Finding Sensitive Data as a Consultant with Nessus
There are many consultants that use Nessus to scan a customer network for vulnerabilities and report a laundry list of security issues which need to be fixed. Another valuable service that can be performed by a consultant is to audit where sensitive data resides in an organization and what sort of access can be gained to it. This blog entry discusses what can be accomplished with the Nessus scanner and what additional types of data analysis can be performed with the sensitive content checks available with the Nessus Direct Feed.
What is "Sensitive Data"?
In the government and military, there are in-depth standards for classifying the sensitivity of data such as "SECRET", "TOP SECRET" and so on. This classification details who can have access to the data and what level of security assurance should be invoked to protect inadvertent disclosure.
For the rest of the world, classifying data may not be as simple. An organization may draw data classification requirements from the compliance regulations it is under. A public and private company both governed by PCI will likely treat their customer credit card data the same way. However, the public company may consider emails about projected revenues, mergers and such, much more seriously than a private company due to SOX requirements. Other companies may have unique requirements to protect the secret beverage drink recipe, plans for the new stealth bomber or conceal the latest marketing campaign.
As a consultant, asking the customer what their data controls and concerns are is a very good place to start. There is always a very strong possibility that an executive's or manager's view of data classification and access controls may be different than what is actually occurring in the organization. As an "outsider" to the organization, the consultant may also have different views as to how data is classified which is based on common sense, prior experience and general industry practice.
With an understanding of what may be sensitive or damaging to an organization if it were lost, Nessus can be used to scan a network from many vantage points and discover where this information is located at.
Finding the Data with Nessus
Information stored on the network is accessed over the network. The following Nessus plugins and families will identify a wide variety of services which enable information sharing on a network:
- Office Files List - scans web servers for the presence of "office" files.
- SMB Shares Enumeration - lists the directories and folder names available for file sharing.
- SMB Share hosting Office Files - scans for servers with a network SMB file share that host .doc, .xls, .ppt and other types of "office" files.
- SMB Share hosting Copyrighted Material - scans for SMB shares hosting MP3s, AVIs and other types of media.
- Web Server hosting Copyrighted Material - scans for web servers which are hosting MP3s, AVIs and other types of media.
- FTP Server hosting Copyrighted Material - scans for FTP servers which are hosting MP3s, AVIs and other types of media.
- USB Drives Enumeration - lists all USB disk drives present on a Windows server.
- NFS Exports - lists all NFS directories that are available.
- Peer to Peer file sharing - this set of plugins not only identifies vulnerabilties in common P2P applications, it also identifies the mere presence of them.
- Databases - this set of plugins not only identifies vulnerabilities in common SQL database applications, it also identifies where they are located.
- And last but not least, there are 100s of Nessus plugins which identify basic data hosting services such as HTTP, FTP, NFS and so on.
Of course, data can be obtained many other ways including the "sneaker network", screen captures through RDP/VNC sessions, sniffing network traffic, copying snapshots of VMWare systems and so on. The point of this exercise with Nessus is to analyze the local network for the "easy" things an average employee may come across without the use of any special tools. I also chose to include the search for potentially illegal music and movie content as part of the sensitive data search because it can highlight certain types of data that management or executives may not know about.
Analyzing the Results
When providing an analysis of the discovered types of data with Nessus, I recommend the following strategies:
- Does the discovered data "look" interesting? When Nessus finds a file share, it will generally list as many of the file names or directory titles found in the scan report. Analyzing this data is a manual process, however, as a consultant you may find enough interesting file or directory names that you can raise a concern. If the share or access is "open" you may even be able to pull back the documents and analyze them yourself. In the next section, we will consider how the Direct Feed can be used to look for specific types of sensitive data by actually looking at the content of the files themselves.
- Who can access this data? Depending on where you performed your Nessus scan, you may have been able to identify data that was obtainable from "outside" of an organization. Keep in mind that "outside" could be mean someone on the Internet, or perhaps could simply mean someone from the accounting group being able to access private human resources data. Performing multiple scans from vantage points across a network could reveal different levels of access or trust that various groups have with each other.
- Does the underlying server have vulnerabilities? When you find a server hosting office files, if it has major vulnerabilities it may be exploitable. This may be irrelevant information or it may not. A vulnerable web server with 1000 sensitive PDF documents on it may be just as damaging to an organization if the web server was fully patched but had the documents available to everyone. On the other hand, a vulnerability on an office automation system such as Lotus Notes, Share Point or a Wiki could allow circumvention of the security controls in those applications. A consultant should be able to differentiate these to situations and recommend where vulnerabilities need to be fixed or more fine-tuned access be added to information sharing resources.
- Does a network of trust have vulnerabilities? If access to data is found through a certain location in the network, such as being able to see sales or customer data from the accounting group, then the vulnerabilities of that location should be considered. The idea is to look for organizations that are "trusted" to access the sensitive data, but are also vulnerable to attack.
- Does the network service serve a purpose? Lastly, Nessus will highlight any type of network service it can find. This includes temporary shares, file services and other types of daemons. As a consultant, if you can ask (and get answers) about where servers are supposed to be, what types of servers are supposed to be there and what types of servers should not be running. As a consultant performing an audit, you may find discrepancies in what should be happening and what actually is happening.
Scanning for Known Sensitive Data Types
The Nessus Direct Feed includes a set of content auditing plugins which open up Word, Excel, PDF, text and other types of files to look for patterns that indicate the presence of credit cards, social security numbers and many other types of content.
The Tenable Support Portal offers several dozen polices that can be used with Nessus to look for sensitive file names, to look for various key words and watermarks and to also identify intellectual property at rest. These audit polices are writen in a simple XML type language which specifies what file extensions to look at, how much of a file should be analyzed, and which keywords and pattern matches should be searched for. These policies can be modified and customized as well as written from scratch.
The example below looks at the first 5000 bytes of each PDF, Word and Excel file for phone numbers. One of the words such as "FAX", "Phone", "Cell" or "Mobile" must be present and if so a regular expression which matches a phone number such as 123-456-7890 as well as 123.456.7890 will be performed.
<item>
type: FILE_CONTENT_CHECK
description: "Determine if server is hosting phone contact info"
file_extension: "pdf" | "doc" | "xls"
regex: "[0-9]{3}[ \.\-][0-9]{3}[ \.\-][0-9]{4}"
expect: "FAX" | "Fax" | "Phone" | "PHONE" | "CELL" | "Cell" | "Mobile" | "MOBILE"
max_size : "5k"
</item>
When Nessus performs these scans it not only lists the servers which did have matching content, it also lists the servers which "passed" and did not have any types of content on them.
There are many obvious uses for this technology such as:
- Scanning for credit card information on systems that should not have that type of data.
- Finding employee information, customer information and other types of data useful for identity theft.
- Looking for source code, text, manuals, .etc which are proprietary in nature and should not be available throughout or outside of a company.
- Leveraging an organization's existing copyright, data classification guides or watermarks to find data on servers or systems that should not exist.
- Finding data stores for employees which have nothing to do with the organization. For example, finding an employee's personal tax, credit card, health, insurance and other types of information stored in a "public" place.
- Finding lists of customers, their contact information and existing or projected revenues
Conclusion
As a consultant, the ability to look for sensitive data where it should not be is a valuable service that can be provided to your customers in addition to security auditing. For more information, please consider these other blog entries and demonstration videos:
- Searching for Classified Content in documents
- Scanning your network for Copyrighted material
- Configuration and Content audit video
Related Articles
- Nessus