APT Attacks



APT attacks are one of the things the security industry is focusing on these days, and something that we should be aware of as well. In case a RAT (Remote Access Tool) gets installed on the user's PC, an attacker can access and download all files within the victim's PC. Having encryption on the documents eliminates the threat of allowing the attacker to open any downloaded files. Encryption, especially software encryption, is a performance hit. Can the PANs detect and/or prevent attacks like this, so we do not have to deploy s/w encryption, or as an alternative to it?


L6 Presenter

Encrypting files will in this case only help if the same files are never decrypted on the device running the RAT.

Most likely either a passphrase or some sort of private key will be used to decrypt the content, and both can be fetched once you have a RAT in your box.

Also, if the content is decrypted on the same device running the RAT, the RAT can still just take a screenshot to gain access to the sensitive data (that's why using, for example, Citrix with BYOD really doesn't help much).

Having said this, encrypting sensitive data is always a good thing to do, but often you must think twice (for example, have a backup of the decryption key, encrypt BEFORE you store the data on the fileserver (and not first store the cleartext and then encrypt the file), etc.). You have a list at http://www.consilium.europa.eu/policies/information-assurance/list-of-approved-cryptographic-devices... of approved off-line file encryptors to be used for various EU levels. I guess there might be a similar list in your area of living.

The PA box will be able (if a signature exists) to detect the RAT itself or the behaviour of the RAT (either by IPS/AV signatures, WildFire or Botnet reports).

A better option security-wise (regarding the need for Internet access for clients) is to use some sort of terminal-server setup for the browsing and segment that DMZ away from the rest of your network (by using an ICA proxy, for example). This way, if shit hits the fan, it will only be able to infect the terminal-server environment (which also means you need to have procedures to reset this environment to its original state). Then focus on how your clients should be able to access email (which is an indirect way of accessing the Internet - you can use another terminal-server setup for this) or, for that matter, whether the operating system running on the clients should accept USB and FireWire devices at all.

Another thing to do, similar to the BYOD case, is to use a document handling system so the files themselves are never exposed to the client, and if the client wants to check out a file it is already encrypted when it reaches the client box (leaving "only" the security hole of RATs taking screenshots). The main goal of a document handling system is that it is the system itself which sends the files to others, and the client itself doesn't need to be involved (beyond selecting the recipient).
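The reply mentions detecting the behaviour of a RAT rather than only its signature. As an added illustration (not code from this thread or from Palo Alto Networks), the script below flags one such behaviour, a client contacting the same external host at a near-constant interval, over a constructed, simplified traffic log; the CSV layout and all addresses are assumptions, not a real PAN-OS export format.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (timestamp,src,dst,dport): 10.1.1.5 checks in
# with 203.0.113.7 roughly every 60 s; the other lines are irregular
# browsing from another host. Not a real PAN-OS log format.
SAMPLE_LOG = """\
2024-01-01T10:00:00,10.1.1.5,203.0.113.7,443
2024-01-01T10:00:13,10.1.1.9,198.51.100.2,443
2024-01-01T10:01:01,10.1.1.5,203.0.113.7,443
2024-01-01T10:01:59,10.1.1.5,203.0.113.7,443
2024-01-01T10:02:40,10.1.1.9,198.51.100.9,80
2024-01-01T10:03:00,10.1.1.5,203.0.113.7,443
2024-01-01T10:04:02,10.1.1.5,203.0.113.7,443
2024-01-01T10:04:20,10.1.1.9,198.51.100.2,443
2024-01-01T10:05:00,10.1.1.5,203.0.113.7,443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split(",")
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(text, min_hits=5, max_jitter=0.15):
    """Return {flow: mean interval in s} for flows whose gaps between
    connections are nearly constant.

    max_jitter bounds the coefficient of variation (stdev / mean) of the
    gaps; human browsing is bursty and rarely stays under it, while a
    timer-driven check-in does.
    """
    suspects = {}
    for key, times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects[key] = round(avg, 1)
    return suspects
```

On real traffic the thresholds need tuning against legitimate periodic clients (NTP, update checks, monitoring agents), so treat a hit as a lead for the Botnet report review, not a verdict.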
