with) copies of protected file. The most terrible scenario may looks like following one. 48 ELEKTRONIKA 11/<strong>2009</strong>
Fig. 2. Possible scenarios of data leakage Rys. 2. Możliwe scenariusze celowej utraty danych User takes some screen captures of confident data. Images are stored in clipboard by default. User copies these images do graphics editor and perform some changes (cropping, adding some random points). Performed operations can reduce the probability of positive matching the screen captures taken by user in case of embedded watermark in print screen. Later user writes the screenshots to file and creates encrypted archive. After all the archive is sent using SSL protocol. Alternative scenario can be like this: user copies a fragment of protected text document to clipboard. Then he performs a simple, reversible obfuscation of this text. Text after obfuscation is directed to input of steganography application. The result of this operation is image. This image is sent by instant messager. Analysis of example scenarios show how wide range of IT system has to be mentioned and controlled. It also shows that protecting only some selected output channels will only delay the discreditation of DLP system. Available solutions Nowadays DLP system can be software implementation (for Windows) or hardware. Software implementation are offered by (e.g.): Websense, RSA, McAffe, Symantec, Nitrobit, Trend Micro i GSS. The leader of DLP software for Windows is Websence. It’s Data Security package is made of four fully integrated components: Data Discover, Data Monitor, Data Protect and Data Endpoint. System is based on user policies and rules. Policy determines access range for each group of users to documents (context) and allowed output channels. The PreciseID technology using ThreatSeeker solution (determines whether remote source of data is safe or can be dangerous to computer) makes possible classifying corporation data on workstation (end-point protection) and also in whole the Internet. Controlled channels are network traffic (HTTP, SMTP and IM) and workstation supervision (removable storages, printing, print screen, clipboard). Administrator set the policies used in case of violation. Some of possible actions are force encryption when writing to removable storage, denial or quarantine [7]. Another solution in data loss prevention comes from Nitrobit company and is called Policy Extension. Due it’s name it is a set of policies which extends standard Windows security policies. This software is available for Windows OS version 2000 to Vista, 32 and 64 bits. It supports removable media, system registry, services and network storages. Removable media can be configured using it’s serial number, type and vendor [8]. Disadvantage is less flexibility of configuration. Popular solution for Windows platform is security policies based package LeakProof made by Micro Trend company. It is made of three components: DataDNA Technology (documents watermarking), Server and Client module (installed on employees’ computers). Both DLP network and end-point protection modes are supported. This software allows to control removable media, also plugged to COM and LPT ports and printers. Blocking print screen is also possible. Features of control: removable media, optical discs drives, USB memory, e-mail and webmail (also encrypted), HTTPS and FTP protocols, IM protocols. An interesting feature is controlling Bluetooth interfaces and WiFi networks. LeakProof can also work with on- and off-line computers. System can deny disloyal or absent-minded employee, or display on his screen a message window with policy information and message that try of violation is possible. When such employee tries to move data to removable media, system can force encryption of file [9]. All the above solutions, despite the fact they can not guarantee full security of sensitive or confident information, they reduce the risk of consequences caused by neglect of employees. For computer geeks hacking DLP system is possible. Main problem and the topic of this paper is a question why there is no DLP system for Linux similar to described or released as Open Source. Experiment of implementation DLP solution for Linux Others also were looking for an answer to this question [5], we started searching a reason of this fact. General idea of the experiment was to find out why the vendors of DLP systems for Windows have not tried to take over the market of DLP solutions for Linux platform. Is this fact for the reasons of difficulties related to Linux, or maybe because of unwillingness of business to Linux caused by many myths about this system? To find it out, a small DLP