Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

7/13/2012
05:32 PM
50%
50%

Data Loss Prevention: What's The Use?

Why deploy data loss prevention technologies if there are ways to circumvent the system?

For years I’ve heard arguments as to why data loss prevention (DLP) tools can’t prevent all incidents of sensitive data leakage. These arguments have been delivered by a variety of customers, analysts, vendors, and just about anyone who likes to take a contrarian view, even if only to stoke the fires of debate.

After the new article "Stealing Documents Through Social Media Image-Sharing" gets a bit of circulation, I'm sure to start hearing this new argument as additional proof of why DLP technologies won't work. The article references SNScat, a newly developed software tool that proves it is possible to exfiltrate sensitive data using steganography, a method of making data appear to be something else, so only the intended recipient is aware of the hidden data. The developers explain that SNScat breaks the subject data into pieces that are, in turn, embedded into the data of image files and uploaded to social media sites. The intended recipient then downloads the image files, uses SNScat to reconstruct the subject data, and voila! The whole effort results in the acquisition of the subject data while leaving no trace of the theft.

The developers of this new tool are not interested in using their software for malicious purposes, of course. They are sharing their efforts with the hope that the marketplace will recognize the need to research and challenge this method of data theft.

Steganography is not new; the method has been around for hundreds of years, but the new twist is in leveraging social media sites as data mules for packing out the hidden data in the images. It's a logical and compelling approach that, unfortunately for data owners, appears to work as long as image sharing is available to end users. It has the potential to make malicious efforts of data exfiltration harder to detect -- and prevent.

With this new development, I expect to hear the DLP cynic's argument to go something like this: "What's the use of deploying data loss prevention technologies when a user can simply use SNScat [or insert any other method du jour here] to covertly steal sensitive data?" This flawed logic says that if a network security technology is not 100 percent effective, it's not worth the cost or effort to deploy.

I cringe every time I encounter this defeatist attitude, especially among information security professionals. If we all followed this same logic in other areas of network security, then we would never deploy any security technologies. We would mitigate exactly zero risk, leaving our networks -- and our sensitive data -- completely open to theft.

If we accept the fact (and we must) that there will always be some way to circumvent some security measures to steal sensitive data, then we must also accept our overarching objective as being the identification and mitigation of as much risk as possible.

As for protecting against the likes of SNScat, companies must weigh the risk associated with allowing users access to social media sites (as well as a long list of other sites) with the benefits. There is a simple solution: Restrict access to Facebook, Twitter, and YouTube to all but those who may need these services in the performance of their job duties. No doubt it will be an unpopular decision among employees and maybe even executives. But as we all know, desperate times call for desperate measures. Is the security of your organization's sensitive data more or less valuable than company morale?

I have visited companies where I was forced to surrender my camera phone and put electrical tape over my laptop webcam or surrender the device entirely. Thankfully for most of us, this is the exception and not the rule. One thing is certain: If a malicious insider is hell-bent on extracting confidential data from an organization, then there are certainly easier -- albeit less sophisticated and cool -- ways to do it than steganography.

Jared Thorkelson is founder and president of DLP Experts, a vendor-agnostic VAR and consulting practice focused exclusively on data protection. He can be reached at [email protected] Jared is president of DLP Experts, a value-added reseller dedicated exclusively to data loss prevention (DLP) and other data protection technologies and services. For over twenty years Jared has held executive level positions with technology firms, with the last six years ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
IoT Vulnerability Disclosure Platform Launched
Dark Reading Staff 10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15270
PUBLISHED: 2020-10-22
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not pa...
CVE-2018-21266
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2018-21267
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2020-27673
PUBLISHED: 2020-10-22
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
CVE-2020-27674
PUBLISHED: 2020-10-22
An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique.