BROOKLYN, NEW YORK — Companies and other enterprises that use data loss prevention (DLP) software to prevent data breaches may actually make themselves more vulnerable to attack, two researchers said today (July 17) at the Summercon 2015 hacker conference here.
That's because many DLP products have easily exploitable security holes, Kelly Lum of Tumblr and Zach Lanier of Accuvant explained. Because DLP software often runs with high system privileges, those security flaws can lead to successful attacks on other applications or on the operating system itself.
In fact, the researchers argued, since DLP software is far from foolproof, and a smart computer user will know how to evade it, it might be best not to run it at all.
DLP software is meant to stop sensitive or valuable data from leaving a company network through email messages, file sharing, copying to portable hard drives or other means. It generally consists of several components — one part may live on a network appliance or on a server, filtering data, while another may silently run on each endpoint, or user PC.
Generally, Lanier said, DLP software is meant to "keep honest people from doing dumb things." Lum explained that a typical DLP product would inspect certain file types, such as Word documents or Excel files, or watch for predictable forms, such as the signature structures of Social Security numbers or credit-card numbers.
DLP detection gets a lot more sophisticated than that, but the DLP software's own security can be rather primitive. In their evaluations of DLP products from CoSoSys, DeviceLock, GTB, MyDLP, OpenDLP, Sophos, Trend Micro and Websense, Lum and Lanier found instances of basic security flaws in six of the eight products.
The vulnerabilities included unencrypted communications, which anyone on the network path could read; unauthenticated commands and accounts that anyone could execute or access; cross-site request forgery (CSRF), which lets a malicious web page make a logged-in user's browser send unwanted requests to the product's server; and cross-site scripting (XSS), which lets attacker-supplied script run in other users' browsers in the context of the product's web interface.
Lanier and Lum praised the DLP products from Sophos, which had "pretty much nothing" wrong, and DeviceLock, which was "probably the most sophisticated of all those we reviewed."
But they noted that another product was very unstable despite having no XSS or CSRF flaws, and, as Lum put it, "crashes harder than [a certain hard-partying young actress] after a 4-gram bender."
And a different DLP product allowed command injections, unauthenticated database scripts and unauthenticated root-level commands. Perhaps most interestingly, Lanier and Lum said that software had a support account that secretly gave privileged access to a server in the Ukraine.
The upshot, Lanier and Lum said, is that DLP software is often useless at best. Sneaking data past DLP monitoring is not hard: Most products can't monitor all file formats, and any user who has administrative access on his or her workplace PC can just turn the DLP software off. And when a DLP product has its own security flaws, it only makes things worse.
"New defenses could actually add weaknesses," Lanier said. "Companies have to understand that every new piece of infrastructure is an additional attack surface."