Password-secured Archives Analysis in DLP systems
13.09.2021
A DLP system is one of the most reliable ways to protect confidential company data and to monitor the performance and loyalty of employees. In this article we look a little deeper into the details of a DLP system in order to better understand what the companies that use one are dealing with.
One of the peculiarities of using a DLP system is working with password-protected archives. Since the system controls all traffic, it sees every communication channel through which employees interact. When the software sees a password-protected archive, it can block its sending, create a dedicated information security "incident", and inform the company's security service about it.
Some modern DLP systems can automatically decrypt archives protected by corporate passwords. To implement this, a special key directory must be created in the DLP in advance, in which all of the company's corporate passwords are recorded. The system then analyzes the archive and tries to open it with the passwords from the directory. If none of the keys opens the archive, the archive is blocked and the "incident" goes to the company's information security service.
The disadvantage of such a solution is that as the directory fills with passwords, the number of password-archive combinations grows, the resource consumption of the system increases with it, and the sending of documents slows down. In addition, some experts believe that the very principle of storing passwords and trying them one by one (brute-forcing) on end workstations creates an additional information security risk.
However, there are several alternative approaches to working with password-protected archives. Modern DLP systems contain many functions that information security specialists do not fully use. As practice shows, when encrypting an archive most employees do not enable the "Encrypt file names" option. Thus the approximate contents of the archive can be found out even without a password.
A DLP system can retrieve file names and file types without a password. An archive with an unremarkable name may contain files related to confidential company information. Such an analysis can already make clear whether it is worthwhile to continue extracting files from the archive by any available means or to ignore it.
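As an added example (not code from the article or from SecureTower), the following Python script shows what a DLP can read from a password-protected ZIP without any password: it constructs a small ZIP whose entries carry the encryption flag, lists the names, types and sizes from the central directory, and flags names that match a constructed keyword list. In the ZIP format the file names are never encrypted (the "Encrypt file names" option belongs to formats such as 7z and RAR); the keyword list and the verdict rule are assumptions.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0: entry data is encrypted

# Constructed keyword list standing in for a DLP content dictionary (assumption).
SENSITIVE_KEYWORDS = ("salary", "passport", "contract", "client", "confidential")


def build_encrypted_zip(names):
    """Construct a ZIP whose entries carry the encryption flag (bodies are filler,
    not real ZipCrypto output); the central directory stays in clear text."""
    local, central, offset = b"", b"", 0
    for name in names:
        fname = name.encode("utf-8")
        body = b"\x00" * 16  # stands in for the encrypted payload
        # version needed, flags, method (0 = stored), time, date, crc, csize, usize
        head = struct.pack("<HHHHHIII", 20, ENCRYPTED_FLAG, 0, 0, 0x21,
                           0, len(body), len(body))
        local += b"PK\x03\x04" + head + struct.pack("<HH", len(fname), 0) + fname + body
        central += (b"PK\x01\x02" + struct.pack("<H", 20) + head
                    + struct.pack("<HHHHHII", len(fname), 0, 0, 0, 0, 0, offset) + fname)
        offset = len(local)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(names), len(names),
                       len(central), len(local), 0)
    return local + central + eocd


def inspect_archive(data):
    """Return, per entry, the metadata a DLP can read without any password."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():  # parses only the central directory
            lowered = zi.filename.lower()
            findings.append({
                "name": zi.filename,
                "ext": lowered.rsplit(".", 1)[-1] if "." in lowered else "",
                "size": zi.file_size,
                "encrypted": bool(zi.flag_bits & ENCRYPTED_FLAG),
                "hits": [k for k in SENSITIVE_KEYWORDS if k in lowered],
            })
    return findings


def verdict(findings):
    """'escalate' when a protected entry looks sensitive, else 'low-priority'."""
    if any(f["encrypted"] and f["hits"] for f in findings):
        return "escalate"
    return "low-priority"
```

Calling `verdict(inspect_archive(build_encrypted_zip(["Q3_salary_report.xlsx", "holiday_photos.jpg"])))` returns `"escalate"` because the first name hits the dictionary even though its data is flagged as encrypted.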
How can an employee of the company's information security department work with a password-protected archive?
Let's consider the situation in detail. The system detects the transfer of a password-protected archive, blocks it, and then sends a notification to the security officer, who now has information on the "incident". The specialist sees information about the archive, including its structure and all of its parameters: attached files, nesting levels, attachment names, their size, date, etc. Investigating a single case of obtaining such an archive is not difficult, since in most cases the company's security service has the rights to monitor, unlock and view the content.
As an example, for a more detailed look at the algorithm for working with unsafe elements, let's take SecureTower from Falcongaze:
1) At the moment a password-protected archive is detected, the system takes the situation into analysis and transfers data about it to the information security department;
2) Next, an employee of the information security department analyzes the incident and the contents of the archive. During the analysis of the archive, the content is recognized by file names and keywords.
In SecureTower, you can also configure security rules to recognize password-protected archives. A feature of SecureTower is that an information security department employee can perform all the actions for working with the archive in the same console.
3) Selecting the password and unlocking the archive. As you know, the password does not appear out of nowhere; it is entered either manually or pasted from the clipboard. SecureTower uses a keylogger, a module that records keystrokes on the computer keyboard. With the help of the keylogger, the system is able to find out the password and, with it, gain access to the contents of the archive. It should be noted that the archive can be unpacked on a dedicated investigation computer, thus loading the decrypted contents of the archive into the system for automatic analysis of the content and further work on the incident.
Returning to organizational issues, it is worth emphasizing that it is important to regulate the work with archives: to define restrictions on the type, size, and number of archived files. Of course, employees who by the nature of their work need to work with password-protected archives will be under constant control, and if an ordinary employee sends a number of archived files uncharacteristic of their activity, this will be considered a sign of potentially unsafe correspondence and will be selected by the system for further analysis. A DLP system can not only create an "incident" and transfer it to the control of the security service, but also completely prohibit the transfer of the archive.
Once the information security officer has assessed the archive by its file names and their sizes and has analyzed the content, it becomes clear whether to allow the transfer of such an archive and what additional measures should be taken.
Summing up, we can say that DLP successfully solves the problem of controlling the transfer of archives, and the high degree of automation of this process greatly facilitates the security service's work in investigating incidents. SecureTower from Falcongaze can be considered a DLP system with one of the highest-quality and most reliable approaches to working with password-protected archives.