28th March 2024

Some Scenarios for DLP (Data Loss Prevention) POC

Some scenarios in DLP POC processes are as follows. These are the scenarios that come to my mind. You can further expand these scenarios.

Protection of Data on File Server

1). Protection of Data on File Server. An attempt will be made to take out all or certain parts of the fingerprinted files on the file server. The files on the file server will be accessed over CIFS using a UNC path.

  • A file attachment will be made to the “https://mail” destination address. (Network-level – Sample x DB Record in the database will be used).
  • Web POST will be performed towards the X destination address. (Network-level – Sample x DB Record in the database will be used).
  • A mail will be sent out of the company from a PC with no agent installed. (Network-level – Sample x DB Record in the database will be used).
  • Web POST will be performed from the agent installed PC to the “Http://x” destination address. (Online Endpoint tests – Sample file contents on File Server will be used).
  • Web POST will be performed from the agent installed PC towards the “https://x” destination address. (Online Endpoint tests – Sample file contents on File Server will be used).
  • A file containing the data will be copied from the PC with the agent installed to the USB Disk. (Online Endpoint tests – Sample file contents on File Server will be used).
  • A file containing data will be copied from a PC with the agent installed to a file server. (Online Endpoint tests – Sample file contents on File Server will be used).
  • The data will be sent via Outlook from an agent installed PC. (Online Endpoint tests – Sample file contents on File Server will be used).
  • Data from a PC with Agent installed will be Pasted into IM Applications. (Online Endpoint tests – Sample file contents on File Server will be used).
  • The relevant data will be output from the Agent Installed client. (Online Endpoint tests – Sample file contents on File Server will be used).
  • Web POST will be performed from the agent installed PC to the “Http://x” destination address. (Offline Endpoint tests – Sample file contents on File Server will be used).
  • Web POST will be performed from the agent installed PC to the “https://x” destination address. (Offline Endpoint tests – Sample file contents on File Server will be used).
  • A file containing the data will be copied from the PC with the agent installed to the USB Disk. The PC will not be connected to the office network. (Offline Endpoint tests – Sample file contents on File Server will be used).
  • A file containing data will be copied from a PC with the agent installed to a file server. The PC will not be connected to the office network. (Offline Endpoint tests – Sample file contents on File Server will be used).
  • The data will be sent via Outlook from an agent installed PC. The PC will not be connected to the office network. (Offline Endpoint tests – Sample file contents on File Server will be used).
  • Data from a PC with Agent installed will be Pasted into IM Applications. The PC will not be connected to the office network. (Offline Endpoint tests – Sample file contents on File Server will be used).
  • The relevant data will be output from the Agent Installed client. (Offline Endpoint tests – Sample file contents on File Server will be used).

 

Protection of Data on the Database

2). Protection of Data on the Database. A certain amount of critical information tracked from critical applications will be taken out of the institution. The aim is to determine the fingerprinting methods for critical information in the application and to determine the monitoring/blocking rates.

  • Web POST will be performed from the agent installed PC to the “Http://x” destination address. (Network-level – Sample x DB Record in the database will be used).
  • The correct file attachment will be made to the “https://mail” destination address. (Network-level – Sample x DB Record in the database will be used).
  • A mail will be sent out of the company from a PC with no agent installed. (Network-level – Sample x DB Record in the database will be used).
  • Web POST will be performed from the agent installed PC towards the “Http://x” destination address. (Online Endpoint tests – Sample x DB Record in the database will be used).
  • Web POST will be performed from the agent installed PC to the “https://x” destination address. (Online Endpoint tests – Sample x DB Record in the database will be used).
  • A file containing the data will be copied from the PC with the agent installed to the USB Disk. (Online Endpoint tests – Sample x DB Record in the database will be used).
  • A file containing data will be copied from a PC with the agent installed to a file server. (Online Endpoint tests – Sample x DB Record in the database will be used).
  • The data will be sent via Outlook from an agent installed PC. (Online Endpoint tests – Sample x DB Record in the database will be used).
  • Data from a PC with Agent installed will be Pasted into IM Applications. (Online Endpoint tests – Sample x DB Record in the database will be used).
  • The relevant data will be output from the Agent Installed client. (Online Endpoint tests – Sample x DB Record in the database will be used).
  • Web POST will be performed from the agent installed PC to the “Http://x” destination address. (Offline Endpoint tests – Sample x DB Record in the database will be used).
  • Web POST will be performed from the agent installed PC to the “https://x” destination address. (Offline Endpoint tests – Sample x DB Record in the database will be used).
  • A file containing the data will be copied from the PC with the agent installed to the USB Disk. The PC will not be connected to the office network. (Offline Endpoint tests – Sample x DB Record in the database will be used).
  • A file containing data will be copied from a PC with the agent installed to a file server. The PC will not be connected to the office network. (Offline Endpoint tests – Sample x DB Record in the database will be used).
  • The data will be sent via Outlook from an agent installed PC. The PC will not be connected to the office network. (Offline Endpoint tests – Sample x DB Record in the database will be used).
  • Data from a PC with Agent installed will be Pasted into IM Applications. The PC will not be connected to the office network. (Offline Endpoint tests – Sample x DB Record in the database will be used).
  • The relevant data will be output from the Agent Installed client. (Offline Endpoint tests – Sample x DB Record in the database will be used).

 

Leak tests of ID numbers

3). Leak tests of ID numbers will be performed and monitoring/blocking rates will be determined. A leak test of at least 3 ID numbers will be performed over multiple channels, partially or collectively, using the channels given below. The PC used for endpoint agent tests will be tested separately for the cases where it is on and outside the office network.

  • Web POST will be performed towards the destination address “Http://x”. (Network-level).
  • The correct file attachment will be made to the “https://mail” destination address. (Network-level).
  • A mail will be sent out of the company from a PC with no agent installed. (Network-level).
  • Web POST will be performed from the agent installed PC to the “Http://x” destination address. (Online Endpoint tests).
  • Web POST will be performed from the agent installed PC to the “https://x” destination address. (Online Endpoint tests).
  • A file containing the data will be copied from the PC with the agent installed to the USB Disk. (Online Endpoint tests).
  • A file containing data will be copied from a PC with the agent installed to a file server. (Online Endpoint tests).
  • The data will be sent via Outlook from an agent installed PC. (Online Endpoint tests).
  • Data from a PC with Agent installed will be Pasted into IM Applications. (Online Endpoint tests).
  • The relevant data will be output from the Agent Installed client. (Online Endpoint tests).
  • Web POST will be performed from the agent installed PC to the “Http://x” destination address. (Offline Endpoint tests).
  • Web POST will be performed from the agent installed PC to the “https://x” destination address. (Offline Endpoint tests).
  • A file containing the data will be copied from the PC with the agent installed to the USB Disk. The PC will not be connected to the office network. (Offline Endpoint tests).
  • A file containing data will be copied from a PC with the agent installed to a file server. The PC will not be connected to the office network. (Offline Endpoint tests).
  • The data will be sent via Outlook from an agent installed PC. The PC will not be connected to the office network. (Offline Endpoint tests).
  • Data from a PC with Agent installed will be Pasted into IM Applications. The PC will not be connected to the office network. (Offline Endpoint tests).
  • The relevant data will be output from the Agent Installed client. (Offline Endpoint tests).

 

Leak tests of Credit Card numbers

4). Leak tests of Credit Card numbers will be performed and monitoring/blocking rates will be determined. It will also be tested whether data that does not contain real credit card numbers creates false positives. For at least 10 credit card numbers, a leak test will be performed over multiple channels, partially or collectively, using the following channels. The PC used for endpoint agent tests will be tested separately for the cases where it is on and outside the office network.

  • Web POST will be performed towards the destination address “Http://x”. (Network-level).
  • The correct file attachment will be made to the “https://mail” destination address. (Network-level).
  • A mail will be sent out of the company from a PC with no agent installed. (Network-level).
  • Web POST will be performed from the agent installed PC to the “Http://x” destination address. (Online Endpoint tests).
  • Web POST will be performed from the agent installed PC to the “Https://x” destination address. (Online Endpoint tests).
  • A file containing the data will be copied from the PC with the agent installed to the USB Disk. (Online Endpoint tests).
  • A file containing data will be copied from a PC with the agent installed to a file server. (Online Endpoint tests).
  • The data will be sent via Outlook from an agent installed PC. (Online Endpoint tests).
  • Data from a PC with Agent installed will be Pasted into IM Applications. (Online Endpoint tests).
  • The relevant data will be output from the Agent Installed client. (Online Endpoint tests).
  • Web POST will be performed from the agent installed PC to the “Http://x” destination address. (Offline Endpoint tests).
  • Web POST will be performed from the agent installed PC to the “Https://x” destination address. (Offline Endpoint tests).
  • A file containing the data will be copied from the PC with the agent installed to the USB Disk. The PC will not be connected to the office network. (Offline Endpoint tests).
  • A file containing data will be copied from a PC with the agent installed to a file server. The PC will not be connected to the office network. (Offline Endpoint tests).
  • The data will be sent via Outlook from an agent installed PC. The PC will not be connected to the office network. (Offline Endpoint tests).
  • Data from a PC with Agent installed will be Pasted into IM Applications. The PC will not be connected to the office network. (Offline Endpoint tests).
  • The relevant data will be output from the Agent Installed client. (Offline Endpoint tests).
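The false-positive check in scenario 4 can be scored before any channel is tested. The following is an added example, not part of the original post: it compares a pattern-only detector with a pattern-plus-Luhn detector over constructed payloads and computes detection and false-positive rates. In a real POC the detector would be the DLP product's verdict for each channel, and at least 10 numbers would be used as stated above.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def naive_detector(text: str) -> list[str]:
    """Pattern only: anything shaped like a card number."""
    return [re.sub(r"[ -]", "", m.group()) for m in CANDIDATE.finditer(text)]

def find_cards(text: str) -> list[str]:
    """Pattern plus Luhn validation."""
    return [d for d in naive_detector(text) if luhn_ok(d)]

# Constructed samples: (label, payload, should_be_detected).
# The positives are publicly documented test card numbers, not real cards.
SAMPLES = [
    ("plain", "card 4111111111111111 exp 12/30", True),
    ("spaced", "pay with 4111 1111 1111 1111", True),
    ("hyphenated", "5555-5555-5555-4444", True),
    ("bad checksum", "4111111111111112", False),
    ("order id", "order 1234567890123456 shipped", False),
    ("phone-like", "+90 212 555 01 02", False),
]

def score(detector, samples=SAMPLES) -> dict:
    """Count outcomes and derive detection and false-positive rates."""
    c = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for _label, payload, positive in samples:
        flagged = bool(detector(payload))
        key = ("tp" if flagged else "fn") if positive else ("fp" if flagged else "tn")
        c[key] += 1
    c["detection_rate"] = c["tp"] / (c["tp"] + c["fn"])
    c["false_positive_rate"] = c["fp"] / (c["fp"] + c["tn"])
    return c

if __name__ == "__main__":
    for name, det in (("pattern only", naive_detector), ("pattern + Luhn", find_cards)):
        print(name, score(det))
```

Both detectors catch all three test numbers, but the pattern-only one also flags the bad-checksum value and the order ID, which is the false-positive behaviour this scenario is meant to expose.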

 

Software Source Codes Tests

5). Software Source Codes Tests: It will be tested whether software source code written in Perl, C, C++, C#, Java, ASP.NET, Adobe Flex, etc. can be detected. Leak testing of sample codes and files will be performed over multiple channels, both as content and as files. The PC used for endpoint agent tests will be tested separately for the cases where it is on and outside the office network.

  • Web POST will be performed towards the destination address “Http://x”. (Network-level – Source code will be used as both content and file).
  • The correct file attachment will be made to the “https://mail” destination address. (Network-level – Source code will be used as both content and file).
  • A mail will be sent out of the company from a PC with no agent installed. (Network-level – Source code will be used as both content and file).
  • Web POST will be performed from the agent installed PC to the “Http://x” destination address. (Online Endpoint tests – Source code will be used as both content and file).
  • Web POST will be performed from the agent installed PC to the “Https://x” destination address. (Online Endpoint tests – Source code will be used as both content and file).
  • A file containing the data will be copied from the PC with the agent installed to the USB Disk. (Online Endpoint tests – Source code will be used as both content and file).
  • A file containing data will be copied from a PC with the agent installed to a file server. (Online Endpoint tests – Source code will be used as both content and file).
  • The data will be sent via Outlook from an agent installed PC. (Online Endpoint tests – Source code will be used as both content and file).
  • Data from a PC with Agent installed will be Pasted into IM Applications. (Online Endpoint tests – Source code will be used as both content and file).
  • Web POST will be performed from the agent installed PC to the “Http://x” destination address. (Offline Endpoint tests – Source code will be used both as content and file).
  • Web POST will be performed from the agent installed PC to the “https://x” destination address. (Offline Endpoint tests – Source code will be used both as content and file).
  • A file containing the data will be copied from the PC with the agent installed to the USB Disk. The PC will not be connected to the office network. (Offline Endpoint tests – Source code will be used both as content and file).
  • A file containing data will be copied from a PC with the agent installed to a file server. The PC will not be connected to the office network. (Offline Endpoint tests – Source code will be used both as content and file).
  • The data will be sent via Outlook from an agent installed PC. The PC will not be connected to the office network. (Offline Endpoint tests – Source code will be used both as content and file).
  • Data from a PC with Agent installed will be Pasted into IM Applications. The PC will not be connected to the office network. (Offline Endpoint tests – Source code will be used both as content and file).

 

Data Protection on Application (SAP)

6). Data Protection on Application (SAP): A certain amount of critical information tracked from critical applications will be taken out of the institution. The aim is to determine the fingerprinting methods for critical information in the application and to determine the monitoring/blocking rates. The transaction specified in the SAP records will be run and the information in the list will be exported to the test file. A leak test of SAP ECC data will be performed over multiple channels, partially or in batch. The PC used for endpoint agent tests will be tested separately for the cases where it is on and outside the office network.

  • Web POST will be performed towards the destination address “http://x”. (Network-level).
  • The correct file attachment will be made to the “https://x” target address. (Network-level).
  • A mail will be sent out of the company from a PC with no agent installed. (Network-level).
  • Web POST will be performed from the agent installed PC to the “Http://x” destination address. (Online Endpoint tests).
  • Web POST will be performed from the agent installed PC to the “https://x” destination address. (Online Endpoint tests).
  • A file containing the data will be copied from the PC with the agent installed to the USB Disk. (Online Endpoint tests).
  • A file containing data will be copied from a PC with the agent installed to a file server. (Online Endpoint tests).
  • The data will be sent via Outlook from an agent installed PC. (Online Endpoint tests).
  • Data from a PC with Agent installed will be Pasted into IM Applications. (Online Endpoint tests).
  • The relevant data will be output from the Agent Installed client. (Online Endpoint tests).
  • Web POST will be performed from the agent installed PC to the “Http://x” destination address. (Offline Endpoint tests).
  • Web POST will be performed from the agent installed PC to the “https://x” destination address. (Offline Endpoint tests).
  • A file containing the data will be copied from the PC with the agent installed to the USB Disk. The PC will not be connected to the office network. (Offline Endpoint tests).
  • A file containing data will be copied from a PC with the agent installed to a file server. The PC will not be connected to the office network. (Offline Endpoint tests).
  • The data will be sent via Outlook from an agent installed PC. The PC will not be connected to the office network. (Offline Endpoint tests).
  • Data from a PC with Agent installed will be Pasted into IM Applications. The PC will not be connected to the office network. (Offline Endpoint tests).
  • The relevant data will be output from the Agent Installed client. (Offline Endpoint tests).

 

7). Encoded commands with PowerShell.

  • Is an encoded command executed with PowerShell in the company?
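A detection sketch for scenario 7, added here as an example and not taken from the original post or from any DLP product: it scans process-creation command lines for PowerShell's -EncodedCommand parameter, including abbreviated forms such as -enc, and decodes the Base64 UTF-16LE payload for review. The sample command lines are constructed and the function names are hypothetical.

```python
import base64
import binascii
import re

FULL_FLAG = "encodedcommand"
# "-<flag> <base64-looking argument>" anywhere in the command line.
TOKEN = re.compile(r"(?:^|\s)-(\w+)\s+([A-Za-z0-9+/]{8,}={0,2})(?=\s|$)")
IS_POWERSHELL = re.compile(r"(?i)\b(powershell|pwsh)(\.exe)?\b")

def is_encoded_flag(name: str) -> bool:
    """True for -EncodedCommand, its prefixes (-e, -enc, ...) and the -ec alias."""
    name = name.lower()
    return name == "ec" or FULL_FLAG.startswith(name)

def decode_encoded_command(cmdline: str):
    """Return the decoded script text for an encoded PowerShell command, else None."""
    if not IS_POWERSHELL.search(cmdline):
        return None
    for m in TOKEN.finditer(cmdline):
        if not is_encoded_flag(m.group(1)):
            continue
        try:
            # PowerShell expects Base64 over UTF-16LE text.
            return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return "<undecodable payload>"
    return None

# Constructed sample data: a harmless command encoded the way PowerShell expects.
BLOB = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLES = [
    f"powershell.exe -NoProfile -EncodedCommand {BLOB}",
    f"powershell -NoProfile -enc {BLOB}",
    "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1",
    f"cmd.exe /c echo -enc {BLOB}",  # not PowerShell, must not be flagged
]

def flagged(samples=SAMPLES) -> list[tuple[str, str]]:
    """Pairs of (command line, decoded script) for every encoded command found."""
    hits = []
    for line in samples:
        decoded = decode_encoded_command(line)
        if decoded is not None:
            hits.append((line, decoded))
    return hits

if __name__ == "__main__":
    for line, decoded in flagged():
        print(f"ENCODED: {decoded!r}  <-  {line}")
```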

8). Bypassing the Antivirus Program with VBScript or JavaScript.

  • Was an attempt made to bypass the antivirus program with VBScript or JavaScript in the company?

9). Web traffic on ports other than 80 and 443.

  • Except for 80 and 443, is there any web traffic to the outside?

10). Data in mail drafts.

  • When a mail is being sent in Outlook, can an attachment or similar data be prevented from being saved in the Drafts folder and exported?

11). Photographed confidential data.

  • Is it possible to prevent photographed confidential data from being sent by mail from within the company?

 
