Sharp Ideas

Open Source, Future Technology, and the Web

Review of DeviceWall - an application for reducing risk of data theft

January 20th, 2006 · 5 Comments ·
data theft, information security

Data theft is a topic that I feel very strongly about. Over the past five years, IT organizations have rapidly matured their network security architectures by integrating firewalls, intrusion detection systems, anti-virus and anti-spam products. The state of information security at most organizations’ network perimeter has improved by an order of magnitude. That’s the good news.

The bad news is that information security is not entirely about protecting networks; it is really about protecting data. Concurrent with the rapid improvement of network security, there has been a vast proliferation of personal media players (e.g. iPods) and portable storage devices. In the past quarter, Apple sold more than 14 million iPods, bringing the total number of iPods in the world to over 42 million. Firewalls, intrusion detection systems, and anti-virus technologies don’t do anything to protect against data theft that occurs with portable USB devices. As global networks converge and computers become increasingly accessible, security must shift from being network centric to being data centric.

In 2005 I created a small application named slurp.exe that ran off of iPods. Slurp was created to show how easy it is to steal large amounts of data from corporate PCs using mobile devices like iPods, and it reinforced the fact that organizations desiring comprehensive security must have strategies in place that address the endpoint.

I released slurp publicly as a “crippleware” application that had reduced functionality (I didn’t want it to become a tool of hackers and script kiddies). The results were surprising! I received scores of e-mail messages from security professionals, IT leaders, iPod users, and the media. In July 2005 there began a community consciousness that the security implications of data storage devices must be considered. I recently released slurp 2.0; you are welcome to download it to assess the vulnerability of your data on corporate systems.

I recently downloaded an evaluation copy of the DeviceWall application from Centennial Software. This entry on my web site details my impressions of the product.

Bottom Line Up Front:

It was very easy to set up and once running, DeviceWall completely blocked devices running slurp. I was particularly impressed with DeviceWall’s integrated auditing feature that keeps track of all attempts to connect and use external storage and communication devices. This was an unexpected add-on that proves very useful.

In every case, DeviceWall successfully protected against unauthorized use of external computing devices (such as USB thumbdrives, iPods, CDROMs, 802.11 wireless and the like).

Detailed Review:

DeviceWall is a policy centric, role-based access control mechanism for defining very specific privileges and security constraints in a Microsoft Windows environment. It is promoted as an “intelligent PC lockdown” application for endpoint security. (A brief point of clarification: endpoint security is synonymous with host security).

Based on my continued interest in data theft, I decided to take it for a test drive to see if it lived up to its description.

[Screenshot: DeviceWall user interface]

DeviceWall has a clean, efficient user interface for creating security policies pertaining to PDAs, optical drives, storage devices, and communication ports. Like many other enterprise security components, DeviceWall has two major components: a DeviceWall Server (for maintaining policy information and audit logs) and DeviceWall clients (software agents that enforce security policy on end-user workstations).

Installation of the server was a snap; I was up and running in a few minutes.*

The use of the application is fairly intuitive. An administrator selects a device (or class of related devices) and then selects the corresponding privileges that he wants a user or group to have with the selected device. If the administrator decides not to restrict privileges, he can still configure DeviceWall to audit the use of PC devices.

This auditing mechanism could be very useful in an organization that is not certain what its risk level is or what device types employees need to be maximally productive.

As organizations that have had a major security incident can attest, it is much less expensive and time consuming to review what happened in a security incident by checking security audit logs than it is to try to forensically reconstruct data from an exploited computer.

My initial test was to restrict USB thumbdrive and iPod device permissions for the user “Abe.” After restricting device privileges for the “Abe” account, I tried logging in and using my slurp application to grab business files from the hard drive. DeviceWall intercepted the connection and prevented me from slurping any data. So far, so good.

[Screenshot: DeviceWall policy change log]

DeviceWall helps administrators keep track of changes to security policies through a policy change log (pictured above). This is especially important, as most organizations’ security policies change over time and it is essential to be able to grant users privileges that are congruent with the current policy. I made several changes as a DeviceWall administrator; each of the policy changes was appropriately logged.

[Screenshot: DeviceWall log-in notification]

DeviceWall can optionally provide users with log-in information on what resources they are allowed to use (and remind them that their actions are being monitored). In the example above, I was logged in with an administrator account and had unrestricted access to all devices. The pop-up warning is a convenience message that can be disabled; I like leaving it on though - it looks like it could help keep honest people honest.

[Screenshot: DeviceWall temporary access]

Occasionally special needs arise that merit a change to a system’s configuration. If a user needs temporary access to an input-output device, they may contact a system administrator, who may then grant them temporary privileges across the network. What is interesting about this set-up to me is that when a user contacts an administrator to get temporary access, he must provide an access code that is unique to his computer. This is clever, as it prevents “social engineering” attacks where a user attempts to gain access to another system under a false pretext.

[Screenshot: DeviceWall privileges for Palm OS devices]

In the example above you can see that Abe, Heather, and members of the “users” group all have privileges to use Palm OS Devices. Privilege assignment can be as simple or complex as you desire. DeviceWall allows the assignment of privileges by user groups. This is very helpful, as administrators can assign privileges based on roles (e.g. salesman, accountant, IT helpdesk, VP) which drastically reduces the amount of administration required for maintaining the security policies over time.

[Screenshot: DeviceWall USB flash disk permissions]

In this example you can see that Heather has read permissions for USB flash disks, but may not write to such devices. If a user does not have explicit permissions for a given device type, they may still inherit privileges based on the groups that they belong to.

[Screenshot: DeviceWall]

If two sets of conflicting privileges exist for a given user, the more restrictive permissions are applied. This is generally a good thing, as it closes loopholes where a user obtains privileges inappropriate for their realm of responsibility.
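The group inheritance and "most restrictive wins" rules described in the last three paragraphs, modelled as an added Python example. This is not Centennial Software's code; the user and group names, the device class identifiers, the default-deny behaviour for device classes with no rule, and the assumption that an explicit per-user assignment takes precedence over group assignments are all constructed for illustration.

```python
"""Toy model of DeviceWall-style device privilege resolution.

Added illustration, not Centennial Software's code. Assumptions: an explicit
per-user rule for a device class wins over group rules; conflicting group
rules resolve to the most restrictive (the intersection of rights); a device
class with no matching rule gets no rights (default deny); every access
decision is appended to an audit trail.
"""
from __future__ import annotations

from dataclasses import dataclass, field

READ, WRITE = "read", "write"
ALL = frozenset({READ, WRITE})      # read and write
NONE: frozenset[str] = frozenset()  # blocked entirely


@dataclass
class Policy:
    # user  -> device class -> rights granted explicitly to that user
    user_rules: dict[str, dict[str, frozenset[str]]] = field(default_factory=dict)
    # group -> device class -> rights granted to members of that group
    group_rules: dict[str, dict[str, frozenset[str]]] = field(default_factory=dict)
    # user -> groups the user belongs to
    membership: dict[str, set[str]] = field(default_factory=dict)
    # one line per access decision, allowed or denied
    audit: list[str] = field(default_factory=list)

    def effective_rights(self, user: str, device: str) -> frozenset[str]:
        """Rights `user` ends up with for `device` after inheritance and conflict resolution."""
        explicit = self.user_rules.get(user, {}).get(device)
        if explicit is not None:
            return explicit                        # explicit user rule wins
        inherited = [
            self.group_rules[group][device]
            for group in self.membership.get(user, set())
            if device in self.group_rules.get(group, {})
        ]
        if not inherited:
            return NONE                            # no rule anywhere: default deny
        rights = ALL
        for granted in inherited:                  # conflicting groups: most restrictive wins
            rights &= granted
        return rights

    def check(self, user: str, device: str, action: str) -> bool:
        """Decide one access attempt and record it, like the agent's audit log."""
        allowed = action in self.effective_rights(user, device)
        verdict = "ALLOW" if allowed else "DENY"
        self.audit.append(f"{verdict} user={user} device={device} action={action}")
        return allowed


def build_sample_policy() -> Policy:
    """Constructed sample loosely mirroring the review's screenshots (names are illustrative)."""
    p = Policy()
    p.user_rules["abe"] = {"usb_flash_disk": NONE, "ipod": NONE}     # locked down, as in the slurp test
    p.user_rules["heather"] = {"usb_flash_disk": frozenset({READ})}  # read-only USB flash disks
    p.group_rules["users"] = {"palm_os_device": ALL, "usb_flash_disk": ALL}
    p.group_rules["contractors"] = {"palm_os_device": frozenset({READ})}
    p.membership["abe"] = {"users"}
    p.membership["heather"] = {"users", "contractors"}
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    policy.check("abe", "usb_flash_disk", WRITE)      # DENY: explicit user rule beats the users group
    policy.check("heather", "usb_flash_disk", READ)   # ALLOW: explicit read-only rule
    policy.check("heather", "palm_os_device", WRITE)  # DENY: users grants write, contractors only read
    policy.check("abe", "cdrom", READ)                # DENY: no rule covers CD-ROMs
    print("\n".join(policy.audit))
```

The intersection in `effective_rights` is what makes the model fail closed: a user who is in a broad group and a narrow one gets only what both allow, and a device class nobody has written a rule for is denied rather than silently permitted. The audit list plays the role of the connection log the review praises, so the same data that enforces policy also records every attempt for later review.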

Conclusions:

The good

  • Comprehensive protection against a wide spectrum of data theft threats to workstation PCs and laptops.
  • Protected against slurp.exe and other attempts to directly subvert system security.
  • Extremely granular control over what device types may be used by specific users and groups.
  • The GUI is easy to use.
  • Provides mechanisms for granting temporary access to users.
  • Easy to maintain through policy driven enforcement.
  • Integrates with Windows Active Directory.
  • Software agents can be deployed remotely.

The bad

  • The DeviceWall server requires prerequisites of SQL Server and the IIS web server. While neither SQL Server nor IIS is difficult to set up, if your IT staff don’t have them running already it will add a small amount of additional overhead to your IT operations.
  • A scriptable / programmable API for controlling access on remote computers is not bundled with the application. An API would be helpful to have (to enable automation of some security policy changes).
  • As best as I can tell, DeviceWall does not currently integrate directly with Security Incident Management (SIM) applications like ArcSight and Intellitactics. It would be helpful to be able to integrate DeviceWall’s audit data with a SIM tool.

Overall

DeviceWall is a capable application for locking down PCs and protecting corporate data. While DeviceWall was active on my test set-up, I could not find any methods of subverting its security. Organizations with strict requirements for data confidentiality and integrity should consider DeviceWall as a possible solution.

* If you don’t already have a running copy of Microsoft IIS web server and the SQL Server database, setup could take much longer.
