
Tenable Blog


Passive Discovery of Copyrighted and Potential Data Leakage Files

The Passive Vulnerability Scanner (PVS) can be used to discover web servers hosting files that may be copyrighted or that may be potential sources of data leakage. Such material may contain sensitive intellectual property that is not intended for public release. By passively sniffing traffic to and from web servers, the PVS can discover hosted content that may be in violation of corporate policies.

Finding Potential Copyright Violations

Several plugins are available to discover movies and music files being hosted on a web server. These files may be subject to inquiries from the RIAA or the MPAA.

Typically, if a user on your network is sharing copyrighted content, they are either physically bringing it into your network, or they are using your bandwidth to download content via P2P file sharing. A user that attempts to share their movies or music using a web server could be a liability for your organization.

The following PVS plugins are available to discover hosted entertainment content:

  • 3827 Web Server hosting .mp3 file(s)
  • 3828 Web Server hosting .wav file(s)
  • 3839 Web Server hosting .ogg file(s)
  • 3840 Web Server hosting .wma file(s)
  • 3847 Web Server hosting .avi file(s)
  • 3848 Web Server hosting .mpg file(s)

Tenable considers these plugins very complementary to the Nessus plugins which perform scans for similar content. Tenable has blogged about using active scanning with Nessus to discover potential copyrighted content on web servers, SMB shares and FTP servers.

Finding Potential Data Leakage Files

Many enterprise organizations have experienced inadvertent or malicious disclosure of sensitive corporate data and sensitive customer data. Many of these cases resulted from having sensitive data "too available" to employees who didn't really need access to it.

One way to help combat this is to take an inventory of which web servers are hosting typical corporate documents. The PVS has the following rules available to detect web-hosted files:

  • 3822 Web Server hosting .xls file(s)
  • 3823 Web Server hosting .doc file(s)
  • 3824 Web Server hosting .ppt file(s)
  • 3825 Web Server hosting .csv file(s)
  • 3826 Web Server hosting .rtf file(s)

The intent of these rules isn't to find data leakage incidents; they are designed to help organizations discover whether they have any web servers hosting this sort of content. Since the PVS watches 24x7, it can also act as an alerting mechanism when new servers or new content become available.

Tenable has recently made rules available for the PVS which can look for patterns of credit card and social security numbers in network traffic. We've also blogged about how the PVS can be extended to look for proprietary tags of sensitive data.

Comparing with Nessus Active Scanning

Because the PVS monitors 24x7, it has the advantage of seeing data in motion. The PVS also monitors all unencrypted web servers, regardless of port, and it will see unencrypted web servers hosting this content even when they are protected by a password. Obviously, Nessus scans can be configured with credentials to perform a scan, but an IT auditor might not have the right password for a rogue web server containing movies or music files.

For active scans, Nessus may be able to find files that are available, but have yet to be downloaded. Nessus can also "log on" to SSL encrypted web servers (providing there is no password) and discover files.

Working With the Security Center

Since the output of these PVS plugins can be used by the Security Center's dynamic rules engine, there are many possibilities for reporting, analysis and alerting. The Security Center can be used to create an asset list of each web server that is hosting potentially sensitive content. Once this occurs, the following activities can take place:

  • All systems which have been passively discovered could be automatically (or manually) scheduled for an in-depth active Nessus scan.
  • The vulnerabilities of all web servers hosting sensitive content can be analyzed, trended and reported on. This may be a quick way of simply discovering where all the main "servers" with corporate data are located.
  • If the Log Correlation Engine is in use, an analysis of who has accessed this data and from where can occur. This can be accomplished using netflow, firewall or sniffed network sessions.
  • If intrusion detection logs are available, a separate report or analysis of all attacks against these servers can occur.
  • If these assets hosting sensitive data are being managed, the Log Correlation Engine can be used to track changes to the local system, users and supporting network devices.
  • If the RIAA or MPAA makes an inquiry to your organization, the PVS can help provide data for the investigation. The Security Center can keep this data on record for "historical" evidence as well.
  • The Security Center can be used to find servers that are hosting movies AND music, or perhaps PowerPoint AND spreadsheet files. These correlations can help find a more likely source of interesting files for analysis.
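
The inventory of web servers by hosted file type, and the "movies AND music" style of correlation described above, can be sketched outside the product. The following Python is an added example, not Tenable's code or PVS rule syntax; the observation tuples are constructed sample data, and the category groupings and function names are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit
import posixpath

# Extensions come from the plugin lists on this page; the grouping into
# categories is an assumption made for this example.
CATEGORIES = {
    "music": {".mp3", ".wav", ".ogg", ".wma"},
    "movies": {".avi", ".mpg"},
    "spreadsheet": {".xls", ".csv"},
    "document": {".doc", ".rtf"},
    "presentation": {".ppt"},
}
EXT_TO_CATEGORY = {ext: cat for cat, exts in CATEGORIES.items() for ext in exts}

# Constructed sample of passively observed HTTP transactions:
# (server_ip, server_port, request_target, response_status)
OBSERVED = [
    ("10.1.1.20", 80, "/share/Q3_forecast.XLS?dl=1", 200),
    ("10.1.1.20", 80, "/share/board_deck.ppt", 200),
    ("10.1.1.20", 80, "/share/missing.doc", 404),
    ("10.1.2.77", 8080, "/media/track01.mp3", 200),
    ("10.1.2.77", 8080, "/media/clip.avi", 206),
    ("10.1.3.5", 80, "/index.html", 200),
    ("10.1.3.5", 80, "/export.csv", 401),
]

def classify(target):
    """Map a request target to a content category, ignoring query string and case."""
    path = urlsplit(target).path
    ext = posixpath.splitext(path)[1].lower()
    return EXT_TO_CATEGORY.get(ext)

def build_inventory(observations):
    """Return {(ip, port): {category, ...}} for files the server actually served."""
    inventory = defaultdict(set)
    for ip, port, target, status in observations:
        category = classify(target)
        # Only 200/206 show the file was served; a 404 or 401 proves nothing.
        if category and status in (200, 206):
            inventory[(ip, port)].add(category)
    return dict(inventory)

def hosting_all(inventory, *required):
    """Servers hosting every required category (the AND correlation)."""
    need = set(required)
    return sorted(srv for srv, cats in inventory.items() if need <= cats)
```

Keying the inventory on (IP, port) rather than IP alone keeps servers on non-standard ports distinct, which matters because the passive sensor watches web traffic regardless of port.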

 
