Detecting Confidential Data in Motion
Many organizations want to ensure that confidential data does not leave the network. Tenable Nessus Network Monitor can aid in this by looking at binary patterns within observed network traffic. If critical documents or data can be tagged with a binary string, such as an MD5 checksum, Tenable Nessus Network Monitor can detect these files being passed outside the network. For example:
Create a document that has a binary string of:
0xde1d7f362734c4d71ecc93a23bb5dd4c and 0x747f029fbf8f7e0ade2a6198560c3278
A Tenable Nessus Network Monitor plugin can then be created to look for this pattern as follows:
id=79580
trigger-dependency
dependency=2004
dependency=2005
hs_dport=25
description=POLICY - Confidential data passed outside the corporate network. The Confidential file don'tshare.doc was just observed leaving the network via email.
name=Confidential file misuse
family=Generic
clientissue
risk=HIGH
bmatch=de1d7f362734c4d71ecc93a23bb5dd4c
bmatch=747f029fbf8f7e0ade2a6198560c3278
These binary patterns were created by simply generating MD5 hashes of the following strings:
"Copyright 2006 BigCorp, file: don'tshare.doc"
"file: don'tshare.doc"
The security compliance group maintains the mapping from each confidential file to its MD5 hash. The MD5 hash is embedded in the binary file as a binary string, so the file can be tracked as it traverses the network.
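As an added example (not Tenable's code), the Python below derives bmatch values from watermark strings, renders a plugin in the key=value layout shown above, embeds the digest in a document, and emulates the match over a captured payload. It assumes that bmatch compares raw digest bytes (not hex text) and that every bmatch line in a plugin must match, as in the two-line plugin above; plugin IDs and the sample payloads are constructed.

```python
import hashlib

# Constructed mapping kept by the compliance group: file name -> watermark strings.
# The two strings are the ones the page hashes; the dict itself is illustrative.
WATERMARKS = {
    "don'tshare.doc": ["Copyright 2006 BigCorp, file: don'tshare.doc",
                       "file: don'tshare.doc"],
}

def watermark_digests(strings):
    """MD5 hex digest of each watermark string (the value of a bmatch= line)."""
    return [hashlib.md5(s.encode()).hexdigest() for s in strings]

def plugin_text(plugin_id, filename, digests, dport=25):
    """Render a plugin in the layout used on the page (plugin_id is a placeholder)."""
    lines = [f"id={plugin_id}", "trigger-dependency", "dependency=2004",
             "dependency=2005", f"hs_dport={dport}",
             "description=POLICY - Confidential data passed outside the corporate "
             f"network. The confidential file {filename} was just observed leaving "
             "the network via email.",
             "name=Confidential file misuse", "family=Generic", "clientissue",
             "risk=HIGH"]
    lines += [f"bmatch={d}" for d in digests]
    return "\n".join(lines) + "\n"

def embed(document: bytes, digests) -> bytes:
    """Append the raw 16-byte digests to a document so the tag travels with it.
    Assumption: bmatch matches these raw bytes, not the 32-char hex string."""
    return document + b"".join(bytes.fromhex(d) for d in digests)

def scan(payload: bytes):
    """Emulate the plugin over a captured payload: a file is reported only when
    all of its bmatch patterns (assumed to be ANDed) occur in the payload."""
    hits = []
    for filename, strings in WATERMARKS.items():
        raw = [bytes.fromhex(d) for d in watermark_digests(strings)]
        if all(r in payload for r in raw):
            hits.append(filename)
    return hits
```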
Similar checks can be performed against ASCII strings to detect, for example, if confidential data was cut-and-pasted into an email. Simply create text watermarks that appear benign to the casual observer and map to a specific file name. For example:
"Reference data at \\192.168.0.2\c$\shares\employmentfiles for HR data regarding Jane Mcintyre" could be a string which maps to a file named Finances.xls.
A Tenable Nessus Network Monitor plugin can look for the string as follows:
id=79581
trigger-dependency
dependency=2004
dependency=2005
hs_dport=25
description=POLICY - Confidential data passed outside the corporate network. Data from the confidential file Finances.xls was just observed leaving the network via email.
name=Confidential file misuse
family=Generic
clientissue
risk=HIGH
match=Reference data at
match=192.168.0.2\c$\shares\employmentfiles
match=for HR data regarding Jane Mcintyre
The two example plugins above (IDs 79580 and 79581) detect files leaving the network via email. Most corporations have a list of ports that are allowed outbound access. SMTP is typically one of these ports. Other ports may include FTP, Messenger client ports (for example, AIM, Yahoo and ICQ), or peer-to-peer (for example, GNUTELLA and BitTorrent). Depending on your specific network policy, you may wish to clone plugins 79580 and 79581 to detect these strings on other outbound protocols.