Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2011-10-21 InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Critical Control 15: Data Loss Prevention

Published: 2011-10-21
Last Updated: 2011-10-21 20:46:47 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
0 comment(s)

Ever wondered if events like wikileaks are pertaining only to government agencies or large companies? Information is a precious commodity. Many institutions regardless of its size have information of interest to many people and those people are willing to pay large sums of money for it or even make major criminal acts to get it.

How can anybody  get access to information in an unauthorized manner? There are attackers at all times seek to exploit the vulnerabilities of information systems, but there are also users that, once they have been authorized to access a specific information asset, may have unrestricted access to the information and carry out actions such as copy and steal through removable storage media, email, dropbox, among others.

This means it is necessary to place a type of controls that allow the user has been authorized to access the information to manipulate it in the terms allowed by the information asset classification. This is known as Data Loss Prevention (DLP). Under what criteria can we classify information? We can use the classic: Confidentiality, integrity and availability, and can also add other important as traceability and non-repudiation. Traceability is the property of information that helps determine the operations performed on it at all times and non-repudiation is the feature that ensures that a transaction has been for the person whose user ID made ​​and no other. Depending of the classification on each variable, the operations allowed to the information asset can be defined as read only, e-mail transmission, shared resource copy, among many others.

 Data Loss Prevention Software allows monitoring of the following:

  • Data in motion: When you have a network security perimeter in place, just before traffic reaches the firewall you can put the DLP device to monitor incoming and outgoing traffic and then realize which users are violating information security rules by performing unauthorized transmission of information assets.
  • Data at rest: Information Assets are stored into servers located inside datacenters. DLP software can be installed into servers to learn about sensitive information stored in unsecure locations as open windows shares and unencrypted storage devices. 
  • Data in use: DLP software can be installed in endpoint devices to control the transmission of information assets like instant messaging,  desktop e-mail clients and web transmissions.

DLP implementations are very challenging because of information identification. If information is not correctly identified, false positives arises and can be very painful as they can stop the information flow inside the whole company. That is why you should perform several accuracy tests with the information asset classification and solve problems before deploying.

Please keep in mind that business needs are first and needs to be satisfied. You cannot implement controls that will make the company operation slow and painful. Check the control 15 implementation tips for more information.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org

0 comment(s)
ISC StormCast for Friday, October 21st 2011

JBoss Worm

Published: 2011-10-21
Last Updated: 2011-10-21 02:06:15 UTC
by Johannes Ullrich (Version: 2)
2 comment(s)

A worm is making the round infecting JBoss application servers. JBoss is an open source Java based application server and it is currently maintained by RedHat. 

The worm exploits and older configuration problem in JBoss, which only authenticated GET and POST requests. It was possible to use other methods to execute arbitrary code without authentication. The problem has been fixed last year, but there are apparently still a number of vulnerable installs out there.

If you do run JBoss, please make sure to read the instructions posted by RedHat here:

Analysis of the worm: 


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: jboss
2 comment(s)

New Flash Click Jacking Exploit

Published: 2011-10-21
Last Updated: 2011-10-21 02:03:13 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Feross Aboukhadijeh posted a blog post about a vulnerability in Flash that allows for a click jacking attack to turn on the clients camera and microphone. The attack is conceptually similar to the original click jacking attack presented in 2008. Back then Flash adjusted the control panel. 

The original attack "framed" the entire Flash control page. To prevent the attack, Adobe added frame busting code to the settings page. Feross' attack doesn't frame the entire page, but instead includes just the SWF file used to adjust the settings, bypassing the frame busting javascript in the process. 

Update: Adobe fixed the problem. The fix does not require any patches for client side code. Instead, adobe modified the control page and applet that users load from Adobe's servers. 

Details from Adobe:


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: clickjacking flash
0 comment(s)
Diary Archives