system for Linux have been written. It’s aim is to keep sensitive corporate data within the company. System PXX works in end-point mode with same laws for each user. It’s task is to block all the possible output channels for selected processes to prevent data leakage, but without making any problem to user. PXX is made of two components. First - PXX-lkm is a loadable Linux kernel module (2.6.18 and higher). His task is exchanging original system calls of open, close, send, sendto and sendmsg functions with own implementations, and communication with second component - PXX daemon. The service is responsible for parsing configuration file with paths of protected files and logging the incidents in local log and system log. Both elements communicate by netlink socket. This communication architecture allows tear the components apart to insert own element between to improve functionality. Fig. 3. Architecture Rys. 3. Architektura After launching the service and loading kernel module service tries to access /etc/files files, which contains protected files list. The module swaps original kernel’s system calls with own functions (listing 1). sys_call_table[__NR_open]=my_sys_open; sys_open=sys_call_table[__NR_open]; sys_close=sys_call_table[__NR_close]; sys_call_table[__NR_close]=my_sys_close; ELEKTRONIKA 11/<strong>2009</strong> 49
Page 5 and 6: konstrukcje technologie zastosowani
Page 7 and 8: Streszczenia artykułów • Summar
Page 13 and 14: Medical pattern intelligent recogni
Page 15 and 16: Fig. 2. Start graph Z and the set o
Page 17 and 18: Both models are created of the basi
Page 19 and 20: • in some cases in the methods of
Page 21 and 22: 4. Random operators: three types of
Page 23 and 24: useful. In work [1] is stressed, th
Page 25 and 26: Tabl. 1. Fuzzy sets of the objects,
Page 27 and 28: In addition, one has to remember th
Page 29 and 30: The correction of digital images ob
Page 31 and 32: Tabl. 4. MD error before and after
Page 33 and 34: tionship then determines which indi
Page 35 and 36: this goal. A user’s public key au
Page 37 and 38: a) will be or could be broken, or b
Page 39 and 40: Ontology-based approach to scada sy
Page 41 and 42: erarchy of vulnerability classes wi
Page 43 and 44: and the set of tasks is divided int
Page 45 and 46: tasks: T 0 , T 4 , T 5 , T 6 and T
Page 47 and 48: According to presented function CSF
Page 49 and 50: The efficient data authentication i
Page 51: Fig. 3. Example run of three rounds
Page 55 and 56: e necessary, in worst case - also s
Page 57 and 58: dicates the number of tasks at the
Page 59 and 60: • information on their state come
Page 61 and 62: • data regarding their identity (
Page 63 and 64: k = 1, 2, ..., m and m is the numbe
Page 65 and 66: more powerful statistical (algorith
Page 67 and 68: Signal to Noise Ratio (PSNR). We pr
Page 69 and 70: [23] W3C - Web Services Glossary -
Page 71 and 72: Associated with every N-point M-dim
Page 73 and 74: The SMS-B system architecture (Sour
Page 75 and 76: Technika próżni i technologie pr
Page 77 and 78: wniosku i w konsekwencji za rok 200
Page 79 and 80: Poniżej przedstawiono krótki kome
Page 81 and 82: Wspomnienie Edward Leja (1937-2009)
Page 83 and 84: Zastosowanie technik immunoenzymaty
Page 85 and 86: z pasty węglowej, zaś odniesienia
Page 87 and 88: [33] Biani A., Centi S. Tombrlli S.
Page 89 and 90: Problemem bowiem w pracach instytut
Page 91 and 92: 1985 - Zdzisław Dorywalski 1986 -
Page 93 and 94: Rys. 4. Uroczyste wręczanie świad
Page 95 and 96: Imię i Nazwisko Patenty Wzory uży
Page 97 and 98: zadań określonych przez użytkown
Page 99 and 100: Ocena sugerowanych w ankiecie metod
Page 101: Zaprenumeruj wiedzę fachową 2010
Page 104 and 105:
Radary pasywne - nowa technika radi
Page 106 and 107:
c) stopniowo przesuwać jeden przeb
Page 108 and 109:
W przypadku wykorzystania nadajnika
Page 110 and 111:
kreślić to, że owale Cassiniego
Page 112 and 113:
Dla każdego kierunku odbieranej fa
Page 114 and 115:
chomych, które w ogólnym przypadk
Page 116 and 117:
Rys. 19. Fragment zobrazowania SS3
Page 118 and 119:
Zbigniew Czekała jest projektantem
Page 120 and 121:
• wytypowaniu statków zobowiąza
Page 122 and 123:
• używanie właściwego osprzęt
Page 124 and 125:
W jednomodowym szklanym włóknie t
Page 126 and 127:
Światłowody scyntylacyjne W środ
Page 128 and 129:
Parametry materiałowe szklanego w
Page 130 and 131:
126 ELEKTRONIKA 11/2009
Page 132 and 133:
Literatura [1] Yamane M., Asahara Y
Page 134 and 135:
Rys.1. Przebiegi testowe na wyprowa
Page 136 and 137:
nież pasmo emisji od około 500 MH
show all

Elektronika 2009-11.pdf - Instytut SystemÃ³w Elektronicznych

Create successful ePaper yourself

Delete template?

Save as template?