CompTIA CASP+ CAS-004 – Data Security (Domain 1) Part 5
February 12, 2023

9. Data Loss Detection (OBJ 1.4)

In this lesson, we’re going to discuss data loss detection techniques that you can use to ensure the security of your enterprise data. These techniques include watermarking, digital rights management, network traffic decryption and deep packet inspection, and network traffic analysis. These techniques are important because we can’t stop all data from leaving our networks, nor would we really want to. For example, my company creates online videos that we send out digitally all over the Internet, either directly to our students at diontraining.com or to other online learning platforms who send them out to their students. We simply can’t use DLP to stop that from happening. Otherwise, we would be stopping our ability to deliver our product to our customers. So, as you’re watching this course right now, we’ve done a few things to try and protect our content.

Because we sell a digital product, it’s very easy to make a copy of it and spread it all over the world. This is the same problem that big movie studios have as well. And when you deliver audio and video content digitally, it’s really lossless, so every single copy is just as good as the original. So techniques like watermarking and DRM are going to be used to attempt to prevent piracy of the owner’s intellectual property. First, we have watermarking. Now, watermarking is the process of superimposing a logo or piece of text onto a document or image file that’s going to serve as a means of aiding the copyright protection of that given work.

For example, as you’re watching this video, you see two watermarks embedded into the background behind me. One is the white Dion Training logo that appears in the upper left-hand corner of every video. The second is the big shield head located right behind me. These are two visual watermarks, and they have helped us to protect our copyrighted material over time. Now, we’ve also had cases where somebody has gone and copied all the videos from one of our courses, cropped out the Dion Training logo in the upper left corner, and tried to sell that course as their own original content. But due to the big watermark shield and, of course, me being on screen the whole time, it was very easy to prove that the content is owned by Dion Training, and it was rapidly taken offline from that pirate website.

Another common form of watermarking that you might run across happens inside of ebooks in PDF format. For example, if you bought this course from diontraining.com, you received a copy of the official CompTIA textbook. If you downloaded a PDF version of that textbook from the website, it’s actually going to add a watermark to the file at the bottom of every page that says “Licensed for use only by” followed by your name, a unique ID number, and the date. This means that if you post this PDF online for free or hand it out to all your friends, the company can actually come back after you for copyright infringement, because you are effectively copying and distributing this copyrighted text. After all, the way authors get paid for all their hard work in creating a textbook and selling it as a PDF is not by having you give it away to others for free. It’s by you buying it, and they get a cut of that through royalties.

Now, it’s important to note that watermarks aren’t always visible. Sometimes they’re going to be hidden in the background. A forensic watermark is a digital watermark that’s hidden someplace in the file and can be validated by a piece of software. For example, some ebooks and PDFs will automatically embed your computer’s unique identifier, your IP address, or some other unique signature that identifies the person who created, owns, or licensed that PDF file. This would then allow the organization to prove they own the file for copyright purposes, or prove exactly who stole it and replicated those files.
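To make the “hidden, software-validated” property concrete, here is an added example (not code from the course or from Dion Training) of a forensic-style watermark: a licensee record is appended to a document behind a marker a viewer would not render, together with an HMAC tag keyed by the publisher and bound to the document’s own hash. The key, the marker, the sample document bytes, and the licensee details are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key; a publisher would keep this in an HSM or key vault.
PUBLISHER_KEY = b"constructed-demo-key-do-not-use"
# Hypothetical marker for the hidden record. In PDF syntax a line starting with
# '%' is a comment, so a viewer renders nothing for it.
MARKER = b"\n%% FWM:"

# Constructed stand-in for the textbook PDF bytes.
SAMPLE_DOCUMENT = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"


def make_license_record(name: str, license_id: str, date: str) -> dict:
    """The same three fields the visible 'Licensed for use only by' footer carries."""
    return {"name": name, "id": license_id, "date": date}


def embed_forensic_watermark(document: bytes, record: dict, key: bytes = PUBLISHER_KEY) -> bytes:
    """Append a hidden licensee record plus a keyed tag to the document.

    The tag covers a hash of the document as well as the record, so the record
    cannot be lifted off one file and pasted onto another, and it cannot be
    forged or edited without the publisher's key.
    """
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, hashlib.sha256(document).digest() + payload, hashlib.sha256).hexdigest()
    return document + MARKER + payload + b"|" + tag.encode() + b"\n"


def validate_forensic_watermark(marked: bytes, key: bytes = PUBLISHER_KEY):
    """Return the licensee record if the hidden watermark is present and genuine, else None."""
    idx = marked.rfind(MARKER)
    if idx < 0:
        return None                      # no watermark at all
    original = marked[:idx]
    trailer = marked[idx + len(MARKER):].rstrip(b"\n")
    payload, sep, tag = trailer.rpartition(b"|")
    if not sep:
        return None                      # marker present but record malformed
    expected = hmac.new(key, hashlib.sha256(original).digest() + payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag):
        return None                      # record edited, tag forged, or moved to another file
    return json.loads(payload)


if __name__ == "__main__":
    record = make_license_record("Jane Doe", "LIC-0001", "2023-02-12")
    marked = embed_forensic_watermark(SAMPLE_DOCUMENT, record)
    print("validated:", validate_forensic_watermark(marked))
    print("edited copy:", validate_forensic_watermark(marked.replace(b"Jane Doe", b"John Roe")))
```

The point the example makes is the validation side: because the tag is keyed, a copy whose licensee name has been edited fails validation, and because the tag also covers the document hash, the record cannot be transplanted onto a different file. Real forensic watermarks hide the record steganographically inside the content rather than in a trailing comment, but the keyed-validation property is the same.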

As you can see, there are many ways to use watermarks, both visible and invisible, to help you protect your intellectual property, especially when your product must be distributed digitally to your end user, such as a video file or an ebook. Second, we have DRM, or Digital Rights Management. Now, digital rights management is a technology that’s used to protect the copyrights associated with digital media, things like audio, video, and other digital files. DRM is focused on mitigating the risk of unauthorized copies being distributed without the copyright holder’s permission. Let’s pretend you work for a big movie studio and you’re about to spend a few hundred million dollars to make the latest blockbuster, something like a Marvel movie or the next Harry Potter.

If your studio is investing all that money to create that movie, you want to make sure you control when and how it’s released to the world. It is going to be in your best financial interest to be able to release that movie first in theaters, then on digital streaming services, and eventually on Blu-ray and DVD. At each of these releases, your studio has the opportunity to make back some of the hundreds of millions of dollars that it spent to create this two-hour masterpiece. And hopefully you’re going to turn a profit. Well, this is what DRM is all about.

It’s focused on providing technical mechanisms to ensure that copyright holders’ restrictions can be enforced on a piece of digital content. Digital rights management is usually going to be implemented as a hardware solution or a software solution. If DRM uses a hardware solution, this requires an authorized player to be able to decode the content and make it usable. For example, video game systems like PlayStation and Xbox have embedded hardware solutions to unlock the DRM that’s associated with the different game titles that they’re able to use and play. In the early days of DVDs, we had a similar thing, where each DVD was region coded and could only be played by a DVD player from that region.

For example, I used to travel a lot back in the early 2000s when DVDs were really popular. And if I bought a DVD while I was in South America or Europe or Japan, I couldn’t play it on my player back home because it was an American DVD player and it was locked to a different region. This was a form of DRM, and it was put in place due to the different prices, movies, and features that are released to different areas of the world at different times. Now, if the DRM uses a software solution, this is going to require a specific type of software player to decode the DRM and allow the file to be played. For example, when I was in college, I bought an ebook that required me to download a specific ebook app onto my iPad to open that file as part of its DRM protections. Similarly, if you buy a song from an online platform like Amazon Music or iTunes, it will usually have some form of DRM enabled on that MP3 or AAC file.

Third, we have network traffic decryption and deep packet inspection. Now, most network communications these days operate securely using encrypted tunnels. While this may seem like a great thing, it’s actually quite dangerous to the security of your enterprise architecture. What? Yeah. Really? That sounds kind of crazy, right? But it’s true. Let’s pretend I’m an insider threat working at your company. Now, I want to steal your data and send it out of your network. Well, the easiest way is probably for me to log in on a Web browser, sign into my Google Drive account, and start uploading those files. And the best part is, your systems can’t see me because I have an encrypted tunnel from my Web browser over to the Google server.

So even if you’re running a network-based DLP, an intrusion detection system, or an intrusion prevention system, you’re not going to see what I’m doing. And I’m going to send all your files, scrambled and encrypted, out past your sensors and over to Google. Now, do you see why I said encrypted tunnels can be dangerous? All right, so what can we do about this? Well, we can use network traffic decryption so that we can see into these SSL and TLS tunnels and then do inspection. Network traffic decryption is going to allow an organization to break open those encrypted traffic tunnels and inspect their content using deep packet inspection, whether by a DLP system, an IDS, an IPS, or other tools like that, before it re-encrypts that data and sends it on to the destination. Now, you may hear this called break and inspect, which is really the term I prefer, but many other people call it network traffic decryption, and they mean the same thing.

Now, for this to work, the network traffic decryption device is going to be configured to act as a proxy, almost like an on-path attack or a man-in-the-middle attack, but one that you control. Now, the end user’s web browser is going to first connect to your network traffic decryption device, and then this device connects to the destination server, such as Google Drive in my example. Now, the end user has a secure connection to the network decryption device, and the network decryption device has a secure connection over to Google Drive. As data passes from the end user over to Google Drive, it first stops at the network decryption device, it gets inspected, and then, if it passes inspection, it can be re-encrypted and sent over to the destination of Google Drive. But if we want to, we can actually stop the traffic there because they’re trying to send out files we don’t want them to. And that’s why this can be combined with a DLP system.

Technically, these network decryption devices can be configured as a proxy like I just described, or as a next-generation firewall, or as a device connected to a network tap for offline analysis and inspection. But for simplicity’s sake, I used the example of one functioning as a proxy because it is the most common technique that you’re going to use in an enterprise network. I also just mentioned the term deep packet inspection, or DPI, when I described this process. Now, deep packet inspection is a method of examining the content of the data packets as they pass by a checkpoint on the network. This can be performed by the network decryption device, a firewall, an IDS, an IPS, a DLP, or any other sensor you want. For the purposes of this discussion, it really doesn’t matter which one we’re talking about.
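What happens between the “decrypt” and “re-encrypt” steps on the proxy is the part worth seeing in code. The following is an added example, not code from the course or from any proxy vendor: it takes an HTTP request as the break-and-inspect device would see it after TLS termination, runs a couple of constructed DLP patterns over the upload body, and returns a forward-or-block verdict. The host names, the allow list, and the sample requests are all constructed for the demo.

```python
import re
from dataclasses import dataclass, field

# Constructed DLP patterns that a break-and-inspect device might apply to the
# decrypted request body. Real deployments use vendor signatures and tuned rules.
DLP_RULES = {
    "us_ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "classification_marking": re.compile(rb"COMPANY CONFIDENTIAL", re.IGNORECASE),
}

# Constructed allow list: internal file-share hosts where sensitive uploads are expected.
ALLOWED_UPLOAD_HOSTS = {"share.corp.example"}


@dataclass
class Verdict:
    action: str                 # "forward" (re-encrypt and send on) or "block"
    host: str
    reasons: list = field(default_factory=list)


def parse_http_request(raw: bytes):
    """Split a decrypted HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_decrypted_request(raw: bytes) -> Verdict:
    """The inspection step that sits between decrypt and re-encrypt on the proxy."""
    method, _path, headers, body = parse_http_request(raw)
    host = headers.get(b"host", b"").decode(errors="replace")
    reasons = []
    if method in (b"POST", b"PUT") and body:
        for name, pattern in DLP_RULES.items():
            if pattern.search(body):
                reasons.append(f"{name} found in upload body")
    # Sensitive content going to an approved internal share is forwarded;
    # the same content headed anywhere else is blocked at the proxy.
    if reasons and host not in ALLOWED_UPLOAD_HOSTS:
        return Verdict("block", host, reasons)
    return Verdict("forward", host, reasons)


# Constructed sample requests, as the proxy would see them after TLS termination.
UPLOAD_TO_EXTERNAL = (
    b"POST /upload/v1/files HTTP/1.1\r\n"
    b"Host: drive.example.net\r\n"            # stand-in for a personal cloud drive
    b"Content-Type: text/plain\r\n\r\n"
    b"COMPANY CONFIDENTIAL\nEmployee SSN: 123-45-6789\n"
)
UPLOAD_TO_INTERNAL = UPLOAD_TO_EXTERNAL.replace(b"drive.example.net", b"share.corp.example")
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: drive.example.net\r\n\r\n"

if __name__ == "__main__":
    for sample in (UPLOAD_TO_EXTERNAL, UPLOAD_TO_INTERNAL, PLAIN_GET):
        print(inspect_decrypted_request(sample))
```

Two practical caveats follow from the proxy model itself: the inspection can only happen because the user’s browser trusts the proxy’s certificate authority for its own leg of the connection, so that CA has to be deployed to the endpoints, and applications that pin their server certificate will refuse the proxy’s certificate and either fail or need to be exempted from inspection.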

It’s just more important right now to think about the fact that this data stream can be stopped, decrypted, inspected by one or more sensors, and then encrypted again before being sent on to its destination. Fourth, we have network traffic analysis. Now, network traffic analysis is a method of monitoring the data flows on a network to identify patterns or abnormalities. Network traffic analysis can be used to intercept and examine messages in order to determine information about the communications based on the patterns being observed, even if the messages themselves are encrypted. By using traffic analysis, we can highlight trends and patterns in the traffic that’s being generated and use visualization tools to quickly create a map of different network connections and the flow patterns we’re seeing.

By identifying different traffic patterns, we’re going to be able to uncover bad behavior, malware in transit, tunneling, or other data exfiltration. For example, consider the following graph created by the MRTG tool. What is useful about this graph that might help us as we attempt to defend our enterprise networks? First, you’re going to see some patterns emerging. For instance, in the top graph for the router firewall, where do you see a big spike in traffic? You can see that there is a big spike in traffic between 2:00 a.m. and 4:00 a.m. Now, the question is, would this be considered normal or abnormal? From this graph alone, we really don’t know.

But if this was your enterprise network, you should know what your typical usage patterns are. As an outside consultant seeing this on your graph, I’m going to be immediately worried that somebody is trying to take things out of your network, because I see a large amount of data leaving your network during this time period, much more than I see at any other hour of the day. But maybe this is normal for your network. It could be that the big spike I’m seeing between 2:00 a.m. and 4:00 a.m. is because your office is doing off-site backups during that time to get everything outside of peak demand hours for your organization. That would be a reasonable explanation.

But if you aren’t doing off-site backups during that time, what else could this be? Well, again, as an outsider looking in, I would suspect that maybe your server has been infected with malware or your network has an APT on it. This malware or the APT actor might be exfiltrating your data out of the network between 2:00 a.m. and 4:00 a.m. because they’re hoping your administrators and analysts are all at home, cozy in their beds, and not looking for those large spikes in network traffic leaving your network during that time. As I said, just looking at this graph, we really don’t know the whole story, but it does tell us this is something we need to investigate further by using network traffic analysis and talking with our system administrators and our other security personnel.
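The reasoning above, spike first and explanation second, is what a simple traffic-analysis check automates. Here is an added example (not code from the course or from MRTG) that takes one day of hourly outbound volume from the router/firewall link, computes a robust baseline, flags the hours that stand far above it, and labels each spike “expected” if the administrators have declared a bulk-transfer window for that hour, or “investigate” otherwise. The hourly byte counts are constructed to show a 2:00 to 4:00 a.m. spike like the one discussed.

```python
from statistics import median

# Constructed hourly outbound volume (MB) for one day on the router/firewall link,
# index = hour of day, in the spirit of an MRTG daily graph. Hours 2 and 3 carry
# the kind of early-morning spike discussed above.
OUTBOUND_MB_BY_HOUR = [
    12, 10, 380, 410, 15, 11, 14, 40, 95, 110, 120, 115,
    105, 118, 122, 117, 98, 70, 35, 22, 18, 15, 13, 12,
]


def robust_baseline(samples):
    """Median and median absolute deviation: a single spike does not drag these up
    the way a mean and standard deviation would."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples) or 1.0
    return med, mad


def find_outbound_spikes(hourly, known_windows=frozenset(), threshold=6.0):
    """Flag hours whose outbound volume is far above the day's robust baseline.

    known_windows: hours where bulk transfers are expected (e.g. an off-site backup
    window agreed with the system administrators). Spikes there are reported but
    labelled 'expected'; anything else is labelled 'investigate'.
    """
    med, mad = robust_baseline(hourly)
    findings = []
    for hour, mb in enumerate(hourly):
        score = (mb - med) / mad
        if score > threshold:
            findings.append({
                "hour": hour,
                "mb": mb,
                "score": round(score, 1),
                "action": "expected" if hour in known_windows else "investigate",
            })
    return findings


if __name__ == "__main__":
    print("no backup window known:", find_outbound_spikes(OUTBOUND_MB_BY_HOUR))
    print("backups run 02:00-04:00:", find_outbound_spikes(OUTBOUND_MB_BY_HOUR, known_windows={2, 3}))
```

With no declared window, hours 2 and 3 come back as “investigate”; declare `{2, 3}` as the backup window and the same two hours come back as “expected”, which is exactly the conversation with the system administrators that the graph alone cannot settle. In a real deployment you would baseline each hour of the day against the same hour on previous days rather than against a single day, so that normal business-hours volume and normal overnight volume are judged separately.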

10. Auditing Files (OBJ 1.4)

I’m going to show you how to configure auditing inside Windows as well as how to audit your files. Let’s jump into the environment and get started. So now that we’re in the lab environment, let’s take a look inside our Local Group Policy Editor. Underneath Local Computer Policy, and then underneath Computer Configuration, we have our Windows Settings, our Security Settings, and finally our Audit Policy, as shown here. Under your audit policy, you have several different events, and this is going to allow you to decide what is going to be audited and what isn’t. For example, do you want to audit your logon events? Well, right now there is no auditing enabled for that.

So if we double-click that, we can then log, or audit, the successes and failures of those logon attempts. So I’m going to go ahead and apply that and hit OK. As another example, you might want to audit object access. This would be things like files and folders. I’m going to go ahead and hit Success and Failure on this. And if you’re ever wondering what something does, just click on the Explain tab and it will show you. We can do the same thing for auditing privilege use, any time somebody logs in as an admin or uses Run As as an admin. So we can go ahead and enable that auditing as well. And you can do this for all sorts of different things inside of your policies. Now, in addition to that, we want to look at how we can audit our files and the access to those.

So I’m going to show you that here as I configure my ShareDrive folder. First, I’m going to go ahead and minimize this Group Policy Editor. And here you can see under my C drive I have a ShareDrive folder. I’m going to right-click on that folder and hit Properties. From here we can click on the Security tab. And underneath the Security tab we’re going to click on the Advanced button. From the Advanced dialog we’re going to click on Auditing. And this is where you can configure it to audit the files and the folders. So to add those auditing entries, we’re simply going to click the Add button, and just like permissions, this is going to inherit downward throughout the rest of the folder structure.

Now, from here you’d be able to change which principal it is. So if I select a principal, let’s say I am going to go ahead and make it the Jason adm account, which is the account I’m on right now. Or I could put in a group, however you want to set that up. Now, any time that Jason adm has a success that applies to this folder, its subfolders, or its files, we want to be able to log that and audit that. And that’s what we’re going to be able to do right here. And so next we’ll hit OK. And now you can see that any time Jason adm successfully does a read or an execute on this folder, its subfolders, or any files underneath it, it is going to be logged. This is going to tell me any time that happens. That’s the benefit of doing this logging and this auditing.

So that’s the basics of how to set up auditing on a file or folder. You can use this to be able to log any time a certain user or a group of users logs in or touches some sort of files or folders, whether they’re reading them, executing them, or modifying them. Now, why would you use this? Well, maybe you have some regulatory requirements. Maybe you’re a healthcare provider and you fall under HIPAA, and you need to know exactly who touches each and every person’s confidential health data. And so if you have a nurse who logs in, this would keep track of the fact that nurse A touched this file on this date at this time, and that is one of the ways you can use auditing.

Now, also, you can do this if you have a suspected insider threat. Maybe I really think Jason is a bad guy, and so I want to see everything that Jason touches. I can set up these audit trails to log an alert every time Jason tries to touch something, and that way I can keep that information and go back later and use it to build my case against him. You can do a lot of different things with auditing, but it is a mainstay of security. And so you have to figure out exactly what you need to audit, how much you need to audit, and where you need to audit.
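Once the audit policy and the folder SACL from the steps above are in place, the events land in the Windows Security log, and the HIPAA question (“who touched this record, and when?”) and the insider-threat question (“what did this account touch?”) are both answered by reading them back. The following is an added example, not code from the course or from Microsoft: it parses a constructed, simplified set of logon (4624) and object-access (4663) records and produces both reports. The account names, the `C:\ShareDrive` path, and the access names are constructed; real 4663 events are EVTX/XML with richer fields.

```python
from collections import defaultdict

# Constructed sample records modelled loosely on the fields of Windows Security
# events 4624 (an account was logged on) and 4663 (an attempt was made to access
# an object). Real events are EVTX/XML; here each record is one pipe-delimited line:
#   timestamp|event_id|account|detail...
SAMPLE_EVENTS = """\
2023-02-12T02:10:04|4624|jason_adm|LogonType=2
2023-02-12T02:11:30|4663|jason_adm|C:\\ShareDrive\\HR\\salaries.xlsx|ReadData
2023-02-12T02:11:41|4663|jason_adm|C:\\ShareDrive\\HR\\salaries.xlsx|WriteData
2023-02-12T09:03:12|4624|nurse_a|LogonType=2
2023-02-12T09:05:55|4663|nurse_a|C:\\ShareDrive\\Patients\\record-1042.pdf|ReadData
2023-02-12T09:30:02|4663|nurse_a|C:\\ShareDrive\\Patients\\record-1042.pdf|ReadData
2023-02-12T09:31:10|4663|nurse_a|C:\\Windows\\Temp\\scratch.tmp|WriteData
"""

# Constructed: the folder the auditing entry was set on, inherited downward.
AUDITED_ROOT = "C:\\ShareDrive"


def parse_events(text):
    """Turn the pipe-delimited records into dicts keyed by the fields we need."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        ev = {"time": fields[0], "id": int(fields[1]), "account": fields[2]}
        if ev["id"] == 4663:
            ev["object"], ev["access"] = fields[3], fields[4]
        else:
            ev["detail"] = fields[3]
        events.append(ev)
    return events


def in_audited_tree(path, root=AUDITED_ROOT):
    """Windows paths are case-insensitive; match the audited folder and anything below it."""
    p, r = path.lower(), root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")


def access_report(events, root=AUDITED_ROOT):
    """account -> object -> access type -> count, limited to the audited folder tree."""
    report = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for ev in events:
        if ev["id"] == 4663 and in_audited_tree(ev["object"], root):
            report[ev["account"]][ev["object"]][ev["access"]] += 1
    return report


def access_trail(events, account, root=AUDITED_ROOT):
    """Chronological (time, object, access) list for one account: the audit trail
    you would pull for a compliance question or an insider-threat review."""
    return sorted(
        (ev["time"], ev["object"], ev["access"])
        for ev in events
        if ev["id"] == 4663 and ev["account"] == account and in_audited_tree(ev["object"], root)
    )


def logon_times(events, account):
    """Logon events for the account, to line up with its file activity."""
    return [ev["time"] for ev in events if ev["id"] == 4624 and ev["account"] == account]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for account, objects in access_report(evs).items():
        for obj, accesses in objects.items():
            print(account, obj, dict(accesses))
    print("jason_adm logons:", logon_times(evs, "jason_adm"))
    print("jason_adm trail:", access_trail(evs, "jason_adm"))
```

Note that the scratch file under `C:\Windows\Temp` is dropped from the report: the SACL was set on the share folder only, so events outside that tree are not part of the audit question, and auditing everything everywhere would drown the log. That is the “how much and where to audit” trade-off the lesson ends on.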
