File hosting services and their data leakage risks, Part II

Over the past few months I have looked at a range of file hosting services. While using these services, I have been monitoring the network traffic as I upload and download files. So far I have found that most of the popular file hosting services use encryption for sending and receiving data. That's both good and bad news for data protection. It's good news from the point of view of not having passwords sent in clear text, or data sent using insecure protocols like FTP. However, it introduces challenges when it comes to detecting users accessing these services.

In the first part of this blog article, I focused on the issues file hosting services pose for networks which host sensitive data. This second article discusses the methods you can use to detect their presence on your network.

If it's encrypted, then I cannot monitor users, right?

It is true that full analysis cannot be done on encrypted traffic unless some sort of in-line device is used to hold the encryption keys and re-establish the connections. However, you can still detect and monitor the activity with the right sort of monitoring tools. There are three types of data that you need to focus on:

  1. Website usage analysis. Both direct and proxy based.
  2. Traffic analysis of all traffic in and out of the Internet gateway.
  3. File-share traffic between clients and the local file-share servers.

To get this data there are also a number of options, from enabling auditing on servers to installing agents on clients and servers. Personally, I prefer to deploy a traffic analysis tool capable of DPI (deep packet inspection), and monitor the Internet gateway(s) and the traffic to and from the main file-share servers. If you don't have something like this available, then you should start to look at your firewall and work back, making sure you have auditing enabled at each step back to the users, or endpoints, on your network. For example, on most networks you could follow these steps:

  1. Before you do anything, document what IP address ranges you use on your network. This information is crucial for understanding what is inside and outside of your network perimeter.
  2. Check firewall logs for inbound and outbound connections, making sure no 'holes' exist which could be used to transfer data. Being aware of your local subnets makes this task easier. Some applications will 'sniff' out open firewall ports.
  3. Review the proxy logs, or use your traffic analysis system to decode the traffic between the clients and the proxy server. Ideally you should be capturing URL (www.website.com) and URI (/news/latest.html) information. You then need to search for URLs associated with the popular file hosting services. Also check for users accessing anonymisers; a search for URLs containing the words 'anony' or 'hide' should give you a good starting point.
  4. Look at options for auditing your file server usage. Just be careful with options to enable auditing on file shares, as it can result in large numbers of events being generated. Some traffic analysis systems can also give you this info without the need to switch on auditing. You can then cross-reference the file server activity with any instances of users accessing a file hosting service: just match up the times of the web and file server auditing.
  5. Make sure you have auditing enabled on your domain logon servers. Specifically, you need to be watching out for user logon and logoff events. Without usernames you may end up with only IP addresses in reports, and in DHCP environments this may not be enough information to track activity back to who is responsible.
  6. Watch out for anomalies in user network traffic. Somebody suddenly downloading 1GB of data from the network servers to their PC or laptop late in the evening can be a sign of data being synchronised just before they head home. A few months ago I spoke to a network manager who detected an employee attempting to bring sensitive data with them to a new job. They spotted it because they had a network monitoring tool which constantly reported who the top users on the network were. This employee came out of nowhere to be top of the list on a Friday afternoon.
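Steps 3 to 5 above, as an added example that is not part of the original article: a small Python script that parses proxy log lines (Squid native format, sample lines constructed here), flags requests to a placeholder watch list of file hosting hosts and to URLs containing 'anony' or 'hide', and cross-references each hit with constructed file-server audit events for the same user within a time window. The host names, users, share paths and the ten-minute window are all assumptions to be replaced with your own.

```python
# Constructed sample proxy log (Squid native format):
# timestamp elapsed client code/status bytes method URL user hierarchy type
# The CONNECT line is what an encrypted (HTTPS) session looks like to the proxy:
# only the host and port are visible, but that is enough to flag the service.
PROXY_LOG = """\
1305000000.123 210 10.0.1.25 TCP_MISS/200 5120 GET http://intranet.corp.test/news/latest.html jsmith HIER_DIRECT/10.0.2.5 text/html
1305000120.456 950 10.0.1.25 TCP_TUNNEL/200 734000 CONNECT files.example-host.test:443 jsmith HIER_DIRECT/203.0.113.5 -
1305000300.789 120 10.0.1.40 TCP_MISS/200 2048 GET http://www.hidemyip.test/browse.php bdoe HIER_DIRECT/203.0.113.9 text/html
"""

# Assumption: placeholder watch list; fill in the hosts of the services you care about.
FILE_HOSTING_HOSTS = {"files.example-host.test"}
ANONYMISER_KEYWORDS = ("anony", "hide")

# Constructed file-server audit events: (epoch seconds, user, share path, bytes read).
FILE_SERVER_EVENTS = [
    (1305000050, "jsmith", r"\\fs01\finance\q1-forecast.xlsx", 650000),
    (1305003600, "bdoe", r"\\fs01\public\lunch-menu.pdf", 20000),
]


def parse_proxy_line(line):
    """Split one Squid native log line into the fields the checks need."""
    f = line.split()
    url = f[6]
    # Strip scheme, path and port so CONNECT host:port and full URLs compare alike.
    host = url.split("://")[-1].split("/")[0].split(":")[0].lower()
    return {"ts": float(f[0]), "client": f[2], "bytes": int(f[4]),
            "method": f[5], "url": url, "host": host, "user": f[7]}


def classify(rec):
    """Label a request as file-hosting, anonymiser, or None if neither."""
    if rec["host"] in FILE_HOSTING_HOSTS:
        return "file-hosting"
    if any(k in rec["url"].lower() for k in ANONYMISER_KEYWORDS):
        return "anonymiser"
    return None


def find_suspicious(log_text):
    """Return the parsed records that match either check, with their label."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_proxy_line(line)
            label = classify(rec)
            if label:
                rec["label"] = label
                hits.append(rec)
    return hits


def correlate(hits, fs_events, window_s=600):
    """Pair each hit with file-server reads by the same user within window_s seconds."""
    return [(h["user"], path, h["host"], h["label"])
            for h in hits
            for ts, user, path, _nbytes in fs_events
            if user == h["user"] and abs(h["ts"] - ts) <= window_s]
```

Run against real logs, the usernames come from proxy authentication (the eighth field); if your proxy does not authenticate users, join on the client IP and your DHCP or logon audit records instead, as step 5 describes.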

Summary

  • As I mentioned in my previous blog post, I am finding that the use of file sharing sites is on the increase.
  • If users are allowed to access these sites, they present a serious security hole for uploading and downloading sensitive data.
  • If you do block access, don't assume users cannot access them. They may use external proxies or anonymizers. I also heard of users using mobile broadband at work to access the blocked sites.
  • If you don't have something in place already, plan to get a traffic analysis system to monitor the core of your network. This will allow you to monitor the file servers and Internet gateways. Alternatively, enable logging on your firewall and proxy servers and review these regularly.
  • The network protocols may be encrypted between the clients and the online service, but you can still detect the traffic with a decent traffic analysis system.
  • The network protocols between the clients and the file shares may not be encrypted, so you will get a good idea as to what is going on by monitoring this data.

Darragh

Darragh Delaney is head of technical services at NetFort Technologies. As Director of Technical Services and Customer Support, he interacts on a daily basis with NetFort customers and is responsible for the delivery of a high quality technical and customer support service.

Copyright © 2011 IDG Communications, Inc.
