Detecting Confidential Data in Motion

Many organizations want to ensure that confidential data does not leave the network. NNM can aid in this by looking for binary patterns within observed network traffic. If critical documents or data can be tagged with a binary string, such as an MD5 checksum, NNM can detect those files being passed outside the network. For example:

Create a document that has a binary string of:

0xde1d7f362734c4d71ecc93a23bb5dd4c and 0x747f029fbf8f7e0ade2a6198560c3278

An NNM plugin could then be created to look for this pattern as follows:

```
id=79580
trigger-dependency
dependency=2004
dependency=2005
hs_dport=25
description=POLICY - Confidential data passed outside the
corporate network. The Confidential file don'tshare.doc was
just observed leaving the network via email.
name=Confidential file misuse
family=Generic
clientissue
risk=HIGH
bmatch=de1d7f362734c4d71ecc93a23bb5dd4c
bmatch=747f029fbf8f7e0ade2a6198560c3278
```

These binary patterns were created by simply generating MD5 hashes of the following strings:

"Copyright 2006 BigCorp, file: don'tshare.doc"

"file: don'tshare.doc"

The security compliance group maintains the list of mappings (confidential file to MD5 hash). The MD5 hash can be embedded within the binary file, which can then be tracked as it traverses the network.

Similar checks can be performed against ASCII strings to detect, for example, if confidential data was cut-and-pasted into an email. Simply create text watermarks that appear benign to the casual observer and map to a specific file name. For example:

"Reference data at \\192.168.0.2\c$\shares\employmentfiles for HR data regarding Jane Mcintyre" could be a string which maps to a file named Finances.xls.

An NNM plugin could look for the string as follows:

```
id=79581
trigger-dependency
dependency=2004
dependency=2005
hs_dport=25
description=POLICY - Confidential data passed outside the
corporate network. Data from the confidential file Finances.xls was just
observed leaving the network via email.
name=Confidential file misuse
family=Generic
clientissue
risk=HIGH
match=Reference data at
match=192.168.0.2\c$\shares\employmentfiles
match=for HR data regarding Jane Mcintyre
```

The two example plugins above (IDs 79580 and 79581) detect files leaving the network via email. Most corporations have a list of ports that are allowed outbound access, and SMTP is typically one of them. Other allowed ports may include FTP, instant messenger client ports (e.g., AIM, Yahoo and ICQ), or peer-to-peer protocols (e.g., Gnutella and BitTorrent). Depending on your specific network policy, you may wish to clone plugins 79580 and 79581 to detect these strings on other outbound protocols.
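The following is an added example, not Tenable's code or a real NNM plugin, that models what the bmatch plugin (79580) and the match plugin (79581) above do: it derives an MD5 watermark from a label, parses the key=value plugin lines shown on this page, and checks whether a constructed SMTP payload on the plugin's port contains every pattern. It assumes that a bmatch hex value is compared against raw bytes in the stream, that match values are compared as ASCII, and that all bmatch/match lines must hit for the plugin to fire; the watermark labels, hashes and SMTP data are constructed for the example.

```python
import hashlib


def watermark(label: str) -> str:
    """MD5 of a watermark label, hex-encoded: the value used in a bmatch= line."""
    return hashlib.md5(label.encode()).hexdigest()


def parse_plugin(text: str) -> dict:
    """Parse the key=value lines of a plugin definition in the format shown on this page.
    bmatch values are decoded from hex into raw bytes, match values are kept as ASCII bytes.
    Keyword-only lines (trigger-dependency, clientissue) and wrapped description text are skipped."""
    plugin = {"bmatch": [], "match": []}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "bmatch":
            plugin["bmatch"].append(bytes.fromhex(value))
        elif key == "match":
            plugin["match"].append(value.encode())
        else:
            plugin[key] = value
    return plugin


def plugin_fires(plugin: dict, dport: int, payload: bytes) -> bool:
    """True when the traffic is on the plugin's hs_dport and every bmatch and match
    pattern appears somewhere in the payload (a partial hit does not fire)."""
    if "hs_dport" in plugin and int(plugin["hs_dport"]) != dport:
        return False
    return all(p in payload for p in plugin["bmatch"] + plugin["match"])


# Watermark labels from the page; the hashes are computed here rather than copied.
LABELS = ["Copyright 2006 BigCorp, file: don'tshare.doc", "file: don'tshare.doc"]
PLUGIN = parse_plugin(
    "id=79580\nhs_dport=25\nrisk=HIGH\n"
    + "".join(f"bmatch={watermark(label)}\n" for label in LABELS)
)

# Constructed SMTP DATA segment carrying a document with the raw hash bytes embedded.
TAGGED_DOC = b"<constructed doc header>" + b"".join(
    bytes.fromhex(watermark(label)) for label in LABELS) + b"<document body>"
LEAKED = b"MAIL FROM:<bob@bigcorp.example>\r\nDATA\r\n" + TAGGED_DOC
CLEAN = b"MAIL FROM:<bob@bigcorp.example>\r\nDATA\r\nquarterly newsletter\r\n"

if __name__ == "__main__":
    print("leak detected:", plugin_fires(PLUGIN, 25, LEAKED))  # True
    print("clean mail:", plugin_fires(PLUGIN, 25, CLEAN))      # False
```

Note that an attachment sent with a base64 Content-Transfer-Encoding no longer carries the raw hash bytes on the wire, so a byte-level pattern only hits if the sensor decodes that encoding first; confirm how your sensor handles encoded attachments before relying on bmatch alone.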

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.